OpenVPN demo setup

These instructions assume you have a running installation of OpenVPN Access Server. Also that you have installed a running instance of a MIRACL Trust® RADIUS app and obtained API keys as detailed in the Setup and Installation section of these docs.

Do not confuse Client Secret with Secret!
Client Secret is one of the API keys you receive from the MIRACL Trust® authentication portal, while Secret is the arbitrary secret you must specify, which is stored in both the MIRACL Trust® config.json file and in the OpenVPN admin UI


Open your /etc/srv-radius/config.json file and make the following adjustments.

When changes have been made to your MIRACL Trust® RADIUS config it is necessary to run sudo service srv-radius restart to apply the changes

Edit the zfa section to include the client id and secret from your app (as created in the MIRACL Trust® SSO RADIUS authentication portal in the Setup and Installation section):

"zfa": {
  "global": {
    "client_id": "03wgfhdss77bj",
    "client_secret": "urewrfwefjdsfiwefj23rjejfwStd_wJFI",
    "otp_endpoint": "",
    "max_uses": 1,
    "max_attempts": 3

otp_endpoint should always be set as

Then, in the host section, add the IP of your OpenVPN Access Server server and the shared secret (a strong and hard to guess arbtirary string) that should also be entered in the OpenVPN Access Server admin console:

"host": {
  "": {
    "name": "local",
    "ldap": "global",
    "zfa": "global",
    "secret": "mrtrt_*%&6"

Finally, in the protocols section, specify the protocols you wish to be available, ensuring this includes the protocol you will specify in the OpenVPN AS admin console:

"protocols": ["pap", "chap", "mschapv1"]

Setup of Ports

Note that port 1194 (UDP) needs to be open, as does 943 (TCP), to allow use of the web UI. 443 (TCP) also should be open.

OpenVPN Configuration

In the OpenVPN Access Server admin console, go to Authentication > RADIUS and turn RADIUS on as the auth method (NOTE – make sure that the protocol you have chosen (pap or chap) is enabled in your /etc/srv-radius/config.json file for MIRACL Trust® RADIUS). Add your MIRACL Trust® RADIUS server IP Address and enter the shared secret. Save the settings and update the running server:


Go to User Management > User Permissions and add a new user with your email as username (matching the email you registered with the RADIUS app in the portal in step 2. Note that no password is required, as we are using RADIUS). Save and update the running server:


In order to prevent overwriting of your DNS when running the test client, you should also make sure the following settings are made:


Go to the non-admin login ( url of OpenVPN:


Login with your registered email and use the MIRACL Trust® mobile app to generate an OTP:


Once logged in, download the openvpn config file:


Test Login

Now run the openvpn config file:

sudo openvpn --config client.ovpn

Login with your registered email address. You can generate an OTP by either visiting the OTP url for in-browser OTP generation, or using the MIRACL Trust® mobile app to generate an OTP (see here for an explanation of in-browser/mobile OTP generation):

otp create id and create pin

You should now see that the connection has been made:


And the connection will be visible in the Status > Log Reports section of the OpenVPN admin UI: