OpenVPN demo setup

These instructions assume you have a running installation of OpenVPN Access Server. If you are inexperienced with OpenVPN it is not recommended that you try this with a standard OpenVPN installation, as the setup is much more involved. We also assume that you have installed a running instance of a MIRACL Trust RADIUS app and obtained your keys as detailed in the Installation section.

Do not confuse Client Secret with Secret! Client Secret is one of the keys you receive from the MIRACL Trust administration portal, while Secret is the arbitrary secret [u]you[/u] must specify, which is stored in both the MIRACL Trust config.json file and in the OpenVPN admin UI

MIRACL Trust RADIUS setup

When changes have been made to your MIRACL Trust RADIUS config it is necessary to run sudo service srv-radius restart to apply the changes

Make sure your /etc/srv-radius/config.yaml lists the correct files to include (you will need to create a hosts/openvpn.yaml file as exlpained below):

includes:
  - core.yaml
  - hosts/openvpn.yaml

Open your /etc/srv-radius/core.yaml file and edit the mfa section to include the client id and client secret from your app (as created in the MIRACL Trust administration portal in the Installation section):

server:
  address: :1812
protocols:
  - pap
  - chap
  - mschapv1
mfa:
  global:
    client_id: ''
    client_secret: ''

Then edit your /etc/srv-radius/hosts/openvpn.yaml file. Add the IP of your OpenVPN Access Server server and the shared secret (a strong and hard to guess arbitrary string) that should also be entered in the OpenVPN Access Server admin console. For the purposes of this simple demo you can also use the mfa_id parameter to allow for a non-email username. The example below will mean that you can use the first half of an '@mycompany.com’ email address as your username for logging into OpenVPN (e.g. ‘john’ from 'john@mycompany.com’):

host:
  52.xxx.xxx.xx:
    name: openvpn
    mfa: global
    secret: '********'
    mfa_id: '{{.UserID}}@mycompany.com'
    authorize: true
#    authorize:
#    - - ldap: ldap_profile

Using authorize: true on its own would mean that anybody would be permitted to attempt to login, but combining it with mfa_id: '{{.UserID}}@mycompany.com means that only users with the @mycompany email domain are authorized. The LDAP and authorization section explains how LDAP or simple regex of email domains can be used for more detailed control of lists of users authorized to attempt to login.

Note on user authentication

Note that, for the actual authentication of a user, the MIRACL Trust authentication server must receive an email address (Please see the OTP Generation menu section for an understanding of how an email address is used to register and authenticate once RADIUS/OTP is up and running). Hence the above mfa_id enables a user to use the prefix to their email address for OpenVPN login, while still presenting the full email address to the MIRACL Trust platform for authentication purposes. For example, while you have registered with `john.smith@example.com, this would enable you to log in with john.smith`

Note that the mfa_id feature is only available from version 1.1.0 release 101 and above. If you are using a version older than this, you will need to use a full email address for your username.

Do not confuse Client Secret with Secret! Client Secret is one of the keys you receive from the MIRACL Trust authentication portal, while Secret is the arbitrary secret [u]you[/u] must specify, which is stored in both the MIRACL Trust RADIUS config.json file and in the PAM RADIUS config file

Setup of Ports

Note that port 1194 (UDP) needs to be open, as does 943 (TCP), to allow use of the web UI. 443 (TCP) also should be open.

OpenVPN Configuration

In the OpenVPN Access Server admin console, go to Authentication > RADIUS and turn RADIUS on as the auth method (NOTE – make sure that the protocol you have chosen (pap or chap) is enabled in your /etc/srv-radius/core.json file for MIRACL Trust RADIUS). Add your MIRACL Trust RADIUS server IP Address and enter the shared secret. Save the settings and update the running server:

ovpn_ui1

Go to User Management > User Permissions and add a new user with your email as username (matching the email you registered with the RADIUS app in the portal in step 2. Note that no password is required, as we are using RADIUS). If you use the mfa_id parameter, you can also use just the prefix from your email address as a username. Please see earlier note on user authentication for an explanation of this. Save and update the running server:

ovpn_ui2

In order to prevent overwriting of your DNS when running the test client, you should also make sure the following settings are made:

ovpn_dns_settings

Go to the non-admin login (https://xx.xx.xxx.xx:943) url of OpenVPN:

ovpn_login

Login with your registered email and use the browser PIN pad or the MIRACL Trust mobile app to generate an OTP:

mob_genotp

Once logged in, download the openvpn config file:

ovpn_download_profile

Test Login

Now run the openvpn config file:

sudo openvpn --config client.ovpn

Login with your registered email address. You can generate an OTP by either visiting the OTP url for in-browser OTP generation, or using the MIRACL Trust mobile app to generate an OTP (see here for an explanation of in-browser/mobile OTP generation):

otp create id and create pin

You should now see that the connection has been made:

term_connected

And the connection will be visible in the Status > Log Reports section of the OpenVPN admin UI:

ovpn_logged_users