Overview
This document is an installation guide for MFAVPN provided by RCDevs. The installation or configuration of WebADM, including token registration, is not covered here. For detailed installation and usage instructions for WebADM and OpenOTP, please refer to their respective documentation.
Installation
Installation through RPM Repository
On RPM-based systems, you can use the RCDevs repository. Clear the dnf cache and install the Radius Bridge package as follows:
dnf install mfavpn
Installation through Debian Repository
apt update
You are now ready to install RCDevs packages on your system:
apt install mfavpn
Setup script is running:
[root@webadm1 conf]# /opt/mfavpn/bin/setup
The fully qualified domain name of this server is 'mfavpn.rcdevsdocs.com'.
Please press [ENTER] to confirm or type another one:
Enter one of your running WebADM node IP or hostname: 192.168.4.160
Registered hostname is 'mfavpn.rcdevsdocs.com'. Would you like to use it as client id (y/n)? [N]: y
Do you want to register MFA VPN Server logrotate script (y/n)? [Y]: y
Do you want MFA VPN Server to be automatically started at boot (y/n)? [Y]: y
Primary OpenOTP service URL is: 'https://192.168.4.160:8443/openotp/'
Secondary OpenOTP service URL is: 'https://192.168.4.161:8443/openotp/'
Use 'mfavpn.rcdevsdocs.com' as client id: 'YES'
Register MFA VPN Server logrotate script: 'YES'
MFA VPN Server must be automatically started at boot: 'YES'
Do you confirm (y/n)?: y
Applying MFA VPN Server settings from default configuration files... Ok
Generating diffie-hellman key file for daemon 'openvpn'...
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time...............................................
......................................................................................................Ok
Generating ta.key (tls-auth) file for daemon 'openvpn'... Ok
Retrieving WebADM CA certificate... Ok
The setup needs now to request a signed 'openvpn' certificate.
This request should show up as pending in your WebADM interface and an administrator must accept it.
Waiting for approbation...
A certificate must be generated for OpenVPN. At this stage, log in to the WebADM Administrator GUI to approve the certificate request.
After logging in to the WebADM Administrator portal, you'll see a red button at the bottom of the page. Click on it to view the pending certificate request. Accept the request to generate the certificate, and the setup script will continue.
Waiting for approbation... Ok
Updating entry 'client_id' in file '/opt/mfavpn/conf/ovpnauthd.conf'... Ok
Registering MFA VPN Server service...Registering MFA VPN Server service... Ok
Adding logrotate script... Ok
MFA VPN Server has successfully been setup.
The installation is now complete. The installation folder is /opt/mfavpn/
.
RCDevs MFA VPN Configuration Files
All configuration files are located in /opt/mfavpn/conf/
.
ovpnauthd.conf
In this file, you can reconfigure WebADM URLs, enable or disable U2F support, and set a client ID to associate with a client policy. Other settings can remain as defaults.
#-#-#-#
#
# ovpnauthd's configuration file.
#
#-#-#-#
#
# A location where to store the daemon's log file.
# Note that at the very early stage (when the daemon started but did not read yet this configuration file),
# logs are sent to the standard output. Anyway, since the launcher script uses a redirection, you won't even see them.
# Don't forget to adapt also file '/opt/mfavpn/lib/logrotate' if for any reason you decide to change the default path...
#
log_file /opt/mfavpn/logs/ovpnauthd.log
#
#
#-#-#-#
#-#-#-#
#
# A location where to store the daemon's process ID file.
#
pid_file /opt/mfavpn/temp/ovpnauthd.pid
#
#
#-#-#-#
#-#-#-#
#
# A CA file is required in order to trust OTP servers the daemon will send requests to.
#
ca_file /opt/mfavpn/conf/ca.crt
#
#
#-#-#-#
#-#-#-#
#
# A list containing the address of your WebADM servers.
# It must contain one or items to let the daemon know where to send authentication requests.
#
server_urls {
url1 https://192.168.4.160:8443/openotp/
url2 https://192.168.4.161:8443/openotp/
}
#
#
# How ovpnauthd will relay a request to the WebADM backend.
# - "balanced" means the request will be balanced between server 1 and server 2 in a round-robin fashion.
# - "ordered" means server 2 is kept as a hot spare in case the primary server stops answering requests properly.
#
#server_policy Ordered
#
#
# When two servers are configured, ovpnauthd can check the server statuses at regular
# intervals by trying TCP socket connections. The status_cache is the polling interval
# between 10 and 600 seconds.
status_cache 30
#
#
#-#-#-#
#-#-#-#
#
# The default domain name passed to OpenOTP backends when the client entered a username only.
# This prevents WebADM server to apply any default domain configured on its own side.
#
#default_domain_name Default
#
#
# Tells ovpnauthd how to extract 'domain' and 'username' from the username string entered
# in order to send them both separately to OpenOTP backends.
#
#domain_separator \
#
#
#-#-#-#
#-#-#-#
#
# When U2F login is enabled and the user login mode is set to LDAPU2F or LDAPMFA,
# a U2F authentication challenge is used (overriding OTP methods if present).
# U2F for OpenVPN is supported by the Viscosity client only!
#
u2f_support Yes
#
#
#-#-#-#
#-#-#-#
#
# The client identifier to be sent to OpenOTP servers along authentication requests.
# This allows applying per client contextual policies on the WebADM server while running an authentication workflow.
#
client_id MFAVPN
#
#
#-#-#-#
#-#-#-#
#
# The SOAP request TCP timeout is by default 30.
# Just keep it as it unless you really understand all the possible consequences a change could have.
#
#soap_timeout 30
#
#
#-#-#-#
#
#
#-#-#-#
openvpn.conf
This is the OpenVPN configuration file. You need to configure it to start your OpenVPN server. For more information on configuring OpenVPN, please refer to the OpenVPN official documentation.
"My OpenVPN configuration is very simple:
- Defined a
dev tun
interface to create a routed IP tunnel. - Configured 2 routes to be pushed to the client for accessing different networks.
- Set the DNS server and domain to be pushed to the client for name resolution and domain resolution for Windows clients.
- Other settings are kept as defaults."
#################################################
# Sample OpenVPN 2.0 config file for #
# multi-client server. #
# #
# This file is for the server side #
# of a many-clients <-> one-server #
# OpenVPN configuration. #
# #
# OpenVPN also supports #
# single-machine <-> single-machine #
# configurations (See the Examples page #
# on the web site for more info). #
# #
# This config should work on Windows #
# or Linux/BSD systems. Remember on #
# Windows to quote pathnames and use #
# double backslashes, e.g.: #
# "C:\\Program Files\\OpenVPN\\config\\foo.key" #
# #
# Comments are preceded with '#' or ';' #
#################################################
# Which local IP address should OpenVPN
# listen on? (optional)
;local a.b.c.d
# Which TCP/UDP port should OpenVPN listen on?
# If you want to run multiple OpenVPN instances
# on the same machine, use a different port
# number for each one. You will need to
# open up this port on your firewall.
port 1194
# TCP or UDP server?
;proto tcp
proto udp
# "dev tun" will create a routed IP tunnel,
# "dev tap" will create an ethernet tunnel.
# Use "dev tap0" if you are ethernet bridging
# and have pre-created a tap0 virtual interface
# and bridged it with your ethernet interface.
# If you want to control access policies
# over the VPN, you must create firewall
# rules for the TUN/TAP interface.
# On non-Windows systems, you can give
# an explicit unit number, such as tun0.
# On Windows, use "dev-node" for this.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
;dev tap
dev tun
# Network topology
# Should be subnet (addressing via IP)
# unless Windows clients v2.0.9 and lower have to
# be supported (then net30, i.e. a /30 per client)
# Defaults to net30 (not recommended)
topology subnet
# Configure server mode and supply a VPN subnet
# for OpenVPN to draw client addresses from.
# The server will take 10.8.0.1 for itself,
# the rest will be made available to clients.
# Each client will be able to reach the server
# on 10.8.0.1. Comment this line out if you are
# ethernet bridging. See the man page for more info.
server 10.8.0.0 255.255.255.0
# Push routes to the client to allow it
# to reach other private subnets behind
# the server. Remember that these
# private subnets will also need
# to know to route the OpenVPN client
# address pool (10.8.0.0/255.255.255.0)
# back to the OpenVPN server.
push "route 192.168.2.0 255.255.255.0"
push "route 172.16.8.0 255.255.255.0"
;push "route 192.168.20.0 255.255.255.0"
# If enabled, this directive will configure
# all clients to redirect their default
# network gateway through the VPN, causing
# all IP traffic such as web browsing and
# and DNS lookups to go through the VPN
# (The OpenVPN server machine may need to NAT
# or bridge the TUN/TAP interface to the internet
# in order for this to work properly).
;push "redirect-gateway def1 bypass-dhcp"
# Certain Windows-specific network settings
# can be pushed to clients, such as DNS
# or WINS server addresses. CAVEAT:
# http://openvpn.net/faq.html#dhcpcaveats
# The addresses below refer to the public
# DNS servers provided by opendns.com.
push "dhcp-option DNS 192.168.4.250"
;push "dhcp-option DNS 208.67.220.220"
;push "dhcp-option WINS 208.67.220.223"
push "dhcp-option DOMAIN rcdevsdocs.com"
# Uncomment this directive to allow different
# clients to be able to "see" each other.
# By default, clients will only see the server.
# To force clients to only see the server, you
# will also need to appropriately firewall the
# server's TUN/TAP interface.
;client-to-client
# The keepalive directive causes ping-like
# messages to be sent back and forth over
# the link so that each side knows when
# the other side has gone down.
# Ping every 10 seconds assume that remote
# peer is down if no ping received during
# a 120 second time period.
keepalive 10 120
# Enable compression on the VPN link and push the
# option to the client (2.4+ only, for earlier
# versions see below)
;compress lz4-v2
;push "compress lz4-v2"
# For compression compatible with older clients use comp-lzo
# If you enable it here, you must also
# enable it in the client config file.
;comp-lzo
# The maximum number of concurrently connected
# clients we want to allow.
;max-clients 100
# The persist options will try to avoid
# accessing certain resources on restart
# that may no longer be accessible because
# of the privilege downgrade.
persist-key
persist-tun
# Set the appropriate level of log
# file verbosity.
#
# 0 is silent, except for fatal errors
# 4 is reasonable for general usage
# 5 and 6 can help to debug connection problems
# 9 is extremely verbose
verb 3
# Silence repeating messages. At most 20
# sequential messages of the same message
# category will be output to the log.
;mute 20
# Notify the client that when the server restarts so it
# can automatically reconnect.
explicit-exit-notify 1
#
reneg-sec 0
After editing both files, please restart RCDevs MFAVPN services:
/opt/mfavpn/bin/mfavpn restart
Your MFA VPN is now ready to work!
Generate an end-user package
A script is available to generate an end-user package that will include the OpenVPN configuration file, the Certificate Authority file, and the key.
To run this script, please execute the following command:
/opt/mfavpn/bin/clientpkg user
adding: user/ (stored 0%)
adding: user/ca.crt (deflated 25%)
adding: user/ta.key (deflated 40%)
adding: user/user.ovpn (deflated 54%)
An output file named user.zip
will be created. Give this folder to your user.
Modification to enable FIDO authentication
Modifications in this part are necessary only to enable authentication with FIDO keys.
You need to edit the user.ovpn
file generated in the previous package. Add the following two lines at the beginning:
##############################################
# Sample client-side OpenVPN 2.0 config file #
# for connecting to multi-client server. #
# #
# This configuration can be used by multiple #
# clients, however each client should have #
# its own cert and key files. #
# #
# On Windows, you might want to rename this #
# file so it has a .ovpn extension #
##############################################
#viscosity FIDOServerOrigin rcdevs.com
#viscosity U2FURIScheme none
# Specify that we are a client and that we
# will be pulling certain config file directives
# from the server.
client
Import VPN Configuration File in Viscosity or OpenVPN Client
After copying the zip file to your client machine, you can extract it.
I use Viscosity as a VPN client. Viscosity is fully compatible with the RCDevs MFA VPN server and OpenOTP for U2F authentication.
To import the OpenVPN client configuration, simply double-click on the .ovpn
file.
The VPN configuration is now imported in Viscocity client/OpenVPN Client and you can try a login.
Login Test with an OTP/Push
Click on the user connection profile to initiate the VPN connection, and you will be prompted to provide LDAP credentials. If the LDAP credentials are validated successfully, you will then be prompted for the OTP password or to approve the push notification, depending on the policy configured in WebADM/OpenOTP.
Provide the OTP password or respond to the push login request to continue the login process.
Check the WebADM server logs if the login fails for any reason.
Login Test with FIDO Key
Refer to the dedicated FIDO documentation for FIDO configuration.
To use RCDevs MFA VPN with a FIDO key, ensure that the setting support_u2f
is set to yes
in the /opt/mfavpn/conf/ovpnauthd.conf
file.
By default, this setting is already set to yes
.
Additionally, configure the login mode to LDAPMFA
or LDAPU2F
in OpenOTP and ensure the following FIDO configuration:
- FIDO Origin or AppId:
rcdevsdocs.com
(this must match theFIDOServerOrigin
parameter previously set in Viscosity).
When FIDO configuration and FIDO key enrollment are complete, click on the user connection in Viscosity to initiate the VPN connection. You will be prompted to enter your LDAP credentials.
After the LDAP credential validation, you will be prompted with a FIDO challenge and will have to press your FIDO key to complete the login.
Check the WebADM server logs if the login fails for any reason.
High Availability setup
If you need load balancing or high availability, you can install multiple MFAVPN servers. After installing the first server, use the backup script to create a backup package.
[root@mfavpn1 ~]# /opt/mfavpn/bin/backup mfavpn_backup
Are you sure you want to backup MFA VPN Server (y/n)? y
Starting backup procedure...
Adding required file 'conf/ca.crt'... Ok
Adding required file 'conf/openvpn.conf'... Ok
Adding required file 'conf/openvpn.crt'... Ok
Adding required file 'conf/openvpn.key'... Ok
Adding required file 'conf/ovpnauthd.conf'... Ok
Adding optional file 'temp/'... Ok
Adding optional file 'logs/'... Ok
Compressing backup file... Ok
MFA VPN Server backup created in 'mfavpn_backup.gz'.
Install the second server the same way as the first one. Copy the backup file from the first server and use the restore script to apply the settings.
[root@mfavpn2 ~]# /opt/mfavpn/bin/restore mfavpn_backup.gz
Are you sure you want to restore MFA VPN Server (y/n)? y
Starting restore procedure...
Unpacking backup files... Ok
Silent mode requires one WebADM node's hostname or IP.
Usage: /opt/mfavpn/bin/setup <silent HOSTNAME|IP | reset | restore>
Silent setup: setup without user any prompt.
Reset: Reset MFA VPN Server to its original state.
MFA VPN Server backup restored from file 'mfavpn_backup.gz'.
[root@mfavpn2 ~]# /opt/mfavpn/bin/mfavpn start
Starting MFA VPN Server...
Starting daemon 'openvpn'... Ok
Starting daemon 'ovpnauthd'... Ok
You need to configure your VPN clients to use both servers. This can be done either by modifying the .ovpn
file in the end-user package or, if using the Viscosity VPN client, through the GUI.
# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
remote my-server-1 1194
remote my-server-2 1194
# Choose a random host from the remote
# list for load-balancing. Otherwise
# try hosts in the order specified.
remote-random
Add the addresses of both servers in the General settings under the remote server section. Refer to the Viscosity/OpenVPN documentation for the correct syntax.
Then configure the remote-random
option in the Advanced settings of Viscosity or the OpenVPN client.
For advanced configuration, refer to OpenVPN configuration.