Protect OpenVPN Access Server VPN connections with a second authentication factor using the MultiFactor solution.
The integration scenario depends on your account provider:
- Account provider: Active Directory. Integrate via the RADIUS protocol.
- Account provider: OpenVPN AS local account directory. Integrate via Post-auth authentication.
Supported authentication methods:

| Method | Description |
|---|---|
| Push | Answer to the question "Are you connecting to a VPN?": "Yes, it's me" or "No, it's not me". |
| One-time passcodes | Enter a one-time code in the optional 2FA field. |
Authentication flow with RADIUS integration (Active Directory):
- The user connects to the VPN and enters their login and password in the OpenVPN Connect client;
- OpenVPN Access Server validates the username and password in Active Directory via the Multifactor RADIUS Adapter;
- Multifactor asks for a second authentication factor: a push in the mobile app or Telegram, a one-time OTP or SMS code, or a phone call (answer it and press #);
- The user confirms the request and connects to the VPN.

Authentication flow with Post-auth integration (local accounts):
- The user connects to the VPN and enters the login and password of a local account in the OpenVPN Connect client;
- OpenVPN Access Server confirms that the local login and password are valid;
- The Multifactor Post-auth plugin requests a second authentication factor: a push in the mobile app or Telegram, a one-time OTP or SMS code, or a phone call;
- The user confirms the request and connects to the VPN.
I. RADIUS integration
Use this integration option if your account provider is Active Directory.
- Create an account and log in to the MultiFactor administrative panel.
- Under Resources, click Add Resource. In the list that appears, select Other under Firewalls. Fill in the required fields to obtain the NAS Identifier and Shared Secret parameters; you will need them to complete the setup.
- Download, install, and configure the MultiFactor RADIUS Adapter component (Windows or Linux).
Configuring the OpenVPN Access Server
- Go to the OpenVPN Access Server administrative panel;
- Under Authentication, open the RADIUS subsection and click Use RADIUS;
- Under RADIUS Authentication Method, select the PAP authentication method;
- In the RADIUS Settings section, specify the address of the RADIUS Adapter component and the Shared Secret from the component settings;
- Click Save Settings;
- For the changes to take effect, click Update Running Server.
Make sure only one RADIUS server is listed; otherwise OpenVPN AS sends requests to all of them in turn.
II. Post-auth integration
Use this integration option if your account provider is the local OpenVPN AS account directory.
- Create an account and log in to the Multifactor administrative panel.
- Under Resources, click Add Resource. In the list that appears, select Other under Firewalls. Fill in the required fields to obtain the NAS Identifier and Shared Secret parameters; you will need them to complete the setup.
- Since local OpenVPN AS users are being authenticated, create the corresponding users in the Multifactor system: go to Users and click Add User or Import.
- Download the Multifactor Post-auth plugin for OpenVPN Access Server.
Configuring the Post-auth plugin
Open the post_auth_multifactor.py file with a text editor. In the file, set the NAS_IDENTIFIER and SHARED_SECRET parameters:

```python
# ...
NAS_IDENTIFIER = ''
SHARED_SECRET = ''
HOST = 'api.multifactor.ru'
# ...
```
Save your changes and close the text editor.
Copy the post_auth_multifactor.py script to the /usr/local/openvpn_as/scripts/ directory of the OpenVPN Access Server.

```shell
$ scp post_auth_multifactor.py \
    <SSH_USER>@<AS_HOST>:/home/<SSH_USER>/post_auth_multifactor.py
```

Replace <SSH_USER> and <AS_HOST> with the actual username and server IP address. Upload the script to your home directory first, since by default the OpenVPN AS administrative user does not have write permissions without
If the server was deployed with Microsoft Hyper-V, VMware ESXi, Amazon AWS, Microsoft Azure, Google Cloud Platform or another virtualization platform, SSH login may be protected by a private key. In that case, set the path to the key using the
Open a new SSH session.

```shell
$ ssh <SSH_USER>@<AS_HOST>
```

Move post_auth_multifactor.py to the scripts directory.

```shell
$ sudo mv post_auth_multifactor.py \
    /usr/local/openvpn_as/scripts/post_auth_multifactor.py
```

Make sure the file is executable.

```shell
$ sudo chmod a+x /usr/local/openvpn_as/scripts/post_auth_multifactor.py
```
Post-auth Plugin Installation
Replace the default Post-auth script with post_auth_multifactor.py using the sacli command line tool. If the SSH user does not have sudo permissions, set the administrative user name from the web console using the

```shell
$ sudo /usr/local/openvpn_as/scripts/sacli \
    --key "auth.module.post_auth_script" \
    --value_file="/usr/local/openvpn_as/scripts/post_auth_multifactor.py" \
    ConfigPut
```

Start the services.

```shell
$ sudo /usr/local/openvpn_as/scripts/sacli start
```
After configuring and installing the Multifactor Post-auth plugin, try to connect to the VPN using the web interface or the OpenVPN Connect client.
If the installation was successful, the client will request a second authentication factor, for example an SMS or OTP code.
- To authenticate with an SMS or OTP code, enter the code in the separate input window of OpenVPN Connect.
- To authenticate with the Multifactor mobile app (iOS, Android) or Telegram, click "Yes, this is me" in the authentication confirmation prompt.
Logs are available in
The most common causes of authentication problems:
- You are using the bootstrap user openvpn, which ignores the Post-auth authentication rules. It is recommended to disable this user once the server is fully configured. Disabling instructions;
- You are using an auto-login profile, which ignores Post-auth rules;
- User logins in the Multifactor admin panel do not match the local user logins in OpenVPN Access Server;
- The NAS Identifier or Shared Secret is specified incorrectly in the post_auth_multifactor.py file;
- The plugin does not have execute permissions;
- The plugin was installed incorrectly;
- The server was not restarted after the plugin was installed.
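The following pre-flight script is an added example, not part of the Multifactor plugin or the OpenVPN AS distribution: it checks the installed post_auth_multifactor.py against the installation steps and the troubleshooting list above (file present, executable, NAS_IDENTIFIER and SHARED_SECRET filled in, HOST left at api.multifactor.ru, and the script registered as auth.module.post_auth_script). The PLUGIN_PATH and SACLI variables are assumptions that default to the paths used in this guide; `sacli ConfigQuery` dumps the current configuration as JSON.

```shell
#!/bin/sh
# Added example: sanity checks for the Multifactor Post-auth plugin installation.
PLUGIN_PATH="${PLUGIN_PATH:-/usr/local/openvpn_as/scripts/post_auth_multifactor.py}"
SACLI="${SACLI:-/usr/local/openvpn_as/scripts/sacli}"

# Print the value of a top-level Python string constant, e.g. NAS_IDENTIFIER = 'abc'.
# $1 = file, $2 = constant name; prints nothing if the value is empty or missing.
py_const() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$1" | head -n 1
}

# Validate the plugin file: present, executable, both secrets set, HOST unchanged.
# Prints one line per problem and returns the number of problems found (0 = OK).
check_plugin_file() {
    file="$1"; problems=0
    if [ ! -f "$file" ]; then
        echo "missing: $file"; return 1
    fi
    [ -x "$file" ] || { echo "not executable: $file (run: sudo chmod a+x $file)"; problems=$((problems+1)); }
    for name in NAS_IDENTIFIER SHARED_SECRET; do
        if [ -z "$(py_const "$file" "$name")" ]; then
            echo "$name is empty in $file (copy it from the Multifactor resource settings)"
            problems=$((problems+1))
        fi
    done
    [ "$(py_const "$file" HOST)" = "api.multifactor.ru" ] || { echo "HOST is not api.multifactor.ru"; problems=$((problems+1)); }
    return "$problems"
}

# Confirm OpenVPN AS is configured to run this file as its Post-auth script.
check_registered() {
    [ -x "$SACLI" ] || { echo "sacli not found at $SACLI"; return 1; }
    if ! sudo "$SACLI" ConfigQuery | grep -q '"auth.module.post_auth_script"'; then
        echo "auth.module.post_auth_script is not set: run the sacli ConfigPut command, then 'sacli start'"
        return 1
    fi
}

if [ "${1:-}" = "--run" ]; then
    check_plugin_file "$PLUGIN_PATH" && check_registered && echo "plugin checks passed"
fi
```

Run it on the server as `sh check_plugin.sh --run`; every reported line maps to one item in the troubleshooting list.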