Any remote access to sensitive resources must provide:
- Strict user authentication upon connection;
- An encrypted channel to the network where the resource resides.
To meet both requirements, we will use a bundle of three components:
- OpenVPN — a well-known, free VPN server that creates an encrypted tunnel between the user and the server, which ensures the privacy of remote work.
- Active Directory as an account provider, so you don't have to duplicate users on the OpenVPN server and give out new passwords.
- MultiFactor platform for two-factor authentication.
To set it up, you will need an Active Directory domain, a separate Linux server with OpenVPN installed, and a subscription to the Multifactor service. Basic Linux and Windows server administration skills are also required.
- The user connects to the VPN and enters the username and password of their domain account.
- OpenVPN verifies the username and password against Active Directory.
- MultiFactor sends a request to the user's phone to confirm access: a push notification in Telegram, or a phone call that must be answered by pressing #.
- The user confirms the request and is connected to the VPN.
Navigate to the Multifactor management system and create a new OpenVPN resource. Once it is created, you will be shown two parameters, NAS Identifier and Shared Secret; you will need both to complete the configuration.
Configuring Active Directory
Download the Multifactor Radius Adapter component from the Multifactor website and unzip the archive on the server with Active Directory. The component acts as a RADIUS server, receives requests from OpenVPN, and checks the username and password of the user in the domain.
Parameters of the component are stored in the MultiFactor.Radius.Adapter.exe.config file in XML format.
<!-- Address and port (UDP) on which the adapter will receive authentication requests from OpenVPN -->
<add key="adapter-server-endpoint" value="192.168.0.1:1812"/>
<!-- Shared secret for OpenVPN authentication (from Multifactor settings) -->
<add key="radius-shared-secret" value=""/>
<!-- How to check the first factor: Active Directory -->
<add key="first-factor-authentication-source" value="ActiveDirectory"/>
<!-- Domain -->
<add key="active-directory-domain" value="domain.local"/>
<!-- Give access to users from the specified group only (not checked if the setting is removed) -->
<add key="active-directory-group" value="VPN Users"/>
<!-- Multifactor API address -->
<add key="multifactor-api-url" value="https://api.multifactor.ru"/>
<!-- NAS-Identifier parameter to connect to the Multifactor API (found in user profile) -->
<add key="multifactor-nas-identifier" value=""/>
<!-- Shared Secret parameter to connect to the Multifactor API (found in user profile) -->
<add key="multifactor-shared-secret" value=""/>
The component can run in console mode or as a Windows service. To run in console mode, just run the application.
To install it as a Windows service, run the application with the /i switch as Administrator, then start the service:
net start mfradiusadapter
The component's logs are located in the Logs folder. If they are not there, make sure that the folder is writable by the Network Service user.
First, you need a Linux server with OpenVPN installed. The server can be CentOS, Ubuntu, Debian, etc. In our example we use CentOS, but for other systems the difference is minimal.
We will not dive into the actual installation and initial setup of OpenVPN because there are many articles on it.
Install the pam_radius module (it is provided by the EPEL repository):
sudo yum -y install epel-release
sudo yum -y install pam_radius
Open the /etc/pam_radius.conf file for editing and specify the address of the Multifactor Radius Adapter component and the shared secret. Each line has the format: server:port, shared secret, timeout in seconds.
192.168.0.1:1812 shared_secret 40
Other servers, if present in the file by default, must be removed or commented out (put # at the beginning of the line). The shared secret here must match the radius-shared-secret value in the adapter configuration, otherwise the adapter will not be able to read the password and its replies will be rejected.
OpenVPN server configuration
Open the /etc/openvpn/server.conf file and add the plugin for authentication through the PAM module:
plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so openvpn
Next, create a PAM configuration file for openvpn:
sudo vi /etc/pam.d/openvpn
and add the following lines:
auth sufficient pam_radius_auth.so
account sufficient pam_permit.so
session sufficient pam_permit.so
Restart the OpenVPN server:
sudo systemctl restart openvpn@server
The configuration presented in this article provides a substantial level of reliability and protection for remote access in organizations ranging from a few to several thousand users. Administration is also significantly simplified, since a single Active Directory serves as the user directory. Using the second authentication factor from Multifactor removes the need to issue each user an individual certificate to connect to OpenVPN.