It’s been a while since our last tutorial on how to add two-factor authentication to OpenVPN using the WiKID Strong Authentication System. The people at OpenVPN have been very active lately and it seems like a good time to take a look at what they’ve done. It’s still dead simple to configure, but it is mostly done via the new slick web interface.
I downloaded the CentOS Version of OpenVPN Access Server and dropped the RPM onto a WiKID server I built with our Enterprise ISO.
# rpm -ivh openvpn-as-1.3.4-CentOS5.i386.rpm
You are prompted to configure the server with this command:
Which runs you through a number of options:
Once you provide a few initial configuration settings, OpenVPN Access Server can be configured by accessing its Admin Web UI using your Web browser. Please specify the network interface and IP address to be used by the Admin Web UI: (1) all interfaces: 0.0.0.0 (2) eth0: 10.100.0.125 Please enter the option number from the list above (1-2). > Press Enter for default :
Enter the default for all the options, or change them if you know what you are doing.
Configuring The Server Via The Admin Web Interface
Proceed to the web interface at the interface and port you specified. Login in with root or whatever credentials you supplied above.
Once you login, click on the Authentication –> General link and choose Radius for authentication:
Once you specify that Radius is to be used, click on the Radius link to enter the details. Since this is running on the same server, we use the same IP address. Note though that we are not using the localhost IP as the WiKID server radius listener is using that.
That’s it for the OpenVPN server.
Configuring The WiKID Server
For the sake of brevity, we assume you have your WiKID server configured and only need to add the Openvpn AS server as a network client. (For complete installation documentation please see http://www.wikidsystems.com/support/wikid-support-center On the Network Client tab of the WiKIDAdmin interface, click “Add New network client:”
Click Modify and enter the shared secret on the next page:
You need to restart the WiKID server to load the new radius configuration:
# wikidctl restart
That’s it for the servers!
Configuring The Client
One of the new features that OpenVPN AS has is the automatically created client configuration flies. The user logs into the web interface and downloads the client application (for Windows) and the configuration file.
First start up the WiKID Token and get a one-time passcode from your WiKID server:
Enter your PIN:
The PIN will be encrypted and sent to the WiKID server. If the account is active, the encryption valid and the PIN is correct, an one-time passcode will be created and returned to the token:
Use this one-time passcode to login to the web interface as a user:
Now you will see the web page for clients:
For linux clients, you should be able to install openvpn via yum or apt-get. Then run the client from the command line, specifying the client config file:
# openvpn –config client.ovpn
And you should now have a 10.0 ip address!
It’s great to see a great product like OpenVPN get even better. The new radius management interface is quite nice in it’s simplicity. With the recent increase in corporate attacks, password vulnerabilities and malware, it’s definitely time to consider adding two-factor authentication to your VPN.
Add two-factor authentication to Google Apps for your domain
How to add two-factor authentication to Freeradius
OpenVPN on Centos 5.2
WiKID Systems Website