OpenVPN With Radius and Multi-Factor Authentication

This tutorial provides a step-by-step guide to install an OpenVPN server with Radius and multi-factor authentication for additional security.

By Yves Debeer · Mar. 21, 23 · Tutorial

Setting up a VPN server to allow remote connections can be challenging if you are doing it for the first time. In this post, I will guide you through the steps to set up your own VPN server and connect to it using a VPN client.

I will also show how to set up a free Radius server and a plugin that adds multi-factor authentication for additional security.

[Figure: steps to set up your own VPN Server]

1. Installation of the OpenVPN Server on Linux (using CentOS Stream 9)

# yum update
# curl -O https://raw.githubusercontent.com/angristan/openvpn-install/master/openvpn-install.sh
# chmod +x openvpn-install.sh
# ./openvpn-install.sh

Accept the defaults for the OpenVPN installation and, at the end, provide a client name, e.g. demouser. I have chosen a passwordless client, but if you want, you can also add a password to protect your private key.

Client name: demouser

Do you want to protect the configuration file with a password?
(e.g. encrypt the private key with a password)
   1) Add a passwordless client
   2) Use a password for the client
Select an option [1-2]: 1
...
...
The configuration file has been written to /root/demouser.ovpn.
Download the .ovpn file and import it in your OpenVPN client.

Finally, a client configuration file is ready to be imported into the VPN Client.

2. Installation of the OpenVPN Client for Windows

Download the OpenVPN Client software.

Install the OpenVPN Client:

[Figure: Install the OpenVPN Client]

Once the installation is finished, we can import the configuration file demouser.ovpn that was generated on the OpenVPN server. Before importing it, we need to set the remote line in this file to the IP address of our OpenVPN server:

client
proto udp
explicit-exit-notify
remote 192.168.0.150 1194
dev tun
resolv-retry infinite
nobind
persist-key
persist-tun
...

By default the remote line contains your public IP address, which is what you want if your VPN server sits on your local network and you need remote access from outside that network. You can leave the public IP address in the config, but then you will have to open up the correct port (1194/udp) and set up the routing (port forwarding) on your internet access point.

[Figure: Import Profile]

Finally, we can test the VPN connection. The first time, the connection will probably fail because the firewall on the OpenVPN Linux server blocks the access. To quickly test this, we can temporarily disable the firewall using the command:

# systemctl stop firewalld

Alternatively, configure the Linux firewall for OpenVPN connectivity:

# sudo firewall-cmd --add-service=openvpn
# sudo firewall-cmd --permanent --add-service=openvpn
# sudo firewall-cmd --add-masquerade
# sudo firewall-cmd --permanent --add-masquerade
# sudo firewall-cmd --permanent --add-port=1194/udp
# sudo firewall-cmd --reload

Now the connection should work:

[Figure: Working connection]

On the Windows client, you should now also get an additional VPN adapter configured with a default IP address of 10.8.0.2 (this subnet is defined in the file /etc/openvpn/server.conf).

[Figure: Windows IP Configuration]

3. How To Use Radius With OpenVPN

First, we will install the IBM Security Verify Gateway for Radius on a Windows machine.

This package can be downloaded from the IBM Security AppExchange (you will need to use your IBMid to log in).

[Figure: IBM Security AppExchange download page]

Extract and run the installation using setup_radius.exe.

Edit the Radius configuration file c:\Program Files\IBM\IbmRadius\IbmRadiusConfig.json:

  • Find the clients section in the configuration file.
  • The default file has three example client definitions. Delete them and replace them with the single definition shown below.
  • This definition matches any Radius client connecting from the network used by the test machines; the secret authenticates the client.

Save the file and close the editor.

{
	"address":"::",
	"port":1812,
/*
	"trace-file":"c:/tmp/ibm-auth-api.log",
	"trace-rollover":12697600,
*/
	"ibm-auth-api":{
		"client-id":"???????",
		"obf-client-secret":"???????", /* See IbmRadius -obf "the-secret" */
		"protocol":"https",
		"host":"???????.verify.ibm.com",
		"port":443,
		"max-handles":16
	},
	"clients":[
		{
			"name": "OpenVPN",
			"address": "192.168.0.0",
			"mask": "255.255.0.0",
			"secret": "Passw0rd",
			"auth-method": "password-and-device",
			"use-external-ldap": false,
			"reject-on-missing-auth-method": true,
			"device-prompt": "A push notification has been sent to your device:[%D].",
			"poll-device": true,
			"poll-timeout": 60
		}
	]
}


Complete the fields client-id, obf-client-secret and host with the correct information to point to your IBM Verify SaaS API.

Before we can do this, we need to set up API access in IBM Verify SaaS.

Log in to your environment, or go for a trial account if you don't have one.

From the main menu, select Security > API Access > Add API client.

Create a new API client:

  • Specify the entitlements by selecting the check boxes from the list:
    • Authenticate any user
    • Read authenticator registrations for all users
    • Read users and groups
    • Read second-factor authentication enrollment for all users
  • Click Next on the following screens and finally give the API client a name, e.g. MFA-Client.

A client ID and secret will be created for you automatically. Use them to complete the Radius config. Use the command c:\Program Files\IBM\IbmRadius\IbmRadius.exe -obf to generate the obfuscated secret value.

Finally, configure the IBM Radius service to start up automatically and start the service:

[Figure: Start the service]

Test Radius authentication using the Radius tool NTRadPing.

You should get a push notification on the IBM Verify app on the mobile device.

[Figure: IBM Verify app push notification]

(Make sure you test with a user ID that is known in IBM Verify SaaS and is enrolled for OTP.)
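The NTRadPing check above can also be scripted. The following is an added example, not code from the original post or from IBM: a minimal Python RADIUS client that builds an RFC 2865 Access-Request with PAP (the User-Password attribute is hidden with the shared secret and the Request Authenticator), sends it to UDP port 1812 and verifies the identifier and the Response Authenticator before trusting the Access-Accept or Access-Reject, which is also what makes a wrong or mismatched shared secret show up as an error instead of a silent failure. The host, user and password in the usage note are placeholders; the only values taken from the tutorial are the port, the shared secret Passw0rd and the OpenVPN server address used as NAS-IP-Address.

```python
import hashlib, os, socket, struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11  # RFC 2865 codes
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4  # attribute types used by this client

def pap_crypt(secret, authenticator, data, decrypt=False):
    """RFC 2865 5.2: XOR 16-byte blocks with MD5(secret + previous ciphertext block)."""
    data += b"\x00" * (-len(data) % 16)  # pad the password to a block multiple
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = data[i:i + 16] if decrypt else block  # chaining always uses the ciphertext block
        out += block
    return out.rstrip(b"\x00") if decrypt else out

def attr(kind, value):
    return struct.pack("!BB", kind, len(value) + 2) + value

def build_access_request(secret, username, password, nas_ip, ident, authenticator):
    attrs = (attr(USER_NAME, username.encode())
             + attr(USER_PASSWORD, pap_crypt(secret, authenticator, password.encode()))
             + attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs

def build_response(secret, request_authenticator, code, ident, attrs=b""):
    """Server-side reply: Response Authenticator = MD5(header | RequestAuth | attrs | secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_authenticator + attrs + secret).digest() + attrs

def parse_response(secret, request_authenticator, ident, packet):
    """Check identifier and Response Authenticator before trusting the code (RFC 2865 3)."""
    code, rid, length = struct.unpack("!BBH", packet[:4])
    if rid != ident or not 20 <= length <= len(packet):
        raise ValueError("identifier mismatch or malformed packet")
    if packet[4:20] != build_response(secret, request_authenticator, code, rid, packet[20:length])[4:20]:
        raise ValueError("bad Response Authenticator: wrong shared secret or spoofed reply")
    return code

def radius_auth(host, secret, username, password, nas_ip, timeout=60):
    """Send one Access-Request to host:1812 over UDP and return the reply code name."""
    ident, auth = os.urandom(1)[0], os.urandom(16)  # fresh per request, as RFC 2865 requires
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)  # like wait=60 in radiusplugin.cnf: leave time to approve the push
        sock.sendto(build_access_request(secret, username, password, nas_ip, ident, auth), (host, 1812))
        data, _ = sock.recvfrom(4096)
    code = parse_response(secret, auth, ident, data)
    names = {ACCESS_ACCEPT: "Access-Accept", ACCESS_REJECT: "Access-Reject", ACCESS_CHALLENGE: "Access-Challenge"}
    return names.get(code, f"code {code}")
```

From the OpenVPN server, `radius_auth("<radius-host>", b"Passw0rd", "demouser", "<password>", "192.168.0.150")` should trigger the push notification and return "Access-Accept" once it is approved on the phone.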

4. Install the OpenVPN Radius Plugin

  • Log in to the Linux OpenVPN server and launch the following commands:

# wget https://www.nongnu.org/radiusplugin/radiusplugin_v2.1a_beta1.tar.gz
# tar -xvf radiusplugin_v2.1a_beta1.tar.gz
# cd radiusplugin_v2.1a_beta1
# yum install libgcrypt libgcrypt-devel gcc-c++
# make


  • Copy the Radius plugin files to /etc/openvpn:

# cp /root/radiusplugin_v2.1a_beta1/radiusplugin.cnf /etc/openvpn
# cp /root/radiusplugin_v2.1a_beta1/radiusplugin.so /etc/openvpn

  • Edit the file /etc/openvpn/server.conf and add the following line to activate the Radius plugin:

plugin /etc/openvpn/radiusplugin.so /etc/openvpn/radiusplugin.cnf

  • Edit the file /etc/openvpn/radiusplugin.cnf, set the IP address of the Radius server and set sharedsecret to Passw0rd (the secret that was also configured on the Radius server side). Make sure to set nonfatalaccounting=true, because the Radius server does not support Radius accounting.

...
NAS-IP-Address=<IP Address of the OpenVPN Server>
...
nonfatalaccounting=true
...
Server
{
	# The UDP port for RADIUS accounting.
	acctport=1813
	# The UDP port for RADIUS authentication.
	authport=1812
	# The name or IP address of the RADIUS server.
	name=<IP Address of the RADIUS Server>
	# How many times should the plugin resend the request if there is no response?
	retry=1
	# How long should the plugin wait for a response?
	wait=60
	# The shared secret.
	sharedsecret=Passw0rd
}

Save the file and restart the OpenVPN server using the command:

# systemctl restart openvpn-server@server.service

  • Finally, edit the OpenVPN client file demouser.ovpn and add the line auth-user-pass:

client
proto udp
auth-user-pass
explicit-exit-notify
remote 192.168.0.150 1194
dev tun
resolv-retry infinite
nobind
persist-key
persist-tun
...

This will prompt the user for a username and password when initiating the VPN connection. These credentials are authenticated against the IBM Verify SaaS directory, which should result in a challenge request on the IBM Verify mobile app. The wait=60 setting allows the plugin to wait for a response from the user, who has to approve the challenge in the IBM Verify app on their phone.

If you prefer a TOTP challenge instead, modify the Radius configuration file on Windows (IbmRadiusConfig.json) and set the auth-method to password-and-totp. Then open the client VPN connection and enter the TOTP code followed by a colon and the password (e.g. 123456:password) instead of the normal password.


Published at DZone with permission of Yves Debeer. See the original article here.
