Protection of the Remote Access to the Corporate Network Using OpenVPN, ActiveDirectory and Two-factor Authentication

Any remote access to confidential resources has to be protected, which means:

  • strong authentication has to be performed when the connection is established;
  • an encrypted channel into the network has to be set up.

To solve these tasks, we will combine the following three components:

  1. OpenVPN, a well-known free VPN server that establishes an encrypted tunnel between the user and the server and thereby ensures confidentiality during remote work.
  2. Active Directory as the account provider, so that there is no need to keep duplicate users on the OpenVPN server or to distribute new passwords.
  3. Multifactor for the second authentication factor.

For the configuration you will need an Active Directory domain, a separate Linux server with OpenVPN installed and a subscription to the Multifactor service.

You will also need basic Linux and Windows server administration skills.

Operating Procedure

  1. A user connects to the VPN and enters the account login and password.
  2. OpenVPN verifies the login and password against Active Directory over the RADIUS protocol.
  3. Multifactor sends an access confirmation request to the user’s phone: a push message in Telegram, or a call that the user has to answer and press #.
  4. The user confirms the request and is connected to the VPN.

Configuration of the Multifactor

Log in to the Multifactor control panel and create a new OpenVPN resource. After it is created, two parameters become available: NAS Identifier and Shared Secret; you will need them for the further configuration.

Configuration of the Active Directory

Download the Multifactor Radius Adapter component from the Multifactor website and unpack the archive on the server with Active Directory. The component runs as a RADIUS server: it receives requests from OpenVPN and verifies the user’s login and password in the domain.

Parameters of the component

The component’s settings are stored in the MultiFactor.Radius.Adapter.exe.config file in XML format.

<!-- Address and port (UDP) on which the adapter receives authentication requests from OpenVPN -->
<add key="adapter-server-endpoint" value="192.168.0.1:1812"/>
<!-- Shared secret used to authenticate OpenVPN (the same value is specified on the OpenVPN side in pam_radius.conf) -->
<add key="radius-shared-secret" value=""/>
<!-- Where the user’s login and password are verified: ActiveDirectory -->
<add key="first-factor-authentication-source" value="ActiveDirectory"/>
<!-- Domain -->
<add key="active-directory-domain" value="domain.local"/>
<!-- Check that the user belongs to this group (if the setting is removed, the check is not performed) -->
<add key="active-directory-group" value="VPN Users"/>
<!-- Multifactor API address -->
<add key="multifactor-api-url" value="https://api.multifactor.ru"/>
<!-- NAS-Identifier parameter for connecting to the Multifactor API (from your Multifactor account) -->
<add key="multifactor-nas-identifier" value=""/>
<!-- Shared Secret parameter for connecting to the Multifactor API (from your Multifactor account) -->
<add key="multifactor-shared-secret" value=""/>

Launch of the component

The component can run in console mode or as a Windows service. To run it in console mode, simply launch the application.

To install it as a Windows service, run it with the /i switch as Administrator:

MultiFactor.Radius.Adapter.exe /i

and then start the service:

net start mfradiusadapter

Logs

The component writes its logs to the Logs folder. If there are none, check that the folder is writable by the Network Service account.

Configuration of OpenVPN

First of all, you need a Linux server with OpenVPN installed.

It can be CentOS, Ubuntu, Debian or another distribution. CentOS is used here, but the differences for other systems are minimal.

Installation and basic configuration of OpenVPN are not covered, since there are many articles on that subject.

PAM_RADIUS module

Install the PAM_RADIUS module:

$ sudo yum -y install epel-release
$ sudo yum -y install pam_radius

Open the /etc/pam_radius.conf file for editing and specify the address of the Multifactor Radius Adapter component and the shared secret (the value of radius-shared-secret in the adapter configuration). The third column is the timeout in seconds; it has to be long enough for the user to answer the push or the call.

192.168.0.1:1812   shared_secret   40

Delete or comment out (put # at the beginning of the line) any other servers that are present in the file by default.
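Before wiring OpenVPN to PAM, it is worth confirming that the adapter answers Access-Accept for a domain user in the VPN Users group and Access-Reject for anyone else. The minimal RADIUS client below is an added example, not part of the original article or of the Multifactor adapter; the server address and secret are placeholders matching the pam_radius.conf line above, and the NAS-Identifier value "openvpn-test" is made up. It also shows why the shared secret matters: the user's password crosses the network protected only by an MD5 keystream derived from that secret (RFC 2865 §5.2), so the secret has to be strong and the UDP path between the OpenVPN host and the adapter has to be trusted.

```python
import hashlib
import os
import socket
import struct

ADAPTER = ("192.168.0.1", 1812)   # constructed: use the values from /etc/pam_radius.conf
SHARED_SECRET = b"shared_secret"
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, NAS_IDENTIFIER = 1, 2, 32

def pap_crypt(data, secret, authenticator, decrypt=False):
    """RFC 2865 §5.2: XOR each 16-byte block with MD5(secret + previous block);
    the chained block is the ciphertext, so decryption chains on the input."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        chunk = data[i:i + 16]
        block = bytes(a ^ b for a, b in zip(chunk, hashlib.md5(secret + prev).digest()))
        out, prev = out + block, (chunk if decrypt else block)
    return out

def encode_pap_password(password, secret, authenticator):
    return pap_crypt(password + b"\x00" * (-len(password) % 16), secret, authenticator)

def attribute(attr_type, value):
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def build_access_request(user, password, secret, ident=1, authenticator=None):
    authenticator = authenticator or os.urandom(16)   # 16 random bytes per request
    attrs = (attribute(USER_NAME, user.encode())
             + attribute(USER_PASSWORD, encode_pap_password(password.encode(), secret, authenticator))
             + attribute(NAS_IDENTIFIER, b"openvpn-test"))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs

def response_authenticator(request, response, secret):
    """RFC 2865 §3: MD5(Code + ID + Length + RequestAuthenticator + Attributes + Secret)."""
    return hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()

def response_is_authentic(request, response, secret):
    return (len(response) >= 20 and response[1] == request[1]
            and response_authenticator(request, response, secret) == response[4:20])

def check_credentials(user, password, server=ADAPTER, secret=SHARED_SECRET, timeout=40):
    request = build_access_request(user, password, secret)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)   # the user has up to 40 s to answer the push or the call
        sock.sendto(request, server)
        response, _ = sock.recvfrom(4096)
    if not response_is_authentic(request, response, secret):
        raise ValueError("Response Authenticator mismatch: shared secret differs from the adapter's")
    return response[0] == ACCESS_ACCEPT   # True on Access-Accept, False on Access-Reject
```

A mismatched secret shows up as a Response Authenticator failure rather than a plain Access-Reject, which separates a configuration error from a genuinely refused login.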

Configuration of OpenVPN server

Open the /etc/openvpn/server.conf file and add the plugin that authenticates users through the PAM module:

plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so openvpn

After that, create the PAM service file for OpenVPN:

$ sudo vi /etc/pam.d/openvpn

and put the following into it:

auth    sufficient  pam_radius_auth.so
account sufficient  pam_permit.so
session sufficient  pam_permit.so

Restart the OpenVPN server:

$ sudo systemctl restart openvpn@server

Conclusion

The configuration described in this article provides the reliability and level of protection needed to organize remote access for anywhere from a few to several thousand employees.

In addition, administration becomes much simpler because the single Active Directory user directory is used. The second authentication factor from Multifactor removes the need to issue an individual certificate for connecting to OpenVPN to every user.
