How To Configure RCDevs MFAVPN

1. Overview

This document is an installation guide for the MFA VPN provided by RCDevs. The installation and configuration of WebADM, including token registration, are therefore not covered here. For installation and usage guides for WebADM and OpenOTP, please refer to the RCDevs WebADM Installation Guide and the RCDevs WebADM Administrator Guide, available on the RCDevs online documentation website.

2. Installation of MFA VPN

The RCDevs MFA VPN package is available at the following link. Once you have downloaded it, extract it on the target VPN server:

gunzip mfavpn-x.x.x.x64.sh.gz

Once the extraction is done, install the package:

sh mfavpn-x.x.x.x64.sh

Setup script is running:

MFA VPN Server v1.0.0 Self Installer
Copyright (c) 2010-2018 RCDevs SA, All rights reserved.
Please report software installation issues to bugs@rcdevs.com.

Install MFA VPN Server in '/opt/mfavpn/' (y/n)? y
Proceeding with installation...
Adding system user 'mfavpn'... Ok
Extracting files, please wait... Ok
Removing temporary files... Ok
Setting file permissions... Ok
Run MFA VPN Server setup script now? (y/n)? y
Checking system architecture... Ok
Enter the server fully qualified host name (FQDN): webadm2.yorcdevs.com
Enter one of your running WebADM server IP or hostname: 192.168.3.155
Primary OpenOTP service URL is: 'https://192.168.3.155:8443/openotp/'
Applying MFA VPN Server setting from default configuration files... Ok
Generating diffie-hellman key file for daemon 'openvpn'...
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
......................................................................................................Ok
Generating ta.key (tls-auth) file for daemon 'openvpn'... Ok
Retrieving WebADM CA certificate... Ok
The setup needs now to request a signed 'openvpn' certificate.
This request should show up as pending in your WebADM interface and an administrator must accept it.
Waiting for approbation...

The setup script now waits for a signed certificate for OpenVPN. At this step, open the WebADM Administrator GUI to approve the certificate request.


After logging in to the WebADM GUI, you will see a red button at the bottom of the page. Click on it.

You will see the pending certificate request.

Click on the Accept button to generate the certificate, and the setup script will continue.

Waiting for approbation... Ok
Do you want MFA VPN Server to be automatically started at boot (y/n)? y
Registering MFA VPN Server service... Ok
Do you want to register MFA VPN Server logrotate script (y/n)? y
Adding logrotate script... Ok
MFA VPN Server has successfully been setup.
MFA VPN Server has been successfully installed.
Start MFA VPN Server (y/n)? y
Checking system architecture... Ok
Starting MFA VPN Server...
Starting daemon 'openvpn'... Ok
Starting daemon 'ovpnauthd'... Ok

Please read the README and INSTALL files in '/opt/mfavpn/'. 

The installation is now complete. Installation folder is /opt/mfavpn/.

3. RCDevs MFA VPN Configuration Files

All configuration files are located in /opt/mfavpn/conf/.

3.1 ovpnauthd.conf

In this file, you can change the WebADM URLs, enable or disable U2F support, or set a client ID that points to a client policy on the WebADM side. The other settings can keep their default values.

#-#-#-#
#
#  ovpnauthd's configuration file.
#
#-#-#-#
#
#  A location where to store the daemon's log file.
#  Note that at the very early stage (when the daemon started but did not read yet this configuration file),
#  logs are sent to the standard output. Anyway, since the launcher script uses a redirection, you won't even see them.
#  Don't forget to adapt also file '/opt/mfavpn/lib/logrotate' if for any reason you decide to change the default path...
#
log_file /opt/mfavpn/logs/ovpnauthd.log
#
#-#-#-#

#-#-#-#
#
#  A location where to store the daemon's process ID file.
#
pid_file /opt/mfavpn/temp/ovpnauthd.pid
#
#-#-#-#

#-#-#-#
#
#  A CA file is required in order to trust the OTP servers the daemon will send requests to.
#
ca_file  /opt/mfavpn/conf/ca.crt
#
#-#-#-#

#-#-#-#
#
#  A list containing the addresses of your WebADM servers.
#  It must contain one or more items to let the daemon know where to send authentication requests.
#
server_urls {
    url1 https://192.168.3.155:8443/openotp/
}
#
#  How ovpnauthd will relay a request to the WebADM backend.
#   - "balanced" means the request will be balanced between server 1 and server 2 in a round-robin fashion.
#   - "ordered" means server 2 is kept as a hot spare in case the primary server stops answering requests properly.
#
#server_policy       Ordered
#
#  When two servers are configured, ovpnauthd can check the server statuses at regular
#  intervals by trying TCP socket connections. The status_cache is the polling interval
#  between 10 and 600 seconds.
#
status_cache         30
#
#-#-#-#

#-#-#-#
#
#  The default domain name passed to OpenOTP backends when the client entered a username only.
#  This prevents the WebADM server from applying any default domain configured on its own side.
#
#default_domain_name Default
#
#  Tells ovpnauthd how to extract 'domain' and 'username' from the username string entered
#  in order to send them both separately to OpenOTP backends.
#
#domain_separator    \
#
#-#-#-#

#-#-#-#
#
#  When U2F login is enabled and the user login mode is set to LDAPU2F or LDAPMFA,
#  a U2F authentication challenge is used (overriding OTP methods if present).
#  U2F for OpenVPN is supported by the Viscosity client only!
#
u2f_support         Yes
#
#-#-#-#

#-#-#-#
#
#  The client identifier to be sent to OpenOTP servers along with authentication requests.
#  This allows applying per-client contextual policies on the WebADM server while running an authentication workflow.
#
client_id           MFAVPN
#
#-#-#-#

#-#-#-#
#
#  The SOAP request TCP timeout is 30 seconds by default.
#  Just keep it as it is unless you really understand all the possible consequences a change could have.
#
#soap_timeout        30
#
#-#-#-#
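As an added example that is not part of the RCDevs package, the following Python parser reads this ovpnauthd.conf layout ('#' comments, key/value lines and the server_urls { } block) and checks the constraints the file's own comments state: every backend URL must be HTTPS and point at an OpenOTP endpoint (the certificate is verified through ca_file), server_policy must be balanced or ordered, and status_cache must lie between 10 and 600 seconds. The sample configuration embedded in the script is constructed from the file above; its second URL (url2) and its uppercase policy value are made up to exercise the checks.

```python
"""Parse and sanity-check an ovpnauthd.conf-style file.

Added example, not RCDevs code. The format is the one shown on the page:
'#' comments, 'key value' lines and a 'server_urls { urlN https://... }'
block. The checks encode the rules written in the file's own comments.
"""
from urllib.parse import urlparse

# Constructed sample, trimmed from the page's configuration. url2 (plain HTTP)
# and the capitalised policy are deliberate so the checks have something to do.
SAMPLE_CONF = """
# ovpnauthd's configuration file (sample)
log_file /opt/mfavpn/logs/ovpnauthd.log
pid_file /opt/mfavpn/temp/ovpnauthd.pid
ca_file  /opt/mfavpn/conf/ca.crt
server_urls {
    url1 https://192.168.3.155:8443/openotp/
    url2 http://192.168.3.156:8080/openotp/
}
server_policy       Ordered
status_cache         30
u2f_support         Yes
client_id           MFAVPN
#soap_timeout        30
"""


def parse_ovpnauthd_conf(text):
    """Return a dict of settings; 'server_urls' maps urlN -> URL string."""
    conf = {}
    block = None  # name of the '{ }' block we are currently inside, if any
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line.endswith("{"):
            block = line[:-1].strip()
            conf[block] = {}
            continue
        if line == "}":
            block = None
            continue
        parts = line.split(None, 1)  # key, then the rest of the line
        key, value = parts[0], (parts[1].strip() if len(parts) > 1 else "")
        if block:
            conf[block][key] = value
        else:
            conf[key] = value
    return conf


def check_ovpnauthd_conf(conf):
    """Return a list of findings; an empty list means the config passes."""
    findings = []
    urls = conf.get("server_urls", {})
    if not urls:
        findings.append("server_urls: no WebADM backend configured")
    for name, url in urls.items():
        parsed = urlparse(url)
        if parsed.scheme != "https":
            findings.append(f"{name}: {url} is not HTTPS; LDAP passwords and OTPs "
                            "would cross the network unprotected")
        if not parsed.path.rstrip("/").endswith("openotp"):
            findings.append(f"{name}: {url} does not look like an OpenOTP endpoint")
    if "ca_file" not in conf:
        findings.append("ca_file: missing, backend certificates cannot be verified")
    # server_policy defaults to balanced when the line is commented out
    policy = conf.get("server_policy", "balanced").lower()
    if policy not in ("balanced", "ordered"):
        findings.append(f"server_policy: unknown value {conf['server_policy']!r}")
    cache = conf.get("status_cache")
    if cache is not None and (not cache.isdigit() or not 10 <= int(cache) <= 600):
        findings.append(f"status_cache: {cache} is outside the 10-600 second range")
    return findings


if __name__ == "__main__":
    for finding in check_ovpnauthd_conf(parse_ovpnauthd_conf(SAMPLE_CONF)):
        print("WARNING:", finding)
```

Run against the real file with `parse_ovpnauthd_conf(open("/opt/mfavpn/conf/ovpnauthd.conf").read())`; on the constructed sample the only finding is the plain-HTTP url2.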

3.2 openvpn.conf

This is the OpenVPN configuration file. You have to configure it to start your OpenVPN server. For more information about the configuration of OpenVPN, please refer to the OpenVPN official documentation.

My OpenVPN configuration is very simple:

  • I have defined a dev tun interface to create a routed IP tunnel.
  • I have configured two routes that will be pushed to the client so it can reach my different networks.
  • I have set my DNS server and domain, which will be pushed to the client for name resolution and, on Windows clients, as the DNS domain suffix.
  • Other settings are kept at their defaults.

#################################################
# Sample OpenVPN 2.0 config file for            #
# multi-client server.                          #
#                                               #
# This file is for the server side              #
# of a many-clients <-> one-server              #
# OpenVPN configuration.                        #
#                                               #
# OpenVPN also supports                         #
# single-machine <-> single-machine             #
# configurations (See the Examples page         #
# on the web site for more info).               #
#                                               #
# This config should work on Windows            #
# or Linux/BSD systems.  Remember on            #
# Windows to quote pathnames and use            #
# double backslashes, e.g.:                     #
# "C:\\Program Files\\OpenVPN\\config\\foo.key" #
#                                               #
# Comments are preceded with '#' or ';'         #
#################################################

# Which local IP address should OpenVPN
# listen on? (optional)
;local a.b.c.d

# Which TCP/UDP port should OpenVPN listen on?
# If you want to run multiple OpenVPN instances
# on the same machine, use a different port
# number for each one.  You will need to
# open up this port on your firewall.
port 1194

# TCP or UDP server?
;proto tcp
proto udp

# "dev tun" will create a routed IP tunnel,
# "dev tap" will create an ethernet tunnel.
# Use "dev tap0" if you are ethernet bridging
# and have pre-created a tap0 virtual interface
# and bridged it with your ethernet interface.
# If you want to control access policies
# over the VPN, you must create firewall
# rules for the TUN/TAP interface.
# On non-Windows systems, you can give
# an explicit unit number, such as tun0.
# On Windows, use "dev-node" for this.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
;dev tap
dev tun

# Network topology
# Should be subnet (addressing via IP)
# unless Windows clients v2.0.9 and lower have to
# be supported (then net30, i.e. a /30 per client)
# Defaults to net30 (not recommended)
topology subnet

# Configure server mode and supply a VPN subnet
# for OpenVPN to draw client addresses from.
# The server will take 10.8.0.1 for itself,
# the rest will be made available to clients.
# Each client will be able to reach the server
# on 10.8.0.1. Comment this line out if you are
# ethernet bridging. See the man page for more info.
server 10.8.0.0 255.255.255.0

# Push routes to the client to allow it
# to reach other private subnets behind
# the server.  Remember that these
# private subnets will also need
# to know to route the OpenVPN client
# address pool (10.8.0.0/255.255.255.0)
# back to the OpenVPN server.
push "route 192.168.2.0 255.255.255.0"
push "route 172.16.8.0 255.255.255.0"
;push "route 192.168.20.0 255.255.255.0"

# If enabled, this directive will configure
# all clients to redirect their default
# network gateway through the VPN, causing
# all IP traffic such as web browsing and
# and DNS lookups to go through the VPN
# (The OpenVPN server machine may need to NAT
# or bridge the TUN/TAP interface to the internet
# in order for this to work properly).
;push "redirect-gateway def1 bypass-dhcp"

# Certain Windows-specific network settings
# can be pushed to clients, such as DNS
# or WINS server addresses.  CAVEAT:
# http://openvpn.net/faq.html#dhcpcaveats
# The active lines push the internal DNS server and
# domain suffix; the commented addresses below refer
# to the public DNS servers provided by opendns.com.
push "dhcp-option DNS 192.168.3.50"
;push "dhcp-option DNS 208.67.220.220"
;push "dhcp-option WINS 208.67.220.223"
push "dhcp-option DOMAIN yorcdevs.com"

# Uncomment this directive to allow different
# clients to be able to "see" each other.
# By default, clients will only see the server.
# To force clients to only see the server, you
# will also need to appropriately firewall the
# server's TUN/TAP interface.
;client-to-client

# The keepalive directive causes ping-like
# messages to be sent back and forth over
# the link so that each side knows when
# the other side has gone down.
# Ping every 10 seconds assume that remote
# peer is down if no ping received during
# a 120 second time period.
keepalive 10 120

# Enable compression on the VPN link and push the
# option to the client (2.4+ only, for earlier
# versions see below)
;compress lz4-v2
;push "compress lz4-v2"

# For compression compatible with older clients use comp-lzo
# If you enable it here, you must also
# enable it in the client config file.
;comp-lzo

# The maximum number of concurrently connected
# clients we want to allow.
;max-clients 100

# The persist options will try to avoid
# accessing certain resources on restart
# that may no longer be accessible because
# of the privilege downgrade.
persist-key
persist-tun

# Set the appropriate level of log
# file verbosity.
#
# 0 is silent, except for fatal errors
# 4 is reasonable for general usage
# 5 and 6 can help to debug connection problems
# 9 is extremely verbose
verb 3

# Silence repeating messages.  At most 20
# sequential messages of the same message
# category will be output to the log.
;mute 20

# Notify the client when the server restarts so it
# can automatically reconnect.
explicit-exit-notify 1

# Disable periodic TLS renegotiation (OpenVPN's default is
# every 3600 seconds). A renegotiation re-runs the user
# authentication, and a one-time password cannot be reused,
# so clients would be re-prompted or disconnected every hour.
reneg-sec 0

After editing both files, restart the RCDevs MFA VPN services:

/opt/mfavpn/bin/mfavpn restart

Your MFA VPN is now ready to work!
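As an added example (not RCDevs or OpenVPN code), here is a Python check for the openvpn.conf directives that matter once the second factor is a one-time password. It parses the server file format shown above (';' and '#' comments, push "..." lines), reports a missing or non-zero reneg-sec (OpenVPN renegotiates the TLS session every 3600 seconds by default and re-runs user authentication when it does, which a cached OTP cannot satisfy), checks that pushed routes are well-formed and do not overlap the client pool given to the server directive, and flags redirect-gateway and client-to-client because each widens what a connected client can reach. The embedded sample is constructed from the configuration above with reneg-sec left out on purpose.

```python
"""Check the security-relevant directives of an OpenVPN server config.

Added example, not RCDevs or OpenVPN code. It reads the format shown on the
page and reports on settings that interact with OTP authentication.
"""
import ipaddress

# Constructed sample, reduced from the page's openvpn.conf; reneg-sec is
# deliberately absent so the check reports OpenVPN's 3600 second default.
SAMPLE_OPENVPN_CONF = """
port 1194
;proto tcp
proto udp
dev tun
topology subnet
server 10.8.0.0 255.255.255.0
push "route 192.168.2.0 255.255.255.0"
push "route 172.16.8.0 255.255.255.0"
;push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 192.168.3.50"
push "dhcp-option DOMAIN yorcdevs.com"
;client-to-client
keepalive 10 120
persist-key
persist-tun
verb 3
explicit-exit-notify 1
"""


def parse_openvpn_conf(text):
    """Return (directives, pushed).

    directives maps a directive name to a list of argument lists (a directive
    may appear more than once); pushed lists the options sent to clients.
    """
    directives, pushed = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # blank or comment line
            continue
        name, _, rest = line.partition(" ")
        rest = rest.strip()
        if name == "push":
            pushed.append(rest.strip('"'))
        else:
            directives.setdefault(name, []).append(rest.split())
    return directives, pushed


def check_openvpn_conf(text):
    """Return a list of findings for a server that authenticates with OTPs."""
    directives, pushed = parse_openvpn_conf(text)
    findings = []

    # 1. TLS renegotiation re-runs username/password authentication. A cached
    #    one-time password is stale by then, so reneg-sec must be 0.
    reneg = directives.get("reneg-sec", [["3600"]])[0][0]
    if reneg != "0":
        findings.append(f"reneg-sec is {reneg}: each renegotiation will require "
                        "a fresh OTP; set reneg-sec 0")

    # 2. Pushed routes must parse and must not overlap the client address pool.
    pool = None
    if "server" in directives:
        net, mask = directives["server"][0][:2]
        pool = ipaddress.ip_network(f"{net}/{mask}", strict=False)
    for opt in pushed:
        parts = opt.split()
        if parts[0] == "route":
            route = ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=False)
            if pool and route.overlaps(pool):
                findings.append(f"pushed route {route} overlaps the VPN pool {pool}")
        elif parts[0] == "redirect-gateway":
            findings.append("redirect-gateway is pushed: all client traffic "
                            "will transit the VPN server")

    # 3. Clients can only reach each other when this is explicitly enabled.
    if "client-to-client" in directives:
        findings.append("client-to-client is enabled: VPN clients can reach "
                        "each other directly")
    return findings


if __name__ == "__main__":
    for finding in check_openvpn_conf(SAMPLE_OPENVPN_CONF):
        print("WARNING:", finding)
```

On the constructed sample the only finding is the missing reneg-sec; appending the page's `reneg-sec 0` line makes the check pass.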

4. Generate an End-user Package

A script is available to generate an end-user package containing the OpenVPN client configuration file, the certificate authority file (ca.crt) and the tls-auth key (ta.key).

To run this script, execute the following command:

/opt/mfavpn/bin/clientpkg user

  adding: user/ (stored 0%)
  adding: user/ca.crt (deflated 25%)
  adding: user/ta.key (deflated 40%)
  adding: user/user.ovpn (deflated 54%)

An output file named user.zip is created. Give this archive to your user.

5. Import VPN Configuration File in Viscosity or OpenVPN Client

After copying the zip file to your client machine, extract it.

On my side, I use Viscosity as my VPN client. Viscosity is fully compatible with the RCDevs MFA VPN server and with OpenOTP U2F authentication.

Note

Currently, the Viscosity client is the only VPN client able to handle U2F authentication.

To import the OpenVPN client configuration, double-click on the .ovpn file.

My new VPN configuration is now imported in the Viscosity client.

5.1 Login Test with an OTP

I click on the user connection to initiate the VPN connection and I'm prompted to enter my LDAP credentials:

I press Ok and on the next screen I'm prompted for the OTP:

I enter my OTP and press Ok. I'm now successfully logged in through RCDevs MFA VPN with an OTP.


5.2 Login Test with U2F Key

To use RCDevs MFA VPN with a U2F key, the setting u2f_support must be set to Yes in the /opt/mfavpn/conf/ovpnauthd.conf file. This is the default value.

You also have to set the login mode to LDAPMFA in OpenOTP and have a working U2F configuration. To do so, please refer to the OpenOTP U2F documentation.

Once the U2F configuration and the U2F key enrollment are done, I click on the user connection in Viscosity to initiate the VPN connection and I'm prompted to enter my LDAP credentials:

I press Ok and on the next screen I'm prompted to touch my U2F key:

I touch the U2F key plugged into my laptop and I'm now connected through RCDevs MFA VPN.

6. Authentication Logs

6.1 OTP Login Logs

[2018-03-12 10:50:51] [192.168.3.55] [OpenOTP:1GXC35AG] > Username: administrateur
[2018-03-12 10:50:51] [192.168.3.55] [OpenOTP:1GXC35AG] > Password: xxxxxxxx
[2018-03-12 10:50:51] [192.168.3.55] [OpenOTP:1GXC35AG] > Client ID: MFAVPN
[2018-03-12 10:50:51] [192.168.3.55] [OpenOTP:1GXC35AG] > Source IP: 192.168.3.254
[2018-03-12 10:50:51] [192.168.3.55] [OpenOTP:1GXC35AG] Registered openotpSimpleLogin request
[2018-03-12 10:50:51] [192.168.3.55] [OpenOTP:1GXC35AG] Resolved LDAP user: CN=Administrateur,CN=Users,DC=yorcdevs,DC=com (cached)
[2018-03-12 10:50:51] [192.168.3.55] [OpenOTP:1GXC35AG] Resolved LDAP groups: propriétaires créateurs de la stratégie de groupe,admins du domaine,administrateurs de l’entreprise,administrateurs du schéma,administrateurs,utilisateurs du bureau à distance,groupe de réplication dont le mot de passe rodc est refusé
[2018-03-12 10:50:51] [192.168.3.55] [OpenOTP:1GXC35AG] Started transaction lock for user
[2018-03-12 10:50:51] [192.168.3.55] [OpenOTP:1GXC35AG] Found user language: EN
[2018-03-12 10:50:51] [192.168.3.55] [OpenOTP:1GXC35AG] Found 1 user mobiles: +33xxxxxxxx
[2018-03-12 10:50:51] [192.168.3.55] [OpenOTP:1GXC35AG] Found 1 user emails: support@rcdevs.com
[2018-03-12 10:50:51] [192.168.3.55] [OpenOTP:1GXC35AG] Found 4 user certificates
[2018-03-12 10:50:51] [192.168.3.55] [OpenOTP:1GXC35AG] Found 37 user settings: LoginMode=LDAPOTP,OTPType=TOKEN,OTPLength=6,ChallengeMode=Yes,ChallengeTimeout=90,MobileTimeout=30,PushLogin=No,EnableLogin=Yes,HOTPLookAheadWindow=25,TOTPTimeStep=30,TOTPTimeOffsetWindow=120,OCRASuite=OCRA-1:HOTP-SHA1-6:QN06-T1M,SMSType=Normal,SMSMode=Ondemand,MailMode=Ondemand,LastOTPTime=300,ListChallengeMode=ShowID
[2018-03-12 10:50:51] [192.168.3.55] [OpenOTP:1GXC35AG] Found 12 user data: LoginCount,RejectCount,LastOTP,ListInit,ListState,TokenType,TokenKey,TokenState,TokenID,Device1Name,Device1Data,Device1State
[2018-03-12 10:50:51] [192.168.3.55] [OpenOTP:1GXC35AG] Last OTP present (valid until 2018-03-12 10:54:57)
[2018-03-12 10:50:51] [192.168.3.55] [OpenOTP:1GXC35AG] OTP List present (2/25 passwords used)
[2018-03-12 10:50:51] [192.168.3.55] [OpenOTP:1GXC35AG] Found 1 registered OTP token (TOTP)
[2018-03-12 10:50:51] [192.168.3.55] [OpenOTP:1GXC35AG] Requested login factors: LDAP & OTP
[2018-03-12 10:50:51] [192.168.3.55] [OpenOTP:1GXC35AG] LDAP password Ok
[2018-03-12 10:50:51] [192.168.3.55] [OpenOTP:1GXC35AG] Challenge required
[2018-03-12 10:50:52] [192.168.3.55] [OpenOTP:1GXC35AG] Sent push notification for token #1
[2018-03-12 10:50:52] [192.168.3.55] [OpenOTP:1GXC35AG] Started OTP challenge session of ID 0Dy12B8P32ElaO5p valid for 90 seconds
[2018-03-12 10:50:52] [192.168.3.55] [OpenOTP:1GXC35AG] Sent challenge response
[2018-03-12 10:51:09] [192.168.3.55] [OpenOTP:1GXC35AG] New openotpChallenge SOAP request
[2018-03-12 10:51:09] [192.168.3.55] [OpenOTP:1GXC35AG] > Username: administrateur
[2018-03-12 10:51:09] [192.168.3.55] [OpenOTP:1GXC35AG] > Session: 0Dy12B8P32ElaO5p
[2018-03-12 10:51:09] [192.168.3.55] [OpenOTP:1GXC35AG] > OTP Password: xxxxxx
[2018-03-12 10:51:09] [192.168.3.55] [OpenOTP:1GXC35AG] Registered openotpChallenge request
[2018-03-12 10:51:09] [192.168.3.55] [OpenOTP:1GXC35AG] Found challenge session started 2018-03-12 10:50:51
[2018-03-12 10:51:09] [192.168.3.55] [OpenOTP:1GXC35AG] Started transaction lock for user
[2018-03-12 10:51:09] [192.168.3.55] [OpenOTP:1GXC35AG] PUSH password Ok (token #1)
[2018-03-12 10:51:09] [192.168.3.55] [OpenOTP:1GXC35AG] Sent stop notification for token #1
[2018-03-12 10:51:09] [192.168.3.55] [OpenOTP:1GXC35AG] Updated user data
[2018-03-12 10:51:09] [192.168.3.55] [OpenOTP:1GXC35AG] Sent success response

6.2 U2F Login Logs

[2018-03-12 10:40:58] [192.168.3.55] [OpenOTP:IDPCMSSZ] New openotpSimpleLogin SOAP request
[2018-03-12 10:40:58] [192.168.3.55] [OpenOTP:IDPCMSSZ] > Username: administrateur
[2018-03-12 10:40:58] [192.168.3.55] [OpenOTP:IDPCMSSZ] > Password: xxxxxxxx
[2018-03-12 10:40:58] [192.168.3.55] [OpenOTP:IDPCMSSZ] > Client ID: MFAVPN
[2018-03-12 10:40:58] [192.168.3.55] [OpenOTP:IDPCMSSZ] > Source IP: 192.168.3.156
[2018-03-12 10:40:58] [192.168.3.55] [OpenOTP:IDPCMSSZ] Registered openotpSimpleLogin request
[2018-03-12 10:40:58] [192.168.3.55] [OpenOTP:IDPCMSSZ] Resolved LDAP user: CN=Administrateur,CN=Users,DC=yorcdevs,DC=com (cached)
[2018-03-12 10:40:58] [192.168.3.55] [OpenOTP:IDPCMSSZ] Resolved LDAP groups: propriétaires créateurs de la stratégie de groupe,admins du domaine,administrateurs de l’entreprise,administrateurs du schéma,administrateurs,utilisateurs du bureau à distance,groupe de réplication dont le mot de passe rodc est refusé
[2018-03-12 10:40:58] [192.168.3.55] [OpenOTP:IDPCMSSZ] Started transaction lock for user
[2018-03-12 10:40:58] [192.168.3.55] [OpenOTP:IDPCMSSZ] Found user language: EN
[2018-03-12 10:40:58] [192.168.3.55] [OpenOTP:IDPCMSSZ] Found 1 user mobiles: +33658506140
[2018-03-12 10:40:58] [192.168.3.55] [OpenOTP:IDPCMSSZ] Found 1 user emails: support@rcdevs.com
[2018-03-12 10:40:58] [192.168.3.55] [OpenOTP:IDPCMSSZ] Found 4 user certificates
[2018-03-12 10:40:58] [192.168.3.55] [OpenOTP:IDPCMSSZ] Found 38 user settings: LoginMode=LDAPMFA,OTPType=TOKEN,OTPLength=6,ChallengeMode=Yes,ChallengeTimeout=90,MobileTimeout=30,PushLogin=Yes,EnableLogin=Yes,HOTPLookAheadWindow=25,TOTPTimeStep=30,TOTPTimeOffsetWindow=120,OCRASuite=OCRA-1:HOTP-SHA1-6:QN06-T1M,SMSType=Normal,SMSMode=Ondemand,MailMode=Ondemand,LastOTPTime=300,ListChallengeMode=ShowID
[2018-03-12 10:40:58] [192.168.3.55] [OpenOTP:IDPCMSSZ] Found 12 user data: LoginCount,RejectCount,ListInit,ListState,TokenType,TokenKey,TokenState,TokenID,TokenSerial,Device1Name,Device1Data,Device1State
[2018-03-12 10:40:58] [192.168.3.55] [OpenOTP:IDPCMSSZ] OTP List present (2/25 passwords used)
[2018-03-12 10:40:58] [192.168.3.55] [OpenOTP:IDPCMSSZ] Token #1 (TOTP) is disabled
[2018-03-12 10:40:58] [192.168.3.55] [OpenOTP:IDPCMSSZ] User has no OTP token registered
[2018-03-12 10:40:58] [192.168.3.55] [OpenOTP:IDPCMSSZ] Found 1 registered U2F device
[2018-03-12 10:40:58] [192.168.3.55] [OpenOTP:IDPCMSSZ] Requested login factors: LDAP & U2F
[2018-03-12 10:40:58] [192.168.3.55] [OpenOTP:IDPCMSSZ] LDAP password Ok
[2018-03-12 10:40:58] [192.168.3.55] [OpenOTP:IDPCMSSZ] Challenge required
[2018-03-12 10:40:58] [192.168.3.55] [OpenOTP:IDPCMSSZ] Started U2F challenge session of ID f0FKOqM20x2XxqkF valid for 90 seconds
[2018-03-12 10:40:58] [192.168.3.55] [OpenOTP:IDPCMSSZ] Sent challenge response
[2018-03-12 10:41:13] [192.168.3.55] [OpenOTP:IDPCMSSZ] New openotpChallenge SOAP request
[2018-03-12 10:41:13] [192.168.3.55] [OpenOTP:IDPCMSSZ] > Username: administrateur
[2018-03-12 10:41:13] [192.168.3.55] [OpenOTP:IDPCMSSZ] > Session: f0FKOqM20x2XxqkF
[2018-03-12 10:41:13] [192.168.3.55] [OpenOTP:IDPCMSSZ] > U2F Response: 417 Bytes
[2018-03-12 10:41:13] [192.168.3.55] [OpenOTP:IDPCMSSZ] Registered openotpChallenge request
[2018-03-12 10:41:13] [192.168.3.55] [OpenOTP:IDPCMSSZ] Found challenge session started 2018-03-12 10:40:58
[2018-03-12 10:41:13] [192.168.3.55] [OpenOTP:IDPCMSSZ] Started transaction lock for user
[2018-03-12 10:41:13] [192.168.3.55] [OpenOTP:IDPCMSSZ] U2F response Ok (device #1)
[2018-03-12 10:41:13] [192.168.3.55] [OpenOTP:IDPCMSSZ] Updated user data
[2018-03-12 10:41:13] [192.168.3.55] [OpenOTP:IDPCMSSZ] Sent success response
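The two logs above (6.1 and 6.2) show one login as two OpenOTP requests tied together by a challenge session ID: openotpSimpleLogin validates the LDAP password and opens a challenge, openotpChallenge closes it with the OTP or the U2F response. As an added example that is not RCDevs code, the following Python script correlates lines in that layout ('[timestamp] [server] [OpenOTP:<request id>] message') into one record per attempt: who, from which source IP, under which client ID, which factors were requested, how many seconds the second-factor step took relative to its timeout, and whether the reply quoted the session the server actually started. "Sent success response" is the only outcome string the page shows, so anything else is reported as unknown. The sample log is a constructed abridgement of the page's own lines; password and OTP lines are deliberately not retained.

```python
"""Correlate OpenOTP log lines into one record per login attempt.

Added example, not RCDevs code. Built for the line format shown in the
page's sections 6.1 and 6.2.
"""
import re
from datetime import datetime

LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<server>[^\]]+)\] \[OpenOTP:(?P<rid>[^\]]+)\] (?P<msg>.*)$")
CHALLENGE_RE = re.compile(
    r"Started (?P<kind>\w+) challenge session of ID (?P<sid>\S+) valid for (?P<secs>\d+) seconds")

# Constructed sample: abridged from the page's OTP (6.1) and U2F (6.2) logs.
SAMPLE_LOG = """\
[2018-03-12 10:50:51] [192.168.3.55] [OpenOTP:1GXC35AG] > Username: administrateur
[2018-03-12 10:50:51] [192.168.3.55] [OpenOTP:1GXC35AG] > Client ID: MFAVPN
[2018-03-12 10:50:51] [192.168.3.55] [OpenOTP:1GXC35AG] > Source IP: 192.168.3.254
[2018-03-12 10:50:51] [192.168.3.55] [OpenOTP:1GXC35AG] Requested login factors: LDAP & OTP
[2018-03-12 10:50:51] [192.168.3.55] [OpenOTP:1GXC35AG] LDAP password Ok
[2018-03-12 10:50:52] [192.168.3.55] [OpenOTP:1GXC35AG] Started OTP challenge session of ID 0Dy12B8P32ElaO5p valid for 90 seconds
[2018-03-12 10:51:09] [192.168.3.55] [OpenOTP:1GXC35AG] New openotpChallenge SOAP request
[2018-03-12 10:51:09] [192.168.3.55] [OpenOTP:1GXC35AG] > Session: 0Dy12B8P32ElaO5p
[2018-03-12 10:51:09] [192.168.3.55] [OpenOTP:1GXC35AG] PUSH password Ok (token #1)
[2018-03-12 10:51:09] [192.168.3.55] [OpenOTP:1GXC35AG] Sent success response
[2018-03-12 10:40:58] [192.168.3.55] [OpenOTP:IDPCMSSZ] > Username: administrateur
[2018-03-12 10:40:58] [192.168.3.55] [OpenOTP:IDPCMSSZ] > Client ID: MFAVPN
[2018-03-12 10:40:58] [192.168.3.55] [OpenOTP:IDPCMSSZ] > Source IP: 192.168.3.156
[2018-03-12 10:40:58] [192.168.3.55] [OpenOTP:IDPCMSSZ] Requested login factors: LDAP & U2F
[2018-03-12 10:40:58] [192.168.3.55] [OpenOTP:IDPCMSSZ] Started U2F challenge session of ID f0FKOqM20x2XxqkF valid for 90 seconds
[2018-03-12 10:41:13] [192.168.3.55] [OpenOTP:IDPCMSSZ] New openotpChallenge SOAP request
[2018-03-12 10:41:13] [192.168.3.55] [OpenOTP:IDPCMSSZ] > Session: f0FKOqM20x2XxqkF
[2018-03-12 10:41:13] [192.168.3.55] [OpenOTP:IDPCMSSZ] U2F response Ok (device #1)
[2018-03-12 10:41:13] [192.168.3.55] [OpenOTP:IDPCMSSZ] Sent success response
"""


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def correlate_logins(text):
    """Return {request id: record} describing each login attempt."""
    records = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated or truncated line
        rec = records.setdefault(
            m["rid"], {"factors": None, "challenge": None, "outcome": "unknown"})
        msg, ts = m["msg"], parse_ts(m["ts"])
        started = CHALLENGE_RE.match(msg)
        # '> Password:' and '> OTP Password:' lines are intentionally not stored.
        if msg.startswith("> Username: "):
            rec["username"] = msg[len("> Username: "):]
        elif msg.startswith("> Client ID: "):
            rec["client_id"] = msg[len("> Client ID: "):]
        elif msg.startswith("> Source IP: "):
            rec["source_ip"] = msg[len("> Source IP: "):]
        elif msg.startswith("Requested login factors: "):
            rec["factors"] = msg[len("Requested login factors: "):].split(" & ")
        elif started:
            rec["challenge"] = {"kind": started["kind"], "session": started["sid"],
                                "timeout": int(started["secs"]), "started": ts,
                                "answered_after": None}
        elif msg == "New openotpChallenge SOAP request" and rec["challenge"]:
            rec["challenge"]["answered_after"] = (ts - rec["challenge"]["started"]).total_seconds()
        elif msg.startswith("> Session: ") and rec["challenge"]:
            # The reply must quote the session the server opened for this request.
            if msg[len("> Session: "):] != rec["challenge"]["session"]:
                rec["outcome"] = "session mismatch"
        elif msg == "Sent success response":
            rec["outcome"] = "success"
    for rec in records.values():
        ch = rec["challenge"]
        rec["second_factor_in_time"] = bool(
            ch and ch["answered_after"] is not None and ch["answered_after"] <= ch["timeout"])
    return records


if __name__ == "__main__":
    for rid, rec in correlate_logins(SAMPLE_LOG).items():
        print(rid, rec.get("username"), rec.get("source_ip"), rec["factors"],
              rec["challenge"] and rec["challenge"]["answered_after"], rec["outcome"])
```

Feeding the live log (the ovpnauthd.log path is set in ovpnauthd.conf; the OpenOTP lines above come from the WebADM side) produces one record per request ID, which is the granularity at which a failed second factor or a source IP that does not match the user's usual one stands out.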

7. Video Tutorial

A video version of this tutorial is available on YouTube.