For this demonstration, the important parts are going to be the MFA challenge response mechanisms.
For this demonstration, you can download the sample configuration zip file.
The files included contain:
- Server Configuration File server.conf
- Certificate Authority Certificate ca.crt
- Server Certificate server.crt
- Server Private Key server.key
- macOS Client Configuration File macOS-MFA.ovpn
- Windows Client Configuration File windows-MFA.ovpn
- Oauth-tool MFA Verification Script oath.sh
- Okta MFA Verification Script okta.sh
- Oath Secret Generator oath-secret-gen.sh
The example files expect a FreeBSD or Linux system; my examples use FreeBSD on the server. Installing the OpenVPN and oath-toolkit packages from the FreeBSD ports tree or package repository should be all you need. Those will pull in any dependencies necessary.
For my examples, I used a virtual server hosted by Vultr. You can set up a virtual server in just a few minutes for less than a penny an hour. You are welcome to use my referral link or visit the site directly.
Note: It’s not necessary to host a server external to your local network. Virtual Private Servers (VPSs) make this cheap and easy to do, though.
Base Server Build
I created an account on Vultr, clicked on Products, clicked on the little blue plus (+) button in the upper right corner to create a new server.
Next, I selected “Cloud Compute”, Chicago (it’s closest to me), FreeBSD 12.1, $5/mo ($.007/h), and then “Deploy Now” at the bottom. It takes about 5 minutes for the machine to be available. Once ready, I installed the openvpn and oath-toolkit packages (along with vim, to make my life easier).
# pkg install vim oath-toolkit curl py37-urllib3 openvpn
Download the sample configuration files, extract them, and put the server files in place.
# fetch https://secure-computing.net/openvpn/mfa_example.zip
# unzip mfa_example.zip
# cd mfa_example
# mkdir /usr/local/etc/openvpn && cp server.* dh2048.pem ca.crt *.sh /usr/local/etc/openvpn/
Once that’s done, you need to enable the openvpn daemon on the box:
# echo ‘openvpn_enable=”YES”’ >> /etc/rc.conf
Then you can start the openvpn process:
# /usr/local/etc/rc.d/openvpn start
If you don’t see any errors, your server process is running. I don’t mean to leave out novice users here, but the intent of this article is MFA, not generic OpenVPN setup and startup.
For the macOS client, we are using Tunnelblick for the GUI client. No additional packages are required. For Windows, the built-in OpenVPN GUI is enough. The examples here don’t push any routes or perform any real network changes since the purpose is to demonstrate MFA.
Base Client Config
The two client configurations contain the configuration, as well as almost all of the certificate components required to start your VPN client. As we move our VPN forward from a basic client-certificate authenticated VPN to using username/password and MFA, we’ll be editing this config just a little bit.
The first edit required is to add the proper remote line, telling our clients what server to connect to. The port is assumed to be udp/1194, though you’re more than welcome to change that. There is no remote line in the configuration file as shipped, so you’ll need to add one like:
Note: We assume your server can auto-create the tunX device. Some instances, like Raspberry Pi are not set up to do this by default. Like other more advanced configurations, this is out of scope for this article.
macOS with Tunnelblick
For the macOS operating system, Tunnelblick is the premier OpenVPN GUI client. The CLI client works just fine, and it compiles from source, assuming you have all the XCode tools installed. The GUI client, however, makes things like DNS reconfiguration and “privacy” a bit easier.
Both the Windows and macOS (Tunnelblick) clients recognize the .ovpn file extension and will apply the appropriate icon and auto-loading logic to such files. The .conf file extension is more common on the *nix platforms, which is why they are named differently in the example file.
Double-clicking on the file will result in Tunnelblick loading the file and attempting to secure it. This just means it will copy the file to a location with restricted permissions. You will be prompted to elevate permissions.
Once the configuration is loaded, you can connect directly to the VPN. You won’t get an IP address, or new DNS servers, so Tunnelblick will pop up a couple of warnings; you can ignore these as they don’t really apply to our MFA test.
Windows with OpenVPN GUI
The windows installation is similar to the Mac. Download and install the official OpenVPN application. Once installed, copy the windows-MFA.ovpn file to your system into the OpenVPN config directory in C:\Program Files\OpenVPN\config.
On my Windows 10 system, Windows Defender initially blocked access and presented a popup window. Clicking on the Allow Access button allowed me to connect to the VPN.