Setting up an OpenVPN server with RCDevs WebADM, U2F and Viscosity
This guide walks you through setting up an OpenVPN server on an RCDevs WebADM host with OpenOTP support, using U2F as the second authentication factor. It is designed as a quick start or trial setup for enterprise users who are considering or already using WebADM; we don't recommend it to new or home users.
Preparation
For this guide, we assume:
- You already have a WebADM with OpenOTP setup you are familiar with, or are using "MFAVPN All in One Appliance", version 1.7.11 at time of writing
- You have a valid SSL certificate
- You have a FQDN for your WebADM and OpenVPN server
- You have SSH/SCP access to this installation
- You have a Yubico U2F device
- You already have a copy of Viscosity installed on your client device
RCDevs WebADM is a security and user management suite designed for enterprise. Together with OpenOTP, it provides a powerful authentication suite that can be used right across your network. RCDevs also have their own OpenVPN server suite, MFAVPN, which easily integrates with WebADM and OpenOTP.
To use U2F with the RCDevs packages, your WebADM and OpenVPN server need two extras: a valid SSL certificate, and a FQDN, i.e. a web address rather than an IP address. For this guide we'll be using rcvm.mydomain.com; change this address to match your own wherever you see it.
Support
Unfortunately we cannot provide any direct support for setting up your own OpenVPN server. We provide this guide as a courtesy to help you get started with, and make the most of, your copy of Viscosity. We've thoroughly tested the steps in this guide to ensure that, if you follow the instructions detailed below, you should be well on your way to enjoying the benefits of running your own OpenVPN server.
If you need more information or help, RCDevs offer discussion groups at https://www.rcdevs.com/forum/
WebADM with MFAVPN/OpenOTP Installation
If you don't already have a WebADM instance, the easiest way to get started is with the MFAVPN All in One Appliance, available here. These can be easily imported into most Virtual Machine software and are easy to setup.
For the rest of this guide we'll assume you are using a MFAVPN All in One Appliance from RCDevs, and you have chosen the default configuration.
First, import the appliance into your Virtual Machine platform of choice. On first run, follow the prompts; MFAVPN setup runs as part of this process. The default login information for both SSH and the web portal is displayed once setup is complete, so take a note of it.
Once WebADM is installed, you will need to ensure it is accessible via a FQDN and add your SSL certificate to the instance; a guide is available here.
The SSL certificate is required because the U2F specification has the client fetch the application ID (AppID) over HTTPS and check the requesting origin (facet) against the list it returns. Alternatively, you can proxy the U2F Facet URL through another server that has a valid SSL certificate; we'll point out the URL further into the guide.
As a final note, for enterprise use we recommend setting your OpenVPN server up on a different physical or virtual server to WebADM. This guide is exactly the same when setting up MFAVPN on a different server, the server you choose to host MFAVPN just needs network access to your WebADM server.
Setting up WebADM and OpenOTP
Before we set up our OpenVPN server, there are a few things we need to do in WebADM. Log in to your WebADM instance by going to its address in your browser, for us https://rcvm.mydomain.com; the default credentials are admin/password.
Before anything else, change the admin password. To do this, click cn=admin on the left under o=Root, then click Change password under LDAP Actions.
Configure U2F
- On the top menu click Applications, then in the MFA Authentication Server area, click CONFIGURE. Scroll down to the FIDO Devices section.
- Tick FIDO Device Type and select U2F
- Tick U2F Application ID and enter https://rcvm.mydomain.com/ws/appid/, replacing rcvm.mydomain.com with the address of your WebADM server
- Tick U2F Application Facets and enter openvpn://rcvm.mydomain.com, replacing rcvm.mydomain.com with the address of your WebADM server or OpenVPN server if elsewhere
- Scroll to the bottom and click Apply
Before we continue, note the U2F Facet Endpoint URL under MFA Authentication Server. This is the URL you will need to proxy via another server if you do not wish to add an SSL certificate to WebADM.
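To make the AppID and facet settings above concrete, here is an added example (not RCDevs', Viscosity's or the FIDO reference code) of the check a U2F client performs with them: it fetches the trusted-facet list from the AppID URL, discards https facets outside the AppID's registrable domain, and only lets a listed facet use keys registered under that AppID. It also computes the two 32-byte values the token actually signs over, which is why the AppID string must never change once tokens are registered. The facet document is a constructed stand-in in the shape defined by the FIDO U2F AppID and Facet specification; the assumption that the WebADM endpoint lists the UI's https origin plus the openvpn:// facet is ours.

```python
import hashlib
import json
from urllib.parse import urlsplit

# AppID and facet exactly as entered in the WebADM settings above.
APP_ID = "https://rcvm.mydomain.com/ws/appid/"
VPN_FACET = "openvpn://rcvm.mydomain.com"


def facets_doc(*facet_ids):
    """Build a trusted-facets document in the shape the FIDO U2F AppID and
    Facet spec defines. The real one is fetched from the AppID URL with
    Accept: application/fido.trusted-apps+json; this constructed stand-in
    lets the example run offline."""
    return json.dumps({
        "trustedFacets": [{
            "version": {"major": 1, "minor": 0},
            "ids": list(facet_ids),
        }]
    })


# Assumption: WebADM's facet endpoint returns its own https origin plus the
# openvpn:// facet configured in "U2F Application Facets".
TRUSTED_FACETS_DOC = facets_doc("https://rcvm.mydomain.com", VPN_FACET)


def app_id_is_valid(app_id):
    """U2F only accepts an https AppID: the facet list is fetched from it,
    so an http or IP-based AppID would let anyone on the path rewrite the
    list. This is why the WebADM host (or a TLS proxy in front of the facet
    endpoint) needs a valid certificate."""
    parts = urlsplit(app_id)
    return parts.scheme == "https" and bool(parts.hostname)


def registrable_domain(host):
    """Crude eTLD+1 (last two labels). The spec uses the public suffix
    list; this simplification works for mydomain.com but not for suffixes
    such as co.uk."""
    return ".".join(host.lower().split(".")[-2:])


def trusted_facets(app_id, doc):
    """Facet IDs the client may trust for this AppID: the v1.0 list from the
    document, minus https facets whose registrable domain differs from the
    AppID's (the spec discards those). Non-https facets such as openvpn://
    are matched by exact string only."""
    app_domain = registrable_domain(urlsplit(app_id).hostname or "")
    allowed = []
    for entry in json.loads(doc).get("trustedFacets", []):
        ver = entry.get("version", {})
        if ver.get("major") != 1 or ver.get("minor") != 0:
            continue
        for facet in entry.get("ids", []):
            f = urlsplit(facet)
            if f.scheme == "https" and registrable_domain(f.hostname or "") != app_domain:
                continue
            allowed.append(facet)
    return allowed


def facet_allowed(app_id, facet, doc):
    """Decide whether an origin (facet) may use keys registered under app_id."""
    if not app_id_is_valid(app_id):
        return False
    return facet in trusted_facets(app_id, doc)


def application_parameter(app_id):
    """The 32-byte 'application parameter' the token signs over: SHA-256 of
    the AppID string. It is an exact-string hash, so editing the AppID in
    WebADM later (even adding or dropping a trailing slash) orphans every
    key already registered."""
    return hashlib.sha256(app_id.encode("utf-8")).digest()


def challenge_parameter(challenge_b64url, facet, typ="navigator.id.getAssertion"):
    """The other 32 bytes the token signs: SHA-256 of the client data, which
    binds the server's challenge to the facet that made the request."""
    client_data = json.dumps(
        {"typ": typ, "challenge": challenge_b64url, "origin": facet},
        separators=(",", ":"),
    )
    return hashlib.sha256(client_data.encode("utf-8")).digest()


if __name__ == "__main__":
    print("vpn facet allowed:", facet_allowed(APP_ID, VPN_FACET, TRUSTED_FACETS_DOC))
    print("rogue facet allowed:", facet_allowed(APP_ID, "openvpn://evil.example", TRUSTED_FACETS_DOC))
    print("application parameter:", application_parameter(APP_ID).hex())
```

The practical consequences for this guide: the AppID must stay an https URL on a host whose certificate the client trusts, the facet you enter must be the exact string the VPN client presents, and the AppID string should be treated as immutable once users have registered tokens.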
Configure User
You can create a new user if you wish, but for the purposes of this test setup, we will use the already provisioned test-user account.
- On the left click cn=test-user under o=Root in the RCDevs Directory tree
- Click Change password and set a password for this user. Click Update Password to save it.
- Back in the user object, click CONFIGURE next to WebADM settings under Object Details
- Tick Login Mode and select LDAPU2F
- Tick OTP Type and select TOKEN (Default)
- Scroll to the bottom and click Apply
Next we can register a token for this user. Please ensure you are using the latest version of Chrome, Firefox or Microsoft Edge for the best results. At the time of writing, Safari does not have FIDO2 support.
- On the right click MFA Authentication Server under Application Actions
- Click Register/Unregister FIDO Devices
- Ensure FIDO Device Type is set to U2F, and enter a Friendly Name so you can identify the token later
- Click where it says Click Here or Press Enter and your token should flash. Tap the device to register it and you should receive a confirmation.
User and OpenOTP setup is now done! Let's configure OpenVPN now.
Setting up the OpenVPN Server
If using the MFAVPN All in One Appliance, OpenVPN is already set up; we simply need to retrieve the client configuration from the server. It is located at ~/client.zip on the server. This configuration is not unique per user, so you can make any changes you need and distribute the same file to all your users. Copy this configuration to your local computer with SCP.
A few things to note:
- If you need to change any settings or addresses related to OpenOTP, they are found in /opt/mfavpn/conf/ovpnauthd.conf
- If you would like to change any OpenVPN server settings, they are located at /opt/mfavpn/conf/openvpn.conf.
- If you need to generate a new client config after making changes, run /opt/mfavpn/bin/clientpkg user, then copy off ~/user.zip.
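Because one profile is shared by every user, it is worth checking the .ovpn inside the zip before handing it out. The following is an added example (not part of MFAVPN or Viscosity) that parses an OpenVPN client profile, confirms the remote points at your FQDN (the guide notes the default may not), confirms auth-user-pass is present so the username/password prompt that drives OpenOTP appears, flags a profile that reads credentials from a file, and checks that a server certificate identity check is configured. The sample profile, the hostname and the port are constructed for illustration; the real user.ovpn will differ.

```python
EXPECTED_HOST = "rcvm.mydomain.com"  # assumption: MFAVPN runs on the WebADM host

# Constructed sample profile; the real user.ovpn from client.zip will differ.
# It deliberately carries an internal address as `remote`.
SAMPLE_OVPN = """\
client
dev tun
proto udp
remote 192.168.56.10 1194
resolv-retry infinite
nobind
auth-user-pass
remote-cert-tls server
<ca>
-----BEGIN CERTIFICATE-----
MIIBconstructedplaceholder
-----END CERTIFICATE-----
</ca>
"""


def parse_directives(text):
    """Return [(name, args)] for each directive, treating <tag>...</tag>
    inline blocks as one directive so certificate bodies are not mistaken
    for options."""
    directives = []
    inline = None
    for raw in text.splitlines():
        line = raw.strip()
        if inline is not None:
            if line == f"</{inline}>":
                inline = None
            continue
        if not line or line[0] in "#;":
            continue
        if line.startswith("<") and line.endswith(">") and not line.startswith("</"):
            inline = line[1:-1]
            directives.append((inline, ["<inline>"]))
            continue
        parts = line.split()
        directives.append((parts[0], parts[1:]))
    return directives


def lint_profile(text, expected_host):
    """Return findings to fix before importing; an empty list is clean."""
    findings = []
    directives = parse_directives(text)
    names = {name for name, _ in directives}
    remotes = [args for name, args in directives if name == "remote"]
    if not remotes:
        findings.append("no 'remote' directive")
    for args in remotes:
        host = args[0] if args else ""
        if host != expected_host:
            findings.append(f"remote '{host}' should be {expected_host}")
    aup = [args for name, args in directives if name == "auth-user-pass"]
    if not aup:
        findings.append("'auth-user-pass' missing: no username/password prompt, so OpenOTP never runs")
    elif any(aup):
        findings.append("'auth-user-pass <file>' embeds credentials; the shared profile must stay user-agnostic")
    if "remote-cert-tls" not in names and "verify-x509-name" not in names:
        findings.append("no server certificate identity check ('remote-cert-tls server' or 'verify-x509-name')")
    return findings


def fix_remote(text, expected_host):
    """Rewrite every 'remote' line to point at expected_host, keeping the
    port and protocol that follow it; the same edit the guide makes under
    General in Viscosity."""
    out = []
    for raw in text.splitlines():
        parts = raw.split()
        if parts and parts[0] == "remote":
            parts[1:2] = [expected_host]
            out.append(" ".join(parts))
        else:
            out.append(raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for finding in lint_profile(SAMPLE_OVPN, EXPECTED_HOST):
        print("before:", finding)
    print("after fix:", lint_profile(fix_remote(SAMPLE_OVPN, EXPECTED_HOST), EXPECTED_HOST))
```

Run it against the extracted user.ovpn (read the file into lint_profile) before importing into Viscosity; if the only finding is the remote address you can either patch the file with fix_remote or, as the guide does, change the address in the connection's General tab after import.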
Setting Up Viscosity
The interfaces provided by the Mac and Windows versions of Viscosity are intentionally very similar. As such, we will focus our guide on the Windows version, pointing out any differences with the Mac version as they arise.
If you do not have Viscosity already running, start Viscosity now. In the Mac version you will see the Viscosity icon appear in the menu bar. In the Windows version you will see the Viscosity icon appear in the system tray.
Click the Viscosity icon in the menu bar on Mac or System Tray on Windows and select 'Preferences...':
Next, click the + button and navigate to Import Connection > From File.... Browse to where you extracted the user configuration zip you copied off the server, select user.ovpn, then click Import.
Finally, edit the connection and update the address under General, as the default configuration may not have the correct address. Make any further changes you wish, to routing or DNS for example, then save the connection.
Using Viscosity
Now all you need to do is connect. If you have followed this guide using test-user, enter test-user/<your password> when prompted for a username and password, then tap your U2F device when prompted to complete authentication. If you are on Windows 10 1803 or newer, you will see a Windows Security dialog for the U2F step.
Final Notes
As we mentioned at the start, this guide is meant to introduce you to WebADM and its OpenVPN/U2F functionality if you are considering it for your business; we don't recommend using this exact setup in a production environment or at home. We hope it shows that getting set up is a simple process, and that the security benefits of U2F and OpenOTP are easy to use. Remember, OpenOTP isn't restricted to OpenVPN but can be used with many other services; take a look at the RCDevs documentation for more examples.