These step-by-step instructions show how to configure your OpenVPN server with AuthX, which provides second-factor authentication for connecting to the private network with the OpenVPN client.
To Begin
- Sign up for your AuthX account here
- Navigate to the applications tab
- Click on Protect an Application and select OpenVPN as the type of application
- Getting Started to Applications
- Copy the application credentials (Application ID, Application Key, application URL)
- Download the AuthX OpenVPN package from here
Server-side requirements
- Python 2.7 or later should be installed on the server
Pre-Requisites
PIP2 is needed to install the Python packages requests and simplejson. The requests package is used to send HTTP/HTTPS requests, and simplejson is used to send the REST API requests to the AuthX web service.
Installing PIP
1. Download the package from https://bootstrap.pypa.io/get-pip.py
2. To install it, navigate to the location where it was downloaded and run:
$ python ./get-pip.py
3. Install the requests and simplejson packages using the pip command:
$ pip install requests
$ pip install simplejson
4. The requests package can be found in /usr/lib/python2.7/site-packages
5. The simplejson package can be found in /usr/lib64/python2.7/site-packages
If the packages are installed at a different path, determine where they have been installed. These locations must be specified either through the PYTHONPATH environment variable or by adding them to the script itself.
Extract and Copy
- Extract the package that has been downloaded from the AuthX repository.
- The extracted folder should have three files: certify_constants.py, certify_post_auth_script.py, certify_web_api.py
- Copy the certify_post_auth_script.py to /usr/local/openvpn_as/scripts/ directory.
- To add the path of certify_constants.py and certify_web_api.py to certify_post_auth_script.py, add the lines below to the script (this is Python code, not a shell command)
import sys
sys.path.insert(1, '/home/<username>/<Path to the extracted folders>')
Configure
1. Update the certify_constants.py file with the application parameters that you have received from the portal. Use plain ASCII quotes around each value.
DEFAULT_CERTIFY_AUTH_SERVER_URL = "Application URL"
DEFAULT_CERTIFY_HOST = "Hostname"
DEFAULT_APPLICATION_KEY = "Application ID"
DEFAULT_SECRET_KEY = "Application Key"
DOMAIN_SUFFIX = "<Domain where the VPN server is configured>"
2. Use the commands below to configure the scripts
$ sudo /usr/local/openvpn_as/scripts/sacli -a <username> -k auth.module.post_auth_script --value_file=/usr/local/openvpn_as/scripts/certify_post_auth_script.py ConfigPut
3. Reset the server with the command below. After the server is restarted, AuthX can be used as second-factor authentication.
$ sudo /usr/local/openvpn_as/scripts/sacli -a <username> Reset
To remove Google authentication from the OpenVPN server:
$ sudo /usr/local/openvpn_as/scripts/sacli --user <USER_OR_GROUP> --key "prop_google_auth" --value "false" UserPropPut
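Before registering the script with sacli, it helps to check the edited certify_constants.py for the mistakes this procedure invites: placeholders left in place, typographic quotes pasted from a web page, and a file holding DEFAULT_SECRET_KEY that other local users can access. The following is an added example, not part of the AuthX package; check_constants and write_sample are hypothetical names, the sample values and authx.example.invalid are constructed, and the plain-http and file-permission checks are assumptions of this example rather than AuthX requirements.

```python
# Added example (not AuthX code): preflight check for certify_constants.py.
from __future__ import print_function
import io, os, re, stat, tempfile

REQUIRED = ["DEFAULT_CERTIFY_AUTH_SERVER_URL", "DEFAULT_CERTIFY_HOST",
            "DEFAULT_APPLICATION_KEY", "DEFAULT_SECRET_KEY", "DOMAIN_SUFFIX"]
# Placeholder texts used in this guide; a deployed file must not still contain them.
PLACEHOLDERS = {"application url", "hostname", "application id", "application key"}
CURLY = u"\u2018\u2019\u201c\u201d"  # typographic quotes; as delimiters, a SyntaxError
ASSIGN = re.compile(r"""^(\w+)\s*=\s*(["'])(.*)\2\s*$""")

def check_constants(path):
    """Return a list of findings; an empty list means the file looks deployable."""
    findings, values = [], {}
    # The file holds DEFAULT_SECRET_KEY: flag any access bits for "other" users.
    if stat.S_IMODE(os.stat(path).st_mode) & stat.S_IRWXO:
        findings.append("file is accessible to other users")
    with io.open(path, encoding="utf-8") as fh:
        for line in (raw.strip() for raw in fh):
            name = line.split("=")[0].strip()
            if any(ch in line for ch in CURLY):
                findings.append("curly quotes: " + name)
                values[name] = None  # seen, but not a usable string literal
            elif ASSIGN.match(line):
                values[name] = ASSIGN.match(line).group(3).strip()
    for name in REQUIRED:
        val = values.get(name)
        if name not in values:
            findings.append("missing: " + name)
        elif val is not None and (not val or "<" in val or val.lower() in PLACEHOLDERS):
            findings.append("placeholder value: " + name)
    if (values.get("DEFAULT_CERTIFY_AUTH_SERVER_URL") or "").lower().startswith("http://"):
        findings.append("server URL uses plain http")
    return findings

def write_sample(text, mode):
    """Write constructed sample content to a temp file with the given permissions."""
    fd, path = tempfile.mkstemp(suffix=".py")
    with io.open(fd, "w", encoding="utf-8") as fh:
        fh.write(text)
    os.chmod(path, mode)
    return path

if __name__ == "__main__":
    # Constructed sample: plain-http URL, curly quotes, an unedited placeholder.
    sample = (u'DEFAULT_CERTIFY_AUTH_SERVER_URL = "http://authx.example.invalid"\n'
              u"DEFAULT_CERTIFY_HOST = \u201cvpn01\u201d\n"
              u'DEFAULT_APPLICATION_KEY = "Application ID"\n')
    for finding in check_constants(write_sample(sample, 0o644)):
        print(finding)
```

To check a real deployment, call check_constants with the path of the edited certify_constants.py and fix every finding before running ConfigPut.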
Verify Your configuration
- Navigate to your OpenVPN home page or client. After the primary authentication with username and password, you should be prompted to enter an AuthX code or use push for authentication.
- You can authenticate using multiple factors
Push | Send a push request to the phone to accept or deny |
AuthX Code | Enter the TOTP generated on the AuthX application |
SMS | Enter the AuthX code received as text on your phone |
Call | Enter the AuthX code that has been said on the received call |
Face | Authenticate with your face on your phone |
Palm | Authenticate with your palm on your phone |
High Level Flow Diagram