OpenVPN Community Edition VPN configuration for the LastPass Universal Proxy LDAP protocol

    This is a step-by-step description of how to configure OpenVPN Community Edition for LastPass Universal Proxy using the LDAP protocol, so that LastPass MFA acts as a secondary authentication method. The following steps cover only the Universal Proxy-related settings.

    About this task:
    Note: OpenVPN Community Edition does not have a Graphical User Interface (GUI). All settings are made using the Command Line Interface (CLI).
    Note: OpenVPN Community Edition handles incoming authentication requests in a single thread, so only one client can log in at a time. Increased waiting times can therefore be expected.
    1. Install the OpenVPN LDAP plugin, openvpn-auth-ldap, on your server to get the required libraries and configuration files.

      Result: The OpenVPN LDAP authentication configuration file, auth-ldap.conf, is installed.

    2. Configure the OpenVPN server for LDAP authentication using the auth-ldap.conf file. Set the following:
      URL: the IP address or DNS name of Universal Proxy.
      BindDN: the admin user name configured for LDAP authentication, in the format CN=Admin,CN=Users,DC=domain,DC=country_code.
      Password: the LDAP admin user password.
      Timeout: 61
      TLSEnable: no
      BaseDN: the Base DN under which the users are located, in the format cn=Users,dc=domain,dc=country_code.
      SearchFilter: "(&(userPrincipalName=%u))"
      RequireGroup: false
      Group - BaseDN: the Base DN under which the users are located, in the format cn=Users,dc=domain,dc=country_code.
      Group - SearchFilter: "(|(userPrincipalName=%u))"
      Group - MemberAttribute: uniqueMember or sAMAccountName, depending on the Universal Proxy configuration.

      Example:

      <LDAP>
        URL ldap://<IP Address or DNS name of Universal Proxy>:389
        BindDN cn=Admin,cn=Users,dc=domain,dc=country_code
        Password **************
        Timeout 61
        TLSEnable no
      </LDAP>
      <Authorization>
        BaseDN "cn=Users,dc=domain,dc=country_code"
        SearchFilter "(&(userPrincipalName=%u))"
        RequireGroup false
        <Group>
          BaseDN "cn=Users,dc=domain,dc=country_code"
          SearchFilter "(|(userPrincipalName=%u))"
          MemberAttribute uniqueMember
        </Group>
      </Authorization>
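
      Before restarting OpenVPN it is worth checking that auth-ldap.conf really carries the values above. The following Python script is an added example, not part of this guide or of openvpn-auth-ldap: it parses the <Section> / "Key value" layout shown in the example and reports every setting that deviates from step 2. The embedded sample file and its proxy host name are constructed placeholders.

```python
import re, shlex

# Constructed sample in the auth-ldap.conf layout of step 2; the host is a placeholder.
SAMPLE_CONF = """\
<LDAP>
  URL ldap://proxy.example.internal:389
  Timeout 61
  TLSEnable no
</LDAP>
<Authorization>
  BaseDN "cn=Users,dc=domain,dc=country_code"
  SearchFilter "(&(userPrincipalName=%u))"
  RequireGroup false
  <Group>
    SearchFilter "(|(userPrincipalName=%u))"
    MemberAttribute uniqueMember
  </Group>
</Authorization>
"""
# Settings step 2 requires, keyed by "Section/Subsection/Key".
EXPECTED = {"LDAP/Timeout": "61", "LDAP/TLSEnable": "no", "Authorization/RequireGroup": "false",
            "Authorization/SearchFilter": "(&(userPrincipalName=%u))",
            "Authorization/Group/SearchFilter": "(|(userPrincipalName=%u))"}

def parse_auth_ldap(text):
    """Flatten <Section>...</Section> blocks of 'Key value' lines into {"Sec/Sub/Key": value}."""
    conf, path = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tag = re.fullmatch(r"<(/?)(\w+)>", line)
        if tag and tag.group(1):          # closing tag: leave the section
            path.pop()
        elif tag:                         # opening tag: enter a nested section
            path.append(tag.group(2))
        else:                             # 'Key value'; the value may be quoted
            key, *rest = line.split(None, 1)
            conf["/".join(path + [key])] = (shlex.split(rest[0]) or [""])[0] if rest else ""
    return conf

def check_universal_proxy_settings(conf):
    """Return the deviations from the step 2 settings, empty when the file matches."""
    problems = [f"{k}: expected {v!r}, got {conf.get(k)!r}"
                for k, v in EXPECTED.items() if conf.get(k, "").lower() != v.lower()]
    if conf.get("Authorization/Group/MemberAttribute", "").lower() not in ("uniquemember", "samaccountname"):
        problems.append("Authorization/Group/MemberAttribute: must be uniqueMember or sAMAccountName")
    if not conf.get("LDAP/URL", "").startswith("ldap://"):
        problems.append("LDAP/URL: must be an ldap:// URL pointing at Universal Proxy")
    return problems
```

      Run it against the real file with parse_auth_ldap(open("/etc/openvpn/auth-ldap.conf").read()); an empty list means the file matches the settings in step 2.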

    3. Add the following options to the OpenVPN server configuration file, server.conf:
      1. The plugin line, giving the path of the LDAP plugin and of the configuration file whose attributes are used to authenticate users. For example:
        plugin /usr/lib/openvpn/openvpn-auth-ldap.so /etc/openvpn/auth-ldap.conf login
      2. Enforce username and password authentication:
        username-as-common-name
      3. Turn off certificate authentication on the client side:
        client-cert-not-required

      Example:

      port 1194
      proto tcp
      dev tun
      ca ca.crt
      cert server.crt
      key server.key  # This file should be kept secret
      dh dh.pem
      plugin /usr/lib/openvpn/openvpn-auth-ldap.so /etc/openvpn/auth-ldap.conf login
      server 10.8.0.0 255.255.255.0
      ifconfig-pool-persist /var/log/openvpn/ipp.txt
      username-as-common-name
      keepalive 10 120
      client-cert-not-required
      cipher AES-256-GCM
      user nobody
      group nogroup
      persist-key
      persist-tun
      status /var/log/openvpn/openvpn-status.log
      log /var/log/openvpn/openvpn.log
      log-append /var/log/openvpn/openvpn.log
      verb 6
      explicit-exit-notify 0

    4. Enable client username and password authentication by adding auth-user-pass to the client configuration:
      client
      dev tun
      proto tcp
      remote 20.67.97.220 1194
      resolv-retry infinite
      nobind
      ;user nobody
      ;group nogroup
      persist-key
      persist-tun
      ;remote-cert-tls server
      client-cert-not-required
      username-as-common-name
      ;tls-auth ta.key 1
      auth-user-pass
      cipher AES-256-GCM
      verb 6
      ;mute 20
      <ca>
      -----BEGIN CERTIFICATE-----
      ***********
      -----END CERTIFICATE-----
      </ca>
    5. Restart the OpenVPN server to apply the changes.
    Results: The OpenVPN Community Edition VPN has been configured.