HELP FILE

OpenVPN Community Edition VPN configuration for the LastPass Universal Proxy RADIUS protocol

    This is a step-by-step description of how to configure OpenVPN Community Edition VPN for LastPass Universal Proxy using the RADIUS protocol, in order to set LastPass MFA as a secondary authentication method. The following steps contain the Universal Proxy related settings.

    Note: OpenVPN Community Edition does not have a Graphical User Interface (GUI). The settings are done using the Command Line Interface (CLI).
    Note: As OpenVPN Community Edition handles the incoming authentication requests in a single thread, one client can log in at a time. Therefore, increased waiting time can be expected.
    1. Install the OpenVPN RADIUS plugin, openvpn-auth-radius, on your server to get the required libraries and configuration files.

      Result: The OpenVPN RADIUS authentication configuration file, radiusplugin.cnf will be installed.

    2. Configure the OpenVPN server for RADIUS authentication using the radiusplugin.cnf file. Set the following:

      NAS-Identifier
      OpenVpn
      Service-Type
      5
      Framed-Protocol
      1
      NAS-Port-Type
      5
      NAS-IP-Address
      OpenVPN Community Edition IP address.
      OpenVPNConfig
      Path to the OpenVPN configuration file.
      overwriteccfiles
      true
      acctport
      1813
      authport
      1812
      name
      IP Address or DNS name of Universal Proxy.
      retry
      1
      wait
      61
      sharedsecret
      RADIUS shared secret, which is configured on the LastPass Universal Proxy.

      Example:

      NAS-Identifier=OpenVpn Service-Type=5 Framed-Protocol=1 NAS-Port-Type=5 NAS-IP-Address=<OpenVPN Communitity edition IP address> OpenVPNConfig=/etc/openvpn/server/server.conf overwriteccfiles=true server { acctport=1813 authport=1812 name=<IP Address or DNS name of Universal Proxy> retry=1 # How long should the plugin wait for a response? wait=61 sharedsecret=********* }

    3. Add the following to the OpenVPN server configuration file, server.conf:
      1. Path of the configuration file, to read the attributes and use it to authenticate users. For example:

        plugin /usr/lib/openvpn/openvpn-radius-ldap.so /etc/openvpn/radiusplugin.cnf login

      2. Enforce to use username and password for authentication:

        username-as-common-name

      3. Turn off the certificate authentication on the client side:

        client-cert-not-required

      Example:

      port 1194 proto tcp dev tun ca ca.crt cert server.crt key server.key # This file should be kept secret dh dh.pem plugin /usr/lib/openvpn/openvpn-auth-radius.so /etc/openvpn/radiusplugin.cnf login server 10.8.0.0 255.255.255.0 ifconfig-pool-persist /var/log/openvpn/ipp.txt username-as-common-name keepalive 10 120 client-cert-not-required cipher AES-256-GCM user nobody group nogroup persist-key persist-tun status /var/log/openvpn/openvpn-status.log log /var/log/openvpn/openvpn.log log-append /var/log/openvpn/openvpn.log verb 6 explicit-exit-notify 0

    4. Enable client username and password authentication, by adding auth-user-pass:

      client
      dev tun
      proto tcp
      remote 20.67.97.220 1194
      resolv-retry infinite
      nobind
      ;user nobody
      ;group nogroup
      persist-key
      persist-tun
      ;remote-cert-tls server
      client-cert-not-required
      username-as-common-name
      ;tls-auth ta.key 1
      auth-user-pass
      cipher AES-256-GCM
      verb 6
      ;mute 20
      <ca>
      -----BEGIN CERTIFICATE-----
      ***********
      -----END CERTIFICATE-----
      </ca>

    5. Restart the OpenVPN server to apply the changes.
    The OpenVPN Community Edition VPN has been configured.