Setting up an OpenVPN server with RCDevs WebADM, U2F and Viscosity
Virtual Private Networks (VPNs) can be utilized for a number of very useful applications. You can securely connect to any public WiFi hotspot. You can overcome geo-blocking restrictions on your favourite websites. And you can even connect to your home or office network from anywhere in the world, as if you were sitting right at your desk. This guide will walk you through the process of setting up your own OpenVPN server, and connecting to it with your copy of Viscosity.
Running your own OpenVPN server lets you encrypt your traffic between your device and that server. Anything you send over the VPN connection is encrypted from your device until it reaches your OpenVPN server, where it leaves the tunnel. Setting up your OpenVPN server to access your home or office network gives you full access to all the files on that network.
This guide will walk you through the steps involved in setting up a basic OpenVPN server on a RCDevs WebADM host with OpenOTP support using U2F as a second authentication factor. This guide is designed as a quick start or trial setup for enterprise users who are considering or already using WebADM, we don't recommend it to new or home users.
For this guide, we assume:
- You already have a WebADM with OpenOTP setup you are familiar with, or are using the base Virtual Appliance
- You have a valid SSL certificate
- You have a FQDN for your WebADM and OpenVPN server
- You have root access to this installation
- You have a Yubico U2F device
- You already have a copy of Viscosity installed on your client device
RCDevs WebADM is a security and user management suite designed for enterprise. Together with OpenOTP, it provides a powerful authentication suite that can be used right across your network. RCDevs also have their own OpenVPN server suite, MFAVPN, which integrates easily with WebADM and OpenOTP.
To use U2F with the RCDevs packages, your WebADM and OpenVPN servers need two things: a valid SSL certificate, and a FQDN, i.e. a web address rather than an IP address. For this guide we'll be using rcvm.mydomain.com; change this address to match your own wherever you see it.
Unfortunately we cannot provide any direct support for setting up your own OpenVPN server. We provide this guide as a courtesy to help you get started with, and make the most of, your copy of Viscosity. We've thoroughly tested the steps in this guide to ensure that, if you follow the instructions detailed below, you should be well on your way to enjoying the benefits of running your own OpenVPN server.
If you need more information or help, RCDevs offer discussion groups at https://www.rcdevs.com/forum/
Basic WebADM Installation
If you don't already have a WebADM instance, the easiest way to get started is with one of RCDevs' Virtual Appliances, available here. These can be imported into most virtual machine software and are easy to set up.
For the rest of this guide we'll assume you are using a Virtual Appliance from RCDevs, and you have chosen the default configuration.
Once WebADM is installed, you will need to ensure it is accessible via a FQDN, and add your SSL certificate to the instance, a guide is available here.
The SSL certificate is required by the U2F specification: the Application ID is an HTTPS URL, and the U2F client fetches the facet list from it and checks that list against the origin the authentication is coming from, so the certificate must be valid for that name. Alternatively, you can simply proxy the U2F Facet URL to another server with a valid SSL certificate; we'll point this out further into the guide.
As a final note, for enterprise use we recommend setting your OpenVPN server up on a different physical or virtual server from WebADM. This guide is exactly the same when setting up MFAVPN on a different server; the server you choose to host MFAVPN just needs network access to your WebADM server.
Setting up WebADM and OpenOTP
Before we set up our OpenVPN server, there are a few things we need to do in WebADM. As a first step, log in to your WebADM instance by going to its address in your browser, for us https://rcvm.mydomain.com. The default credentials are admin/password.
Take a moment to change the admin password straight away. To do this, click on cn=admin on the left under o=Root, then click Change password under LDAP Actions.
The first thing we need to do is configure U2F. On the top menu, click Applications towards the right, then in the MFA Authentication Server area, click CONFIGURE. Next, scroll down the page until you find the U2F Devices section, a bit over halfway down.
First, change your U2F Application ID from the IP-based default, https://126.96.36.199/ws/appid/, to https://rcvm.mydomain.com/ws/appid/, replacing rcvm.mydomain.com with the address of your WebADM server. If you have chosen to publish your facet list via a proxy, enter the proxied URL here instead.
Next, tick U2F Application Facets and enter openvpn://rcvm.mydomain.com, replacing rcvm.mydomain.com with the address of your WebADM server, or, if you are deploying your OpenVPN server somewhere else, enter that server's address prefixed with openvpn://.
Once done, scroll all the way to the bottom of the page and click Apply.
Before we continue, note the U2F Facet Endpoint URL under MFA Authentication Server. This is the URL you will need to proxy via another server if you do not wish to add an SSL certificate to WebADM.
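Because a mismatch between the Application ID, the certificate and the facet list is the most common reason a U2F login silently fails, it is worth checking what WebADM actually publishes before you move on. The script below is an added example, not part of this guide or of the RCDevs software. It assumes that the facet endpoint is the Application ID URL itself (https://rcvm.mydomain.com/ws/appid/) and that it returns the standard FIDO U2F "trustedFacets" JSON document; the hostnames are the ones used throughout this guide and can be overridden with the WEBADM_FQDN and VPN_FQDN environment variables.

```shell
#!/bin/sh
# check_u2f_facets.sh - added example, not from the guide or RCDevs.
# Verifies that the U2F AppID is an https:// URL on a FQDN and that the
# facet list it serves contains the two facets configured in WebADM.
set -eu

WEBADM_FQDN="${WEBADM_FQDN:-rcvm.mydomain.com}"   # assumed, change to yours
VPN_FQDN="${VPN_FQDN:-rcvm.mydomain.com}"         # assumed, change to yours

# Return 0 if the AppID is https:// and its host is a name rather than an
# IPv4/IPv6 literal. U2F clients compare the facet list against the origin
# they are used from, so an IP-based AppID never matches a FQDN origin.
appid_is_fqdn() {
  case "$1" in
    https://*) ;;
    *) return 1 ;;
  esac
  host=${1#https://}
  host=${host%%/*}
  case "$host" in
    \[*) return 1 ;;          # bracketed IPv6 literal
    *[!0-9.]*) return 0 ;;    # anything beyond digits and dots is a name
    *) return 1 ;;            # dotted-quad IPv4 literal
  esac
}

# Return 0 if the trustedFacets JSON (passed as $1) lists both the https
# origin of WebADM and the openvpn:// facet for the VPN server. A plain
# string match is enough here: facet ids are quoted verbatim in the document.
facets_ok() {
  json="$1"
  printf '%s' "$json" | grep -q "\"https://$WEBADM_FQDN\"" || return 1
  printf '%s' "$json" | grep -q "\"openvpn://$VPN_FQDN\"" || return 1
}

# Fetch the facet document with certificate verification ON (no -k): if this
# fails on the certificate, the U2F client will fail in the same way.
fetch_facets() {
  curl -fsS "https://$WEBADM_FQDN/ws/appid/"
}

main() {
  appid="https://$WEBADM_FQDN/ws/appid/"
  appid_is_fqdn "$appid" || { echo "AppID must be https://<FQDN>/..., got $appid" >&2; exit 1; }
  json=$(fetch_facets)
  facets_ok "$json" || { echo "facet list is missing an expected entry:" >&2; echo "$json" >&2; exit 1; }
  echo "OK: $appid lists https://$WEBADM_FQDN and openvpn://$VPN_FQDN"
}

# Only contact the server when explicitly asked: sh check_u2f_facets.sh check
case "${1:-}" in
  check) main ;;
esac
```

Run it from a machine that resolves the FQDN the same way your clients will; a check that passes only from the WebADM host itself (for example via a hosts-file entry) tells you nothing about what a laptop on the road will see.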
Next, we need to set up a user. You can create a user using Create on the top menu, or you can use an existing user. The Virtual Appliance comes with a user, test_user, already created, so we'll use that. Click cn=test_user on the left under o=Root in the tree. If you are using test_user, first change its password.
Next, click CONFIGURE next to WebADM settings on the right. In the Configure page, click OpenOTP on the left, then tick and change Login Mode to LDAPU2F, and tick and change OTP Type to Token (Default). Then scroll to the bottom of the page and click Apply.
Finally, click MFA Authentication Server on the right, then click Register/Unregister U2F Devices. Give your device a name if you'd like to identify it easily later, click in the area saying [Click Here or Press Enter], then tap the gold disk on your Yubico U2F device to activate and register it. Click OK on the next page and you should now see the device registered.
User and OpenOTP setup is now done! Let's configure OpenVPN now.
Setting up the OpenVPN Server
As mentioned earlier, if you're intending to use this server as more than a test, we recommend installing it on a different system. Running up an Ubuntu server is quite easy, for example, and the process below is the same. For this guide, however, we'll assume you're installing the server on the same system as WebADM.
First, download the MFAVPN package from the RCDevs download page. If you are using the Virtual Appliance from RCDevs, you will need the x64 version. At the time of writing you should be downloading mfavpn-1.0.0-x64.sh.gz, but adjust this below if the version has been updated.
Next, copy the gz package onto your server with an application like WinSCP, or, if you have a recent Windows 10 or are on a Mac or Linux computer, open a command prompt/terminal and run:
scp path/to/mfavpn-1.0.0-x64.sh.gz root@rcvm.mydomain.com:~/
The default password for root on the Virtual Appliance is password. Next, SSH into the WebADM server as root. If you are using the Virtual Appliance, it is missing a package required to run OpenVPN; install it with the following command:
yum install net-tools
Next, run the following commands to start the setup:
Answer 'y' (yes) to each question, with the following exceptions:
- Enter the server fully qualified host name (FQDN): - Enter the address to this server
- Enter one of your running WebADM server IP or hostname: - Enter the address to your WebADM server, this may be the same as the above.
After the DH parameters are generated, you will see the following message:
The setup needs now to request a signed 'openvpn' certificate. This request should show up as pending in your WebADM interface and an administrator must accept it. Waiting for approbation...
When you see this message, log back into WebADM and you should see the following message at the bottom of the page:
Click the Click Here For Details link, and on the next page click the blue Accept button. The script will then continue; keep answering 'y' (yes) until the end.
By default, U2F support is on and everything is set up correctly, so there is nothing more we need to do. A few things to note, though:
- If you need to change any settings or addresses related to OpenOTP, they are found in /opt/mfavpn/conf/ovpnauthd.conf.
- If you would like to change any OpenVPN server settings, they are located at /opt/mfavpn/conf/openvpn.conf.
The OpenVPN config is very simple. It is enough to connect and route traffic to the VPN server itself, but clients get no access to the local network, the internet, or DNS, so in its default state this OpenVPN server is only really useful for remote access to WebADM. For more information on setting up routing or DNS, take a look at our Ubuntu Server Guide.
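If you do want clients to reach the network behind the server, there are two halves to the change: the OpenVPN server has to push a route (and, optionally, a DNS server) to each client, and the host has to forward and NAT the tunnel traffic. The script below is an added example, not part of this guide or of MFAVPN; it only relies on the config path given above. The LAN (192.168.10.0/24), DNS server (192.168.10.1), LAN interface (eth0) and VPN subnet (10.8.0.0/24) are assumed values, so set the variables to match your own network. Setting FULL_TUNNEL=1 additionally pushes a default route, which is what gives clients internet access through the VPN.

```shell
#!/bin/sh
# vpn_lan_access.sh - added example, not from the guide or RCDevs.
# Pushes a LAN route and DNS server to OpenVPN clients and enables
# forwarding + NAT on the server. Usage: sh vpn_lan_access.sh apply
set -eu

CONF="${CONF:-/opt/mfavpn/conf/openvpn.conf}"   # path from the guide
LAN_NET="${LAN_NET:-192.168.10.0}"             # assumed LAN, change to yours
LAN_MASK="${LAN_MASK:-255.255.255.0}"
DNS_SERVER="${DNS_SERVER:-192.168.10.1}"       # assumed DNS server on the LAN
LAN_IF="${LAN_IF:-eth0}"                       # assumed server-side interface
VPN_NET="${VPN_NET:-10.8.0.0/24}"              # assumed tunnel subnet; check "server" in the conf
FULL_TUNNEL="${FULL_TUNNEL:-0}"                # 1 = also send client default route via VPN

# Append a directive only if the exact line is not already present, so the
# script can be re-run without duplicating push lines.
add_directive() {
  conf="$1"; line="$2"
  grep -qxF -- "$line" "$conf" || printf '%s\n' "$line" >> "$conf"
}

# Push the LAN route and DNS server to every client. Without FULL_TUNNEL only
# LAN traffic enters the tunnel; the client keeps its own default route.
push_lan_and_dns() {
  conf="$1"
  add_directive "$conf" "push \"route $LAN_NET $LAN_MASK\""
  add_directive "$conf" "push \"dhcp-option DNS $DNS_SERVER\""
  if [ "$FULL_TUNNEL" = 1 ]; then
    add_directive "$conf" 'push "redirect-gateway def1"'
  fi
}

# Number of push directives in a config (lets you confirm idempotence).
count_push() {
  grep -c '^push ' "$1" || true
}

# Kernel side: allow forwarding and masquerade the tunnel subnet out of the
# LAN interface, so LAN hosts with no route back to the tunnel can still reply.
# For FULL_TUNNEL, LAN_IF must be the interface that reaches the internet.
enable_forwarding_and_nat() {
  sysctl -w net.ipv4.ip_forward=1
  iptables -t nat -C POSTROUTING -s "$VPN_NET" -o "$LAN_IF" -j MASQUERADE 2>/dev/null \
    || iptables -t nat -A POSTROUTING -s "$VPN_NET" -o "$LAN_IF" -j MASQUERADE
}

case "${1:-}" in
  apply)
    push_lan_and_dns "$CONF"
    enable_forwarding_and_nat
    echo "Updated $CONF ($(count_push "$CONF") push lines); restart the MFAVPN service to apply."
    ;;
esac
```

The sysctl and iptables changes above are not persistent across reboots; on the CentOS-based appliance put the sysctl in /etc/sysctl.d/ and save the NAT rule with your distribution's iptables persistence mechanism once you are happy with it. Pushing a route only tells the client where to send packets: if the LAN has its own firewall, the tunnel subnet still needs to be allowed through it.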
As a final step, we need to generate a client configuration. Generate it on the server, then copy it to your local computer with:
scp root@rcvm.mydomain.com:~/user.zip ~/
Extract user.zip on your local computer. This configuration is not unique: it contains no per-user certificates, so you can make any changes you need and distribute the same file to all your users.
Setting Up Viscosity
The interface provided by the Mac and Windows versions of Viscosity is intentionally very similar. As such, we will focus our guide on the Windows version, pointing out any differences with the Mac version as they arise.
If you do not have Viscosity already running, start Viscosity now. In the Mac version you will see the Viscosity icon appear in the menu bar. In the Windows version you will see the Viscosity icon appear in the system tray.
Click the Viscosity icon in the menu bar on Mac or System Tray on Windows and select 'Preferences...':
Next, click the + button and navigate to Import Connection > From File..., browse to where you extracted user.zip, select user.ovpn, then click Import.
If you wish to make any changes to the configuration, such as adding routes or DNS servers, you can edit the connection, make these changes and then export the connection. As mentioned earlier, this configuration is not unique, as it does not contain user certificates.
Now all you need to do is connect. If you have followed this guide through using test_user, enter test_user/<your password> when prompted for a username and password, then tap your U2F device when prompted to complete the authentication.
As we mentioned at the start, this guide is intended to introduce you to WebADM and its OpenVPN/U2F functionality if you are considering it for your business; we don't recommend using this exact setup in a production environment or at home. We hope this guide shows, though, that it is a simple process to get set up and use the security benefits that U2F and OpenOTP provide. Remember, OpenOTP isn't restricted to just OpenVPN but can be used with many other services; take a look at the RCDevs documentation for more examples.