
Integrate OpenVPN

OpenVPN is a virtual private network system to create secure point-to-point or site-to-site connections in routed or bridged configurations and remote access facilities. It implements both client and server applications. See https://www.openvpn.net. You can protect access to OpenVPN by integrating OpenVPN with Identity as a Service. Once integrated, users can use single sign-on to log in to their OpenVPN account through Identity as a Service.

Note: This integration was tested using Identity as a Service version 5.33 and a trial OpenVPN version. Other versions of OpenVPN may require integration and configuration steps that differ from those documented in this procedure. In the event of other issues, contact support@entrust.com for assistance.

To integrate OpenVPN with Identity as a Service, you must do the following:

Before you begin, open two browser windows. In one window, log in to your OpenVPN administrator account. In the other window, log in to your IDaaS administrator account.

Step 1: Complete the prerequisites

To complete this integration, you must do the following before you begin the integration:

Create and configure a Gateway.

Make note of the following:

Gateway IP address

Gateway shared secret (password)

Step 2: Configure OpenVPN for Identity as a Service authentication

Log in to OpenVPN as an administrator. The Status Overview page appears.

Expand User Management and select User Permissions. The User Permissions page appears.

Click More Settings and select the IDaaS username for your integration admin account, for example, IDaaSuser. The User Permissions page updates to display the configuration settings.

Set the Configure user authentication method to RADIUS.

Set the TOTP-based Multi-Factor Authentication to the Default.

Set IP Addressing to Use Dynamic.

Set the Access Control to Use NAT.

Set the Allow Access From to all other VPN clients.

Set the VPN gateway to No.

Set the DMZ settings to No.

Click Save Settings.

Restart the VPN server, as follows:

In the menu pane, expand Status and select Status Overview. The Status Overview page appears.

Click Stop VPN services.

Click Confirm Stop on the confirmation prompt.

Click Start VPN services.

In the menu pane, click Authentication > RADIUS. The RADIUS page appears.

Open a text editor and copy the IP address in the Hostname or IP Address field. You need this value for Step 3: Add OpenVPN to Identity as a Service.

In the Shared Secret field, enter the shared secret that is shared with IDaaS.

Make note of the Authentication Port and Accounting Port. You need these in Step 3: Add OpenVPN to Identity as a Service.

Scroll to RADIUS Authentication Method and set PAP to Yes.

Click Save Settings.

Restart the VPN server, as follows:

In the menu pane, expand Status and select Status Overview. The Status Overview page appears.

Click Stop VPN services.

Click Confirm Stop on the confirmation prompt.

Click Start VPN services.

Step 3: Add OpenVPN to Identity as a Service

Integrate OpenVPN with Identity as a Service

Log in to Identity as a Service.

Click > Security > Applications. The Add Applications page appears.

Click Add. The Select an Application Template page appears.

Do one of the following:

Select RADIUS and VPN Integrations from the search drop-down list and scroll to find the application you want to add to IDaaS.

- or -

In the Search bar, enter a search option to filter for the application you want to add to IDaaS.

Click OpenVPN. The Add Open VPN page appears.

In the Application Name field, enter a name for your RADIUS client.

Enter a Description for your application.

Optional. Add an application logo:

Click next to Application Logo. The Upload Logo dialog box appears.

Click to select an image file to upload.

Browse to select your file and click Open. The Upload Logo dialog box displays your selected image.

If required, resize your image.

Click OK.

Click Next. The General page appears.

In the Hosts field, click Add to add the host IP address that you copied in Step 2: Configure OpenVPN for Identity as a Service authentication. The RADIUS agent receives the request on this host.

Note: If you enter multiple host names, separate each one with a comma and do not leave any spaces between them. Multiple host names indicate that the RADIUS application is running multiple replicas on multiple hosts.

In the Port field, enter the port on which the RADIUS agent accepts messages, 1812.

Attention: The RADIUS agent uses the host name that sent a request and the port number on which it received the request to determine which RADIUS application made the request. Because of that:

Two RADIUS applications with the same port value cannot share any host names.

Two RADIUS applications that have one or more matching host names must have different port values.

In the Shared Secret field, enter the shared secret that you copied in Step 2: Configure OpenVPN for Identity as a Service authentication.

From the Select RADIUS Agent drop-down list, select the name of the Gateway containing the RADIUS agent to which OpenVPN will be assigned.

Optional: From the Select RADIUS Attribute for IP Address drop-down list, select TUNNEL-CLIENT-ENDPOINT (66).

Set the Challenge Response Queue Max Time to 180, to set the number of seconds that the RADIUS agent waits for a response to first-factor authentication.

In the Challenge Response Queue Max Size field, set the maximum number of second-factor challenge requests allowed in the queue of your RADIUS application. The default value is 1000 requests. The maximum value is 10,000.

In the Request Cache Timeout field, set the number of seconds to cache requests. The default value is 10 seconds.

From the Character Set drop-down list, select the character set used to decode and encode string values (including the user ID and password values) in RADIUS messages. The options are UTF-8 and ISO-8859-1.

Optional: Select Log RADIUS messages to enable RADIUS message logging. When enabled, messages for the RADIUS agent are logged to the same log file as the gateway logs.

Optional. Enable the Authentication Settings:

Select When authenticating the user will be asked to select their second-factor authenticator. When selected, after the user responds to the first-factor challenge, they are prompted to select their second-factor authenticator. The list of available second-factor authenticators is set by the resource rule.

The following is a list of supported strings matched to the authentication types:

Grid: grid

Knowledge-based Authentication: kba

One-time password: email, sms, voice

Smart Credential Push: scpush

Temporary Access Code: tac

Token: token

Token push: push

Select Indicate if requests must include the message-authenticator attribute to require the Message-Authenticator attribute on incoming requests and include it in outgoing messages.

Leave all other settings at the default values.

Click Submit.

Step 4: Add a resource rule

See Create resource rules.

Step 5: Test the integration

Open a Web browser and enter the URL for your OpenVPN client UI.

Log in with your username and password and then click Sign-in.

You are prompted to select your second-factor authentication method.

In the blank field, type your second-factor authentication method. For example, type grid.

Click Continue.

Enter the second-factor challenge response, for example, the grid coordinates.

Click Continue. The OpenVPN Access Server page appears.

Click the icon. The openvpn-connect.3.4.0.3121_signed.msi file downloads.

Install the file.

Navigate to your desktop and open the OpenVPN Connector. The Profiles page appears.

Toggle to Connect.

Enter the required credentials.

Respond to the second-factor authentication challenge.

Click Send. You are connected to OpenVPN.