one username/password/Google authenticator per user

Business solution to host your own OpenVPN server with web management interface and bundled clients.
bthurber
OpenVpn Newbie
Posts: 15
Joined: Thu May 25, 2017 12:21 pm


Post by bthurber » Tue Nov 05, 2019 8:50 pm

We use OpenVPN in two regions at AWS. We currently stand up two very old (v2.1.9) AWS marketplace OpenVPN Access Servers in a VPC in each region. One OpenVPN server in a VPC is in active use. The other is there for cold standby. Each OpenVPN server uses local user accounts and we require Google Authenticator. Obviously this is not ideal because each user needs to keep track of user/password/google authenticator info times 4. We are a small company - so while it was a pain to onboard users, it has been workable.

We are planning an upgrade to OpenVPN 2.7.5 and ideally would like each user to only keep track of one username/password/google authenticator combo across all 4 OpenVPN servers (still spread across 2 regions). Is this possible? These are the options I have looked at so far but neither look to be a complete solution.

Option A: It looks like using Google Cloud Identity ldap with OpenVPN (1) could require a user to have only one username and password across regions - and also use Google Authenticator (according to the linked doc). I'm thinking the Google Authenticator hash would still need to be set for each server though - is that right?

Option B: Set up an OpenVPN Access Server cluster (2). This looks like it would get us down to one username/password/google authenticator combination per user in each region (assuming that the Google Authenticator info is stored in the database).

I haven't tried either of these so I may be missing something. I think I'm leaning toward Option B as the best of these two options. I thought I would post here before venturing further as I am guessing there may be an Option C or D which could be better.

Thank you for your input.

(1) https://openvpn.net/google-cloud-identi ... s-and-vpn/
(2) https://openvpn.net/vpn-server-resource ... r-cluster/

novaflash
OpenVPN Inc.
Posts: 1073
Joined: Fri Apr 13, 2012 8:43 pm

Re: one username/password/Google authenticator per user

Post by novaflash » Sat Nov 09, 2019 10:49 am

The shared secret is actually stored in the user database so in theory you could copy the ones from one server to another. That's not ideal of course.

If you use a cluster, your access control rules are more limited, but the advantage is that the user certificates and google authenticator codes are the same on all the servers at once because it's just stored in one shared database.
I'm still alive, just posting under the openvpn_inc alias now as part of a larger group.
