OpenVPN on AWS

asaushkin
OpenVpn Newbie
Posts: 2
Joined: Tue Feb 23, 2021 7:20 pm

OpenVPN on AWS

Post by asaushkin » Tue Feb 23, 2021 7:36 pm

We have an OpenVPN server installed in AWS. I've recently started working with this instance as a DevOps, and the security team tasked me with some issues.

We use an OpenVPN EC2 instance based on the ami-0abbb3ceae54aa9fa image (Access Server version: 2.6.1) and created from a CloudFormation template.

Could you clarify whether it is possible to:

1. Use certificate authentication instead of user/password pair? Is it possible to do it through the Admin UI console (I mean configure user access with certificate authentication)?

2. How can we implement the password rotation mechanism to ensure that passwords are not obsolete?

openvpn_inc
OpenVPN Inc.
Posts: 34
Joined: Tue Feb 16, 2021 10:41 am

Re: OpenVPN on AWS

Post by openvpn_inc » Wed Feb 24, 2021 6:26 pm

Hi There,

Thank you for raising this inquiry. See below for my responses for each inquiry you have.

1. Use certificate authentication instead of user/password pair? Is it possible to do it through the Admin UI console (I mean configure user access with certificate authentication)?
--Access Server already uses certificates. It uses certificates so the client can verify the identity of the server, and the server can verify the identity of the client. The certificates are already embedded in the client.ovpn connection profile.

If you want certificate authentication ONLY, then you can use our auto-login profiles. This is when a configured user on Access Server has auto-login permission.

You can configure or allow auto login by going to USER MANAGEMENT >> User Permissions and Click or Check Allow Auto-login. Then save configuration/settings.

If this is set or configured, then a user can connect with just the certificate embedded in his connection profile without having to enter a username or password to start the connection. This is done by looking purely at the certificate. But if your goal is that a user must first have a certificate that is provided to them separately through a secure channel, then you can, for example, disable access to the web interface and have the administrator manually pass the client.ovpn to each user via a secure channel. Without that client.ovpn, they won't be able to do anything.

2. How can we implement the password rotation mechanism to ensure that passwords are not obsolete?
---> So far there is no option for a password rotation mechanism with Access Server, but if you are using a third-party authentication method (e.g. RADIUS etc.) then you can have this implemented there. For example, on a RADIUS setup configured with AD on Microsoft NPS, you can set an expiration or duration within which the password needs to be renewed by the user.

Best Regards,

Crowley
OpenVPN Inc.
Answers provided by OpenVPN Inc. staff members here are provided on a voluntary best-effort basis, and no rights can be claimed on the basis of answers posted in this public forum. If you wish to get official support from OpenVPN Inc. please use the official support ticket system: https://openvpn.nets/support
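
To check which kind of client.ovpn you are about to hand out, the sketch below (an added example, not part of the original posts and not OpenVPN Inc. code) reports whether a profile embeds a client certificate and key and whether it still asks for a password. It assumes an auto-login profile omits the `auth-user-pass` directive while a password-prompting profile includes it; the sample profiles and host name are constructed.

```python
import re

# Inline credential blocks an .ovpn profile can embed, e.g. <cert>...</cert>.
INLINE = re.compile(r"<(ca|cert|key|tls-auth|tls-crypt)>(.*?)</\1>", re.S)

def audit_profile(text):
    """Report which credentials a connection profile carries and asks for."""
    blocks = {name for name, body in INLINE.findall(text) if body.strip()}
    directives = set()
    # Remove inline blocks first so PEM bodies are not read as directives.
    for line in INLINE.sub("", text).splitlines():
        line = line.strip()
        if line and line[0] not in "#;":
            directives.add(line.split()[0])
    has_client_cert = {"cert", "key"} <= blocks
    prompts = "auth-user-pass" in directives  # assumption: marks a password prompt
    findings = []
    if not has_client_cert:
        findings.append("no embedded client certificate/key pair")
    elif not prompts:
        findings.append("certificate-only: the file is the sole credential; "
                        "distribute over a secure channel")
    return {"blocks": sorted(blocks), "has_client_cert": has_client_cert,
            "prompts_for_password": prompts,
            "cert_only": has_client_cert and not prompts, "findings": findings}

def _pem(label):
    # Constructed placeholder, not real key material.
    return f"-----BEGIN {label}-----\nPLACEHOLDER\n-----END {label}-----"

# Constructed sample profiles (hypothetical host name).
_BASE = (
    "# constructed sample\nclient\ndev tun\nremote vpn.example.com 1194 udp\n"
    f"<ca>\n{_pem('CERTIFICATE')}\n</ca>\n<cert>\n{_pem('CERTIFICATE')}\n</cert>\n"
    f"<key>\n{_pem('PRIVATE KEY')}\n</key>\n"
)
AUTOLOGIN_PROFILE = _BASE
USER_LOCKED_PROFILE = _BASE + "auth-user-pass\n"

if __name__ == "__main__":
    for name, prof in [("auto-login", AUTOLOGIN_PROFILE),
                       ("user-locked", USER_LOCKED_PROFILE)]:
        print(name, audit_profile(prof))
```
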

asaushkin
OpenVpn Newbie
Posts: 2
Joined: Tue Feb 23, 2021 7:20 pm

Re: OpenVPN on AWS

Post by asaushkin » Thu Feb 25, 2021 8:23 am

Thank you a lot for such a detailed answer.
