How to use password and profile double authentication

Business solution to host your own OpenVPN server with web management interface and bundled clients.
Post Reply
doit2010
OpenVPN User
Posts: 23
Joined: Sat Feb 05, 2022 8:37 am

How to use password and profile double authentication

Post by doit2010 » Thu Oct 06, 2022 12:58 pm

How to use password and profile double authentication ?(openvpn-as 2.11)

How to use password and profile double authentication
By default, you can connect with a password. For security reasons, I close the web end to download configuration files, and the administrator generates user profiles in the background. I hope all users must connect with passwords and configuration files. However, your documents are not easy to understand, and I hope they can be answered.

User avatar
openvpn_inc
OpenVPN Inc.
Posts: 1051
Joined: Tue Feb 16, 2021 10:41 am

Re: How to use password and profile double authentication

Post by openvpn_inc » Thu Oct 06, 2022 1:12 pm

Hello doit2020,

I don't know what you mean by profile double authentication, it is a vague description.

In the case that you mean that there should be verification with certificates, and verification with username and password, then that is already happening. The client private key is embedded in the connection profile you generated on the server and verified automatically when you connect. Then on top of that you have to provide your credentials. If you don't have the config file you don't have the required private key to connect.

In the case that you mean that there should be username+password verification and on top of that a multi-factor authentication like with Google Authenticator or such, then you can enable MFA in the authentication settings page in the Admin UI of the access server. Users will then have to enroll in MFA first on the web interface and can then use that to establish the VPN connection.

Kind regards,
Johan
Image OpenVPN Inc.
Answers provided by OpenVPN Inc. staff members here are provided on a voluntary best-effort basis, and no rights can be claimed on the basis of answers posted in this public forum. If you wish to get official support from OpenVPN Inc. please use the official support ticket system: https://openvpn.net/support

doit2010
OpenVPN User
Posts: 23
Joined: Sat Feb 05, 2022 8:37 am

Re: How to use password and profile double authentication

Post by doit2010 » Thu Oct 06, 2022 1:59 pm

openvpn_inc wrote:
Thu Oct 06, 2022 1:12 pm
Hello doit2020,

I don't know what you mean by profile double authentication, it is a vague description.

In the case that you mean that there should be verification with certificates, and verification with username and password, then that is already happening. The client private key is embedded in the connection profile you generated on the server and verified automatically when you connect. Then on top of that you have to provide your credentials. If you don't have the config file you don't have the required private key to connect.

In the case that you mean that there should be username+password verification and on top of that a multi-factor authentication like with Google Authenticator or such, then you can enable MFA in the authentication settings page in the Admin UI of the access server. Users will then have to enroll in MFA first on the web interface and can then use that to establish the VPN connection.

Kind regards,
Johan
i mean there should be verification with certificates, and verification with username and password

But the default configuration is that I fill in the server address, account and password on the client, and then I can connect directly,No client.ovpn required。
how can i do,there should be verification with certificates, and verification with username and password?

User avatar
openvpn_inc
OpenVPN Inc.
Posts: 1051
Joined: Tue Feb 16, 2021 10:41 am

Re: How to use password and profile double authentication

Post by openvpn_inc » Thu Oct 06, 2022 2:43 pm

Hello doit2020,

You are referring to the import procedure in the OpenVPN Connect application. It allows the user to import his or her connection profile using just his or her credentials. The imported profile can then be used to start the connection. This is a usability feature, otherwise things get too complicated for a beginner to get started with their own OpenVPN server.

You have some options. You can go to the Admin UI of the Access Server and under Configuration > CWS settings set it to restrict access to the web services only to Access Server administrators, and to turn off the XML-RPC/REST API. That will ensure your users cannot obtain their connection profiles by themselves, but they will have to go through an administrator of the Access Server to obtain these profiles. The administrator of the server can generate and download connection profiles for users and hand them over via whatever medium they feel is safe. The user can then use that connection profile to get connected.

Another option is to use SAML authentication, and in the SAML IdP you can use X509 client authentication, meaning a certificate must be installed on the client system that can validate against the SAML IdP. That way when you start the import process in OpenVPN Connect, you will be redirected to the SAML IdP, that will then do a validation of a certificate that can validate against the SAML IdP, and only then can the connection profile with its own OpenVPN client certificates be imported and used to connect.

Kind regards,
Johan
Image OpenVPN Inc.
Answers provided by OpenVPN Inc. staff members here are provided on a voluntary best-effort basis, and no rights can be claimed on the basis of answers posted in this public forum. If you wish to get official support from OpenVPN Inc. please use the official support ticket system: https://openvpn.net/support

Post Reply