OpenVPN – Azure – MFA with Radius

How to Use OpenVPN with Azure MFA Radius authentication


Install OpenVPN on Centos 6

#yum -y update

#rpm -Uvh

Step 2: Install and configure OpenVPN
$ yum install -y openvpn easy-rsa
Copy the sample.conf to /etc/openvpn as starting point for our own config file.
$ cp /usr/share/doc/openvpn-*/sample/sample-config-files/server.conf /etc/openvpn

Step 3: Generating Keys and Certificates Using easy-rsa

Now that we’ve finished modifying the configuration file, we’ll generate the required keys and
certificates. As with the configuration file, OpenVPN places the required scripts in the documentation folder by default. Create the required folder and copy the files over.

$ mkdir -p /etc/openvpn/easy-rsa/2.0/keys
$ cp -rf /usr/share/openvpn/easy-rsa/2.0/* /etc/openvpn/easy-rsa/2.0/
With the files in the desired location, we’ll edit the “vars” file which provides the easy-rsa scripts
with required information.

$ nano -w /etc/openvpn/easy-rsa/2.0/vars
We’re looking to modify the “KEY_” variables, located at the bottom of the file. The variable names are fairly descriptive and should be filled out with the applicable information.
Once completed, the bottom of your “vars” file should appear similar to the following:
export KEY_ORG=”Organization Name”
export KEY_EMAIL=””
export KEY_NAME=server
export KEY_OU=server

OpenVPN might fail to properly detect the OpenSSL version on CentOS 6. As a precaution, manually copy the required OpenSSL configuration file.
$ cp /etc/openvpn/easy-rsa/openssl-1.0.0.cnf /etc/openvpn/easy-rsa/openssl.cnf

We’ll now change into our working directory and build our Certificate Authority, or CA, based on the information provided above.

cd /etc/openvpn/easy-rsa/2.0
$ source ./vars
$ ./clean-all
$ ./build-ca

Now that we have our CA, we’ll create our certificate for the OpenVPN server. When asked by build-key-server, answer yes to commit.
./build-key-server server

We’re also going to need to generate our Diffie Hellman key exchange files using the build-dh script and copy all of our files into /etc/openvpn as follows:

cd /etc/openvpn/easy-rsa/2.0/keys

4 – Install Radius Plugin

$ cd /tmp

$ wget

$ tar -xvfz radiusplugin_v2.1.tar.gz

$ cd radiusplugin_v2.1/

$ make

Once that is complete (it will complete within seconds), copy the configuration file and library (*.so) file to /etc/openvpn/:

$ cp /etc/openvpn/

$ cp radiusplugin.cnf /etc/openvpn/

Open up the configuration file that we just copied radiusplugin.cnf with your favorite editor and make the following changes:

Edit this line
# The NAS IP address which is sent to the RADIUS server
NAS-IP-Address= #local ip of openvpn server
#disable accounting



# The UDP port for radius accounting.


# The UDP port for radius authentication.


# The name or ip address of the radius server.

name=X.X.X.X # MFA Radius IP address

# The shared secret.

sharedsecret=shared_secret # must match the shared key in MFA radius server

# How many times should the plugin send the if there is no response?


# How long should the plugin wait for a response?

wait=20 #increase timout to 20


5- Now, let’s change the configuration file.
vi /etc/openvpn/server.conf
As below :

port 1194

ca easy-rsa/2.0/keys/ca.crt
cert easy-rsa/2.0/keys/server.crt
key easy-rsa/2.0/keys/server.key # This file should be kept secret
dh easy-rsa/2.0/keys/dh2048.pem

server #this is vpn subnet // that vpnusers will take ip from it
ifconfig-pool-persist ipp.txt
# back to the OpenVPN server. #specify which subnet should vpn users access
push “route” #subnet 1
push “route” #Subnet 2
push “route” #Subnet 3
push “dhcp-option DNS” #change dns to access internet if required
keepalive 10 120
status /var/log/openvpn/openvpn-status.log
log /var/log/openvpn/openvpn.log
log-append /var/log/openvpn/openvpn.log
verb 3
management localhost 7505 #local port to be test on
#plugin /usr/lib64/openvpn/plugin/lib/ login #to authenticate from linux server local accounts
plugin /etc/openvpn/ /etc/openvpn/radiusplugin.cnf # authenticate from MFA Radius Server

6- Routing Configuration and Starting OpenVPN Server

$ iptables -I INPUT -p udp -m udp –dport 1194 -j ACCEPT
Enable IP Forwarding in sysctl:
$ nano -w /etc/sysctl.conf
# Controls IP packet forwarding
net.ipv4.ip_forward = 1
Finally, apply our new sysctl settings. Start the server and assure that it starts automatically on boot:
$ sysctl -p
$ service openvpn start
$ chkconfig openvpn on

### Now openvpn server is up and configured to authenticate from MFA and Radius server
Next step is to configure MFA server:
Assuming that MFA server acts as Radius server and imports users from another AD server

1: Download Azure Multi-Factor Authentication Server from the Azure classic portal

Full How-to

#skip Configuration manager for now




Multi-Factor Authentication Server Console
1. Log in to the server where MFA is installed.
2. Open the Apps screen.
3. Click the Multi-Factor Authentication Server icon:
4. The Multi-Factor Authentication Server window opens.

Now you will configure the necessary services.

RADIUS Authentication
First you will enable RADIUS authentication, and then add the VPN appliance as a client.

1. Click the RADIUS Authentication icon.

2. When the RADIUS Authentication tool opens, select Enable RADIUS authentication.null

3. Select the Clients tab if necessary.

NOTE: Keep track of the port numbers noted for authentication and as you will need them for the VPN appliance configuration. Authentication defaults are 1645 or 1812.

4. Click Add to open the Add RADIUS Client dialog box.


5. Complete the following:
a. IP address – enter the openvpn local address. #ip must be reachable from server
b. Application name – enter a descriptive name for the openvpn server.
c. Shared secret – shared key in openvpn radius plugin.cnf to secure the RADIUS communication.

NOTE: The shared secret will be configured on both the MFA server and openvpn, so keep track of it.

d. Require Multi-Factor Authentication user match – select; only users who are included in the MFA Users list will be granted access.

NOTE: This feature provides better control over remote access. If not enabled (unchecked), then only users who are included in the MFA Users list will need to authenticate with MFA. Other domain users will be able to authenticate without MFA.

6. Select the Target tab.

7. Select LDAP Domain; this will configure the MFA server to use AD for primary authentication.
You have completed configuring RADIUS authentication and adding the VPN server as a RADIUS client. Leave the Multi-Factor Authentication Server window open for the next task.

Directory Integration
Now you will connect to the directory service.
1. In the navigation area, click the Directory Integration icon.

Server :AD server IP
Base DN : DN=example,DN=com
Authentication type :windows
Bind DN=AD Admin username
Bind Password:admin password

Default Authentication Method

The instructions below explain how to set a default option for the authentication method that will be automatically assigned to MFA user accounts. A default method is required when user are not allowed to change methods. The feature is optional when users are allowed to change their token methods, and may be more convenient if a majority of users need one method.
Configure Company Settings
1. In the navigation area, click the Company Settings icon:null
Leave default settings except for the following:
User defaults – select one of the options below:
§ Phone call – select Standard from the drop menu:

MFA Users

When the openvpn was configured as a RADIUS client, access was restricted to members of the MFA Users group. This provides more control over remote access, and is a security best practice. Now accounts need to be imported from the directory service.
Import User Accounts
Theses instructions are for on-demand user import.
– In the navigation area, click the Users icon.

2- When the Users tool opens, Click Import from LDAP
3- Once users imported Edit each user and make sure it’s enabled and phone no. is configured.

Example how to add new VPN user:

1- Add user test1 to AD
2- Import users in MFA server and make sure user test1 is enabled and configured with phone no!
3- navigate to openvpn server to generate user certificate
$ cd /etc/openvpn/easy-rsa/2.0/
$ source .vars
$ ./build-keys test1
$ cd keys

Create company.ovpn file as below
proto udp
dev tun
remote xx.xx.xx.xx # your openvpn public ip
ca ca.crt
cert test1.crt
Key test1.key
verb 4

$ tar -cvf test1-keys.tar ca.crt test1.crt test1.key company.ovpn
Send test1-keys.tar to user test1 to allow vpn connection


Now the next step is to configure Openvpn client to allow AD local users to use VPN.
– Install OpenVPN Client as follows:
Download and install openvpn Client
Install OpenVPN Client as follows:

Extract attached files sent to user test1 test1-Keys.tar to C:\Program Files\OpenVPN\config
Launch openvpn Client Gui on desktop with administrator permissions



provide test1 AD username/password


You will receive a phone call on test1 phone no configured in MFA server (just answer it and press # ) .

You are now connected.