OpenVPN server on Debian

    Step 1: Install OpenVPN Server on Debian

    Update the package list:

    sudo apt update

    Install OpenVPN and additional required packages:

    sudo apt install openvpn easy-rsa

    Set up the Public Key Infrastructure (PKI): create an EasyRSA working directory, move into it, initialise the PKI and build the CA:

    make-cadir ~/openvpn-ca
    cd ~/openvpn-ca
    ./easyrsa init-pki
    ./easyrsa build-ca

    Generate the server certificate and key:

    ./easyrsa gen-req server nopass
    ./easyrsa sign-req server server

    Generate a client certificate, the Diffie-Hellman parameters, and the TLS-auth HMAC key:

    ./easyrsa gen-req client1 nopass
    ./easyrsa sign-req client client1
    ./easyrsa gen-dh
    openvpn --genkey --secret ta.key

    Copy the CA certificate, the server certificate and key, the DH parameters (dh.pem) and ta.key to the /etc/openvpn/ directory.

    Step 2: Configure OpenVPN to Use Azure AD for Authentication

    Confirm that the OpenVPN PAM authentication plugin is available. On Debian there is no separate package for it: the openvpn package installed in Step 1 already ships it as /usr/lib/openvpn/openvpn-plugin-auth-pam.so.

    Configure Azure AD as an authentication provider.

    Go to the Azure Portal:
    Navigate to Azure Active Directory > Enterprise Applications > New Application.
    Select Non-Gallery Application and name it OpenVPN.

    Go to Authentication and configure the redirect URIs:
    Add the URI: https://<your-vpn-server-ip>/auth
    Ensure ID tokens are enabled.

    Go to Certificates & Secrets and create a Client Secret.

    Under API Permissions:
    Add the Microsoft Graph API permissions for User.Read.

    Step 3: Configure Azure AD SAML Authentication for OpenVPN

    In Azure AD:
    Go to your OpenVPN app > Single sign-on > SAML.
    Edit the Basic SAML Configuration with the following:
    Identifier (Entity ID): https://<your-vpn-server-ip>/saml
    Reply URL: https://<your-vpn-server-ip>/saml

    Download the Federation Metadata XML file to use with OpenVPN.

    Configure the User Attributes & Claims:
    Set the source attribute of the Unique User Identifier (Name ID) claim to user.userprincipalname.

    Step 4: Configure OpenVPN to Use SAML Authentication

    On the OpenVPN server:
    Place the Federation Metadata XML file in the /etc/openvpn/ directory.

    Edit the OpenVPN server configuration file, usually located at /etc/openvpn/server.conf:

    Add the following lines to enable SAML authentication:

    plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so openvpn
    auth-user-pass-verify /etc/openvpn/check_saml.sh via-env

    The plugin argument "openvpn" names the PAM service, so a matching /etc/pam.d/openvpn file must exist. The via-env mode requires script-security 3 in the same configuration and hands the credentials to the script as the environment variables username and password; the script must exit 0 to grant access and any other status to deny it. With both directives present, a login is accepted only if the PAM plugin and the script both succeed.

    Create a check_saml.sh script to verify the SAML token.

    Step 5: Configure 2FA with Azure AD
    In Azure AD, go to Security > Conditional Access:
    Create a new policy that requires Multi-Factor Authentication for the OpenVPN application.
    Set the Grant control to require Multi-Factor Authentication.

    Enable this policy to enforce 2FA for users accessing OpenVPN through Azure AD.

    Step 6: Restart OpenVPN and Test

    Restart the OpenVPN service:

    sudo systemctl restart openvpn@server

    Download and configure the OpenVPN client, importing the .ovpn profile configured for SAML authentication.

    Test by logging in with an Azure AD account; you should be prompted for 2FA if configured correctly in Conditional Access.

    Your OpenVPN server on Debian is now configured to authenticate users via Azure AD with 2FA enforced.
