Integrate OpenVPN with JumpCloud’s RADIUS-as-a-Service
4 min read · Dec 5, 2022
Everything is on the cloud ☁︎
This setup suits use cases such as testing JumpCloud RADIUS (or LDAP / SAML) in a lab, or running a real VPN server.
Instructions
Step 1 — Setup the OpenVPN server
System/Network Requirements:
- OS: Ubuntu 20.04.4 LTS, x86_64.
- 2 vCPUs.
- 4 GB RAM.
- At least 10 GB of disk on the system drive.
- The following ports are reachable from the internet (forward them on your router cautiously, and only to this host):
- 443, 943 / TCP (943 is the admin and client web UI; 443 carries OpenVPN over TCP and forwards to the web UI)
- 1194 / UDP (the OpenVPN tunnel itself)
Option 1
- Provision the server on AWS by cloning my Terraform repo.
Option 2
- Clone this repo for a templated jump start via Vagrant (VirtualBox provider):
- OpenVPN installation is provisioned when booting up.
- Ports are forwarded to the host: 443, 943 / TCP; 1194 / UDP.
Option 3
- A manually created Linux VM that meets the requirements above.
- Make sure the ports mentioned above are forwarded to your host.
- Run the lines below (as root, or prefixed with sudo) to install OpenVPN Access Server from OpenVPN's own repository:
apt update && apt -y install ca-certificates wget net-tools gnupg
wget -qO - https://as-repository.openvpn.net/as-repo-public.gpg | apt-key add -
echo "deb http://as-repository.openvpn.net/as/debian focal main">/etc/apt/sources.list.d/openvpn-as-repo.list
apt update && apt -y install openvpn-as
("focal" matches the Ubuntu 20.04 target above. apt-key is deprecated on Ubuntu 22.04 and later, so check OpenVPN's current repository instructions if you install on a newer release.)
Take note of the Access Server web UI login details (the URLs and the generated password for the "openvpn" admin account) printed at the end of the installation.
- Terraform will output the public IP of your EC2 instance.
- Use localhost if you are running it on a local VM with the ports forwarded.
- Use your public IP only if you have allowed these ports through your router/firewall.
Step 2 — Setup JumpCloud RADIUS server
- Register the public IP of the RADIUS client: your VPN gateway itself, or the office on-prem firewall it sits behind. JumpCloud uses this address to identify the client.
- Follow the remaining steps in JumpCloud's RADIUS setup guide.
- Generate a shared secret and store it securely; you will enter it in OpenVPN in the next step.
- Bind the RADIUS server to the designated user group(s); only users in a bound group can authenticate through it.
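Before touching the OpenVPN settings, it is worth confirming from the VPN host itself that the registered client IP and the shared secret actually work. The probe below is an added example written for this write-up (it is not JumpCloud's or OpenVPN's code): it sends a single RFC 2865 PAP Access-Request and validates the reply the way a RADIUS client must, so a wrong secret shows up as a failed Response Authenticator rather than as a confusing reject. It assumes the server accepts PAP for this test (JumpCloud documents PAP alongside MS-CHAPv2), that UDP/1812 egress is open, and that the host, secret and user you pass on the command line are your own; `build_server_reply` is a test helper standing in for the server.

```python
"""Minimal RADIUS (RFC 2865) PAP probe: one Access-Request, one validated reply.
Added example for this write-up; not JumpCloud or OpenVPN code."""
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IDENTIFIER = 1, 2, 32
CODE_NAMES = {ACCESS_ACCEPT: "Access-Accept", ACCESS_REJECT: "Access-Reject",
              ACCESS_CHALLENGE: "Access-Challenge"}


def encrypt_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 s5.2 User-Password hiding: NUL-pad to a multiple of 16 (at least 16),
    then XOR each block with MD5(secret + previous ciphertext block); the first block
    is keyed with the Request Authenticator."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], keystream))
        out += prev
    return bytes(out)


def decrypt_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server-side inverse of encrypt_password; strips the NUL padding."""
    out, prev = bytearray(), authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        prev = hidden[i:i + 16]
        out += bytes(a ^ b for a, b in zip(prev, keystream))
    return bytes(out).rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value encoding; Length includes the 2-byte header."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(ident: int, authenticator: bytes, username: bytes,
                         password: bytes, secret: bytes,
                         nas_id: bytes = b"openvpn-as") -> bytes:
    """Code(1) | Identifier | Length | 16-byte Request Authenticator | attributes."""
    attrs = (attribute(ATTR_USER_NAME, username)
             + attribute(ATTR_USER_PASSWORD, encrypt_password(password, secret, authenticator))
             + attribute(ATTR_NAS_IDENTIFIER, nas_id))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def response_authenticator_ok(reply: bytes, request_authenticator: bytes, secret: bytes) -> bool:
    """RFC 2865 s3: ResponseAuth = MD5(Code+ID+Length+RequestAuth+Attributes+Secret).
    A reply that fails this was signed with a different secret, or forged."""
    expected = hashlib.md5(reply[:4] + request_authenticator + reply[20:] + secret).digest()
    return hmac.compare_digest(expected, reply[4:20])


def parse_response(reply: bytes, ident: int, request_authenticator: bytes, secret: bytes) -> int:
    """Validate a reply against the request it answers and return its Code."""
    if len(reply) < 20:
        raise ValueError("short packet")
    code, reply_id, length = struct.unpack("!BBH", reply[:4])
    if length < 20 or length > len(reply):
        raise ValueError("bad Length field")
    reply = reply[:length]  # octets past Length are padding and are ignored
    if reply_id != ident:
        raise ValueError("Identifier mismatch: stale or spoofed reply")
    if not response_authenticator_ok(reply, request_authenticator, secret):
        raise ValueError("bad Response Authenticator: shared secret mismatch or forged reply")
    return code


def build_server_reply(request: bytes, code: int, secret: bytes) -> bytes:
    """Test helper standing in for the RADIUS server (not JumpCloud's behaviour):
    echo the Identifier, carry no attributes, sign with the Response Authenticator."""
    header = struct.pack("!BBH", code, request[1], 20)
    return header + hashlib.md5(header + request[4:20] + secret).digest()


def probe(server: str, secret: bytes, username: bytes, password: bytes,
          port: int = 1812, timeout: float = 5.0) -> str:
    """Send one PAP Access-Request over UDP and name the validated outcome."""
    ident, authenticator = os.urandom(1)[0], os.urandom(16)
    packet = build_access_request(ident, authenticator, username, password, secret)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (server, port))
        data, _ = sock.recvfrom(4096)
    code = parse_response(data, ident, authenticator, secret)
    return CODE_NAMES.get(code, f"code {code}")


if __name__ == "__main__":
    import sys
    if len(sys.argv) != 5:  # placeholders; supply your own JC server, secret and user
        sys.exit(f"usage: {sys.argv[0]} <radius-ip> <shared-secret> <user> <password>")
    host, secret, user, pw = sys.argv[1:]
    try:
        print(probe(host, secret.encode(), user.encode(), pw.encode()))
    except socket.timeout:
        print("no reply: RADIUS servers silently drop requests from unregistered client "
              "IPs, so check the registered public IP and UDP/1812 egress")
```

Run it from the VPN host as `python3 radius_probe.py <jc-radius-ip> '<shared-secret>' user@example.com '<password>'` (the secret and password are taken from argv for brevity; read them from the environment or a prompt in real use). Access-Accept means IP registration, secret and group binding are all right; Access-Reject with a valid authenticator points at the credentials or the group binding; a "bad Response Authenticator" error means the shared secret differs from the one JumpCloud generated; a timeout means the request never reached a server willing to answer, typically an unregistered client IP or blocked egress. A server doing push MFA may hold the request until the push is approved, so raise the timeout if you test after Step 6.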
Step 3 — Configure the OpenVPN Server
- Log in to the admin UI with the credentials generated during installation.
- Go to “Authentication” → “RADIUS”.
- Under “RADIUS Settings”, toggle “Enable RADIUS Authentication” to “Yes”.
- Pick a JumpCloud RADIUS server IP, choosing the one(s) closest to your geographic location (refer to Appendix A).
- In the “RADIUS Server” section, fill in that server IP and the shared secret acquired from your JumpCloud RADIUS server.
- In the “RADIUS Authentication Method” section, toggle “MS-CHAP v2” to “Yes”.
- Click “Save Settings”, then “Update Running Server” to push the changes to the server.
- Go back to “Authentication” → “Settings”.
- Change the “Default Authentication System” to “RADIUS”, then save settings and update the running server again.
- Go to “Configuration” → “Network Settings”.
- Change the IP of the “VPN Server” to your public address, leave the rest as is, then save settings and update the running server again.
- Refresh the page and log in again as the admin.
Step 4 — Configure the user permissions and profile.
- Go to “User Management” → “Group Permissions” and create a new group with the “Allow Auto-login” permission.
- Click “Save Settings”.
- Select the group you just created in the “Default Group Permissions to use for any User not in any Group” drop-down list. Note that this grants the permission to every user who authenticates via RADIUS.
- Log in as a JumpCloud user at https://your.public.ip:943/?src=connect; the first successful RADIUS login creates the user record in Access Server.
- Go back to “User Management” → “User Profiles”: the JumpCloud user is now listed. Click “New Profile”, select “Autologin”, tick “tls-crypt v2”, and click “Create Profile”.
- Keep in mind that an autologin profile carries its own client certificate and key and connects without prompting for a password, so RADIUS (and any MFA from Step 6) is consulted at the portal login that issues the profile, not on every connection; protect the downloaded .ovpn file like a credential, or pick “User-locked” instead if each connection should authenticate against JumpCloud.
Step 5 — Verify and setup on your (mobile) devices
- Download the OpenVPN Connect client for the OS of your choice.
- Visit https://your.public.ip:943/?src=connect on your device, and log in with your JumpCloud credentials.
- Download the connection profile, and open it with the OpenVPN client app.
- Once you have imported the profile, give it a go by clicking “Connect”.
(Optional) Step 6 — Enable MFA on JC RADIUS via JC protect
- Enable MFA on the RADIUS server as per the JumpCloud KB, and enable JumpCloud Protect for the designated user.
- Log in again as the same user; you should receive a push notification before getting in. (TOTP does not work with the OpenVPN client at this point, as it conflicts with JumpCloud's own TOTP facility.)
Last but not least
- You can now verify the login attempts in your JumpCloud Directory Insights portal.
Appendix A
JC RADIUS Server list: