Integrate OpenVPN with JumpCloud’s RADIUS-as-a-Service

Shawn Song
4 min read · Dec 5, 2022

Everything is on the cloud ☁︎

This setup suits use cases such as testing JumpCloud RADIUS / LDAP / SAML in a lab, or running a production VPN server.

Instructions

Step 1 — Set up the OpenVPN server

System/Network Requirements:

  • OS — Ubuntu 20.04.4 LTS, x86.
  • 2 vCPUs.
  • 4GB RAM.
  • At least 10 GB on the system drive.
  • The desired ports are reachable from the internet. (Forward these ports on your router cautiously)
    - 443, 943 / TCP
    - 1194 / UDP

Option 1

  • Provision the server on AWS by cloning my TF repo.

Option 2

  • Clone this repo for a templated jump start via Vagrant (VirtualBox provider):
    - OpenVPN installation is provisioned when booting up.
    - Ports are forwarded to the host: 443, 943 / TCP; 1194 / UDP.

Option 3

  • A manually created Linux VM that meets the requirements above.
  • Make sure the ports mentioned above are forwarded to your host.
  • Run the lines below (as root) to install OpenVPN Access Server:
# Prerequisites for fetching and verifying the OpenVPN AS repository
apt update && apt -y install ca-certificates wget net-tools gnupg
# Import the repository signing key
wget -qO - https://as-repository.openvpn.net/as-repo-public.gpg | apt-key add -
# Add the Access Server repo for Ubuntu 20.04 (focal), then install it
echo "deb http://as-repository.openvpn.net/as/debian focal main" > /etc/apt/sources.list.d/openvpn-as-repo.list
apt update && apt -y install openvpn-as

Take note of the Access Server WebUI login info printed once the installation finishes, as shown below.

Initial Admin Cred
  • Terraform will output the public IP of your EC2 instance, as below.
  • Use localhost if you are running it on a local VM with ports forwarded.
  • Use your public IP only if you have allowed these ports from your router/firewall.

Step 2 — Set up the JumpCloud RADIUS server

  1. Use the public IP of your VPN gateway, or of your office on-prem firewall.
  2. Follow the remaining steps.
  3. Generate a shared secret and save it securely for later.
  4. Bind the RADIUS server to the designated user group(s).

Step 3 — Configure the OpenVPN Server

  1. Log in to the admin UI with the credentials generated during the installation.
  2. Go to “Authentication” → “RADIUS”.
  3. Toggle “Enable RADIUS Authentication” to “Yes” at “RADIUS Settings”.
  4. Pick the JC RADIUS server IP(s) closest to your geographic location (refer to Appendix A).
  5. Fill in the server IP and the shared secret acquired from your JC RADIUS server in the “RADIUS Server” section.
  6. Set “MS-CHAP v2” to “Yes” in the “RADIUS Authentication Method” section.
  7. Click “Save Settings”, then “update running server” to push the changes to the server.
  8. Go back to “Authentication” → “Settings”.
  9. Change the “Default Authentication System” to “RADIUS”, and repeat step 3.7.
  10. Go to “Configuration” → “Network Settings”.
  11. Change the IP of the “VPN Server” to your public address, leave the rest as is, and repeat step 3.7.
  12. Refresh the page and log in again as the admin.
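To make concrete why the shared secret from step 2.3 must be stored securely and entered identically in step 3.5, here is an added Python example (not code from the post, JumpCloud or OpenVPN) that builds a RADIUS Access-Request and checks the server’s Response Authenticator the way a RADIUS client does (RFC 2865). It uses PAP-style User-Password hiding for illustration rather than the MS-CHAP v2 method the post configures; the secret, user and NAS identifier are constructed placeholders.

```python
import hashlib
import hmac
import os
import struct
# RFC 2865 packet codes and the attribute types used below
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IDENTIFIER = 1, 2, 32

def _attr(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute as Type | Length | Value (length includes the 2-byte header)."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def encrypt_user_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 §5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous block); the first block is keyed by the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out

def build_access_request(identifier, secret, username, password, nas_id, req_auth=None):
    """Client (NAS) side: the Access-Request a VPN gateway sends to the RADIUS server."""
    req_auth = req_auth or os.urandom(16)  # fresh per request; never reused
    attrs = (_attr(ATTR_USER_NAME, username.encode())
             + _attr(ATTR_USER_PASSWORD, encrypt_user_password(password.encode(), secret, req_auth))
             + _attr(ATTR_NAS_IDENTIFIER, nas_id.encode()))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + req_auth + attrs, req_auth

def response_authenticator(response: bytes, req_auth: bytes, secret: bytes) -> bytes:
    """RFC 2865 §3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    return hashlib.md5(response[:4] + req_auth + response[20:] + secret).digest()

def build_access_accept(request: bytes, secret: bytes) -> bytes:
    """Server side: an Access-Accept bound to the request ID and sealed with the shared secret."""
    header = struct.pack("!BBH", ACCESS_ACCEPT, request[1], 20)
    return header + response_authenticator(header + bytes(16), request[4:20], secret)

def verify_response(response: bytes, req_auth: bytes, secret: bytes) -> bool:
    """Accept the reply only if it was produced with the same shared secret we configured."""
    return hmac.compare_digest(response[4:20], response_authenticator(response, req_auth, secret))

def demo() -> tuple[bool, bool]:
    """Same secret on both sides -> reply verifies; mismatched secret -> reply is rejected."""
    secret = b"CONSTRUCTED-SHARED-SECRET"  # placeholder, not a real JumpCloud secret
    request, req_auth = build_access_request(7, secret, "alice@example.com", "pw", "openvpn-as-lab")
    reply = build_access_accept(request, secret)
    return verify_response(reply, req_auth, secret), verify_response(reply, req_auth, b"WRONG-SECRET")
```

A mistyped secret shows up exactly as the second case: the server’s reply cannot be validated, so every login fails even though the user’s password is correct.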

Step 4 — Configure the user permissions and profile

  1. Go to “User management” → “Group permissions” → Create a new group with the “Allow Auto-login” permission.
  2. Click “save settings”.
  3. Select the group you just created in the “Default Group Permissions to use for any User not in any Group” drop-down list.
  4. Log in as a JC user at https://your.public.ip:9943/?src=connect
  5. Go back to “User management” → “User Profiles”. The JC user has now been created; click “new profile”, select “Autologin”, tick “tls-crypt v2”, and click “create profile”.

Step 5 — Verify and set up your (mobile) devices

  1. Download the OpenVPN client for your OS of choice.
  2. Visit https://your.public.ip:943/?src=connect on your device, and log in with your JC credentials.
  3. Download the connection profile, and open it with the OpenVPN client app.
  4. Once you have imported the profile, try it out by clicking “connect”.

(Optional) Step 6 — Enable MFA on JC RADIUS via JumpCloud Protect

  • Enable MFA as per the KB, and enable JumpCloud Protect for the designated user.
  • Log in again as the same user; you should receive a push notification before getting in. (TOTP does not work for the OpenVPN client at this point, as it conflicts with JC’s TOTP facility.)

Last but not least

  • You can now verify the login attempts in your JumpCloud Directory Insights portal.

Appendix A

JC RADIUS Server list:
