MFA for OpenVPN

Enhance login security with ADSelfService Plus

What is OpenVPN?

OpenVPN is popular open-source software that allows organizations to connect to their corporate network through a secure tunnel. It encrypts the data transmitted between your client (computer or smartphone) and the server, ensuring privacy and security. OpenVPN can mask your IP address, making it difficult for others to track your online activities. Other benefits include being able to access data from anywhere and bypass geo-restrictions to access content blocked in your region.

Protect OpenVPN with MFA

OpenVPN offers two-factor authentication (2FA) using time-based one-time password (TOTP) codes. While this provides an additional layer of security, it isn't the strongest or most effective way to secure your OpenVPN logins. This is where ADSelfService Plus comes in. With advanced authentication methods and adaptive MFA, you'll enjoy a seamless and secure login process. The solution also helps you comply with regulations and mandates like NIST SP 800-63B, HIPAA, NYCRR, the FFIEC, the PCI DSS and the GDPR.

ADSelfService Plus offers an intuitive portal where you can select your preferred MFA authentication method from a wide range of one-way and challenge-based authenticators. An MFA policy can also be configured for a specific group of OpenVPN users, so that not everyone has the same login process.

Once OpenVPN is set up with ADSelfService Plus, the login process is as follows:

  1. The user opens the OpenVPN client.
  2. The user completes the first stage of authentication using their AD domain credentials.
  3. If successful, ADSelfService Plus initiates the MFA process involving up to three stages of authentication.
  4. Once the user completes the MFA process, they are logged into OpenVPN.

Enabling MFA for OpenVPN

Here's how you can configure ADSelfService Plus' MFA for OpenVPN logins:

Prerequisites

  • Ensure you have a Professional Edition license of ADSelfService Plus with Endpoint MFA enabled.
  • Enable HTTPS in ADSelfService Plus by navigating to Admin > Product Settings > Connection.
    Note: If you are using an untrusted certificate in ADSelfService Plus for HTTPS, disable the Restrict User Access when there is an Invalid SSL Certificate option under Configuration > Administrative Tools > GINA/Mac/Linux (Ctrl+Alt+Del) > GINA/Mac/Linux Customization > Advanced.
  • The access URL configured under Admin > Product Settings > Connection > Configure Access URL will be used by the NPS extension to communicate with the ADSelfService Plus server. Ensure the access URL is updated before installing the NPS extension.
  • In AD, set the users’ Network Access Permission to Control access through NPS Network Policy in their dial-in properties.
  • Configure your OpenVPN gateway to use RADIUS authentication.
  • The RADIUS server must be a Windows Server (Windows Server 2008 R2 or later) with the NPS role enabled.
  • On the Windows NPS server, set the authentication settings of the Connection Request Policy to authenticate requests on this server.

Configuring ADSelfService Plus

Step 1: Enable the required authenticators

  1. Log in to ADSelfService Plus as an administrator.
  2. Navigate to Configuration > Self-Service > Multi-factor Authentication > Authenticators Setup.
  3. Enable the required authenticators for OpenVPN login.
  4. Click Save.

Step 2: Enable MFA for VPN logins

  1. Go to the MFA for Endpoints tab.
  2. From the Choose the Policy drop-down menu, select the OU- or group-based policy that determines the users for whom MFA for VPN login will be enabled.
  3. In the MFA for VPN Logins section, check the box and choose the number of authentication factors and the authentication methods using the drop-down options.
  4. Click Save Settings.

Step 3: Install the NPS extension

Install the NPS extension and restart the NPS Windows service.

The setup is complete. Users will be prompted for MFA when they log in to OpenVPN to verify their identities using the chosen authentication methods.
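
The prerequisites and Step 3 above can be checked from an elevated PowerShell session on the NPS server. The script below is an added example, not ManageEngine's own tooling; it assumes Windows Server 2012 or later with the NPS and ActiveDirectory (RSAT) modules available, and $AccessUrl and $VpnGroup are placeholder values to replace with your own.

```powershell
#Requires -RunAsAdministrator
# Added example: pre-flight checks for the NPS server that will host the NPS extension.
# Placeholders (assumptions, not values from the product documentation):
param(
    [string]$AccessUrl = 'https://adssp.example.com',  # ADSelfService Plus access URL
    [string]$VpnGroup  = 'VPN-Users',                  # hypothetical AD group of OpenVPN users
    [switch]$RestartNps                                # restart NPS after installing the extension
)

Import-Module ServerManager, NPS, ActiveDirectory -ErrorAction Stop

# 1. The RADIUS server must have the NPS role enabled.
if (-not (Get-WindowsFeature -Name NPAS).Installed) {
    throw 'The Network Policy and Access Services role (NPAS) is not installed.'
}

# 2. The OpenVPN gateway must be registered as a RADIUS client.
#    SharedSecret is deliberately not selected so it never lands in console logs.
$clients = Get-NpsRadiusClient
if (-not $clients) { Write-Warning 'No RADIUS clients are defined in NPS.' }
$clients | Select-Object Name, Address, Enabled | Format-Table -AutoSize

# 3. The NPS extension talks to the access URL over HTTPS. This request fails
#    on an untrusted or mismatched certificate, which flags that problem early.
try {
    $resp = Invoke-WebRequest -Uri $AccessUrl -UseBasicParsing -TimeoutSec 15
    Write-Host "Access URL reachable over HTTPS (HTTP $($resp.StatusCode))."
} catch {
    Write-Warning "Access URL check failed: $($_.Exception.Message)"
}

# 4. Dial-in permission: msNPAllowDialin is unset when the user is set to
#    "Control access through NPS Network Policy". List users with an explicit
#    allow (True) or deny (False), since those bypass the policy decision.
$explicit = Get-ADGroupMember -Identity $VpnGroup -Recursive |
    Where-Object objectClass -eq 'user' |
    Get-ADUser -Properties msNPAllowDialin |
    Where-Object { $null -ne $_.msNPAllowDialin }
if ($explicit) {
    Write-Warning 'These users have an explicit dial-in setting:'
    $explicit | Select-Object SamAccountName, msNPAllowDialin | Format-Table -AutoSize
}

# 5. Step 3: restart the NPS Windows service (service name IAS).
if ($RestartNps) {
    Restart-Service -Name IAS
    Get-Service -Name IAS | Select-Object Name, Status
}
```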

Choose from a wide range of authenticators

You can choose from a wide range of authenticators supported by ADSelfService Plus to log in to OpenVPN.

  1. Microsoft Authenticator
  2. YubiKey
  3. SMS and email verification
  4. Zoho OneAuth TOTP

Advantages of implementing ADSelfService Plus' MFA

  • Conditional access

    By evaluating risk factors like IP address, access time, device, and location, you can increase or decrease security measures depending on the situation. For example, MFA requirements can be increased for logins from unfamiliar devices or during off-peak hours.

  • Real-time audit reports

    Gain comprehensive insights into user MFA activity with detailed reports on attempted times, device types, and IP addresses. Also get reports on all MFA-enrolled users, MFA failures, and trusted devices. These reports can be scheduled to generate at regular intervals and delivered to email addresses of your choice.

  • Complete endpoint protection

    Expand your authentication options to include Windows, macOS, and Linux machines, as well as leading VPN providers. MFA can also be implemented for Outlook on the web logins and endpoints that support RADIUS authentication.

Supported VPN providers and non-VPN RADIUS endpoints:

  • Juniper VPN
  • Fortinet VPN
  • Palo Alto VPN
  • Cisco ASA AnyConnect VPN
  • SonicWall VPN
  • Check Point VPN
  • Citrix Gateway
  • Microsoft Remote Desktop Gateway
  • VMware Horizon View

ADSelfService Plus also supports

  • Adaptive MFA

    Enable context-based MFA with 19 different authentication factors for endpoint and application logins.

  • Enterprise single sign-on

    Allow users to access all enterprise applications with a single, secure authentication flow.

  • Remote work enablement

    Enhance remote work with cached credential updates, secure logins, and mobile password management.

  • Powerful integrations

    Establish an efficient and secure IT environment through integration with SIEM, ITSM, and IAM tools.

  • Enterprise self-service

    Delegate profile updates and group subscriptions to end users and monitor these self-service actions with approval workflows.

  • Zero Trust

    Create a Zero Trust environment with advanced identity verification techniques and render your networks impenetrable to threats.
