OpenVPN + Active Directory + Google Authenticator = Remote Access Win

Background and Introduction

A core use case for many scientists is being able to access their systems and data when they are off-site. With today's ever present security threats, providing a way to enable this remote access in a way that is secure, simple, inexpensive and easy to administer is a key element of scientific systems design. A common way to do this is via a commercial VPN solution authenticating to an existing directory service (most frequently Microsoft's Active Directory), but the licensing costs for these solutions can be expensive, and may not necessarily meet customization requirements. Additionally, updates and upgrades can be contingent on costly capital expenditure in the form of new firewall hardware. "Stand up a free remote access VPN authenticating to AD (or other LDAP server) with OTP two-factor authentication" seems to me like a fairly common use case; it's deployed in a paid iteration at plenty of businesses, government agencies and in other organizational infrastructure. Here at the BioTeam Convergence Lab, we needed a remote access solution for as little cost as possible that still leveraged reliable, secure technologies and would be fairly easy to administer. Yet, after having Googled around for a while, looking for a comprehensive guide to how to do this, I came up only with pieces of a solution, but not the whole enchilada. So, here it is, fresh out of the oven. The general workflow is as follows: you have an existing user directory service, such as FreeIPA or Active Directory, and a network infrastructure such that you can either expose firewalled machines directly to the Internet or forward ports through a router performing NAT or PAT to a machine inside your network. You want to stand up a remote access VPN that allows users on the Internet to connect remotely to this infrastructure and be authenticated with a combination of your user directory and a TOTP app like Google Authenticator (or FreeOTP, or any number of other mobile apps that use the OATH spec). To accomplish this, you'll set up a server on your network that will both serve OpenVPN connection requests and perform authentication both to e.g. Active Directory and, in this case, the Google Authenticator PAM plugin. This one machine will combine SSSD (software that can bind a Linux machine to a directory service), PAM (software that manages authentication, logins, etc.), Google Authenticator, and OpenVPN to accomplish everything, and the best part of this arrangement is that no RADIUS server is necessary! This is a fairly modular setup. You could leave out the SSSD part and just authenticate your VPN to a given computer's local PAM database rather than to an Active Directory or FreeIPA server. You could leave out the Google Authenticator part, especially if you're only going to have one user, and just depend on password authentication plus your client certificate to secure logins.

Some Notes on Use Cases

The caveat here, of course, is that this won't scale terribly well. You might be able to extract some reasonably good performance out of a sufficiently well-equipped machine up to about 50 simultaneous users, but things will begin to degrade after that. This is okay! This is not a commercial VPN solution and shouldn't be treated like one. It is, however, a great option for small networks, including out-of-control homelabs like mine. The envisioned environment for a setup like this is "users who are technical enough to SSH into a machine and run a script, and admins who would rather let their users do this than go through the pain of generating and managing individual client configurations and keys for every user." If that looks like your lab, office, or other small network, then these instructions are for you. So, let's break down how to set this up. Note: I've linked all the source documents I've glued together to make this at the bottom of this article; I highly recommend checking those out as well for additional details!