Plugin for authenticating OpenVPN users against Okta optionally using MFA
- 👁️ Overview
- ✅ Requirements
- ⛏️ Build Process
- ⚙️ Configuration
- 🔑 Logging into OpenVPN
- 🔗 Additional Information
- 📃 License
- ❓ Questions, Issues and Feature Requests
The Okta OpenVPN plugin allows you to authenticate your OpenVPN users using Okta's SSO and MFA technology using pure REST API calls. While Okta's official support is thorugh the use of RADIUS, this plugin does not require the use of a RADIUS server. The plugin has been tested with OpenVPN Community Edition, but it should work with Access Server as well.
- Setup Okta SSO and MFA for your organization.
- Review the documentation for OpenVPN Server for details on how to configure OpenVPN.
- Alpine, Ubuntu or CentOS/RedHat Linux
- OpenVPN libraries and headers must be installed
To build the code from source, you will also need the following tools: cc or gcc, make, go
- Check out the latest code from the repository to your local system and make sure your
GOPATHis set up properly. Refer to the Go Documentation for details. - Run
maketo build the binaries. You may need to runCFLAGS=-I/usr/include/openvpn makeif your OpenVPN headers are located in a subdirectory of/usr/includeon your OS. - Copy the contents of the
buildfolder to your OpenVPN plugins directory along with theconfigs/okta-openvpn.ymlsample configuration.
Once you have the binaries compiled and place into your OpenVPN plugins folder, you'll need to add the lines below to your OpenVPN server configuration. These instructions assume you're using /usr/lib/openvpn/plugins/okta-openvpn for storing the plugin files.
plugin /usr/lib/openvpn/plugins/okta-openvpn/auth_script.so /usr/lib/openvpn/plugins/okta-openvpn/okta-openvpn -conf /usr/lib/openvpn/plugins/okta-openvpn/okta-openvpn.yml
client-cert-not-required
username-as-common-name
Edit the okta-openvpn.yml file and modify settings according to your organization and needs. You must supply a value for org_name, which is typically your Okta SSO hostname without the .okta.com suffix. The remainder of the settings are explained within the sample file and are optional.
If you choose to use an API key, you'll need to follow one of the following articles depending on your Okta subscription:
- https://developer.okta.com/docs/api/getting_started/getting_a_token
- https://support.okta.com/help/s/article/How-do-I-create-an-API-token
If you wish to add location details to the log output in addition to just the client IP, you'll need to download the GeoLite2 City database from https://dev.maxmind.com/geoip/geoip2/geolite2/ and specify the path to the extracted .mmdb file in your configuration.
Finally, you'll need to make sure the auth-user-pass directive is specified in your OpenVPN client configuration so that clients are prompted for a username and password.
Once the plugin has been configured on your OpenVPN server, users can log in using their Okta credentials. If their account is protected using MFA, they have 2 choices on how to supply the additional factor of authentication:
- If the
totpmethod is enabled in the configuration file, users can append a+sign to their password followed by the 6 digit code from their Okta Verify, Google Authenticator, etc. mobile app. In this case, users will not be able to save their OpenVPN credentials as their password will change each time since the 6 digit OTP code changes regularly. - If the
pushmethod is enabled in the configuration file, users can simply enter their password by itself. A push request will be sent automatically to the Okta Verify mobile app. Users have a given amount of time, which is configurable in theokta-openvpn.ymlfile, to respond to the push request before it times out.
This module is distributed under the MIT License.
If you have questions about this project, find a bug or wish to submit a feature request, please submit an issue.