Requirements: Ubuntu 14.04, yubikey-ksm, yubikey-val (recent versions), Yubikey token
Description: Pair of fully redundant OpenVPN servers with multifactor authentication, using Yubikey.
Basically, you need to create your VPN infrastructure, you want multifactor authentication, and you want redundancy. This document shows you how.
Note: This (v01) is a preliminary version. Feel free to review it and point out improvements, if needed. I will revise the document and update it if significant changes are needed. I'm especially interested in the interaction between the DB replication and yubikey-val (ykval-queue is disabled); I think it should work the way I did it, and my tests were successful, but comments and improvements are welcome.
What's in the document:
- Install two OpenVPN servers, fairly classic setup, fine-tuned for this scenario
- Create your own CA (certificate authority), generate certificates for servers and clients
- Configure OpenVPN for SSL certificate authentication
- Add Yubikey OTP authentication, either local (keys stored in DB), or via the Yubico public auth servers
- Add a PIN to the OTP (stored in a local DB)
- Perform master/master replication between DBs, securely
- Customize your Yubikey
- Network security - protect the VPN servers against network-based attacks
Log:
- uploaded v02, containing corrections, some parts of the text are made more clear, etc. Nothing of substance.
_________________ Florin Andrei http://florin.myip.org/
Last edited by FlorinAndrei on Sat Sep 13, 2014 2:01 am, edited 1 time in total.