Yubico Forum

[HOW TO] Redundant VPN servers w/ multifactor authentication
Page 1 of 1

Author:  FlorinAndrei [ Thu Sep 11, 2014 2:14 am ]
Post subject:  [HOW TO] Redundant VPN servers w/ multifactor authentication

Requirements: Ubuntu 14.04, yubikey-ksm, yubikey-val (recent versions), Yubikey token
Description: Pair of fully redundant OpenVPN servers with multifactor authentication, using Yubikey.

Basically, you need to create your VPN infrastructure, you want multifactor authentication, and you want redundancy. This document shows you how.

Note: This (v01) is a preliminary version. Feel free to review it and point out improvements, if needed. I will revise the document and update it if significant changes are needed. I'm especially interested in the interaction between the DB replication and yubikey-val (ykval-queue is disabled); I think it should work the way I did it, and my tests were successful, but comments and improvements are welcome.

What's in the document:

- Install two OpenVPN servers, fairly classic setup, fine-tuned for this scenario
- Create your own CA (certificate authority), generate certificates for servers and clients
- Configure OpenVPN for SSL certificate authentication
- Add Yubikey OTP authentication, either local (keys stored in DB), or via the Yubico public auth servers
- Add a PIN to the OTP (stored in a local DB)
- Perform master/master replication between DBs, securely
- Customize your Yubikey
- Network security - protect the VPN servers against network-based attacks

- Uploaded v02, containing corrections; some parts of the text are made clearer, etc. Nothing of substance.

RedundantOpenVPNserverswithYubikeyOTPandPIN-v02.pdf [795.6 KiB]
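
As an added example, not taken from the post or its PDF: the core of an OpenVPN `auth-user-pass-verify` helper that checks a PIN prefixed to a Yubikey OTP. Everything specific here is an assumption for illustration: the password field is `<PIN><44-char OTP>`, a local SQLite table `vpn_users(username, public_id, pin_salt, pin_hash)` maps each user to an enrolled Yubikey public ID and a PBKDF2 hash of the PIN, and the OTP is verified against a yubikey-val instance speaking the Yubico validation protocol v2.0 (HMAC-SHA1 over the sorted `k=v` pairs, shared API key). `fake_validator` is a constructed stand-in for the real HTTPS call so the script runs offline.

```python
import base64
import hashlib
import hmac
import secrets
import sqlite3
from typing import Callable, Dict

OTP_LEN = 44                      # 12-char public ID + 32-char encrypted block, all modhex
MODHEX = set("cbdefghijklnrtuv")
PBKDF2_ROUNDS = 100_000
# Constructed demo keys (not real API keys): the shared key and one an attacker might use.
DEMO_API_KEY = base64.b64encode(b"constructed-demo-key").decode()
WRONG_API_KEY = base64.b64encode(b"not-the-shared-key").decode()


def split_pin_otp(password: str):
    """Split '<PIN><OTP>' into (pin, otp). The OTP is always the trailing 44 modhex
    characters, so the PIN may be any length and use any characters."""
    if len(password) <= OTP_LEN:
        raise ValueError("too short to hold PIN + OTP")
    pin, otp = password[:-OTP_LEN], password[-OTP_LEN:]
    if any(c not in MODHEX for c in otp):
        raise ValueError("OTP is not modhex")
    return pin, otp


def hash_pin(pin: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ROUNDS)


def sign_params(api_key_b64: str, params: Dict[str, str]) -> str:
    """Validation protocol v2.0 signature: HMAC-SHA1, keyed with the base64-decoded
    API key, over the alphabetically sorted 'k=v' pairs (excluding h) joined by '&'."""
    key = base64.b64decode(api_key_b64)
    msg = "&".join(f"{k}={params[k]}" for k in sorted(params) if k != "h")
    return base64.b64encode(hmac.new(key, msg.encode(), hashlib.sha1).digest()).decode()


def build_request(client_id: int, api_key_b64: str, otp: str) -> Dict[str, str]:
    # nonce: 16-40 alphanumeric chars, unique per request; the reply must echo it.
    params = {"id": str(client_id), "otp": otp, "nonce": secrets.token_hex(16), "timestamp": "1"}
    params["h"] = sign_params(api_key_b64, params)
    return params


def parse_response(text: str) -> Dict[str, str]:
    out = {}
    for line in text.splitlines():
        if "=" in line:
            k, v = line.strip().split("=", 1)
            out[k] = v
    return out


def response_is_valid(api_key_b64: str, resp: Dict[str, str], expected_otp: str, expected_nonce: str) -> bool:
    # Bind the reply to our request: an unrelated or replayed reply fails here.
    if resp.get("otp") != expected_otp or resp.get("nonce") != expected_nonce:
        return False
    # Verify the server's signature before trusting the status field.
    if not hmac.compare_digest(sign_params(api_key_b64, resp), resp.get("h", "")):
        return False
    return resp.get("status") == "OK"


def authenticate(db: sqlite3.Connection, username: str, password: str,
                 api_key_b64: str, validator: Callable[[Dict[str, str]], str]) -> bool:
    try:
        pin, otp = split_pin_otp(password)
    except ValueError:
        return False
    row = db.execute("SELECT public_id, pin_salt, pin_hash FROM vpn_users WHERE username = ?",
                     (username,)).fetchone()
    if row is None or otp[:12] != row[0]:
        return False  # unknown user, or a Yubikey that is not enrolled for this user
    req = build_request(1, api_key_b64, otp)
    resp = parse_response(validator(req))
    if not response_is_valid(api_key_b64, resp, otp, req["nonce"]):
        return False
    # OTP checked (and therefore consumed) first: a stolen OTP buys exactly one PIN guess.
    return hmac.compare_digest(hash_pin(pin, row[1]), row[2])


def make_demo_db(username: str, public_id: str, pin: str) -> sqlite3.Connection:
    """Constructed in-memory enrolment table with one user."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE vpn_users (username TEXT PRIMARY KEY, public_id TEXT,"
               " pin_salt BLOB, pin_hash BLOB)")
    salt = secrets.token_bytes(16)
    db.execute("INSERT INTO vpn_users VALUES (?, ?, ?, ?)", (username, public_id, salt, hash_pin(pin, salt)))
    return db


def fake_validator(api_key_b64: str, status: str = "OK", sign_key: str = None, nonce: str = None):
    """Constructed stand-in for yubikey-val: echoes otp/nonce and signs the reply.
    sign_key/nonce let a caller simulate a forged or mismatched reply."""
    def respond(req: Dict[str, str]) -> str:
        resp = {"t": "2014-09-11T00:00:00Z0000", "otp": req["otp"],
                "nonce": nonce or req["nonce"], "sl": "100", "status": status}
        resp["h"] = sign_params(sign_key or api_key_b64, resp)
        return "".join(f"{k}={v}\r\n" for k, v in resp.items())
    return respond
```

In a real deployment `validator` would POST the request parameters over HTTPS to the `/wsapi/2.0/verify` endpoint of your own yubikey-val host (or Yubico's public servers), and OpenVPN would hand the script the username and password through `auth-user-pass-verify ... via-file` or `via-env`. The order of checks matters: the enrolment lookup stops someone using their own key against another account, the OTP is validated before the PIN so a captured OTP cannot be reused for many PIN guesses, and the nonce and signature checks stop a replayed or forged validator reply from being accepted as OK.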

Author:  Tom [ Thu Sep 11, 2014 8:05 am ]
Post subject:  Re: [HOW TO] Redundant VPN servers w/ multifactor authentication

Thank you for this.

You have a PM.
