This article describes the configurations needed to make OpenVPN Access Server work with AuthLite.

New way (separate OTP field)

  • Configure OpenVPN authentication to use LDAP to Active Directory, and make sure it works with username/password only.

Set up a domain member or DC as follows:

  • Install NPS server role
  • Create NPS Radius client matching the OpenVPN-AS server's IP. Create a shared secret.
  • Set up appropriate Connection Request Policy (the default "use windows authentication for all users" is fine)
  • Set up appropriate Network Policy to grant access to the Windows Group "AuthLite Users", allow PAP authentication.
  • install AuthLite on NPS server and restart
  • Enable AuthLite's NPS plugin to One-factor PAP mode, selecting "Permit requests that don't send the domain name"
  • Restart AuthLite service and NPS service
  • Log into the OpenVPN-AS appliance and enter:
cd /usr/local/openvpn_as/scripts
wget https://s3.authlite.com/downloads/ovpnas_postauth_cr.py
wget https://raw.githubusercontent.com/pyradius/pyrad/master/example/dictionary
wget https://raw.githubusercontent.com/pyradius/pyrad/master/example/dictionary.freeradius

Edit the ovpnas_postauth_cr.py file and change the following values to match your NPS server:

  • RADIUS_SERVER
  • RADIUS_SECRET

Now run the following commands to load the script and restart the service:

./sacli -k auth.module.post_auth_script --value_file=ovpnas_postauth_cr.py ConfigPut 
./sacli start

After this configuration, the OpenVPN web logon and VPN client should show an additional dialog after submitting the username and password.  The new dialog will request "AuthLite OTP" (this is configurable in the ovpnas_postauth_cr.py file), and the user will have to enter a valid OTP to proceed.

Old way (no separate field)

The OpenVPN Access Server (OpenVPN-AS) uses the username field to create and push configuration files. This means it cannot tolerate an AuthLite OTP in the username field by default. To work around this problem you can either:

  1. Use RADIUS PAP and enter credentials as follows:

    • Username in the Username field

    • Password and OTP together in the password field

  2. Use AuthLite 1.2.25 or later and add a "post auth" script to the VPN server to make it tolerate an OTP in the username field. This is accomplished by making the VPN software use the username returned by AuthLite as the canonical username for its internal operations.

The remainder of this article contains the steps needed to configure option #2.

  • From a shell on the VPN server, cd to /usr/local/openvpn_as/scripts

  • Create the file authlite.py, with the following contents:
      import json
      from pyovpn.plugin import *

      def post_auth(authcred, attributes, authret, info):

          if info.get('auth_method') in ('session', 'autologin'):
              return authret

          if 1 in info['radius_reply']:
              ul = info['radius_reply'][1]
              us = ''.join(ul)
              u = us.split("\\")[-1]
              authret['user'] = u

          return authret

  • Execute the following command, substituting your VPN admin username if it is not "openvpn":

     ./sacli -a openvpn -k auth.module.post_auth_script --value_file=authlite.py ConfigPut

  • Execute the following command, substituting your VPN admin username if it is not "openvpn":

     ./sacli -a openvpn start

Note that the script executes from a copy stored directly in the configuration database, NOT the .py file. So if you change the py file you need to ConfigPut it again in order for your changes to be picked up.

You can use the sacli command with the ConfigDel option if you need to remove the script.

See /usr/local/openvpn_as/doc/post_auth/post_auth.txt for more information.