![]() It is, however, a great option for small networks, including out-of-control homelabs like mine. This is okay! This is not a commercial VPN solution and shouldn’t be treated like one. You might be able to extract some reasonably good performance out of a sufficiently well-equipped machine up to about 50 simultaneous users, but things will begin to degrade after that. The caveat here, of course, is that this won’t scale terribly well. ![]() You could leave out the Google Authenticator part, especially if you’re only going to have one user, and just depend on password authentication plus your client certificate to secure logins. You could leave out the SSSD part and just authenticate your VPN to a given computer’s local PAM database rather than to an Active Directory or FreeIPA server. The best part of this arrangement is that no RADIUS server is necessary! This one machine will combine SSSD (software that can bind a Linux machine to a directory service), PAM (software that manages authentication, logins, etc.), Google Authenticator, and OpenVPN to accomplish everything. Active Directory and, in this case, the Google Authenticator PAM plugin. To accomplish this, you’ll set up a server on your network that will both serve OpenVPN connection requests and perform authentication both to e.g. You want to stand up a remote access VPN that allows users on the Internet to connect remotely to this infrastructure and be authenticated with a combination of your user directory and a TOTP app like Google Authenticator (or FreeOTP, or any number of other mobile apps that use the OATH spec). The general workflow is as follows: you have an existing user directory service, such as FreeIPA or Active Directory, and a network infrastructure such that you can either expose firewalled machines directly to the Internet or forward ports through a router performing NAT or PAT to a machine inside your network. Yet, after having Googled around for a while, looking for a comprehensive guide to how to do this, I came up only with pieces of a solution, but not the whole enchilada. Here at the BioTeam Convergence Lab, we needed a remote access solution for as little cost as possible that still leveraged reliable, secure technologies and would be fairly easy to administer. ![]() Additionally, updates and upgrades can be contingent on costly capital expenditure in the form of new firewall hardware. “Stand up a free remote access VPN authenticating to AD (or other LDAP server) with OTP two-factor authentication” seems like a fairly common use case it’s deployed in a paid iteration at plenty of businesses, government agencies, and in other organizational infrastructure. A common way to do this is via a commercial VPN solution authenticating to an existing directory service (most frequently Microsoft’s Active Directory), but the licensing costs for these solutions can be expensive, and may not necessarily meet customization requirements. With today’s ever present security threats, providing a way to enable this remote access in a way that is secure, simple, inexpensive and easy to administer is a key element of scientific systems design. Note this key as you’ll need it while configuring the Authenticator app on your PC.A core use case for many scientists is being able to access their systems and data when they are off-site.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |