Objectives
- Build a secure connection model via VPN.
- Integrate LDAP authentication and MFA for user management.
- Test and ensure access control and the security of the VPN model.
Requirements
- Remote access to the internal network.
- Ensure security and safety during the connection.
- Enforce authentication for user management and prevent unauthorized access.
- Serve as an optimal and cost-effective solution.
Scope of work
- Install and configure OpenVPN Access Server, deployed in Google Cloud.
- Register and integrate a domain for the OpenVPN Web UI.
- Set up multi-factor authentication (MFA) via TOTP.
- Use Okta LDAP authentication for user management.
OpenVPN
- OpenVPN is an open-source project widely trusted by many businesses and companies.
- OpenVPN runs on multiple operating systems: Windows, macOS, Linux, etc.
- OpenVPN uses robust encryption algorithms and connection protocols.
- Users have full control over the OpenVPN configuration, including encryption protocols, virtual network configuration, and authentication methods.
Okta Directory
- A core component of Okta's Identity and Access Management (IAM) platform.
- Integrates with thousands of applications and services through standard protocols such as LDAP, SAML, OAuth, and SCIM, or through Okta's APIs.
- Benefits include centralized management, scalability, ease of use, and compatibility with various environments.
System model
Server side:
- Two virtual machines share the same internal network.
- The virtual machine "atm-vpn-vm" serves as the VPN server, with OpenVPN Server installed.
- The virtual machine "ftp-server" is configured as an FTP server.
Okta side:
- An LDAP interface is created to connect to the Okta directory.
Client side:
- Any user device (PC, laptop, or mobile phone) can act as a client.
Test scenario 1: basic access
- Create users in the server's web interface.
- Configure access permissions for the users.
- Connect to the VPN server using the user's profile.
- After connecting, verify that the device's public IP address is now replaced by the VPN server's address and that the packets are encrypted.
- Download files from the FTP server.
- Upload files to the FTP server.
Test scenario 2: group-based access control
- Create an additional server within the network range 10.128.0.0/20.
- Add two users to the Okta Directory, assigning them to two different groups.
- Use the two newly created users to sign in to OpenVPN.
- Add a post-auth script that maps Okta groups to OpenVPN Access Server groups.
- Configure access permissions for the groups and test them.
Packet capture
- Use tcpdump to capture packets and Wireshark to observe the VPN connection process.
- Observe the encryption and decryption of packets as they pass through the VPN tunnel.
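The post-auth script step of the group-based scenario above, as an added example that is not the project's own script: it maps the LDAP group DNs returned for an Okta user to an Access Server group and fails closed when no mapping exists. The `ldap_groups` attribute key, the group DNs and the `SUCCEED`/`FAIL` placeholders are assumptions; in a real deployment the constants come from `pyovpn.plugin`.

```python
"""Post-auth group mapping for OpenVPN Access Server (added example, not the
project's own script). Assumptions: Access Server calls post_auth_cr() with
the documented arguments, the user's LDAP group DNs arrive as a list under
the constructed key 'ldap_groups' in `attributes`, and the constants below
stand in for pyovpn.plugin.SUCCEED / FAIL."""
import re

SUCCEED, FAIL = 0, 1  # placeholders for the pyovpn.plugin constants

# Okta LDAP group DN -> Access Server group name (constructed sample values).
GROUP_MAP = {
    "cn=vpn-admins,ou=groups,dc=example,dc=okta,dc=com": "admins",
    "cn=vpn-staff,ou=groups,dc=example,dc=okta,dc=com": "staff",
}
# Checked in this order so a user in both groups lands in the more privileged
# one deliberately rather than by dictionary ordering.
PRIORITY = ["admins", "staff"]

def normalize_dn(dn):
    """Lower-case the DN and strip spaces around RDN separators so that
    'CN=VPN-Admins, OU=Groups, ...' matches the table entry."""
    return re.sub(r"\s*,\s*", ",", dn.strip()).lower()

def map_groups(member_of):
    """Return the Access Server group for the user's LDAP groups, or None
    when none of them is mapped (the caller then fails closed)."""
    matched = {GROUP_MAP[normalize_dn(g)] for g in member_of
               if normalize_dn(g) in GROUP_MAP}
    for group in PRIORITY:
        if group in matched:
            return group
    return None

def post_auth_cr(authcred, attributes, authret, info, crstate):
    """Hook Access Server invokes after primary (LDAP + MFA) authentication."""
    if authret.get("status") != SUCCEED:
        return authret  # never upgrade a login the primary auth rejected
    group = map_groups(attributes.get("ldap_groups", []))
    if group is None:
        authret["status"] = FAIL  # fail closed: no mapped group, no VPN access
        authret["reason"] = "user is not a member of any group mapped to VPN access"
        return authret
    # Access rules are attached to the group, so this property decides which
    # internal hosts (e.g. the FTP server) the session may reach.
    authret.setdefault("proplist", {})["conn_group"] = group
    return authret
```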
Limitations
Some drawbacks of OpenVPN Access Server include its demand for high server performance, its sensitivity to poor internet connections, the complexity of advanced configurations such as routing or clustering, and the lack of a graphical connection client on Linux.
Future work
- Build an Access Server cluster.
- Research the implementation of a Zero Trust Network Access (ZTNA) model, or go further and develop a Secure Access Service Edge (SASE) model.