
OpenVPN authentication


Our standard configuration files connect to the endpoints in password-authentication mode. OpenVPN also supports certificate-based authentication, and it is possible to connect to our endpoints in this way. Rather than validating a username and password, they will instead accept certificates issued by our kx509 service and validate them against the appropriate CA chain. No additional password is required in this case, which extends the DICE single-sign-on paradigm to the VPN.

This has been tested on DICE-based Linux, and works well. If you'd like to try this on a self-managed Linux box, we can offer some guidance as to what to put in your OpenVPN configuration files.

Windows users should proceed as follows (note that this doesn't work properly with some revisions of XP due to what look like certificate-chaining bugs):


  1. Set up OpenAFS following these instructions if you haven't already. (Strictly speaking, you only really need the Identity Manager to be working, but you might as well go the whole way and set up OpenAFS too.)
  2. Go to the Secure Endpoints front page, scroll down to find the "Kerberized Certificate Authority Provider" installers, and install as appropriate for your system. This should Just Work next time you start the Identity Manager. If not, check that the "obtain a KCA identity..." entry in the "KCA certificate" tab of the "identities" page of the Identity Manager configuration window is ticked. You can see the certificate listed in the "advanced" view of the Identity Manager's status page.
  3. Download the additional kx509-*.ovpn configuration files, as described on our configuration files page and install them in the same place as all your other OpenVPN configuration files.
  4. That's it. You should find that next time you start up the OpenVPN GUI you get some additional menu options, and if you select one of the kx509 options while your kx509 certificate is valid then you should be able to connect without any additional username and password prompts.

(If you happen to have identities from somewhere other than Informatics, you may have to edit these configuration files to use something more distinctive than "Ephemeral Key Certification Agency" as the identifier. The "kxlist" command on a DICE machine will show your certificate, and might help you pick something. "vim for windows" works well for this kind of editing; it's the first hit in Google when you search for that string.)
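As an added illustration of the difference between the two modes (this is not one of our kx509-*.ovpn files), here is a minimal OpenVPN client configuration showing the directives that change between password mode and certificate mode. The endpoint name, port, file paths and the subject selector are placeholders; that the site's files select the kx509 certificate from the Windows certificate store with `cryptoapicert` is an assumption.

```conf
# Added example, not one of the site's kx509-*.ovpn files.
# Hostname, port, paths and the certificate selector are placeholders.
client
dev tun
proto udp
remote vpn.example.org 1194        # placeholder endpoint

# Password mode (our standard files): OpenVPN prompts for a username
# and password. Leave this directive out in certificate mode.
#auth-user-pass

# Certificate mode on Windows: select the kx509 certificate from the
# user's CryptoAPI store by a substring of its subject (assumed selector).
# If you hold identities from several sites, use something unique to you.
cryptoapicert "SUBJ:Ephemeral Key Certification Agency"

# Certificate mode on Linux: point at the certificate and key files
# written by kx509 instead (placeholder paths).
#cert /path/to/kx509/cert.pem
#key  /path/to/kx509/key.pem

# In either mode the client must still verify the endpoint itself:
# trust only the CA chain the site supplies, and insist that the peer
# presents a server certificate, not another client's.
ca /path/to/endpoint-ca-chain.pem  # placeholder path
remote-cert-tls server
```

With no `auth-user-pass` and a certificate directive present, OpenVPN will not prompt at all, which is the "no additional username and password prompts" behaviour described above.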

Last reviewed: 05/05/2017
