DNX Tutorial - How To manage the OpenVPN module
Version: 1.1
Author: Pietro Marmelo
Revision: Douglas Porto
This tutorial shows how to create and revoke users in SSM (Systems Manager Parameter Store) in order to grant or remove access to the OpenVPN service.
Topics:
- Create user Certificate
- Configure OpenVPN
- Revoke User Certificate
## Create a new user certificate
- Log into the AWS Console.
- Switch to the Shared Account.
- Choose your region.
- Go to Services → Systems Manager → Parameter Store.
- Click on /openvpn-shared-services/USERS → Edit.
- Add your username to the Value field.
- Note: do not remove users from this list; there is a revoking process described below.
## Download the new user certificate
When a user is added, the OpenVPN server creates a “.ovpn” and a “.mfa” file in an S3 bucket in the Shared-Service account. These files need to be downloaded and sent to the user in order to connect to the VPN.
To download these files:
- Access AWS Console → Shared Account
- S3
- Find a bucket called openvpn-shared-services-
- Open the bucket
- Download both files (.ovpn and .mfa) with your username.
Important: these files must not be shared between users. Sharing them causes connection interruptions, because each user can maintain only one connection at a time.
## Configure and connect (macOS)
- Download and install OpenVPN Tunnelblick client.
https://tunnelblick.net/release/Tunnelblick_3.8.4a_build_5601.dmg
- Click on the Tunnelblick icon in the menu bar at the top and select the ‘VPN Details’ option.
- To install a configuration file (.ovpn), drag and drop it onto the list of configurations in the ‘Configurations’ tab of the ‘VPN Details’ window.
- In the “user name” field, type your “.ovpn” file name exactly, without the file extension. E.g.: if you have a file called “dnx-devop1.ovpn”, use “dnx-devop1” as the username.
- Open the “.mfa” file and copy the MFA URL.
- Paste the URL into your favourite web browser to see the QR code.
- Use your favourite MFA tool, such as Google Authenticator, to scan the QR code and obtain the password.
- Fill the password text box with the OTP (one-time password) code generated by the MFA tool and click “OK”.
- You will see the following screen after successfully connecting via VPN.
## Configure and connect (Windows)
- Download OpenVPN client.
- OpenVPN for Windows:
- https://swupdate.openvpn.org/community/releases/openvpn-install-2.4.8-I602-Win10.exe
- Open the OpenVPN client.
- Click Import → From local file and choose the certificate.
- Open the OpenVPN client again, click on openvpn.mgmt.cloud.domain and click Connect.
- In the “user name” field, type your “.ovpn” file name exactly, without the file extension. E.g.: if you have a file called “dnx-devop1.ovpn”, use “dnx-devop1” as the username.
- Open the “.mfa” file and copy the MFA URL.
- Paste the URL into your favourite web browser to see the QR code.
- Use your favourite MFA tool, such as Google Authenticator, to scan the QR code and obtain the password.
- Fill the password text box with the OTP (one-time password) code generated by the MFA tool and click “Connect”.
## Configure and connect (Linux Ubuntu)
- An OpenVPN client is already installed on Ubuntu distributions, so you do not need to install any additional software.
- Open System Settings / Network.
- Add a new VPN by clicking on “+”.
- Select “Import file” and then choose your “.ovpn” file.
- In the “user name” field, type your “.ovpn” file name exactly, without the file extension. E.g.: if you have a file called “dnx-devop1.ovpn”, use “dnx-devop1” as the username.
- Open the “.mfa” file and copy the MFA URL.
- Paste the URL into your favourite web browser to see the QR code.
- Use your favourite MFA tool, such as Google Authenticator, to scan the QR code and obtain the password.
- Fill the password text box with the OTP code generated by the MFA tool and click the “Add” button.
- To test your connection, go back to the previous screen, which lists all VPN connections, and choose your new VPN connection. Please note that every time you try to connect, you will be prompted to type the password again.
## Revoke user certificate
- Log into the AWS Console.
- Switch to the Shared Account.
- Choose your region.
- Go to Services → Systems Manager → Parameter Store.
- Click on /openvpn-shared-services/REVOKE_USERS → Edit.
- Add the username to be revoked to the Value field.
- Save changes.
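The same two Parameter Store edits (adding a user under “Create a new user certificate”, revoking one here) can be done with the AWS CLI instead of the console. The script below is an added example, not DNX's own tooling; it assumes the CLI is configured for the Shared Account, that both parameter values are comma-separated username lists, and that `OPENVPN_BUCKET` holds the real bucket name (the default is a placeholder). It enforces the rule above that users are only ever appended to USERS, never removed.

```shell
#!/bin/sh
# Added example (not DNX's tooling). Assumptions: AWS CLI configured for the Shared
# Account; USERS and REVOKE_USERS are comma-separated username lists; OPENVPN_BUCKET
# is set to the real bucket name (the value below is a placeholder).
set -eu

USERS_PARAM="/openvpn-shared-services/USERS"
REVOKE_PARAM="/openvpn-shared-services/REVOKE_USERS"
BUCKET="${OPENVPN_BUCKET:-openvpn-shared-services-PLACEHOLDER}"

# contains LIST NAME -> succeeds if NAME is an entry of the comma-separated LIST.
contains() { case ",$1," in *",$2,"*) return 0 ;; *) return 1 ;; esac; }

# append_user LIST NAME -> prints LIST with NAME appended once; rejects odd characters
# so a stray comma or space cannot corrupt the list the server parses.
append_user() {
  list="$1"; name="$2"
  case "$name" in ''|*[!A-Za-z0-9._-]*) echo "invalid username: '$name'" >&2; return 1 ;; esac
  if contains "$list" "$name"; then printf '%s\n' "$list"
  elif [ -z "$list" ]; then printf '%s\n' "$name"
  else printf '%s,%s\n' "$list" "$name"; fi
}

# is_superset NEW OLD -> succeeds if every entry of OLD is still present in NEW.
# This is the "never remove users from USERS" rule: removal does not revoke a
# certificate, only REVOKE_USERS does.
is_superset() {
  new="$1"
  old_ifs=$IFS; IFS=','; set -- $2; IFS=$old_ifs
  for entry in "$@"; do
    [ -n "$entry" ] || continue
    contains "$new" "$entry" || return 1
  done
  return 0
}

# add_to_param PARAM NAME -> read the list, append NAME, refuse to write if anything was lost.
add_to_param() {
  old=$(aws ssm get-parameter --name "$1" --query Parameter.Value --output text)
  new=$(append_user "$old" "$2")
  is_superset "$new" "$old" || { echo "refusing to drop users from $1" >&2; return 1; }
  aws ssm put-parameter --name "$1" --value "$new" --overwrite >/dev/null
}

# fetch_profile NAME -> download the NAME.ovpn and NAME.mfa files the server writes to S3.
fetch_profile() {
  aws s3 cp "s3://$BUCKET/$1.ovpn" . && aws s3 cp "s3://$BUCKET/$1.mfa" .
}

case "${1:-}" in
  add)    add_to_param "$USERS_PARAM" "$2" && fetch_profile "$2" ;;
  revoke) add_to_param "$REVOKE_PARAM" "$2" ;;
esac
```

Run it as `./openvpn-users.sh add dnx-devop1` or `./openvpn-users.sh revoke dnx-devop1`; the generated profile files are only fetched after the USERS update succeeds, and a user revoked here still stays in USERS, as the tutorial requires.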