Renew RADIUS Certificate (NPS Server)

Steps to renew the certificate:

Log in to the RADIUS server.

Start → Run → certlm.msc

Under Personal → Certificates you will see a certificate named with the Azure AD Tenant ID, together with its expiry date.

To renew the certificate, open PowerShell as Administrator.

Run the following commands:

cd "C:\Program Files\Microsoft\AzureMfa\Config\"
.\AzureMfaNpsExtnConfigSetup.ps1

It will first prompt to install the required modules from the PowerShell Gallery; type A for "Yes to All" and press Enter.

Next it opens the Azure AD sign-in page for authentication. Enter the username and password and approve the MFA request.

Wait for the script to continue running. It will prompt you to confirm the existing Tenant ID; ensure the Azure Tenant ID shown is 59xxx-xxxx-xxxx-xxxxx-xxxxx.

At the end of the script, it will try to restart the Network Policy Server service.

OpenVPN CLI Commands

OpenVPN CLI Commands – Troubleshooting

less /usr/local/openvpn_as/etc/as.conf

less /etc/openvpn/server/server.conf


root@ip-:/var/log# /usr/local/openvpn_as/scripts/sacli version
2.8.5 (build f4ad562b)

Check the users connected to OpenVPN:

/usr/local/openvpn_as/scripts/sacli VPNStatus

/usr/local/openvpn_as/scripts/sacli VPNSummary

Check the status of OpenVPN:

/usr/local/openvpn_as/scripts/sacli status

List the current server configuration:

/usr/local/openvpn_as/scripts/sacli configquery

List the user and group properties:

/usr/local/openvpn_as/scripts/sacli UserPropGet

Check the current OpenVPN version:

/usr/local/openvpn_as/scripts/sacli version

Verify the certificate validity:

cd /usr/local/openvpn_as/etc/ssl-api/

openssl x509 -enddate -noout -in client.crt

openssl x509 -enddate -noout -in server.crt
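As an added example (not part of the original notes), the following POSIX shell script turns the two openssl x509 checks above into a renewal check: it reports every .crt in a directory and flags any that expire inside a chosen window. It assumes openssl is on PATH; the certificates it runs against here are constructed self-signed test certificates, and the real path to check is the ssl-api directory shown above.

```shell
# Added example, not part of the original notes: apply the "openssl x509 -enddate"
# check above to every .crt in a directory and flag any inside a renewal window.
# Assumes openssl is on PATH; the certificate paths are those shown in the notes.

# cert_expires_within FILE DAYS
# Returns 0 if FILE expires within DAYS days (renew now), 1 if still valid beyond
# that window, 2 if FILE cannot be parsed as a PEM certificate.
cert_expires_within() {
    openssl x509 -noout -in "$1" >/dev/null 2>&1 || return 2
    # -checkend exits 0 when the cert is still valid N seconds from now
    if openssl x509 -checkend $(( $2 * 86400 )) -noout -in "$1" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# check_certs DIR DAYS
# Prints one status line per certificate; returns the number needing renewal.
check_certs() {
    cc_expiring=0
    for cc_crt in "$1"/*.crt; do
        [ -f "$cc_crt" ] || continue
        cc_name=$(basename "$cc_crt")
        cc_end=$(openssl x509 -enddate -noout -in "$cc_crt" 2>/dev/null | cut -d= -f2)
        cc_rc=0
        cert_expires_within "$cc_crt" "$2" || cc_rc=$?
        case $cc_rc in
            0) echo "RENEW  $cc_name  notAfter=$cc_end"; cc_expiring=$((cc_expiring + 1)) ;;
            1) echo "OK     $cc_name  notAfter=$cc_end" ;;
            *) echo "ERROR  $cc_name  not a readable PEM certificate" ;;
        esac
    done
    return "$cc_expiring"
}

# make_test_cert FILE DAYS: constructed self-signed test certificate, used only
# so the example runs offline; it is not an OpenVPN Access Server certificate.
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$2" -subj "/CN=constructed-test" \
        -keyout "${1%.crt}.key" -out "$1" >/dev/null 2>&1
}

# Demo on constructed certs. On a real Access Server, run instead:
#   check_certs /usr/local/openvpn_as/etc/ssl-api 30
demo_dir=$(mktemp -d)
make_test_cert "$demo_dir/server.crt" 10     # inside a 30-day window
make_test_cert "$demo_dir/client.crt" 365    # well outside it
check_certs "$demo_dir" 30 || echo "$? certificate(s) need renewal"
```

A non-zero exit status from check_certs is the count of certificates inside the window, so the function can be dropped straight into a cron job or monitoring check.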

Copy the collected logs to S3 for analysis:

aws s3 cp /var/log/temp/ s3://openvpn-log-analysis/ --recursive

The DB can be internal or external.

cd /usr/local/openvpn_as/scripts/

1) Download the configuration to a single file (config.txt is the name of the output file):
./sacli ConfigQuery > config.txt

2) Where are the username and password for connecting to the DB stored?

3) What is inside the DB?
config, cert, userprop, log

DB configuration location

The DB Configuration is stored in /usr/local/openvpn_as/etc/as.conf

root@ip-10-209-7-166:/etc# grep db /usr/local/openvpn_as/etc/as.conf
certs_db=mysql://admin:xxxx@xxxxx.ap-southeast-2.rds.amazonaws.com:3306/as_certs
user_prop_db=mysql://admin:xxxxx@xxxxxxx.ap-southeast-2.rds.amazonaws.com:3306/as_userprop
config_db=mysql://admin:xxxxxx@xxxxxxx.ap-southeast-2.rds.amazonaws.com:3306/as_config
config_db_local=sqlite:///~/db/config_local.db
cluster_db=mysql://admin:xxxxx@xxxx.ap-southeast-2.rds.amazonaws.com:3306/as_cluster
notification_db=mysql://admin:xxxx@xxxxxxx.ap-southeast-2.rds.amazonaws.com:3306/as_notification
log_db=sqlite:///~/db/log.db

Change a config value (here, the post-auth script is loaded from a file):
./sacli -k auth.module.post_auth_script --value_file=ovpnas_postauth_cr.py ConfigPut
./sacli start


====================
CLI commands to change the OpenVPN configuration

sudo su
cd /usr/local/openvpn_as/scripts
./sacli -k "auth.radius.0.per_server_timeout" -v "60" ConfigPut
./sacli start

=====================

=======LINKS========
Configure Radius Server
https://openvpn.net/vpn-server-resources/openvpn-access-server-and-active-directory-radius/
https://openvpn.net/vpn-server-resources/keeping-openvpn-access-server-updated/

Configure settings in the CLI
https://openvpn.net/vpn-server-resources/managing-settings-for-the-web-services-from-the-command-line/

Self-signed certificates and importing a certificate
https://openvpn.net/vpn-server-resources/managing-settings-for-the-web-services-from-the-command-line/

Verify authentication for a user:

cd /usr/local/openvpn_as/scripts
./authcli --user USERNAME --pass PASSWORD

(Replace USERNAME and PASSWORD with the credentials of the account being tested.)