4.7.2.11. End User Guide

This section provides all the necessary information for end users of the 2SRA module. Here, you will learn how to set up your environment to establish a secure VPN connection to the corporate network through the OpenNAC Agent using a 2FA (Two-Factor Authentication) service.

Refer to the Agent’s User Interface section for detailed information about the interface capabilities and status colors.

4.7.2.11.1. Installing the Agent

To download the OpenNAC Agent, access the URL given by your administrator. It will display the Agent Download options:

../../../_images/agent_index_download.png


Choose the type of agent that you want to install and click on Download. In this example, we will download the Windows installable agent.

The file download starts automatically. Select the folder on your computer where you want to save the file (Documents, Downloads, etc.). It is important to remember the location of the file for future steps.

The download file name will have a format similar to the following one:

opennac-agent-{Version}-release-{Platform}-xxxxxxxxxxxxxxxxxx

Warning

IMPORTANT: DO NOT modify the file name, otherwise it will not work properly.

Once the download is complete, go to the folder where you have saved the file and double-click on it to start the installation process.

A dialog will ask for your permission to execute the file. Once you accept it, the installation process will begin.

../../../_images/agent3.png


Once the installation process is complete, you will need to agree to the Agent’s Terms and Conditions. If you choose to ignore or reject them, you will receive a notification and the application will close.

../../../_images/agent4.png


After accepting the Terms and Conditions, the installation process is finished and the On Agent Icon will be displayed in your taskbar.

../../../_images/agent6.png


After a few minutes, you can right-click on this icon to authenticate the client or establish a connection to the VPN.

../../../_images/right_click1.png


Refer to the Agent Troubleshooting section in case you encounter any errors during the installation process.

4.7.2.11.2. VPN Connection

To establish the VPN connection, you must have the OpenNAC Agent installed and running. If it is, you should see the Agent’s icon in the taskbar.

../../../_images/taskbar.png


Right-click on the icon and select the option “Connect VPN with WireGuard”.

../../../_images/right_click1.png


Enter your credentials in the user interface and click on Connect to establish a VPN connection.

../../../_images/agent_ui_connect.png


Note

As soon as the OpenNAC Agent starts, it obtains and sends information to the server to allow or disallow the VPN connection. If the VPN connection is not available, wait a few minutes for the information to be sent or click on “Refresh status” to speed up the process.

4.7.2.11.3. VPN Disconnection

To disconnect from the VPN, right-click on the Agent’s icon and select the “Disconnect VPN with WireGuard” option.

../../../_images/right_click_disconnect.png


The user interface will pop up and you should click on Disconnect.

../../../_images/agent_ui_disconnect.png


Note

After you disconnect from the VPN, your Agent application is still running. You must execute the Agent Stop Script if you want the Agent to be inactive.

4.7.2.11.4. Agent Pause

When you disconnect from the VPN, the Agent application is still active and reporting. To prevent the Agent from scanning your device temporarily, you must “Pause” it.

Right-click on the Agent taskbar icon and select the “Agent Pause” option:

../../../_images/right_click1.png


Click on Accept to confirm the action:

../../../_images/agent_pause.png


The OpenNAC Agent will automatically stop being active and the taskbar icon color will change to grey:

../../../_images/agent_pause_grey.png


When you decide to reconnect to the VPN, you first need to enable the Agent. Right-click on the Agent taskbar icon and select the “Enable Agent” option:

../../../_images/agent_enable.png


4.7.2.11.5. Ongoing Google Authenticator Authentication

After finishing the OTP configuration, you will need a QR authenticator app, such as Google Authenticator. To set up your user account, you need to scan the QR code sent to your email.

To install the application, download it from one of the following links:

For detailed information about how to install and use the app, visit the Google Authenticator help documentation.

After installing the application, you need to scan the QR code sent to you via email from OpenNAC Enterprise using Google Authenticator. The email will provide detailed instructions on how to perform the scanning process and guide you through all the necessary steps:

If this is your first time using Google Authenticator, follow these steps:

  1. Click on “START SETUP”.

  2. Then, click on “Scan Barcode”.

  3. Scan the QR code attached to the email.

  4. Now you will be able to view the code.

If you have previously used Google Authenticator, follow these steps:

  1. Click on the “+” symbol at the top right.

  2. Then, click on “Scan Barcode”.

  3. Scan the QR code attached to the email.

  4. Now you will be able to view the code.

When you scan the QR, a dynamic PIN appears and it will be displayed in the app for about 30 seconds.

../../../_images/google_auth.png


4.7.2.11.5.1. Agent 2FA Connection

Once the Agent is installed on clients’ computers, we can continue with the Google Authenticator registration and the connection tests. See the Agent’s Deployment section for detailed information about download and installation options.

To connect to the VPN using the 2FA option, follow these steps:

  1. Open your Agent interface.

  3. Enter your username and password and click on Connect.

../../../_images/agent_ui_connect.png


  1. The Agent will then send a payload to the server, which responds indicating whether 2FA is necessary for that user.

  2. If a second authentication factor is indeed required, the user is prompted to enter an OTP code (the PIN generated by Google Authenticator) to proceed with the connection.

../../../_images/smart_2fa.png


  1. Click on the Connect button.

4.7.2.11.6. Registering one-time QR codes

When establishing a VPN connection using one-time QR codes, you will be prompted to provide a double authentication factor (2FA). The 2FA is facilitated through the captive portal specified in the configuration. To register your user account, you need to scan the QR code sent to you via email.

To obtain the 2FA code, you must scan the QR code received in the specified email.

By scanning the code, you will be directed to a web portal that will generate the OTP and redirect you to your password wallet (Apple) or default application (Android) to save and display the access code:

../../../_images/2sra-otp_qrcode.png


In the event that the QR has expired or the maximum number of scans has been reached, the portal will display an error message.

4.7.2.11.7. Authenticate WireGuard user using SAML

This section will provide a SAML authentication example.

Once you have already downloaded and installed the Agent:

  1. Right-click on the Agent icon in the taskbar and select the “Connect VPN with WireGuard” option:

../../../_images/right_click1.png


  1. The Agent UI will open and attempt to connect to the VPN automatically without requiring access credentials. To establish the connection, click on Connect.

../../../_images/2sra-opj45-11.png


  1. A new window will automatically open in the browser, directing you to the IdP access page (example image), where you need to enter your credentials.

../../../_images/2sra-opj45-12.png


  1. Once you are logged in, the Agent will receive information to establish the VPN connection:

../../../_images/saml_vpn.png


  1. The Agent will automatically configure itself and access the VPN:

../../../_images/2sra-opj45-15.png


For a complete list of notification messages that may be displayed on the Agent’s User Interface, see the Agent Troubleshooting section.

4.7.2.11.8. Uninstalling the Agent

To uninstall the Agent application from your machine, follow the simple steps provided below. Whether you no longer require its services or need to troubleshoot any issues, uninstalling the Agent is a straightforward process.

4.7.2.11.8.1. Windows

To uninstall the Agent from your Windows system, run the following script:

wget --user "repo_user" --ask-password https://repo-opennac.opencloudfactory.com/windows-agent/scripts/agent-manager/agent-uninstall-windows.ps1

4.7.2.11.8.2. macOS

To uninstall the Agent from your macOS system, run the following script:

/Applications/OpenNACAgent.app/Contents/Resources/uninstall.sh

4.7.2.11.8.3. Linux

To uninstall the Agent from your Linux system, run the following command:

sudo apt remove opennacagent