Set up OpenVPN on pfSense for Windows clients with certificates and user authentication via Active Directory RADIUS

Contents

  1. Intro
    1. Intended audience
    2. Versions
    3. On security and a disclaimer
    4. Thanks
  2. On your Active Directory domain controller
    1. Create a group VPNusers
    2. Install and configure RADIUS
  3. On your pfSense router
    1. Set up the Authentication Server
    2. Install a Certificate Authority
    3. Create an internal certificate
    4. Set up the OpenVPN server
    5. Configure the firewall
    6. Create a user account
    7. Install the OpenVPN Client Export Utility
    8. Prepare the Windows packages
  4. On the Windows clients
    1. Install the OpenVPN package
    2. Change the cryptoapicert SUBJ
    3. Using the Windows client
  5. Tweaking the client
  6. Troubleshooting

1. Intro

Intended audience

This howto is intended for small businesses that want to roll out secure VPN connectivity for their users using free software. Because the setup is mostly manual, the process may be too inefficient for larger businesses.

Versions

  • PfSense 2.0.1
  • Active Directory on Windows Server 2008 R2 – I’m using a Forest Functional Level of 2008 R2 but I don’t think that’s really a prerequisite. If it doesn’t work you may have to store your user account passwords using reversible encryption, but since that seems like a serious security issue to me I guess you’d be better off upgrading to at least 2008 R2.

On security and a disclaimer

I am not a security expert. However, the method described in this article is the way it should be:

  • you have two-factor authentication: something you have (the installed certificate) and something you know (your AD user account name and password);
  • your connection is encrypted and nothing crosses the internet in plain text.

If your laptop gets stolen, no one can dial into your corporate network without knowing your username and password. If someone guesses your password, they will also need your laptop to dial in. I cannot guarantee that nothing bad happens to you because of following this howto. Please consult other sources, use your common sense and try breaking into your own system to check if it’s safe.

Thanks

Thanks to the pfSense forum, in particular to user unguzov, who wrote a shorter version of this howto. I adapted his version and added screenshots. Also thanks to Dan, who alerted me to the question of the policy order.

2. On your Active Directory domain controller

Create a group VPNusers

Create a security group in Active Directory Users and Computers called VPNusers. You could give everyone access but it’s a good idea to keep some granular control over it.

Add all accounts that need to use your vpn system to this group.

Install and configure RADIUS

If RADIUS isn’t already set up, you’ll need to add the role to your Domain Controller. If it is already set up, you can skip this step. Open Server Manager and click the Roles node in the tree on the left.

On the right side, click Add Roles.

This will open the Add Roles Wizard.

Check Network Policy and Access Services.

Select Network Policy Server.

If all went well you now have a Network Policy and Access Services node in the tree.

Expand the Network Policy and Access Services node, go to NPS (Local) > RADIUS Clients and Servers, right-click RADIUS Clients and choose New.

In the Friendly name field, enter pfSense VPN or anything you deem appropriate.

In the Address (IP or DNS) field, enter your pfSense router’s IP address. Mine is 192.168.77.1. Shared Secret: check Generate and save the shared secret; you’ll need it later on.

Under NPS (Local) > Policies right-click Network Policies and select New.

In the Policy name field, enter Allow pfSense. Type of network access server: Unspecified.

In the Specify Conditions window, click Add…

Select Windows Groups and click Add…

Click Add Groups… and add the group VPNusers (or whatever group you need).

Back in the Specify Conditions window, click Next and select Access granted.

Put the new policy before any policy that would prevent the connection; mind the Processing Order field. Thanks to Dan for alerting me to this.

In the Configure Authentication Methods window, check Unencrypted authentication (PAP, SPAP).

Skip the next wizard window (Constraints) or configure it as you like. I suggest leaving it as it is until you’re sure it works.

You’re done. Next, Next, Finish your way out.
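
Before wiring OpenVPN to it, it pays to exercise the NPS policy and the shared secret directly. The howto checks PAP because that is how pfSense hands the password to the RADIUS server; on the wire, PAP only obfuscates the password with MD5 keyed by the shared secret, so anyone holding the secret and a capture can recover it, which is why the RADIUS exchange should stay on the trusted LAN. The script below is an added example, not part of the howto, pfSense or NPS: it builds an RFC 2865 Access-Request with a PAP User-Password, sends it over UDP and verifies the Response Authenticator of the reply, so a wrong secret shows up as a bad authenticator rather than a silent reject. The secret and addresses are constructed placeholders (the pfSense and DC addresses are the ones used on this page).

```python
# RADIUS PAP Access-Request builder and reply verifier (RFC 2865).
# Added example, not part of the original howto, pfSense or NPS.
# All addresses and the secret used below are constructed placeholders.
import hashlib
import os
import socket
import struct
from typing import List, Optional, Tuple

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4  # attribute types


def encode_pap_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: NUL-pad to 16-octet blocks, XOR each block with
    MD5(secret + previous ciphertext block), the first keyed by the Request
    Authenticator. Anyone holding the shared secret can reverse this."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def decode_pap_password(blob: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of encode_pap_password (what the server does)."""
    out, prev = b"", authenticator
    for i in range(0, len(blob), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(blob[i:i + 16], key))
        prev = blob[i:i + 16]
    return out.rstrip(b"\x00")


def attribute(atype: int, value: bytes) -> bytes:
    """Type-Length-Value; Length includes the two header octets."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1..253 octets")
    return struct.pack("!BB", atype, len(value) + 2) + value


def parse_attributes(packet: bytes) -> List[Tuple[int, bytes]]:
    """(type, value) pairs; stops at a bogus length instead of over-reading."""
    attrs, pos, end = [], 20, struct.unpack("!H", packet[2:4])[0]
    while pos + 2 <= end:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > end:
            break
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return attrs


def build_access_request(username: str, password: str, secret: bytes, nas_ip: str,
                         identifier: int = 0,
                         authenticator: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Returns (packet, request_authenticator); keep the latter for the reply check."""
    authenticator = authenticator or os.urandom(16)
    attrs = (attribute(USER_NAME, username.encode())
             + attribute(USER_PASSWORD, encode_pap_password(password.encode(), secret, authenticator))
             + attribute(NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs, authenticator


def reply_is_authentic(reply: bytes, request_authenticator: bytes, secret: bytes) -> bool:
    """Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret);
    a mismatch means the secret differs on one side or the reply was forged."""
    if len(reply) < 20:
        return False
    length = struct.unpack("!H", reply[2:4])[0]
    if not 20 <= length <= len(reply):
        return False
    expected = hashlib.md5(reply[:4] + request_authenticator + reply[20:length] + secret).digest()
    return expected == reply[4:20]


def build_reply(code: int, request: bytes, secret: bytes, attrs: bytes = b"") -> bytes:
    """What a server would answer; lets reply_is_authentic be exercised offline."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    return header + hashlib.md5(header + request[4:20] + attrs + secret).digest() + attrs


def send_and_check(request: bytes, request_authenticator: bytes, secret: bytes,
                   host: str, port: int = 1812, timeout: float = 3.0) -> str:
    """One UDP round trip: 'accept', 'reject', 'bad-authenticator' or 'timeout'
    (no answer usually means UDP 1812 is blocked on the DC or the sending
    host is not registered as a RADIUS client)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, (host, port))
        try:
            reply, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "timeout"
    if not reply_is_authentic(reply, request_authenticator, secret):
        return "bad-authenticator"
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject"}.get(reply[0], "other")


if __name__ == "__main__":
    import sys
    # Constructed values: the howto's pfSense address as NAS, its DC as server.
    SECRET = b"replace-with-the-generated-shared-secret"
    packet, auth = build_access_request("jdoe", "AD-password", SECRET, "192.168.77.1", identifier=1)
    print(send_and_check(packet, auth, SECRET, sys.argv[1] if len(sys.argv) > 1 else "192.168.77.15"))
```

NPS identifies a RADIUS client by its source address, not by the NAS-IP-Address attribute, so run this from a host that is registered as a RADIUS client (register your admin workstation temporarily and remove it again afterwards). A `timeout` points at the Windows firewall on the DC or a missing RADIUS client entry, `bad-authenticator` at a shared secret that differs between NPS and pfSense, and `reject` at the network policy (group membership or processing order).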

3. On your PfSense router

3.1 Set up the Authentication Server

In pfSense, go to System > User Manager > Servers. Click the [+] button on the right.

Enter these values:

Descriptive name RADIUS
Type Radius
Hostname or IP address 192.168.77.15
Shared Secret Paste the shared secret you had the RADIUS server generate. Then delete the file you saved the shared secret to. You won’t need it again and if you do you can just generate a new one.
Services offered Authentication and Accounting
Authentication port value 1812
Accounting port value 1813

3.2 Install a Certificate Authority

Go to System > Cert Manager > CAs and click the [+] button.

Enter these values:

Descriptive name TestDomain VPN CA
Method Create an internal Certificate Authority
Key length 2048
Lifetime 3650 days Ten years should be enough for now.
Distinguished name Fill out your preferences here.
Common name testdomainvpn-ca

Note that you now have an extra CA in your CA list.

3.3 Create an internal certificate

Go to System > Cert Manager > Certificates and press the [+] button.

Enter these values:

Method Create an internal Certificate
Descriptive name vpn-testdomain-network
Certificate Authority TestDomain VPN CA
Key length 2048
Certificate Type User Certificate
Lifetime 3560 days
Distinguished name Fill out your prefs here.
Common Name vpn.example.com

3.4 Set up the OpenVPN server

Go to VPN > OpenVPN > Server and click the [+] button.

Enter these values:

Server Mode: Remote Access ( SSL/TLS + User Auth)
Backend for authentication RADIUS
Protocol UDP
Device Mode tun
Interface WAN
Local port 1194
Description Something appropriate
TLS Authentication Check both Enable authentication of TLS packets and Automatically generate a shared TLS authentication key.
Peer Certificate Authority TestDomain VPN CA
Server Certificate vpn-testdomain-network (CA: TestDomain VPN CA)
DH Parameters Length 1024
Encryption algorithm AES-128-CBC (128-bit) Others probably work as well.
Hardware Crypto No Hardware Crypto Acceleration (Unless your hardware supports it. Check dmesg. No Acceleration is always safe.)
Certificate Depth One (Client+Server)
Strict User/CN Matching If you check this, a user can only connect with his own credentials, not those of other users. I think this is a good idea, so check this option.
Tunnel Network 192.168.82.0/24 Or any other network, as long as it is not in use in your LAN/WAN and probably not at your users’ locations, e.g. don’t use 192.168.0.0/24, 192.168.1.0/24 or 10.0.0.0/24.
Redirect Gateway If you check this, not only traffic to your LAN but also traffic to the rest of the internet will be routed through the tunnel. If the user starts downloading a BluRay DVD it will go through your company network. On the other hand, they will be behind your corporate firewall. Check this if you use the VPN for secure internet access. Do not check it if your corporate line has a slow upload speed.
Local Network 192.168.77.0/24 This is my range. Yours is probably different. Enter your LAN subnet here.
Concurrent connections Crypto can be tough on resources. If your pfSense installation runs on an appliance, keep this number low. If it runs on an old computer it can do more. Keep an eye on the machine’s CPU. If more concurrent VPN connections ask too much of the resources, upgrade your hardware. I tend to set this number to the number of client installations.
Compression Check, unless your clients and your server are on stone-age hardware.
Type-of-Service Unchecked
Inter-client communication Unchecked unless you need this for some reason.
Duplicate Connections Unchecked unless you need it.
Dynamic IP Checked unless you are seriously worried about laptops getting stolen in the middle of a vpn session.
Address Pool Checked
DNS Default Domain Checked, enter your Active Directory domain name here
DNS Servers Checked, enter some Active Directory DNS server addresses here.
NTP Servers If you set up one of your DC’s as an NTP server, check and enter it here. Decent time keeping is important for AD communication but if you have no weird time problems you can keep it unchecked.
NetBIOS Options Unchecked. It’s a security risk. Only check it if you need it for legacy applications but check if they work without NetBIOS first; they probably do.
WINS Servers Unchecked unless you need it.
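
The advice for the Tunnel Network row (pick a range that collides neither with your LAN nor with the subnets your users are likely to sit in) is easy to get wrong once a few sites and a redirect-gateway setup are involved, and a collision shows up later as a client that connects but cannot reach anything. The check below is an added example, not from the howto or from pfSense; it uses Python's `ipaddress` module to test a candidate tunnel network against your local networks and against a list of common client-side networks. That list is constructed from the three ranges this page warns about; extend it for your environment.

```python
# Overlap check for an OpenVPN tunnel network. Added example, not part of
# the original howto or of pfSense; the network lists are constructed.
import ipaddress
from typing import Dict, Iterable, List, Optional

# Ranges the howto says to avoid because home and office LANs often use them.
COMMON_CLIENT_NETWORKS = ["192.168.0.0/24", "192.168.1.0/24", "10.0.0.0/24"]


def find_overlaps(tunnel: str, local_networks: Iterable[str],
                  client_networks: Iterable[str] = COMMON_CLIENT_NETWORKS) -> Dict[str, List[str]]:
    """Returns {'local': [...], 'client': [...]} naming every network the tunnel
    overlaps with. Two empty lists mean the tunnel range is safe to use.
    strict=False accepts host-style notation such as 192.168.82.1/24."""
    tun = ipaddress.ip_network(tunnel, strict=False)
    result: Dict[str, List[str]] = {"local": [], "client": []}
    for kind, nets in (("local", local_networks), ("client", client_networks)):
        for n in nets:
            net = ipaddress.ip_network(n, strict=False)
            # overlaps() only compares same-family networks, so skip v4/v6 mixes.
            if net.version == tun.version and tun.overlaps(net):
                result[kind].append(str(net))
    return result


def pick_tunnel_network(candidates: Iterable[str], local_networks: Iterable[str],
                        client_networks: Iterable[str] = COMMON_CLIENT_NETWORKS) -> Optional[str]:
    """First candidate that overlaps nothing, or None if all of them collide."""
    for candidate in candidates:
        found = find_overlaps(candidate, local_networks, client_networks)
        if not found["local"] and not found["client"]:
            return candidate
    return None


if __name__ == "__main__":
    # The page's own values: tunnel 192.168.82.0/24 against LAN 192.168.77.0/24.
    print(find_overlaps("192.168.82.0/24", ["192.168.77.0/24"]))
    print(pick_tunnel_network(["192.168.1.0/24", "192.168.77.0/24", "192.168.82.0/24"],
                              ["192.168.77.0/24"]))
```

Feed `local_networks` every subnet reachable behind pfSense (the Local Network row plus any routed ones), not just the one the router sits in; a tunnel that overlaps a network two hops away breaks routing just as effectively.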

3.5 Configure the firewall

Go to Firewall > Rules > WAN and press the [+] button to create a new rule.

Enter these values:

Action Pass
Disabled not checked
Interface WAN
Protocol UDP
Source unchecked, any
Destination unchecked, WAN address
Destination port range from OpenVPN to OpenVPN
Log only check when troubleshooting
Description OpenVPN RADIUS

After you click Save, the rules page reloads. Do not forget to click Apply.

3.6 Create a user account

You must create a user certificate for each user that is going to use your VPN system. Go to System > Cert Manager (not User Manager!) > Certificates and click the [+] button. (Note that the alt text of this button may be wrong.) In Descriptive name and Common Name, enter the username the user uses to log on to Active Directory. Strictly speaking Descriptive name can be anything, but usernames should be unique anyway.

Enter these values:

Create an internal Certificate
Descriptive name [Username of the user that will be using the VPN connection] In some cases this is case sensitive. I tend to stick to all lowercase for that reason. It doesn’t really matter, but keep it in mind if the connection can’t be established.
Certificate authority TestDomain VPN CA
Key length 2048
Certificate Type User Certificate
Lifetime 3650 days Unless the user has a temporary account.
Distinguished name Fill out your preferences here.
Common Name: [see Descriptive name]

Note the entry in the Certificate list.

3.7 Install the OpenVPN Client Export Utility

Note – these screenshots are out of date. Today many more export formats are available.

Go to System > Packages > Available Packages.

Scroll down to OpenVPN Client Export Utility and click the [+] button on the right.

Confirm that you want to install that package and the package will be installed.

When it says Installation completed the installation is finished.

3.8 Prepare the Windows packages

Go to VPN > OpenVPN and note that there is an extra tab called Client Export. Open it.

Enter these values:

Remote Access Server VPN with RADIUS UDP:1194
Host Name Resolution If you have a static IP (not a semi-static one like cable providers give you), enter Interface IP Address here. If you have a DNS name pointing in your direction, enter Installation hostname here. Personally, I like to create a dedicated DNS entry for VPN connections called vpn.example.com; if you ever decide to move things around it is nice to have things set up modularly. If you’re not sure, stick with Interface IP Address for now.
Use Microsoft Certificate Storage instead of local files Checked
Use a password to protect the pkcs12 file contents or key in Viscosity bundle Checked; choose a random password here and save it for when you need to install it on the client.
Use HTTP Proxy Unchecked unless you need it.

Find the right username under Certificate Name and click Windows Installer.

Get a package for each user.

4. On the Windows clients

4.1 Install the OpenVPN package

Copy the Windows Installer you downloaded to the client. It is named after the tunnel configuration, for example router-udp-1194-install.exe.

Run the installer with all defaults. When selecting components, make sure they are all checked (they are by default).

Once the installation is complete, press Next. Read or don’t read the Readme and press Finish.

The OpenVPN Configuration Setup will continue to install the certificates.

Stick to the defaults. When prompted for a password, enter the password you used when you exported the Windows Installer from the Client Export tab.

Have the wizard automatically select the archive.

4.2 Change the cryptoapicert SUBJ

Open C:\Program Files\OpenVPN\config\yourconfig.ovpn or C:\Program Files (x86)\OpenVPN\config\yourconfig.ovpn and change the line that says

cryptoapicert "SUBJ:"

to

cryptoapicert "SUBJ:vorkbaard"

…replacing vorkbaard with the user’s username. I may be mistaken, but I think this helps specify which certificate OpenVPN should use in case certificates have a naming conflict.
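
The guess above is right: OpenVPN's `cryptoapicert` option picks the client certificate out of the Windows certificate store, and `SUBJ:` is a substring match on the certificate subject, so an empty selector matches whatever certificate comes first and a short username also matches any longer name that contains it (`bob` matches `bobby`); `THUMB:` with the certificate thumbprint is the unambiguous alternative. Doing this edit by hand for every client invites two mistakes: forgetting the closing quote, and pasting curly quotes from a web page, both of which make OpenVPN refuse the config. The helper below is an added example, not part of the howto, pfSense or OpenVPN; it assumes the exported .ovpn contains a bare `cryptoapicert "SUBJ:"` line as shown on this page and rewrites it for a given username, appending the option if it is missing.

```python
# Sets the cryptoapicert "SUBJ:<username>" selector in an exported .ovpn file.
# Added example, not part of the original howto, pfSense or OpenVPN.
import re
from pathlib import Path

# Matches the option with straight or curly quotes and with or without a
# closing quote, so copy-paste damage from a web page is repaired too.
_CRYPTOAPICERT = re.compile(
    r'^[ \t]*cryptoapicert[ \t]+["\u201c\u201d]?SUBJ:(.*?)["\u201c\u201d]?[ \t]*$',
    re.MULTILINE,
)


def set_cryptoapicert_subject(config: str, username: str) -> str:
    """Returns the config text with exactly one cryptoapicert "SUBJ:<username>"
    line: an existing line (even an empty SUBJ: selector) is replaced, a
    missing one is appended. Usernames with quotes or newlines are refused
    because they would break the OpenVPN config syntax."""
    if not username or '"' in username or "\n" in username:
        raise ValueError("username must be a single unquoted token")
    line = f'cryptoapicert "SUBJ:{username}"'
    # A callable replacement keeps backslashes in the username literal.
    new, count = _CRYPTOAPICERT.subn(lambda _m: line, config, count=1)
    if count == 0:
        separator = "" if not new or new.endswith("\n") else "\n"
        new = new + separator + line + "\n"
    return new


def patch_ovpn_file(path: Path, username: str) -> bool:
    """Rewrites the file in place; returns True if anything changed.
    read_text/write_text keep Windows line endings intact on Windows."""
    old = path.read_text(encoding="utf-8")
    new = set_cryptoapicert_subject(old, username)
    if new != old:
        path.write_text(new, encoding="utf-8")
    return new != old


if __name__ == "__main__":
    import sys
    # Usage: python patch_ovpn.py "C:\Program Files\OpenVPN\config\yourconfig.ovpn" vorkbaard
    changed = patch_ovpn_file(Path(sys.argv[1]), sys.argv[2])
    print("updated" if changed else "already correct")
```

Run it once per client with the same lowercase username you used for the certificate's Common Name; because the selector is a substring match, check in certmgr.msc that no other certificate in the user's store has a subject containing that string.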

4.3 Using the Windows client

To use the client, double-click the OpenVPN GUI icon on your Desktop. Windows will ask you to confirm the execution. Confirm. OpenVPN will start, but that’s not enough: right-click the OpenVPN icon in the taskbar and choose Connect. The user must now enter his username and password. This is only the username part, without the domain. The password is the user’s Active Directory password.

If all is well, OpenVPN will connect to your pfSense router and minimize to the system tray.

5. Tweaking the client

Here are some tweaks I like to do on my client installations.

Change the name of the .ovpn file

When you connect to your router, OpenVPN shows a balloon telling you that the VPN is up. It contains your rather cryptic Windows Installer name, but you can change that to something more appropriate by renaming the .ovpn file in C:\Program Files\OpenVPN\config (or C:\Program Files (x86)\OpenVPN\config) to whatever name you want the balloon to show. (The balloon in my screenshot reads is nu verbonden, which is Dutch for is now connected.)

Edit the shortcut to connect directly

You can edit the OpenVPN GUI shortcut to connect to your router directly, instead of first starting OpenVPN and then starting the connection: right-click the shortcut and add the following to the Target field:

--connect "Headquarters.ovpn"

…if Headquarters.ovpn is the name of your .ovpn file. The user will still need to enter his password, but it does save a step in the process.

Edit more settings

More information on automation, customization and registry tweaks is available in this text document: http://openvpn.se/install.txt.

6. Troubleshooting

If something doesn’t work, here are some pointers for troubleshooting:

  • The username may be case sensitive.
  • Use pfSense’s fine logging system under Status > System logs > OpenVPN.
  • Ask your question in the pfSense forum.
  • Windows 7 sometimes adds a Microsoft Virtual WiFi Miniport Adapter. Disabling this sometimes solves vague connection problems where there should be none.
  • Is the subnet unique? Perhaps the user is in a subnet that is the same as your virtual or corporate subnet.
  • Certificate problems? Check certmgr.msc. Perhaps an old certificate is blocking the installation of a new certificate.
  • Client getting disconnected? Check the user’s wifi connection. No wifi=no internet=no vpn.
  • Check if your domain controller allows UDP ports 1812 and 1813 through the firewall. Adding the Network Policy and Access Services role and configuring a RADIUS client should automatically have entered these rules in the server’s firewall. They are called Network Policy Server (RADIUS Accounting – UDP-In) and Network Policy Server (RADIUS Authentication – UDP-In). Note that this is about the firewall on your domain controller, not pfSense’s firewall!

This article is also published on doc.pfsense.org.

18 Comments

  1. Dan

    Your Guide in setting up OpenVPN with RADIUS via Active Directory with pfSense is a great article. I’m writing this to have one small thing added.

    While testing, I followed your document and had some issues getting the setup to work and spent 1.5 days trying with no success. After reading another article about Radius (NPS), I noticed one such step they mentioned was to change the Policy Processing Order. After moving the policy created based on your guide from 3 to 1, voila, everything worked like a charm.

    If you could add this simple step into the pfsense guide you created (http://doc.pfsense.org/index.php/OpenVPN_with_RADIUS_via_Active_Directory), I think it could be very helpful to others using attempting this configuration.

    Thanks,

    Dan

    • Kapitein Vorkbaard

      My original policies showed up as 999999 and 999998, respectively. Newly created policies were automatically numbered 999997, 999996 and so on. I guess it is logical the Policy Order should have the Allow PfSense policy before any policy blocking the PfSense connection.

      Perhaps Microsoft decided to change the default numbering somewhere along the way. I added your suggestion. Thanks for the screenshot!

  2. Ashraf

    Really great article,
    after following your guide I’d managed to connect to my pfSense router, and the VPN client is green, but that’s it. I couldn’t connect to any device on my LAN, not even my pfSense box.
    I can only ping my Windows 7 machine.
    I’ve been working on this issue for three days, with no luck.
    Please help!

      • Ashraf

        Could you please describe on which interface I should create the rules, and what the appropriate configuration is for each rule?

        Sorry for that question, but I’ve been working on this issue for 4 days and have tried too many settings with no luck.

          • Kapitein Vorkbaard

            In PfSense go to Firewall > Rules and select the OpenVPN tab. Add a rule that allows all IPv4 traffic and another one allowing IPv6 if you’re doing IPv6. The rule should look like this: ID | Proto IPv4* | Source * | Port * | Destination * | Port * | Gateway * | Queue none | Schedule | Description allow everything through OpenVPN
            If it works feel free to narrow down the firewall rule but this should help troubleshooting.

            If it still doesn’t work check if the network you are connecting to (the one your PfSense router is in) has your PfSense router’s ip address set as default gateway, otherwise clients in the network don’t know how to route traffic back to your vpn client.

            Finally, open a topic on the PfSense forum. It’s easier to discuss there than here. Feel free to post a link here to the topic you opened and I’ll go take a look.

          • mohan rao

            Dear Ashrafji,

            have u successfully configured Road Warrior Open Vpn,
            i had properly connected from remote location from non windows machine like mac or ubuntu fedora or my android phone.
            but when i try from my windows machine like windows xp or windows 7 its show connected also take ip address from vpn server but main problem is not able to communicate with server side lan..

            pls help if have any idea… !

  3. romeo

    Hi, really great article. After following your guide I’d managed to connect to my pfSense router but I couldn’t, despite the firewall rules I set on the OpenVPN and WAN interfaces. It always returns the error TLS handshake failed. Help me please.

    • Kapitein Vorkbaard

      Try recreating the certificates. If it doesn’t help, search the PfSense forum for that error. It’s not an uncommon one but I have no ready answer for it.

      Also, if you post on the forum it may help others to put a link in the comments here; perhaps someone else can make use of it.

    • Kapitein Vorkbaard

      Make the client more verbose by adding ‘verb 3’ to the CLIENT config. Increase for more verbosity, decrease for less. You will find the output in the client’s log file. Perhaps that will give you something to look for.
