This article explains how to set up PfSense as an OpenVPN server which authenticates clients based on the certificate they have and their Active Directory credentials using either RADIUS or LDAP.
If you find this article helpful feel free to click some of the ads on this page. It won’t make me rich but it would tell me someone said thanks. There’s also a PayPal donation button on the right if you’re really euphoric.
This is a rewrite of and an update to the previous article using older versions.
– PfSense 2.4
– Windows Server 2016
– OpenVPN 2.4.4 for Windows
– Windows 10 Pro
Before you begin you should have:
– a working PfSense router set up as the default gateway for your network
– a working instance of Active Directory
– a second internet connection to test from
– Steps in Active Directory are just examples. You can do it all with remote management tools, PowerShell and there are probably other ways.
– The PfSense router in my network has ip address 192.168.90.1. The only AD server has 192.168.90.2.
– My Active Directory is called test.lab; the server is called server01.test.lab.
– My test user is called Pino van Sesamstraat; his username is pino, or firstname.lastname@example.org.
– It is very possible to run multiple OpenVPN instances on the same server. Just make sure the port-protocol combinations don’t overlap.
– Why so many screenshots? Because you can never have enough screenshots.
On your Active Directory domain controller:
– create an Active Directory VPNusers group
– A. for RADIUS: install and configure RADIUS on Windows
– B. for LDAP: create a user account
On your PfSense router:
– set up an authentication server
– install a certificate authority, either RADIUS or LDAP
– create an internal certificate
– set up the OpenVPN server
– configure the firewall
– create a user account
– install the OpenVPN Client Export Utility
– prepare the Windows packages
On the Windows client:
– install the OpenVPN package
– using the Windows client
– tweaking the client
In Active Directory Users and Computers create a Global Security group called VPNusers. The group scope can be universal or domain local if you prefer.
Create a test user and add them to the group.
Option A: RADIUS
If it’s not on your server yet install the Network Policy and Access Services Server Role on your Active Directory Domain Controller:
Open Server Manager, choose Manage > Add Roles and Features.
Choose Role-based or feature-based installation.
Select your server.
Select Network Policy and Access Services.
Check Include management tools (if applicable). If applicable. And click Add Features.
Skip the Features and click Next.
Note it says you can deploy NPS as a RADIUS server. Dandy!
Click Install and wait for the installation to finish.
Create a RADIUS client in the Network Policy Server
From Server Manager > Tools choose Network Policy Server.
Expand NPS > RADIUS Clients and Server, right-click RADIUS Clients and choose New.
|Friendly name||PfSense VPN (or whatever you want)|
|Address||192.168.90.1 (your PfSense router’s address)|
Select Generate and click the Generate button to generate a shared secret. Save this key because you will need it later. Click OK.
Expand Policies, right-click Network Policies and click New.
|Policy name||Allow PfSense group.|
|Type of network access server||Unspecified.|
Click Add to create a new condition.
Select User Groups and click Add.
Click Add Groups.
Enter the name of the vpn group you created earlier and click OK.
Select Access granted and click Next.
OooOoh, more options! Play with it later. For now just click Next.
The encryption settings are for Routing and Remote Access Service. We’ll be using RADIUS, not RRAS so these settings don’t apply here. Just click Next.
Seems like the Wizard is done. Click Finish.
Option B: via LDAP
You can have PfSense authenticate using LDAP queries on Active Directory. That way there is no need to set up a RADIUS server. I suggest you create a dedicated Active Directory user for this with a hard password. Set the password to never expire (or make sure you make a calendar note to change it both in AD and PfSense in time lest your ). The dedicated user needs to be part of AD but does not need to be a member of any groups, let alone the Administrators group. I called my user ovpn.
A word on digging around in your Active Directory for your settings. By default Active Directory Users and Computers will not show you much LDAP settings. To get a bit more information, open the View menu and check Advanced Features.
Now if you view an object’s properties you’ll find a tab called Attribute Editor where you’ll find such things as the distinguishedName (DN) and Common Name (CN). Doubleclick a value to edit or copy it.
We’re going to set up two-factor authentication. The first factor is a certificate and the second is your Active Directory password.
To deal out certificates per user we’ll first set up a Certficate Authority. Go to System > Cert. Manager and click Add.
First, set the Method to Create an internal Certificate Authority.
|Descriptive name||OpenVPN_CA (or anything you want, really)|
|Key length (bits)||2048, or whatever you want.|
|Lifetime (days)||this is your certificate authority so I suggest you set this nice and high if you don’t want to replace all your clients’ vpn certs too often.|
|Country, etc.||fill out your information.|
|Common name||OpenVPN_CA (or whatever you like but I suggest you keep it simple)|
Now we must create an internal certificate for the OpenVPN server to use.
Go to System > Cert. Manager > Certificates and click Add/Sign.
First set the Method to Create an internal Certificate.
|Key length||2048 (or whatever’s your fancy)|
|Digest Algorith||sha256 (idem)|
|Fill out the Country etc.|
|Common Name||OpenVPN_Cert (keep it simple)|
|Certificate Type||Server Certificate|
Now for the second authentication part: Active Directory.
Option A: via RADIUS.
Go to System > User Manager > Authentication Servers. Click Add.
|Protocol||leave at MS-CHAPv2|
|Hostname or IP address||192.168.90.2 (your AD RADIUS server’s ip address)|
|Shared Secret||the shared secret you had generated earlier.|
|Services offered||Authentication and Accounting|
Keep the default ports, set Authentication Timeout to a sane value or leave empty.
Option B: via LDAP
Go to System > User Manager > Authentication Servers. Click Add.
|Descriptive name||Active Directory|
|Hostname or IP address||192.168.90.2 (your domain controller’s address)|
|Transport||TCP – Standard|
|Search scope||Entire Subtree (unless all your users are in that one OU)|
|Authentication containers||CN=Users (unless you keep your users in a different OU)|
|Extended query||&(objectClass=person)(memberOf:1.2.840.1135184.108.40.2061:=CN=VPNusers,CN=Users,DC=test,DC=lab) This will only return objects with objectClass ‘person’ (users you created) who are a member of (groups who are a member of) the VPNusers group. That memberOf:1.2.840.1135220.127.116.111: is a static name: it does not vary per installation and it is not a string. It is the literal name of the group.|
|Bind credentials||the dedicated user and password you created earlier in Active Directory for specifically this purpose|
|Initial Template||AD (this fills out the rest of the attributes; this option will disappear after usage)|
|User naming attribute||samAccountName|
|Group naming attribute||cn|
|Group member attribute||memberOf|
There are probably better ways to do this. If you know them and you have tested them please feel free to mention them in the replies. The above settings are what works for me.
Setting up the OpenVPN server
Go to VPN > OpenVPN > Server and click Add.
You can change most tunnel values to your liking; my settings are just suggestions and/or defaults.
|Server Mode||Remote Access ( SSL/TLS + User Auth)|
|Backend for authentication||select the authentication server you created: RADIUS or Active Directory|
|TLS Configuration||checked – a key is automatically generated after the settings are saved; you do not need to enter a key manually.|
|Peer Certificate Authority||OpenVPN_CA|
|Server certificate||OpenVPN_Cert (Server: Yes, CA: OpenVPN_CA)|
|Strict User/CN Matching||If you check this, a user can only connect with his own credentials, not that of other users. I think this is is good idea, so check this option.|
|IPv4 Tunnel Network||192.168.91.0/24 or any other network, as long as it is not in use in your lan/wan and probably not at your users’ locations. I.e. don’t use 192.168.0.0/24, 192.168.1.0/24 and 10.0.0.0/24.|
|Redirect Gateway||if you check this, not traffic to your lan will be routed through the tunnel but also to the rest of the internet. If the user starts downloading a BluRay dvd it will go through your company network. On the other hand, they will be behind your corporate firewall. Check this if you use the vpn for secure internet access. Do not check if your corporate line has a slow upload speed.|
|Local Network||192.168.90.0/24 – your corporate LAN’s subnet. Only asked if Redirect Gateway is not checked.|
|DNS Default Domain||test.lab (your Active Directory domain name)|
|DNS Server enable||check. DNS Servers: provide your AD’s DNS servers.|
You must create a firewall rule that will allow traffic through the OpenVPN interface. Otherwise what’s the use?
Go to Firewall > Rules > OpenVPN and click Add.
|Description||Allow OpenVPN traffic.|
You may want to tune this down a bit if this whole contraption turns out to work. I suggest allowing only TCP/UDP traffic and perhaps ICMP if you need to ping as well. You may want to change the Destination to ‘LAN net’ if you don’t want your clients to have internet access. And so on.
Don’t forget to click Apply Changes.
We’ll create a certificate for every user that must be able to use the vpn.
Go to System > Cert. Manager (not User Manager!) > Certificates ad click Add/Sign.
|Method||Create an internal Certificate|
|Descriptive name||[Username of the user that will be using the vpn connection] In some cases this is case sensitive. I tend to stick to all lowercase for that reason. It doesn’t really matter but keep it in mind if the connection can’t be established.|
|Lifetime (days)||365 – now here is something to think about. You define here how many days your clients’ certificates are going to be valid. How often do you need those laptop back on your desk? Let’s go with a year for the time being.|
|Common name||see Descriptive Name.|
|Certificate Type||User Certificate|
Install the OpenVPN Client Export Utility: go to System > Package Manager > Available Packages and install the openvpn-client-export package.
Go to VPN > OpenVPN > Client Export Utility
|Remote Access Server||AD + Cert UDP4:1194 (or whatever you called your authentication server).|
|Host Name Resolution||If you have a static IP (not a semi-static like cable providers give you), enterInterface IP Address here. – If you have a dns address pointing in your direction, enter Installation hostnamehere.Personally, I like to create a dedicated dns entry for vpn connections called vpn.example.com. If you ever decide to move things around it is nice to have things set up modularly. If you’re not sure, stick with Interface IP Address for now.|
|Microsoft Certificate Storage||checked|
|Certificate Password||choose a random password here and save it for when you need to install it on the client.|
|Protocol||UDP (if you didn’t change it)|
|Destination||This firewall (self)|
|Destination Port Range||OpenVPN (1194)|
Click Apply Changes.
Doubleclick the package you exported. My Windows 10 machine threw me warning about being unable to recognize the app.
When I clicked More info a Run anyway button appeared, which seemed appropriate.
Upon installing Windows presented me with the Certificate Import Wizard. It was really helpful.
Ah! Right, the certificate password. Choose your preferences.
Automatically select the store.
Sounds like a success!
Finish the OpenVPN Setup.
Using the Windows client
If it’s not started yet, doubleclick the OpenVPN GUI icon.
Right-click the taskbar icon and choose Connect. Enter the username (without the domain part) and the password.
If all is well OpenVPN should now connect. However it will probably fail and you’ll need to troubleshoot it a bit.
Note: you can ignore the warning about cryptapicert and TLS version 1.1. This is a result of OpenVPN storing the certificate in Windows’ certificate store, which can be done using TLS 1.1 (depricated) or TLS 1.2 (safe, at the time of writing). Because this version of cryptoapicert in OpenVPN does not support TLS 1.2 and newer, TLS 1.1 is used, which is not so safe but safer than storing the certificate in plain text. If the warning really bugs you uncheck ‘Microsoft Certificate Storage’ in the Client Export Utility, export the package and re-install it on the client.
Tweaking the client
Change the name of the .ovpn file
When you connect to your router OpenVPN shows a balloon telling you that the vpn is up. It contains your rather cryptic Windows Installer name, but you can change that to something more appropriate by renaming the .ovpn file in C:\Windows\Program Files\OpenVPN\config (or C:\Windows\Program Files(x86)\OpenVPN\config to whatever name you want the balloon to show.
Open C:\Program Files\OpenVPN\config\yourconfig.ovpn or C:\Program Files(x86)\OpenVPN\config\yourconfig.ovpn and change the line that says
…replace pino by the user’s username. I may be mistaken but I think this helps specifying which certificate OpenVPN should use in case certificates have a naming conflict.