Set up OpenVPN on PfSense with user certificates and Active Directory authentication

This article explains how to set up PfSense as an OpenVPN server which authenticates clients based on the certificate they have and their Active Directory credentials using either RADIUS or LDAP.

If you find this article helpful feel free to click some of the ads on this page. It won’t make me rich but it would tell me someone said thanks. There’s also a PayPal donation button on the right if you’re really euphoric.

This is a rewrite of and an update to the previous article using older versions.

– PfSense 2.4
– Windows Server 2016
– OpenVPN 2.4.4 for Windows
– Windows 10 Pro

Before you begin you should have:
– a working PfSense router set up as the default gateway for your network
– a working instance of Active Directory
– a second internet connection to test from

– Steps in Active Directory are just examples. You can do it all with remote management tools, PowerShell and there are probably other ways.
– The PfSense router in my network has ip address The only AD server has
– My Active Directory is called test.lab; the server is called server01.test.lab.
– My test user is called Pino van Sesamstraat; his username is pino, or pino@test.lab.
– It is very possible to run multiple OpenVPN instances on the same server. Just make sure the port-protocol combinations don’t overlap.
– Why so many screenshots? Because you can never have enough screenshots.

The steps:
On your Active Directory domain controller:
– create an Active Directory VPNusers group
– A. for RADIUS: install and configure RADIUS on Windows
– B. for LDAP: create a user account

On your PfSense router:
– set up an authentication server
– install a certificate authority, either RADIUS or LDAP
– create an internal certificate
– set up the OpenVPN server
– configure the firewall
– create a user account
– install the OpenVPN Client Export Utility
– prepare the Windows packages

On the Windows client:
– install the OpenVPN package
– using the Windows client
– tweaking the client


On your Active Directory domain controller

In Active Directory Users and Computers create a Global Security group called VPNusers. The group scope can be universal or domain local if you prefer.

Create a test user and add them to the group.

Option A: RADIUS

If it’s not on your server yet install the Network Policy and Access Services Server Role on your Active Directory Domain Controller:

Open Server Manager, choose Manage > Add Roles and Features.

Choose Role-based or feature-based installation.

Select your server.

Select Network Policy and Access Services.

Check Include management tools (if applicable). If applicable. And click Add Features.

Click Next.

Skip the Features and click Next.

Note it says you can deploy NPS as a RADIUS server. Dandy!

Click Install and wait for the installation to finish.


Create a RADIUS client in the Network Policy Server

From Server Manager > Tools choose Network Policy Server.

Expand NPS > RADIUS Clients and Server, right-click RADIUS Clients and choose New.

Friendly name PfSense VPN (or whatever you want)
Address (your PfSense router’s address)

Select Generate and click the Generate button to generate a shared secret. Save this key because you will need it later. Click OK.

Expand Policies, right-click Network Policies and click New.

Policy name Allow PfSense group.
Type of network access server Unspecified.

Click Add to create a new condition.

Select User Groups and click Add.

Click Add Groups.

Enter the name of the vpn group you created earlier and click OK.

Click OK.

Click Next.

Select Access granted and click Next.

Click Next.

OooOoh, more options! Play with it later. For now just click Next.

The encryption settings are for Routing and Remote Access Service. We’ll be using RADIUS, not RRAS so these settings don’t apply here. Just click Next.

Seems like the Wizard is done. Click Finish.

Option B: via LDAP

You can have PfSense authenticate using LDAP queries on Active Directory. That way there is no need to set up a RADIUS server. I suggest you create a dedicated Active Directory user for this with a hard password. Set the password to never expire (or make sure you make a calendar note to change it both in AD and PfSense in time lest your ). The dedicated user needs to be part of AD but does not need to be a member of any groups, let alone the Administrators group. I called my user ovpn.

A word on digging around in your Active Directory for your settings. By default Active Directory Users and Computers will not show you much LDAP settings. To get a bit more information, open the View menu and check Advanced Features.

Now if you view an object’s properties you’ll find a tab called Attribute Editor where you’ll find such things as the distinguishedName (DN) and Common Name (CN). Doubleclick a value to edit or copy it.

On your PfSense router.

We’re going to set up two-factor authentication. The first factor is a certificate and the second is your Active Directory password.

To deal out certificates per user we’ll first set up a Certficate Authority. Go to System > Cert. Manager and click Add.

First, set the Method to Create an internal Certificate Authority.

Descriptive name OpenVPN_CA (or anything you want, really)
Key length (bits) 2048, or whatever you want.
Lifetime (days) this is your certificate authority so I suggest you set this nice and high if you don’t want to replace all your clients’ vpn certs too often.
Country, etc. fill out your information.
Common name OpenVPN_CA (or whatever you like but I suggest you keep it simple)

Now we must create an internal certificate for the OpenVPN server to use.
Go to System > Cert. Manager > Certificates and click Add/Sign.

First set the Method to Create an internal Certificate.

Descriptive name OpenVPN_Cert
Certificate authority OpenVPN_CA
Key length 2048 (or whatever’s your fancy)
Digest Algorith sha256 (idem)
Lifetime (days) 3650
Fill out the Country etc.
Common Name OpenVPN_Cert (keep it simple)
Certificate Type Server Certificate

Now for the second authentication part: Active Directory.

Option A: via RADIUS.

Go to System > User Manager > Authentication Servers. Click Add.

Descriptive name RADIUS
Protocol leave at MS-CHAPv2
Hostname or IP address (your AD RADIUS server’s ip address)
Shared Secret the shared secret you had generated earlier.
Services offered Authentication and Accounting

Keep the default ports, set Authentication Timeout to a sane value or leave empty.

Option B: via LDAP
Go to System > User Manager > Authentication Servers. Click Add.

Descriptive name Active Directory
Hostname or IP address (your domain controller’s address)
Port value 389
Transport TCP – Standard
Protocol version 3
Search scope Entire Subtree (unless all your users are in that one OU)
Authentication containers CN=Users (unless you keep your users in a different OU)
Extended query &(objectClass=person)(memberOf:1.2.840.113556.1.4.1941:=CN=VPNusers,CN=Users,DC=test,DC=lab) This will only return objects with objectClass ‘person’ (users you created) who are a member of (groups who are a member of) the VPNusers group. That memberOf:1.2.840.113556.1.4.1941: is a static name: it does not vary per installation and it is not a string. It is the literal name of the group.
Bind anonymous uncheck
Bind credentials the dedicated user and password you created earlier in Active Directory for specifically this purpose
Initial Template AD (this fills out the rest of the attributes; this option will disappear after usage)
User naming attribute samAccountName
Group naming attribute cn
Group member attribute memberOf

There are probably better ways to do this. If you know them and you have tested them please feel free to mention them in the replies. The above settings are what works for me.

Setting up the OpenVPN server

Go to VPN > OpenVPN > Server and click Add.

You can change most tunnel values to your liking; my settings are just suggestions and/or defaults.

[General Information]
Server Mode Remote Access ( SSL/TLS + User Auth)
Backend for authentication select the authentication server you created: RADIUS or Active Directory

[Cryptographic Settings]
TLS Configuration checked – a key is automatically generated after the settings are saved; you do not need to enter a key manually.
Peer Certificate Authority OpenVPN_CA
Server certificate OpenVPN_Cert (Server: Yes, CA: OpenVPN_CA)
Strict User/CN Matching If you check this, a user can only connect with his own credentials, not that of other users. I think this is is good idea, so check this option.

[Tunnel Settings]
IPv4 Tunnel Network or any other network, as long as it is not in use in your lan/wan and probably not at your users’ locations. I.e. don’t use, and
Redirect Gateway if you check this, not traffic to your lan will be routed through the tunnel but also to the rest of the internet. If the user starts downloading a BluRay dvd it will go through your company network. On the other hand, they will be behind your corporate firewall. Check this if you use the vpn for secure internet access. Do not check if your corporate line has a slow upload speed.
Local Network – your corporate LAN’s subnet. Only asked if Redirect Gateway is not checked.
[Advanced Settings]
DNS Default Domain test.lab (your Active Directory domain name)
DNS Server enable check. DNS Servers: provide your AD’s DNS servers.

You must create a firewall rule that will allow traffic through the OpenVPN interface. Otherwise what’s the use?
Go to Firewall > Rules > OpenVPN and click Add.

Protocol Any
Description Allow OpenVPN traffic.

You may want to tune this down a bit if this whole contraption turns out to work. I suggest allowing only TCP/UDP traffic and perhaps ICMP if you need to ping as well. You may want to change the Destination to ‘LAN net’ if you don’t want your clients to have internet access. And so on.

Don’t forget to click Apply Changes.

We’ll create a certificate for every user that must be able to use the vpn.
Go to System > Cert. Manager (not User Manager!) > Certificates ad click Add/Sign.

Method Create an internal Certificate
Descriptive name [Username of the user that will be using the vpn connection] In some cases this is case sensitive. I tend to stick to all lowercase for that reason. It doesn’t really matter but keep it in mind if the connection can’t be established.
Certificate Authority OpenVPN_CA
Key length 2048
Digest Algorithm sha256
Lifetime (days) 365 – now here is something to think about. You define here how many days your clients’ certificates are going to be valid. How often do you need those laptop back on your desk? Let’s go with a year for the time being.
Common name see Descriptive Name.
Certificate Type User Certificate

Install the OpenVPN Client Export Utility: go to System > Package Manager > Available Packages and install the openvpn-client-export package.

Go to VPN > OpenVPN > Client Export Utility

Remote Access Server AD + Cert UDP4:1194 (or whatever you called your authentication server).
Host Name Resolution If you have a static IP (not a semi-static like cable providers give you), enterInterface IP Address here. – If you have a dns address pointing in your direction, enter Installation hostnamehere.Personally, I like to create a dedicated dns entry for vpn connections called If you ever decide to move things around it is nice to have things set up modularly. If you’re not sure, stick with Interface IP Address for now.
Microsoft Certificate Storage checked
Certificate Password choose a random password here and save it for when you need to install it on the client.

Under Advanced > Additional configuration options enter: auth-nocache. This will prevent the client from complaining that it may cache passwords.

The ‘Safe a default’ button is a nice touch here. Scroll down and find the user for whom you want to prepare the package. Choose a download option; I’m picking ‘Windows Vista and Later’ because I’ll be testing on Windows 10.

Create a Firewall rule to allow the vpn clients to connect: go to Firewall > Rules > WAN and click Add.

Protocol UDP (if you didn’t change it)
Destination This firewall (self)
Destination Port Range OpenVPN (1194)
Description Allow OpenVPN

Click Apply Changes.

On the Windows client

Doubleclick the package you exported. My Windows 10 machine threw me warning about being unable to recognize the app.

When I clicked More info a Run anyway button appeared, which seemed appropriate.

Upon installing Windows presented me with the Certificate Import Wizard. It was really helpful.

Ah! Right, the certificate password. Choose your preferences.

Automatically select the store.

Sounds like a success!

Finish the OpenVPN Setup.

Using the Windows client

If it’s not started yet, doubleclick the OpenVPN GUI icon.

Right-click the taskbar icon and choose Connect. Enter the username (without the domain part) and the password.

If all is well OpenVPN should now connect. However it will probably fail and you’ll need to troubleshoot it a bit.

Note: you can ignore the warning about cryptapicert and TLS version 1.1. This is a result of OpenVPN storing the certificate in Windows’ certificate store, which can be done using TLS 1.1 (depricated) or TLS 1.2 (safe, at the time of writing). Because this version of cryptoapicert in OpenVPN does not support TLS 1.2 and newer, TLS 1.1 is used, which is not so safe but safer than storing the certificate in plain text. If the warning really bugs you uncheck ‘Microsoft Certificate Storage’ in the Client Export Utility, export the package and re-install it on the client.

Tweaking the client

Change the name of the .ovpn file
When you connect to your router OpenVPN shows a balloon telling you that the vpn is up. It contains your rather cryptic Windows Installer name, but you can change that to something more appropriate by renaming the .ovpn file in C:\Windows\Program Files\OpenVPN\config (or C:\Windows\Program Files(x86)\OpenVPN\config to whatever name you want the balloon to show.


  • The username may be case sensitive.
  • Use pfSense’s fine logging system under Status > System logs > OpenVPN.
  • Ask your question in the pfSense forum.
  • Windows 7 sometimes adds a Microsoft Virtual WiFi Miniport Adapter. Disabling this sometimes solves vague connection problems where there should be none.
  • Is the subnet unique? Perhaps the user is in a subnet that is the same as your virtual or corporate subnet.
  • Certificate problems? Check certmgr.msc. Perhaps an old certificate is blocking the installation of a new certificate.
  • Client getting disconnected? Check the user’s wifi connection. No wifi=no internet=no vpn.
  • Check if your domain controller allows UDP ports 1812 and 1813 throught the firewall. Adding the Network Policy and Access Services role and configuring a RADIUS client should automatically have entered these rules in the server’s firewall. They are called Network Policy Server (RADIUS Accounting – UDP-In) and Network Policy Server (RADIUS Authentication – UDP-In). Note that this is about the firewall on your domain controller, not pfSense’s firewall!
  • Change the cryptoapicert SUBJ
    Open C:\Program Files\OpenVPN\config\yourconfig.ovpn or C:\Program Files(x86)\OpenVPN\config\yourconfig.ovpn and change the line that says
    cryptoapicert "SUBJ:"
    cryptoapicert "pino"
    …replace pino by the user’s username. I may be mistaken but I think this helps specifying which certificate OpenVPN should use in case certificates have a naming conflict.


    1. Martin

      Very good tutorial! Do you know if it‘s possible to authenticate with Domain User Certificates. What I want do realize is to authenticate users to OpenVPN with there Smart Card Logon Certiticates.

      • Kapitein Vorkbaard

        Thanks :) I suppose it is possible (in the sense that it is not impossible) with RADIUS but it would really depend on the OpenVPN implementation in PfSense. I suggest you read up on OpenVPN documentation. The PfSense forum has some discussion on the matter but I’m not sure what the plans at Netgate are.

    2. Mehdi

      Nice Job ! I have one questions do you know if it’s possible to identify users who have the same common name but belong to different groups ??

    3. Robert Cotran

      Thanks so much for your tutorials. I’m about to go through a combination of this one and the 2FA one. I was wondering if you have an elegant solution for having users connect to the pfSense and download the OpenVPN client pre-configured with the proper configuration? This setup is replacing a Sophos implementation which has a small portal where users can download the client.

      Thanks again!

    4. julien

      thank you for this great post as Always,
      your old post contain a script to add behind the openvpn –connect something like this.
      i lost the script somehow, i need to have a bat file to connect the vpn and open remote desktop client when it connect.
      do you happen to have this script ?

      • Kapitein Vorkbaard

        I can’t remember ever having made something like this but I guess it wouldn’t be very difficult. Find out how to start the vpn connection from the command line, then find out how to start the remote desktop client from the command line (use mstsc) and put those in a .cmd file.

      • Kapitein Vorkbaard

        You need a bunch of ip addresses for the vpn internally which is handled by OpenVPN on PfSense. For the regular addresses (e.d. a host on your LAN) it doesn’t matter which device is the dhcp server.

    5. geepriest

      Followed your instructions….great tutorial by the way, however,
      I’m unable to connect…getting this message: TLS handshake failed
      Additionally, can you tell me what RADIUS NAS IP ATTRIBUTE is, its the last option in user manager/authentication server/RADIUS

      • Kapitein Vorkbaard

        Check your log files for more info. I suspect the certification process didn’t go completely right but it’s impossible to tell without more information.
        Sorry, can’t find the RADIUS NAS IP ATTRIBUTE; perhaps this is a recent change in PfSense.

    6. Roberto Cruz

      Hi Kap. Vorkbaard!

      Great tutorial, thank you for that, help me a lot!!!

      But, I need some help. I try Export Viscosity Bundle to a MAC OS, but the package didn’t work.

      When I click on the package, system returns message because impompatibility, the message says the version of the packege is for windows. In the pfsense> OpenVPN>client export I chose the Viscosity packet.

      Can you help me about this issue?

      Thank you for your support!!!

    7. Kapitein Vorkbaard

      Hi Roberto, I suggest you report this to the OpenPVN Export package maintainer. Meanwhile you can try exporting the generic configuration file and using that on your Mac OS installation.

    8. Pacific

      Hey, thanks for the guide.

      I have completed all the steps, but no matter what my fatar error occurs because it cannot load the certificate from Microsoft store.

      I have checked that certificate is indeed installed and I have renamed SUBJ to username.

    9. I am running PfSense 2.4.4-p3 and there is no client export option under VPN -> OpenVPN.

      What I see are Servers, Clients, CLient Specific Overrides and Wizards as options.


    10. Marcelo Lemos

      Bom dia! Parabéns pelo POST. Muito didático e fácil de implementar. Gostaria de Saber se tem alguma dica para fazer controle de acesso à internet sob o protocolo HTTPS.

    11. Oleg Ivanov

      Great article, thanks!

      But i have a problem with this configuration. I do all as you write. My NPS Radius grants access to user (i see this in NPS log), but in the OVPN server log i see ” Error during RADIUS authentication : No valid RADIUS responses received” and on the client “User authentication Failed”.

      Any suggestions?

    12. Pingback: 3 Steps to Pfsense VPN Server Setup, VPN to Home or Work

    13. Marisa Taber

      Greetings, I was just checking out your website and submitted this message via your “contact us” form. The contact page on your site sends you messages like this via email which is the reason you’re reading through my message right now right? That’s the most important accomplishment with any type of online ad, getting people to actually READ your ad and that’s exactly what I just accomplished with you! If you have an ad message you would like to blast out to millions of websites via their contact forms in the US or to any country worldwide let me know, I can even focus on your required niches and my costs are super reasonable. Send a message to:

    14. Narve Andreas Nordås

      Thank you for this great article.
      The only thing I needed to enable was the “Ignore user account dial-in properties” in the NPS Network policy. PfSense was not able to authenticate with RADIUS without the the setting,

    15. Pingback: pfSense: OpenVPN mit Benutzeranmeldung via Active Directory – Andy's Blog

    Leave a Reply

    Your email address will not be published. Required fields are marked *

    Back to Top