OpenVPN Clients -> Captive Portal
-
My VPN clients connect into OpenVPN for everything (LAN+Internet); however, I would like to authenticate them via captive portal before allowing them "on" the network - is this possible? If so, how?
-
No, Captive Portal happens at Layer 2, and even if you run OpenVPN in tap mode so you'd actually get layer 2 info, its GUI doesn't have a way to tie into the OpenVPN interface.
There is a ticket open I believe to expand the function in the future so it will work at layer 3 and above so it could be used on any interface, but that isn't possible yet.
Though if you set up OpenVPN to use user+pass auth, there isn't much point in making them log in again through a portal.
-
Thanks - I figured so I managed a bit of a workaround -
ovpn Client -> pfsense (load balance) -> debian ovpn instance -> pfsense captiva -> lan/internet
This worked… and it's all on a single VM machine.
Why the madness? We can do more flexible pre-authentication things w/ captiva than w/ radius.