Netgate Discussion Forum
    A (very) short HOWTO: pfSense 2, OpenVPN, RADIUS, Windows Server with Certificates

      unguzov

      Simple and working solution with these goals:

      1. Certificate based OpenVPN connection
      2. Windows Active Directory based authentication (based on group membership and personal user certificate)

      Windows Server: 192.168.111.10
      Windows AD Domain: monster.local
      pfSense: 192.168.111.1
      pfSense host: monster.mydomain.com

      Windows Server tasks:

      Source: http://blog.stefcho.eu/?p=545

      1. Server Manager - Roles - Add - Network Policy and Access Services - select only Network Policy Server.

      2. Network Policy Server - RADIUS Clients and Servers - RADIUS Clients - New RADIUS Client:
      Friendly name: pfSense
      Address (IP or DNS): 192.168.111.1
      Shared Secret: [long and secure key]

      3. Network Policy Server - Policies - Network Policies - New Network Policy:
      Policy Name: Allow pfSense
      [Next]
      Conditions: Add... Client Friendly Name - Add... pfSense
      Conditions: Add... Windows Groups - Add Groups... vpnusers
      [Next]
      Access Granted
      [Next]
      Check Unencrypted authentication (PAP, SPAP)

      4. Server Manager - Features - Add Features - WINS Server

      5. Windows Server Firewall:

      • Allow ports UDP 1812 and UDP 1813

      pfSense tasks:

      1. Select a new TCP port for the web administration GUI; do not use 443 (the OpenVPN server will listen there)

      2. System - Cert Manager - CAs
      Add new
      Descriptive name: Monster VPN
      Method: Create an internal Certificate Authority
      Common Name: monster-ca
      [Save]

      3. System - Cert Manager - Certificates

      Add new
      Method: Create an internal Certificate
      Descriptive name: monster-mydomain-com
      Certificate authority: Monster VPN
      Common Name: monster.mydomain.com

      For each Active Directory user:

      Add new
      Method: Create an internal Certificate
      Descriptive name: userX
      Certificate authority: Monster VPN
      Common Name: userX

      4. System - Cert Manager - Certificate Revocation
      Monster VPN - Add new
      Method: Create an internal Certificate Revocation List
      Descriptive name: Monster VPN Revocation
      Certificate Authority: Monster VPN

      5. System - User Manager - Servers
      Add new
      Descriptive name: RADIUS
      Type: Radius
      Hostname or IP address: 192.168.111.10 (Windows server IP)
      Shared Secret: [long and secure key used in Windows Network Policy Server]
      Service offered: Authentication and Accounting
      Authentication port value: 1812
      Accounting port value: 1813
      [Save]

      6. VPN - OpenVPN - Server
      Add new
      Server Mode: Remote Access (SSL/TLS + User Auth)
      Backend for authentication: RADIUS
      Protocol: TCP
      Device Mode: tun
      Interface: any
      Local port: 443
      Description: Monster OpenVPN Server
      Peer Certificate Authority: Monster VPN
      Peer Certificate Revocation List: Monster VPN Revocation
      Server Certificate: monster-mydomain-com
      Tunnel Network: 10.124.124.0/24
      Local Network: 192.168.111.0/24
      DNS Default Domain: monster.local
      DNS Servers: 192.168.111.10
      NetBIOS Options: Enable NetBIOS over TCP/IP
      WINS Servers: 192.168.111.10
      Advanced: port-share 192.168.111.10 443 (only if services on the Windows server already use port 443)

      7. System - Package Manager - install OpenVPN Client Export Utility

      8. VPN - OpenVPN - Client Export
      Remote Access Server: Monster OpenVPN Server TCP:443
      Host Name Resolution: Other, monster.mydomain.com
      Certificate Export Options:
      • Use Microsoft Certificate Storage instead of local files.
      • Use a password to protect the pkcs12 file contents.

      For the certificate named userX click Configuration Archive, save fw-userX-TCP-443-config.zip, then in fw-userX-TCP-443-config.ovpn change:

      cryptoapicert "SUBJ:" to
      cryptoapicert "SUBJ:userX"

      On Windows Workstation:

      1. Download and install latest OpenVPN client
      2. Copy the files from fw-userX-TCP-443-config.zip into the OpenVPN config folder
      3. Install fw-userX-TCP-443-ca.crt into Trusted Root Certification Authorities
      4. Install fw-userX-TCP-443.p12 into the user's profile and DELETE the file.
      5. Connect!
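      As an added check for step 8 and the workstation steps (example code, not part of the original post): a Python script that verifies an exported client profile matches the settings above (remote host and port, auth-user-pass for the RADIUS stage, certificate taken from the Windows store) and applies the cryptoapicert edit. The sample profile text, the function names and the exact directive set it checks are assumptions.

```python
import re

# Constructed sample modelled on the profile the Client Export utility writes
# with the HOWTO's settings; it is not a real pfSense export.
SAMPLE_OVPN = """\
client
remote monster.mydomain.com 443 tcp
auth-user-pass
ca fw-userX-TCP-443-ca.crt
cryptoapicert "SUBJ:"
"""

def directives(text):
    """Parse 'name args...' lines into {name: [args]}; comments are skipped."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", ";")):
            name, *args = line.split()
            out[name] = args
    return out

def pin_cryptoapicert(text, user):
    """Rewrite the empty SUBJ: selector to SUBJ:<user>, refusing to clobber a
    line that is already pinned to a different subject."""
    pat = re.compile(r'^cryptoapicert\s+"SUBJ:([^"]*)"[ \t]*$', re.M)
    found = pat.findall(text)
    if len(found) != 1:
        raise ValueError("expected exactly one cryptoapicert SUBJ: line")
    if found[0] not in ("", user):
        raise ValueError(f"profile already pinned to SUBJ:{found[0]}")
    return pat.sub(f'cryptoapicert "SUBJ:{user}"', text)

def profile_problems(text, user, host="monster.mydomain.com", port="443"):
    """Return the problems found in a client profile (empty list = OK)."""
    d, problems = directives(text), []
    if d.get("remote") != [host, port, "tcp"]:
        problems.append(f"remote must be '{host} {port} tcp'")
    if "auth-user-pass" not in d:
        problems.append("auth-user-pass missing (needed for the RADIUS stage)")
    if d.get("cryptoapicert") != [f'"SUBJ:{user}"']:
        problems.append(f"cryptoapicert must select SUBJ:{user}")
    for f in ("pkcs12", "cert", "key"):
        if f in d:  # the user cert must come from the Windows store, not a file
            problems.append(f"{f} directive present")
    return problems
```

Run profile_problems on the .ovpn text before handing the archive to the user; an empty list means the profile matches the HOWTO's settings.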

      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.