OpenVPN with FreeRadius 2FA
-
I am trying to download the OpenVPN package from the client export tab, but I cannot find my FreeRadius user's .openvpn configuration files. Here is my setup:
- pfSense 2.4.4
- OpenVPN client export installed from the package manager
- FreeRadius3 installed from the package manager
- I have successfully created a user with OTP enabled from within the FreeRadius server (verified from Diagnostics-->Authentication)
- I created an OpenVPN server tied to the database of my FreeRadius server from the OpenVPN Wizard/OpenVPN Remote Access Server Setup
The settings are:
Backend for Authentication - NAS2fa (freeradius server)
Local port - 1194
::Cryptographic Settings::
-->Peer Certificate Authority--> FreeRadius CA
-->Server certificate --> VPN Cert
^^ This is where I think I am messing up? I am not sure what CA I should be using for the Peer Certificate Authority
I think it's clear that the Server Certificate should be set to VPN certificate.
What else do I need to configure so that, when I create a new user in the Radius server, I can have my VPN configuration files assigned to the new user? Thanks for your time and help.
-
The Peer Certificate Authority needs to be the Certificate Authority that creates and signs your peer certificates.
-
@w0lverine said in OpenVPN with FreeRadius 2FA:
Peer Certificate Authority
I have changed my OpenVPN server Peer Certificate Authority to Internal CA. But it still shows empty VPN client configuration profiles.
I feel like my mind is a little jumbled on how the new users of the Radius server are authenticating from OpenVPN. This is how I view it:
We create a user within FreeRadius --> The FreeRadius user is integrated within the OpenVPN server (based on the backend authentication we selected in creating the OpenVPN server) --> VPN configuration profiles are created by the VPN server.
But I feel like there is more going on between the FreeRadius user and OpenVPN because I cannot seem to have the VPN server create the FreeRadius user's .openvpn configuration profiles. I think it might have something to do with the certificates?
-
You are using authentication only - no user certs. There will be just one configuration for everyone in that case. There are no users for the firewall to export for other than "all".
-
@Derelict That was what I was missing. Thanks for the help.