OpenVPN + certificate + TOTP

  • Good day,

    Fairly new to pfSense, I'm figuring out how to enable VPN access utilizing both certificate and TOTP.

    For this I first verified that OpenVPN works with the default authentication back-end. I installed the openvpn export package, so a '.ovpn' could be created for the specific user. This contained the user's certificate. Worked like a charm.

    Then I installed the freeradius3 package, which supports the Google Authenticator TOTP method. This appears to add another authentication backend, which I had to select at the OpenVPN server. Doing so nullifies the usage of the previously created certificate, leaving the VPN using only password + TOTP, but no longer certificate verification.

    To prove the assumption, I deleted the client certificate in pfSense and the VPN still worked (wrong verification done here? Is the certificate ONLY verified against the CA that signed it?).

    As it appears, the user backend for RADIUS has no relation to the internal backend, but I'd gladly be informed otherwise.

    If my assumption IS true, is there a way to have them both which I'm missing?

    Thanks for any help (or at least some clarification/hints) that helps me achieve my goal.


  • @rhoekstra please let me know if you found any news on this. I'm looking into setting up the same thing. Do you have any good resources/links you used during the process?

  • @Raffi_ Well, I figured out that when I change the CA for the OpenVPN server, my VPN client is unable to establish a connection, unless I create a certificate under that CA and export that as an ovpn profile.

    When imported on the client, it does establish a connection. So basically, my strong assumption is:

    • In the CA manager you need to create a user certificate; this enables the OpenVPN package to export an ovpn profile.
    • The OpenVPN profile is separate from the user authenticating. If OpenVPN is just verifying the issuer of the user certificate, you technically only need one cert for a profile, and all users can reuse that (less secure, but just making my point). It's up to the RADIUS user database for all users to be able to authenticate. (Only works when 'Strict user-CN matching' is off.)

    Better security would also be more work: issue a certificate per user and export an ovpn profile for that user. Only then create that user (username + PIN + TOTP secret) in the RADIUS configuration. Technically the ovpn profile and the RADIUS user are not related. (Strict user-CN matching can be used when the username and the cert CN are the same, binding the cert to the user.)

    Does this make any sense?
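    An added example to go with the two questions in this thread (does deleting the server's copy of a client cert stop it, and is the cert "only verified against the CA that signed it"; and what 'Strict user-CN matching' actually binds). This is not code from the thread or from pfSense: it builds a throwaway CA with openssl in a temp directory, using made-up names (Lab VPN CA, alice, bob) and a made-up minimal openssl.cnf, and shows that a client cert stays valid as long as it chains to the trusted CA, regardless of what the server has on disk, until a CRL says otherwise. The CN-to-username check mirrors the binding that strict matching adds; OpenVPN exports the peer's certificate CN to auth scripts as $common_name and the login as $username, and here both are passed as arguments.

```shell
#!/bin/sh
# Added example, not from the thread or from pfSense. Lab names and layout are made up.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CA="$WORK/ca"

# Throwaway CA with just enough config for `openssl ca` to sign, keep an index, and emit a CRL.
make_ca() {
    mkdir -p "$CA"
    : > "$CA/index.txt"
    echo 1000 > "$CA/serial"
    echo 1000 > "$CA/crlnumber"
    cat > "$CA/openssl.cnf" <<EOF
[ ca ]
default_ca         = lab
[ lab ]
dir                = $CA
database           = \$dir/index.txt
new_certs_dir      = \$dir
serial             = \$dir/serial
crlnumber          = \$dir/crlnumber
certificate        = \$dir/ca.crt
private_key        = \$dir/ca.key
default_md         = sha256
default_days       = 365
default_crl_days   = 30
policy             = lab_policy
x509_extensions    = v3_client
[ lab_policy ]
commonName         = supplied
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints       = critical, CA:TRUE
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash
[ v3_client ]
basicConstraints       = CA:FALSE
keyUsage               = digitalSignature
extendedKeyUsage       = clientAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -config "$CA/openssl.cnf" \
        -subj "/CN=Lab VPN CA" -keyout "$CA/ca.key" -out "$CA/ca.crt" 2>/dev/null
    # Start with an empty CRL so the "with CRL" check is meaningful before any revocation.
    openssl ca -config "$CA/openssl.cnf" -gencrl -out "$CA/crl.pem" 2>/dev/null
}

# Issue a per-user client cert: $WORK/<cn>.key and $WORK/<cn>.crt (the client's copy).
issue_client() {
    openssl req -new -newkey rsa:2048 -nodes -config "$CA/openssl.cnf" \
        -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
    openssl ca -batch -notext -config "$CA/openssl.cnf" \
        -in "$WORK/$1.csr" -out "$WORK/$1.crt" 2>/dev/null
}

# Revoke <cn> and publish a fresh CRL; this, not deleting a file, is what stops a cert.
revoke_client() {
    openssl ca -config "$CA/openssl.cnf" -revoke "$WORK/$1.crt" 2>/dev/null
    openssl ca -config "$CA/openssl.cnf" -gencrl -out "$CA/crl.pem" 2>/dev/null
}

# What the server does with only a trusted CA: chain the presented cert to it.
chain_ok() { openssl verify -CAfile "$CA/ca.crt" "$1" >/dev/null 2>&1; }

# Same chain check plus a CRL lookup (what OpenVPN's crl-verify adds).
chain_ok_with_crl() {
    openssl verify -crl_check -CAfile "$CA/ca.crt" -CRLfile "$CA/crl.pem" "$1" >/dev/null 2>&1
}

# CN of the cert's subject, as a server would see it in $common_name.
cert_cn() {
    openssl x509 -noout -subject -nameopt RFC2253 -in "$1" | sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p'
}

# The binding strict user-CN matching enforces: login name must equal the presented cert's CN.
cn_bound_to_user() { [ -n "$1" ] && [ "$1" = "$2" ]; }

demo() {
    make_ca
    issue_client alice
    chain_ok "$WORK/alice.crt" && echo "alice.crt chains to the CA: accepted"
    rm -f "$CA/1000.pem"   # delete the CA's stored copy, as the first post did in the GUI
    chain_ok "$WORK/alice.crt" && echo "still accepted: the client presents its own copy"
    cn_bound_to_user "$(cert_cn "$WORK/alice.crt")" alice && echo "CN alice + login alice: bound"
    cn_bound_to_user "$(cert_cn "$WORK/alice.crt")" bob || echo "CN alice + login bob: rejected"
    revoke_client alice
    chain_ok "$WORK/alice.crt" && echo "revoked, server without CRL: still accepted"
    chain_ok_with_crl "$WORK/alice.crt" || echo "revoked, server with CRL: rejected"
}
demo
```

    The takeaway for the OpenVPN side: with only a `ca` configured, any cert that chains to that CA is accepted, so deleting a cert from the server's certificate store changes nothing; the cert must be revoked and the server pointed at the resulting CRL (OpenVPN's `crl-verify`, which pfSense exposes as a CRL selection on the server) before it is refused. Whether the cert and the RADIUS login belong to the same person is a separate check, which is the gap strict user-CN matching closes.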

  • @rhoekstra thank you very much for the info. It does make sense. I follow most of it :)
    I currently already have an ovpn setup which requires a unique cert per user. As you said, it is more work, but I prefer this since I do have users who travel. If a user cert is compromised, I can revoke that specific cert and it won't affect other users. I have more homework to do on the RADIUS part. I have not configured that yet.

    Thanks again.
