Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    OpenVPN + certificate + TOTP

    OpenVPN
    2
    4
    1.0k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • R
      rhoekstra
      last edited by

      Good day,

      Fairly new to pfSense, I'm figuring out how to enable VPN access utilizing both certificate and TOTP.

      For this I first verified working of OpenVPN with the default authentication back-end. I installed the openvpn export package, so a '.ovpn' could be created for the specific user. This contained its certificate. Worked like a charm.

      Then I installed the freeradius3 package which supports the Google Authenticator TOTP method. This appears to add another authentication backend, which I had to select at the openvpn server. Doing so, nullifies the usage of the previously created certificate, rendering the vpn to use only password + totp, but no longer certificate verification.

      To prove the assumption, I deleted the client certificate in pfSense and the vpn still worked (wrong verification done here? is certificate ONLY verified against the CA that signed it?).

      As it appears, the user backend for radius has no relation to the internal backend, but I'm gladly informed otherwise.

      If my assumption IS true, is there a way to have them both which I'm missing?

      Thanks for any help (or at least some clarification/hints) that helps me achieving my goal,

      Robert

      1 Reply Last reply Reply Quote 0
      • Raffi_R
        Raffi_
        last edited by

        @rhoekstra please let me know if you found any news on this. I'm looking into setting up the same thing. Do you have any good resources/links you used during the process?

        1 Reply Last reply Reply Quote 0
        • R
          rhoekstra
          last edited by rhoekstra

          @Raffi_ Well, I figured when I change CA for the openvpn server, my vpn client is unable to establish connection, unless I create a certificate under that CA and export that as an ovpn profile.

          When imported on client, it does establish a connection. so basically, my strong assumption is:

          • in CA manager you need to create a user certificate - this enables openvpn package to export to ovpn profile.
          • the openvpn profile is separate to the user authenticating. if openvpn is just verifying the issuer of the user certificate, you technically only need one cert for a profile, and all users can reuse that (less secure, but just making my point). it's up to the radius user database for all users to be able to authenticate. (Only works when 'Strict user-CN matching' is off)

          Better security would be also more work, to issue a certificate per user and export an ovpn profile for that user. Only then create that user username+pin+TOTP secret in the radius configuration. Technically the ovpn profile and the radius user are not related. (strict user-CN matching can be used when username and cert CN are same, binding cert to user)

          Does this make any sense?

          1 Reply Last reply Reply Quote 0
          • Raffi_R
            Raffi_
            last edited by

            @rhoekstra thank you very much for the info. It does makes sense. I follow most of it :)
            I currently already have an ovpn setup which requires a unique cert per user. As you said it is more work, but I prefer this since I do have users which travel. If a user cert is compromised, I can revoke that specific cert and it won't affect other users. I have more homework to do on the radius part. I have not configured that yet.

            Thanks again.
            Raffi

            1 Reply Last reply Reply Quote 0
            • First post
              Last post
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.