Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    OpenVPN with FreeRadius 2FA

    Scheduled Pinned Locked Moved OpenVPN
    5 Posts 2 Posters 1.0k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • W
      w0lverine
      last edited by

      I am trying to download the openvpn package from the client export tab but I can not find my Free radius user's .openvpn configuration files. Here is my setup:

      1. Pfsense 2.4.4
      2. OpenVPN client export Installed from the packet manager
      3. FreeRadius3 installed from the packet manager
      4. I have successfully created a user with OTP enabled from within the Freeradius server (verified from Diagnostics-->Authentication)
      5. *I created a openvpn server tied to the database of my freeradius server from the OpenVPN Wizard/OPenVPN Remote Access Server Setup
        The settings are:
        Backend for Authentication - NAS2fa (freeradius server)
        Local port - 1194
        ::Cryptograhic Settings::
        -->Peer Certificate Authority--> FreeRadius CA
        -->Server certificate --> VPN Cert
        ^^ This is where I think I am messing up? I am not sure what CA I should be using for the Peer Certificate Authority
        I think its clear that the Server Certificate should be set to VPN certificate.

      What else do I need to configure when I create a new user in the Radius server, I can have my vpn configuration files assigned to the new user? Thanks for your time and help.

      1 Reply Last reply Reply Quote 0
      • DerelictD
        Derelict LAYER 8 Netgate
        last edited by

        The Peer Certificate Authority needs to be the Certificate Authority that creates and signs your peer certificates.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        1 Reply Last reply Reply Quote 1
        • W
          w0lverine
          last edited by

          @w0lverine said in OpenVPN with FreeRadius 2FA:

          Peer Certificate Authority

          I have changed my OpenVPN server Peer certificate authority to Internal CA. But it still shows empty vpn client configuration profiles.OpenVPN_ Client Export Utility.png

          I feel like my mind is a little jumbled on how the new users of the radius server is authenticating from OpenVPN. This is how I view it:

          We create a user within FreeRadius-->The freeradius user is integrated within the openvpn server (Based on the backend authentication we selected in creating the openvpn server) --> VPN configuration profiles are created by the vpn server.

          But I feel like there is more going on between the freeradius user and openvpn because I can not seem to have the vpnserver create the free radius user's .openvpn configuration profiles. I think it might have something to do with the Certificates?

          1 Reply Last reply Reply Quote 0
          • DerelictD
            Derelict LAYER 8 Netgate
            last edited by

            You are using authentication only - no user certs. There will be just one configuration for everyone in that case. There are no users for the firewall to export for other than "all"

            Chattanooga, Tennessee, USA
            A comprehensive network diagram is worth 10,000 words and 15 conference calls.
            DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
            Do Not Chat For Help! NO_WAN_EGRESS(TM)

            W 1 Reply Last reply Reply Quote 0
            • W
              w0lverine @Derelict
              last edited by

              @Derelict That was what I was missing.. Thanks for the help.

              1 Reply Last reply Reply Quote 0
              • First post
                Last post
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.