OpenVPN with FreeRadius 2FA

  • I am trying to download the openvpn package from the client export tab but I can not find my Free radius user's .openvpn configuration files. Here is my setup:

    1. Pfsense 2.4.4
    2. OpenVPN client export Installed from the packet manager
    3. FreeRadius3 installed from the packet manager
    4. I have successfully created a user with OTP enabled from within the Freeradius server (verified from Diagnostics-->Authentication)
    5. *I created a openvpn server tied to the database of my freeradius server from the OpenVPN Wizard/OPenVPN Remote Access Server Setup
      The settings are:
      Backend for Authentication - NAS2fa (freeradius server)
      Local port - 1194
      ::Cryptograhic Settings::
      -->Peer Certificate Authority--> FreeRadius CA
      -->Server certificate --> VPN Cert
      ^^ This is where I think I am messing up? I am not sure what CA I should be using for the Peer Certificate Authority
      I think its clear that the Server Certificate should be set to VPN certificate.

    What else do I need to configure when I create a new user in the Radius server, I can have my vpn configuration files assigned to the new user? Thanks for your time and help.

  • LAYER 8 Netgate

    The Peer Certificate Authority needs to be the Certificate Authority that creates and signs your peer certificates.

  • @w0lverine said in OpenVPN with FreeRadius 2FA:

    Peer Certificate Authority

    I have changed my OpenVPN server Peer certificate authority to Internal CA. But it still shows empty vpn client configuration profiles.OpenVPN_ Client Export Utility.png

    I feel like my mind is a little jumbled on how the new users of the radius server is authenticating from OpenVPN. This is how I view it:

    We create a user within FreeRadius-->The freeradius user is integrated within the openvpn server (Based on the backend authentication we selected in creating the openvpn server) --> VPN configuration profiles are created by the vpn server.

    But I feel like there is more going on between the freeradius user and openvpn because I can not seem to have the vpnserver create the free radius user's .openvpn configuration profiles. I think it might have something to do with the Certificates?

  • LAYER 8 Netgate

    You are using authentication only - no user certs. There will be just one configuration for everyone in that case. There are no users for the firewall to export for other than "all"

  • @Derelict That was what I was missing.. Thanks for the help.

Log in to reply