Netgate Discussion Forum

Automate creating certificates / exporting OpenVPN clients

    ttblum
    last edited by Nov 5, 2019, 9:43 PM

    Hello,

    I would like to use LDAP to authenticate my OpenVPN users against my Windows domain controller.

    I have several hundred Active Directory users. Is there a way to automate creating the certificates for each user? Also is there a way to automate exporting the OpenVPN client packages for each user?

      martin.k
      last edited by Nov 7, 2019, 10:38 PM

      Hi ttblum,

      Can you describe what you would expect for automation? I have a solution but not sure if you would consider it automated.

      Martin

        ttblum
last edited by ttblum Nov 8, 2019, 3:46 AM

        Yes, I'd like to have pfSense user certificates generated automatically for each user in Active Directory.

        I'd also like to end up with a folder containing the OpenVPN install packages for each user.

        Just curious, if I wanted to is it possible to have the OpenVPN users share the same user certificate, but still authenticate against Active Directory?

          jimp Rebel Alliance Developer Netgate
          last edited by Nov 8, 2019, 1:30 PM

          At the moment there is no automated way to generate certificates or export packages.

          You can disable the user certificate requirement if that is what you want, so it only uses authentication (plus a TLS key, which you should have enabled). That is better than trying to make everyone share a single certificate.

          To do this, change the Server mode drop-down from Remote Access (SSL/TLS + User Auth) to Remote Access (User Auth). And make sure you have TLS key enabled. Then when you export, since there is no per-user configuration needed, you get a single installer package which everyone can use.

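The server-side shape jimp is describing, written out as an added example rather than anything pfSense generates or jimp posted: pfSense writes its own server config, so the directives below are the hand-written OpenVPN equivalents I assume the "Remote Access (User Auth)" mode maps to (`verify-client-cert none` for the dropped certificate requirement, `tls-crypt` for the TLS key, `auth-user-pass-verify` for the AD-backed login). The file paths, the `ldap-auth.sh` script name and the two sample configs are constructed for illustration. The `check_server_conf` function is the check I would run on such a file before exposing it: if client certificates are not required, refuse the config unless both a control-channel key and a username/password backend are present, which is exactly the "make sure you have TLS key enabled" caveat above.

```shell
#!/bin/sh
# Added example, not pfSense's generated config and not from the thread.
set -eu

# Weak shape: certificate check disabled, AD auth in place, but the TLS key
# was forgotten. Anyone who can reach UDP/1194 can complete a TLS handshake
# and start guessing passwords. (Paths are hypothetical.)
weak_server_conf() {
    cat <<'EOF'
port 1194
proto udp
dev tun
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
dh /etc/openvpn/dh.pem
server 10.8.0.0 255.255.255.0
verify-client-cert none
auth-user-pass-verify /etc/openvpn/ldap-auth.sh via-env
script-security 2
EOF
}

# Hardened shape: same mode, but tls-crypt gates the control channel, so
# only holders of the shared static key can even reach the auth step.
# Every login is then checked against AD by the (hypothetical) auth script.
hardened_server_conf() {
    cat <<'EOF'
port 1194
proto udp
dev tun
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
dh /etc/openvpn/dh.pem
server 10.8.0.0 255.255.255.0
verify-client-cert none
tls-crypt /etc/openvpn/tc.key
auth-user-pass-verify /etc/openvpn/ldap-auth.sh via-env
script-security 2
username-as-common-name
EOF
}

# Read a server config from stdin. Returns 0 when it is acceptable, 1 when
# client certs are not required and either the TLS key or the user-auth
# backend is missing. Configs that still require client certs pass as-is.
check_server_conf() {
    conf=$(cat)
    has() { printf '%s\n' "$conf" | grep -Eq "$1"; }
    ok=0
    if has '^(verify-client-cert none|client-cert-not-required)'; then
        if ! has '^(tls-auth|tls-crypt|tls-crypt-v2) |^<tls-crypt>|^<tls-auth>'; then
            echo 'FAIL: client certs not required and no tls-auth/tls-crypt key' >&2
            ok=1
        fi
        if ! has '^(auth-user-pass-verify|plugin) '; then
            echo 'FAIL: client certs not required and no user auth backend' >&2
            ok=1
        fi
    fi
    return $ok
}
```

Run it against a real server config with `check_server_conf < /path/to/server.conf`; the weak sample above fails on the missing key, the hardened one passes.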
            martin.k
            last edited by Nov 8, 2019, 5:22 PM

Unfortunately I do not think the setup we use would fit that description. We have a Linux host on which we have installed Easy-RSA. We have set up a base config file we use when generating new user keys. When configuring a new user we SSH into the Linux host and generate the keys and config and zip the files. We then copy the zip file to the user's computer that needs VPN access and configure either OpenVPN client for Windows or Tunnelblick for Mac. The OpenVPN setup on the pfSense is configured for backend auth pointed to our AD. So... not really automated, but works well for us. I can go into more detail if you are interested.

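The per-user Easy-RSA workflow above, turned into a batch script as an added example (this is not martin.k's script and not a pfSense feature). It assumes an Easy-RSA 3 PKI at `$EASYRSA_PKI` whose CA is the one the pfSense server trusts, a `tc.key` tls-crypt key in that directory, a server at `vpn.example.com:1194`, and a `users.txt` with one AD account name per line; all of those names are assumptions. It issues a client certificate per user, inlines CA, certificate, key and tls-crypt key into a single `.ovpn` on top of the shared base config, and packages each user's profile as a tarball. The profile keeps `auth-user-pass`, so the certificate alone is not enough to connect: the AD password is still checked by the server's backend auth.

```shell
#!/bin/sh
# Added example: batch-issue Easy-RSA client certs and build one inline
# .ovpn per AD user. Not the poster's script. Paths/hostnames are assumed.
set -eu

EASYRSA_PKI="${EASYRSA_PKI:-/etc/openvpn/easy-rsa/pki}"   # assumed PKI path
OUT_DIR="${OUT_DIR:-./clients}"

# Base client config shared by every user (server name/port are assumptions).
base_config() {
    cat <<'EOF'
client
dev tun
proto udp
remote vpn.example.com 1194
nobind
persist-key
persist-tun
remote-cert-tls server
auth-user-pass
verb 3
EOF
}

# Issue a client cert with Easy-RSA 3. 'nopass' because the AD password is
# the second factor; the key is protected by the user's machine, not a
# passphrase. Creates pki/issued/<user>.crt and pki/private/<user>.key.
issue_client_cert() {
    user="$1"
    easyrsa --batch --pki-dir="$EASYRSA_PKI" build-client-full "$user" nopass
}

# Emit a single-file profile: base config plus inline CA, cert, key and
# tls-crypt key. Arguments: ca.crt client.crt client.key tc.key
make_profile() {
    ca="$1"; crt="$2"; key="$3"; tc="$4"
    base_config
    for pair in "ca:$ca" "cert:$crt" "key:$key" "tls-crypt:$tc"; do
        tag="${pair%%:*}"; file="${pair#*:}"
        printf '<%s>\n' "$tag"
        # Easy-RSA issued .crt files may carry an openssl text dump before
        # the PEM block; OpenVPN only wants the PEM, so keep just that.
        sed -n '/-----BEGIN/,/-----END/p' "$file"
        printf '</%s>\n' "$tag"
    done
}

# Write <user>/<user>.ovpn under $OUT_DIR and pack it as <user>.tar.gz.
# Prints the tarball path. The profile holds a private key, hence 0600.
package_user() {
    user="$1"; ca="$2"; crt="$3"; key="$4"; tc="$5"
    mkdir -p "$OUT_DIR/$user"
    make_profile "$ca" "$crt" "$key" "$tc" > "$OUT_DIR/$user/$user.ovpn"
    chmod 600 "$OUT_DIR/$user/$user.ovpn"
    tar -C "$OUT_DIR" -czf "$OUT_DIR/$user.tar.gz" "$user"
    printf '%s\n' "$OUT_DIR/$user.tar.gz"
}

# Loop over a users file (one account name per line) exported from AD.
main() {
    users_file="$1"
    while IFS= read -r user; do
        [ -n "$user" ] || continue
        issue_client_cert "$user"
        package_user "$user" "$EASYRSA_PKI/ca.crt" \
            "$EASYRSA_PKI/issued/$user.crt" \
            "$EASYRSA_PKI/private/$user.key" \
            "$EASYRSA_PKI/tc.key"
    done < "$users_file"
}

# Only run the batch when invoked as: sh make_clients.sh users.txt
if [ $# -eq 1 ]; then main "$1"; fi
```

Hand the tarballs out over a channel the user has already authenticated to, and remember that revoking a user still means revoking the certificate in Easy-RSA and publishing the CRL to the server; disabling the AD account alone only blocks the password step.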
              ttblum
              last edited by Nov 8, 2019, 8:58 PM

              Ok.

              Do any other types of 2-factor authentication work with OpenVPN, such as OTP token, Azure MFA, Microsoft Authenticator app, etc?

                jimp Rebel Alliance Developer Netgate
                last edited by Nov 8, 2019, 9:09 PM

                That's up to your authentication server, not OpenVPN.

                Some things like Google Authenticator can easily integrate into RADIUS to be used in place of a password (pin+code = password when logging in), I'm not sure of any that work with an OOB step in between, but again that's entirely up to the auth server.

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.