    Automate creating certificates / exporting OpenVPN clients

ttblum:

      Hello,

      I would like to use LDAP to authenticate my OpenVPN users against my Windows domain controller.

      I have several hundred Active Directory users. Is there a way to automate creating the certificates for each user? Also is there a way to automate exporting the OpenVPN client packages for each user?

martin.k:

        Hi ttblum,

        Can you describe what you would expect for automation? I have a solution but not sure if you would consider it automated.

        Martin

ttblum:

          Yes, I'd like to have pfSense user certificates generated automatically for each user in Active Directory.

          I'd also like to end up with a folder containing the OpenVPN install packages for each user.

          Just curious, if I wanted to is it possible to have the OpenVPN users share the same user certificate, but still authenticate against Active Directory?

jimp (Rebel Alliance Developer, Netgate):

            At the moment there is no automated way to generate certificates or export packages.

            You can disable the user certificate requirement if that is what you want, so it only uses authentication (plus a TLS key, which you should have enabled). That is better than trying to make everyone share a single certificate.

            To do this, change the Server mode drop-down from Remote Access (SSL/TLS + User Auth) to Remote Access (User Auth). And make sure you have TLS key enabled. Then when you export, since there is no per-user configuration needed, you get a single installer package which everyone can use.

Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

            Need help fast? Netgate Global Support!

            Do not Chat/PM for help!

martin.k:

Unfortunately I do not think the setup we use would fit that description. We have a Linux host on which we have installed Easy-RSA. We have set up a base config file we use when generating new user keys. When configuring a new user we SSH into the Linux host and generate the keys and config and zip the files. We then copy the zip file to the user's computer that needs VPN access and configure either the OpenVPN client for Windows or Tunnelblick for Mac. The OpenVPN setup on the pfSense is configured for backend auth pointed to our AD. So... not really automated, but it works well for us. I can go into more detail if you are interested.

ttblum:
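The Easy-RSA workflow martin.k describes, scripted as an added example (not code from the thread, from Netgate, or from martin.k): it issues one client certificate per AD username, renders an inline .ovpn from a shared base config, and zips each bundle. The Easy-RSA directory, the base config path, the users file and the `ta.key` location are assumptions; keeping one certificate per user is what lets a single account be revoked later through the CRL without touching anyone else.

```shell
#!/bin/sh
# Added example (not from the thread): per-user OpenVPN client bundles built on
# an Easy-RSA host, following the workflow martin.k describes. Hypothetical
# paths: EASYRSA_DIR holds an initialised PKI with ca.crt and a ta.key,
# BASE_CONF is the shared client config without inline key material.
EASYRSA_DIR="${EASYRSA_DIR:-/etc/easy-rsa}"
BASE_CONF="${BASE_CONF:-/etc/easy-rsa/base-client.conf}"
OUT_DIR="${OUT_DIR:-/var/vpn-bundles}"

# Accept only plain usernames: the name becomes a cert CN and a file path.
valid_user() { case "$1" in ''|*[!A-Za-z0-9._-]*) return 1 ;; esac; return 0; }

# Issue one client certificate with Easy-RSA (the AD password is still
# required by the server, so the key itself is left unencrypted).
issue_cert() {
    ( cd "$EASYRSA_DIR" && ./easyrsa --batch build-client-full "$1" nopass )
}

# Assemble a single-file .ovpn: base config plus inline <ca>, <cert>, <key>
# and <tls-auth>. Args: base conf, ca, cert, key, tls key, output file.
render_ovpn() {
    {
        cat "$1"
        printf '<ca>\n'; cat "$2"; printf '</ca>\n'
        printf '<cert>\n'; cat "$3"; printf '</cert>\n'
        printf '<key>\n'; cat "$4"; printf '</key>\n'
        printf 'key-direction 1\n<tls-auth>\n'; cat "$5"; printf '</tls-auth>\n'
    } > "$6"
    chmod 600 "$6"   # the bundle contains a private key
}

# Build one zip per user from a file with one AD username per line.
# Usage: build_all users.txt
build_all() {
    mkdir -p "$OUT_DIR"
    while IFS= read -r user; do
        valid_user "$user" || { echo "skipping bad name: $user" >&2; continue; }
        issue_cert "$user" || { echo "cert failed: $user" >&2; continue; }
        p="$EASYRSA_DIR/pki"
        render_ovpn "$BASE_CONF" "$p/ca.crt" "$p/issued/$user.crt" \
            "$p/private/$user.key" "$EASYRSA_DIR/ta.key" "$OUT_DIR/$user.ovpn"
        ( cd "$OUT_DIR" && zip -q -j "$user.zip" "$user.ovpn" && rm -f "$user.ovpn" )
    done < "$1"
}
```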

                Ok.

                Do any other types of 2-factor authentication work with OpenVPN, such as OTP token, Azure MFA, Microsoft Authenticator app, etc?

jimp (Rebel Alliance Developer, Netgate):

                  That's up to your authentication server, not OpenVPN.

                  Some things like Google Authenticator can easily integrate into RADIUS to be used in place of a password (pin+code = password when logging in), I'm not sure of any that work with an OOB step in between, but again that's entirely up to the auth server.

                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.