Automate creating certificates / exporting OpenVPN clients



  • Hello,

    I would like to use LDAP to authenticate my OpenVPN users against my Windows domain controller.

    I have several hundred Active Directory users. Is there a way to automate creating the certificates for each user? Also, is there a way to automate exporting the OpenVPN client packages for each user?



  • Hi ttblum,

    Can you describe what you would expect for automation? I have a solution but not sure if you would consider it automated.

    Martin



  • Yes, I'd like to have pfSense user certificates generated automatically for each user in Active Directory.

    I'd also like to end up with a folder containing the OpenVPN install packages for each user.

    Just curious: if I wanted to, is it possible to have the OpenVPN users share the same user certificate but still authenticate against Active Directory?


  • Rebel Alliance Developer Netgate

    At the moment there is no automated way to generate certificates or export packages.

    You can disable the user certificate requirement if that is what you want, so it only uses authentication (plus a TLS key, which you should have enabled). That is better than trying to make everyone share a single certificate.

    To do this, change the Server mode drop-down from Remote Access (SSL/TLS + User Auth) to Remote Access (User Auth). And make sure you have TLS key enabled. Then when you export, since there is no per-user configuration needed, you get a single installer package which everyone can use.



  • Unfortunately I do not think the setup we use would fit that description. We have a Linux host on which we have installed EASY-RSA. We have set up a base config file we use when generating new user keys. When configuring a new user we SSH into the Linux host and generate the keys and config and zip the files. We then copy the zip file to the computer of the user that needs VPN access and configure either the OpenVPN client for Windows or Tunnelblick for Mac. The OpenVPN setup on the pfSense is configured for backend auth pointed to our AD. So... not really automated, but it works well for us. I can go into more detail if you are interested.
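Putting the Easy-RSA approach above and the developer's single-package option side by side, here is an added example (not code from the thread, pfSense or Easy-RSA) that assembles inline .ovpn profiles: one file per user from an Easy-RSA 3 PKI directory, or a single shared profile for Remote Access (User Auth) mode that carries no per-user material. The server name and port, the Easy-RSA path layout and the use of tls-auth (rather than tls-crypt) are assumptions.

```python
from pathlib import Path
from typing import Iterable, Optional

# Placeholder endpoint (assumption, not a value from the thread); tls-auth assumed for the TLS key.
SERVER_HOST = "vpn.example.invalid"
SERVER_PORT = 1194

BASE_CONFIG = """client
dev tun
proto udp
remote {host} {port}
remote-cert-tls server
auth-user-pass
key-direction 1
verb 3
"""

def inline_block(tag: str, pem: str) -> str:
    """Embed a PEM or key file as an inline <tag>...</tag> section of the profile."""
    return f"<{tag}>\n{pem.strip()}\n</{tag}>\n"

def build_profile(ca_pem: str, ta_key: str,
                  cert_pem: Optional[str] = None, key_pem: Optional[str] = None) -> str:
    """Per-user profile (SSL/TLS + User Auth) when cert/key are given; otherwise the
    single shared profile for User Auth mode, which still pins the CA and tls-auth key."""
    if (cert_pem is None) != (key_pem is None):
        raise ValueError("client certificate and private key must be supplied together")
    profile = BASE_CONFIG.format(host=SERVER_HOST, port=SERVER_PORT)
    profile += inline_block("ca", ca_pem)
    if cert_pem is not None:
        profile += inline_block("cert", cert_pem) + inline_block("key", key_pem)
    profile += inline_block("tls-auth", ta_key)
    return profile

def export_users(pki_dir: Path, ta_key_path: Path, users: Iterable[str], out_dir: Path) -> list:
    """Write <user>.ovpn for each user from an Easy-RSA 3 PKI layout (assumed:
    pki/ca.crt, pki/issued/<user>.crt, pki/private/<user>.key); returns written paths."""
    ca_pem = (pki_dir / "ca.crt").read_text()
    ta_key = ta_key_path.read_text()
    out_dir.mkdir(parents=True, exist_ok=True)
    written = []
    for user in users:
        cert = (pki_dir / "issued" / f"{user}.crt").read_text()
        key = (pki_dir / "private" / f"{user}.key").read_text()
        target = out_dir / f"{user}.ovpn"
        target.write_text(build_profile(ca_pem, ta_key, cert, key))
        target.chmod(0o600)  # the embedded private key is a secret; restrict the file
        written.append(target)
    return written
```

The user list itself can come from an LDAP query against the domain controller; the client certificates must still be issued (for example with `easyrsa build-client-full <user> nopass`) before `export_users` is run.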



  • Ok.

    Do any other types of 2-factor authentication work with OpenVPN, such as OTP token, Azure MFA, Microsoft Authenticator app, etc?


  • Rebel Alliance Developer Netgate

    That's up to your authentication server, not OpenVPN.

    Some things like Google Authenticator can easily integrate into RADIUS to be used in place of a password (pin+code = password when logging in). I'm not sure of any that work with an OOB step in between, but again that's entirely up to the auth server.

