Best practice VPN Configuration (RADIUS vs TLS)
-
Hello,
I set up a RADIUS Server for ease of user management for the user authentication on my pfSense VPN Server and would like to know what the best practice is. The RADIUS is getting its users from an Active Directory.
My questions:
Is having one certificate for all + RADIUS a good choice?
Or should I go Cert+Auth?
Also, what would be wise for the best performance/safety balance? Thanks much
kkit -
@kkit providing each user with their unique user certificate as part of their VPN profile will give you the ability to revoke a single certificate if it is exposed. This is done through the Certificate Revocation List (CRL), which you attach to your OpenVPN Server.
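The per-user-certificate plus CRL workflow described above, as an added example that is not part of the original post: a throwaway CA issues one certificate per VPN user, revokes one of them, publishes a CRL, and verification with the CRL rejects only the revoked user (which is what OpenVPN's `crl-verify` does with the CRL attached to the server). It uses only the `openssl` command line; the temp directory, config file and users "alice" and "bob" are constructed here.

```sh
#!/bin/sh
# Added example, not code from the thread: a tiny CA that issues one
# certificate per VPN user, revokes one user, publishes a CRL, and verifies
# each certificate against CA + CRL. Everything lives in a constructed temp
# directory; "alice" and "bob" are made-up users.
set -eu

WORK=""

setup_ca() {
  WORK=$(mktemp -d)
  mkdir -p "$WORK/ca/newcerts"
  : > "$WORK/ca/index.txt"          # CA database: one line per issued cert
  echo 1000 > "$WORK/ca/serial"
  echo 1000 > "$WORK/ca/crlnumber"
  # Minimal openssl.cnf for the 'ca' and 'req' subcommands (constructed here)
  cat > "$WORK/ca/openssl.cnf" <<EOF
[ ca ]
default_ca = demo_ca

[ demo_ca ]
dir              = $WORK/ca
database         = \$dir/index.txt
new_certs_dir    = \$dir/newcerts
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
certificate      = \$dir/ca.crt
private_key      = \$dir/ca.key
default_md       = sha256
default_days     = 30
default_crl_days = 7
policy           = demo_policy

[ demo_policy ]
commonName = supplied

[ req ]
distinguished_name = req_dn

[ req_dn ]
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -config "$WORK/ca/openssl.cnf" -subj "/CN=Demo VPN CA" \
    -keyout "$WORK/ca/ca.key" -out "$WORK/ca/ca.crt" 2>/dev/null
  publish_crl   # start with an empty CRL so verification always has one
}

issue_user() {   # $1 = username -> $WORK/$1.key and $WORK/$1.crt
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/ca/openssl.cnf" \
    -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  openssl ca -batch -notext -config "$WORK/ca/openssl.cnf" \
    -in "$WORK/$1.csr" -out "$WORK/$1.crt" 2>/dev/null
}

publish_crl() {  # regenerate the CRL from the CA database
  openssl ca -gencrl -config "$WORK/ca/openssl.cnf" \
    -out "$WORK/ca/crl.pem" 2>/dev/null
}

revoke_user() {  # $1 = username; mark the cert revoked and republish the CRL
  openssl ca -revoke "$WORK/$1.crt" -config "$WORK/ca/openssl.cnf" 2>/dev/null
  publish_crl
}

user_is_valid() {  # exit 0 only if $1's cert chains to the CA and is not on the CRL
  openssl verify -crl_check -CAfile "$WORK/ca/ca.crt" \
    -CRLfile "$WORK/ca/crl.pem" "$WORK/$1.crt" >/dev/null 2>&1
}

run_demo() {  # returns 0 only if alice is accepted and bob is rejected
  setup_ca
  issue_user alice
  issue_user bob
  revoke_user bob
  user_is_valid alice || return 1
  if user_is_valid bob; then return 1; fi
  return 0
}

run_demo && echo "alice accepted, bob rejected via CRL ($WORK/ca/crl.pem)"
```

The point to take from it: revocation only bites if the CRL the server checks is the one you just regenerated, so republishing the CRL (and, on pfSense, updating the CRL attached to the OpenVPN server) is part of every revocation, not an optional step.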
-
@to2020
Totally forgot about the CRL, thank you very much! What do you think about the RADIUS, would you recommend using it, or do you have a setup which utilizes it? I am still unsure if I should just stick with the certs.
Thanks much and stay safe
-
@kkit It will depend on where the accounts used to authenticate on OpenVPN are located. If you have a directory, like MS Active Directory, I recommend using that.
You can use LDAP directly for this.
Or if you want to use any third party MFA solution, you might need to use RADIUS and then for example MS NPS as RADIUS server (if you run MS AD).
In NPS, you can also do checks for group membership, so you end up with several layers where you can deny or grant access to VPN.
I run the latter with DUO Security and it works well. Netgate has plenty of good documentation as well, for example this page:
https://docs.netgate.com/pfsense/en/latest/recipes/openvpn-ra.html -
@KKIT, you could use certificate authentication without the need for RADIUS. You set up Windows PKI, which seamlessly and automatically issues unexportable certificates to workstations, then verify the certificate in OpenVPN against the CA. There is no good way to use the Windows CRL here: you either have to issue short-lived certificates (1 month) and not use a CRL at all, or you have to manually copy the CRL from Windows PKI to pfSense each time it's updated.
For RADIUS - it works flawlessly for user/pass/2FA authentication. You could mix Windows NPS for user/pass with FreeRADIUS for Google Authenticator's 2FA tokens. But there is a catch when you have more clients (>100). pfSense newer than 2.4.5 has OpenVPN 2.5, which acts quite crappy server side. Each time a new user connects (no matter RADIUS or PKI), increased network latency is introduced to all already connected clients (>500 ms) for a few seconds. When you have many clients this becomes a nightmare. The only working solution I've found is to use pfSense 2.4.5, which has OpenVPN 2.4.
-
Hi, thank you all for your valuable input. I went with Cert+RADIUS to have extra layers of protection, like @TO2020 mentioned. This way I have a tad bit more security and a better integration into Active Directory, where I manage all accounts.
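The Cert+RADIUS layering chosen here, written out as plain OpenVPN directives; this is an added example, not the thread's own configuration and not what pfSense generates (pfSense builds the server side from its GUI and uses its own authentication hook for RADIUS). The file paths, the hostname `vpn.example.com` and the `radiusplugin.so` line are assumptions standing in for whatever bridges OpenVPN to the RADIUS server in a given setup.

```conf
# --- server side: two independent gates, both must pass ---
ca   /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key  /etc/openvpn/server.key
dh   /etc/openvpn/dh.pem
tls-crypt /etc/openvpn/tls-crypt.key
tls-version-min 1.2
remote-cert-tls client
# Gate 1: the client must present a certificate issued by our CA ...
verify-client-cert require
# ... that is not on the CRL; refresh this file every time a user cert is revoked
crl-verify /etc/openvpn/crl.pem
# Gate 2: username/password (plus OTP if the RADIUS/NPS side enforces MFA)
# checked against the directory via RADIUS. Assumed plugin path, see lead-in.
plugin /usr/lib/openvpn/radiusplugin.so /etc/openvpn/radiusplugin.cnf

# --- client profile for one user (one cert per user, as discussed above) ---
client
dev tun
proto udp
remote vpn.example.com 1194
remote-cert-tls server
ca ca.crt
# alice's own certificate and key; revoking alice.crt locks out this profile
cert alice.crt
key alice.key
tls-crypt tls-crypt.key
# prompt for the AD username and password (and OTP, if MFA is enabled)
auth-user-pass
```

A revoked or missing certificate fails at gate 1 before any credentials are sent, and a disabled directory account fails at gate 2 even if the certificate is still valid, which is the "extra layer" this choice buys. It also means there are two things to keep in sync when offboarding a user: revoke the certificate (and update the CRL on the firewall) and disable the account in Active Directory.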