Netgate Discussion Forum

    OpenVPN with LDAP authentication and SSL/TLS plus User Auth

      sgw

      I don't understand fully yet, so I ask here:

      I have 2 pfsense-nodes (CARP) using a 2-node-LDAP-cluster as user backend. This works for OpenVPN in mode "User Auth". Now my customer wants to add user-certs to the VPN-tunnels as well. These certs come from their internal PKI.

      How to configure that? Would the certs go into the LDAP as well, and can they be "pulled" from the LDAP user-backends? Maybe someone could explain and/or even point at some example.

      thanks, Stefan

        TO2020 @sgw

        @sgw Hi Stefan

        suggest you take a look at this article
        https://docs.netgate.com/pfsense/en/latest/certificates/certificate.html

        I have not done this myself, but rather used the pfSense itself as CA and created certs from there; however, I believe you will need to import the server and client certs from the external CA to the pfSense devices.

          sgw @TO2020

          @to2020 well, thanks, but ... that would mean that certs would have to be created on pfsense as well.

          We want to ask the company's CA / PKI for validity of user certs and also be able to use CRLs there.

          Maybe that is beyond the scope of the community support? We have 2 appliances with pfsense Plus on them (= Netgate hardware) so maybe I have to file a specific support ticket and ask.

            sgw @sgw

            Found these scripts here: https://github.com/mdcurtis/pfsense-python

            a bit old, but I will test pfsense-updateCRL.py asap

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.