Netgate Discussion Forum

    OpenVPN local user lockout policy

    OpenVPN
    3 Posts 2 Posters 733 Views
    • greeners

      Does pfSense OpenVPN user authentication (local database) have a lockout policy? I have checked the documentation and I cannot find any reference to it. Can anyone point me at a section in the pfSense Plus documentation?

      Auto-lockout of an account due to a recurring failed password is important to satisfy security policy, including the UK NCSC Cyber Essentials certification.

      • jimp (Rebel Alliance Developer, Netgate)

        OpenVPN authentication does not have that kind of protection built-in, but if you forward authentication to a RADIUS or LDAP server, it may implement its own policies of that nature.

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

        • greeners @greeners

          To answer this myself - I do not think OpenVPN user authentication failures from the pfSense local database cause account lockout. SSH and Web UI failed logins will cause the source of the connection to be temporarily added to the block list.

          @jimp just answered this (as I type) to say it does not lockout the local database users.

          I have found, with help from Lawrence Systems videos (Tom L is a legend, n'est-ce pas?), that I can install the FreeRADIUS package, enable mobile one-time passwords, add RADIUS users with OTP and get two benefits: disable accounts that fail to authenticate AND MFA/OTP.

          This satisfies UK Cyber Essentials, and I have a much stronger login process. Today is a good day.

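The thread distinguishes two different protections: pfSense's login protection for SSH and the Web UI blocks the *source address* after repeated failures, whereas the Cyber Essentials requirement (and what FreeRADIUS provides) is a lock on the *account*. The script below is an added illustration, not code from this thread, from pfSense or from FreeRADIUS: it replays constructed OpenVPN auth log lines through a per-account sliding-window lockout policy and shows why a locked account must be refused even when the next password attempt is correct. The log line shape, the timestamps and the user names are all assumed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log. The line shape is assumed for this example and is
# not verbatim pfSense/OpenVPN output.
SAMPLE_LOG = """\
2025-03-03T10:00:01 openvpn[1234]: user 'alice' could not authenticate.
2025-03-03T10:00:05 openvpn[1234]: user 'alice' could not authenticate.
2025-03-03T10:00:09 openvpn[1234]: user 'alice' could not authenticate.
2025-03-03T10:00:12 openvpn[1234]: user 'alice' could not authenticate.
2025-03-03T10:00:15 openvpn[1234]: user 'alice' could not authenticate.
2025-03-03T10:00:20 openvpn[1234]: user 'alice' authenticated.
2025-03-03T10:00:30 openvpn[1234]: user 'bob' could not authenticate.
2025-03-03T10:20:00 openvpn[1234]: user 'bob' could not authenticate.
2025-03-03T10:20:05 openvpn[1234]: user 'bob' authenticated.
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) openvpn\[\d+\]: user '(?P<user>[^']+)' "
    r"(?P<result>could not authenticate|authenticated)\.$"
)


class AccountLockoutPolicy:
    """Per-account lockout: max_failures inside a sliding window locks the
    account for a fixed period. Unlike a source-IP block list, this keys on
    the account, so guesses spread over many addresses still trip it."""

    def __init__(self, max_failures=5, window=timedelta(minutes=10),
                 lockout=timedelta(minutes=15)):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self._failures = defaultdict(deque)  # user -> recent failure timestamps
        self._locked_until = {}              # user -> datetime the lock expires

    def _expire(self, user, now):
        # Drop failures that have aged out of the sliding window.
        q = self._failures[user]
        while q and now - q[0] > self.window:
            q.popleft()

    def is_locked(self, user, now):
        until = self._locked_until.get(user)
        return until is not None and now < until

    def record_failure(self, user, now):
        """Register a failed password; return True if this failure locks the account."""
        self._expire(user, now)
        self._failures[user].append(now)
        if len(self._failures[user]) >= self.max_failures and not self.is_locked(user, now):
            self._locked_until[user] = now + self.lockout
            self._failures[user].clear()
            return True
        return False

    def record_success(self, user, now):
        # A good login resets the failure counter for that account.
        self._failures[user].clear()


def evaluate(log_text, policy=None):
    """Replay auth log lines through the policy and return one
    (timestamp, user, decision) tuple per parsed line. Decisions are
    'failed', 'locked_now', 'rejected_locked' or 'allowed'."""
    policy = policy or AccountLockoutPolicy()
    decisions = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.fromisoformat(m["ts"])
        user = m["user"]
        if policy.is_locked(user, ts):
            # A locked account is refused even if this attempt carried the right password.
            decisions.append((ts, user, "rejected_locked"))
            continue
        if m["result"] == "authenticated":
            policy.record_success(user, ts)
            decisions.append((ts, user, "allowed"))
        else:
            locked = policy.record_failure(user, ts)
            decisions.append((ts, user, "locked_now" if locked else "failed"))
    return decisions


if __name__ == "__main__":
    for ts, user, decision in evaluate(SAMPLE_LOG):
        print(f"{ts.isoformat()} {user:<6} {decision}")
```

In the sample, alice's fifth failure inside the ten-minute window locks her account, so her correct password at 10:00:20 is still rejected; bob's two failures are twenty minutes apart, the first ages out of the window, and he logs in normally. A RADIUS backend such as the FreeRADIUS package the last post describes enforces this kind of per-account state, which the local user database does not.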
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.