OpenVPN SSL/TLS + User Auth over LDAP
-
Hello,
My company got pfSense+, so I don't know what's the best way to get any help with it, so I'm really counting on someone here having done this configuration before. It's hard to find this combination or any info on whether it's possible or not.
What do we desire:
Having separate RA SSL VPN profiles for different user groups: internal users, internal admins, external users,
e.g. each of those groups has different permissions.
Every user is authenticated through LDAP and needs to have their own certificate created by the pfSense CA.
How to do it?
- I've set up LDAP authentication on pfSense.
- Set up a new OpenVPN server through the OpenVPN wizard with the pfSense CA.
- Authentication mode chosen as SSL/TLS + Auth.
Now here is the thing:
We have around 1000 users. How do we generate certificates and configs for everyone, for selected AD users or for a group? Is there any way to do it automatically? Any way to bulk download them, or how do we even handle this to make it work?
Should I create 1000 users in pfSense by hand as local users and create certificates for them? What would be the point of LDAP then?
I really hope someone has the wisdom to deal with this. My only experience with this stuff was on Sophos, sadly...
BR
-
Okay.
I've dug into it and found that I have to create a certificate for every user on the LDAP side with the same Common Name as the user's auth login.
The real question is: does pfSense have any mechanism to help with creating 1000 of them for users from LDAP?
Manually generating 1000 certificates for everyone from LDAP would be hard, though.
Has anyone gone through an OpenVPN implementation in an enterprise 1000+ user infrastructure and handled it a better way?
BR
-
@wojciech__
Hey, it's me again!
I'm working on it in my organisation.
So, the way to approach this topic:
We have a domain and a domain CA. There we create a template that doesn't have any dependencies and features in AD, just a simple cert, where you have to change the Subject Name of the cert template to 'provide by requester' and allow auto-enrollment for everyone in the OpenVPN group. Consider checking that there is no need for an admin to approve it before the cert is issued, or handle it whatever way you want.
After that, people will be able to get the certificate on the user side with this PowerShell script:

```powershell
# Request a certificate from the domain CA with the user's login as the Common Name
Get-Certificate -Template "Template-Name" -CertStoreLocation cert:\CurrentUser\My -SubjectName "CN=$env:USERNAME"
```

It will get a certificate where the CN is the same as the one provided (so the user login). The pfSense OpenVPN server will be set to strictly require CN=login provided in the VPN login attempt, so there is no way to authenticate with another user's cert and credentials :)
Another topic is that there is a need to export this cert out of this store to PKCS#12 with the private key and encrypt it with a password.
It needs some elevated permissions, so I'm trying to dig it out.
On the other hand, after a successful export of this cert with the private key, you can just remotely install OpenVPN for a user by any .msi or whatnot.
After that there is a script that imports the PKCS#12 certificate with the key into OpenVPN.
The next script imports the profile provided in some directory, adds $username, and adds the imported certificate to the profile.
So from the user's point of view, the user only has to click OpenVPN and log in with a password :)

```powershell
# Function to generate a random password
function Generate-RandomPassword {
    $length = 16 # Set the desired password length
    # Note: cmd.exe treats %, ^ and & specially, so symbols from this set can break the
    # --password=... argument below; the final script later in this thread uses alphanumerics only.
    $chars = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*()'
    -join ((Get-Random -Count $length -InputObject $chars.ToCharArray()))
}

# Generate a random password
$pfxPasswordString = Generate-RandomPassword
$pfxPassword = ConvertTo-SecureString -String $pfxPasswordString -AsPlainText -Force
echo $pfxPasswordString

# Import already exported cert into OpenVPN profile
cmd.exe /c 'C:\Program Files\OpenVPN Connect\OpenVPNConnect.exe' --accept-gdpr
cmd.exe /c 'C:\Program Files\OpenVPN Connect\OpenVPNConnect.exe' --skip-startup-dialogs
cmd.exe /c 'C:\Program Files\OpenVPN Connect\OpenVPNConnect.exe' --list-certificates
cmd.exe /c 'C:\Program Files\OpenVPN Connect\OpenVPNConnect.exe' --import-certificate=C:\Users\%USERNAME%\OpenVPN\%USERNAME%.pfx --password=$pfxPasswordString
cmd.exe /c 'C:\Program Files\OpenVPN Connect\OpenVPNConnect.exe' --list-certificates
# Pull the cert-id of the imported certificate out of the listing
$certId = (cmd.exe /c 'C:\Program Files\OpenVPN Connect\OpenVPNConnect.exe' --list-certificates | Select-String -Pattern '"cert-id":\s*"([^"]+)"' | ForEach-Object { if ($_ -match '"cert-id":\s*"([^"]+)"') { $matches[1] } })
# Import the profile and bind it to the user name and the imported certificate
cmd.exe /c 'C:\Program Files\OpenVPN Connect\OpenVPNConnect.exe' --import-profile=C:\Users\%USERNAME%\OpenVPN\config.ovpn --name=%USERNAME% --username=%USERNAME% --certificate=$certId
```

As security you set on NPS rules that it checks the NAS Port (so the port that a certain OpenVPN server works on) and the user group for a user that is going to be allowed to connect to this server.
If you need any help, please just write here :)
This script is to get and export the cert, but it needs troubleshooting on my side and then combining with the previous one, so one will do everything...

```powershell
# Request the certificate from the domain CA with the user's login as the Common Name
Get-Certificate -Template "Template-Name" -CertStoreLocation cert:\CurrentUser\My -SubjectName "CN=$env:USERNAME"
# Define the path where you want to save the PFX file
$pfxFilePath = "C:\path\to\your\certificate.pfx" # Change this to your desired path
# Define the password for the PFX file; use the generated variable, but it needs to be a secure string
$pfxPassword = ConvertTo-SecureString -String "YourPfxPassword" -AsPlainText -Force # Change this to your desired password
# Retrieve the certificate of the user
$cert = Get-ChildItem -Path cert:\CurrentUser\My | Where-Object { $_.Subject -like "CN=$env:USERNAME" }
# Export the certificate with the private key
Export-PfxCertificate -Cert $cert -FilePath $pfxFilePath -Password $pfxPassword
# Output success message
Write-Host "Certificate exported successfully to $pfxFilePath."
```
-
Here is the working script I run on a PC.
To make it work you need to have already imported into the directory files like .cert, .ovpn, .tls for this particular profile configuration.
What the script does:
Request a cert from the Windows domain CA, export it as PKCS#12 with the private key and then import it and the config into the OpenVPN application. By that design no action on the user side is needed. Just click on OpenVPN, click connect and provide the password.

```powershell
# Function to generate a random password
function Generate-RandomPassword {
    $length = 16 # Set the desired password length
    $chars = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'
    -join ((Get-Random -Count $length -InputObject $chars.ToCharArray()))
}

# Generate a random password
$pfxPasswordString = Generate-RandomPassword
$pfxPassword = ConvertTo-SecureString -String $pfxPasswordString -AsPlainText -Force

$username_only = $env:Username

# Reuse an existing certificate for this user, otherwise enrol a new one from the domain CA
$cert = Get-ChildItem -Path cert:\CurrentUser\My | Where-Object { $_.Subject -like "CN=$username_only" }
if ($cert) {
    Write-Host "Certificate already exists for user: $username_only"
} else {
    Get-Certificate -Template "Template_Name" -CertStoreLocation cert:\CurrentUser\My -SubjectName "CN=$username_only"
    $cert = Get-ChildItem -Path cert:\CurrentUser\My | Where-Object { $_.Subject -like "CN=$username_only" }
    if ($null -eq $cert) {
        Write-Host "Certificate not found for user: $username_only"
        exit
    }
}

# Export the certificate with its private key as a password-protected PKCS#12 file
Export-PfxCertificate -Cert $cert -FilePath "$env:USERPROFILE\OpenVPN_Configuration\Profile_Name\$username_only.pfx" -Password $pfxPassword

# Import the PKCS#12 file and the profile into OpenVPN Connect
cmd.exe /c 'C:\Program Files\OpenVPN Connect\OpenVPNConnect.exe' --accept-gdpr
cmd.exe /c 'C:\Program Files\OpenVPN Connect\OpenVPNConnect.exe' --skip-startup-dialogs
cmd.exe /c 'C:\Program Files\OpenVPN Connect\OpenVPNConnect.exe' --list-certificates
cmd.exe /c 'C:\Program Files\OpenVPN Connect\OpenVPNConnect.exe' --import-certificate=%userprofile%\OpenVPN_Configuration\Profile_Name\%USERNAME%.pfx --password=$pfxPasswordString
cmd.exe /c 'C:\Program Files\OpenVPN Connect\OpenVPNConnect.exe' --list-certificates
# Pull the cert-id of the imported certificate out of the listing
$certId = (cmd.exe /c 'C:\Program Files\OpenVPN Connect\OpenVPNConnect.exe' --list-certificates | Select-String -Pattern '"cert-id":\s*"([^"]+)"' | ForEach-Object { if ($_ -match '"cert-id":\s*"([^"]+)"') { $matches[1] } })
cmd.exe /c 'C:\Program Files\OpenVPN Connect\OpenVPNConnect.exe' --import-profile=C:\Users\%USERNAME%\OpenVPN_Configuration\Profile_Name\profile_name.ovpn --name=%USERNAME% --username=%USERNAME% --certificate=$certId
# Remove the on-disk PKCS#12 file (it holds the private key); path matches the export above
cmd.exe /c 'del %userprofile%\OpenVPN_Configuration\Profile_Name\%username%.pfx'
```
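As an added example (not wojciech__'s script, and not pfSense or OpenVPN code), here is a selection function to put in place of the bare Get-ChildItem | Where-Object line above: it only hands back a certificate whose subject is exactly CN=login, that carries a private key, is currently valid, and chains to the expected CA, and it picks the newest one when renewals have left several in the store. The function name and the CA thumbprint parameter are assumptions; the thumbprint value is a placeholder to replace with that of the CA configured on the pfSense OpenVPN server.

```powershell
# Added example, not the poster's script. Chooses the user's enrolment certificate only if it
# passes the checks a defender would want before Export-PfxCertificate runs on it.
# Assumption: the caller supplies the thumbprint of the CA that pfSense trusts (placeholder below).
function Select-VpnUserCertificate {
    param(
        [string]$UserName = $env:USERNAME,
        [Parameter(Mandatory)][string]$ExpectedCaThumbprint,   # placeholder, see lead-in
        [string]$StorePath = 'cert:\CurrentUser\My'
    )
    $now = Get-Date
    $valid = @()
    foreach ($c in (Get-ChildItem -Path $StorePath)) {
        # Exact subject match: "CN=jdoe" must not accept "CN=jdoe2" or "CN=jdoe, OU=x".
        if ($c.Subject -ne "CN=$UserName") { continue }
        # Export-PfxCertificate needs the private key; skip public-only copies.
        if (-not $c.HasPrivateKey) { continue }
        # Skip expired or not-yet-valid certificates.
        if ($c.NotBefore -gt $now -or $c.NotAfter -le $now) { continue }
        # Build the chain and require the expected CA to be part of it.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
        if (-not $chain.Build($c)) { continue }
        $inChain = $false
        foreach ($e in $chain.ChainElements) {
            if ($e.Certificate.Thumbprint -eq $ExpectedCaThumbprint) { $inChain = $true }
        }
        if (-not $inChain) { continue }
        $valid += $c
    }
    # Renewals leave several certificates in the store; return the newest only, so the
    # export never receives an array and never picks a stale key.
    return $valid | Sort-Object NotBefore -Descending | Select-Object -First 1
}

# Usage: replaces the Get-ChildItem | Where-Object line before Export-PfxCertificate
$cert = Select-VpnUserCertificate -ExpectedCaThumbprint 'REPLACE_WITH_CA_THUMBPRINT'
if (-not $cert) { Write-Error "No valid VPN certificate for $env:USERNAME"; exit 1 }
Write-Host "Exporting $($cert.Thumbprint) (expires $($cert.NotAfter))"
```

Because the script passes the PKCS#12 password on the OpenVPN Connect command line and prints it in the earlier draft, keeping the PFX lifetime short and deleting it from the same path it was written to matters as much as picking the right certificate.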