Netgate Discussion Forum
    Installing and configuring OpenVPN Access Server + pfsense

    2 Posts 1 Posters 346 Views
    user290329032

      We have replaced our Fortinet FW with pfSense. One of the outstanding things is getting VPN back up and running. With the Fortinet VPN we were using SAML for authentication, and I'd really like to continue to do that for ease of use by our end-users. It seems like we need to implement OpenVPN Access Server to have SAML authentication (source).

      I've scoured the internet for the past 2 hrs, no luck finding a guide for deploying OpenVPN Access Server and configuring it to work with pfSense. Can someone please refer me to one?

      Also, if we deploy OpenVPN Access Server, can we still configure a Site-to-Site IPsec VPN on pfSense? Or does configuring the OpenVPN Access Server disable the pfSense Site-to-Site VPN feature and offload all VPN to OpenVPN Access Server?

      Ideally, I would like Site-to-Site to be done through pfSense. And, end-users to VPN using OpenVPN Access Server, authenticating using SAML authentication.

      user290329032 @user290329032

        If you are a n00bie like me, and are coming across this article... I figured it out. Below are the steps:

        • Install OpenVPN Access Server (OpenVPN AS) on a Virtual Appliance or Dedicated Device.
        • On your firewall, "Pinhole" the OpenVPN port through the firewall (usually UDP Port 1194).
        • Update the OpenVPN AS hostname to a DNS entry that resolves both locally (e.g. 192.168.x.x) and globally (123.210.x.x).
        • Get an SSL certificate from LetsEncrypt, and configure automatic renewals (guide).
        • In OpenVPN Access Server, configure SAML Authentication with your Identity Provider (IdP) of choice (e.g. Entra, Google, IBM Verify, etc.).
        • Within OpenVPN Access Server, configure your Access Control policy via User Permissions or Group Permissions.
        • Use your phone to test whether your SAML authentication and OpenVPN Access Control policies are working.

        As for the forum moderators and pfSense developers, I think it would be helpful if within your documentation you emphasised that OpenVPN Access Server is an easy option for organisations looking to implement an MFA-protected VPN solution. IMO everything on the web points to using OpenVPN embedded into pfSense, making organisations think that authentication via RADIUS and LDAP are the only options.

        Personally, for VPN I think it is safer to limit the number of times end-users need to enter their username/password. Instead, each time they access they should complete a push/biometric challenge. Since re-authentication is so much faster, you can make your VPN disconnect after a few minutes of inactivity. And end-users can't really complain since reconnecting is so simple. OpenVPN AS has a FREE license that allows 2 concurrent connections. After that you have to purchase a subscription, which is reasonable, all things considered.

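A small health check for the deployment the steps above describe (split DNS for the Access Server hostname, a trusted Let's Encrypt certificate that is actually being renewed, and a SAN that covers the hostname). This is an added example, not code from the post or from OpenVPN; it assumes the Access Server web portal listens on TCP 443 and uses the placeholder hostname vpn.example.com.

```python
import ipaddress, socket, ssl, sys, time

def classify_resolution(hostname, resolver=socket.gethostbyname_ex):
    """Split resolved addresses into private/public: from the LAN expect the
    private address, from outside the public one. `resolver` is injectable so
    the check can be exercised on constructed data without DNS."""
    _, _, addrs = resolver(hostname)
    result = {"private": [], "public": []}
    for a in addrs:
        result["private" if ipaddress.ip_address(a).is_private else "public"].append(a)
    return result

def cert_days_remaining(not_after, now=None):
    """Days until expiry; `not_after` is getpeercert()['notAfter'], e.g. 'Jun  1 12:00:00 2026 GMT'."""
    return (ssl.cert_time_to_seconds(not_after) - (time.time() if now is None else now)) / 86400

def cert_matches_host(cert, hostname):
    """True if a subjectAltName DNS entry covers hostname (a wildcard covers exactly one label)."""
    host = hostname.lower().split(".")
    for kind, name in cert.get("subjectAltName", ()):
        san = name.lower().split(".")
        if kind == "DNS" and (san == host or (san[0] == "*" and san[1:] == host[1:])):
            return True
    return False

def fetch_cert(hostname, port=443, timeout=5):
    """Fetch the portal certificate, verified against the system trust store. A
    self-signed cert (Let's Encrypt step skipped or renewal broken) raises
    ssl.SSLCertVerificationError instead of returning."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()

def report(hostname, warn_days=14):
    """Console summary of the checks (needs network access to the server)."""
    res = classify_resolution(hostname)
    print(f"{hostname} -> private={res['private']} public={res['public']}")
    try:
        cert = fetch_cert(hostname)
    except ssl.SSLCertVerificationError as e:
        print(f"certificate NOT trusted: {e.verify_message}")
        return
    days = cert_days_remaining(cert["notAfter"])
    print(f"SAN covers host: {cert_matches_host(cert, hostname)}; expires in {days:.0f} days"
          + (" (renewal overdue?)" if days < warn_days else ""))

if __name__ == "__main__":
    report(sys.argv[1] if len(sys.argv) > 1 else "vpn.example.com")  # placeholder hostname
```

Run it once from inside the LAN and once from outside: the first should report a private address, the second the public one, and both should report the same trusted certificate with comfortably more than 14 days left.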
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.