OpenVPN on pfSense: Custom Password + Google Authenticator 2FA
-
Hello everyone,
I need help with a task.
I need to set up OpenVPN on pfSense with authentication using my own generated password + 2FA via Google Authenticator.
pfSense Version: 2.7.2-RELEASE
I couldn't find any documentation, videos, or step-by-step instructions on how to implement this on pfSense.
The existing guides mostly describe setups using FreeRADIUS with one-time passwords (OTP) in the form of a PIN code, which must be between 4 and 8 digits. However, this approach is not secure enough for user authentication.
I cannot get FreeRADIUS to work with Google Authenticator 2FA while allowing users to authenticate with their own password (containing letters, numbers, and special characters).
Currently, I can only achieve either:
Login + My Password (without 2FA)
Login + PIN (4-8 digits) + Google Authenticator
But I need a setup where users authenticate with their own password + Google Authenticator 2FA.
On a standard Ubuntu server, I was able to implement this setup quickly using PAM (Pluggable Authentication Module). However, pfSense offers better usability and additional features that I would like to leverage.
If anyone can point me in the right direction regarding configuration settings and where to look in logs/debugging, I would be very grateful.
From my observations: The current setup using PIN codes works because FreeRADIUS is configured to use PAP, transmitting passwords as plain text, which is insecure but functional.
I need to know which authentication protocol FreeRADIUS should use to allow my desired setup with a secure password + Google Authenticator.
Any guidance or resources would be greatly appreciated. Thanks in advance! -
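As an added example (not from this thread and not pfSense's or FreeRADIUS's own code), this is the check the original poster wants a backend to perform: the user's own password with the 6-digit Google Authenticator code appended in the single OpenVPN password field, verified against a stored password hash and an RFC 6238 TOTP. The user "alice", her password and the TOTP seed are constructed; the seed is the RFC 6238 reference key so the codes are reproducible.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# Constructed demo store. The TOTP seed is the RFC 6238 reference key
# "12345678901234567890" in base32, which is the format Google Authenticator
# enrolls. A real store would use a slow password hash (bcrypt/argon2),
# plain SHA-256 is used here only to keep the example short.
USERS = {
    "alice": {
        "pw_hash": hashlib.sha256(b"S3cure!Pass#2024").hexdigest(),
        "totp_secret": "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ",
    }
}

def totp(secret_b32: str, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1, 30 s steps, 6 digits (Google Authenticator defaults)."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    counter = struct.pack(">Q", now // step)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def verify_combined(user: str, submitted: str, now: Optional[int] = None,
                    window: int = 1) -> bool:
    """Verify '<static password><6-digit TOTP>' entered in one password field.

    Both factors are always evaluated and compared in constant time, and a
    clock skew of +/- `window` 30 s steps is tolerated for the TOTP code.
    """
    rec = USERS.get(user)
    if rec is None or len(submitted) <= 6 or not submitted[-6:].isdigit():
        return False
    password, code = submitted[:-6], submitted[-6:]
    now = int(time.time()) if now is None else now
    pw_ok = hmac.compare_digest(
        hashlib.sha256(password.encode()).hexdigest(), rec["pw_hash"])
    code_ok = any(
        hmac.compare_digest(totp(rec["totp_secret"], now + k * 30), code)
        for k in range(-window, window + 1)
    )
    return pw_ok and code_ok
```

A production backend would additionally record the last accepted time step per user so a code cannot be replayed within its validity window.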
@XANT said in OpenVPN on pfSense: Custom Password + Google Authenticator 2FA:
Any guidance
You mean OpenVPN & FreeRadius on pfSense software for Two Factor Authentication?
-
@Gertjan Yes.
-
@Gertjan I am using a downloaded pfSense image on my virtual machine. I want users to log in with a generated password and their login, and add +2MFA via Google Authenticator. However, the only thing I have managed to do so far is using Google Authenticator with a PIN code containing only digits and no more than 8 characters. If you can suggest implementation paths, that would be very helpful. At the moment, I am on a rather complex path—optimizing a script for Ubuntu to work on FreeBSD, installing a PAM module, and using a special plugin to implement this authentication scheme.
I also have an idea to use a cloud service as FreeRADIUS and organize authentication through it. I have also tried various options, including adding a separate PAM module and making FreeRADIUS work with it. However, based on the errors and log files, it seems that the FreeRADIUS server does not support working with both Google Authenticator and its own password simultaneously. It only works with a one-time password, which means using a PIN code.
And as I understand, FreeRADIUS does not support working with PAM, which is very unfortunate.
If on Ubuntu I implemented this scheme in about 30 minutes, here I have already spent more than two weeks without achieving a result. Yes, I have learned a lot and figured out the specifics of pfSense, but for me, the result is more important than the time spent. -
@XANT said in OpenVPN on pfSense: Custom Password + Google Authenticator 2FA:
FreeRADIUS
FreeRadius can do a lot, and way more than you ever need.
The solution is simple: do not use the pfSense FreeRadius package, get the official FreeRadius copy on a known good OS (not the Ubuntu glamour and click, get the original Debian, without GUI and all that BS) and now you have the full control.
The FreeRadius pfSense package is very limited in its usage, as the number of config settings is simply huge, and can't be done with a GUI. IMHO: the entire (free)radius config is just a mess. The typical "some one wrote a product, then others added other things, and this went on for decades, as everybody: who will stop us".
There will be an end, like ISC stopped DHCP and rebuild everything under the name Kea and OpenVPN rewrote their VPN.
Bind, postfix and Apache2 will be next. Go see the doc of these products. Master all three of them, and you won't be close to the Radius documentation volume. So:
@XANT said in OpenVPN on pfSense: Custom Password + Google Authenticator 2FA:
And as I understand, FreeRADIUS does not support working with PAM, which is very unfortunate.
I did not fact check that, but I know (feel, dunno .. a voice in my head):
What is PAM ? Answer : Pluggable Authentication Module
What is Radius? An authorization and identification system to manage access to a resource. Do you agree with me that these two have something in common?
So I'm pretty sure that FreeRadius can interface with something like PAM.
Thus "Somebody already did just that" (always) applies.
and
The "you just don't know about it yet" also applies. -
@Gertjan
Thank you for your time.
Brief, competent and clear.
Most likely my solution is to use the DUO Security platform first, and then, if successful, deploy my own server, because I have a large number of VPN servers that require increased security.
Thank you very much again!
Have a nice day.