Netgate Discussion Forum
    OpenVPN with only certificates, no users pfSense 2.0RC3

    21 Posts 4 Posters 24.3k Views
TLP:

Hello, is there a way to have only certificates for users, with no need to create local users (or LDAP or RADIUS)?
And even better, with the possibility to revocate the users' certs so they cannot connect anymore to my network.
I have around 100 clients who need to access the VPN.
And we cannot have User Auth, they need to be without any password, just using certs, like creating and revocating.

Thanks.
TLP:

Hello, is this possible??
Nachtfalke:

Yes, it is possible.
When you configure OpenVPN Server on pfSense 2.0 there will be an option "Remote Access SSL/TLS" (only certificate) or "Remote Access SSL/TLS + Auth" (cert + username and password).

I am using Remote Access SSL/TLS and it works fine.

It is further possible to create a CRL and revoke certs. But at the moment there is a little bug if a CRL is empty, but jimp is working on this.

Hope this will help you.
TLP:

Thanks for the reply, but I tried it, but doing so I need to:

1. create a user for every cert
   or
2. create a single cert for every user

Right??
Creating a user for every cert is fine, but I can't revocate for the single user, can I???
Nachtfalke:

Hi,

I tried it with one user and one cert, and if I revoke a cert the user cannot access the VPN.

Not sure how it works if you create only one user and different certs.
rkelleyrtp:

Sorry to be dense here, but can someone please explain this a little more for me? I also have a need to create an OpenVPN client setup whereby the clients don't want to authenticate using a username/password; they just want to use the certificates (with revokable certs).

The only workaround I have found thus far is to create the users under the User Manager tab, download the OVPN files from the Client Export tab (after installing the OpenVPN Client Export package), and remove the line "auth-user-pass" from the VPN client config file. I don't know if this is the right way of doing it or not…
TLP:

Yes, this is the only way I found too.
But with this you can't revocate the certs for single users, you need to revocate for all,
and without the user-auth just deleting the user from the user manager does nothing.

That's the problem.
Nachtfalke:

Hi,

take a look at my screenshot. This is the OpenVPN GUI in pfSense 2.0.
You have to choose "REMOTE ACCESS SSL/TLS";
this is ONLY certificate.

For this you don't have to create a user in User Manager. I think this was in previous versions but actually it isn't.

(attachment: TLS.jpg)
rkelleyrtp:

Thanks for the info! After working with this for a while, I found out how to create a certificate-only configuration. In case anyone else is wondering how to do this in pfSense 2.0-RC3 (mainly, as a reminder to myself):

Step 1 - Configure OpenVPN

• Run the OpenVPN Wizard to set up the new OpenVPN service (note: you may have to create a new CA and Cert for your site)
• Once completed, click VPN -> OpenVPN
• Click on the Server tab and edit the newly created OpenVPN service
• Make sure the Server Mode reads "Remote Access (SSL/TLS)" - this will allow users to connect w/out a password

Step 2 - Add a Generic Remote Worker account

• Click on System -> User Manager
• Add a new user called "Remote Workers" (or whatever you like)

Step 3 - For each user - add the remote user account

• Click System -> User Manager
• Edit the Generic Remote Worker account created above
• Click the "+" sign at the bottom under User Certificates to create a new user certificate
• Select "Create an internal Certificate" for the Method
• Provide a description in the Descriptive Name field (I use the user's account name)
• Under Internal Certificate, make sure the Certificate authority is correct per the OpenVPN Wizard
• For the Distinguished Name, leave everything alone except the Email Address (change as necessary)
• Click Save

Export the Client Certificates

• Install the OpenVPN Client Export Utility (System -> Packages)
• Click VPN -> OpenVPN -> Client Export
• Choose between the Configuration, Configuration archive, Windows Installer, or Viscosity Bundle for the particular user
• Send the resulting file(s) to the remote user and have them import the config files into their OpenVPN client

Voila! You now have remote users who can authenticate using just certificates (and no passwords).

As TLP noted above, the current release of pfSense (Beta 2.0-RC3 dated 11 July, 2011) does NOT allow you to revoke a client certificate. This means if one of your users leaves/quits/etc., there is currently no way to deny them access to the network. I am sure the pfSense developers are working on solving that problem.

Hope this helps someone!
TLP:

@Nachtfalke

Yes, this part was fine, but where do I create a single user certificate??
And without a user, the Client Export package doesn't give me the option to export. How do I export the certs??

@rkelleyrtp

This sounds nice (and huge), I will try it,
but as you mentioned, we still need a user account, but I will give it a shot.
Nachtfalke:

Hi,

If I create a certificate I use this way:

SYSTEM - Cert Manager
1.) Create a CA
2.) Create a certificate according to my CA
That's all.

Now I am going to:
SERVICES - OpenVPN - Client Export Utility:
there I download the "Configuration file" according to the certificate I created before.
No need of a user.

Further, revoking certificates is working fine. I created two certificates according to one CA. With both I can connect. After this, I revoked one and after a short period of time I could not reconnect anymore with this cert, but with the other, which isn't revoked.

I am on HEAD (amd64) built on Wed Jul 6 22:00:09 EDT 2011
TLP:

I really can't export the certs from the Client Export utility without a user.
That's the strange thing, very odd.
rkelleyrtp:

Same here. No users = no export ability.
Nachtfalke:

Hi,

I had a second user in the past when I installed Client Export utility but now there is only the default admin user.

(attachments: User.jpg, OVPN-Export.jpg)
TLP:

This is very strange, what's your pfSense version and package version???
We are missing something.
jimp (Rebel Alliance Developer, Netgate):

Read the note at the bottom there. If you can select your VPN from the export list and see no clients to export, you probably did not generate your client certificates from the same CA that the VPN is set to use. Double check the CA selected for the VPN.

Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

Need help fast? Netgate Global Support!

Do not Chat/PM for help!
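The two mechanics the thread keeps circling back to, Nachtfalke's revocation test (a revoked cert is refused while a sibling cert from the same CA keeps working) and jimp's "same CA" point (a cert not issued by the CA the VPN is set to use is refused), can be reproduced with nothing but openssl(1). The script below is an added example written for this page; it is not code from the thread, from pfSense or from OpenVPN. It builds a throwaway CA in a temporary directory the way the Cert Manager steps above do (one CA, one certificate per machine, a CRL for revocation), and its check_client function models the server-side decision an OpenVPN server in "Remote Access (SSL/TLS)" mode makes with its crl-verify directive: chain the client cert to the configured CA and consult that CA's CRL. Every name in it (pfSense-Lab-CA, laptop-01, laptop-02, Other-CA, rogue, the LAB directory) is made up for the demonstration.

```shell
#!/bin/sh
# Added example for this thread, not pfSense/OpenVPN code. Models: one CA,
# one client cert per machine, CRL-based revocation, and the server-side
# check (CA chain + CRL) that OpenVPN performs via crl-verify.
# All names are constructed for the demo. Requires only openssl(1).

setup_ca() {
    LAB="$(mktemp -d)"              # fresh lab directory, exported for callers
    mkdir -p "$LAB/newcerts"
    : > "$LAB/index.txt"            # openssl ca's certificate database
    echo 1000 > "$LAB/serial"
    echo 1000 > "$LAB/crlnumber"
    # Minimal openssl.cnf for the ca(1) and req(1) subcommands used below.
    cat > "$LAB/ca.cnf" <<EOF
[ ca ]
default_ca = lab_ca
[ lab_ca ]
dir              = $LAB
database         = \$dir/index.txt
new_certs_dir    = \$dir/newcerts
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
certificate      = \$dir/ca.crt
private_key      = \$dir/ca.key
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = lab_policy
[ lab_policy ]
commonName = supplied
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    # Self-signed CA: the "Create a CA" step in System > Cert Manager.
    openssl req -config "$LAB/ca.cnf" -x509 -new -nodes -newkey rsa:2048 \
        -subj "/CN=pfSense-Lab-CA" -keyout "$LAB/ca.key" -out "$LAB/ca.crt" 2>/dev/null
    # Publish an (initially empty) CRL so the CRL check has something to read.
    openssl ca -config "$LAB/ca.cnf" -gencrl -out "$LAB/crl.pem" 2>/dev/null
}

# Issue one client certificate per machine, signed by the lab CA ($1 = CN).
issue_client() {
    openssl req -config "$LAB/ca.cnf" -new -nodes -newkey rsa:2048 \
        -subj "/CN=$1" -keyout "$LAB/$1.key" -out "$LAB/$1.csr" 2>/dev/null
    openssl ca -config "$LAB/ca.cnf" -batch -notext \
        -in "$LAB/$1.csr" -out "$LAB/$1.crt" 2>/dev/null
}

# Revoke one client certificate and regenerate the CRL the server consults.
revoke_client() {
    openssl ca -config "$LAB/ca.cnf" -revoke "$LAB/$1.crt" 2>/dev/null
    openssl ca -config "$LAB/ca.cnf" -gencrl -out "$LAB/crl.pem" 2>/dev/null
}

# A certificate from a different CA: jimp's "not generated from the same CA" case.
issue_foreign_client() {
    openssl req -config "$LAB/ca.cnf" -x509 -new -nodes -newkey rsa:2048 \
        -subj "/CN=Other-CA" -keyout "$LAB/other.key" -out "$LAB/other.crt" 2>/dev/null
    openssl req -config "$LAB/ca.cnf" -new -nodes -newkey rsa:2048 \
        -subj "/CN=$1" -keyout "$LAB/$1.key" -out "$LAB/$1.csr" 2>/dev/null
    openssl x509 -req -in "$LAB/$1.csr" -CA "$LAB/other.crt" -CAkey "$LAB/other.key" \
        -CAcreateserial -sha256 -days 365 -out "$LAB/$1.crt" 2>/dev/null
}

# Server-side decision: chain to the VPN's CA and check its CRL (what
# crl-verify does). Returns 0 = ALLOW, 1 = DENY. Matches ": OK" in the output
# rather than the exit code because old openssl releases exited 0 on failure.
check_client() {
    out="$(openssl verify -crl_check -CAfile "$LAB/ca.crt" -CRLfile "$LAB/crl.pem" "$1" 2>&1 || true)"
    case "$out" in
        *": OK"*) echo "ALLOW $(basename "$1")"; return 0 ;;
        *)        echo "DENY  $(basename "$1")"; return 1 ;;
    esac
}

# Walk the thread's scenario; returns non-zero if any verdict is unexpected.
run_demo() {
    setup_ca
    issue_client laptop-01
    issue_client laptop-02
    check_client "$LAB/laptop-01.crt" || return 1      # ALLOW
    check_client "$LAB/laptop-02.crt" || return 1      # ALLOW
    revoke_client laptop-01
    check_client "$LAB/laptop-01.crt" && return 1      # DENY: revoked
    check_client "$LAB/laptop-02.crt" || return 1      # ALLOW: sibling cert unaffected
    issue_foreign_client rogue
    check_client "$LAB/rogue.crt" && return 1          # DENY: wrong CA
    echo "scenario behaved as expected"
}

run_demo
```

Run it with `sh lab-ca.sh` (any file name; the name is the reader's choice). The script issues one certificate per machine, which is the arrangement the thread settles on: if several machines shared one certificate, revoking it would cut off all of them at once, exactly as Nachtfalke describes below, and the server would additionally need OpenVPN's duplicate-cn option to accept more than one concurrent session under the same common name.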
TLP:

OK, it worked now. What I did was recreate every cert (in Cert Manager and OpenVPN), but paying double attention to certificates, and it showed up now.

Thanks all.
TLP:

OK, just one problem: for every computer do I need to create a new certificate and a new OpenVPN server certificate??
jimp (Rebel Alliance Developer, Netgate):

You only have one server certificate/CA; you have one certificate per user.
Nachtfalke:

@TLP:

> OK, just one problem: for every computer do I need to create a new certificate and a new OpenVPN server certificate??

1.) You don't need to create a further OpenVPN Server certificate.
2.) You can use the same certificate for different computers, BUT then you have to configure this on your server to allow multiple connections from the same common name. Further, if you revoke a certificate, then all clients with the same certificate cannot access anymore.
So the way you should go is:
3.) For every computer create a new certificate.
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.