OpenVPN with only certificates, no users pfSense 2.0RC3

TLP

Hello, is there a way to have only certificates to users, with no need to create local users (or ldap or radius)
And even better, with the possibility to Revocate the users certs so they cannot connect anymore to my network
I have around 100 clients who needs to access the VPN
And we cannot have User Auth, they need be without any password, just usint certs, like creating and revocating

Thanks.

TLP

Hello, is this possible??

Nachtfalke

Yes, it is possible.
When you configure OpenVPN Server on pfsense 2.0 there will be an option "Remote Access SSL/TLS" (only certificate) or "Remote Access SSL/TLS + Auth" (cert + username and password).

I am using Remote Access SL/TLS and it works fine.

It is furthe rpossible to create a CRL and revoke certs. But at the moment there is a little bug, if a CRL is empty but jimp is working on this.

Hope this will help you.b

TLP

thanks for the reply, but i tried it, but doing so I need to:

1. create a user for every cert
   or
2. create a single cert for every user

right??
the create a user for every cert is fine, but I cant revocate for the single user can I ???

Nachtfalke

Hi,

I tried it with one user and one cert and if I revoke a cert the user cannot access the vpn.

Not sure, how it work if you create only one user and different certs.

rkelleyrtp

Sorry to be dense here, but can someone please explain this a little more for me?  I also have a need to create an OpenVPN client setup whereby the clients don't want to authenticate using a username/password; they just want to use the certificates (with revokable certs).

The only workaround I have found thus far is to create the users under the User Manager tab, download the OVPN files from the Client Export tab (after installing the OpenVPN Client Export package), and remove the line "auth-user-pass" from the vpn client config file.  I don't know if this is the right way of doing it or not…

TLP

Yes this is the only way i found too
But with this you cant revocate the certs for single users, but u need to revocate for all
and without the user-auth just deleting the user from the user manager does nothing

thats the problem

Nachtfalke

Hi,

take a look at my screenshot. This is the OpenVPN GUI in pfsense 2.0.
You have to chose "REMOTE ACCESS SSL/TLS"
this is ONLY certificate.

For this you don't have to create a User in User Manager. I think this was in previous versions but actually it isn't.

rkelleyrtp

Thanks for the info!  After working with this for a while, I found out how to create a certificate-only configuration.  In case anyone else is wondering how to do this in pfSense 2.0-RC3 (mainly, as a reminder to myself):

Step 1 - Configure OpenVPN

• Run the OpenVPN Wizard to setup the new OpenVPN service (note: you may have to create a new CA and Cert for your site)
• Once completed, Click VPN–>OpenVPN
• Click on the Server tab and edit the newly create OpenVPN service
• Make sure the Server Mode reads "Remote Access (SSL/TLS)" - this will allow users to connect w/out a password

Step 2 - Add a Generic Remote Worker account

• Click on System–>User Manager
• Add a new user called "Remote Workers" (or, whatever you like)

Step 3 - For each user - add the remote user account

• Click System –> User Manager System
• Edit the Generic Remote Worker account create above
• Click the "+" sign at the bottom under User Certificates to create a new user certificate
• Select "Create an internal Certificate" for the Method
• Provide a description in the Descriptive Name field (I use the user's account name)
• Under Internal Certificate, make sure the Certificate authority is correct per the OpenVPN Wizard
• For the Distinguished Name, leave everything alone except the the EMail Address (change as necessary)
• Click Save

Export the Client Certificates

• Install the OpenVPN Client Export Utility (System–>Packages)
• Click VPN-->OpenVPN-->Client Export
• Choose between the Configuration, Configuration archive, Windows Installer, or Viscosity Bundle for the particular user
• Send the resulting file(s) to the remote user and have them import the config files into their OpenVPN client

Voila!  You now have remote users how can authenticate using just certificates (and no passwords).

As TLP noted above, the current release of pfSense (Beta2.0-RC3 dated 11 July, 2011) does NOT allow you to revoke a client certificate.  This means if one of your users leaves/quits/etc, there is currently no way to deny them access to the network.  I am sure the pfSense developers are working on solving that problem.

Hope this helps someone!

TLP

@Nachtfalke

Yes this part was fine, but where do I create a single user certificate??
and without an user, the client export package doesnt give me the option to export, how do I export the certs??

@rkelleyrtp

This sounds nice (and huge), i will try it
but as you mentioned, we still need an user account, but i will give a shot

Nachtfalke

Hi,

If I create a certificate I use this way:

SYSTEM - Cert Manager
1.) Create a CA
2.) Create a certificate according to my CA
That's all.

No I am going to:
SERVICES - OpenVPN - Client Export Utility:
there I Download the "Configuration file" accoridng to the certificate I created before.
No need of a User.

Further revoking certificates is working fine. I created two certificates according to one CA. With both I can connect. After this, I revoked one and after a short period of time I could not reconnect anymore with this cert but with the other, which isn't revoked.

I am on HEAD (amd64) built on Wed Jul 6 22:00:09 EDT 2011

TLP

I really cant export the certs from the Client Export utility without an user
thats the strange thing, very odd

rkelleyrtp

Same here.  No users = no export ability.

Nachtfalke

Hi,

I had a second user in the past when I installed Client Export utility but now there is only the default admin user.

TLP

This is very strange, whats your pfsense version and package version???
we are missing something

jimp

Read the note at the bottom there. If you can select your VPN from the export list and see no clients to export, you probably did not generate your client certificates from the same CA that the VPN is set to use. Double check the CA selected for the VPN.

TLP

OK it worked now, what I did was recreate every cert (on cert manager and openvpn) but paying doubled attention to certificates and it showed now

thanks all

TLP

OK just one problem, for every computer do I need to create a new certificate and a new openvpn server certificate??

jimp

You only have one server certificate/ca, you have one certificate per user.

Nachtfalke

@TLP:

OK just one problem, for every computer do I need to create a new certificate and a new openvpn server certificate??

1.) You don't need to create an further OpenVPN Server certificate.
2.) You can use the same certificate for different computers BUT then you have to configure this on your server to allow multiple connection from same common name. Further if you revoke a certificate, than alle clients with the same certificate cannot access anymore.
so the the way you should go is:
3.) For every Computer create a new certificate.