OpenVPN Clients -> Captive Portal

  • My VPN clients connect into OpenVPN for everything (LAN+Internet) however I would like to authenticate them via captive portal before allowing them "on" the network - is this possible? If so how?

  • Rebel Alliance Developer Netgate

    No, Captive Portal happens at Layer 2, and even if you run OpenVPN in tap mode so you'd actually get layer 2 info, its GUI doesn't have a way to tie into the OpenVPN interface.

    There is a ticket open I believe to expand the function in the future so it will work at layer 3 and above so it could be used on any interface, but that isn't possible yet.

    Though if you setup OpenVPN to use user+pass auth, there isn't much point in making them login again through a portal.

  • Thanks - I figured so I managed a bit of a work around -

    ovpn Client -> pfsense (load balance) -> debian ovpn instance -> pfsense captiva -> lan/internet

    this worked…. and its all on a single VM machine..

    Why the madness? We can do more flexible pre-authentication things w/ captiva than w/ radius.

Log in to reply