A (very) short HOWTO: pfSense 2, OpenVPN, RADIUS, Windows Server with Certificates
-
Simple and working solution with these goals:
1. Certificate based OpenVPN connection
2. Windows Active Directory based authentication (based on group membership and personal user certificate)

Windows Server: 192.168.111.10
Windows AD Domain: monster.local
pfSense: 192.168.111.1
pfSense host: monster.mydomain.com

Windows Server tasks:
Source: http://blog.stefcho.eu/?p=545
1. Server Manager - Roles - Add - Network Policy and Access Services - select only Network Policy Server.
2. Network Policy Server - RADIUS Clients and Servers - RADIUS Clients - New RADIUS Client:
Friendly name: pfSense
Address (IP or DNS): 192.168.111.1
Shared Secret: [long and secure key]

3. Network Policy Server - Policies - Network Policies - New Network Policy:
Policy Name: Allow pfSense
[Next]
Conditions: Add… Client Friendly Name - Add... pfSense
Conditions: Add... Windows Groups - Add Groups... vpnusers
[Next]
Access Granted
[Next]
Check Unencrypted authentication (PAP, SPAP)
pfSense passes the OpenVPN username and password to NPS as PAP, so this must be enabled. Between pfSense and NPS the password is only obfuscated with MD5 of the shared secret (RFC 2865), so use a long random secret and keep that RADIUS path on the trusted LAN, as it is here.

4. Server Manager - Features - Add Features - WINS Server
5. Windows Server Firewall:
- Allow ports UDP 1812 and UDP 1813
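To verify the NPS side before touching OpenVPN, the following added example (not part of the original HOWTO) sends one RADIUS Access-Request with a PAP-hidden password, exactly as pfSense will, and checks the Response Authenticator on the reply. It also makes the PAP caveat concrete: pap_reveal shows that anyone holding the shared secret and a packet capture recovers the password. Assumptions: the IPs are the ones from this page, the request carries no Message-Authenticator attribute (leave that option at its default on the NPS client entry), and the script is run from a host that NPS knows as a RADIUS client, because NPS silently drops requests from unregistered sources (register your admin workstation temporarily and add it to the policy's Client Friendly Name condition, then remove it).

```python
import hashlib
import os
import socket
import struct

# RFC 2865 packet codes and attribute types used by this test.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4


def pap_hide(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous ciphertext block); the first block is keyed with the
    Request Authenticator. This is all the protection the password gets
    between pfSense and NPS."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 bytes")
    n_blocks = max(1, (len(password) + 15) // 16)
    padded = password.ljust(n_blocks * 16, b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def pap_reveal(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of pap_hide, as the RADIUS server (or anyone with the shared
    secret and a capture) computes it. Trailing NUL padding is stripped."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attribute(kind: int, value: bytes) -> bytes:
    """Type(1) Length(1) Value, length covering the header."""
    return struct.pack("!BB", kind, len(value) + 2) + value


def build_access_request(ident: int, authenticator: bytes, username: str,
                         password: str, secret: bytes, nas_ip: str) -> bytes:
    """Code(1) Identifier(1) Length(2) Authenticator(16) Attributes.
    NAS-IP-Address is informational only: NPS identifies the client by the
    packet's source address, not by this attribute."""
    attrs = (attribute(USER_NAME, username.encode())
             + attribute(USER_PASSWORD, pap_hide(password.encode(), secret, authenticator))
             + attribute(NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def response_is_authentic(response: bytes, request_authenticator: bytes, secret: bytes) -> bool:
    """RFC 2865 3: ResponseAuth = MD5(Code+ID+Length+RequestAuth+Attributes+Secret).
    A reply that fails this was not produced with our shared secret."""
    if len(response) < 20 or struct.unpack("!H", response[2:4])[0] != len(response):
        return False
    expected = hashlib.md5(response[:4] + request_authenticator + response[20:] + secret).digest()
    return expected == response[4:20]


def build_response(code: int, request: bytes, secret: bytes, attrs: bytes = b"") -> bytes:
    """Server side of the same rule, included so the check can be exercised offline."""
    head = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    return head + hashlib.md5(head + request[4:20] + attrs + secret).digest() + attrs


def radius_pap_check(server: str, secret: bytes, username: str, password: str,
                     nas_ip: str, port: int = 1812, timeout: float = 3.0) -> bool:
    """Send one Access-Request; True on Access-Accept, False on Access-Reject.
    Raises if the reply does not verify (shared secret mismatch or a spoofed
    reply). A timeout points at the firewall rule or a missing NPS client entry."""
    ident, authenticator = os.urandom(1)[0], os.urandom(16)
    request = build_access_request(ident, authenticator, username, password, secret, nas_ip)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, (server, port))
        reply, _ = sock.recvfrom(4096)
    if reply[1] != ident or not response_is_authentic(reply, authenticator, secret):
        raise RuntimeError("reply failed the Response Authenticator check: shared secret mismatch?")
    return reply[0] == ACCESS_ACCEPT


if __name__ == "__main__":
    import getpass
    import sys
    user = sys.argv[1] if len(sys.argv) > 1 else "userX"
    accepted = radius_pap_check("192.168.111.10", getpass.getpass("RADIUS secret: ").encode(),
                                user, getpass.getpass("AD password: "), nas_ip="192.168.111.1")
    print("Access-Accept" if accepted else "Access-Reject")
```

Read the result like this: Access-Accept means the client entry, the shared secret, the vpnusers membership and PAP are all right; Access-Reject with a verified reply means NPS received the request but the policy or the password denied it (check the NPS event log); an authenticator failure means the secrets differ; a timeout means the packet never reached NPS or was dropped as coming from an unknown client.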
pfSense tasks:
1. System - Advanced - Admin Access: select a new TCP port for the web GUI, do not use 443 (the OpenVPN server below will listen there)
2. System - Cert Manager - CAs
Add new
Descriptive name: Monster VPN
Method: Create an internal Certificate Authority
Common Name: monster-ca
[Save]

3. System - Cert Manager - Certificates
Add new
Method: Create an internal Certificate
Descriptive name: monster-mydomain-com
Certificate authority: Monster VPN
Certificate Type: Server Certificate (so the exported client config can verify it with remote-cert-tls server)
Common Name: monster.mydomain.com

For each Active Directory user:
Add new
Method: Create an internal Certificate
Descriptive name: userX
Certificate authority: Monster VPN
Common Name: userX (use the Active Directory logon name, so the certificate CN matches the account that authenticates via RADIUS)

4. System - Cert Manager - Certificate Revocation
Monster VPN - Add new
Method: Create an internal Certificate Revocation List
Descriptive name: Monster VPN Revocation
Certificate Authority: Monster VPN
When a user leaves, revoke the certificate here as well as removing the account from vpnusers; the OpenVPN server checks this list on every new connection.

5. System - User Manager - Servers
Add new
Descriptive name: RADIUS
Type: Radius
Hostname or IP address: 192.168.111.10 (Windows server IP)
Shared Secret: [long and secure key used in Windows Network Policy Server]
Service offered: Authentication and Accounting
Authentication port value: 1812
Accounting port value: 1813
[Save]

6. VPN - OpenVPN - Server
Add new
Server Mode: Remote Access (SSL/TLS + User Auth) (the client needs both a valid certificate and a RADIUS-accepted username/password)
Backend for authentication: RADIUS
Protocol: TCP (chosen so the VPN works on port 443 through restrictive networks; UDP performs better if you can use it)
Device Mode: tun
Interface: any
Local port: 443
Description: Monster OpenVPN Server
Peer Certificate Authority: Monster VPN
Peer Certificate Revocation List: Monster VPN Revocation
Server Certificate: monster-mydomain-com
Tunnel Network: 10.124.124.0/24
Local Network: 192.168.111.0/24
DNS Default Domain: monster.local
DNS Servers: 192.168.111.10
NetBIOS Options: Enable NetBIOS over TCP/IP
WINS Servers: 192.168.111.10
Advanced: port-share 192.168.111.10 443 (only if you need an HTTPS service on the Windows server reachable on the same port: OpenVPN hands every non-OpenVPN TLS connection arriving on 443 to it, which exposes that service to the Internet without any VPN authentication)
If your pfSense version offers Strict User/CN Matching, enable it so the certificate CN must equal the username accepted by RADIUS.

7. System - Package Manager - install OpenVPN Client Export Utility
8. VPN - OpenVPN - Client Export
Remote Access Server: Monster OpenVPN Server TCP:443
Host Name Resolution: Other, monster.mydomain.com
Certificate Export Options:
Use Microsoft Certificate Storage instead of local files.
Use a password to protect the pkcs12 file contents.

On Certificate Name userX click on Configuration Archive and save fw-userX-TCP-443-config.zip. The exporter leaves the certificate subject empty, so change in fw-userX-TCP-443-config.ovpn:
cryptoapicert "SUBJ:" to
cryptoapicert "SUBJ:userX"
(the value must match the certificate Common Name, otherwise OpenVPN cannot find the certificate in the user's Personal store)

On Windows Workstation:
1. Download and install latest OpenVPN client
2. Copy files from fw-userX-TCP-443-config.zip in Config folder of OpenVPN
3. Install fw-userX-TCP-443-ca.crt in Trusted Root Certification Authorities (the .ovpn already points at this file for server verification; importing it makes the VPN CA trusted for every TLS connection on the machine, so skip this step if nothing else needs it)
4. Install fw-userX-TCP-443.p12 into the user's Personal store (Current User, not Local Machine) and DELETE the file, since it contains the private key.
5. Connect!
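The exported .ovpn is the piece most often wrong after the manual SUBJ: edit above, so here is an added example (not part of the original HOWTO) that fills the empty cryptoapicert subject for a user and lints the file for the settings this setup depends on. The remote-cert-tls check matters for security: every user certificate here is issued by the same Monster VPN CA, so without it a client would accept any other user's certificate as the server. SAMPLE_OVPN is a constructed file in the shape of the exporter's output, not a real export; the directive names (cryptoapicert, remote-cert-tls, the older ns-cert-type) are OpenVPN's own, and the file names are the ones from this page.

```python
import re
import shlex

# Constructed sample in the shape of the exporter's output (an assumption, not a real export).
SAMPLE_OVPN = """\
dev tun
persist-tun
persist-key
cipher AES-256-CBC
auth SHA1
tls-client
client
resolv-retry infinite
remote monster.mydomain.com 443 tcp
auth-user-pass
ca fw-userX-TCP-443-ca.crt
cryptoapicert "SUBJ:"
"""


def parse_directives(text: str):
    """Yield (directive, args) per config line, honouring OpenVPN's quoting via
    shlex and skipping comments and inline <ca>...</ca> style blocks."""
    in_block = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("</"):
            in_block = False
            continue
        if line.startswith("<"):
            in_block = True
            continue
        if in_block:
            continue
        parts = shlex.split(line)
        yield parts[0], parts[1:]


def check_ovpn(text: str, expected_cn: str):
    """Return a list of problems; an empty list means the file is ready to use."""
    found = {}
    for name, args in parse_directives(text):
        found.setdefault(name, []).append(args)
    problems = []
    subjects = [args[0] if args else "" for args in found.get("cryptoapicert", [])]
    if not subjects:
        problems.append("no cryptoapicert directive: OpenVPN will not look in the Windows certificate store")
    elif subjects[0] == "SUBJ:":
        problems.append('cryptoapicert "SUBJ:" has an empty subject: set it to the certificate Common Name')
    elif subjects[0] != f"SUBJ:{expected_cn}":
        problems.append(f"cryptoapicert selects {subjects[0]!r}, expected 'SUBJ:{expected_cn}'")
    # Without this, any certificate issued by the same CA (i.e. any other user's)
    # is accepted as the server certificate, so a fellow VPN user could impersonate it.
    server_checks = found.get("remote-cert-tls", []) + found.get("ns-cert-type", [])
    if not any(args[:1] == ["server"] for args in server_checks):
        problems.append("remote-cert-tls server (or ns-cert-type server) missing: server certificate type is not verified")
    if "auth-user-pass" not in found:
        problems.append("auth-user-pass missing: the RADIUS username/password prompt would be skipped")
    if not found.get("remote"):
        problems.append("no remote directive")
    return problems


def fix_cryptoapicert(text: str, cn: str) -> str:
    """Fill the empty SUBJ: the exporter leaves behind; any other value is left alone."""
    return re.sub(r'^(\s*cryptoapicert\s+)"SUBJ:"(\s*)$',
                  lambda m: f'{m.group(1)}"SUBJ:{cn}"{m.group(2)}',
                  text, flags=re.MULTILINE)


if __name__ == "__main__":
    import sys
    path, cn = sys.argv[1], sys.argv[2]  # e.g. fw-userX-TCP-443-config.ovpn userX
    with open(path, encoding="utf-8") as fh:
        fixed = fix_cryptoapicert(fh.read(), cn)
    for problem in check_ovpn(fixed, cn):
        print("WARN:", problem)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(fixed)
```

Run it on the extracted archive before copying it to the workstation; a WARN about remote-cert-tls usually means the server certificate was not created as a Server Certificate type in the pfSense Cert Manager, which is worth fixing there rather than by hand in the client file.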