A (very) short HOWTO: pfSense 2, OpenVPN, RADIUS, Windows Server with Certificates



  • Simple and working solution with these goals:

    1. Certificate based OpenVPN connection
    2. Windows Active Directory based authentication (based on group membership and personal user certificate)

    Windows Server: 192.168.111.10
    Windows AD Domain: monster.local
    pfSense: 192.168.111.1
    pfSense host: monster.mydomain.com

    Windows Server tasks:

    Source: http://blog.stefcho.eu/?p=545

    1. Server Manager - Roles - Add - Network Policy and Access Services - select only Network Policy Server.

    2. Network Policy Server - RADIUS Clients and Servers - RADIUS Clients - New RADIUS Client:
    Friendly name: pfSense
    Address (IP or DNS): 192.168.111.1
    Shared Secret: [long and secure key]

    3. Network Policy Server - Policies - Network Policies - New Network Policy:
    Policy Name: Allow pfSense
    [Next]
    Conditions: Add... Client Friendly Name - Add... pfSense
    Conditions: Add... Windows Groups - Add Groups... vpnusers
    [Next]
    Access Granted
    [Next]
    Check Unencrypted authentication (PAP, SPAP)

    4. Server Manager - Features - Add Features - WINS Server

    5. Windows Server Firewall:

    • Allow ports UDP 1812 and UDP 1813
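
    Why step 3 on the Windows side must allow PAP, and why the shared secret and the UDP 1812 firewall rule matter: pfSense forwards the user's AD password to NPS inside a RADIUS Access-Request, where it is hidden only by XOR with MD5(shared secret + request authenticator) as specified in RFC 2865, and NPS proves its Access-Accept is genuine with an MD5 over the reply plus the same secret. The Python below is an added illustration of that exchange, not part of this HOWTO or of pfSense/NPS; the secret, password and authenticator are constructed sample values.

```python
import hashlib
import hmac
import socket
import struct

# RADIUS packet codes and attribute types from RFC 2865
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4

def _pap_xor(data: bytes, secret: bytes, authenticator: bytes, hiding: bool) -> bytes:
    """RFC 2865 5.2: each 16-byte block is XORed with MD5(secret + previous
    ciphertext block); the first 'previous block' is the Request Authenticator."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        result = bytes(a ^ b for a, b in zip(block, key))
        out += result
        prev = result if hiding else block   # always chain on the ciphertext block
    return out

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    padded = password + b"\x00" * (-len(password) % 16)   # pad to 16-byte blocks
    return _pap_xor(padded, secret, authenticator, hiding=True)

def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    # What NPS does on receipt: the secret is the only thing protecting the password
    return _pap_xor(hidden, secret, authenticator, hiding=False).rstrip(b"\x00")

def _attr(kind: int, value: bytes) -> bytes:
    return struct.pack("!BB", kind, len(value) + 2) + value

def access_request(ident, user, password, secret, nas_ip, authenticator):
    """The Access-Request pfSense (the NAS) sends to NPS on UDP 1812."""
    attrs = (_attr(USER_NAME, user)
             + _attr(USER_PASSWORD, hide_password(password, secret, authenticator))
             + _attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs

def response_authenticator(code, ident, attrs, request_auth, secret):
    """NPS signs its reply with MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()

def verify_response(response, request_auth, secret):
    """Client-side check that an Access-Accept came from the holder of the secret."""
    code, ident, _ = struct.unpack("!BBH", response[:4])
    expected = response_authenticator(code, ident, response[20:], request_auth, secret)
    return hmac.compare_digest(expected, response[4:20])
```

    Anyone who can read the UDP 1812 traffic and knows (or guesses) the shared secret recovers the AD password, which is why the secret must be long and the Windows firewall rule should only admit 192.168.111.1.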

    pfSense tasks:

    1. Select a new TCP port for the web administration GUI; do not use 443, because the OpenVPN server below will listen there

    2. System - Cert Manager - CAs
    Add new
    Descriptive name: Monster VPN
    Method: Create an internal Certificate Authority
    Common Name: monster-ca
    [Save]

    3. System - Cert Manager - Certificates

    Add new
    Method: Create an internal Certificate
    Descriptive name: monster-mydomain-com
    Certificate authority: Monster VPN
    Common Name: monster.mydomain.com

    For each Active Directory user:

    Add new
    Method: Create an internal Certificate
    Descriptive name: userX
    Certificate authority: Monster VPN
    Common Name: userX

    4. System - Cert Manager - Certificate Revocation
    Monster VPN - Add new
    Method: Create an internal Certificate Revocation List
    Descriptive name: Monster VPN Revocation
    Certificate Authority: Monster VPN

    5. System - User Manager - Servers
    Add new
    Descriptive name: RADIUS
    Type: Radius
    Hostname or IP address: 192.168.111.10 (Windows server IP)
    Shared Secret: [long and secure key used in Windows Network Policy Server]
    Service offered: Authentication and Accounting
    Authentication port value: 1812
    Accounting port value: 1813
    [Save]

    6. VPN - OpenVPN - Server
    Add new
    Server Mode: Remote Access (SSL/TLS + User Auth)
    Backend for authentication: RADIUS
    Protocol: TCP
    Device Mode: tun
    Interface: any
    Local port: 443
    Description: Monster OpenVPN Server
    Peer Certificate Authority: Monster VPN
    Peer Certificate Revocation List: Monster VPN Revocation
    Server Certificate: monster-mydomain-com
    Tunnel Network: 10.124.124.0/24
    Local Network: 192.168.111.0/24
    DNS Default Domain: monster.local
    DNS Servers: 192.168.111.10
    NetBIOS Options: Enable NetBIOS over TCP/IP
    WINS Servers: 192.168.111.10
    Advanced: port-share 192.168.111.10 443 (only if a service on the Windows server already uses port 443; OpenVPN then hands non-OpenVPN connections arriving on 443 to that service)

    7. System - Package Manager - install OpenVPN Client Export Utility

    8. VPN - OpenVPN - Client Export
    Remote Access Server: Monster OpenVPN Server TCP:443
    Host Name Resolution: Other, monster.mydomain.com
    Certificate Export Options:
    Use Microsoft Certificate Storage instead of local files.
    Use a password to protect the pkcs12 file contents.

    On the Certificate Name userX line click Configuration Archive and save fw-userX-TCP-443-config.zip, then in fw-userX-TCP-443-config.ovpn change the line

    cryptoapicert "SUBJ:"

    to

    cryptoapicert "SUBJ:userX"

    so that the client looks up the user's certificate in the Windows certificate store by its subject.

    On Windows Workstation:

    1. Download and install latest OpenVPN client
    2. Copy files from fw-userX-TCP-443-config.zip in Config folder of OpenVPN
    3. Install fw-userX-TCP-443-ca.crt in Trusted Root Certification Authorities
    4. Install fw-userX-TCP-443.p12 into the user's profile and then DELETE the file.
    5. Connect!

