PfSense + OpenVPN + Windows Domain/Certifiate Authority (CA) + LDAP or Radius

  • Hello All,

    I am putting the pieces together and have read a ton of forums to gather as much knowledge as possible.

    The end user goal is for laptop users to Launch OpenVPN, click connect, provide their credentials, and have an encrypted connection to the network.

    The deployment method goal is to deploy laptops either with OpenVPN and the config file preinstalled, or installing it when logging on to the domain via script.

    The management goal is to use our existing Windows CA to issue and revoke certs, instead of pfSense.

    So far it seems that authenticating users RADIUS and AD Security Groups is the best route, and I've set that up already.

    The part I don't understand is how to set up the OpenVPN server to use the Windows CA to issue certs automatically.

    Thanks in advance for the education and your help!

  • By the way, my current set up is:

    Laptop > OpenVPN client > VPN.DOMAIN.COM > Internet > <wan>pfsense <lan>pfsense is setup as a CA and there is 1 server cert issued, and 1 user cert issued that I would deploy to all machines (I am trying to change this by using Windows CA, but dont know how, hence my thread)

    pfsense is also setup to authenticate VPN using RADIUS to check if a user belongs in a security group.


  • You just need to export the windows CA cert and key and then import that into PFSense. Then set the OpenVPN server to use that CA. You can create a server cert using that CA as well. Then create the client certs with the windows CA tool, and your PF sense OpenVPN will then recognize those certs because it has the same CA cert.

    Do the same thing with your CRL as you do for the CA. You will need to manually update the CRL on the pfsense box each time a cert is revoked.

    You wont really be able to use the client export utility, because the client certs wont exist on the pfsense box (just the CA, and server cert). But it is pretty easy to build up a little openvpn package manually. In your domain you can make the msi for openvpn install and then have their logon script copy their config, plus your global tls-auth key to the client. Then you can use windows tools to export their client cert into a crt and key file so openvpn can use it. I am sure there are some command line utilities to do that. If you name their client cert and key files the same for every user then everyone can share the exact same config file, and the only thing that would be different per client machine is their certs.

    Also, you have some problems in the screenshots.
    -Your tunnel network is 'inside' your local network subnet. is inside I generally use 172 addresses for tunnel networks as they are rarely ever used for other things, and it makes them a bit obvious.
    -Also, you probably want to turn on NetBIOS over TCP/IP, otherwise you will not be able to access windows file shares and printers and such. Set the IP it asks for to one of your AD servers, and start with h-node, but you may want to experiment with the other node settings if h-node does not work well. In an AD environment, it should work pretty good though.

Log in to reply