Improvements to OpenVPN roadwarrior with RADIUS AD backend ?

  • I just happened to notice the howto in the Wiki, which at the beginning states that it is "intended for small businesses that want to roll out secure vpn connectivity for their users using free software. Due to the nature of its set up, which is mostly manual, this process may be too inefficient for larger businesses." and indeed taking a closer look, this howto requires manual steps to be performed for each OpenVPN client.

    Since any scaleable VPN setup beyond a handful of clients will probably include authentication against a backend (e.g. radius/AD), can we discuss how to improve this as much as possible ? E.g. based on a quick look at the OpenVPN Client Export code, it seems that step 4.2 of manually editing the cryptoapicert "SUBJ:user" may be no longer needed.

    Could someone quickly explain to me what's the security model in the pfsense OpenVPN /w AD auth setup ? e.g. do we need to protect each client's private keys with a passphrase (in case a laptop is stolen) ? etc