How can I create a user that can just create local accounts for OpenVPN?



  • I've spent a few fruitless hours searching the forum for a guide to the User Manager, didn't find anything relevant, so here goes….

    I am attempting to build a firewall (several, actually) with a local VPN administrator to create local VPN users, but nothing else.  As soon as I give ANY access to WebCfg: - System: User Manager page, Add Privileges, Password Manager, or settings, the user is able to increase their OWN rights.  No "access control" system should allow a user to raise their own rights, I have a feeling I must be missing something here?

    I have created a group that allows users to see a limited subset of the menus, and I want to add the ability for users in that group to add OpenVPN users, and for those OpenVPN users to be able to login to download their packages. I am not averse to manually editing files to do this, so long as I can create a base image that makes it possible and reproduce the functionality by making copies of the base image.  Can anyone help?  Is there really no way to create sub-levels of administrative users ?



  • I was actually looking at this myself and am curious about it… it doesn't seem to be an implemented feature, though I don't really see why it would be hard to implement; you know, as a separate tool entirely that blocks out the ability to choose the groups and also hide the user that has logged in.

    If this doesn't currently exist I might try my hand at writing this as a package. I really would love to be able to give my clients access to this without endangering their very complex setups.


  • Netgate

    Creating something where they could add users to a RADIUS setup would probably be a better way to go.



  • Yeah, I've done this setup:
    https://doc.pfsense.org/index.php/OpenVPN_with_RADIUS_via_Active_Directory

    Only with creating an account operator for the client so they have full rights to the admin group.. This was also great because the upper management could just set up users and revoke permissions easily..

    It still would be nice though to have a local utility for those that are wanting an easy route.. You know, a utility that has an admin page and then general user page. You could give people access to the general page who should only be able to add a user and not modify their account while the admin page would only be given to those that need to modify main settings..



  • Thanks all for your responses! I appreciate the help.

    I'll take a look at the AD link, but in my case, I cannot use an external (as in, off box) auth source.  I also had the thought of trying to do radius by loading the freeradius2 package.  I was able to give the restricted local user access to the Certificate Authority in order to generate certs, but there is no built in "right" to allow a restricted user to see Freeradius - if anyone has figured out a way to grant access to Services -> freeradius through the user manager, let me know.

    If I can overcome that, OpenVPN users could be created in freeradius, but the next issue is that I can't figure out how to associate the cert for a user with the user created in freeradius - it appears that under the Certificates tab in freeradius, you can create a user cert with the same DN as the username, but I have no way to tell if the cert is then associated with a freeradius user of that name.  None of the pfsense->openvpn->freeradius guides I've found so far talk in any way to user certs, so I'm kind of grasping in the dark here.


  • Netgate

    If the only service using freeradius is the VPN, then even if the user has full access to freeradius they can only affect the VPN, which is what you're looking for, right?



  • Correct - I'm totally OK with that aspect, but I can't figure out how to GIVE that level of access to someone - the Services menu is totally blank except for things I add that are labeled "Services:….." in the individual or group rights.  There is no individual or group membership for a local user that allows them to "see" the freeradius menu item under Services.

    I also need to have a unique cert for every user - the whole "something you have, something you know" two factor bit.  I can't figure out how to associate a cert cut by the internal CA to be associated with a particular user in freeradius.

    I really don't care if the OpenVPN users are local users or freeradius users - I just need each OpenVPN user to have their own cert, and have the restricted admin user be able to create the user and cert.  Added bonus, if once created, the OpenVPN users could log in and grab their configuration, but we can lay that task on the admin if we have to.


  • Netgate

    You are probably going to need to trust someone to create users in pfSense.

    As far as I can tell, the permissions granularity you're asking for is a feature request.  The general feeling will probably be "get to work" if you want it in 2.2 and it'll still be weeks/months away.



  • Ha.  If I could actually build it myself, I would :) And I may try to figure out how, but my skills don't extend to coding.

    Sadly, this is a design choice that is beyond my control.  If I can't allow the limited user to create the VPN users, it will fall back to our support group to do it. I suspect that this is a problem in search of an answer - the previous firewall was UNABLE to do AD, LDAP or RADIUS integration for OpenVPN, so we ended up importing hundreds of users in some cases.  I suspect that those same use cases will be thrilled to simply move to AD integration, and we won't NEED local OpenVPN users at scale - but it's not my decision on the feature set.  So I slog on, trying to find the best compromise :)



  • EDIT:  So far, trying the method below my "restricted" user can't see the User Manager menu item in the gui, so even if the other changes I made are correct, I can't test them.  I'm no coder, so I'm still looking for exactly how the menus are drawn.

    I'm making a start into this.  I looked into /etc/inc/priv.defs.inc to find "interesting" php file names.  From there, I started looking at files in /usr/local/www to see what is there.  Here is my general plan:
    Make a copy of system_usermanager.php to system_usermanager_restricted.php, modify the copy to remove functions I don't want the restricted user to be able to do.
    Go to /etc/inc/priv folder and create a custom usermanager_restricted.priv.inc file and point the options therein to /usr/local/www/system_usermanager_restricted.php.

    I don't know if everything I want to restrict is in that one file.  At this point, I'd like my restricted user to be able to:
    Create a new user
    Set username for new user
    Set password for new user
    Tick the box to create a new cert for the user
    Save new user.
    POSSIBLY delete users.

    Caveats I see are that it is possible that the custom files I create could be removed during a future upgrade, so I'm going to have to keep a copy of the custom files off box just in case. Also, if the file DOES get deleted, I'm not sure what happens to the user that is relying on those files for its rights - I assume that other rights will remain, but they would lose access to the customer user manager.

    If anyone has any feedback on my proposed process here, I'm all ears.  I don't "know" php, but I can generally figure things out from code that is already written.  This is likely going to take some trial and error (mostly error) on my part, so any hints would be appreciated.
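
A sketch of the server-side check a restricted copy of the user manager page would need, as an added example that is not part of the original posts and is not pfSense code: hiding form controls is not enough, so the handler allowlists the fields it accepts and refuses any request that carries group or privilege fields or names an existing account. The function name, the POST field names and the sample requests are assumptions constructed for illustration.

```php
<?php
// Added example, not pfSense code. Field names are assumed; match them to
// whatever the copied page really posts before relying on this.
const ALLOWED_FIELDS   = ['usernamefld', 'passwordfld1', 'passwordfld2', 'showcert'];
// Fields that could change rights or target an existing account: reject outright.
const FORBIDDEN_FIELDS = ['groups', 'priv', 'userid'];

/** Validate a "create VPN user" POST sent by a delegated admin ($actor). */
function validate_restricted_create(array $post, string $actor, array $existingUsers): array
{
    foreach (FORBIDDEN_FIELDS as $f) {
        if (array_key_exists($f, $post)) {
            throw new RuntimeException("field '$f' is not permitted for delegated admins");
        }
    }
    // Keep only allowlisted fields; anything else the client sent is dropped.
    $clean = array_intersect_key($post, array_flip(ALLOWED_FIELDS));
    $name  = $clean['usernamefld'] ?? '';
    if (!is_string($name) || !preg_match('/^[a-zA-Z0-9._-]{1,32}$/', $name)) {
        throw new RuntimeException('invalid username');
    }
    // Create-only: never modify an existing account, including the actor's own.
    $taken = array_map('strtolower', array_merge($existingUsers, [$actor]));
    if (in_array(strtolower($name), $taken, true)) {
        throw new RuntimeException("'$name' already exists; this page only creates users");
    }
    $p1 = $clean['passwordfld1'] ?? '';
    if (!is_string($p1) || $p1 === '' || $p1 !== ($clean['passwordfld2'] ?? null)) {
        throw new RuntimeException('passwords missing or do not match');
    }
    // Rights for the new account are fixed here, never taken from the request.
    return ['name' => $name, 'password' => $p1,
            'create_cert' => isset($clean['showcert']), 'groups' => [], 'priv' => []];
}

// Constructed sample requests: a normal create, one carrying a groups field,
// and one naming the delegated admin's own account.
$existing = ['admin', 'vpnadmin'];
$requests = [
    ['usernamefld' => 'alice', 'passwordfld1' => 's3cret!', 'passwordfld2' => 's3cret!', 'showcert' => 'yes'],
    ['usernamefld' => 'bob', 'passwordfld1' => 'x', 'passwordfld2' => 'x', 'groups' => ['admins']],
    ['usernamefld' => 'vpnadmin', 'passwordfld1' => 'new', 'passwordfld2' => 'new'],
];
foreach ($requests as $r) {
    try {
        $u = validate_restricted_create($r, 'vpnadmin', $existing);
        echo "accept: {$u['name']} (cert: " . ($u['create_cert'] ? 'yes' : 'no') . ")\n";
    } catch (RuntimeException $e) {
        echo 'reject: ' . $e->getMessage() . "\n";
    }
}
```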