OpenVPN with certificates + LDAP



  • Hi guys!

    I'm trying to configure an OpenVPN server with LDAP auth.

    The problem is: how do I get the users' certificates?

    LDAP auth is working ok, but is there any way to "import" users into "Users" of Pfsense so I can create their certificates and then use OpenVPN Export utility?

    Thanks


  • Rebel Alliance Developer Netgate

    You can create certificates for them under System > Cert Manager. No need to define the users on the User Manager.



  • Hello, I'm trying to do the same thing as the OP.  I have my LDAP configured and tested as far as authenticating to the firewall.  As per the response, I have created a certificate for the LDAP user in the local CA on the pfSense box.

    What I don't understand is how to use the OpenVPN Client Export utility to export the client + the user's cert.  The only thing that shows in the "Client Install Packages" is the user "Authentication (No Cert)".
    Do I have to export the client software, then manually export the cert for each user and come up with instructions for telling them how to import the cert into their particular OpenVPN client?  Below is what my Client Export screen looks like; am I missing something?
    https://www.dropbox.com/s/cscr2qfdcoisuws/Screenshot%202015-01-15%2009.32.57.png?dl=0


  • Rebel Alliance Developer Netgate

    For the certificates to be used the server mode must be set to "SSL/TLS + User Auth", and the user certs/keys must be imported under System > Cert Manager, on the Certificates tab.

    If the export package only shows "Authentication Only (No Cert)" then the mode must be set to "User Auth" only without SSL/TLS, which is wrong if you want client certificates.
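    As an added illustration (not code from this thread and not the config pfSense generates), here are two hand-written OpenVPN server fragments showing what the two modes amount to: "User Auth" only checks the LDAP password, while "SSL/TLS + User Auth" additionally requires a client certificate chained to the CA. File paths and the LDAP plugin location are assumptions.

```conf
# ---- server-userauth.conf : mode "User Auth" only ----
# Only the LDAP username/password is checked; no client cert is required.
# This is the mode whose export package shows "Authentication Only (No Cert)".
port 1194
proto udp
dev tun
tls-server
ca   /etc/openvpn/ca.crt            # assumed path: CA from Cert Manager
cert /etc/openvpn/server.crt        # assumed path: server cert
key  /etc/openvpn/server.key
dh   /etc/openvpn/dh.pem
server 10.8.0.0 255.255.255.0
verify-client-cert none             # OpenVPN 2.4+ (older: client-cert-not-required)
plugin /usr/lib/openvpn/openvpn-auth-ldap.so /etc/openvpn/auth-ldap.conf  # assumed plugin path
username-as-common-name             # log/identify sessions by the LDAP username

# ---- server-tls-userauth.conf : mode "SSL/TLS + User Auth" ----
# Same base as above, but the client must ALSO present a cert signed by ca.crt.
# A stolen LDAP password alone is no longer enough to connect.
port 1194
proto udp
dev tun
tls-server
ca   /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key  /etc/openvpn/server.key
dh   /etc/openvpn/dh.pem
server 10.8.0.0 255.255.255.0
verify-client-cert require          # reject clients without a valid cert
remote-cert-tls client              # cert must carry the client EKU, not a server cert
crl-verify /etc/openvpn/crl.pem     # assumed path: CRL from Cert Manager, to revoke a lost user cert
plugin /usr/lib/openvpn/openvpn-auth-ldap.so /etc/openvpn/auth-ldap.conf  # LDAP password still required
username-as-common-name
```

    With the second fragment a user needs both a per-user certificate issued under System > Cert Manager and valid LDAP credentials, which is why the Client Export utility only offers a per-certificate package in that mode.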



  • Derp.  Thank you.  I don't know how I missed that option during the setup wizard, but I did.  I edited the server entry under OpenVPN for my LDAP server, changed it to Remote Access (SSL/TLS + User Auth), and the client export wizard now shows a client build for the certificate I cut for my test user.  Now I just need to install it someplace and verify it's all working :D  Thanks a ton!

