Confused about OpenVPN + username + cert + RADIUS



  • Hi,
I'm new to pfsense and OpenVPN and RADIUS so please forgive my ignorance.  I am trying to set up OpenVPN so that I can send all my traffic via my home network securely when I'm on an untrusted network.

I have been looking at a bunch of articles and the pfsense wiki and I'm a bit confused about how to set up user certificates when I've got OpenVPN and FreeRadius in pfsense.

This page https://doc.pfsense.org/index.php/Using_OpenVPN_With_FreeRADIUS doesn't mention user certificates at all.  This howto https://www.highlnk.com/2013/12/configuring-openvpn-on-pfsense/ has the users being set up in pfsense System->User Manager.

    I'm using the pfsense System->Cert Manager for the certificate authority and certificates.

    I can't see any place to add a user certificate in the FreeRadius user screens.

I do have a slightly complicated setup: pfsense on the network boundary working as a firewall and running OpenVPN; another pfsense working as a RADIUS server behind the firewall.

    Any help is greatly appreciated.

    Thanks



On the FreeRadius box:

Under System->Cert Manager, create a Certificate Authority and a Server Certificate for OpenVPN.

    In FreeRadius under EAP check "Choose cert manager" and set "SSL CA Certificate" and "SSL Server Certificate" to the certificates you created above.

Create a NEW client for the OpenVPN box.

    On the OpenVPN Box:

Under "System->User Manager->Servers", create a new server that points to/uses your FreeRadius box (don't forget to set up a new client and adjust firewall rules on your FreeRadius box).

Create an OpenVPN server that uses the FreeRadius server above as the "Back end for Authentication".

(Beyond this point I'm not sure I'm giving you the correct info, but it seems logical.)

Set "Peer Certificate Authority" to the Server Certificate created on the FreeRadius box and select the "Server Certificate" you created for OpenVPN.

    After this all other options should be configured as normal, and you should be able to create new users under FreeRadius, and new user certificates with the Certificate manager on the FreeRadius box to connect to the VPN.

I've found that the user Certificate Common Name (CN) must match the Server Certificate Common Name (CN) unless you have selected "Strict User/CN Matching" in your OpenVPN Settings.

EDIT NOTE: This reply went through a few corrections; I'm finally finished and will update this post with another reply if needed.

DAMNIT, one last edit: You might need to create the users on the FreeRadius box, and the certificates on the OpenVPN box. I'm not sure; my set-up only uses one system.
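Added example, not posted by anyone in this thread: the "Strict User/CN Matching" point above comes down to one check, "does the username the client authenticated with equal the CN of the client certificate it presented?". The script below emulates that check so you can see which (username, certificate subject) pairs would pass with strict matching on versus off. It parses both subject forms OpenSSL-based software prints (the old /C=US/O=home/CN=alice one-liner and the C=US, O=home, CN=alice form), and the sample attempts at the bottom are constructed, as is the exact, case-sensitive comparison; this is not the code pfSense or OpenVPN run, only an illustration of the rule.

```python
import re


def parse_subject(subject):
    """Split an X.509 subject string into a dict of attribute -> value.

    Accepts the slash form (/C=US/O=home/CN=alice) and the comma form
    (C=US, O=home, CN=alice). Separators escaped with a backslash are
    kept inside the value, so 'O=Acme\\, Inc' stays one attribute.
    """
    subject = subject.strip()
    if subject.startswith("/"):
        parts = re.split(r"(?<!\\)/", subject[1:])
    else:
        parts = re.split(r"(?<!\\),\s*", subject)
    fields = {}
    for part in parts:
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        fields[key.strip().upper()] = re.sub(r"\\(.)", r"\1", value.strip())
    return fields


def check_user_cn(username, subject, strict):
    """Emulate a strict user/CN policy. Returns (allowed, reason).

    With strict off any valid certificate is accepted for any username,
    which is exactly why a shared client certificate "works" until the
    option is turned on. The comparison here is exact and case-sensitive
    (an assumption of this example).
    """
    cn = parse_subject(subject).get("CN")
    if cn is None:
        return False, "certificate subject has no CN"
    if not strict:
        return True, f"strict matching off: CN '{cn}' accepted for user '{username}'"
    if cn == username:
        return True, f"CN matches username '{username}'"
    return False, f"username '{username}' does not match certificate CN '{cn}'"


# Constructed connection attempts: (username sent to RADIUS, subject of the client cert)
SAMPLE_ATTEMPTS = [
    ("alice", "C=US, O=home, CN=alice"),        # personal cert, CN equals username
    ("bob", "/C=US/O=home/CN=alice"),           # bob logging in with alice's cert
    ("carol", "C=US, O=home, CN=openvpn-server"),  # cert whose CN is the server name
]


def evaluate(attempts=SAMPLE_ATTEMPTS):
    """Run every attempt under both policies; returns {username: (strict_ok, lax_ok)}."""
    results = {}
    for username, subject in attempts:
        strict_ok, _ = check_user_cn(username, subject, strict=True)
        lax_ok, _ = check_user_cn(username, subject, strict=False)
        results[username] = (strict_ok, lax_ok)
    return results


if __name__ == "__main__":
    for username, subject in SAMPLE_ATTEMPTS:
        for strict in (True, False):
            allowed, reason = check_user_cn(username, subject, strict)
            print(f"strict={strict!s:5} user={username:6} -> {'ALLOW' if allowed else 'DENY '} ({reason})")
```

The second and third constructed attempts are the ones the later posts in this thread run into: they succeed with strict matching off and are refused once it is on, so the auth-failure the client logs is the policy working, and the fix is a certificate per user whose CN is exactly that user's login name.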



  • I just found this topic and I know it's a few months old but it addresses my confusion. I followed the steps above about creating a new CA and a new certificate dedicated to a new OpenVPN server using the new cert.

    My confusion is how do I tie new users in FreeRadius to a cert that allows strict matching of the user to their cert for the OpenVPN connection?  I see a "Certificates" tab in FreeRadius2 but am not sure how that applies. Can anyone explain or assist?



When you create a user in freeRadius it is automatically tied to OpenVPN since OpenVPN is using FreeRadius to verify user info (this is done while setting up OpenVPN).  Just create a certificate and fill in the user name for the user in the "Descriptive Name" field.



  • @IAMCB:

When you create a user in freeRadius it is automatically tied to OpenVPN since OpenVPN is using FreeRadius to verify user info (this is done while setting up OpenVPN).  Just create a certificate and fill in the user name for the user in the "Descriptive Name" field.

    Ah!  So that is the trick. I will give it a try.  Thanks buddy!!



  • @zerodamage:

    @IAMCB:

When you create a user in freeRadius it is automatically tied to OpenVPN since OpenVPN is using FreeRadius to verify user info (this is done while setting up OpenVPN).  Just create a certificate and fill in the user name for the user in the "Descriptive Name" field.

    Ah!  So that is the trick. I will give it a try.  Thanks buddy!!

    I keep getting an error:

    SIGUSR1[soft,auth-failure] received, process restarting
    

    It doesn't seem to be a problem when I turn off that certificate matching requirement so I am not doing something right.  Any ideas?



  • Just a minor bump.



First, make sure that your radius server is receiving Access-Requests from your VPN server and that it is sending replies.
    You can filter packets using tcpdump, for example:

    tcpdump -X -i vmx0 -s0 port 1812

    For OpenVPN logs under pfsense go to "Services->System logs-> OpenVPN"
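Added example, not from any poster in this thread: the tcpdump command above shows raw UDP/1812 datagrams, and this script shows what is inside them and how to tell a genuine reply from a wrong-secret one. It builds a constructed Access-Request (User-Name, hidden User-Password, NAS-Identifier), a matching Access-Accept, and a reply produced with the wrong shared secret, then parses each and checks the Response Authenticator (MD5 over Code, ID, Length, Request Authenticator, attributes and the secret, per RFC 2865). The secret, username and NAS name are constructed values; this is a stand-alone parser, not code from pfSense or FreeRADIUS.

```python
import hashlib
import hmac
import os
import struct

# Packet codes (RFC 2865 section 3) and a few attribute types (section 5)
CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, REPLY_MESSAGE, NAS_IDENTIFIER = 1, 2, 4, 18, 32


def encode_attrs(attrs):
    """[(type, value_bytes)] -> RADIUS TLVs; the length byte counts its own 2-byte header."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def hide_password(password, secret, request_auth):
    """User-Password hiding from RFC 2865 section 5.2: 16-byte blocks XORed with an MD5 chain."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def reveal_password(hidden, secret, request_auth):
    """Inverse of hide_password; without the shared secret a capture does not yield the password."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(ident, username, password, secret, nas_id, request_auth=None):
    """Code 1 packet; the Request Authenticator must be unpredictable (RFC 2865 section 3)."""
    request_auth = request_auth or os.urandom(16)
    body = encode_attrs([(USER_NAME, username),
                         (USER_PASSWORD, hide_password(password, secret, request_auth)),
                         (NAS_IDENTIFIER, nas_id)])
    return struct.pack("!BBH", 1, ident, 20 + len(body)) + request_auth + body


def build_response(code, request, secret, attrs):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, request[1], 20 + len(body))
    return header + hashlib.md5(header + request[4:20] + body + secret).digest() + body


def parse_packet(data):
    """Decode header and attributes, refusing the inconsistent lengths a careless parser would accept."""
    if len(data) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length < 20 or length > len(data):
        raise ValueError("length field %d inconsistent with datagram" % length)
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header at offset %d" % pos)
        t, l = data[pos], data[pos + 1]
        if l < 2 or pos + l > length:
            raise ValueError("bad attribute length at offset %d" % pos)
        attrs.append((t, data[pos + 2:pos + l]))
        pos += l
    return {"code": code, "name": CODES.get(code, "code-%d" % code), "identifier": ident,
            "authenticator": data[4:20], "attributes": attrs}


def verify_response(response, request, secret):
    """True only if the reply matches this request's ID and was made with the same shared secret."""
    p = parse_packet(response)
    length = struct.unpack("!H", response[2:4])[0]
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:length] + secret).digest()
    return p["identifier"] == request[1] and hmac.compare_digest(expected, p["authenticator"])


def demo():
    """Constructed exchange: one request, a genuine accept, and an accept made with the wrong secret."""
    secret = b"constructed-shared-secret"   # constructed; in practice the FreeRADIUS client secret
    req = build_access_request(7, b"alice", b"pa55word", secret, b"pfsense-openvpn")
    accept = build_response(2, req, secret, [(REPLY_MESSAGE, b"welcome")])
    forged = build_response(2, req, b"wrong-secret", [(REPLY_MESSAGE, b"welcome")])
    return {"request": parse_packet(req)["name"], "reply": parse_packet(accept)["name"],
            "reply_ok": verify_response(accept, req, secret),
            "forged_ok": verify_response(forged, req, secret)}


if __name__ == "__main__":
    print(demo())
```

If the capture shows Access-Requests leaving the OpenVPN box but no reply, look at the FreeRADIUS client entry and firewall rules first; if replies arrive but every one fails the authenticator check, the shared secret differs on the two boxes, which FreeRADIUS also reports in its own log.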

