Netgate Discussion Forum
    SSL/TLS + User Auth = no client export packages

    OpenVPN
    19 Posts 5 Posters 2.2k Views
    • Joschide

      Quick question:

      When I change server mode to SSL/TLS + User Auth, the client export package disappears.  If I change it back to just User Auth, the export package is available.  Is that by design?  When I run the wizard, I don't have a server mode option.

      I should add that I have tried deleting the ca, openvpn and firewall rules and I've tried to reinstall the client export packages.

      Thanks,
      Joschi

      • mikeisfly

        It's there on mine. I would back up your config and reinstall pfSense. I'm using 2.2.3 64bit. But I was using 2.2.4 64bit and had no issue; I had to downgrade due to the fact that my clients wouldn't pick up DHCP-assigned addresses until I restarted my box.

        • Joschide

          Hmm, I'm on the latest release.  Did the wizard have the server mode option for you?

          • johnpoz (LAYER 8 Global Moderator)

            I don't have any issues with this..  running 2.2.4

            You sure you're picking the correct instance in the client export drop down for the one you set to TLS+user auth?

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 24.11 | Lab VMs 2.8, 24.11

            • Joschide

              @johnpoz:

              I don't have any issues with this..  running 2.2.4

              You sure you're picking the correct instance in the client export drop down for the one you set to TLS+user auth?

              Yes I only have one created.  Could certain options cause this to happen?

              • johnpoz (LAYER 8 Global Moderator)

                Do you actually have a user created?  I just switched mine from TLS auth to TLS+user and see packages just fine to export.  Exported the package and all the stuff is in there.

                • Joschide

                  I'm using an LDAP server on my LAN to authenticate users.  Do I still need to create a user in pfSense?

                  • Joschide

                    @Joschide:

                    I'm using an LDAP server on my LAN to authenticate users.  Do I still need to create a user in pfSense?

                    I'd like to add that authentication functions correctly from Diagnostics and from the client.

                    • johnpoz (LAYER 8 Global Moderator)

                      Well, if you don't have a user, not sure how the export package could give you anything to download.  Might be a bit of an issue when trying to use an auth server??  I would have to test that..

                      • Joschide

                        @johnpoz:

                        Well, if you don't have a user, not sure how the export package could give you anything to download.  Might be a bit of an issue when trying to use an auth server??  I would have to test that..

                        A package is available and works correctly if I only use User Auth.  It disappears when I change server mode to SSL/TLS + User Auth…

                        • johnpoz (LAYER 8 Global Moderator)

                          Ok, I just set up an external auth server for RADIUS and one for LDAP, and then changed one of my OpenVPN instances from TLS to TLS+user auth, and it sure looks like packages are there to download picking either the RADIUS or the LDAP server in the OpenVPN setup.

                          And also there if I use local database for the vpn instance.

                          [attachments: externalauthexport.png, andtherewhenlocalaswell.png]

                          • jimp (Rebel Alliance Developer Netgate)

                            If you use SSL/TLS + User Auth with an external auth server, you need to manually make user certs under System > Cert Manager.

                            It will offer the certs under the same CA there for download; ideally make one cert per user with the CN the same as their username.

                            Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                            Need help fast? Netgate Global Support!

                            Do not Chat/PM for help!

                            • Joschide

                              @jimp:

                              If you use SSL/TLS + User Auth with an external auth server, you need to manually make user certs under System > Cert Manager.

                              It will offer the certs under the same CA there for download; ideally make one cert per user with the CN the same as their username.

                              Ah okay.  That worked.  Thanks.  So the cert used for SSL/TLS + User Auth is tied to a user, and that user cert has to be added in pfSense.  Is this common practice when using an external auth server?  Or do most forgo the cert to avoid having to create a user cert in pfSense for each user with OpenVPN access (could be hundreds)?

                              Thank you for your time,
                              Joschi

                              • johnpoz (LAYER 8 Global Moderator)

                                What other cert would it use??  You could use a common cert that you give to ALL users.. That seems like what you're after.. But not a very good idea.

                                [attachment: certs.png]

                                • jimp (Rebel Alliance Developer Netgate)

                                  @Joschide:

                                  So the cert used for SSL/TLS + User Auth is tied to a user, and that user cert has to be added in pfSense.

                                  Usually, yes. Though the specifics are up to the site policies/procedures.

                                  @Joschide:

                                  Is this common practice when using an external auth server?  Or do most forgo the cert to avoid having to create a user cert in pfSense for each user with OpenVPN access (could be hundreds)?

                                  It depends on the site/admin. Some prefer to only have user auth with an external LDAP/RADIUS server and forego using certs at all.

                                  Using one cert for everyone is a very bad practice, I don't know of anyone serious doing that in production.

                                  Those who are very strict about security generate their own certs on a central CA structure not handled on the firewall and wouldn't use the export package – but that's your classic security vs convenience tradeoff.

                                  The best balance for external auth is to make the individual user certs, make the cert CN match the username, and also check the option on the server for strict CN matching (that way user A can't use user B's certificate to log in using their own credentials, or vice versa).

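The check jimp describes here (strict CN matching, on top of one cert per user with CN equal to the username from his earlier reply) is easy to see in code. The following is an added example, not pfSense's or OpenVPN's own implementation: an `auth-user-pass-verify` hook in the `via-env` style, where OpenVPN hands the script the client's `username` and `password` plus the `common_name` from the client certificate. The password backend is a stand-in (`check_password_external` with a constructed demo user table), where a real deployment would query LDAP or RADIUS; the script path and the exact (case-sensitive) comparison are assumptions.

```python
#!/usr/bin/env python3
"""Strict User-CN matching for an OpenVPN auth-user-pass-verify hook.

Added example, not pfSense's own auth script. Assumes the server config has
    script-security 3
    auth-user-pass-verify /usr/local/bin/strict-cn-auth.py via-env
so that OpenVPN exports `username`, `password` and `common_name` into the
environment of this script. Exit 0 accepts the client, exit 1 rejects it.
"""
import os
import sys

# Constructed demo credentials, standing in for an LDAP/RADIUS backend.
DEMO_USERS = {"alice": "alice-demo-pw", "bob": "bob-demo-pw"}


def check_password_external(username: str, password: str) -> bool:
    """Stand-in for the external auth server lookup (LDAP/RADIUS)."""
    return DEMO_USERS.get(username) == password


def strict_cn_matches(username: str, common_name: str) -> bool:
    """True only when the certificate CN is exactly the username.

    An exact comparison is assumed here; an empty username never matches.
    """
    return bool(username) and username == common_name


def authorize(username: str, password: str, common_name: str,
              strict_cn: bool = True):
    """Decide whether to admit the client. Returns (accepted, reason).

    With strict_cn=False the decision rests on the password alone, which is
    the situation the thread warns about: user A could present user B's
    certificate together with A's own valid password and be let in.
    """
    if not check_password_external(username, password):
        return False, "password rejected by auth server"
    if strict_cn and not strict_cn_matches(username, common_name):
        return False, (f"certificate CN '{common_name}' does not match "
                       f"username '{username}'")
    return True, "ok"


def main() -> int:
    username = os.environ.get("username", "")
    password = os.environ.get("password", "")
    common_name = os.environ.get("common_name", "")
    accepted, reason = authorize(username, password, common_name)
    # stderr ends up in the OpenVPN server log, which is where the
    # mismatch should be visible to whoever reviews VPN logins.
    print(f"strict-cn-auth: user={username!r} cn={common_name!r} -> {reason}",
          file=sys.stderr)
    return 0 if accepted else 1


if __name__ == "__main__":
    sys.exit(main())
```

Run in place of a password-only check, the hook rejects a valid password presented with someone else's certificate, and the rejection reason in the log names both the username and the CN, so a mismatch is easy to spot when reviewing connection attempts.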
                                  • Joschide

                                    @jimp:

                                    @Joschide:

                                    So the cert used for SSL/TLS + User Auth is tied to a user, and that user cert has to be added in pfSense.

                                    Usually, yes. Though the specifics are up to the site policies/procedures.

                                    @Joschide:

                                    Is this common practice when using an external auth server?  Or do most forgo the cert to avoid having to create a user cert in pfSense for each user with OpenVPN access (could be hundreds)?

                                    It depends on the site/admin. Some prefer to only have user auth with an external LDAP/RADIUS server and forego using certs at all.

                                    Using one cert for everyone is a very bad practice, I don't know of anyone serious doing that in production.

                                    Those who are very strict about security generate their own certs on a central CA structure not handled on the firewall and wouldn't use the export package – but that's your classic security vs convenience tradeoff.

                                    The best balance for external auth is to make the individual user certs, make the cert CN match the username, and also check the option on the server for strict CN matching (that way user A can't use user B's certificate to log in using their own credentials, or vice versa).

                                    Thank you for your time and expertise.  I do appreciate the explanation.  8)

                                    • Derelict (LAYER 8 Netgate)

                                      What would be great would be for OpenVPN to grab the user's public key out of the LDAP directory so it wouldn't need a user in pfSense at all.

                                      But you'd need another system (could be offline) that had the user's public and private keys in order to use client export.

                                      Chattanooga, Tennessee, USA
                                      A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                                      DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                                      Do Not Chat For Help! NO_WAN_EGRESS(TM)

                                      • Joschide

                                        @Derelict:

                                        What would be great would be for OpenVPN to grab the user's public key out of the LDAP directory so it wouldn't need a user in pfSense at all.

                                        But you'd need another system (could be offline) that had the user's public and private keys in order to use client export.

                                        That would be nice!

                                        • jimp (Rebel Alliance Developer Netgate)

                                          Unfortunately LDAP schemas vary widely so it would be tough to pull something like that off. Not sure I like the idea of fetching a client's private keys via LDAP either, but as long as LDAP is using SSL itself it may not be too bad. The problem then becomes finding a way to query the LDAP server in such a way that it can get a list of all users with certs/keys available. Gets ugly fast…

                                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.