    AD user accounts for OpenVPN

      Sebbo last edited by

      Hi,

      I've set up a Windows Server 2012 R2 server with the following services (roles) on it:

      • Active Directory Domain Controller

      • DNS Server

      • DHCP Server

      In pfSense I've added an Active Directory server as an LDAP authentication method for users, so that admins are able to log in to the pfSense web interface with their AD credentials. This works fine.

      Is it also possible to set up OpenVPN, IPsec or something like that for all AD users, so that they are able to connect via VPN to pfSense with their AD credentials? It would be awesome if I didn't have to add a new local user on pfSense and also didn't have to download any kind of configuration file(s) for those users. It should just work out of the box for each user.

      Well… I've also tried to add a new local user to pfSense, configured OpenVPN with the wizard and installed the suggested export package. But whenever I tried to export the OpenVPN configuration file for that user, I got an error message that the system wasn't able to download the configuration file because it couldn't contact the CA.

      As CA I've imported the certificate for RapidSSL, because I have a wildcard certificate for my domain from RapidSSL, which I've also imported as a certificate and which is in use for the webConfigurator. Under "System" -> "Cert Manager" -> "Certificates" I can see a pending "user cert".

      Please note that I want to use a valid SSL certificate for the web interface of pfSense.

      Any suggestions?

        Sebbo last edited by

        I found a solution.

        I've added the RapidSSL certificate, and additionally I've also added an internal CA and certificate which is only used for OpenVPN. With this it is possible to create a single OpenVPN configuration archive/file which every user of the Active Directory can use.

        The RapidSSL certificate is just used for the webConfigurator.

        Nice! :)

        #Closed

          skaaptjop last edited by

          Hi there,
          I'm curious how you got this right since I want to achieve the same thing.
          Could you describe what you meant by "single OpenVPN configuration file"?

          Thanks,
          Will

            Sebbo last edited by

            @skaaptjop:

            Could you describe what you meant by "single OpenVPN configuration file"?

            Sure.

            All my users are using the exact same OpenVPN configuration file(s), but every user can log in with his own Active Directory login. The files are

            • OpenVPN Configuration file

            • Security certificate

            • Key file

            Each user has to import those three files into his […]OpenVPN/config/ directory to be able to connect to the pfSense VPN. If they connect with this connection/these settings, they will see a login prompt for username and password, and there they can use their Active Directory login credentials. :)

            Well… In the end I just had to create one single OpenVPN configuration package and one user, and I don't always have to create an OpenVPN configuration for each user. I also don't have to delete all those users after they may have left the company or just don't need the access anymore.

            To manage access to pfSense, I've created a security group in our Active Directory, which has members like me and other users who should have access to the pfSense VPN. If somebody shouldn't have access anymore, I just have to remove his membership of this group. Very easy. :)

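The shared-profile model described in the post above only controls access per user if the profile actually forces the username/password prompt and carries no stored credentials. Below is an added example (not from the thread or from pfSense) of a small audit for such a distributed client profile; the profile text and the hostname in it are constructed placeholders.

```python
"""Audit an OpenVPN client profile that is handed out to every AD user.

Added example, not code from the thread. The profile must use `auth-user-pass`
with no credentials file (so each user is prompted for AD credentials), and the
shared cert/key must be accompanied by a CA reference or inline <ca> block.
"""
import re

# Constructed sample of the kind of shared profile the thread describes.
SAMPLE_PROFILE = """\
client
dev tun
proto udp
remote vpn.example.invalid 1194
ca ca.crt
cert shared-client.crt
key shared-client.key
auth-user-pass
verb 3
"""

def parse_profile(text):
    """Map each directive to a list of argument lists; inline <tag>...</tag>
    blocks are stored under the tag name with their body as the single argument."""
    directives, block, body = {}, None, []
    for raw in text.splitlines():
        line = raw.strip()
        if block:  # inside an inline block such as <ca> ... </ca>
            if line == f"</{block}>":
                directives.setdefault(block, []).append(["\n".join(body)])
                block, body = None, []
            else:
                body.append(line)
            continue
        m = re.fullmatch(r"<([a-z-]+)>", line)
        if m:
            block = m.group(1)
            continue
        if not line or line.startswith(("#", ";")):
            continue
        name, *args = line.split()
        directives.setdefault(name, []).append(args)
    return directives

def audit_shared_profile(text):
    """Return findings; an empty list means the profile fits the shared-config model."""
    d, findings = parse_profile(text), []
    aup = d.get("auth-user-pass")
    if not aup:
        findings.append("auth-user-pass missing: users would not be prompted for AD credentials")
    elif any(args for args in aup):
        findings.append("auth-user-pass names a credentials file: stored password defeats per-user login")
    if "ca" not in d:
        findings.append("no CA reference: client cannot verify the pfSense server certificate")
    if ("cert" in d) != ("key" in d):
        findings.append("cert and key must both be present for the shared client identity")
    return findings
```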