AD user accounts for OpenVPN

  • Hi,

    I've setup a Windows Server 2012 R2 server with following services (roles) on it:

    • Active Directory Domain Controller

    • DNS Server

    • DHCP Server

    In pfSense I've added an Active Directory server as the LDAP authentication method for users, so that admins are able to log in to the pfSense web interface with their AD credentials. This works fine.

    Is it also possible to set up OpenVPN, IPsec or something like that for all AD users, so that they are able to connect via VPN to pfSense with their AD credentials? It would be awesome if I didn't have to add a new local user on pfSense and also didn't have to download any kind of configuration file(s) for those users. It should just work out of the box for each user.

    Well… I've also tried to add a new local user to pfSense, configured OpenVPN with the wizard and installed the suggested export package. But whenever I tried to export the OpenVPN configuration file for that user, I got an error message saying that the system wasn't able to download the configuration file because it couldn't contact the CA.

    As the CA I've imported the certificate for RapidSSL, because I have a wildcard certificate for my domain from RapidSSL, which I've also imported as a certificate and which is in use for the webConfigurator. Under "System" -> "Cert Manager" -> "Certificates" I can see a pending "user cert".

    Please note that I want to use a valid SSL certificate for the web interface of pfSense.

    Any suggestions?

  • I found a solution.

    I've added the RapidSSL certificate and additionally I've also added an internal CA and certificate, which is only used for OpenVPN. With this it is possible to create a single OpenVPN configuration archive/file, which every user of the Active Directory can use.

    The RapidSSL certificate is just used for the webConfigurator.

    Nice! :)


  • Hi there,
    I'm curious how you got this right since I want to achieve the same thing.
    Could you describe what you meant by "single OpenVPN configuration file"?


  • @skaaptjop:

    Could you describe what you meant by "single OpenVPN configuration file"?


    All my users are using the exact same OpenVPN configuration file(s), but every user can log in with his own Active Directory login. The files are

    • OpenVPN Configuration file

    • Security certificate

    • Key file

    Each user has to import those three files into his […]OpenVPN/config/ directory to be able to connect to the pfSense VPN. If they connect with this connection/these settings, they will see a login prompt for username and password, and there they can use their Active Directory login credentials. :)

    Well… In the end I just had to create one single OpenVPN configuration package and user, and I don't always have to create an OpenVPN configuration for each user. Also I don't have to delete all those users after they may have left the company or just don't need the access anymore.

    To manage the access to pfSense, I've created a security group in our Active Directory, which has members like me and other users who should have access to the pfSense VPN. If somebody shouldn't have access anymore, I just have to remove his membership of this group. Very easy. :)
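What the shared profile described in the last post looks like, as an added illustration rather than the poster's own exported files: one client configuration plus one certificate/key pair that every AD user imports unchanged, with the user's identity supplied only by the `auth-user-pass` prompt. The hostname, port, file names and cipher are assumptions.

```conf
# Added example (not the poster's exported files): a shared OpenVPN client
# profile that every AD user can use unchanged. Hostname, port, file names
# and cipher are assumed and must match the pfSense server settings.
client
dev tun
proto udp
remote vpn.example.com 1194        # assumed pfSense WAN hostname/port
resolv-retry infinite
nobind
persist-key
persist-tun

# The three shared files the poster describes. They identify the profile,
# not the person: per-user identity comes only from the AD login below.
ca   pfsense-openvpn-ca.crt        # the internal CA created just for OpenVPN
cert pfsense-openvpn-client.crt    # one client certificate shared by all users
key  pfsense-openvpn-client.key    # its private key, shared as well

# Prompt for username/password at connect time; pfSense checks them against
# the LDAP (Active Directory) authentication server, not local users.
auth-user-pass

# Require the server certificate to carry the server role, so a leaked copy
# of the shared client cert/key cannot be used to impersonate the VPN endpoint.
remote-cert-tls server

cipher AES-256-GCM                 # assumed; must equal the server's setting
verb 3
```

Because the certificate and key are shared, there is no per-user certificate to revoke; the AD security group (restricted on the pfSense LDAP server via its Extended Query, e.g. `memberOf=CN=<group>,...`) is the only access control, and a copy of the key that leaves the company should be treated as a reason to reissue the shared pair.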