For those who are familiar with large-scale deployments (100+ users) of OpenVPN on pfSense with user certificates (with or without LDAP/RADIUS): is it difficult to manage numerous certificates within the GUI of pfSense? I do have an OpenVPN CA created on pfSense which I use to sign my user certificates. Is there a better approach when using user certs? To me it seems tedious but necessary to scroll through the pfSense page for a user cert to check if it's created if you have over 100 users. Maybe I should rethink my approach?
Follow-up. Has anyone implemented Microsoft 2FA with OpenVPN?
I only used OpenVPN briefly and only for personal remote access to the home network, but if I recall correctly, you don’t necessarily need the user certificates to be stored in pfSense. When a client attempts to connect with a certificate, pfSense will simply check whether the certificate was signed by the configured CA. So you could use any external means of storing certificates.
Looking at guides, do I need the RADIUS portion as well?
I got the Proxy Auth running and I have the configs for LDAP, just wondering if I need the RADIUS config. So far OVPN doesn't work and I can't log in to my pfSense GUI using my LDAP credentials.
My Auth Servers configuration points to the Duo Auth Proxy server.
You have to set up a user on Duo with the same username you are trying to authenticate with using LDAP.
Since I had an administrator account I had to create another entry in the Duo app for my LDAP user.
Once you authenticate on pfSense it will look like nothing is happening, but you will get a notification on your phone that you are trying to authenticate. Once you approve the request it will proceed to log in.
My problem is that any LDAP account that I create that's in the admin group for some reason can't bind.
I'm using the Synology LDAP server.
[warn] The LDAP host clear connection to 192.168.3.3:389 has connectivity problems.
[error] The Auth Proxy was unable to bind as netadmin.
[error] Please ensure that the provided service account credentials are correct.
[warn] The Auth Proxy did not run the search check because of the problem(s) with the bind check. Resolve that issue and rerun the tester.
The results have also been logged in /opt/duoauthproxy/log/connectivity_tool.log
Had to add an auth_type along with my bind_dn parameter.
Connectivity tests pass.
When I try OVPN I'm still getting auth failed. A lot farther than before at least.
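For readers following the same path, here is a Duo Authentication Proxy configuration of the kind described in this thread: pfSense's LDAP authentication server points at the proxy, and the proxy binds to the directory with an explicit bind_dn and auth_type. This is an added illustration, not the poster's actual file; the directory host and service account name are the ones that appear in the connectivity log above, and every DN, key and password is a placeholder.

```ini
; authproxy.cfg (constructed example, not the poster's configuration)

; [ad_client] is how the proxy reaches the primary directory, here the
; Synology LDAP server at 192.168.3.3 from the connectivity log above.
[ad_client]
host=192.168.3.3
port=389
; A non-Active-Directory server does not speak NTLM, so the proxy must
; bind with a plain password and a full DN. This pair of settings is the
; "auth_type along with bind_dn" change that made the connectivity tests pass.
auth_type=plain
; placeholder DN for the netadmin service account
bind_dn=uid=netadmin,cn=users,dc=example,dc=com
service_account_username=netadmin
; placeholder, keep the real value out of version control
service_account_password=CHANGE_ME
; placeholder base DN under which users are searched
search_dn=cn=users,dc=example,dc=com
; Synology/OpenLDAP style directories key users on uid rather than sAMAccountName
username_attribute=uid

; pfSense's LDAP "Authentication Server" entry targets this listener, not
; the directory itself. The proxy checks the password against [ad_client],
; then sends the Duo push and only answers pfSense once it is approved,
; which is the "nothing seems to happen until you tap approve" behaviour.
[ldap_server_auto]
; placeholder Duo integration key, secret key and API hostname
ikey=DIXXXXXXXXXXXXXXXXXX
skey=CHANGE_ME
api_host=api-XXXXXXXX.duosecurity.com
client=ad_client
; secure: reject logins if Duo is unreachable rather than bypass 2FA
failmode=secure
port=389
```

The account named in bind_dn must also exist as a user in Duo, as noted above, otherwise the push is never sent and the login fails after the primary bind succeeds.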