Ovpn user scalability

For those who are familiar with large-scale deployments (100+ users) of OpenVPN on pfSense with user certificates (with or without LDAP/RADIUS): is it difficult to manage numerous certificates within the GUI of pfSense? I do have an OpenVPN CA created on pfSense which I use to sign my user certificates. Is there a better approach when using user certs? To me it seems tedious but necessary to scroll through the pfSense page for a user cert to check if it's created if you have over 100 users. Maybe I should rethink my approach?

Follow-up. Has anyone implemented Microsoft 2FA with OpenVPN?

For multifactor

For user management


I only used OpenVPN briefly and only for personal remote access to the home network, but if I recall correctly, you don’t necessarily need the user certificates to be stored in pfSense. When a client attempts to connect with a certificate, pfSense will simply check whether the certificate was signed by the configured CA. So you could use any external means of storing certificates.


Seeing Jim's response to this exact question is interesting.
So basically user auth.
For 2FA I assume I can use an IdP such as Duo?

I'm not 100% sure. Maybe if it was trying to auth directly with Duo it might work. It seems that is how it works for Azure AD in this Reddit post.

https://www.reddit.com/r/PFSENSE/comments/s1dyka/openvpn_active_directory_auth_and_mfa/

Follow up

I signed up for Duo and set up the LDAP proxy, and 2FA prompts on my phone as soon as I try to log in. It waits for a response before proceeding. :+1:


Very nice. Thank you for confirming. I super appreciate it!
Duo, I see, has a free trial version, but if the POC works and pricing is right this is a huge step forward.

Looking at guides, do I need the RADIUS portion as well?
I got the Auth Proxy running and I have the configs for LDAP, just wondering if I need the RADIUS config. So far OpenVPN doesn't work and I can't log in to my pfSense GUI using my LDAP credentials.
My Auth Servers configuration points to the Duo Auth Proxy server.
Still troubleshooting.

You have to set up a user on Duo as the same user you are trying to authenticate with using LDAP.

Since I had an administrator account I had to create another entry in the Duo app for my LDAP user.

Once you authenticate on pfSense it will look like nothing is happening, but you will get a notification on your phone that you are trying to authenticate. Once you approve the request it will proceed to log in.

My problem is that any LDAP account that I create that's in the admin group for some reason can't bind.

I'm using the Synology LDAP server.

[warn] The LDAP host clear connection to 192.168.3.3:389 has connectivity problems.
[error] The Auth Proxy was unable to bind as netadmin.
[error] Please ensure that the provided service account credentials are correct.
[warn] The Auth Proxy did not run the search check because of the problem(s) with the bind check. Resolve that issue and rerun the tester.
[info]

The results have also been logged in /opt/duoauthproxy/log/connectivity_tool.log

EDIT:
Had to add an auth_type along with my bind_dn parameter.

Connectivity tests pass.
When I try OpenVPN I'm still getting auth failed. A lot farther than before at least.
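The fix described above (auth_type together with bind_dn for a non-AD directory such as Synology LDAP), laid out as an added Duo Authentication Proxy authproxy.cfg example for the pfSense-to-Duo-to-Synology chain discussed in this thread. This is not config from the thread or from Duo's own documentation; the host, DNs, service account, Duo keys and api_host are placeholders that must be replaced with real values.

```ini
; authproxy.cfg: pfSense -> Duo Auth Proxy (LDAP listener) -> Synology LDAP -> Duo push
; Added example, not from the thread. Hosts, DNs, credentials and Duo keys are placeholders.

[ad_client]
; Primary authentication backend: the Synology directory the proxy binds to.
host=192.168.3.3
; The thread's connectivity log shows a clear-text connection on 389.
; Prefer transport=ldaps or starttls with ssl_ca_certs_file pointing at the
; directory's CA once the basic flow works, so the bind password is not sent in clear.
transport=clear
; Synology/OpenLDAP is not Active Directory: the service account must use a
; simple (plain) bind with its full DN. Without auth_type=plain the proxy
; attempts an AD-style bind and the tester reports "unable to bind as <user>".
auth_type=plain
bind_dn=uid=netadmin,cn=users,dc=example,dc=com
service_account_username=netadmin
service_account_password=REPLACE_WITH_SERVICE_ACCOUNT_PASSWORD
; Subtree that user searches start from.
search_dn=cn=users,dc=example,dc=com
; Synology exposes user names in uid, not sAMAccountName.
username_attribute=uid

[ldap_server_auto]
; Listener that the pfSense Authentication Server entry points at (TCP 389 by default).
; Integration values come from the Duo Admin Panel application of type "LDAP Proxy".
ikey=DIXXXXXXXXXXXXXXXXXX
skey=REPLACE_WITH_DUO_SECRET_KEY
api_host=api-XXXXXXXX.duosecurity.com
client=ad_client
; Reject logins if the Duo cloud service is unreachable; "safe" would allow
; primary-password-only logins during an outage.
failmode=secure
; pfSense first binds with its own service account to search for the user;
; that bind must not trigger a push, only the end user's bind should.
exempt_primary_bind=true
```

The Duo user name must match the value of username_attribute for the LDAP account (netadmin here), which is the mismatch the later replies in this thread point at.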

Did you set up your LDAP user in Duo? You cannot use your admin account from Duo.

I did, but I'm still getting auth fail.

So I have an LDAP user called 'netadmin'.
I log into my Duo admin account. I go to Dashboard > Add User. The username I give it is netadmin.
I make no other changes, click save.

From a networking standpoint, I see the Proxy and the LDAP server talking in pcaps. The problem isn't there. I strongly suspect it's between the Proxy and the Duo service. But I don't know what else I could be missing.