Ovpn user scalability

For those who are familiar with large-scale deployments (100+ users) of OpenVPN on pfSense with user certificates (with or without LDAP/RADIUS): is it difficult to manage numerous certificates within the pfSense GUI? I do have an OpenVPN CA created on pfSense which I use to sign my user certificates. Is there a better approach when using user certs? To me it seems tedious but necessary to scroll through the pfSense page for a user cert to check if it's created if you have over 100 users. Maybe I should rethink my approach?

Follow-up. Has anyone implemented Microsoft 2FA with OpenVPN?

For multifactor

For user management


I only used OpenVPN briefly and only for personal remote access to the home network, but if I recall correctly, you don’t necessarily need the user certificates to be stored in pfSense. When a client attempts to connect with a certificate, pfSense will simply check whether the certificate was signed by the configured CA. So you could use any external means of storing certificates.

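The reply above makes the key point: pfSense only checks that the client certificate was signed by the configured CA, so the user certificates themselves can live anywhere. The script below is an added example, not code from this thread or from pfSense, showing what that looks like with an external CA run by plain OpenSSL: issue user certificates, verify them the way an OpenVPN server does with its CA certificate and CRL, and revoke one. The directory layout, file names, user names and the minimal CA config are all assumptions made for the example.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): run the OpenVPN user CA outside pfSense
# with plain OpenSSL, so pfSense only needs the CA certificate (and CRL) and
# never has to hold the 100+ user certificates. Directory layout, file names
# and the CA config below are assumptions made for this example.

# Create a minimal OpenSSL CA under $1 whose certificate has CN=$2.
init_ca() {
  local dir="$1" name="$2"
  mkdir -p "$dir/newcerts"
  : > "$dir/index.txt"          # issued-certificate database (who has a cert)
  echo 1000 > "$dir/serial"     # next certificate serial number (hex)
  echo 01 > "$dir/crlnumber"    # next CRL number
  # Unquoted heredoc: $dir expands now, \$dir stays literal for OpenSSL.
  cat > "$dir/openssl.cnf" <<EOF
[ ca ]
default_ca = vpn_ca
[ vpn_ca ]
dir = $dir
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
certificate = \$dir/ca.crt
private_key = \$dir/ca.key
serial = \$dir/serial
crlnumber = \$dir/crlnumber
default_md = sha256
default_days = 365
default_crl_days = 30
policy = vpn_policy
[ vpn_policy ]
commonName = supplied
[ req ]
prompt = no
distinguished_name = req_dn
[ req_dn ]
EOF
  # Self-signed CA certificate, explicitly marked as a CA that may sign CRLs.
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -config "$dir/openssl.cnf" -subj "/CN=$name" \
    -addext "basicConstraints=critical,CA:TRUE" \
    -addext "keyUsage=critical,keyCertSign,cRLSign" \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" >/dev/null 2>&1 || return 1
  # Always publish a CRL (initially empty) so revocation checks can run.
  openssl ca -config "$dir/openssl.cnf" -gencrl -out "$dir/crl.pem" >/dev/null 2>&1
}

# Issue a client certificate with CN=$2 from the CA in $1.
issue_user_cert() {
  local dir="$1" user="$2"
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$dir/openssl.cnf" \
    -subj "/CN=$user" -keyout "$dir/$user.key" -out "$dir/$user.csr" >/dev/null 2>&1 || return 1
  # 'openssl ca' records the cert in index.txt, which is what makes revocation possible.
  openssl ca -batch -notext -config "$dir/openssl.cnf" \
    -in "$dir/$user.csr" -out "$dir/$user.crt" >/dev/null 2>&1
}

# Revoke user $2's certificate at the CA in $1 and republish the CRL.
revoke_user_cert() {
  local dir="$1" user="$2"
  openssl ca -config "$dir/openssl.cnf" -revoke "$dir/$user.crt" >/dev/null 2>&1 || return 1
  openssl ca -config "$dir/openssl.cnf" -gencrl -out "$dir/crl.pem" >/dev/null 2>&1
}

# The check an OpenVPN server makes with its --ca and --crl-verify files:
# is $2 signed by the CA in $1 and not on that CA's CRL? Returns 0 if acceptable.
verify_user_cert() {
  local dir="$1" cert="$2"
  openssl verify -crl_check -CAfile "$dir/ca.crt" -CRLfile "$dir/crl.pem" "$cert" >/dev/null 2>&1
}

# Walk through the scenario with two independent CAs in a scratch directory.
demo() {
  local work="$1"
  init_ca "$work/corp" "Corp OpenVPN CA" && init_ca "$work/other" "Unrelated CA" || return 1
  issue_user_cert "$work/corp" alice && issue_user_cert "$work/other" outsider || return 1
  verify_user_cert "$work/corp" "$work/corp/alice.crt" && echo "alice: accepted"
  verify_user_cert "$work/corp" "$work/other/outsider.crt" || echo "outsider: rejected (not signed by our CA)"
  revoke_user_cert "$work/corp" alice || return 1
  verify_user_cert "$work/corp" "$work/corp/alice.crt" || echo "alice after revocation: rejected"
}

demo "$(mktemp -d)"
```

With this layout pfSense only needs the CA certificate imported (plus the CRL if you enable CRL checking on the OpenVPN server), and the CA's index.txt becomes the single record of which users hold a certificate, which replaces scrolling through the GUI. Keep the CA private key off the firewall and treat the CRL as the off-boarding mechanism: an ex-employee's certificate is still validly signed until it appears on a CRL the server actually loads.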

Seeing Jim's response to this exact question is interesting.
So basically user auth.
For 2FA I assume I can use an IdP such as Duo?

I'm not 100% sure. Maybe if it was trying to auth directly with Duo it might work. It seems that is how it works for Azure AD in this Reddit post.

Follow-up

I signed up for Duo and set up the LDAP proxy, and the 2FA prompt arrives on my phone as soon as I try to log in. It waits for a response before proceeding. 👍


Very nice. Thank you for confirming. I super appreciate it!
Duo, I see, has a free trial version, but if the POC works and the pricing is right this is a huge step forward.

Looking at guides, do I need the RADIUS portion as well?
I got the Auth Proxy running and I have the configs for LDAP, just wondering if I need the RADIUS config. So far OpenVPN doesn't work and I can't log in to my pfSense GUI using my LDAP credentials.
My Auth Servers configuration points to the Duo Auth Proxy server.
Still troubleshooting.

You have to set up a user on Duo with the same username you are trying to authenticate with using LDAP.

Since I had an administrator account I had to create another entry in the Duo app for my LDAP user.

Once you authenticate on pfSense it will look like nothing is happening, but you will get a notification on your phone that you are trying to authenticate. Once you approve the request it will proceed to log in.

My problem is that any LDAP account that I create that's in the admin group for some reason can't bind.

I'm using the Synology LDAP server.

[warn] The LDAP host clear connection to has connectivity problems.
[error] The Auth Proxy was unable to bind as netadmin.
[error] Please ensure that the provided service account credentials are correct.
[warn] The Auth Proxy did not run the search check because of the problem(s) with the bind check. Resolve that issue and rerun the tester.

The results have also been logged in /opt/duoauthproxy/log/connectivity_tool.log

Had to add an auth_type along with my bind_dn parameter.

Connectivity tests pass.
When I try OpenVPN I'm still getting auth failed. A lot farther than before at least.

Did you set up your LDAP user in Duo? You cannot use your admin account from Duo.

I did, but I'm still getting auth fail.

So I have an LDAP user called 'netadmin'.
I log in to my Duo admin account. I go to Dashboard > Add User. The username I give it is netadmin.
I make no other changes and click save.

From a networking standpoint, I see the Proxy and the LDAP server talking in pcaps. The problem isn't there. I strongly suspect it's between the Proxy and the Duo service. But I don't know what else I could be missing.