For those who are familiar with large-scale deployments (100+ users) of OpenVPN on pfSense with user certificates (with or without LDAP/RADIUS): is it difficult to manage numerous certificates within the GUI of pfSense? I do have an OpenVPN CA created on pfSense which I use to sign my user certificates. Is there a better approach when using user certs? To me it seems tedious but necessary to scroll through the pfSense page for a user cert to check if it's created if you have over 100 users. Maybe I should rethink my approach?
Follow-up. Has anyone implemented Microsoft 2FA with OpenVPN?
I only used OpenVPN briefly and only for personal remote access to the home network, but if I recall correctly, you don’t necessarily need the user certificates to be stored in pfSense. When a client attempts to connect with a certificate, pfSense will simply check whether the certificate was signed by the configured CA. So you could use any external means of storing certificates.
Very nice. Thank you for confirming. I super appreciate it!
Duo: I see a free trial version, but if the POC works and pricing is right this is a huge step forward.
Looking at guides, do I need the RADIUS portion as well?
I got the Auth Proxy running and I have the configs for LDAP, just wondering if I need the RADIUS config. So far OVPN doesn't work and I can't log in to my pfSense GUI using my LDAP credentials.
My Auth Servers configuration points to the Duo Auth Proxy server.
Still troubleshooting.
You have to set up a user on Duo as the same user you are trying to authenticate with using LDAP.
Since I had an administrator account, I had to create another entry in the Duo app for my LDAP user.
Once you authenticate on pfSense it will look like nothing is happening, but you will get a notification on your phone that you are trying to authenticate. Once you approve the request it will proceed to log in.
My problem is that any LDAP account that I create that's in the admin group for some reason can't bind.
I'm using the Synology LDAP server.
[warn] The LDAP host clear connection to 192.168.3.3:389 has connectivity problems.
[error] The Auth Proxy was unable to bind as netadmin.
[error] Please ensure that the provided service account credentials are correct.
[warn] The Auth Proxy did not run the search check because of the problem(s) with the bind check. Resolve that issue and rerun the tester.
[info]
The results have also been logged in /opt/duoauthproxy/log/connectivity_tool.log
EDIT:
Had to add an auth_type along with my bind_dn parameter.
Connectivity tests pass.
When I try OVPN I'm still getting auth failed. A lot farther than before at least.
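For anyone following the same path, this is the shape of a Duo Auth Proxy authproxy.cfg that covers both fixes discussed in this thread: a plain bind with bind_dn/auth_type against a non-AD LDAP (Synology), and the RADIUS section that pfSense's Auth Server entry points at. It is an added illustration, not the poster's actual file; the DN, search base, pfSense address and Duo keys are placeholders.

```ini
; authproxy.cfg (illustrative; placeholders marked below)

; Primary authentication against the directory.
; Synology LDAP is not Active Directory, so the default NTLM bind fails
; with "unable to bind as <user>". A simple bind with the full DN works.
[ad_client]
host=192.168.3.3
port=389
auth_type=plain
; placeholder: full DN of the service account used for the bind
bind_dn=uid=netadmin,cn=users,dc=example,dc=com
; placeholder: that account's password
service_account_password=SERVICE_ACCOUNT_PASSWORD
; placeholder: base DN where VPN users live
search_dn=cn=users,dc=example,dc=com
; OpenLDAP-style directories key users on uid, not sAMAccountName
username_attribute=uid
; Recommended once it works: switch to LDAPS so the bind password
; is not sent in clear text on the wire.
; transport=ldaps
; port=636

; What pfSense talks to: add it under System > User Manager >
; Authentication Servers as a RADIUS server on this proxy.
; The proxy checks the password via [ad_client], then sends a Duo push
; to the Duo user whose username matches the LDAP username (netadmin).
[radius_server_auto]
; placeholders: integration key, secret key and API hostname from the
; Duo admin panel for the "RADIUS" application
ikey=DIXXXXXXXXXXXXXXXXXX
skey=YOUR_SECRET_KEY_HERE
api_host=api-XXXXXXXX.duosecurity.com
; placeholder: pfSense address and the shared secret entered in pfSense
radius_ip_1=192.168.3.1
radius_secret_1=RADIUS_SHARED_SECRET
client=ad_client
port=1812
; deny logins if the Duo cloud cannot be reached
failmode=secure
```

After editing, rerun the proxy's connectivity tool and restart the service; the proxy's authproxy.log will then show whether a failure is in the LDAP bind, the user lookup, or the call to the Duo API.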
So I have an LDAP user called 'netadmin'.
I log into my Duo admin account. I go to Dashboard > Add User. The username I give it is netadmin.
I make no other changes and click save.
From a networking standpoint, I see the Proxy and the LDAP talking in pcaps. The problem isn't there. I strongly suspect it's between the Proxy and the Duo service. But I don't know what else I could be missing.