pfSense + Windows Active Directory + VPN Help

Hi, I am a bit new to advanced configuration of pfSense and I have been looking for a secure solution for my users from other locations to log in to the head-office infrastructure. I currently have in place a pfSense router that manages the head-office network. This network has the main LAN as the main VLAN, 192.168.10.X, onto which the IT management resources and devices are hooked, including Windows Active Directory, DNS, Group Policy Management and File Server services. I have two other VLANs, 192.168.12.X, which staff users are connected to, and 10.10.30.X, which managers are connected to; with routing services and DNS provided by pfSense they are all able to reach the Active Directory for all the services stated above.

Now I have some staff located in other locations of the city which I want to let them connect to the head-office and be able to be managed by Active Directory, have access to the File Server and the other services.

I believe the way to go is to have a VPN in place, but once I have pfSense set up, I want the best and most secure way to go about this and how to set it up, especially one that supports 2FA.

Counting on you to have a good setup please.

When using OpenVPN with pfsense, the two factors are the certificates that need to be installed and then the user/pass. Currently pfsense does not have any great way to use the OTP function alongside the password for OpenVPN.

I’ve used pfsense with OpenVPN using user/password authentication against AD/LDAP. For MFA, I used Duo with their proxy service (Duo Authentication Proxy Reference | Duo Security), which basically creates an LDAP proxy, so pfsense points to that, which can then proxy the VPN login to AD/LDAP and do the MFA authentication if the proxied AD/LDAP response is valid. Of course this adds extra complications and cost, but it does provide MFA for OpenVPN using pfsense against AD users.

1 Like

Thanks @LTS_Tom, can you share a link to any tutorial of yours that deploys this setup effectively?

I don’t have one yet on AD, but I do have this

Thanks @LTS_Tom for the tutorial.

@LTS_Tom can you do one for my case scenario, especially with Active Directory access, PLEASE

It’s been on my to do list for a long time, not sure when I will get to it.

1 Like

Looking to do this too: AD, OpenVPN, 2FA with an auth app on iPhone. Looks like Untangle natively supports this better, but the reason for shifting back to pfsense is that it's a better skill on the CV.