Hi, I am a bit new to advanced configuration of pfSense and I have been looking for a secured solution for my users from other locations to log in to the head-office infrastructure. I currently have in place a pfSense router that manages the head-office network. This network has the main LAN as the main VLAN, 192.168.10.X, onto which the IT management resources and devices are hooked, including the Windows Active Directory, DNS, Group Policy Management and File Server services. I have two other VLANs, 192.168.12.X to which staff users are connected and 10.10.30.X to which managers are connected; with routing services and DNS provided by pfSense, they are all able to reach the Active Directory for all the services stated above.
Now I have some staff located in other locations of the city whom I want to let connect to the head office and be able to be managed by Active Directory, and have access to the File Server and the other services.
I believe the way to go is to have a VPN in place, but once I have pfSense set up, I want the best and most secure way to go about this and how to set it up, especially to have one that supports 2FA.
When using OpenVPN with pfSense the two factors are the certificates that need to be installed and then the user/pass. Currently pfSense does not have any great way to use the OTP function alongside the password for OpenVPN.
I’ve used pfSense with OpenVPN using user/password authentication against AD/LDAP. For MFA, I used Duo with their proxy service (Duo Authentication Proxy Reference | Duo Security), which basically creates an LDAP proxy, so pfSense points to that, which can then proxy the VPN login to AD/LDAP and do the MFA authentication if the proxied AD/LDAP response is valid. Of course this adds extra complications and cost, but it does provide MFA for OpenVPN using pfSense against AD users.
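As an added illustration of the arrangement described in the reply above (this is not the poster's own configuration), here is what the Duo Authentication Proxy's `authproxy.cfg` looks like when it is acting as an LDAP front end for Active Directory. The section and key names are Duo's documented ones as I know them; every host name, DN, account name, key and password is a placeholder and must be replaced with your own values.

```ini
; Duo Authentication Proxy - authproxy.cfg (added example, not from the thread)
; All values are placeholders. Keys and passwords must never be committed to
; version control; restrict file permissions to the proxy's service account.

; --- Upstream directory: the proxy checks the first factor (password) here ---
[ad_client]
host=dc1.example.internal                     ; placeholder domain controller
service_account_username=svc_duoproxy         ; placeholder read-only bind account
service_account_password=PLACEHOLDER_SERVICE_ACCOUNT_PASSWORD
search_dn=DC=example,DC=internal              ; base DN for user lookups
; Only members of this group can complete a VPN login (least privilege):
security_group_dn=CN=VPN Users,OU=Groups,DC=example,DC=internal

; --- Downstream listener: pfSense points its LDAP auth server at this ---
[ldap_server_auto]
ikey=PLACEHOLDER_DUO_INTEGRATION_KEY
skey=PLACEHOLDER_DUO_SECRET_KEY
api_host=api-PLACEHOLDER.duosecurity.com
client=ad_client                              ; forward first factor to [ad_client]
port=389                                      ; port pfSense connects to
; "secure": if the Duo cloud service is unreachable, deny logins rather than
; silently falling back to password-only authentication.
failmode=secure
```

On the pfSense side you then create an LDAP authentication server whose host is the machine running the proxy (not the domain controller), and select that server as the backend of the OpenVPN server in addition to the client certificate. Two design points worth checking: `failmode=secure` is the defensive choice, because `safe` would let a Duo outage turn the VPN into single-factor password authentication; and because the second factor (push or OTP) happens during the LDAP bind, the bind takes longer than a plain AD bind, so the LDAP timeout configured on pfSense needs to be long enough for the user to approve the prompt.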
Looking to do this too: AD, OpenVPN, 2FA with an auth app on iPhone. Looks like Untangle natively supports this better, but the reason for shifting back to pfSense is that it is a better skill on the CV.