Pfsense with OpenVPN, Free Radius And Two Factor

Networking & Firewalls
1

How to setup FreeRadius with OpenVPN on pfsense

Part2 How to user 2FA for users with the above mentioned setup.

6 Likes
2

I figured I’d add my comment from YouTube here to hopefully help someone be more secure even though TOTP is pretty secure a TLS certificate is pretty important for every user. I know Tom even said that he was just rushing through as an example but I am sure it is implied that we all know how to do this. For me I will admit I was rushing through this but it’s always a good idea to look at the logs! In my instance I found this notice in my OpenVPN logs “WARNING: POTENTIALLY DANGEROUS OPTION”. Since I was configuring a new VPN from scratch I forgot to go in and switch the server mode to Remote Access (SSL/TSL + User Auth). Anyway this is how one would add a certificate to users in FreeRadius after following these two videos in a row.

  • Go to VPN > OpenVPN > Pencil icon.
  • Change Server mode to Remote Access (SSL/TSL + User Auth)
  • Go to Services > FreeRadius > EAP > check Validate the Client Certificate Common Name
  • Now create a certificate using the FreeRadius CA that was created
  • Also make sure you match the username in FreeRadius with the common name while you create a certificate.
  • The user you created a certificate for should be in VPN > OpenVPN > Client Export

That should do it for the FreeRadius part. Please let me know if I should have made other changes. Thanks!

Also just so anyone who is interested in this knows, I have been using this custom option in my OpenVPN options to get local users to have static IP addresses and it has served it’s purpose until I watched this but I am just now getting around to implementing it. This is just for local authentication

  • Go to VPN > Client Specific Overrides
  • Click Add
  • Choose the related server if there are multiple
  • Match the common name with the user
  • Add a description to the override
  • Add the below to the advanced section. Use this as a template but replace the X’s to match your VPN network
    ifconfig-push XXX.XXX.XXX.XXX 255.255.255.0;

Thanks again Tom for all your time you put into this stuff!

Edit: corrected a couple typos.

1 Like
3

@LTS_Tom Thank you for your video you made it quite easy even for a beginner like me to implement a RA Server with FreeRADIUS authentication.

@tbigs2011 Thank you for adding your walkthrough. I managed to make the VPN server more secure by adding a user certificate using the Common Name tag and binding it to the FreeRADIUS user. Created two users with different firewall rules and pinged my way to happiness!!

Kind regards,
Pete

1 Like