SSO-enabled VPN for end-users

Hi Everyone,

I am contemplating migrating to OPNsense or pfSense for our company firewall.

We’re currently running a FortiGate appliance, and one of the nice things about it is that it supports SSO for VPN authentication using SAML. Does something like this exist for OPNsense or pfSense?

What are our options for pfSense/OPNsense + SAML/OIDC-enabled VPN?

For pfSense you have OpenVPN or WireGuard. As far as I am aware, neither of them supports SSO. I’m not sure what OPNsense has.

You have no options for SSO/SAML on pfSense.

There is not a direct SSO, but we have many clients using RADIUS with AD:

https://docs.netgate.com/pfsense/en/latest/recipes/openvpn-ra-auth-radius-ad.html

Then you could use:

Hi Tom,

Thank you for taking the time to write an answer here. I agree that RADIUS is an excellent option. And, if anyone is in our situation where your IdP is cloud-hosted, there are even options for RADIUS to cloud-hosted IdPs. The example below is relevant to us:

If I’m to be honest, in our situation, we’re trying to move away from asking users to re-type their username and password each time they want to connect to the VPN.

Moving authentication to SSO has allowed us to make our VPN rules really strict (e.g. after 10 mins of inactivity, disconnect the VPN). Users are not complaining because, although they might need to re-connect the VPN more often, reconnecting only involves them completing the conditional access policy mandating an MFA challenge on their mobile device. Meaning there is no need for them to re-enter their username and password into the VPN client, since they’re already authenticated via the IdP. I’m quite protective of that convenience and the security benefits we’ve enjoyed as a result.

Because moving to pfSense or OPNsense is conditional on password-less VPN, I am going to continue my search on the internet. If I find a solution, I will be sure to post it here.

We have some (400+ users) clients that have moved to using Tailscale, as it’s a better solution than using things like OpenVPN. And it does support lots of SSO providers: Supported SSO identity providers · Tailscale Docs

After a bit of research I found the ideal configuration, where certificates are used for authentication and an MFA platform is used as the second factor. Duo does this quite well. More details are provided in the link below.

Unfortunately, we don’t use Duo so we would want to replace that with a plugin with IBM Security Verify. As such, I’ve decided I’m just going to get OpenVPN Access Server since that supports SSO via SAML, allowing me to do the MFA prompt using conditional-access policies within IBM Security Verify.

I’m just sharing the Duo integration I discovered in my research in case the Duo plugin is useful to anyone else on the forum.


The other bonus is you are supporting the project. I’m glad you settled on a solution!