Using Duo Mobile as MFA for OpenVPN on PFsense

Hi all, I’d like to start my first post with a big thank you for all the YouTube videos. They’ve been a great help to me and made me a PFsense ‘fan’. I’m fairly new in the business and I’ve been given the task to try and figure out the following (and of course, I want to deliver :D).

I’m exploring the possibilities of using the App/platform Duo Mobile (/Security) to use as MFA for OpenVPN servers running on PFsense.

I’ve already applied Duo successfully with Windows Logins using their LDAP mirroring. It works great! We use OpenVPN with several clients (with LDAP and without) and like to secure this with MFA. There is documentation for using Duo with OpenVPN, but I don’t see how I can apply this within PFsense.

I’ve already done a fair bit of Googling as well as searched this forum. Finding bits here and there.
I’ve watched “ToTP Multi Factor Authentication OpenVPN with pfsense and FreeRadius - YouTube” but I’m not sure if I need FreeRadius and ToTP for my use case.

Perhaps someone here can steer me in the right direction.

I am not aware of any way to get it working with OpenVPN in pfsense, their docs say it can be done if you set up the “ACCESS SERVER VPN” as a separate server, not integrated.

Looks like it might work if you use their authentication server, you can point to that server in pfSense.

No idea if it will work but it seems you have the choice to offload OpenVPN from pfSense or use its authentication.

From a project point of view, presumably you want MFA for remote access, that is easily done in pfSense, plus with OpenVPN you can easily revoke certs. If your project objective is a “must use Duo” then you need to support that solution moving forward, for sure more cost. Easier to support pfSense.

I’d be curious to know which path you end up taking.

See if DUO - Setting up Multi-Factor Authentication for OpenVPN on pfSense - Rocky Mountain Tech Team or DUO Implementation for pfSense Based OpenVPN Server with RADIUS (AD) Integration - Step by Step | Netgate Forum helps. These instructions were back in early 2020.