Using FreeIPA to authenticate OpenVPN users on pfSense
I have been fiddling with multiple different authentication methods to centralise the authentication across all my devices and services. Im trying to push myself to use FreeIPA more as it seems to be becoming more widley used where using Active Directory isnt suitable.
It is also really easy to enable 2FA per user which i find to be a big bonus.
If you havnt already setup FreeIPA, check out my guide on going through the installation process HERE.
The first thing i needed to do was to create a group within FreeIPA which will tell pfSense whether that user is allowed to VPN in.
This is fairly simple, just log into your FreeIPA server’s web interface and go to
Identity and then
User Groups then press
Add on the right hand side. Fill out the details like the image below.
Add. You will need to remember to add your user to the group.
Thats all that you need to do in FreeIPA for now. Next we need to configure pfSense.
Adding the FreeIPA server as an Authentication Server in pfSense
Adding the CA Cert
Now we need to tell pfSense to use this server to authenticate against.
First we need to add the FreeIPA Certificate Authority to pfSense. We will need to grab this cert from FreeIPA.
In the FreeIPA web interface, go to
Certificates, you should get something similar to this:
The one we need is the top one. So click on the
Serial Number (1 in this case), this will take you to another page with an overview of the certificate details.
On this page, click
Action then select
Now that you have downloaded the cert, open it up in a basic text editor and copy everything from it, including the
-----BEGIN CERTIFICATE----- and
Now we need to add the CA to pfSense. Log into the web interface of you pfSense box then go to
Cert. Manager, on the
CA's tab click on the
Add Button. This will take you to another page.
Add in the details like in the following image. It is in the
Certificate Data box that you need to paste the contents from the certificate we downloaded earlier.
Once you are done, just press save.
Adding the Authentication Server
If you are already pretty familiar with LDAP then this should be pretty simple for you. In this section ill go through adding the FreeIPA server as an auth backend, and testing it.
In the pfSense web interface, go to
User Manager then select the
Authentication Servers tab. This will take you to another page, press
Add at the bottom.
There is quite a lot of info required here. Ill add an image of my setup at the end, but will add it in text as well so you can copy/paste the bits you need (and obviously change them to suit your environment).
Just a name for your reference
Hostname or IP Address: Hostname or IP of your FreeIPA Server
Port Value: 636
Transport: SSL - Encrypted
Peer Certificate Authority: The name you set in the “Adding the CA Cert” section
Protocol version: 3
Server Timeout: 25
Search Scope Level: Entire Subtree
Base DN: Your FreeIPA Base DN
Authentication Containers: cn=accounts
Extended Query: Ticked
&(memberof=cn=vpn,cn=groups,cn=accounts,dc=internal,dc=home,dc=thehaywards,dc=me) (obviously changing this to come into line with your own Base DN.)
Bind anonymous: Unticked
Bind Credentials: I used a system user here. You could create a user to bind with though.
User naming Attribute: uid
Group naming Attribute: cn
Group memver Attribute: member
RFC 2307 Groups: Unticked
Group Object Class: posixGroup
UTF8 Encode: Unticked
Username alterations: Unticked
Here are some screenshots of my setup.
Testing the new backend
That should be the configuration completed, next we need confirm it is actually working. There are a couple of tests i usually do to make sure it is working as it should be, these are:
- Login with a user in the VPN group and with the correct Credentials
- Login with a user in the VPN group with incorrect Credentials
- Login with a user not in the VPN group with the correct Credentials
Doing these 3 tests will confirm that our extended query is working correctly and that only users with valid credentials AND in the VPN group can connect. The authentication test page does make it explicitly clear when authentication has worked. Here are examples of a successful login and failed login:
(It failed as i didnt provide my MFA token)
Once you are happy your user is able to login, we need to go through the final section which is to tell the OpenVPN server to use the FreeIPA server for authentication.
Setting FreeIPA as the OpenVPN Authentication backend
This is a quick and simple change.
In the pfSense interface, go to
OpenVPN. On the
Servers tab, click the Edit button next to the server we are changing.
Backend For Authentication to the name you gave the server in the
Adding the authentication server section. Once done, press save. Here is how mine now looks:
That should be complete now. Testing it and see!