How to configure a pfSense virtual machine with OpenVPN and LDAP authentication
Description
OpenVPN on pfSense can authenticate VPN users against Active Directory over LDAP, so remote users connect with their existing domain credentials instead of separate VPN accounts.
Requirements
Have a working pfSense virtual machine in your virtual datacenter. If it is not already deployed, follow this article to deploy a pfSense virtual machine in Performance Cloud VMware (NSX-T).
Procedures
Create a user and a group in Active Directory
1. Open the Active Directory Users and Computers console.
2. Create a domain user named vpnservice with a strong password in Active Directory. pfSense will use this account to bind to LDAP, so it needs no privileges beyond reading the directory.
3. Create a security group in Active Directory under Users named VPN Users.
Add Authentication Server
4. Log into the pfSense webConfigurator
5. Go to System, User Manager and click Authentication Servers
6. Click on Add
7. For the Descriptive name field, enter the domain name (Example: ndr.local)
8. For the Hostname or IP address field, enter the DC server LAN IP address (Example: 192.168.10.10)
9. Set the Transport field to TCP – Standard. You can select SSL-Encrypted instead, but the AD server then needs an SSL certificate matching the name entered in the Hostname field. Note that with TCP – Standard the bind password and the users' passwords cross the LAN to the DC unencrypted, so prefer the encrypted transport wherever you can.
10. Set the Search scope field to Entire Subtree
11. Set the Base DN field to DC=[domain],DC=[com] (Example: DC=ndr,DC=local)
12. Uncheck the box beside Bind anonymous and set Bind credentials to the AD domain user you created earlier (vpnservice) and its password
13. Set the User naming attribute field to samAccountName
14. Set Group member attribute field to memberOf
15. Go back up to Authentication containers
16. Set Authentication containers to CN=Users, then click the Select a container button.
17. Check the containers that hold the users you want to grant access to, then click Save. Make sure every container containing such users is selected; you can further restrict access by security group in the next step. (The Bind credentials must be saved for the container lookup to work.)
18. Check Enable extended query and specify a security group (VPN Users is the security group you created at step 3)
Example: memberOf=CN=VPN Users,CN=Users,DC=ndr,DC=local
Note: It is possible to specify more than one (1) security group under Users by OR-ing the memberOf clauses.
Example: |(memberOf=CN=Group1,CN=Users,DC=ndr,DC=local)(memberOf=CN=Group2,CN=Users,DC=ndr,DC=local)
19. Click on Save
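As an added example (not part of the original article and not pfSense code), the following Python builds the Extended query values shown in step 18 and the Note, and the combined user lookup filter, escaping the username per RFC 4515 so that filter metacharacters in a login name stay literal. The filter shape (&(samAccountName=user)(extended query)) is an assumption about how pfSense combines the User naming attribute with the extended query; the attribute, container and base DN defaults come from the steps above.

```python
# RFC 4515 section 3: characters that must be escaped inside a filter value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value so it cannot alter the filter structure."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def extended_query(groups, container="CN=Users", base_dn="DC=ndr,DC=local"):
    """Return the Extended query value for one group (step 18) or several (Note)."""
    clauses = [f"(memberOf=CN={g},{container},{base_dn})" for g in groups]
    if len(clauses) == 1:
        return clauses[0][1:-1]          # bare memberOf=..., as in step 18
    return "|" + "".join(clauses)        # OR of several groups, as in the Note


def search_filter(username, extended="", naming_attribute="samAccountName"):
    """Assumed lookup filter shape: (&(attr=user)(extended query))."""
    user_clause = f"({naming_attribute}={escape_filter_value(username)})"
    if not extended:
        return user_clause
    return f"(&{user_clause}({extended}))"


if __name__ == "__main__":
    vpn_users = extended_query(["VPN Users"])
    print(search_filter("jdoe", vpn_users))
    # A login name containing '*' or parentheses stays a literal value:
    print(search_filter("a*b", vpn_users))
```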
Create a Peer CA and a Self-Signed Server Certificate
20. Go to System, Certificates / Cert. Manager
21. Click on Add to create a Peer CA certificate
22. Enter a description
23. Set Method to Create an internal Certificate Authority
24. Enter the Address information
25. Click on Save
26. Click on Certificates
27. Click on Add
28. Set Method to Create an internal Certificate
29. For Descriptive name field, enter MyOpenVPN-Server-Cert
30. Set Common Name to OpenVPN_Cert
31. Set Certificate Type to Server Certificate
32. Click on Save
Setup VPN Server
33. Go to VPN and OpenVPN
34. Click on Add/Sign
35. Set Server mode to Remote Access (User Auth)
36. Set Peer Certificate Authority to the Peer CA you created
37. Set Server certificate to the server certificate you created
38. Set the DH Parameter length (bits) to 2048
39. Set the Encryption Algorithm to AES-256-CBC (256 bit key, 128 bit block)
40. Set IPv4 Tunnel Network to an unused network in your environment (Example: 10.3.8.0/24)
41. Set IPv4 Local network(s) to the LAN network to authorize (Example: 192.168.10.0/24)
42. Check the box for Dynamic IP
43. Check the box for DNS Default Domain
44. Set DNS Default Domain to the current Active Directory domain (Example: ndr.local)
45. Check the box for DNS Server enable
46. Set DNS Server 1 to DC server LAN IP address
47. Click on Save
Add Firewall Rules
48. Go to Firewall, Rules (under the WAN tab)
49. Click Add
50. Change Protocol to UDP
51. Set the Destination Port Range to 1194
52. Click on Save, Apply Changes
53. Click on the OpenVPN tab
54. Click Add
55. Set the Protocol to Any
56. Click on Save, Apply Changes
Generate and install the OpenVPN installation file
57. Go to System, Package Manager, Available Packages
58. Search for OpenVPN and install the openvpn-client-export package
59. Go to VPN and OpenVPN, Client Export
60. Change Host Name Resolution to Other and, in the Host Name field, enter the WAN public IP address of your Performance Cloud VMware environment.
This ensures the exported client configuration connects to the public IP address and not to the private IP address assigned to the WAN interface of the pfSense virtual machine.
61. Go to the bottom of the page under the OpenVPN Clients section.
62. Click on the installation package to download for your computer.
63. Once the client is installed, you can log in with a domain user that is a member of the VPN Users group.