OpenVPN with RADIUS via Active Directory

From PFSenseDocs
This article was contributed or cited from an outside source. The style and formatting may not match other articles.
This article is part of the How-To series.

By Vorkbaard, 2012-06-27 - gmail{a}vorkbaard[.]nl

This how-to will show how to set up OpenVPN on pfSense for Windows clients, using certificates with user authentication via RADIUS in Active Directory.

Intro

Intended audience

This how-to is intended for small businesses that want to roll out secure VPN connectivity for their users using free software. Due to the nature of its set up, which is mostly manual, this process may be too inefficient for larger businesses.

Versions

  • pfSense 2.x
  • Active Directory on Windows Server 2008 R2 - I'm using a Forest Functional Level of 2008 R2 but I don't think that's really a prerequisite. If it doesn't work, user account passwords may need to be stored using reversible encryption but since that is a serious security issue, it is better to upgrade to at least 2008 R2.

On security and a disclaimer

I am not a security expert. However, the method described in this article is the way it should be:

  • Two-factor authentication: something you have (the installed certificate) and something you know (AD user account name and password);
  • The connection is encrypted and nothing crosses the Internet in plain text.

If a laptop gets stolen, nobody can dial into the corporate network without also knowing a username and password, and the stolen certificate should be revoked on the firewall so that it cannot be used at all (System > Cert Manager, Certificate Revocation tab; select the resulting list as the OpenVPN server's Peer Certificate Revocation List). If someone guesses a password, they will also need the certificate to dial in.

I can not guarantee that no bad things happen because of following this how-to. Please consult other sources, use common sense and try breaking into the system to check if it's safe.

Thanks

Thanks to the pfSense forum, in particular to user unguzov, who wrote a shorter version of this how-to. I adapted his version and added screenshots. Thanks to Evan Jensen for providing some English version screenshots. Thanks to Dan, who alerted me on the question of the policy order.

[Ed Note: Grammar and style corrections were performed after the fact -jimp]

On the Active Directory domain controller

Create a group VPNusers

Create a security group in Active Directory Users and Computers called VPNusers. Everyone could have access but it's a good idea to keep some granular control over it.

Radiusvpn 204.jpg

Add all accounts that need to use the VPN system to this group.

Radiusvpn 205.jpg

Install and configure RADIUS

If RADIUS isn't already set up, add the role to the Domain Controller. If it is set up, skip this step.

Open Server Manager and click the Roles node in the tree on the left.

Radiusvpn 003.jpg

On the right side, click Add Roles.

Radiusvpn 003.jpg

This will open the Add Roles Wizard.

Radiusvpn 005.jpg

Check Network Policy and Access Services.

Radiusvpn 006.jpg

Select Network Policy Server.

Radiusvpn 010.jpg

If all went well there is now a Network Policy and Access Services node in the tree.

Radiusvpn 011.jpg

Expand the Network Policy and Access Services node, go to NPS (Local) > RADIUS Clients and Servers, right-click RADIUS Clients and choose New.

Radiusvpn 012.jpg

In the Friendly name field, enter pfSense VPN or anything deemed appropriate. In the Address (IP or DNS) field, enter the IP address of the pfSense firewall. Mine is 192.168.77.1. Under Shared Secret, select Generate and save the generated secret; it will be needed later on.

Radiusvpn 123.jpg

Under NPS (Local) > Policies right-click Network Policies and select New.

Radiusvpn 014.jpg

In the Policy name field, enter Allow pfSense. Type of network access server: Unspecified.

Radiusvpn 015.jpg

In the Specify Conditions window, click Add...

Radiusvpn 016.jpg

Select Windows Groups and click Add...

Radiusvpn 017.jpg

Click Add Groups... and add the group VPNusers (or whatever group is needed).

Radiusvpn 124.jpg

Back in the Specify Conditions window, click Next and select Access granted.

Radiusvpn 020.jpg

Put the new policy above any policy that would deny the connection: NPS evaluates network policies in the order shown and applies the first one whose conditions match, so mind the Processing Order field. Thanks to Dan for alerting me on this.

Radiusvpn 999.jpg

In the Configure Authentication Methods window, check Unencrypted authentication (PAP, SPAP). pfSense's RADIUS backend for OpenVPN authenticates with PAP, so NPS has to allow it. This means the user's password leaves the firewall inside the RADIUS Access-Request, hidden only with the shared secret as RFC 2865 describes, and it is NPS that checks it against Active Directory. Use the long generated secret rather than a short one, and keep the path from the firewall to the domain controller on the trusted LAN.

Radiusvpn 021.jpg

Skip the next wizard window (Constraints) or configure it if desired. I suggest leaving it as it is until after confirming the VPN works.

It's done. Next, Next, Finish until the end.

On the pfSense firewall

Set up the Authentication Server

In pfSense, go to System > User Manager, on the Servers tab. Click "+" on the right.

Radiusvpn 022.jpg

Enter these values:

Descriptive name RADIUS
Type Radius
Hostname or IP address 192.168.77.15
Shared Secret Paste the shared secret generated by the RADIUS server. Then delete the file containing the shared secret. It will not be needed again and if it is, a new one may be generated instead.
Services offered Authentication and Accounting
Authentication port value 1812
Accounting port value 1813

Radiusvpn 023.jpg
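The following added example, which is not code from this article, from pfSense or from NPS, shows what the PAP setting on the NPS side and the shared secret pasted into pfSense mean on the wire. The client role builds the Access-Request that a RADIUS backend like pfSense's sends to UDP port 1812, hiding the password as RFC 2865 section 5.2 describes; the server role, standing in for NPS, unhides it, checks it against a constructed stand-in for the Active Directory user base together with the VPNusers group condition of the network policy, and answers with an Access-Accept or Access-Reject whose Response Authenticator the client verifies before trusting the verdict. The usernames, passwords, group memberships and the shared secret are all made up for the example.

```python
"""RFC 2865 PAP exchange between a RADIUS client (pfSense role) and a server (NPS role).

Added example with constructed users, passwords and shared secret. Not pfSense or NPS code.
"""
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4

# Constructed stand-in for Active Directory: username -> password and group membership.
DIRECTORY = {
    "vorkbaard": {"password": "Winter2012!", "groups": {"Domain Users", "VPNusers"}},
    "guest": {"password": "guest", "groups": {"Domain Users"}},
}
SHARED_SECRET = b"example-shared-secret"  # constructed; NPS generates a long random one


def _encode_attrs(pairs):
    """Type-Length-Value encoding; the length counts the two header bytes."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in pairs)


def _decode_attrs(data):
    attrs = {}
    while data:
        t, length = data[0], data[1]
        if length < 2:  # malformed attribute; stop rather than loop forever
            break
        attrs[t] = data[2:length]
        data = data[length:]
    return attrs


def hide_password(password, secret, request_auth):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    pw = password.encode()
    pw += b"\x00" * (-len(pw) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(pw), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(pw[i:i + 16], key))
        out += block
        prev = block
    return out


def unhide_password(blob, secret, request_auth):
    """Inverse of hide_password; a wrong secret yields garbage, never an error."""
    out, prev = b"", request_auth
    for i in range(0, len(blob), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(blob[i:i + 16], key))
        prev = blob[i:i + 16]
    return out.rstrip(b"\x00").decode(errors="replace")


def build_access_request(ident, username, password, secret, nas_ip, request_auth=None):
    """Client side: the packet the firewall sends to UDP/1812 on the domain controller."""
    if request_auth is None:
        request_auth = os.urandom(16)  # fresh per request; also keys the password hiding
    attrs = _encode_attrs([
        (USER_NAME, username.encode()),
        (USER_PASSWORD, hide_password(password, secret, request_auth)),
        (NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))),
    ])
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + request_auth + attrs


def response_authenticator(code, ident, attrs, request_auth, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def server_handle(packet, secret, directory, required_group):
    """Server side (NPS role): PAP password check plus the 'Windows Groups' condition."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    request_auth = packet[4:20]
    attrs = _decode_attrs(packet[20:length])
    user = attrs[USER_NAME].decode(errors="replace")
    password = unhide_password(attrs[USER_PASSWORD], secret, request_auth)
    entry = directory.get(user)
    granted = (code == ACCESS_REQUEST and entry is not None
               and entry["password"] == password
               and required_group in entry["groups"])
    reply_code = ACCESS_ACCEPT if granted else ACCESS_REJECT
    header = struct.pack("!BBH", reply_code, ident, 20)  # no attributes in the reply
    return header + response_authenticator(reply_code, ident, b"", request_auth, secret)


def client_verify(reply, request, secret):
    """Client side: check the Response Authenticator before trusting the verdict."""
    code, ident, length = struct.unpack("!BBH", reply[:4])
    expected = response_authenticator(code, ident, reply[20:length], request[4:20], secret)
    if ident != request[1] or reply[4:20] != expected:
        raise ValueError("reply does not authenticate: wrong shared secret or forged packet")
    return code == ACCESS_ACCEPT


def authenticate(username, password, secret=SHARED_SECRET, nas_ip="192.168.77.1"):
    """Full round trip, in process, against the constructed directory above."""
    request = build_access_request(7, username, password, secret, nas_ip)
    reply = server_handle(request, secret, DIRECTORY, "VPNusers")
    return client_verify(reply, request, secret)


if __name__ == "__main__":
    print("vorkbaard, correct password:", authenticate("vorkbaard", "Winter2012!"))  # True
    print("vorkbaard, wrong password:", authenticate("vorkbaard", "nope"))           # False
    print("guest, not in VPNusers:", authenticate("guest", "guest"))                 # False
```

Two things worth noticing: the password hiding is keyed only by the shared secret and a 16-byte value that travels in the clear, so anyone who can read the firewall-to-DC traffic and knows or guesses the secret recovers the password, which is why the secret should be long and the hop trusted; and a reply with a bad Response Authenticator is rejected outright rather than treated as a rejection, since a forged Access-Accept is exactly what an attacker on that hop would send. The same request packet, sent with a plain UDP socket to port 1812 on the domain controller, is a quick way to confirm the NPS firewall rules mentioned under Troubleshooting: an unanswered request usually means the inbound rules are missing or the RADIUS client entry has the wrong address.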

Install a Certificate Authority

Go to System > Cert Manager, CAs tab and click "+".

Radiusvpn 024.jpg

Enter these values:

Descriptive name TestDomain VPN CA
Method Create an internal Certificate Authority
Key length 2048
Lifetime 3650 days
Ten years should be enough for now.
Distinguished name Fill out the preferences here.
Common name testdomainvpn-ca

Radiusvpn 025.jpg

Note that now there is an extra CA in the CA list.

Radiusvpn 026.jpg

Create an internal certificate

Go to System > Cert Manager, Certificates tab and click "+".

Radiusvpn 027.jpg

Enter these values:

Method Create an internal Certificate
Descriptive name vpn-testdomain-network
Certificate Authority TestDomain VPN CA
Key length 2048
Certificate Type Server Certificate
Lifetime 3650 days
Distinguished name Fill out the preferences here.
Common Name vpn.example.com

Set up the OpenVPN server

Go to VPN > OpenVPN, Servers tab and click "+".

Radiusvpn 031.jpg

Enter these values:

Server Mode Remote Access (SSL/TLS + User Auth)
Backend for authentication RADIUS
Protocol UDP
Device Mode tun
Interface WAN
Local port 1194
Description Something appropriate
TLS Authentication Check both Enable authentication of TLS packets and Automatically generate a shared TLS authentication key.
Peer Certificate Authority TestDomain VPN CA
Server Certificate vpn-testdomain-network (CA: TestDomain VPN CA)
DH Parameters Length 2048
The original article used 1024, which is no longer considered adequate; pick 2048 or longer.
Encryption algorithm AES-128-CBC (128-bit)
Others probably work as well, but stay with an AES cipher.
Hardware Crypto No Hardware Crypto Acceleration
Certificate Depth One (Client Server)
Strict User/CN Matching If this is checked, the username entered must match the Common Name of the certificate presented, so a user can only connect with their own credentials, not those of another user. I think this is a good idea, so check this option.
Tunnel Network 192.168.82.0/24
Or any other network, as long as it is not in use in the LAN/WAN and probably not at users' locations. i.e. don't use 192.168.0.0/24, 192.168.1.0/24 and 10.0.0.0/24.
Redirect Gateway If this is checked, not only traffic to the LAN will be routed through the tunnel but also to the rest of the Internet. If the user starts downloading a movie it will go through the company network. On the other hand, they will be behind the corporate firewall. Check this to use the VPN for secure Internet access. Do not check if the corporate line has a slow upload speed.
Local Network 192.168.77.0/24
This is my range. Enter the actual LAN subnet here.
Concurrent connections

Crypto can be tough on resources. If the pfSense installation runs on an appliance keep this number low; if it runs on an old computer it can do more. Keep an eye on the machine's CPU, and if the concurrent VPN connections ask too much of it, upgrade the hardware.

I tend to set this number to the number of client installations.

Compression Leave unchecked. The original advice was to enable it unless the hardware is very old, but compression on a tunnel that carries data an attacker can influence leaks information about the plaintext (the VORACLE attack against OpenVPN, 2018), and the OpenVPN project now advises against it.
Type-of-Service Unchecked
Inter-client communication Unchecked unless needed.
Duplicate Connections Unchecked unless needed.
Dynamic IP Checked unless seriously worried about laptops getting stolen in the middle of a VPN session or client connections being hijacked.
Address Pool Checked
DNS Default Domain Checked, enter the Active Directory domain name here
DNS Servers Checked, enter some Active Directory DNS server addresses here.
NTP Servers If one of the DCs is acting as an NTP server, check and enter it here. Decent time keeping is important for AD communication but if there are no weird time problems or the client can maintain its own clock independently, it may remain unchecked.
NetBIOS Options Unchecked. It's a security risk. Only check it if needed for legacy applications but check if they work without NetBIOS first; they probably do.
WINS Servers Unchecked unless needed.

Radiusvpn 033.jpg
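As an added check, not something pfSense provides, the script below audits an OpenVPN server configuration written in OpenVPN's own directive syntax for the points made in the settings above: a tunnel network that overlaps the LAN or one of the common home subnets, DH parameters shorter than 2048 bits, compression left on, a missing tls-auth/tls-crypt key, and a non-AES cipher. Both configurations are constructed for the example (the first keeps the weak choices, the second the corrected ones) and are not files generated by pfSense; the DH check assumes the parameter file name ends in its bit size, as pfSense's /etc/dh-parameters.<bits> files do.

```python
"""Audit an OpenVPN server config for the weak choices discussed above.

Added example with constructed configs; not pfSense code or pfSense output.
"""
import ipaddress
import re

# Constructed: the article's server settings with the weak choices kept.
WEAK_CONFIG = """\
dev tun
proto udp
port 1194
server 192.168.1.0 255.255.255.0
push "route 192.168.77.0 255.255.255.0"
dh /etc/dh-parameters.1024
cipher AES-128-CBC
comp-lzo
"""

# Constructed: the same server with the corrected choices.
HARDENED_CONFIG = """\
dev tun
proto udp
port 1194
server 192.168.82.0 255.255.255.0
push "route 192.168.77.0 255.255.255.0"
dh /etc/dh-parameters.2048
cipher AES-128-CBC
tls-auth ta.key 0
"""

# Subnets the article warns are likely to be in use at the users' own locations.
COMMON_REMOTE_LANS = [ipaddress.ip_network(n) for n in
                      ("192.168.0.0/24", "192.168.1.0/24", "10.0.0.0/24")]


def parse_config(text):
    """Return {directive: [args, ...]} with one argument list per occurrence."""
    entries = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = [p.strip('"') for p in re.findall(r'"[^"]*"|\S+', line)]
        entries.setdefault(parts[0], []).append(parts[1:])
    return entries


def audit(text):
    """Return a list of findings; an empty list means no weak setting was spotted."""
    cfg = parse_config(text)
    findings = []

    # Tunnel network must not collide with the pushed LAN routes or typical home LANs.
    if "server" in cfg:
        net, mask = cfg["server"][0][:2]
        tunnel = ipaddress.ip_network(f"{net}/{mask}", strict=False)
        lans = []
        for args in cfg.get("push", []):
            m = re.match(r"route (\S+) (\S+)", args[0]) if args else None
            if m:
                lans.append(ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False))
        for other in lans + COMMON_REMOTE_LANS:
            if tunnel.overlaps(other):
                findings.append(f"tunnel network {tunnel} overlaps {other}")

    # Assumption: the DH file name carries its size, e.g. /etc/dh-parameters.1024
    for args in cfg.get("dh", []):
        bits = re.findall(r"\d+", args[0]) if args else []
        if bits and int(bits[-1]) < 2048:
            findings.append(f"dh parameters of {bits[-1]} bits; use 2048 or more")

    # Compression leaks plaintext information (VORACLE); 'comp-lzo no' is the off switch.
    if "comp-lzo" in cfg and cfg["comp-lzo"][0][:1] != ["no"]:
        findings.append("comp-lzo enabled; compression exposes the tunnel to VORACLE-style attacks")
    for args in cfg.get("compress", []):
        if args and args[0] in ("lzo", "lz4", "lz4-v2"):
            findings.append(f"compress {args[0]} enabled; disable compression")

    # Without an HMAC key every UDP packet from the Internet reaches the TLS stack.
    if "tls-auth" not in cfg and "tls-crypt" not in cfg:
        findings.append("no tls-auth/tls-crypt key; unauthenticated packets reach the TLS stack")

    for args in cfg.get("cipher", []):
        if args and not args[0].upper().startswith("AES-"):
            findings.append(f"cipher {args[0]}; prefer an AES cipher")

    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name + ":", audit(text) or ["ok"])
```

Running it on the weak configuration reports four findings (the 192.168.1.0/24 tunnel colliding with a common home subnet, the 1024-bit DH parameters, comp-lzo and the missing tls-auth key) and nothing for the hardened one; pointing it at an exported server configuration is a cheap regression check after the settings page has been edited.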

Configure the firewall

Go to Firewall > Rules, WAN tab and click "+" to create a new rule.

Radiusvpn 207.jpg

Enter these values:

Action Pass
Disabled not checked
Interface WAN
Protocol UDP
Source unchecked, any
Destination unchecked, WAN address
Destination port range from OpenVPN to OpenVPN
Log only check when troubleshooting
Description OpenVPN RADIUS

Radiusvpn 202.jpg

Click Save and the rules page will reload. Do not forget to click Apply Changes.

Radiusvpn 203.jpg

Create a Certificate

A certificate must be created for each user that is going to use the VPN system. In Descriptive and Common Name, enter the username the user uses to log on to Active Directory. Strictly speaking Descriptive name can be anything but usernames should be unique anyway.

Go to System > Cert Manager (not User Manager!), Certificates tab and click "+".

Radiusvpn 102.jpg

Enter these values:

Method Create an internal Certificate
Decriptive name [Username of the user that will be using the vpn connection]
In some cases this is case sensitive. I tend to stick to all lowercase for that reason. It doesn't really matter but keep it in mind if the connection can't be established.
Certificate authority TestDomain VPN CA
Key length 2048
Certificate Type User Certificate
Lifetime 3650 days
Unless the user has a temporary account.
Distinguished name Fill out the preferences here.
Common Name: [see Descriptive name]

Radiusvpn 104.jpg

Note the entry in the Certificate list.

Radiusvpn 105.jpg

Install the OpenVPN Client Export Package

Go to System > Packages, Available Packages tab.

Radiusvpn 106.jpg

Scroll down to OpenVPN Client Export Package and click "+" on the right.

Radiusvpn 107.jpg

Confirm the selection and the package will be installed.

When it says Installation completed the installation is finished.

Radiusvpn 108.jpg

Prepare the Windows package

Go to VPN > OpenVPN and note that there is an extra tab called Client Export. Click it.

Radiusvpn 208.jpg

Enter these values:

Remote Access Server VPN with RADIUS UDP:1194
Host Name Resolution

- If WAN has a static IP, enter Interface IP Address here.
- If there is a DNS address pointing to the firewall, enter Installation hostname here.

Personally, I like to create a dedicated DNS entry for VPN connections called vpn.example.com. If IP addresses / ISP connections are moved around it is nice to have things set up modularly.

If unsure, stick with Interface IP Address for now.

Use Microsoft Certificate Storage instead of local files checked
Use a password to protect the pkcs12 file contents or key in Viscosity bundle. checked; choose a random password here and save it for use when installing the certificate on the client.
Use HTTP Proxy Unchecked unless needed.

Find the right username under Certificate Name and then in the Windows Installer section, choose an appropriate installer for the user's platform, such as x64-win6 for a 64-bit installer for Windows Vista and later.

Radiusvpn 110.jpg

Get a package for each user.

On the Windows clients

Install the OpenVPN package

Copy the downloaded Windows Installer to the client. It is named after the tunnel configuration, for example router-udp-1194-install.exe.

Run the installer with all defaults. When selecting components, make sure they are all checked (they are by default).

Radiusvpn 112.jpg

The OpenVPN Configuration Setup will continue to install the certificates.

Radiusvpn-113-EN.png

Stick to the defaults. When prompted for a password, enter the password used when exporting the Windows Installer from the Client Export tab.

Radiusvpn-114-EN.png

Have the wizard automatically select the archive.

Radiusvpn-115-EN.png

Change the cryptoapicert SUBJ

Open C:\Program Files\OpenVPN\config\config.ovpn or C:\Program Files (x86)\OpenVPN\config\config.ovpn and change the line that says

cryptoapicert "SUBJ:"

to

cryptoapicert "SUBJ:vorkbaard"

...replacing vorkbaard with the user's actual username. The SUBJ: selector makes OpenVPN pick the certificate from the Windows certificate store by a substring match on the certificate subject, so the value must match the Common Name given to that user's certificate.

I may be mistaken but I think this helps specifying which certificate OpenVPN should use in case certificates have a naming conflict.

Using the Windows client

Set the Windows Client to run as Administrator.

To use the client, double click the OpenVPN GUI icon on the Desktop.

Radiusvpn 116.jpg

Windows will ask to confirm the execution. Confirm.

OpenVPN will start but that's not enough. Right-click the OpenVPN icon in the taskbar and choose Connect.

Radiusvpn 117.jpg

The user must now enter their username and password. This is only the username part, without the domain. The password is the user's Active Directory password.

Radiusvpn-118-EN.png

If all is well, OpenVPN will connect to the pfSense router and minimize to the system tray.

Radiusvpn 119.jpg

Right-click the system tray icon and choose Disconnect or Close to either disconnect the tunnel or close the OpenVPN program altogether.

Tweaking the client

Here are some tweaks I like to do on my client installations.

Change the name of the .ovpn file

When connecting to the firewall OpenVPN shows a balloon announcing that the VPN is up. It contains a rather cryptic Windows Installer name, but that can be changed to something more appropriate by renaming the .ovpn file in C:\Program Files\OpenVPN\config (or C:\Program Files (x86)\OpenVPN\config) to whatever name the balloon should show.

Radiusvpn 122.jpg

(is nu verbonden is Dutch for is now connected.)

Edit the shortcut to connect directly

The shortcut to OpenVPN GUI can be edited to directly connect to a firewall instead of first starting OpenVPN and then starting the connection by right-clicking the shortcut and adding to the Target field:

--connect "Headquarters.ovpn"

...if Headquarters.ovpn is the name of the .ovpn file.

Radiusvpn 206.jpg

The user will still need to enter their password but it does save a step in the process.

Edit more settings

More information on automation, customization and registry tweaks are available in this text document: http://openvpn.se/install.txt

Troubleshooting

If something doesn't work, here are some pointers for troubleshooting:

  • The username may be case sensitive.
  • Use pfSense's fine logging system under Status > System logs > OpenVPN.
  • Ask questions in the pfSense forum.
  • Windows 7 sometimes adds a Microsoft Virtual WiFi Miniport Adapter. Disabling this sometimes solves vague connection problems where there should be none.
  • Is the subnet unique? Perhaps the user is in a subnet that is the same as the virtual or corporate subnet.
  • Certificate problems? Check certmgr.msc. Perhaps an old certificate is blocking the installation of a new certificate.
  • Client getting disconnected? Check the user's wifi connection. No wifi=no internet=no vpn.
  • Check if the domain controller's own firewall allows UDP ports 1812 and 1813 in. Adding the Network Policy and Access Services role and configuring a RADIUS client should automatically have created these rules; they are called Network Policy Server (RADIUS Accounting - UDP-In) and Network Policy Server (RADIUS Authentication - UDP-In). Note that this is about the firewall on the domain controller, not the firewall on pfSense!