pfSense OpenVPN Setup with FreeRADIUS3 2FA Authentication: Part 1 (OpenVPN Setup)

This three-part series implements FreeRADIUS3 authentication with OpenVPN so that you can use two-factor authentication methods such as Google Authenticator.

Prerequisites:  This guide assumes you have pfSense version 2.3.4+ installed and are starting from scratch setting up OpenVPN and the FreeRADIUS3 package.

Part 1: OpenVPN Setup
Part 2: FreeRADIUS3 Setup
Part 3: Final Setup – Connecting the Two

PART 1: OpenVPN Setup (standalone installation)

OpenVPN comes pre-installed, so there is no need to install the package before proceeding.  To get started, navigate to the VPN menu and go to OpenVPN.  From here, click the Wizards option to begin the initial setup.

We will change the value later, but for now set the Type of Server to Local User Access and click Next.

At this point you have a couple of different options.  I have already written up instructions on how to utilize Let’s Encrypt certificates (domain ownership required); for this guide I will instead include instructions on creating a new self-signed CA.  To generate the new certificate authority, click Add new CA.

Descriptive name:  Whatever you like, but preferably something to denote the CA will be used for OpenVPN certs
Key Length:  I’d recommend at least 3072 if not 4096.
Other Info Fields:  Assuming this is for a home environment you can fill this in with dummy information or not, whichever is your preference.

Now click Add new CA.

At this point we will follow a similar process to create a certificate under the new CA.  Click Add new Certificate.

To avoid confusion, you will probably want to name it “OpenVPN default cert” or “OpenVPN Server cert”, but again this is up to you.  All other settings here can mirror what you entered for the Certificate Authority setup.  Once complete, click Create new Certificate.

Now we’re on to the actual setup portion.  Here you will want to set the port you’d like incoming VPN connections to use.  Put in a description for the server if you want, but it is probably not necessary unless you’re planning on running multiple OpenVPN server instances.

Cryptographic Settings

TLS:  Recommend you keep enabled (default)
DH Parameters Length:  3072+ recommended
Encryption Algorithm:  This will affect performance, so if you have a large user base or are working with limited hardware you may want to consider a lower key size (128), but I would generally recommend AES-256-CBC or equivalents.
Auth Digest Algorithm: SHA512 recommended
Hardware Crypto: If you have any sort of hardware crypto accelerator you can set it here.

Tunnel Settings

Tunnel Network:  This will be a new address pool separate from your existing LAN.
Redirect Gateway:  This will depend on how you are utilizing the VPN.  If you only need to connect to access local resources on your pfSense network you can leave it unchecked, but if you want to tunnel all internet traffic through the VPN for security reasons you may want to check this.  Note this isn’t absolutely essential because you can also force traffic through the VPN via settings in client apps.
Local Network:  Add your local network here if you would like to allow access between the local LAN and VPN clients.
Compression:  This will again depend on hardware and bandwidth restrictions.  Be aware that the more compression is used, the larger the CPU load on the pfSense box and the remote machine; in exchange, it saves bandwidth.

For the rest of the configuration you can likely keep all settings at default, but read each entry carefully to ensure it matches up with the particulars of your own environment.

Once satisfied, click Next.

Unless you have reason to manually configure the required firewall rules you can leave the settings at default and click Next.  You can always change these later in the Firewall Rules menu as needed.

We’re almost done! Click Finish.

We can now start creating some users.  Under the System Menu go to User Manager, then Add.

Fill in the user settings as desired and be sure to check Certificate so we can generate a new cert for this new user.

For the certificate generation, make sure the CA selected is the same one you created in the previous steps.  Set the key length you prefer again, and add a description that makes the certificate easily identifiable as being tied to a particular user.  Once done, click Save.

We can now go to System: Certificate Manager and confirm everything was set up correctly.

Assuming everything went smoothly, under the CAs tab you should have 1 new entry.

And 2 entries under Certificates: the server certificate and the certificate for the new user.

Now we can double check that a firewall rule was correctly added.  Go to Firewall: Rules.

Confirm that there is an incoming WAN rule for the port you specified in setup.  Under OpenVPN there should also be a default any/any (* to *) rule created.

The last step before we start testing is to go to the System Menu and go to the Package Manager.  Go into the Available Packages tab and install openvpn-client-export.

With the export utility installed, go to VPN: OpenVPN.  Click on the Client Export tab, and scroll all the way to the bottom.

Import the settings file into an OpenVPN client of your choosing (a cell phone disconnected from Wi-Fi being an obvious choice for testing), fill in your username and password, and go ahead and test your new connection!

Once successfully connected, if you go to Status: OpenVPN you should be able to see the new client session along with the associated DHCP lease.
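
A quick way to check the exported settings file before handing it to a client, as an added example that is not part of the original guide or of pfSense: the script parses an inline .ovpn file and lists any deviation from the settings chosen above (AES-256 cipher, SHA512 digest, TLS key, username/password prompt, CA and user certificate).  The sample config, its host name and the function names are constructed for illustration, and it assumes the wizard's TLS option shows up in the export as a tls-auth or tls-crypt key.

```python
import re

# Constructed sample of an inline client config; key material replaced by placeholders.
SAMPLE = """client
remote vpn.example.com 1194 udp
cipher AES-256-CBC
auth SHA512
auth-user-pass
""" + "".join(f"<{t}>\n(placeholder)\n</{t}>\n" for t in ("ca", "cert", "key", "tls-auth"))

def parse_ovpn(text):
    """Split a client config into {directive: args} and the set of inline <tag> blocks."""
    directives, blocks, inside = {}, set(), None
    for line in (l.strip() for l in text.splitlines()):
        if inside:                                  # skip block body until </tag>
            inside = None if line == f"</{inside}>" else inside
        elif m := re.fullmatch(r"<([a-z0-9-]+)>", line):
            inside = m.group(1)
            blocks.add(inside)
        elif line and line[0] not in "#;":          # ignore blanks and comments
            name, *args = line.split()
            directives[name] = args
    return directives, blocks

def audit(text):
    """Return a list of deviations from the settings chosen in this guide."""
    d, blocks = parse_ovpn(text)
    present = blocks | set(d)                       # inline blocks or file directives
    cipher = " ".join(d.get("cipher", [])).upper()
    digest = " ".join(d.get("auth", [])).upper()
    findings = []
    if not cipher.startswith("AES-256"):
        findings.append(f"cipher is {cipher or 'unset'}, guide uses AES-256-CBC")
    if digest != "SHA512":
        findings.append(f"auth digest is {digest or 'unset'}, guide uses SHA512")
    if not present & {"tls-auth", "tls-crypt"}:
        findings.append("no tls-auth/tls-crypt key: wizard's TLS option not reflected")
    if "auth-user-pass" not in d:
        findings.append("auth-user-pass missing: no username/password prompt")
    for item in ("ca", "cert", "key"):
        if item not in present:
            findings.append(f"{item} missing: certificate authentication incomplete")
    return findings
```

To run it against a real export, read the file and pass its text to audit(); an empty list means the file matches the choices made in the wizard.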