pfSense OpenVPN Point-to-Site (P2S) Connection over RADIUS/Active Directory Authentification
Because of the annoying Windows 10 DNS LEAK problem in combination with the native windows vpn, I decided to setup an OpenVPN Applicance with pfSense to provide an alternative VPN Dial-In Gateway which addressed already the problem.
You will find many articles on how to avoid this by set a couple of group policy settings and switch to a low static metric for the vpn adapter, but there are no guaranty that windows 10 will not still use the dns response from your local gateway first instead from the corporate network.
What is OpenVPN?
OpenVPN is open-source commercial software that implements virtual private network (VPN) techniques to create secure point-to-point or site-to-site connections in routed or bridged configurations and remote access facilities. It uses a custom security protocol that utilizes SSL/TLS for key exchange. It is capable of traversing network address translators (NATs) and firewalls. It was written by James Yonan and is published under the GNU General Public License Version 2 (GPLv2).
OpenVPN runs a custom security protocol based on SSL and TLS rather than supporting IKE, IPsec, L2TP or PPTP. OpenVPN offers support of smart cards via PKCS#11-based cryptographic tokens.
OpenVPN vs IKEv2 vs PPTP vs L2TP/IPSec vs SSTP – Ultimate Guide to VPN Encryption
OpenVPN vs SSTP VPN: Which Protocol is Best for Your Use?
For RADIUS Authentification of course we need a RADIUS Server which will provide Microsoft with the Network Policy and Access Services Server Role.
So if still not installed yet in your network first thing is to provide this Role.
On the Network Policy Server we must add the pfSense Appliance as a new RADIUS Client. Here you must enter a friendly Name for the client and it’s internal IP Address. Further a shared secret which we also must set at pfSense.
To allow Clients to dialin we must further create a Network Policy which grant dialin permission.
Create or select an Active Directory Group and place all users in it who should be allowed to dialin from remote.
Attach this windows group in the Specify Conditions dialog.
Grant Access for this group.
Leave the default settings for Authentification and also for the next two dialogs with Configure Contraints and Settings.
So far configuration of the RADIUS Server is complete!
Let’s goto pfSense and there we first add and setup an Authentification Server.
Goto System – User Manger – Authentification Servers and click Add
For the description name we use RADIUS or any other name as it’s only for our information. The Type must be RADIUS of course and for the protocol you can leave MS-CHAPv2. Further we need to enter the ip address of the RADIUS Server and the shared secret we choose previous at adding the RADIUS Client in our NPS console. Leave the ports and the default timeout. Last Step here is to select the internal interface of pfSense for RADIUS NAS IP Attribute.
Next we must create or import a Certification Authority. In this case we import our existing internal company CA from the Active Directory Certification Services (ADCS).
For an only working purpose a self signed newly created CA will be enough and works also. I used our internal CA as the root certificate is on each corporate computer deployed and therefore be trusted from all.
When exporting and installing the Client, the root certificate from the CA will be installed into the config folder from OpenVPN, so it doesn’t matter if it is trusted or not from the computer itself, OpenVPN will trust it. Even if you use a trusted CA for the OpenVPN Server certificate, OpenVPN client will still need the root certificate in the config folder, otherwise you cannot connect to the server.
So now we export the Root Cert with the corresponding Private Key that we later can import them into pfSense. The Private key is also needed that the CA can be used to create new certificates or CRL entries on pfSense.
Export the Private key and CA Certificate:
To use this PKCS File we first had to export the private and public key from it. So we need openssl.
Extract the private key:
Extract the certificate:
Run the following command to decrypt the private key:
After this we can import the CA into pfSense, therefore goto System – Cert Manager – CAs and click Add
Here select Import an existing Certification Authority
Insert the previous exported public and private key and enter an serial number for the next certificate, can be 1.
Now we must create a Server Certificate which is then signed from our internal CA.
Don’t forget the Common Name and SANs (Alternative Names) if needed at the end!
As we setup the RADIUS Server and configured the CA and server certificate, now we come to the true setup of the OpenVPN Server, therefore goto VPN – OpenVPN and click under Servers the Add button.
As you can see, I used here for the protocol UDP with the local Port 1194 which ist reserved for OpenVPN. Best performance you will get with UDP but OpenVPN can also run with TCP and any other Port.
Therefore you can run OpenVPN with TCP and Port 443 like SSTP. This brings the benefit that users can dial-in from remote networks with restricted outbound traffic rules as HTTP and HTTPS over Port 80 and 443 in most networks outbound allowed.
At Server mode I used Remote Access (User Auth). Recommended and more secure is the Remote Access (SSL/TLS + User Auth).
But as we authenticate against RADIUS Server and Active Directory, I don’t want to create for each user a certificate and therefore a separate client install package. Therefore be sure to check Use a TLS Key which enhances the security by adding a further secret as only user and password. If checked, for the user is installed a static key in the config folder which is the same as on the server.
Under https://en.wikipedia.org/wiki/HMAC you will find more about this TLS Key known as Keyed-Hash Message Authentication Code.
At IPv4 Tunnel Network you must specify a network range in which your dialin clients reside.
If you have enabled netmask ordering on your DNS servers and have more than one AD Site, be aware to use a range near your physical AD Site on which the clients dialin!
Otherwise your vpn clients maybe will get for DNS requests which resides on multiple AD Sites, the IP from a system at the remote side.
Also under IPv4 Local nework(s) or IPv6 if used, add your local subnets which should be accessible from the vpn clients.
Also keep in mind, that clients/systems in the local network which should be accessible for the remote clients, should know the route into the Tunnel Network!
Under the Advanced Client Settings you can specify a default DNS domain and assign internal DNS servers to the clients.
Also you can check here Block Outside DNS to prevent the mentioned Windows 10 DNS Leak!
Now we must create a Firewall Rule on the WAN Interface to allow connections from OpenVPN Clients to UDP Port 1194.
That we can export the OpenVPN Client, first we had to install the openvpn-client-export package.
Therefore goto System – Package Manager – Available Packages and search for OpenVPN
After you installed this package you have under the menu OpenVPN a new tab with Client Export.
Don’t forget to check the Block Outside DNS checkbox to prevent the Windows 10 DNS LEAKS problems!
At the bottom of the Site you can download the several VPN Clients suited for your OS.
To allow Traffic from the OpenVPN Clients finally you must configure an allow Rule at the firewall under the OpenVPN tab.
In my case I allow all IPv4 traffic but for security reasons you should only allow required traffic.
One last thing we must configure at the corporate network are the new route to the tunnel network which is used by OpenVPN and the Clients, otherwise the internal servers and routers don’t know how to route outbound traffic to your vpn client computers and you can’t connect to them!
Now if you installed the client for your OS you can dialin to your corporate Network.
For the username you can type in the new UPN format like email@example.com or just the username. The common old legacy pre-Windows 2000 login DOMAIN\user is not supported.
One thing I forget to mention is if you use OpenVPN in an perimeter network configuration with front- and backfirewall. Don’t forget to allow UDP Traffic for RADIUS Authentification on the backfirewall, otherwise you will get an Auth-Error at dialin.
(UDP 1812 & 1813)
Configuration on the backfirewall
Below you see the few changes to make if you want to use the Server mode Remote Access (SSL/TLS + User Auth) instead of Remote Access (User Auth).
Goto VPN – OpenVPN – Servers
Select at Server mode Remote Access (SSL/TLS + User Auth) .
Goto System – Certificate Manager – Certificates
Click on Add and select Create an internal Certificate. This is the user certficate without the client could not login to OpenVPN. For each user you must create one. Under Descriptive name and Common Name put in the username from the Active Directory. Use her lowecase.
As we switched to Remote Access (SSL/TLS + User Auth) and created the user certificate we now can export the clients install package for this user. As mentioned for this server mode we must create for each user a separate user certficate and clients intall package.
Goto OpenVPN – Client Export
I checked here to use the Microsoft Certficate Storage and protect the certificates with a password. The user will need this when installing the package and importing the user certificate.
Here you can download the user specific install package with contains the user certificate. If you have many users you can search for them. For each created user certficate you will find here the corresponding client intall package.
At installing the client you will be automatically assisted to import the user certificate to the Microsoft Certificate Storage as selected previous in the Client Export settings.