OPNsense – OpenVPN with LDAP Authentication

I have been using WireGuard VPN, and recently I wanted my folks to browse the Internet safely through the OPNsense firewall. This means I will be implementing a full-tunnel VPN rather than a split-tunnel VPN. I really don’t want to generate a WireGuard key for each user because it is not scalable. I have been using FreeIPA as my LDAP server, so another way to put FreeIPA to work is to use it as the identity source for OpenVPN remote access. If you are interested, here is the link to the post Installing FreeIPA on Rocky Linux.

This post will assume the following:

  • An LDAP server already deployed
  • A service account that will be used as the bind user
  • End user(s) who are members of the VPN group

Just to paint a picture before we get started: the FreeIPA server I am using has the IP address 192.168.7.25. The sample VPN FQDN I am going to use in this post is ovpn.networkshinobi.com. The remote access VPN users will get their IP addresses from the 192.168.16.0/24 block.

There are several sections of configuration that are required to deploy OpenVPN with LDAP authentication. These configuration sections are:

  1. LDAP server
  2. Importing LDAP users
  3. Certificates
  4. OpenVPN server
  5. OpenVPN user
  6. Firewall rulesets
  7. OpenVPN clients (Linux, Android, etc)

LDAP server

To set up the LDAP server, navigate to System / Access / Servers, then click on the + icon to add a server.

  1. Enter a description in the Description field
  2. Select LDAP in the Type drop-down menu
  3. Enter the FQDN or IP address of the LDAP server in the Hostname or IP Address field
  4. For the Port value enter 389 for LDAP
  5. For the Bind credentials, enter the DN of the service account
    1. To get the DN value, run this command on the FreeIPA server: ldapsearch -D "cn=Directory Manager" -x uid=svc_fw -W
  6. Enter the password of the bind DN in the password field
  7. Select the Entire Subtree under the Search scope drop-down menu
  8. Enter the base DN value in the Base DN field
  9. For the Authentication containers, click the Select button and choose the container
  10. Enter the filter to select the specific user groups in the Extended Query field
  11. Select OpenLDAP in the Initial Template drop-down menu
  12. Enter the name attribute in the User naming attribute field
  13. Put a checkmark on Read properties and Synchronize groups
  14. Click Save
Figure 1

Make sure that the LDAP server is working correctly by testing the connection between OPNsense and the LDAP server. This can be done in System / Access / Tester.
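Before typing values into the OPNsense form it helps to see where each one comes from. The following is an added example (not part of the original post or of OPNsense) that parses a constructed LDIF snippet shaped like the output of the ldapsearch command above, recovers the bind DN and base DN from it, and builds a group-membership filter for the Extended Query field with RFC 4515 escaping, so that a group name containing filter metacharacters cannot change the meaning of the query. The domain example.com, the group name vpn_users and the FreeIPA container layout (cn=users,cn=accounts and cn=groups,cn=accounts) are assumptions; check the Extended Query field's help text for how OPNsense combines the filter with its own user lookup.

```python
"""Derive the OPNsense LDAP settings from a FreeIPA ldapsearch result (added example)."""
import base64

# Constructed sample: the shape of the output that
#   ldapsearch -D "cn=Directory Manager" -x uid=svc_fw -W
# gives on a FreeIPA server whose realm maps to dc=example,dc=com (assumed).
SAMPLE_LDIF = """\
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> (default) with scope subtree
# filter: uid=svc_fw
# requesting: ALL
#

# svc_fw, users, accounts, example.com
dn: uid=svc_fw,cn=users,cn=accounts,dc=example,dc=com
uid: svc_fw
cn: Firewall bind account
objectClass: inetOrgPerson
memberOf: cn=ipausers,cn=groups,cn=accounts,dc=example,dc=com

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
"""


def parse_ldif_entries(ldif):
    """Return one {attribute: [values]} dict per entry; comments and the
    trailing 'search result' block (which has no dn) are dropped."""
    entries, current = [], {}
    for line in ldif.splitlines():
        if line.startswith("#"):
            continue
        if not line.strip():          # blank line ends an entry
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):     # 'attr:: <base64>' form used for non-ASCII values
            value = base64.b64decode(value[1:].strip()).decode()
        current.setdefault(attr.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return [e for e in entries if "dn" in e]


def bind_dn(ldif, uid):
    """The DN that goes into the 'Bind credentials' field for the service account."""
    for entry in parse_ldif_entries(ldif):
        if entry.get("uid") == [uid]:
            return entry["dn"][0]
    raise LookupError(f"no entry with uid={uid}")


def base_dn(dn):
    """Keep only the dc= components: the suffix to enter in the 'Base DN' field."""
    return ",".join(part for part in dn.split(",") if part.lower().startswith("dc="))


# RFC 4515: these characters must be escaped inside a filter value, otherwise a
# crafted value could close the assertion and append its own conditions.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value):
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def group_filter(group, base):
    """Filter restricting logins to members of `group`. FreeIPA keeps groups
    under cn=groups,cn=accounts,<base> (assumed layout)."""
    group_dn = f"cn={escape_filter_value(group)},cn=groups,cn=accounts,{base}"
    return f"(memberOf={group_dn})"


if __name__ == "__main__":
    dn = bind_dn(SAMPLE_LDIF, "svc_fw")
    print("Bind DN       :", dn)
    print("Base DN       :", base_dn(dn))
    print("Extended Query:", group_filter("vpn_users", base_dn(dn)))
```

Run it against the real ldapsearch output by replacing SAMPLE_LDIF with the captured text; the escaping helper is what you would reuse if the group name were ever taken from user input.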

Importing LDAP users

Now that we have a working LDAP server, we can pull in all the users who are members of the group we queried. We need to enable LDAP in System / Settings / General / Administration / Authentication / Server, then select both the Local Database and the LDAP server. Once done, navigate to System / Access / Users. Click on the small cloud icon on the far right, next to the + icon, as shown in Figure 2.

Figure 2
  1. A window will pop up, so make sure you allow it
  2. Select the user(s) that need to be imported
  3. Click Save

Certificates

We need to create an internal CA and a Server certificate to allow the end-user to VPN in. First, we will need to create a Certificate Authority (CA). Navigate to System / Trust / Authorities.

  1. Click on the + icon to create a CA
  2. Give the CA a Descriptive name
  3. Select Create an internal Certificate Authority from the Method drop-down menu
  4. For the Key Type, select RSA
  5. Pick a Key length
  6. Select the Digest Algorithm
  7. Enter the desired Lifetime value
  8. Fill out the Distinguished name section
  9. Click Save when done
Figure 3

To create a server certificate, navigate to System / Trust / Certificates.

  1. Select Create an internal Certificate from the Method menu
  2. Give this a description
  3. Select the CA that was created earlier
  4. Select Server Certificate for the Type
  5. For the Key Type, select RSA
  6. Pick a Key length
  7. Select the Digest Algorithm
  8. Enter the desired Lifetime value
  9. The Distinguished name section should be auto-populated; if not, fill it out
  10. Click Save when done
Figure 4

OpenVPN server

It is time to create the OpenVPN server for remote access VPN. Navigate to VPN / OpenVPN / Servers.

  1. Click on the + to create a new OpenVPN server
  2. Give the configuration a Description
  3. Select Remote Access (User Auth) from the Server Mode menu
  4. Select the LDAP server for the Backend authentication
  5. Select the protocol TCP or UDP
  6. For the Interface, select the WAN interface
  7. Enter the OpenVPN port. The OpenVPN default port is 1194
  8. For the TLS Authentication, select Enable – Authentication & encryption
  9. For the TLS Shared Key, make sure the checkbox is checked
  10. For the Peer Certificate Authority, select the CA that was created earlier
  11. Select the server cert that was created earlier for the Server Certificate
  12. Select the DH Parameters Length
  13. Pick an Encryption algorithm
  14. Pick an Auth Digest Algorithm
  15. Select Do not check from the Certificate Depth menu
  16. Enter the IP block for the remote access VPN users in the IPv4 Tunnel Network
  17. Since I am interested in full-tunnel mode, I will check the Redirect Gateway
  18. Check the following options: Dynamic IP, Address Pool, Topology and DNS Servers
    1. Enter the IP address of the internal DNS server (or pihole / adguard)
  19. Click Save
Figure 5

OpenVPN user

Now that we have an OpenVPN server, we need to add the certs to the LDAP VPN users. To do so, navigate to System / Access / Users.

  1. Select a user from the list by clicking on the Edit button
  2. Scroll down to the User Certificates and click on the + icon to add the certs
  3. For the Method, select Choose an existing certificate
  4. Keep the Descriptive name the way it is
  5. Select the server certificate that was created earlier
  6. Click Save
Figure 6

Firewall rulesets

Now that we have the LDAP server and have imported the end user(s), we need to allow inbound OpenVPN from the Internet and allow the users to access the internal resources. First things first, let’s create some aliases for the firewall rules. There are two aliases to create: one for the OpenVPN port and the other for the network block the user(s) will be using. Navigate to Firewall / Aliases.

  1. Click on the + icon to add a new entry
  2. Give the alias a name
  3. Select Port(s) from the Type drop-down menu
  4. Enter the desired port for the OpenVPN. I will be using the default port number of 1194
  5. Enter a description
  6. Click Save
Figure 7
  1. Click on the + icon to add a new entry
  2. Give the alias a name
  3. Select Network(s) from the Type drop-down menu
  4. Enter the network block for the remote access VPN users. I will be using 192.168.16.0/24
  5. Enter a description
  6. Click Save
  7. Click on Apply
Figure 8

Now that we have the aliases we needed, we can create two firewall rules. Navigate to Firewall / Rules / Floating.

I like to create all my rules as floating rules instead of per-interface rules. If you are still following along, create your rules using whichever method you prefer. With floating rules, the more specific rules should be at the top, so some reordering of the rules may be required.

To get the OpenVPN working we need to create an inbound rule.

  1. Click on the + icon to add a new ruleset
  2. Select Pass for the Action
  3. Tick the Quick option
  4. Select the WAN interface
  5. Select In for the Direction flow
  6. Select UDP for the Protocol. Remember, I am using the default port and it is UDP
  7. Keep the Source value any
  8. Select the WAN address for the Destination
  9. Select the OpenVPN port alias that was created earlier for the Destination port range
  10. Enter a description in the Description field
  11. Click Save
Figure 9

Now that we have an inbound rule, create another one for the users to access the internal resources.

  1. Click on the + icon to add a new ruleset
  2. Select Pass for the Action
  3. Tick the Quick option
  4. Select the OpenVPN interface
  5. Select In for the Direction flow
  6. Select TCP for the Protocol.
  7. Select the OpenVPN network block alias that was created earlier as the Source
  8. Select the alias of the resource for the Destination.
  9. Select the resource port alias that was created earlier for the Destination port range
  10. Enter a description in the Description field
  11. Click Save
Figure 10

To allow the remote access VPN users to access the Internet, we need to create another firewall rule, this time with a Destination of any and a Destination port range of any. Make sure the WAN gateway is selected for the Gateway, then click Save.
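The ordering point made earlier matters most for this last rule: with Quick set, the first matching floating rule wins, and the Internet rule carries a gateway, so if it sits above the internal-resources rule, traffic from VPN users to internal hosts is policy-routed out of the WAN gateway instead of staying on the LAN. The following is an added example (not OPNsense code) that models the three rules from this post with first-match semantics and shows the effect of the two orderings. The addresses from the post (192.168.16.0/24 and 192.168.7.25) are used; the WAN address, the gateway name and the resource alias contents are constructed, and LDAP on TCP/389 stands in for "the resource".

```python
"""First-match ('quick') evaluation of the post's three floating rules (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Union

ANY = "any"


@dataclass(frozen=True)
class Rule:
    name: str
    iface: str
    proto: str                    # "udp", "tcp" or ANY
    src: str                      # CIDR or ANY
    dst: str                      # CIDR or ANY
    dport: Union[int, str]        # port number or ANY
    quick: bool = True            # the 'Quick' checkbox in the rule editor
    gateway: Optional[str] = None # policy-routing gateway; None = normal routing


@dataclass(frozen=True)
class Packet:
    iface: str
    proto: str
    src: str
    dst: str
    dport: int


def _in(net, addr):
    return net == ANY or ipaddress.ip_address(addr) in ipaddress.ip_network(net)


def matches(rule, pkt):
    return (rule.iface == pkt.iface
            and rule.proto in (ANY, pkt.proto)
            and _in(rule.src, pkt.src)
            and _in(rule.dst, pkt.dst)
            and rule.dport in (ANY, pkt.dport))


def evaluate(rules, pkt):
    """pf semantics: a matching 'quick' rule ends evaluation at once; a matching
    non-quick rule is remembered but a later match may still override it.
    Returns the winning rule, or None for OPNsense's implicit default deny."""
    winner = None
    for rule in rules:
        if matches(rule, pkt):
            if rule.quick:
                return rule
            winner = rule
    return winner


def winner_name(rules, pkt):
    rule = evaluate(rules, pkt)
    return rule.name if rule else "default deny"


# Constructed stand-ins for the aliases created in the post.
WAN_ADDRESS = "203.0.113.10/32"     # documentation range, represents the WAN IP
OVPN_NET = "192.168.16.0/24"        # IPv4 Tunnel Network from the post
INTERNAL_LDAP = "192.168.7.25/32"   # the FreeIPA server from the post

INBOUND = Rule("allow OpenVPN in", "wan", "udp", ANY, WAN_ADDRESS, 1194)
TO_INTERNAL = Rule("VPN users to LDAP", "openvpn", "tcp", OVPN_NET, INTERNAL_LDAP, 389)
TO_INTERNET = Rule("VPN users to Internet", "openvpn", ANY, OVPN_NET, ANY, ANY,
                   gateway="WAN_GW")

GOOD_ORDER = [INBOUND, TO_INTERNAL, TO_INTERNET]   # specific rules above the catch-all
BAD_ORDER = [INBOUND, TO_INTERNET, TO_INTERNAL]    # catch-all shadows the specific rule

if __name__ == "__main__":
    ldap = Packet("openvpn", "tcp", "192.168.16.10", "192.168.7.25", 389)
    web = Packet("openvpn", "tcp", "192.168.16.10", "198.51.100.20", 443)
    for label, order in (("specific first", GOOD_ORDER), ("catch-all first", BAD_ORDER)):
        hit = evaluate(order, ldap)
        print(f"{label}: LDAP -> {hit.name} (gateway={hit.gateway}), "
              f"web -> {winner_name(order, web)}")
```

In the bad ordering the LDAP packet is matched by the Internet rule and inherits its WAN gateway; in the good ordering it hits the specific rule and is routed normally. The same model explains why a rule without Quick behaves differently: it only wins if nothing later matches.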

OpenVPN Client Export

We need to export the .ovpn file from OPNsense. To get this file, navigate to VPN / OpenVPN / Client Export.

  1. Select the OpenVPN server that was created earlier for the Remote Access Server
  2. The Export type is File Only
  3. Enter the IP address or FQDN of the WAN interface in the Hostname field
  4. Make sure the following are checked: Use random local port, Validate server subject and Disable password save
  5. Then click on the cloud icon to download the user profile
Figure 11
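The three checkboxes above each end up as a directive in the exported profile, and it is worth confirming that before handing the file to a user. The following is an added example (not part of the original post or of OPNsense's export tool) that parses a constructed profile in the shape the Client Export produces and reports which client-side protections are missing. The mapping it assumes is: Use random local port adds nobind, Validate server subject adds verify-x509-name, Disable password save adds auth-nocache, and the TLS Authentication key from the server settings appears as an inline tls-auth (or tls-crypt) block; the certificate and key material in the sample are placeholders.

```python
"""Audit an exported .ovpn profile for the client-side protections chosen in the post (added example)."""
import re

# Constructed sample in the shape of an OPNsense Client Export; the hostname and
# port follow the post, the CA and TLS key are placeholders, not real material.
SAMPLE_OVPN = """\
client
dev tun
proto udp
remote ovpn.networkshinobi.com 1194
nobind
auth-user-pass
auth-nocache
remote-cert-tls server
verify-x509-name "ovpn.networkshinobi.com" name
cipher AES-256-GCM
auth SHA256
<ca>
-----BEGIN CERTIFICATE-----
PLACEHOLDER-CA
-----END CERTIFICATE-----
</ca>
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
PLACEHOLDER-KEY
-----END OpenVPN Static key V1-----
</tls-auth>
key-direction 1
"""


def parse_ovpn(text):
    """Return (directives, blocks): directives as {name: [argument strings]},
    inline <tag>...</tag> sections as {tag: body}. '#' and ';' comments are skipped."""
    directives, blocks = {}, {}
    lines = iter(text.splitlines())
    for line in lines:
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        opening = re.fullmatch(r"<(\w[\w-]*)>", line)
        if opening:
            tag, body = opening.group(1), []
            for inner in lines:               # consume until the matching close tag
                if inner.strip() == f"</{tag}>":
                    break
                body.append(inner)
            blocks[tag] = "\n".join(body)
            continue
        name, _, args = line.partition(" ")
        directives.setdefault(name, []).append(args.strip())
    return directives, blocks


# (label, predicate over (directives, blocks), what to change in the GUI)
CHECKS = [
    ("random local port", lambda d, b: "nobind" in d,
     "tick 'Use random local port' (adds nobind)"),
    ("server subject validation", lambda d, b: "verify-x509-name" in d,
     "tick 'Validate server subject' (adds verify-x509-name)"),
    ("server certificate type check",
     lambda d, b: d.get("remote-cert-tls", [""])[-1] == "server",
     "expect 'remote-cert-tls server' so only a server certificate is accepted"),
    ("no cached password", lambda d, b: "auth-nocache" in d,
     "tick 'Disable password save' (adds auth-nocache)"),
    ("TLS control-channel key", lambda d, b: "tls-auth" in b or "tls-crypt" in b,
     "enable TLS Authentication on the server and re-export"),
    ("user authentication", lambda d, b: "auth-user-pass" in d,
     "server must be in Remote Access (User Auth) mode"),
]


def audit_profile(text):
    """Labels of the checks that fail; an empty list means the profile passes."""
    directives, blocks = parse_ovpn(text)
    return [label for label, ok, _ in CHECKS if not ok(directives, blocks)]


def remediation(label):
    return next(hint for name, _, hint in CHECKS if name == label)


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_OVPN
    failures = audit_profile(text)
    for label in failures:
        print(f"MISSING {label}: {remediation(label)}")
    print("profile OK" if not failures else f"{len(failures)} issue(s)")
```

Point it at the downloaded file (python audit.py user.ovpn) before sending the profile out; the checks only read the file, so it is safe to run on the exported copy.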

This is it. It is done. To add more users, just repeat the steps in Figure 6 and Figure 11, then securely send the .ovpn file to the user.

Cheers!

1 Comment

Rilcy
3 months ago

Thank you very much for your post!
It was very useful for the newbie I am on OPNsense.
