I'm facing a challenge with VPN authentication in our setup. We're using pfSense with OpenVPN and NPS for RADIUS. Recently, someone connected to our VPN using a non-managed notebook, which brought up the need for stricter access controls. I thought about pushing computer certificates from our AD CA to require valid certs for VPN access, but it seems like the OpenVPN client can't utilize the Windows certificate store. It's puzzling because I've successfully implemented a similar solution for WiFi. Is it common to use computer certificates for VPN authentication? Are there better VPN clients that handle these types of certificates more effectively?
4 Answers
If you're working within a Windows/Active Directory environment, consider checking out Always On VPN with SSTP or IKEv2, which can read directly from the Windows certificate store. Certificate-based authentication is definitely the right way to go; it just seems that OpenVPN isn't the best fit for this in a Windows context.
Using VPN certificates for authentication is definitely a standard practice these days. For instance, Microsoft offers an Always On solution that generates short-lived certificates each time a compatible device connects. Other solutions like Palo Alto's GlobalProtect also support machine certificates, which is great for ensuring secure Always-On connections with minimal user intervention.
OpenVPN can work with the Windows certificate store without issues. Just ensure the private key is accessible to the VPN user. If you're using OpenVPN Service, you'll need the key in the Computer store and adjust some permissions. For the .ovpn file, include the line `cryptoapicert "THUMB:YOUR_CERT_THUMBPRINT"`. Just remember that to access the cert correctly, OpenVPN needs the right setup based on whether you’re connecting through a service or GUI.
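An added PowerShell example (not part of this answer and not OpenVPN's own tooling) for the checks this answer describes: it finds the machine certificate in the Computer store, confirms it has a private key and a Client Authentication EKU, shows who can read the key container (optionally granting Read to the service account), and prints the cryptoapicert line for the .ovpn file. Assumed: Windows PowerShell 5.1 run elevated, a placeholder thumbprint you replace with your own, the OpenVPN service running as LocalSystem, and an OpenVPN build that honours cryptoapicert.

```powershell
# Added example, not from the answer above: verify a machine cert in the Computer
# store for OpenVPN and emit the cryptoapicert line. Assumptions: Windows
# PowerShell 5.1, run elevated; $Thumbprint is a placeholder; the OpenVPN
# service runs as LocalSystem (for GUI-only use, grant the interactive user).
param(
    [Parameter(Mandatory = $true)][string]$Thumbprint,
    [string]$GrantReadTo    # optional, e.g. 'NT AUTHORITY\SYSTEM' or 'DOMAIN\vpnuser'
)
$Thumbprint = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()   # strip spaces pasted from certlm
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object Thumbprint -eq $Thumbprint
if (-not $cert)               { throw "No certificate $Thumbprint in Cert:\LocalMachine\My" }
if (-not $cert.HasPrivateKey) { throw "Certificate has no private key; unusable for client auth" }
if ($cert.NotAfter -lt (Get-Date)) { Write-Warning "Certificate expired on $($cert.NotAfter)" }
$eku = $cert.EnhancedKeyUsageList
if ($eku -and ($eku.ObjectId -notcontains '1.3.6.1.5.5.7.3.2')) {
    Write-Warning 'No Client Authentication EKU; a server enforcing remote-cert-tls will reject it'
}

# Locate the on-disk key container so its ACL can be inspected. Legacy CSP keys
# and CNG keys live in different folders under ProgramData.
if ($cert.PrivateKey) {
    $container = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
    $keyFile   = Join-Path $env:ProgramData "Microsoft\Crypto\RSA\MachineKeys\$container"
} else {
    $rsa     = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
    $keyFile = Join-Path $env:ProgramData "Microsoft\Crypto\Keys\$($rsa.Key.UniqueName)"
}

if (Test-Path $keyFile) {
    Write-Host "Private key container: $keyFile"
    (Get-Acl $keyFile).Access | Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
    if ($GrantReadTo) {
        # Read is all OpenVPN needs; do not grant FullControl or Modify
        $acl  = Get-Acl $keyFile
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($GrantReadTo, 'Read', 'Allow')
        $acl.AddAccessRule($rule)
        Set-Acl -Path $keyFile -AclObject $acl
        Write-Host "Granted Read on the key container to $GrantReadTo"
    }
} else {
    Write-Warning "Key container not found on disk ($keyFile); TPM/KSP-backed keys are not plain files"
}

# Put this line in the .ovpn in place of the <cert>/<key> blocks
"cryptoapicert `"THUMB:$Thumbprint`""
```

Run it once without -GrantReadTo to see the current ACL, and only add the service account if it is missing.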
Unfortunately, I heard that newer OpenVPN versions no longer support cryptoapicert. That's such a bummer!
Here's a quick setup guide for your RADIUS and OpenVPN config: First, add your RADIUS server in the User Manager section. Then set up the necessary certificates in the Cert Manager. When configuring OpenVPN, select Remote Access and ensure both client cert and RADIUS credentials are needed. Don’t forget to set up the proper backend on your RADIUS server for authentication. Export the client configuration from pfSense to include all certs needed for a smooth connection! Also, be wary of any ISP proxies that could interfere with your connection.

That makes sense! I’ve noticed a lot of emphasis on user certificates, but much less on machine certs. Is it true that OpenVPN runs in user mode, thus making computer certs harder to use?