We had the need to create an OpenVPN system for office connectivity and just happened to be running a PF-Sense firewall. (If you haven't heard of it, I highly suggest it: http://www.pfsense.org ).
We decided the best way to do this was certificate + username/password. This way we know that you can't log in to our VPN without a valid certificate that was created by our internal Certificate Authority. You also cannot connect without the proper username/password.
What this gives us is the least "hassle" for our office users with the highest level of security: you cannot connect if you have only the user/pw or only the certificate. You require both to properly connect.
I have exported this document to PDF and it can be downloaded here: http://www.fusionnetwork.us/tutorials/pfsense/OpenVPN_Pfsense_122_FreeRadius.pdf
The text has been pasted below. It's a bit ugly because of formatting, but you are welcome to it if you wish ;)
OpenVPN setup on PF-Sense 1.2.2 w/ 2-way authentication (certificates & FreeRADIUS user/pw)
This document will show you how to set up OpenVPN on a PF-Sense 1.2.2 system with two-way authentication, so that a connection requires a certificate as well as a username/password combination. You are also given centralized management of the username/password system, which lets you easily add or remove a user before creating the certificate/VPN installer. A further plus is that you can set “login times” and access limits on users using FreeRADIUS.
What you need:
List of items that you should already have or that are assumed:
Computer or virtual machine with PF-Sense 1.2.2 installed (may work with earlier versions but only tested with 1.2.2).
Connection to the internet (for fetching and installing files/packages/etc.).
Computer configured with an OpenVPN client (for testing; can be Windows/Linux/Mac).
OpenVPN already configured on your PF-Sense system (I used this document: http://www.pfsense.org/mirror.php?section=tutorials/openvpn/pfsense-ovpn.pdf ).
Getting Started: Installing FreeRadius and getting it ready for OpenVPN
The first thing you need to do is install FreeRADIUS onto the PF-Sense system that you are using.
Navigate to “System->Packages”.
Click the + sign on the right of “Freeradius”.
Your PF-Sense box will now install FreeRADIUS from the PF-Sense repositories. This might take a few minutes depending on how fast your system/network connection is.
From the PF-Sense web GUI navigate to “Services->FreeRADIUS”.
Select the “Clients” tab.
We are setting OpenVPN up as a “Client” of the FreeRADIUS server (a NAS that is allowed to send authentication requests). Click the + sign to get started.
In the “Client” field put in the LAN IP address of your PF-Sense box. Mine is: 192.168.1.1
In the “Shortname” field put something descriptive, e.g. OpenVPN Server (Remote Client auth).
In the “Shared Secret” field put in a password which is not easy to guess. You will need this same value later in /etc/radius.conf.
In the “Description” field put in something that will help you identify this connection.
Setting up your Users:
Now navigate to the “Users” tab. This is where you set up EVERY user you want to authenticate with FreeRADIUS/OpenVPN.
Click the + sign to get started.
Fill out the Username/Password fields.
Make sure that you also fill out “Number of Multiple Connection”. I suggest setting this to 1. It is the only other required field besides username/password; the rest is optional.
[optional] Set the “Session time”. I have mine set at 21600 (seconds), which is close to a normal workday. When this expires the user will be kicked off and will have to log in again. This keeps users from staying logged in all the time, even when they are not at the computer.
Click on the “Save” button.
Gain shell access on your PF-Sense system.
We will be working on the command line. You should either temporarily enable SSH on your PF-Sense system or have access to the main console directly connected to your PF-Sense box.
Enable SSH: Navigate to “System->Advanced”. Check “Enable Secure Shell”, then click “Save” at the bottom of the “Secure Shell” section.
You should now be able to SSH into your PF-Sense system.
If you are directly connected to your PF-Sense system with a console/monitor, you can select option “8” to get a command prompt.
Connecting OpenVPN and FreeRadius.
Now that you are at a shell prompt on your PF-Sense system we can configure the PAM system to work with OpenVPN and FreeRADIUS.
Create the file /etc/pam.d/openvpn with a text editor (the save/exit keystrokes below are for vi).
Insert the following into the file (exactly, or it may not work!):
auth required pam_radius.so debug=10
account sufficient pam_permit.so
session sufficient pam_permit.so
Save and exit the file (press “Esc” then type “:wq” without the quotes).
Create the file /etc/radius.conf in the same way.
Insert the following into the file. Change the IP address to the IP of your PF-Sense LAN interface, and replace *****PassHere with the shared secret you set in the “Clients” section of the FreeRADIUS configuration screen. The port after the colon must be the port the FreeRADIUS package is listening on, or every login will fail.
acct 192.168.1.1:1892 *****PassHere
auth 192.168.1.1:1892 *****PassHere
Save and exit the file (press “Esc” then type “:wq” without the quotes).
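A small checker for the two files you just created, written as an added example for this tutorial (it is not part of the original document or of the pfSense project). It parses /etc/radius.conf in the FreeBSD radius.conf(5) format that pam_radius reads and the /etc/pam.d/openvpn stack, and reports the mistakes that quietly break two-way auth; the file contents are embedded as constructed copies of the text above, and the FreeRADIUS listen port passed in is whatever your package is configured to use.

```python
"""Sanity-check /etc/radius.conf and /etc/pam.d/openvpn as created above (added example, not the tutorial's).
radius.conf uses the FreeBSD radius.conf(5) format pam_radius reads: "auth|acct host[:port] secret [timeout [max_tries]]".
Both samples below are constructed copies of the tutorial's file contents."""
PLACEHOLDER = "*****PassHere"                  # the tutorial's stand-in for the shared secret
DEFAULT_PORT = {"auth": 1812, "acct": 1813}     # libradius defaults when no :port is given
RADIUS_CONF_PASTED = "acct 192.168.1.1:1892 *****PassHere\nauth 192.168.1.1:1892 *****PassHere\n"
PAM_OPENVPN = ("auth required pam_radius.so debug=10\n"
               "account sufficient pam_permit.so\n"
               "session sufficient pam_permit.so\n")

def parse_radius_conf(text):
    """Return {'auth': [(host, port, secret), ...], 'acct': [...]}."""
    entries = {"auth": [], "acct": []}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # radius.conf allows # comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 3 or parts[0] not in entries:
            raise ValueError("malformed radius.conf line: %r" % raw)
        host, _, port = parts[1].partition(":")
        entries[parts[0]].append((host, int(port) if port else DEFAULT_PORT[parts[0]], parts[2]))
    return entries

def check_radius_conf(text, listen_port):
    """Report what makes every login fail; listen_port is the FreeRADIUS package's listen port."""
    problems, entries = [], parse_radius_conf(text)
    if not entries["auth"]:
        problems.append("no 'auth' server line; PAM has nobody to ask")
    for kind, servers in entries.items():
        for _host, port, secret in servers:
            if secret == PLACEHOLDER:
                problems.append("%s: shared secret is still the placeholder" % kind)
            if kind == "auth" and port != listen_port:
                problems.append("auth: port %d is not FreeRADIUS listen port %d" % (port, listen_port))
    return problems

def check_pam_stack(text):
    """The 'auth' line must be pam_radius.so: a permissive module there admits anyone holding a cert."""
    problems = []
    auth_lines = [l.split() for l in text.splitlines() if l.split()[:1] == ["auth"]]
    if not auth_lines:
        problems.append("no 'auth' line; nothing verifies the password")
    for parts in auth_lines:
        if len(parts) < 3 or parts[2] != "pam_radius.so":
            problems.append("auth line does not call pam_radius.so: %s" % " ".join(parts))
        elif parts[1] not in ("required", "requisite"):
            problems.append("auth control flag is %r, not required/requisite" % parts[1])
    return problems
```

Run it against the real files with open("/etc/radius.conf").read() once you have replaced the placeholder; an empty list from both checks means the files are consistent with what OpenVPN's PAM plugin expects.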
We are finished with this section. Go back to your PF-Sense Web GUI.
Load the PAM plugin for OpenVPN.
Navigate to your OpenVPN server configuration screen, “VPN->OpenVPN”. Make sure you are on the “Server” tab.
Click the “Edit” button next to the OpenVPN server you have set up.
When the new screen loads, scroll down to the bottom where you see the section marked “Custom Options”. Insert the following into the textbox (the last argument, “openvpn”, is the name of the PAM service file you created in /etc/pam.d):
plugin /usr/local/lib/openvpn-auth-pam.so openvpn
Click “Save” at the bottom of the screen and navigate to the OpenVPN log screen, “Status->System Logs”, then click on the “OpenVPN” tab.
You should see something similar to what is listed below (borrowed from j0emv on the pfSense forums, thanks!):
Mar 20 13:16:26 openvpn: Need IPv6 code in mroute_extract_addr_from_packet
Mar 20 13:16:21 openvpn: Initialization Sequence Completed
Mar 20 13:16:21 openvpn: TCPv4_SERVER link remote: [undef]
Mar 20 13:16:21 openvpn: TCPv4_SERVER link local (bound): [undef]:1194
Mar 20 13:16:21 openvpn: Listening for incoming TCP connection on [undef]:1194
Mar 20 13:16:20 openvpn: /etc/rc.filter_configure tun0 1500 1543 192.168.3.1 192.168.3.2 init
Mar 20 13:16:20 openvpn: /sbin/ifconfig tun0 192.168.3.1 192.168.3.2 mtu 1500 netmask 255.255.255.255 up
Mar 20 13:16:20 openvpn: TUN/TAP device /dev/tun0 opened
Mar 20 13:16:20 openvpn: gw xx.xx.xx.xx
Mar 20 13:16:20 openvpn: WARNING: file '/var/etc/openvpn_server0.key' is group or others accessible
Mar 20 13:16:20 openvpn: OpenVPN 2.0.6 i386-portbld-freebsd6.2 [SSL] [LZO] built on Mar 3 2007
If your text looks more like the following output, continue on; otherwise you're done (borrowed from j0emv on the pfSense forums, thanks!):
Mar 20 12:41:16 openvpn: Exiting
Mar 20 12:41:16 openvpn: PLUGIN_INIT: could not load plugin shared object /usr/local/lib/openvpn-auth-pam.so: Service unavailable: Too many links (errno=31)
Mar 20 12:41:16 openvpn: OpenVPN 2.0.6 i386-portbld-freebsd6.1 [SSL] [LZO] built on Apr 6 2006
If you have the above output, it means the OpenVPN install on the box is broken and the auth-pam plugin cannot be loaded. The easy way to fix this is to use the pkg_add utility on your PF-Sense system's command line. So from your PF-Sense system's command line issue the following:
pkg_add -r openvpn
This will reinstall OpenVPN and should fix your problems. If not, you can post in the pfSense forums: http://forum.pfsense.org/index.php/topic,4105.0.html or PM me (username: eureka on the pfSense forums).
You should now be able to connect to your OpenVPN system using two-way authentication. If you have problems, I have listed below some options that you can add to your OpenVPN system to help in your debugging.
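The two log excerpts above are the "good" and "broken" signatures to look for after saving the plugin line. This added example (not from the tutorial or the pfSense project) triages a copy of the OpenVPN log tab, newest line first as pfSense shows it, tells the two cases apart, and also surfaces the key-file permission warning buried in the successful log; the sample logs are abbreviated copies of the excerpts quoted above.

```python
"""Triage the OpenVPN log after adding the auth-pam plugin line (added example, not the tutorial's).
Reads the text of the "OpenVPN" log tab, newest line first as pfSense shows it, and reports whether
the daemon came up, whether the plugin failed to load (the pkg_add -r openvpn case), and whether the
server key is group- or world-readable. The samples are abbreviated from the excerpts quoted above."""
import re

LOG_OK = """Mar 20 13:16:26 openvpn: Need IPv6 code in mroute_extract_addr_from_packet
Mar 20 13:16:21 openvpn: Initialization Sequence Completed
Mar 20 13:16:21 openvpn: TCPv4_SERVER link remote: [undef]
Mar 20 13:16:21 openvpn: TCPv4_SERVER link local (bound): [undef]:1194
Mar 20 13:16:20 openvpn: TUN/TAP device /dev/tun0 opened
Mar 20 13:16:20 openvpn: WARNING: file '/var/etc/openvpn_server0.key' is group or others accessible
Mar 20 13:16:20 openvpn: OpenVPN 2.0.6 i386-portbld-freebsd6.2 [SSL] [LZO] built on Mar 3 2007
"""
LOG_BROKEN = """Mar 20 12:41:16 openvpn: Exiting
Mar 20 12:41:16 openvpn: PLUGIN_INIT: could not load plugin shared object /usr/local/lib/openvpn-auth-pam.so: Service unavailable: Too many links (errno=31)
Mar 20 12:41:16 openvpn: OpenVPN 2.0.6 i386-portbld-freebsd6.1 [SSL] [LZO] built on Apr 6 2006
"""

PLUGIN_FAIL = re.compile(r"PLUGIN_INIT: could not load plugin shared object ([^:\s]+):")
KEY_WARN = re.compile(r"WARNING: file '([^']+)' is group or others accessible")
ADVICE = {
    "running": "plugin loaded; test a login and watch /var/log/radius.log",
    "plugin_load_failed": "reinstall OpenVPN with 'pkg_add -r openvpn' and re-save the server",
    "exited": "daemon exited without a plugin error; raise verbosity and read the full log",
    "unknown": "no start or stop marker seen; capture more of the log",
}

def triage(log_text):
    """Return {'state', 'plugin', 'loose_key_files', 'advice'} for one OpenVPN start attempt."""
    result = {"state": "unknown", "plugin": None, "loose_key_files": []}
    for line in reversed(log_text.splitlines()):       # walk oldest -> newest
        m = PLUGIN_FAIL.search(line)
        if m:
            result["state"], result["plugin"] = "plugin_load_failed", m.group(1)
        m = KEY_WARN.search(line)
        if m:
            result["loose_key_files"].append(m.group(1))   # private key readable by group/others
        if "Initialization Sequence Completed" in line:
            result["state"] = "running"
        elif line.endswith("openvpn: Exiting") and result["state"] == "unknown":
            result["state"] = "exited"
    result["advice"] = ADVICE[result["state"]]
    return result
```

A non-empty loose_key_files list on a "running" box deserves a look even though the VPN works: the server's private key is readable by more than its owner.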
Debugging your system.
Sometimes things don't work how we think they should. The following options can be helpful in your debugging. It is assumed that you are running these commands on the PF-Sense system, either via a directly connected monitor/keyboard or via SSH, unless otherwise specified.
Make OpenVPN more verbose and force it to log to a non-standard location so you can read it more easily.
From the PF-Sense web GUI navigate to “VPN->OpenVPN” and select the server you created earlier.
Go to the bottom of the screen and modify the “Custom Options” text box to have the following.
This will log everything from OpenVPN to the /var/log/opvn.log file. You can watch it with the following command (while trying to connect, etc.):
tail -f /var/log/opvn.log
You can also watch FreeRADIUS for attempted connections/authorizations (failed or successful):
tail -f /var/log/radius.log
With this information in hand, Google and the pfSense forums can be a very good resource.