
HowTO: Setup openvpn with LDAP integration on Pfsense 1.2.3

From FusionNetwork

 

Credit where due: Much of this information was taken from the pfSense forums. I've taken posts from minus as well as Ritmo2k and vito. The original post can be found here: http://forum.pfsense.org/index.php/topic,14946.0.html

Purpose: To get your pfsense system using OpenVPN with LDAP integration. This has several benefits: you can integrate into an LDAP system that is already running, and you have to install less onto your pfsense system to get username/password/certificate authentication working, which means less hassle and a smaller attack surface. Spend some time deciding whether this is a good solution for you before relying on it. If you make modifications, find problems or have suggestions, please follow the link above to the pfsense forums and post what you come up with.


 

 

What you Need:

  • System with pfSense 1.2.3 installed (this may work with other versions, but it is written for 1.2.3 stable).

  • SSH access to your pfsense system.

  • Web Configuration access to your pfsense system.

  • Internet access to download and install packages.

  • An already configured/working LDAP server (Or LDAPS).

  • An already configured OpenVPN server on your pfsense system.

Note: Lines starting with # should be run from the command line on your pfsense system.

 

Getting Started:

 

  1. SSH into your pfsense system. Once you have ssh access select option “8” at the menu in your console. This should drop you to a command line.

  2. Install the following packages using the pkg_add -r command: openvpn-auth-ldap, gcc42, gmake, texinfo and heimdal (heimdal provides the GSSAPI library the plugin is linked against).

    # pkg_add -r openvpn-auth-ldap gcc42 gmake texinfo heimdal

  3. Once this is complete open your web configuration page for your pfsense system. Go to VPN->OpenVPN. Select your OpenVPN Server by clicking the “edit” button.

  4. Scroll to the bottom of the configuration and locate the box labelled “Custom options”. Add the following line above any options you already have listed. pfsense separates custom options with semicolons, so if other options follow it, make sure to place a semicolon after this line.

    plugin /usr/local/lib/openvpn-auth-ldap.so /usr/local/etc/openvpn-auth-ldap.conf

  5. Save your OpenVPN server. It may not restart correctly yet, because the libraries the plugin needs are not in place until step 7; save and restart it again after you finish step 7.

  6. Get the base configuration for the “openvpn-auth-ldap.conf” file from here: http://code.google.com/p/openvpn-auth-ldap/wiki/Configuration and place it in an empty/new file in /usr/local/etc/. You will fill in your own LDAP URL, bind DN, bind password and search base; because the file holds the bind password, keep it readable by root only.

    # vi /usr/local/etc/openvpn-auth-ldap.conf

  7. Now we need to provide two libraries the plugin expects but that are not installed under those names (libgssapi.so.9 and libobjc.so.3). Create symlinks pointing the expected names at the versions that are installed. The gcc library directory below (gcc-4.3.5) depends on which gcc version pkg_add actually installed, so check which gcc-* directory exists under /usr/local/lib and adjust the path. Note that these links only satisfy the loader; a different library version is not a guarantee of ABI compatibility, and the links should be re-checked after any package upgrade.

    # ln -s /usr/local/lib/libgssapi.so.2 /usr/local/lib/libgssapi.so.9

    # ln -s /usr/local/lib/gcc-4.3.5/libobjc.so.2 /usr/local/lib/libobjc.so.3

  8. Go to Status->System Logs->OpenVPN; you should see that the OpenVPN server started correctly. It may still complain about the config file we referenced earlier, so the following steps fix that.
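The two symlinks in step 7 were worked out by hand. The following script is added here as an illustration and is not part of the original how-to: it reads `ldd` output, lists the shared objects the plugin cannot resolve, and prints candidate `ln -s` commands for other installed versions of the same library (dry run; it creates nothing). The `ldd` output embedded in it is constructed sample data, and the directory list and the `soname => not found` output format are assumptions for FreeBSD/pfsense.

```shell
#!/bin/sh
# Added example (not from the original how-to): discover which shared
# libraries a plugin cannot resolve and suggest symlinks, as in step 7.
# Assumptions: ldd prints "<soname> => not found" for unresolved libraries
# (FreeBSD and glibc do); the directories searched are listed in LIBDIRS.

LIBDIRS="${LIBDIRS:-/usr/local/lib /usr/local/lib/gcc-* /usr/lib /lib}"

# Constructed sample of `ldd /usr/local/lib/openvpn-auth-ldap.so` output,
# showing the two libraries the how-to links by hand plus two resolved ones.
SAMPLE_LDD='    libgssapi.so.9 => not found (0)
    libobjc.so.3 => not found (0)
    libldap-2.4.so.7 => /usr/local/lib/libldap-2.4.so.7 (0x28100000)
    libc.so.7 => /lib/libc.so.7 (0x28200000)'

# missing_libs: read ldd output on stdin, print each unresolved soname.
missing_libs() {
    awk '/=> not found/ { print $1 }'
}

# soname_stem: strip the version suffix, e.g. libgssapi.so.9 -> libgssapi.so
soname_stem() {
    printf '%s\n' "$1" | sed 's/\(\.so\)\..*$/\1/'
}

# candidates: installed files with the same stem (other versions of the lib).
candidates() {
    stem=$(soname_stem "$1")
    for d in $LIBDIRS; do                 # unquoted on purpose: expands gcc-*
        for f in "$d/$stem".*; do
            [ -e "$f" ] && printf '%s\n' "$f"
        done
    done
}

# suggest_links: for each missing soname print an ln -s command (dry run;
# nothing is created). Linking a different version only satisfies the
# loader; it does not guarantee ABI compatibility.
suggest_links() {
    missing_libs | while read -r so; do
        c=$(candidates "$so" | head -n 1)
        if [ -n "$c" ]; then
            printf 'ln -s %s /usr/local/lib/%s   # version differs: check ABI\n' "$c" "$so"
        else
            printf '# no installed version of %s found; install the package that provides it\n' "$so"
        fi
    done
}

# demo: run the check against the constructed sample instead of live ldd output.
demo() {
    printf '%s\n' "$SAMPLE_LDD" | suggest_links
}

# On the firewall: ldd /usr/local/lib/openvpn-auth-ldap.so | suggest_links
```

On the firewall, run `ldd /usr/local/lib/openvpn-auth-ldap.so | suggest_links` and review the output before executing any of the suggested commands; after a package upgrade, run the same check again, since a stale link to a removed or replaced library will stop the plugin from loading.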