Feature #1260

Allow other Backends for Remote Access ( SSL/TLS + User Auth )

Added by Joseph Casale over 9 years ago. Updated almost 9 years ago.

Currently in 2.0 BETA5, only the local user db is allowed for use in a Remote Access ( SSL/TLS + User Auth ) template. Not sure why this limitation exists, but it obviously wouldn't be typical in any OpenVPN implementation outside of pfSense. Is this an oversight insofar as simply a GUI limitation, or can this and the 'client-cert-not-required' directive be lifted?


#1 Updated by Jim Pingle over 9 years ago

It's currently done that way because only with Local auth can you manage both the users and the certificates easily in the GUI.

With LDAP or RADIUS you could make the certificates in the GUI (or elsewhere) but they couldn't be automated or tied in any meaningful way to user accounts. You'd have to manually make certificates for each user you want to connect, and ensure that the common name of the certificate matches the username.

#2 Updated by Joseph Casale over 9 years ago

Ok, I understand but that's a bit pedantic as this is how it is in every other installation outside of pfSense. My vote would still be to relax it :)

#3 Updated by Chris Buechler over 9 years ago

  • Target version set to 2.1

We were really overthinking it; it can be as simple as forcing individual certificates to be created. It doesn't have to know about the users, or provide an easy way to create the certs by checking for users that actually exist. It could do that for LDAP in the future, show a list of users so you can easily bulk-create certs, but just showing a list of all certs on the appropriate CA would suffice for a quick fix.
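
The cross-check that comments #1 and #3 describe doing by hand, as an added example that is not part of the ticket or of pfSense's code: given usernames from the LDAP/RADIUS backend and the subject lines of the certificates on the CA, it reports which users lack a certificate and which certificates match no user. The function names, report keys and sample data are hypothetical, and an exact, case-sensitive match between username and common name is assumed.

```python
import re

# CN attribute in either "/C=US/CN=jdoe" or "C=US, CN=jdoe" subject form.
# Assumption: CNs contain no "/" or "," (true for typical usernames).
_CN_RE = re.compile(r"(?:^|[/,])\s*CN\s*=\s*([^/,]+)")


def common_name(subject_dn):
    """Return the CN of a subject DN string, or None if it has no CN."""
    match = _CN_RE.search(subject_dn)
    return match.group(1).strip() if match else None


def audit(usernames, subject_dns):
    """Compare directory usernames with the CNs of certificates on one CA."""
    cns, no_cn = set(), []
    for dn in subject_dns:
        cn = common_name(dn)
        if cn is None:
            no_cn.append(dn)
        else:
            cns.add(cn)
    by_lower = {cn.lower(): cn for cn in cns}
    report = {"ok": [], "case_mismatch": [], "missing_cert": [],
              "orphan_cert": [], "no_cn": no_cn}
    for user in sorted(set(usernames)):
        if user in cns:
            report["ok"].append(user)
        elif user.lower() in by_lower:
            # Same name, different case: an exact comparison would not match.
            report["case_mismatch"].append((user, by_lower[user.lower()]))
        else:
            report["missing_cert"].append(user)
    known = {user.lower() for user in usernames}
    report["orphan_cert"] = sorted(cn for cn in cns if cn.lower() not in known)
    return report


# Constructed sample data (not from the ticket).
USERS = ["jdoe", "asmith", "bwayne"]
SUBJECTS = ["/C=US/O=Example/CN=jdoe", "C=US, O=Example, CN=ASmith",
            "/C=US/O=Example/CN=old-laptop", "/C=US/O=Example"]

if __name__ == "__main__":
    for key, value in audit(USERS, SUBJECTS).items():
        print(f"{key}: {value}")
```

Certificates listed under `orphan_cert` are worth reviewing for revocation, since they belong to no current directory account.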

#4 Updated by Joseph Casale about 9 years ago

I plan on getting an important box updated to 2.0rc1 which requires secondary auth via LDAP with SSL/TLS. As I see Chris has set the target for 2.1, could you guys point me to the PHP file I would need to modify to bypass the check and I will hack away at making it work?


#5 Updated by Jim Pingle about 9 years ago

Most likely you're looking at /etc/ and /usr/local/www/vpn_openvpn_server.php - and if you want to fix up the export package to handle it, /usr/local/pkg/ and /usr/local/www/vpn_openvpn_export.php would need to be fixed to handle the case where the user isn't known, to just list certificates instead of users.

#6 Updated by Jim Pingle almost 9 years ago

  • Status changed from New to Feedback

I changed the code around a while back to allow this, didn't realize there was still a ticket hanging out for it. This should be working properly in the GUI and the exporter these days.

#7 Updated by Chris Buechler almost 9 years ago

  • Target version changed from 2.1 to 2.0

#8 Updated by Joseph Casale almost 9 years ago

Much appreciated!

#9 Updated by Chris Buechler almost 9 years ago

  • Status changed from Feedback to Resolved
