Allow other Backends for Remote Access ( SSL/TLS + User Auth )
Currently in 2.0 BETA5, only the local user db is allowed for use in a Remote Access ( SSL/TLS + User Auth ) template. Not sure why this limitation exists, but it obviously wouldn't be typical in any OpenVPN implementation outside of pfSense. Is this an oversight insofar as it is simply a GUI limitation, or can this and the 'client-cert-not-required' directive be lifted?
#1 Updated by Jim Pingle over 8 years ago
It's currently done that way because only with Local auth can you manage both the users and the certificates easily in the GUI.
With LDAP or RADIUS you could make the certificates in the GUI (or elsewhere) but they couldn't be automated or tied in any meaningful way to user accounts. You'd have to manually make certificates for each user you want to connect, and ensure that the common name of the certificate matches the username.
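The common name / username match that comment #1 says has to be ensured by hand can also be checked at login time. The following is an added example, not part of this thread or of pfSense code, assuming the script is wired in with OpenVPN's `auth-user-pass-verify <script> via-env` (which requires `script-security 3`); the allowed character set and the case-insensitive comparison are assumptions.

```shell
#!/bin/sh
# Added example (not pfSense code): body of an OpenVPN
# --auth-user-pass-verify hook, method via-env, that refuses a login
# unless the certificate CN and the supplied username agree.

# cn_matches_user CN USER: return 0 only if both name the same account.
cn_matches_user() {
    cn=$1
    user=$2
    # A missing value must never count as a match.
    [ -n "$cn" ] && [ -n "$user" ] || return 1
    # Assumption: account names use only these characters; anything else
    # (spaces, wildcards, control bytes) is rejected, not normalised.
    case "$cn$user" in
        *[!A-Za-z0-9._@-]*) return 1 ;;
    esac
    # Assumption: the directory treats login names case-insensitively.
    cn_l=$(printf '%s' "$cn" | tr '[:upper:]' '[:lower:]')
    user_l=$(printf '%s' "$user" | tr '[:upper:]' '[:lower:]')
    [ "$cn_l" = "$user_l" ]
}

# verify_from_env: OpenVPN exports the certificate CN as $common_name and,
# with via-env, the login name as $username. A real hook would end with
# "verify_from_env; exit $?" (exit 0 accepts, non-zero rejects).
verify_from_env() {
    cn_matches_user "${common_name:-}" "${username:-}"
}

# Constructed sample pairs (CN:username), not taken from any real system.
demo() {
    for pair in "jdoe:jdoe" "JDoe:jdoe" "jdoe:asmith" "jdoe:" "j doe:j doe"; do
        if cn_matches_user "${pair%%:*}" "${pair#*:}"; then
            echo "accept  $pair"
        else
            echo "reject  $pair"
        fi
    done
}
demo
```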
#3 Updated by Chris Buechler over 8 years ago
- Target version set to 2.1
We were really overthinking it; it can be as simple as forcing individual certificates to be created. It doesn't have to know about the users, or provide an easy way to create the certs by checking for users that actually exist. It could do that for LDAP in the future, show a list of users so you can easily bulk-create certs, but just showing a list of all certs on the appropriate CA would suffice for a quick fix.
#4 Updated by Joseph Casale about 8 years ago
I plan on getting an important box updated to 2.0rc1 which requires secondary auth via LDAP with SSL/TLS. As I see Chris has set the target for 2.1, could you guys point me to the PHP file I would need to modify to bypass the check and I will hack away at making it work?
#5 Updated by Jim Pingle about 8 years ago
Most likely you're looking at /etc/openvpn.inc and /usr/local/www/vpn_openvpn_server.php - and if you want to fix up the export package to handle it, /usr/local/pkg/openvpn-client-export.inc and /usr/local/www/vpn_openvpn_export.php would need to be fixed to handle the case where the user isn't known, to just list certificates instead of users.