OpenVPN URL Connect Instead of the Use of Config Files

Hello all!

So recently I set up OpenVPN from within pfSense with success, but I was a little annoyed that I was only able to get a successful connection with config files. This hasn’t been a huge deal as this was just for access to my home lab, but I got curious and wanted to know how to implement LDAP, with 2FA, all while being able to keep it simple. The main reason for this was that this would be similar to a business solution and would provide a good learning experience.

So my question now is, is it possible to have the client enter the URL vpn.domainname.com:1194 and connect without the use of a config file? I have set up my external DNS to have an A record point to my WAN IP, as well as going into VPN > OpenVPN > Client Export > Client Connection Behavior and setting the hostname resolution to vpn.domainname.com (with and without port number), but still have been unable to successfully connect. Am I missing something? I’m pretty sure years ago I got this to successfully work, but I wasn’t doing it through pfSense.

So my question now is, is it possible to have the client enter the URL vpn.domainname.com:1194 and connect without the use of a config file?

With the current code base, no, that is not really possible. You need a configuration file. And you also need a copy of the CA certificate locally to verify that the initial connection to the server is not to the server of anyone else.

What is possible though, which is what OpenVPN Access Server and OpenVPN Cloud enable, is to have an automated download of the profile. Those server sides provide an API which does some username/password/MFA authentication and returns a configuration profile on successful authentication. But you need to use a client supporting this. Currently OpenVPN Connect, OpenVPN GUI (OpenVPN 2.x on Windows), OpenVPN for Android and OpenVPN 3 Linux implement the client side support for this.

The Access Server protocol is actually quite straightforward. The documentation could probably be clearer, but here are a few pointers for that:

GitHub - threerings/openvpn-auth-ldap: Implements username/password authentication via LDAP for OpenVPN 2.x.
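The reply above explains why the client cannot work from a bare URL: the profile must carry the CA certificate, and that is what lets the client verify the server it reaches. As an added example (not code from this thread or from the OpenVPN project), the following Python script parses an OpenVPN client profile, including inline <ca> blocks, and reports what is missing for server verification; the sample profile and its certificate body are constructed placeholders, with the hostname taken from the thread.

```python
import re
def parse_profile(text):
    """Split an OpenVPN profile into directives and <tag>...</tag> inline blocks."""
    directives, inline = {}, {}          # directive -> list of arg lists; block name -> body
    lines = iter(text.splitlines())
    for raw in lines:
        line = raw.strip()
        if not line or line[0] in "#;":  # OpenVPN comment lines
            continue
        m = re.fullmatch(r"<([a-z0-9-]+)>", line)
        if m:                            # inline block, e.g. <ca> ... </ca>
            name, body = m.group(1), []
            for inner in lines:
                if inner.strip() == f"</{name}>":
                    break
                body.append(inner)
            else:
                raise ValueError(f"unterminated <{name}> block")
            inline[name] = "\n".join(body)
            continue
        parts = line.split()
        directives.setdefault(parts[0], []).append(parts[1:])
    return directives, inline

def check_profile(directives, inline):
    """Findings that would leave the client unable to tell the real server from an impostor."""
    findings = []
    if "remote" not in directives:
        findings.append("no 'remote' directive: nothing to connect to")
    if "ca" not in inline and "ca" not in directives:
        findings.append("no CA certificate: the server certificate cannot be verified")
    if directives.get("remote-cert-tls") != [["server"]]:
        findings.append("no 'remote-cert-tls server': any certificate from the CA would be accepted as the server")
    return findings

# Constructed sample profile (hostname taken from the thread); the certificate body is a placeholder.
SAMPLE_PROFILE = """\
client
remote vpn.domainname.com 1194
remote-cert-tls server
<ca>
-----BEGIN CERTIFICATE-----
PLACEHOLDER-NOT-A-REAL-CERTIFICATE
-----END CERTIFICATE-----
</ca>
"""

if __name__ == "__main__":
    d, i = parse_profile(SAMPLE_PROFILE)
    print(d["remote"], check_profile(d, i) or "profile carries what the client needs")
```

Running it on a profile that has only a `remote` line, which is all a URL-style connection would provide, reports both the missing CA and the missing `remote-cert-tls server` check.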

2FA with Google Authenticator, for example, is possible with FreeRADIUS… I set it up that way in my company. Employees have to authenticate with a PIN and an OTP generated by the Google Authenticator on their mobile phone. Just Google “pfSense OpenVPN Google Authenticator”.

Thank you so much for the response! This is exactly what I needed to know. I had actually just begun looking into Access Server and Cloud, but I couldn’t really come up with a solid answer on whether I needed to make the move over.