Set up Free Radius on PfSense with two factor authentication for OpenVPN

Captions
Hi, Robert here. In this video I'll go through how to set up FreeRADIUS on pfSense for the purposes of using two-factor authentication on OpenVPN. If you haven't already set up OpenVPN on your pfSense box, please take a look at my previous video in the link above. So if you're ready, let's get started.

First of all, we need to log into the pfSense web interface and then go to System and Package Manager. Click on Available Packages, and in the search term enter "free radius" and then click the blue Search button. Under Packages, make sure you're seeing FreeRADIUS 3. Over on the right-hand side click the green Install button, and over on the left-hand side click the green Confirm button. This will now install all of the modules that are required for FreeRADIUS to work. When FreeRADIUS has installed, it's just a basic installation with no configuration whatsoever.

Next we need to go to Services, FreeRADIUS and Interfaces. Go over to the green Add button and click. All items on this page can stay the same; we just need to give it a description, so we'll call this "authentication port". The default port for the authentication port is 1812. Click Save and then go back to Add and click on that again. The only items we need to change this time are the port, which we change from 1812 to 1813, the interface type, from Authentication to Accounting, and the description, which we'll call "accounting port". Click Save.

Next we need to go to NAS/Clients. Go over to the green button and click Add. For the IP address enter 127.0.0.1. The client short name we'll just call "freeradius". The client shared secret can be anything you want, but you will need to remember it because you will need it in the next step. Next, scroll to the bottom of the page and click Save.

Next go to System, User Manager and Authentication Servers. Click on Add. For the descriptive name we'll call it "auth server". Change Type from LDAP to RADIUS. Protocol stays at MS-CHAPv2. For the hostname or IP address we enter 127.0.0.1, and the shared secret is whatever you entered in the previous step. Services offered is Authentication and Accounting, with the two ports that we set up in the previous step, which are the authentication port on 1812 and the accounting port on 1813. Then go down to RADIUS NAS IP Attribute, change that to the LAN IP address, and then click Save.

Next go to Services and FreeRADIUS, click on Users and then the green Add button. Now set up a user account. We'll just call this one test1, and the password we'll also call test1, just for this. Nothing else is required, so go down to the bottom and click Save. Then we'll add another account, so click on the Add button again and create another account. We'll call this test2, with password test2. Again, nothing else needs to be entered on the rest of this page, so go down to the bottom and click Save.

Now we need to test that those accounts work OK, so go to Diagnostics, Authentication. On the authentication server, change it from Local Database to auth server, then type in the username, so it's test1, and the password, which was also test1, and click Test. So: "User test1 authenticated successfully. The user is a member of groups". We'll do the same for test2 and the password test2, and test. It's exactly the same again, so we know that both of these accounts work.

Next go to VPN, OpenVPN, click on Edit, and under Servers change Server Mode from Remote Access (SSL/TLS + User Auth) to Remote Access (User Auth), and change the backend for authentication from Local Database to auth server. Then scroll to the bottom of the page and click Save.

Next go to Client Export and scroll to the bottom, and here you will see the OpenVPN clients. The first one that we're going to do is for Android, so click over here on OpenVPN Connect (iOS/Android) and download that configuration file. We then load this configuration file onto an Android phone and set up the VPN connection.

Before we do the installation on the Android phone, just a couple of items to note. First of all, in this test network the WAN IP address is a Class C address, 192.168.10.237. The second thing that you're going to need to do is to copy over the OpenVPN configuration file to your Android phone. This can be done either by using a USB cable and connecting the phone to the PC, or just emailing the file to yourself.

Next go on to your Android device and go to the Google Play Store. In the search box search for "openvpn" and then install OpenVPN Connect. Once installed, click Open, read through the OpenVPN data collection, use and retention policy and click Agree. Then go over to the File tab. Where it says "Allow OpenVPN Connect to access photos, media and files on your device", click Allow, and then go to the directory where you downloaded the .ovpn file, which is normally going to be the Download directory. Click on that, highlight the .ovpn file and click Import. For the profile name you can name that anything you want; I'm just going to leave it as it is at its default for now. Enter your username, which we called test1, and then click Add in the top right-hand side.

Once that's done, click on the slider to connect to the VPN, enter your password, which was test1 for this example, and click OK. You'll then get a message that comes up saying "Connection request: OpenVPN wants to set up a VPN connection that allows it to monitor network traffic. Only accept if you trust this source. A key icon appears at the top of the screen when VPN is active." It then says Cancel or OK, so click on OK and this will establish the VPN connection. After a few seconds this will then show up on the pfSense web interface.

That's the first part of this VPN setup with RADIUS done, so I'm now going to click on the slider to disconnect the VPN connection. The first time you do this it will say "Disconnect VPN: do you wish to disconnect from" and your IP address. I'm going to click on "Don't show again" and then click OK. Again, after a few seconds the VPN connection on the pfSense interface will disappear, and that's it disconnected.

Now that we've confirmed that OpenVPN authenticates OK with the RADIUS server, we're going to set up two-factor authentication. To do that, on the main page of pfSense go to System, User Manager and then over to Authentication Servers. Edit the auth server and change the protocol from MS-CHAPv2 to PAP. Go down to the bottom of the page and click on Save.

Next go to Services, down to FreeRADIUS, and then go to Settings. Scroll down to the bottom of the page and click on Mobile One-Time Password. For the OTP lifetime, if it's not already showing, enter 2, and set the number of invalid password attempts at 5. Go to the bottom of the page and click on Save.

Next click on Users and then edit the user. Remove the password, check the One-Time Password box, and change the OTP auth method from mOTP to Google Authenticator. Click the button for Generate OTP Secret and enter a PIN number; for this demonstration we'll just use 1234. Scroll down and click on Generate QR Code.

Now, on another phone that isn't the one with OpenVPN installed on it, go to the Google Play Store, search for Google Authenticator and click Install. Once installed, click Open, click Get Started and then click Scan a QR Code. The first time you use this you'll get a message that comes up saying "Allow Authenticator to take pictures and record video", so click Allow, then point the camera at the pfSense interface for the QR code and scan that QR code. Once that's done, click Add Account, and then scroll down to the bottom of the page and click Save.

Next go to the pfSense homepage, and then on the phone with OpenVPN Connect installed, launch it. Click the slider to connect to the VPN, and for the password we enter the PIN number that we set, which was 1234, and the one-time password, which in this case is 781636, and then click OK. Once this is connected, the connection will show in the pfSense interface. To disconnect, just tap on the connection slider, and again after a few seconds the connection will disappear in the pfSense interface.

That completes the installation and configuration of FreeRADIUS two-factor authentication for OpenVPN. If you found this video helpful, please give it a thumbs up, subscribe and click the bell icon to receive notifications when I upload new content. Until next time, thanks for watching.
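An added example, not part of the video or of the pfSense FreeRADIUS package: a sketch of the check a RADIUS back end has to make on the password typed in the last step, the PIN followed by the six-digit authenticator code. It needs the cleartext password to split the two parts, which PAP delivers to the server and MS-CHAPv2 does not. The 30-second step, SHA-1, the one-step clock-drift window and the function names are assumptions; the secret is the RFC 6238 test key, not a real one.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed sample secret: the RFC 6238 test key, base32-encoded as in a QR code.
SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()


def totp(secret_b32, at, step=30, digits=6):
    """RFC 6238 TOTP with HMAC-SHA1 (assumed authenticator defaults)."""
    key = base64.b32decode(secret_b32.upper())
    counter = struct.pack(">Q", max(0, int(at)) // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_pin_otp(password, pin, secret_b32, at=None,
                   drift_steps=1, step=30, digits=6):
    """Check a cleartext password of the form <PIN><OTP>.

    drift_steps is how many time steps either side of 'at' are accepted
    (an assumed tolerance for clock skew between phone and server).
    """
    at = time.time() if at is None else at
    if len(password) != len(pin) + digits:
        return False
    got_pin, got_otp = password[:len(pin)], password[len(pin):]
    # Constant-time comparisons; evaluate both parts before combining them.
    pin_ok = hmac.compare_digest(got_pin.encode(), pin.encode())
    otp_ok = False
    for k in range(-drift_steps, drift_steps + 1):
        expected = totp(secret_b32, at + k * step, step, digits)
        otp_ok |= hmac.compare_digest(got_otp.encode(), expected.encode())
    return pin_ok and otp_ok


if __name__ == "__main__":
    now = 59  # constructed timestamp from the RFC 6238 test vectors
    typed = "1234" + totp(SECRET_B32, now)
    print(typed, verify_pin_otp(typed, "1234", SECRET_B32, at=now))
```

A wider drift window tolerates more clock skew but also lengthens the time a captured code stays valid.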
Info
Channel: Robert Sloan
Views: 1,564
Keywords: PfSense, PfSense 2.5, PfSense 2.5.1, OpenVPN, PfSense OpenVPN, VPN, PfSense VPN setup, PfSense VPN Configuration, PfSense VPN Connection, pfsense openvpn configuration step by step, Configure openvpn, FreeRadius, FreeRadius3, 2FA, Two Factor Authentication, MFA, Multi-Factor Authentication, Google Authenticator, Free Radius, Free Radius Setup, Free Radius 2FA, Free Radius Config, Free Radius Setup Guide, FreeRadius Setup, FreeRadius Config
Id: a1F03UY1xKg
Length: 15min 1sec (901 seconds)
Published: Thu Jul 22 2021