Duo integration on pfSense OpenVPN configuration


#1

Looking to integrate Duo onto my OpenVPN instance that sits within my pfSense router appliance but I’m hitting a bit of a roadblock in regards to my configuration and what Duo has documented. From what I can gather, the documentation Duo has created is for standalone OpenVPN server setups that are possibly Debian based. Since my setup is packaged with pfSense (FreeBSD), the directories are different than what is documented. I’m even noticing that the first step is causing an issue as “make && sudo make install” throws out errors (tried gmake and experienced the same errors). I’m wondering if anyone in this community has experienced this and what workaround or documents you referred to? My pfSense 2.3.2 router is built on FreeBSD 10.3-RELEASE-p5 and my OpenVPN setup works perfectly fine authenticating locally to FreeRADIUS2 using SSL/TLS+User Auth. All of this is handled within pfSense; there are no other servers or instances that I’m running within my environment. I’m just looking to test out Duo with this setup to incorporate 2FA and appreciate any help I can receive around this.

Thanks!


#2

I think you need to install a full-blown copy of FreeBSD 10.3 (on a VM, say) and build the plugin there, and then copy it over to pfSense. Likely pf doesn’t include all the necessary development libraries - just a guess, but a reasonable one. Plus which, you really don’t want to have a full dev environment on your production firewall.

Your other option is to use the DuoProxy (RADIUS) and create a new auth source within pf, and then point OpenVPN to that RADIUS link as an auth source. That seemingly works pretty well (have tried it). You can have DuoProxy then pass on to FreeRADIUS2 for the user auth, and do the 2FA with Duo.

Could also try the pf forums, might be something in there. https://forum.pfsense.org/index.php?topic=95210.0


#3

I know. OLD topic. But if you are using FreeRADIUS, you should be able to use the Duo Proxy to sit between pfSense and your FreeRADIUS server (unless you’re using FreeRADIUS in pfSense too). I’ve accomplished the same thing with pfSense, OpenVPN and Windows AD.
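
The proxy chain described in #2 and #3 (pfSense OpenVPN -> Duo Authentication Proxy -> FreeRADIUS), sketched as an `authproxy.cfg`. This is an added example, not part of any post in this thread and not taken from a working setup: every address, secret and key below is a placeholder, and it assumes the proxy runs on its own host rather than on the pfSense box.

```ini
; authproxy.cfg on the Duo Authentication Proxy host (added example).
; All values are placeholders; substitute your own.

; Upstream primary authentication: the existing FreeRADIUS server.
[radius_client]
; Address of the FreeRADIUS server (placeholder from the documentation range)
host=192.0.2.10
; Shared secret the proxy uses toward FreeRADIUS; the proxy must also be
; defined as a NAS/client on the FreeRADIUS side with this same secret.
secret=PLACEHOLDER_FREERADIUS_SECRET

; Listener that pfSense points at as a new RADIUS authentication server.
[radius_server_auto]
; Integration key, secret key and API hostname from the Duo admin panel
ikey=PLACEHOLDER_IKEY
skey=PLACEHOLDER_SKEY
api_host=api-XXXXXXXX.duosecurity.com
; pfSense address allowed to send requests, and the secret it uses.
; Use a secret different from the FreeRADIUS one above.
radius_ip_1=192.0.2.1
radius_secret_1=PLACEHOLDER_PFSENSE_SECRET
; Hand primary (password) authentication to the [radius_client] section
client=radius_client
port=1812
; safe   = if Duo's service is unreachable, allow users who passed primary auth
; secure = if Duo's service is unreachable, deny
; Pick deliberately: "safe" means an outage downgrades the VPN to one factor.
failmode=secure
```

On the pfSense side, the proxy is added as a RADIUS authentication server and selected as the OpenVPN server's backend; the RADIUS timeout there needs to be long enough for the user to answer the second-factor prompt.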