
Duo integration on pfSense OpenVPN configuration

PlowHouse
Level 1

Looking to integrate Duo onto my OpenVPN instance that sits within my pfSense router appliance, but I’m hitting a bit of a roadblock in regards to my configuration and what Duo has documented. From what I can gather, the documentation Duo has created is for standalone OpenVPN server setups that are possibly Debian based. Since my setup is packaged with pfSense (FreeBSD), the directories are different than what is documented. I’m even noticing that the first step is causing an issue, as “make && sudo make install” throws out errors (tried gmake and experienced the same errors). I’m wondering if anyone in this community has experienced this and what workaround or documents you referred to? My pfSense 2.3.2 router is built on FreeBSD 10.3-RELEASE-p5 and my OpenVPN setup works perfectly fine authenticating locally to FreeRADIUS2 using SSL/TLS+User Auth. All of this is handled within pfSense; there are no other servers or instances that I’m running within my environment. I’m just looking to test out Duo with this setup to incorporate 2FA and appreciate any help I can receive around this.

Thanks!

6 Replies

Good to know you have succeeded in implementation. We're interested in implementing a similar solution within our organization. If you have any documentation available that you could share, it would be greatly appreciated and helpful for our process.

gnyce
Level 1

I think you need to install a full-blown copy of FreeBSD 10.3 (on a VM, say) and build the plugin there, and then copy over to pfsense. Likely pf doesn’t include all the necessary development libraries - just a guess, but a reasonable one. Plus which, you really don’t want to have a full dev environment on your production firewall.

Your other option is to use the DuoProxy (RADIUS) and create a new auth source within pf, and then point openvpn to that radius link as an auth source. That seemingly works pretty well (have tried it). You can have DuoProxy then pass on to FreeRadius2 for the user auth, and do the 2FA with Duo.

Could also try the pf forums, might be something in there. https://forum.pfsense.org/index.php?topic=95210.0
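
The RADIUS chain described in the reply above (pfSense OpenVPN -> Duo Authentication Proxy -> FreeRADIUS2), as an added example that is not part of the original post or of Duo's documentation: a minimal `authproxy.cfg`, assuming the proxy runs on its own host and FreeRADIUS2 is the pfSense package. Every address, secret and key shown is a placeholder.

```ini
; authproxy.cfg for the Duo Authentication Proxy, running on a separate host
; rather than on the firewall itself.
; Constructed example: 192.0.2.1 stands in for the pfSense address, and every
; value in <angle brackets> is a placeholder to be replaced.

[radius_client]
; Primary (first-factor) authentication: the existing FreeRADIUS2 service.
; Assumption: FreeRADIUS2 is the pfSense package, so it shares the firewall's
; address. The proxy host must be defined as a client/NAS in FreeRADIUS2
; with this same secret.
host=192.0.2.1
port=1812
secret=<secret-shared-with-freeradius>

[radius_server_auto]
; Integration key, secret key and API hostname come from the RADIUS
; application entry in the Duo Admin Panel.
ikey=<integration-key>
skey=<secret-key>
api_host=<api-hostname>

; Accept RADIUS requests only from pfSense; requests from any other source
; address are ignored.
radius_ip_1=192.0.2.1
radius_secret_1=<secret-shared-with-pfsense>

; Send the username/password to the [radius_client] section above before
; asking Duo for the second factor.
client=radius_client
port=1812

; failmode=safe   : if Duo's service is unreachable, a login succeeds on the
;                   FreeRADIUS2 password alone (2FA is silently skipped).
; failmode=secure : if Duo's service is unreachable, the login is rejected.
failmode=secure
```

On the pfSense side the proxy is then added as a RADIUS authentication server and selected as the OpenVPN server's authentication backend. The RADIUS timeout configured there has to be long enough for a user to approve a push, or logins fail before the second factor completes.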

budviser37
Level 1

I know. OLD topic. But if you are using FreeRADIUS, you should be able to use the Duo Proxy to sit between pfSense and your FreeRADIUS server (unless you're using FreeRADIUS in pfSense too). I’ve accomplished the same thing with pfSense, OpenVPN and Windows AD.

ITEM93
Level 1

Just hoping to follow up on this to see if there has been any development on the Duo>pfSense integration?

Hi @ITEM93, currently there has not been any development on this request for OpenVPN support for pfSense. Your best bet for now is to protect pfSense using our generic RADIUS integration with the Duo Authentication Proxy as someone else stated earlier in this thread. You can also add your name to the existing feature request if you’d like by contacting Duo Support, or your Customer Success Manager or Account Executive if you have one. This can help add weight to the argument for implementing that feature in the future.

Hi @Amy,

Thanks so much for the update!
I did find another article that showed how to use the generic RADIUS setup (DUO - Setting up Multi-Factor Authentication for OpenVPN on pfSense - Rocky Mountain Tech Team)

I’ll certainly reach out to our MSP account rep to add support for more pfSense development.
