VPN Configuration Guide

Follow one of these procedures depending on your VPN equipment.

Configure PfSense as VPN terminator

Follow these steps to integrate your PfSense server with PacketFence Gateway.
You can implement this configuration for the following use cases:

  • VPN server configured as a Radius client only
  1. To configure your PfSense server, log in to your PfSense console using your administrator credentials.

  2. In the PfSense navigation menu, VPN > OpenVPN.

  3. On the OpenVPN page, Select the Wizard tab.

  4. On the OpenVPN Remote Access Server Setup page, in Type of Server select Radius, and click Next.

  5. On the Radius Server Selection page, click Add new Radius Server.

  6. On the Add Radius Server page, go to Radius Authentication Server Parameters and configure these settings:
    a. In Name, enter the Radius server name.
    b. In Hostname or IP Address, enter the PacketFence IP address.
    c. In Authentication Port, enter 1815.
    d. In Shared Secret, enter the same secret that you entered when registering your OpenVPN with PacketFence.
    e. Click Add new Server.

  7. On the Certificate Authority Selection page, click Add new CA.

  8. On the Add Certificate Authority page, navigate to Create a New Certificate Authority (CA) Certificate and configure these settings:
    a. In Descriptive name, enter your CA name.
    b. Configure your CA localization data: Country Code in ISO format, State or Province, City, and Organization.
    c. Click Create new CA.

  9. On the Server Setup page, configure these settings:
    a. In Interface, select WAN.
    b. Scroll down to Tunnel Settings, and in Tunnel Network, enter the private IP address that you want to use for the PfSense and Client PC communication.
    d. In Local Network, enter your IP address and click Next.

  10. On the Firewall Rule Configuration page, enable Firewall rule and OpenVPN rule.

  11. Click Next and Finish.

  12. To enter the Radius server attribute meeting the PacketFence configuration, configure these settings:
    a. In the PfSense navigation menu, select System > User Manager.
    b. On the Users page, click the Authentication Servers tab.
    c. In the Authentication Servers tab, navigate to the PacketFence server configuration and click the Edit (pencil) icon.
    d. On the PacketFence server configuration page, scroll down to the bottom of the page and in Radius NAS IP Attribute, select LAN.
    e. Click Save.

  13. To download and install OpenVPN client software, follow these steps:
    a. Download OpenVPN client and install it to your PC.
    b. Login to the PfSense server console.
    c. In the navigation menu, select System > Package Manager > Available Packages.
    d. Use the search box to find the openvpn-client-export package and install it.
    e. In the navigation menu, select VPN > OpenVPN.
    f. In the provided menu, select Client Export.
    g. Scroll down to OpenVPN Clients and download Viscosity Inline Config.
    h. Send the file to your PC using Google drive or private email.
    i. Start OpenVPN connect and import the file.

Configure F5 Big-IP Access Policy Manager (APM)

This procedure provides you with the configuration steps to enable an external logon page for your F5 Big-IP APM. You can implement this configuration for the following use cases:

  • VPN server configured as a Radius client only
  • VPN server configured as a Radius client only that supports sending the passcode via Radius
  • VPN server that allows the user’s interaction with the VPN client
  • VPN server that supports an external login page and/or can use the PacketFence captive portal
  1. Log in to the F5 BIG-IP management console.

  2. In the navigation menu, select Access > Profiles/Policies > Access Profile (Per-Session Policies), and click Edit link.

  3. In Access policy, insert External Logon Page and add External Logon Server URI of the PacketFence Gateway, and click Save.
    For example enter the following login page: http://<Gateway ip address>/F5?id=%{session.logon.last.username.
    With this setting, the VPN server redirects the user to the external logon page, for example, the PacketFence captive portal. In the captive portal login screen, the user is prompted for their username and password.

  4. To add your Radius server, in the navigation menu, select Authentication >
    Radius > Access Profile, and enter VPN server settings such as the IP address and Secret of the Radius server.

    With this configuration, you can validate the session between the PacketFence server and the APM to check if the user has authenticated with MFA instead of bypassing the secondary authentication.

  5. Click Apply Access Policy.

You’ve just configured your F5 BIG-IP VPN server to display an external logon page where the user authenticates using their corporate credentials.

Now, you can test your setup.

Did this page help you?