Overview

Below is a step-by-step guide to adding 2FA to OpenVPN (specifically the OpenVPN implementation that comes bundled with pfSense). This setup has been slightly modified from an internal SOP.

Assumptions

This guide assumes the following:

  • You have a domain controller or server that will act as your RADIUS (NPS) server running Windows Server.

  • Your users are synchronized to Entra ID via Entra Connect.

  • You have Global Administrator credentials and know your tenant ID.

  • Your VPN implementation supports RADIUS.

Step 1 - Installing/configuring NPS

  • On your domain controller or dedicated RADIUS host, open Server Manager -> Add Roles and Features.

  • Under Network Policy and Access Services, install Network Policy Server (NPS).

  • Once installed, open NPS.msc.

  • Register NPS in Active Directory by right-clicking NPS (Local) -> Register server in Active Directory -> confirm.

This allows NPS to query AD for user authentication.

Step 2 - Add Your VPN as a RADIUS Client

  • In the NPS console -> RADIUS Clients and Servers -> RADIUS Clients
  • Add a new client:
    • Friendly name: whatever you want.
    • Address: local IP address of your VPN appliance.
    • Shared secret: create a secret and record it; you’ll need it to configure RADIUS on the VPN later.
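The same client registration can be scripted on the NPS host. The block below is an added example, not part of the original guide; it uses the NPS PowerShell module that ships with the role (New-NpsRadiusClient / Get-NpsRadiusClient) and treats the client name and the address 192.0.2.10 as constructed placeholders for your own pfSense LAN address. It also generates the shared secret with a CSPRNG instead of typing one, since a short or guessable secret lets anyone on the LAN spoof the RADIUS client.

```powershell
# Added example (not from the original guide): register the VPN appliance as an NPS
# RADIUS client from PowerShell. Run as Administrator on the NPS server.
Import-Module NPS

$clientName = "pfSense-OpenVPN"   # friendly name; any label you like
$clientIp   = "192.0.2.10"        # constructed placeholder: LAN address of the VPN appliance

# 32 random bytes, rendered as 64 hex characters: long, unguessable and free of
# special characters that some appliances reject in a RADIUS secret.
$bytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$sharedSecret = ($bytes | ForEach-Object { $_.ToString("x2") }) -join ""

if (Get-NpsRadiusClient | Where-Object Name -eq $clientName) {
    Write-Warning "RADIUS client '$clientName' already exists; not recreating it."
} else {
    New-NpsRadiusClient -Name $clientName -Address $clientIp -SharedSecret $sharedSecret | Out-Null
    Write-Host "Created RADIUS client '$clientName' for $clientIp"
    # Record this now; pfSense needs the same value in Step 5 and NPS will not show it again.
    Write-Host "Shared secret (store it in your password manager): $sharedSecret"
}

# Confirm the client is present and enabled before moving on to the network policy.
Get-NpsRadiusClient | Where-Object Name -eq $clientName | Format-List Name, Address, Enabled
```

The existence check keeps the script idempotent, so re-running it after a failed attempt will not silently rotate the secret out from under a pfSense configuration that already has the old one.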

Step 3 - Create a Network Policy for VPN Authentication

  • Under Policies -> Network Policies -> create a new one:
    • Conditions: select the AD group that will be allowed to authenticate to the VPN.
    • Constraints: typically just selecting MS-CHAPv2 as the authentication method.
    • Access Permission: Grant Access.

Step 4 - Install and Configure NPS Extension for Azure MFA

  • Download the extension from Microsoft here.
  • Install it on your NPS server.
  • After install, run PowerShell as an Administrator:
      cd "C:\Program Files\Microsoft\AzureMfa\Config"
      .\AzureMfaNpsExtnConfigSetup.ps1
    • Sign in with Azure AD Global Administrator credentials when prompted.
    • Input your tenant ID.
    • This registers the NPS server in Azure AD and creates an app registration used for MFA calls.
  • Restart the NPS service:
      net stop ias
      net start ias

At this point you should be able to use Entra ID MFA for any system that supports RADIUS authentication. My goal happens to be protecting a VPN, so the next step focuses on pfSense.

Step 5 - Configure pfSense

  • System -> User Authentication -> Authentication Servers
  • Set the authentication type to RADIUS and fill out the rest of the information for your RADIUS server, including the Shared Secret from earlier.
  • For Services, Authentication is fine.
  • I suggest at least 30 seconds for the Authentication Timeout, and sometimes 60 seconds, to give users time to approve MFA requests.
  • To test, navigate in pfSense to Diagnostics -> Authentication and enter AD credentials; assuming you’re using Microsoft Authenticator, it should prompt you to approve the sign-in.

Step 6 (Optional) - Configure Timeouts and Force MFA Prompts

After you set up your OpenVPN instance to authenticate against this RADIUS server, I suggest manually setting the reneg-sec value in the .ovpn file to avoid annoying MFA re-prompting during long hours of VPN usage. Simply adding reneg-sec 43200 sets renegotiation to 12 hours. This is a good timeframe for users who work from home and only want to authenticate once a day, but your risk tolerance may be lower. Whatever timeout you decide on, also add it to the Advanced Server options of the pfSense OpenVPN server to avoid server/client configuration conflicts.

In order to force the Approve/Deny user flow for MS Authenticator, add the registry entry OVERRIDE_NUMBER_MATCHING_WITH_OTP with the value FALSE in the key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AzureMfa".
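The registry change above can be applied and verified from PowerShell rather than regedit, which also makes it easy to put in the same build script as Step 4. This is an added example and not from the original guide; the key path and value name are the ones stated above, while the assumption that the value is a REG_SZ string (matching the other TRUE/FALSE settings the extension installer writes) is mine.

```powershell
# Added example (not from the original guide): set the NPS extension value that forces the
# Approve/Deny push flow, check it, then restart NPS so the extension reloads its settings.
# Run as Administrator on the NPS server.
$keyPath   = "HKLM:\SOFTWARE\Microsoft\AzureMfa"
$valueName = "OVERRIDE_NUMBER_MATCHING_WITH_OTP"

# The key is created by the extension installer; if it is missing, Step 4 was not completed here.
if (-not (Test-Path $keyPath)) {
    throw "Key $keyPath not found: is the NPS Extension for Azure MFA installed on this host?"
}

# -Force creates the value if absent and overwrites it if present.
# REG_SZ "FALSE" is an assumption based on the extension's other string settings.
New-ItemProperty -Path $keyPath -Name $valueName -Value "FALSE" -PropertyType String -Force | Out-Null

# Read it back before restarting anything, so a typo does not go unnoticed until users complain.
$current = (Get-ItemProperty -Path $keyPath -Name $valueName).$valueName
if ($current -ne "FALSE") {
    throw "Unexpected value '$current' for $valueName"
}

# The extension reads its registry settings at service start; the NPS service name is IAS,
# matching the net stop/net start commands in Step 4.
Restart-Service -Name IAS
Get-Service -Name IAS | Select-Object Name, Status
```

Because Restart-Service briefly takes NPS down, VPN logins in flight during that second or two will fail; run it in a maintenance window or when no one is connecting.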

Final Notes

Below I’ll link further reading and some links that I used to troubleshoot and build this guide, some of which may no longer be relevant, or may be relevant to only a few of you. Good luck!

https://learn.microsoft.com/en-us/entra/identity/authentication/howto-mfa-nps-extension

https://learn.microsoft.com/en-us/answers/questions/1281199/nps-extension-for-azure-mfa-failing-to-generate-mf

https://learn.microsoft.com/en-us/entra/identity/authentication/howto-mfa-nps-extension-vpn