Important

Netgate is offering COVID-19 aid for pfSense software users, learn more.

Adding OpenVPN Remote Access Users

At this point the VPN server is configured but there may not be any clients which can connect. The method for adding users to the VPN will depend upon the authentication method chosen when creating the OpenVPN server.

See also

More details on adding users can be found in User Management and Authentication. More information on managing user certificates can be found in User Certificates.

Local Users

To add a user that can connect to OpenVPN, they must be added to the User Manager as follows:

  • Navigate to System > User Manager

  • Click fa-plus Add to create a new user

  • Enter a Username, Password, and password confirmation

  • Fill in Full Name (optional)

  • Check Click to create a user certificate, which will open the certificate options panel

  • Enter the user’s name or some other pertinent information into the Descriptive Name field

  • Choose the same Certificate Authority used on the OpenVPN server

  • Choose a Key Length (may be left at the default)

  • Enter a Lifetime (may be left at the default)

  • Click Save

To view or change the user:

  • Navigate to System > User Manager

  • Click fa-pencil next to the row containing the user to see/edit

To export a user’s certificate and key:

Note

This part may be skipped if using the OpenVPN Client Export Package, described in OpenVPN Client Export Package. The client export package is a much easier way to download client configurations and installation files.

  • Navigate to System > Cert Manager on the Certificates tab

  • Locate the user certificate in the list

  • Click fa-certificate to download the user certificates

  • Click fa-key to download the key for the certificate

  • Click fa-archive to download a PKCS#12 bundle which includes the user certificate and key, and the CA Certificate (optional).

In most cases, the CA Certificate should also be downloaded with the user certificate. This can be done from its entry on System > Cert Manager, CAs tab, or by using the PKCS#12 bundle mentioned previously.

LDAP or RADIUS Users

Adding LDAP and RADIUS users will fully depend on the server implementation and management tools, which are beyond the scope of this documentation. Contact the server administrator or software vendor for assistance. Certificates for LDAP or RADIUS users cannot be created from within the firewall’s web interface in a way that reflects a user-certificate relationship. However, it is possible to create the certificates on their own using the certificate manager as described in User Certificates