Hi all,
Created an IPsec IKEv2 EAP-MSCHAPv2 VPN and I can connect to it via my mobile and a Windows 10 client, no problem.
Obviously I need to install the CA on the client, which is fine, but what about if the user is a standard user on Windows 10 and can't install the CA because he's a standard user, not admin?
How can this be done please?
Thanks,
Rob
Any help in this please.
As when I install the CA as a standard user in "Trusted Root CAs" it's saved, but when I then log in to my IPsec server it doesn't connect, just gives me the error:
IKE authentication credentials are unacceptable
It works when I install the CA as admin though.
Any help would be much appreciated.
I import the CA certificate with a PowerShell script that I run as administrator with extended rights.
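An elevated import script along the lines atom describes, added here as an example (it is not atom's own script); the CA file path is a placeholder, and it targets the machine store because that is the store the Windows IKEv2 client validates against, which is why the per-user import above failed:

```powershell
# Added example, not the script atom runs. Assumes the OPNsense CA was exported
# to the placeholder path below (DER or Base64 .crt both load into X509Certificate2).
param([string]$CaPath = 'C:\vpn\opnsense-ca.crt')

# Windows validates the IKEv2 server certificate inside the IKEEXT/RasMan services,
# which run as SYSTEM and consult Cert:\LocalMachine\Root. A CA placed in
# Cert:\CurrentUser\Root (all a standard user can write) is invisible to them, which
# produces the "IKE authentication credentials are unacceptable" error seen above.
$StorePath = 'Cert:\LocalMachine\Root'

$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal $identity
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw "Writing to $StorePath requires an elevated session; re-run as administrator."
}

$ca = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CaPath

# Only a self-signed certificate marked as a CA belongs in Root. Refusing anything else
# keeps a mistaken server-cert import (which does not help anyway) out of the root store.
$basic = $ca.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
if ($ca.Subject -ne $ca.Issuer -or -not $basic -or -not $basic.CertificateAuthority) {
    throw "$CaPath is not a self-signed CA certificate; import the CA, not the server cert."
}

$existing = Get-ChildItem $StorePath | Where-Object Thumbprint -eq $ca.Thumbprint
if ($existing) {
    Write-Host "CA '$($ca.Subject)' is already trusted machine-wide (thumbprint $($ca.Thumbprint))."
    return
}

Import-Certificate -FilePath $CaPath -CertStoreLocation $StorePath | Out-Null

# Confirm the import landed in the machine store, not just the current user's view.
$check = Get-ChildItem $StorePath | Where-Object Thumbprint -eq $ca.Thumbprint
if (-not $check) {
    throw "Import reported success but $($ca.Thumbprint) is not present in $StorePath."
}
Write-Host "Imported CA '$($ca.Subject)' into $StorePath; IKEv2 clients on this machine can now validate the server certificate."
```

Once the CA is in the machine store, every account on the PC, standard users included, can use the VPN connection.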
Cool.
Thing is, these are work PCs and they don't have admin rights to install the CA.
It is not possible to change the certificate store as a normal user by design - for security reasons.
https://docs.microsoft.com/en-us/windows-hardware/drivers/install/trusted-root-certification-authorities-certificate-store
What about importing the server cert as a normal user instead of the CA, will that work?
No, that will not work.
Have you already tried to provide the OPNsense with an ACME certificate and use that for authentication?
The CA certificates from Let's Encrypt should already be in the cert store.
ATM I'm creating the cert, both CA and server cert, using the OPNsense create self-signed cert method.
You think I should change to Let's Encrypt certs?
Yes, then you no longer have to import the CA certificates into Windows, because they should already be there.
Thanks atom
Is there a good how-to for doing this?
I imagine I need to install the Let's Encrypt package on OPNsense.
Yes, you're right - os-acme-client. You can find a short documentation of the plugin here:
https://github.com/opnsense/plugins/pull/66
Thanks atom,
Would I need to import the Let's Encrypt cert under System > Trust > Authorities?
No, you do not have to do this manually. It is installed automatically by ACME when the certificate process has been successfully completed.
Thanks atom.
Obviously I will need to open port 80 on my WAN address, i.e. the OPNsense firewall; is that a security risk?
Every open port in a firewall is a potential security risk.
I'll use DNS-01. No port needs to be opened for this.
Will it work even though I'm using the free No-IP and only have one hostname?
Edit - just went on No-IP and I have to pay extra to get a TXT record for the DNS challenge.
So I will need to open port 80 to the FW.
What do you suggest, get a TXT record or open port 80?
I would prefer the 3rd variant and take my own CA. 8)
You mean just export the self-signed CA?
Yes, but you had some restrictions to install certificates as admin.
Not admin; as a standard user, they just couldn't import the CA.
I really don't want to expose my firewall to WAN on any ports.
I do port forwards to other servers on ports 80 and 443.
thanks so much atom for your help in this!!!!!!!!!!!
You have the choice: either install the certificate in Windows once as an admin (the best method in my opinion) or regularly renew the certificate with ACME - then either via DNS (no port to open) or HTTP (port 80 / 443 must be open).
Yeah, I agree it's a lot safer to use a self-signed cert instead of ACME, especially on a firewall.
Why should using ACME on the firewall pose any risk? If you use DNS challenge, it's perfectly safe ...
Success!!!!!!!!!!
Installed/configured the ACME client on my OPNsense, it got the certs (using the DNS challenge with Dynu).
I then changed the cert on my IPsec server to the ACME client one instead of my self-signed one.
At a different location (at work) I did a test: I spun up a VM, created a standard user, logged in as the standard user,
created the IKEv2 VPN and I could connect straight away without installing any cert!!!!!
I'm glad to hear it.