Guide for deploying OpenVPN Access Server + OPNsense

[user290920]

We have replaced our Fortinet FW with OPNsense. One of the outstanding things is get VPN back up and running. With the Fortinet VPN we were using SAML for Authentication, and I'd really like to continue to do that for ease of use by our end-users. It seems like we need to implement OpenVPN Access Server to have SAML authentication (source).

I've scoured the internet for the past 2HRs, no luck finding a guide for deploying OpenVPN Access Server and configuring it to work with OPNsense. Can someone please refer one for me?

Also, if we deploy OpenVPN Access Server, can we still configure an a Site-to-Site IPSec VPN *on OPNsense*? Or, does configuring the OpenVPN Access Server disable the OPNsense Site-to-Site VPN feature and offload all VPN to OpenVPN Access Server?

Ideally, I would like Site-to-Site to be done through OPNsense. And, end-users to VPN using OpenVPN Access Server, authenticating using SAML authentication.

[user290920]

If you are a n00bie like me, and are coming across this article... I figured it out. Below are the steps:

• Install OpenVPN Access Server (OpenVPN AS) on a Virtual Appliance or Dedicated Device.
• On your firewall, "Pinhole" the OpenVPN port through the firewall (usually UDP Port 1194).
• Update the hostname to OpenVPN AS to a DNS entry that is accessible locally (e.g. 192.168.x.x) and globally (123.456.x.x).
• Get an SSL certificate from LetsEncrypt, and configure automatic renewals (guide).
• In OpenVPN Access Server, configure SAML Authentication with your Identity Provider (IdP) of choice (e.g. Entra, Google, IBM Verify, etc.)
• With OpenVPN Access Server, configure your Access Control policy via User Permissions or Group Permissions
• Use your phone to test the if your SAML authentication and OpenVPN Access Control policies are working.

As for forum moderators and OPNsense developers, I think it would be helpful if within your documentation you emphasised that OpenVPN Access Server is an easy option for organisations looking to implement a MFA-protected VPN solution. IMO everything on the web points to using OpenVPN embedded into OPNsense, making organisations think that authentication via RADIUS and LDAP are the only options.

Personally, for VPN I think it is safer to limit the number of times end-users need to enter their username/password. Instead, each time they access they should complete a push/biometric challenge. Since re-authentication is so much faster, you can make your VPN disconnect after a few minutes of inactivity. And, end-users can't really complain since reconnecting is so simple. OpenVPN AS as a FREE license that allows 2 concurrent connections. After that you have to purchase a subscription, which is reasonable, all things considered.