ritsec / DatacenterInfrastructure

Repository to hold public documentation and tasks related to our Datacenter Infrastructure.
Creative Commons Zero v1.0 Universal

Automate OpenVPN / Research Alternative #8

Status: Open. Scuzz3y opened this issue 5 years ago

Scuzz3y commented 5 years ago

We are currently using OpenVPN and PFSense to create individual user certificates and VPN configs based on user role. This is not a particularly easy thing to automate, since PFSense is GUI-based.

Deliverables

Z5T1 commented 5 years ago

I can help with this.

I'm thinking it would probably be easiest to stick with OpenVPN and use BSD for the server, specifically OpenBSD. Since you're already using PFSense (which is essentially FreeBSD with a GUI), using BSD would make it easier to migrate the existing firewall rules and configuration. Additionally, OpenBSD offers increased security over FreeBSD/PFSense as well as an improved version of PF.

I can easily script all of the deliverables, and the bonus should be simple to achieve via SSH from PowerShell (assuming there is an SSH library for PowerShell; I don't know much about PowerShell at all so I'd need some assistance there).

Scuzz3y commented 5 years ago

So, fortunately, we wouldn't really need to migrate firewall rules, since if we're migrating the actual VPN box then NSX would be the replacement router.

I definitely like the idea of using a more secure OS; there would just need to be better documentation for the overall box and the OpenVPN service, since I've never used it from the command line.

If we wouldn't be using the GUI anymore, it would be very beneficial to script adding VPN servers (another instance of OpenVPN) or user-based overrides for projects and specialized uses.
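As an added example (not code from the ritsec repository or from either commenter), a POSIX sh script covering what the thread asks for: a per-user client-config-dir override derived from the user's role, and a single-file .ovpn assembled from an existing PKI. The ccd and PKI directories, the role-to-route table, the `topology subnet` assumption behind `ifconfig-push`, and the hostname vpn.example.org in the usage note are all assumptions for illustration.

```shell
#!/bin/sh
# Added example (not the ritsec repo's code): per-user OpenVPN role overrides
# plus a single-file client config, scripted instead of clicked through pfSense.
# CCD_DIR, PKI_DIR and the role->route table are assumptions for illustration.
set -eu

CCD_DIR="${CCD_DIR:-/etc/openvpn/ccd}"  # must match client-config-dir in server.conf
PKI_DIR="${PKI_DIR:-/etc/openvpn/pki}"  # holds ca.crt, <cn>.crt, <cn>.key (e.g. from easy-rsa)

# Constructed role table: the networks each role is allowed to reach.
routes_for_role() {
  case "$1" in
    admin) printf '%s\n' "10.0.0.0 255.255.0.0" ;;
    dev)   printf '%s\n' "10.0.20.0 255.255.255.0" "10.0.30.0 255.255.255.0" ;;
    guest) printf '%s\n' "10.0.99.0 255.255.255.0" ;;
    *)     echo "unknown role: $1" >&2; return 1 ;;
  esac
}

# Write ccd/<CN>: the role's pushed routes plus an optional fixed tunnel IP.
# OpenVPN opens ccd/<CN> by name, so the CN is restricted to a safe filename.
write_ccd_override() {
  cn="$1"; role="$2"; fixed_ip="${3:-}"
  case "$cn" in ""|.|..|*[!A-Za-z0-9._-]*) echo "bad CN: $cn" >&2; return 1 ;; esac
  routes=$(routes_for_role "$role") || return 1
  mkdir -p "$CCD_DIR"
  out="$CCD_DIR/$cn"
  printf '%s\n' "$routes" | while read -r net mask; do
    printf 'push "route %s %s"\n' "$net" "$mask"
  done > "$out"
  if [ -n "$fixed_ip" ]; then
    # ip/netmask form of ifconfig-push assumes "topology subnet" on the server
    printf 'ifconfig-push %s 255.255.255.0\n' "$fixed_ip" >> "$out"
  fi
  chmod 0644 "$out"
  echo "$out"
}

# Emit a client .ovpn with CA cert, user cert and user key inlined.
build_client_ovpn() {
  cn="$1"; server="$2"
  for f in ca.crt "$cn.crt" "$cn.key"; do
    [ -r "$PKI_DIR/$f" ] || { echo "missing $PKI_DIR/$f" >&2; return 1; }
  done
  printf 'client\ndev tun\nproto udp\nremote %s 1194\nremote-cert-tls server\n' "$server"
  printf '<ca>\n'; cat "$PKI_DIR/ca.crt"; printf '</ca>\n<cert>\n'
  cat "$PKI_DIR/$cn.crt"; printf '</cert>\n<key>\n'; cat "$PKI_DIR/$cn.key"; printf '</key>\n'
}
```

Typical use after sourcing the file: `write_ccd_override alice dev 10.8.0.50` and `build_client_ovpn alice vpn.example.org > alice.ovpn`; the server side only needs `client-config-dir /etc/openvpn/ccd` in server.conf for the override to take effect.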