Configuring pfSense VPN for native Windows VPN client with no certificates or third-party software: how?

Alright, so this is a perennial favorite question that keeps getting asked, but I’ve yet to get an answer. Time to ask again in the hopes this might be the time!

So here’s the deal: I need to provide a VPN connection accessible by stock Windows 7+ machines through the built-in VPN client. Due to reasons (which I cannot explain and will not explain) these machines cannot have anything manually installed on them: no client certificates, no third-party VPN clients. The only authentication method that can be used for this setup is user/pass and/or PSK.

Obviously, this limits how secure the connection can be made, but I’d still like to do what I can. I was hoping to configure an IKEv2 connection or IPSEC/L2TP, but the only guides I can find require separate installs of certificates and/or third-party VPN clients. Unfortunately the need is unavoidable, so (shudder) we are currently using a separate device on the network to provide a PPTP VPN connection. I’d very much like to get rid of that and switch to something more secure, but (again) having to manually install anything on the client machines is an absolute no-go. It’s not happening, period.

So, I was hoping that someone here might know what magic config steps need to be done to have pfSense provide a VPN connection that Windows can use out of the box. Has anyone cracked it?

Also, since this happens literally every time I ask this question, let me just answer a few common replies before they’re even asked:

  • No, I cannot change the restriction on the client machines. They can’t have certificates installed in advance and they cannot have third-party VPN clients (or any third-party software) installed. That requirement is not going away.

  • I cannot explain why these limitations are in place. Not “will not”, cannot. The restrictions are what they are. Don’t ask why, you won’t get an answer.

  • The client machines are Windows 7+, but at this point I’d be happy to get a solution that worked for Windows 8+ or even only Windows 10. It’s at least possible to have the client machines get an OS upgrade.

  • No, I cannot have the client machines use an OS other than Windows. Oh how I wish I could, but no, that one’s straight out, too. Sadface.

Follow the guide in the book: IPsec Remote Access VPN Example Using IKEv2 with EAP-MSCHAPv2 | pfSense Documentation

Skip generating a certificate and use the one for your website instead.

I had this setup and working for a year or so. I liked this setup, because I could just connect Windows/macOS/iOS without anything besides going through the Add VPN connection wizards.

However, someone pointed out that this is likely compromised by the NSA and possibly others. I shut mine down and switched to OpenVPN last week.
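The client side of the EAP-MSCHAPv2 setup the reply above points to, as an added example that is not from the thread or the pfSense documentation: it creates the connection with the built-in Windows client (no certificate import, no third-party software) and pins the IKE/ESP proposals so they line up with what pfSense is configured for. Assumptions: Windows 8.1 or later with the VpnClient module, a placeholder server name vpn.example.com, and pfSense phase 1 set to AES256/SHA256/DH14 and phase 2 to AES256-GCM with PFS group 14.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell on Windows 8.1+.
# The server name must match a SAN/CN on the public-CA certificate pfSense presents,
# because the built-in client validates that certificate against the Windows root store.
$Name   = 'Office VPN (IKEv2)'
$Server = 'vpn.example.com'   # placeholder, replace with your pfSense FQDN

# Tunnel type IKEv2 with EAP: Windows defaults to EAP-MSCHAPv2, i.e. user/password.
# RememberCredential off so the password is prompted each time rather than cached.
Add-VpnConnection -Name $Name -ServerAddress $Server -TunnelType Ikev2 `
    -AuthenticationMethod Eap -EncryptionLevel Required `
    -RememberCredential:$false -SplitTunneling:$false -Force

# Pin the proposals the client sends. Without this, Windows offers weaker defaults
# (3DES/SHA1/MODP1024) and pfSense has to be loosened to match.
# IKE (phase 1): AES256 / SHA256 / DH group 14   ESP (phase 2): AES256-GCM / PFS 2048
Set-VpnConnectionIPsecConfiguration -ConnectionName $Name `
    -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 -DHGroup Group14 `
    -CipherTransformConstants GCMAES256 -AuthenticationTransformConstants GCMAES256 `
    -PfsGroup PFS2048 -Force

# Confirm what was stored before handing the machine over
Get-VpnConnection -Name $Name |
    Select-Object Name, ServerAddress, TunnelType, AuthenticationMethod, EncryptionLevel
Get-VpnConnection -Name $Name | Select-Object -ExpandProperty IPsecCustomPolicy
```

The same two cmdlets can be wrapped in a logon script or GPO so no one has to click through the Add VPN connection wizard by hand.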

If you find this to be possible, I’d like to know. I think the answer is that you can’t.

I’ve tried multiple times over 10+ years of using pfSense. I thought there was a way to do it with IPSEC over L2TP, and I forget the specific roadblock I ran into, but I DO remember spending 20 hours on trying to make this work and failing.

Captive Portal of some kind?

I found this guide. No certificates. No additional software. Worked on the first pull. IPSec/L2TP.

You said you COULD do PSK. This uses PSK. You said you COULD use user/pass. This uses user/pass. What’s wrong with this?

However, someone pointed out that this is likely compromised by the NSA and possibly others. I shut mine down and switched to OpenVPN last week.

This and many other reasons are why it would be best practices to go with a different solution, but the situation I’m in simply does not allow it. Sigh.

I’ll give the guide a shot. Thanks.

It is possible. You just use your certificate from a real CA instead of self generated.

I’m unclear what you mean. Is that a suggestion? A question?

I didn’t know it existed.

Also the video with no verbal explanations, just music, is not really that great for getting the point across. Nonetheless I’ll pull what I can from it.

To be fair it probably is compromised.

But also to be fair if the NSA is your adversary you’re probably already fucked.

That said, encrypt all the things. Don’t make it ez for any of them.

I may have had additional operational constraints that I had to work around, so if you say it’s possible, I believe you. I’ve been happily using OpenVPN for a very long time, so the details are fuzzy…

Sorry for waking up a 4 month post, but… Did you manage to do it? If so, I’d appreciate it if you could share the process.

Tks!

When I have full control, yeah, OpenVPN ftw. pfSense makes it pretty damn easy to generate everything I need to let people connect.

Fortunately the use case for this is something where the NSA’s involvement is neither likely nor problematic. Not that I’m exactly thrilled about the concept of Big Brother watching this traffic, but guaranteed there’s nothing actionable in there. That I can at least say with certainty.

Alright, I’m interested. What were you thinking exactly? Keep in mind that these client machines aren’t all on the same network or in the same physical location. Most of these are semi-mobile and may be connected through who knows what kind of network connection.

Tragically, no, at least for my purposes. As far as I can determine the problem is on the Windows end (as usual), because the built-in Windows IPSEC/L2TP client can’t seem to do NAT traversal, at least for 98% of the network setups anyone is apt to connect through. Basically if you have a router with an even half-functioning firewall on the client side it’ll block the connection by default, and opening up/forwarding the necessary ports isn’t something you can just have done automatically, at least that I’ve found.

As of now the only even remotely viable VPN method using the built-in Windows client which doesn’t require you to install certificates seems to be PPTP. L2TP can’t be relied on to do NAT traversal and every other method needs a certificate installed, and in advance as far as I can tell. It’s a pretty crap situation all around.

EDIT: Oh, and SSTP, but there are precious few devices which support that. pfSense certainly doesn’t.

I remembered one thing. After I set it up, it didn’t work initially. I had to connect from Windows (and the other OSs) and let it fail. I then would look at the IPSec logs on pfSense and compare the configured versus proposed settings in phase 1.

By the way, I had also set it up as L2TP before I changed to IPSec. It was actually easier to set that up and get working.

You’d need to look further into it yourself to see if it’s suitable - but hopefully it’ll point you to something helpful.
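The "configured versus proposed" comparison described two posts up, as an added example that is not from the thread: pfSense runs strongSwan (charon), whose IPsec log prints a "received proposals" line for what the Windows client offered and a "configured proposals" line for what the phase 1 entry accepts. The script parses both and names the algorithms the client offered that pfSense is not configured for. The three log lines are constructed samples in charon's message format, not real captured output.

```powershell
# Added example, not from the thread. Paste the relevant lines from
# Status > System Logs > IPsec into $LogText (or read them with Get-Content).
# Constructed sample lines: a Windows client using its default proposals.
$LogText = @'
Jan 12 10:01:02 charon: 09[CFG] <15> received proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Jan 12 10:01:02 charon: 09[CFG] <15> configured proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Jan 12 10:01:02 charon: 09[IKE] <15> no matching proposal found, trying alternative config
'@

function Get-Proposals([string]$Text, [string]$Kind) {
    # Find "<kind> proposals: ..." and return one array of algorithm tokens per IKE proposal
    $m = [regex]::Match($Text, "$Kind proposals: ([^\r\n]+)")
    if (-not $m.Success) { return @() }
    $m.Groups[1].Value -split ',\s*' | ForEach-Object {
        , (($_ -replace '^IKE:', '') -split '/')
    }
}

$Received   = @(Get-Proposals $LogText 'received')
$Configured = @(Get-Proposals $LogText 'configured')
$Accepted   = @($Configured | ForEach-Object { $_ })   # every token pfSense will accept

if ($Configured.Count -eq 0) { Write-Warning 'no configured proposals line found in the log' }

foreach ($p in $Received) {
    # Tokens the client proposed that appear in none of the configured proposals
    $rejected = @($p | Where-Object { $Accepted -notcontains $_ })
    if ($rejected.Count -eq 0) {
        "OK       $($p -join '/')"
    } else {
        "REJECTED $($p -join '/')  -> not configured on pfSense: $($rejected -join ', ')"
    }
}
```

With the sample lines it reports SHA1 and MODP_1024 as the rejected tokens, which points to pinning stronger proposals on the client rather than adding a weaker phase 1 entry on pfSense.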

Thanks for the info.
Yes, I’m in a similar situation, but I guess it’ll be easier to push for the certs install in my case now that this seems a big roadblock.

Tks

Well that’s needlessly cryptic, but fuck it, it’s not like learning about more functionality is a bad thing. I’ll see if anything jives.