Using LDAP authentication with OpenVPN

August 02, 2017

Reading time ~2 minutes


With OpenVPN it is quite common to use Easy-RSA to create a Public Key Infrastructure (PKI) so that client certificates may be distributed. For my use case I much prefer to use LDAP authentication with OpenVPN. I use OpenLDAP but any LDAP server should be fine. I am also using an Arch PKGBUILD file to build the actual plugin that makes OpenVPN work with LDAP auth.

LDAP Prerequisite

Before anything can work we need to have an OpenVPN LDAP schema loaded into our environment. While this LDAP schema offers many attributes, for my use case I only care about having authorized VPN users connect. Once openvpn-ldap.schema is loaded, an LDAP record can contain a new VPN objectClass and attributes.

objectClass: openVPNUser
openvpnEnabled: TRUE

The nice thing about this is we can easily modify a People record to enable or disable VPN user access.

LDAP OpenVPN Config

There are only a few fairly simple things to do once our environment is ready for OpenVPN.

  1. Build and install the openvpn-auth-ldap plugin. On Arch Linux you can easily build and install the plugin from AUR.
  2. Add the following to your OpenVPN server configuration:
    plugin /usr/lib/openvpn/plugins/ /etc/openvpn/auth/auth-ldap.conf

    Adjust the paths for and auth-ldap.conf as needed.

  3. It is a good idea to keep a default copy of auth-ldap.conf. An example configuration can be found on GitHub. Since I like to be organized I keep my LDAP config inside /etc/openvpn/auth.
  4. Restart OpenVPN after modifying auth-ldap.conf accordingly. With systemd one can execute systemctl restart openvpn-server@server, respectively.


Upon restarting, openvpn.log should show a plugin initialization entry similar to

PLUGIN_INIT: POST /usr/lib/openvpn/plugins/ '[/usr/lib/openvpn/plugins/] [/etc/openvpn/auth/auth-ldap.conf]' intercepted=PLUGIN_AUTH_USER_PASS_VERIFY|PLUGIN_CLIENT_CONNECT|PLUGIN_CLIENT_DISCONNECT

At this point we can now have our VPN client authenticate with a username and password using our LDAP auth backend. We can see successful LDAP connections in openvpn.log when a new client connects. TLS: Initial packet from [AF_INET], sid=42bec808 6635b5f5 peer info: IV_VER=2.4.3 peer info: IV_PLAT=mac peer info: IV_PROTO=2 peer info: IV_NCP=2 peer info: IV_LZ4=1 peer info: IV_LZ4v2=1 peer info: IV_LZO=1 peer info: IV_COMP_STUB=1 peer info: IV_COMP_STUBv2=1 peer info: IV_TCPNL=1 PLUGIN_CALL: POST /usr/lib/openvpn/plugins/ status=0 TLS: Username/Password authentication succeeded for username 'tony' Control Channel: TLSv1.2, cipher TLSv1.2 DHE-RSA-AES256-GCM-SHA384 [] Peer Connection Initiated with [AF_INET] MULTI_sva: pool returned IPv4=, IPv6=(Not enabled) PLUGIN_CALL: POST /usr/lib/openvpn/plugins/ status=0 OPTIONS IMPORT: reading client specific options from: /tmp/openvpn_cc_0e9bde0ccb231123af86cd70e8a6f37c.tmp MULTI: Learn: -> MULTI: primary virtual IP for PUSH: Received control message: 'PUSH_REQUEST' SENT CONTROL [UNDEF]: 'PUSH_REPLY,route,route,redirect-gateway def1 bypass-dhcp,dhcp-option DNS,dhcp-option DNS,route,topology net30,ping 10,ping-restart 120,ifconfig,peer-id 1,cipher AES-256-GCM' (status=1) Data Channel: using negotiated cipher 'AES-256-GCM' Data Channel Encrypt: Cipher 'AES-256-GCM' initialized with 256 bit key Data Channel Decrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
comments powered by Disqus

Splunk Enterprise (Free) LDAP auth in Apache

Intro I have used Splunk for years and still use Splunk Enterprise at work and for my own use as part of the Free license group. With Splunk…… Continue reading

Increase email security with S/MIME

Published on September 03, 2017

LDAP Mail Distribution Groups with Postfix

Published on May 01, 2018