Last updated on July 28th, 2020 at 08:15 pm
In this guide, we are going to learn how to configure OpenVPN LDAP Based Authentication. Identification and authentication of users is usually the first step in implementing access control. OpenVPN server supports multiple authentication protocols and thus can be configured to obtain connecting client information from an LDAP server, and to use that information as a basis for authenticating the client in addition to the use of the Client certificates and keys.
Also, with OpenLDAP authentication, the issue of having to generate individual OpenVPN client certificates for every client connecting can be eliminated.
Learn how to install and setup OpenLDAP server on CentOS 8 by following the link below;
Install and Setup OpenLDAP on CentOS 8
Configure OpenVPN LDAP Based Authentication
Install OpenVPN plugin for LDAP authentication
To configure OpenVPN LDAP based authentication, you need to install OpenVPN plugin for LDAP authentication. The plugin is called
openvpn-auth-ldap and it implements username/password authentication via LDAP for OpenVPN.
On CentOS 7, you need EPEL repos to install the plugin;
yum install epel-release
yum install openvpn-auth-ldap
On Ubuntu systems;
apt install openvpn-auth-ldap
On CentOS 8, unfortunately, the EPEL repos don’t provide this package as of this writing.
In this demo, we are running an OpenVPN server on CentOS 7 system.
After the installation of the
openvpn-auth-ldap package, you should now be having the required modules under the
The modules can also be found under,
The package also installs OpenVPN LDAP authentication configuration file,
On Ubuntu systems, you will find the sample OpenVPN LDAP auth configuration under;
Configure OpenVPN server for LDAP Based Authentication
Once you have the necessary plugins in place, the next thing would be to configure OpenVPN server for LDAP based authentication.
Open the OpenVPN LDAP based authentication configuration file and define your OpenLDAP server specifics;
Create a backup of the configuration.
If the directory/file doesn’t exist, simply create one;
Once that is done, copy the sample configuration file;
cp /usr/share/doc/openvpn-auth-ldap/examples/auth-ldap.conf /etc/openvpn/auth/ldap.conf
Next, open the configuration file for editing.
Below is our sample configuration (with no commented lines) as per our OpenLDAP server setup. Make your appropriate configurations;
<LDAP> URL ldap://ldapmaster.kifarunix-demo.com BindDN cn=readonly,ou=system,dc=ldapmaster,dc=kifarunix-demo,dc=com Password [email protected] Timeout 15 TLSEnable no FollowReferrals no </LDAP> <Authorization> BaseDN "ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com" SearchFilter "(uid=%u)" RequireGroup false </Authorization>
In regards to group authentication, if you want to enforce a more fine grained OpenVPN access control such that only specific users authenticating via OpenLDAP can connect to OpenVPN server, you can utilize OpenLDAP group membership.
For example, in our OpenLDAP server, we have a VPN only group which contains only users that are allowed to connect to OpenVPN server;
ldapsearch -Y ExTERNAL -H ldapi:/// -b ou=groups,dc=ldapmaster,dc=kifarunix-demo,dc=com -LLL -Q "(cn=vpnonly)"
dn: cn=vpnonly,ou=groups,dc=ldapmaster,dc=kifarunix-demo,dc=com objectClass: groupOfNames cn: vpnonly member: uid=koromicha,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com member: uid=johndoe,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com
See how to create OpenLDAP group membership by following the guide below;
How to Create OpenLDAP Member Groups
Therefore, to enable group membership authentication, set the value of the
RequireGroup option to true and edit the group section such that you configuration may look like;
<LDAP> URL ldap://ldapmaster.kifarunix-demo.com BindDN cn=readonly,ou=system,dc=ldapmaster,dc=kifarunix-demo,dc=com Password [email protected] Timeout 15 TLSEnable no FollowReferrals no </LDAP> <Authorization> BaseDN "ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com" SearchFilter "(uid=%u)" RequireGroup true <Group> BaseDN "ou=groups,dc=ldapmaster,dc=kifarunix-demo,dc=com" SearchFilter "memberOf=cn=vpnonly,ou=groups,dc=ldapmaster,dc=kifarunix-demo,dc=com" MemberAttribute uniqueMember </Group> </Authorization>
In this case, only user koromicha and johndoe can connect to OpenVPN server.
Save and exit the configuration after making your appropriate changes.
Next, configure OpenVPN server to use OpenLDAP for authentication by adding the line below to the OpenVPN server configuration file.
plugin /usr/lib64/openvpn/plugin/lib/openvpn-auth-ldap.so /etc/openvpn/auth/ldap.conf
You can simply add this line to the OpenVPN server configuration file as follows;
echo "plugin /usr/lib64/openvpn/plugin/lib/openvpn-auth-ldap.so /etc/openvpn/auth/ldap.conf" >> /etc/openvpn/server/server.conf
Be sure to set the correct path to the module. For example, on Ubuntu 18.04/20.04, the path is
Hence, the line would look like;
plugin /usr/lib/openvpn/openvpn-auth-ldap.so /etc/openvpn/auth/ldap.conf
Enable Client Username/Password Authentication
Next, edit the client configuration file to include the auth-user-pass directive to enable username/password authentication method.
For example, this is a our sample Client configuration file based on our OpenVPN server setup.
client tls-client pull dev tun proto udp remote 192.168.2.132 1194 resolv-retry infinite nobind #user nobody #group nogroup persist-key persist-tun key-direction 1 remote-cert-tls server comp-lzo verb 3 auth-nocache dhcp-option DNS 220.127.116.11 dhcp-option DNS 10.8.0.1 auth SHA512 auth-user-pass tls-auth /home/johndoe/ta-key ca /home/johndoe/ca.crt cert /home/johndoe/johndoe.crt key /home/johndoe/johndoe.key
Restart OpenVPN Server service;
systemctl restart [email protected]
Verify OpenVPN Client LDAP Authentication
Our configuration is now done. To verify that all is well, initiate OpenVPN connection on the client;
sudo openvpn johndoe.ovpn
Sat Apr 18 08:50:11 2020 OpenVPN 2.4.8 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Nov 1 2019 Sat Apr 18 08:50:11 2020 library versions: OpenSSL 1.1.1 FIPS 11 Sep 2018, LZO 2.08 Enter Auth Username: johndoe Enter Auth Password: ************* ... Sat Apr 18 08:50:26 2020 /sbin/ip addr add dev tun0 10.8.0.60/24 broadcast 10.8.0.255 Sat Apr 18 08:50:26 2020 /sbin/ip route add 192.168.2.132/32 via 10.0.2.2 Sat Apr 18 08:50:26 2020 /sbin/ip route add 0.0.0.0/1 via 10.8.0.1 Sat Apr 18 08:50:26 2020 /sbin/ip route add 18.104.22.168/1 via 10.8.0.1 Sat Apr 18 08:50:26 2020 Initialization Sequence Completed
If the authentication fails;
... Sat Apr 18 08:53:36 2020 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1) Sat Apr 18 08:53:36 2020 AUTH: Received control message: AUTH_FAILED Sat Apr 18 08:53:36 2020 SIGTERM[soft,auth-failure] received, process exiting
On the OpenVPN Server, you will see such a line on the logs;
tail -f /var/log/openvpn/openvpn.log
... 192.168.56.1:53489 [johndoe] Peer Connection Initiated with [AF_INET]192.168.56.1:53489 johndoe/192.168.56.1:53489 OPTIONS IMPORT: reading client specific options from: /etc/openvpn/ccd/johndoe johndoe/192.168.56.1:53489 PLUGIN_CALL: POST /usr/lib64/openvpn/plugin/lib/openvpn-auth-ldap.so/PLUGIN_CLIENT_CONNECT status=0 johndoe/192.168.56.1:53489 OPTIONS IMPORT: reading client specific options from: /tmp/openvpn_cc_565148162b7cd88618c8c5e6efba7007.tmp johndoe/192.168.56.1:53489 MULTI: Learn: 10.8.0.60 -> johndoe/192.168.56.1:53489 johndoe/192.168.56.1:53489 MULTI: primary virtual IP for johndoe/192.168.56.1:53489: 10.8.0.60 johndoe/192.168.56.1:53489 PUSH: Received control message: 'PUSH_REQUEST'
Try to connect to OpenVPN server as
janedoe, who is not in the allowed
vpnonly group. This will automatically fail.
sudo openvpn janedoe.ovpn
Sat Apr 18 10:00:05 2020 OpenVPN 2.4.8 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Nov 1 2019 Sat Apr 18 10:00:05 2020 library versions: OpenSSL 1.1.1 FIPS 11 Sep 2018, LZO 2.08 Enter Auth Username: janedoe Enter Auth Password: ************** ... Sat Apr 18 10:00:19 2020 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1) Sat Apr 18 10:00:19 2020 AUTH: Received control message: AUTH_FAILED Sat Apr 18 10:00:19 2020 SIGTERM[soft,auth-failure] received, process exiting
Great. You have successfully configured your OpenVPN clients to authenticate via OpenLDAP server.
That marks the end of our guide on how to configure OpenVPN LDAP Based Authentication. Enjoy.
Assign Static IP Addresses for OpenVPN Clients
Connect to OpenVPN using Network Manager on CentOS 8/Ubuntu 18.04
Setup OpenVPN Server on CentOS 8
2 thoughts on “Configure OpenVPN LDAP Based Authentication”
Thank you very much for this topic, a great help for me to set a new VPN with ldap authentication. Just a few remarks.
The openvpn-auth-ldap package is not yet available for centOS8, but you can install the one for for the Fedora 28 with its dependances : gnustep-base-libs libobjc-8.3.1-2. It works fine.
I had a problem with the routage. I did not use the : push “redirect-gateway def1 bypass-dhcp” in my server.conf because I did not want all the traffic of the clients to go through the vpn. I push the route with : “push route IP.0/24 255.255.255.0”, mais the client could not connect to the network I had pushed, the with the other networks, he could connect. But if I was pushing the “redirect-gateway def1 bypass-dhcp”, it was working. I understood that I had to exclude the IP of my VPN server who was in the subnet I wanted to push.
This was working with : push “route serverIP 255.255.255.255 net_gateway”.
This said that my VPN server go through the local gateway of the client, not in the tunnel.
Thanks for the feedback philippe.