Best OpenVPN authentication method

I’m looking for some help on setting up authentication for openvpn. I’m starting a paid VPN service (starting out small with 1 or 2 locations to connect to) in which I want the end user the create their username and password through a sign up web page and then use those credentials as the login info for connecting to the VPN.

OS:Debian 10

server.conf using duplicate-cn to eliminate the need to generate ovpn files for each end-user.

The VPN setup is pretty easy and getting the web page sign-up in place shouldnt be too difficult either.

My issue is the in-bettween authentication handling. With OpenVPN you have a few options (using auth-user-pass switch in server.conf):

  1. via PAM and authenticate to the server shadow file (No)
  2. via radius server
  3. via LDAP to an OpenLDAP server

Given that I need the authentication to be centrally located for users connecting to multiple VPN locations, it seems option 3 is the best.

I just need a simple database holding username and hashed/salted passwords that the openvpn servers can query for existing login credentials.

If anyone uses ExpressVPN or other commercial options, this is what I’m going for in regards to connecting to the servers.

I’ve searched everywhere and seem to only come across pages referencing OpenVPN Access server which is openvpns paid service that uses a web UI or github pages with with bash scripts that dont do what im looking for.

If anyone has any pointers on making end user authentication / VPN connection process easy by other methods, I am open to any ideas. I just want to avoid the need to generate, sign certs with CA server, and distribute ovpn configs to each end user manually.

Submit an answer

This textbox defaults to using Markdown to format your answer.

You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!

Sign In or Sign Up to Answer