I’m looking for some help on setting up authentication for openvpn. I’m starting a paid VPN service (starting out small with 1 or 2 locations to connect to) in which I want the end user to create their username and password through a sign up web page and then use those credentials as the login info for connecting to the VPN.
OS: Debian 10
server.conf using duplicate-cn to eliminate the need to generate ovpn files for each end-user.
The VPN setup is pretty easy and getting the web page sign-up in place shouldn't be too difficult either.
My issue is the in-between authentication handling. With OpenVPN you have a few options (using auth-user-pass switch in server.conf):
Given that I need the authentication to be centrally located for users connecting to multiple VPN locations, it seems option 3 is the best.
I just need a simple database holding username and hashed/salted passwords that the openvpn servers can query for existing login credentials.
If anyone uses ExpressVPN or other commercial options, this is what I’m going for in regards to connecting to the servers.
I’ve searched everywhere and seem to only come across pages referencing OpenVPN Access Server, which is OpenVPN's paid service that uses a web UI, or GitHub pages with bash scripts that don't do what I'm looking for.
If anyone has any pointers on making end user authentication / VPN connection process easy by other methods, I am open to any ideas. I just want to avoid the need to generate, sign certs with CA server, and distribute ovpn configs to each end user manually.
Heya,
Just came across this answer and decided to write some general guidelines for anyone who comes across this in the future despite the old question.
Given your requirements, I believe that setting up OpenVPN with LDAP as you mentioned is indeed a suitable approach, because it provides a centralized authentication system especially if you’re considering scaling up in the future. You could also look into deploying a VPN server with LDAP on Docker for easy management.
When you set up an LDAP server, you’ll be able to securely store and manage user credentials. When a user tries to log in, OpenVPN will simply query the LDAP server for authentication. You’ll be able to add, remove, or change user credentials with a single interface, making it much easier to manage.
There are a lot of guides on how to do this, but basically, you’d need to first install an LDAP server, then configure OpenVPN to use the LDAP server for authentication. After that, you’d just have to update your web signup form to add new users to the LDAP server.
Please note, implementing & managing an LDAP server requires proper security measures. This includes secure connection, securely storing user inputs and ensuring the server is not vulnerable to attacks.
Here is a link to DigitalOcean’s tutorial on OpenVPN: How To Set Up an OpenVPN Server on Debian 10 | DigitalOcean. While this guide doesn’t specifically talk about LDAP, it provides a general understanding of setting up OpenVPN.
Also here is another link from OpenVPN on using LDAP for auth: LDAP-based Authentication — openvpn.net
Hope that this helps!
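As an added illustration of the credential-store requirement in the question (a central store of salted, hashed passwords that the OpenVPN servers query), here is an `auth-user-pass-verify` handler in `via-file` mode. This is example code, not the answer's, DigitalOcean's or OpenVPN's own; the in-memory user table, the PBKDF2 parameters and the record format are assumptions standing in for whatever database the sign-up page writes to.

```python
#!/usr/bin/env python3
"""auth-user-pass-verify handler for OpenVPN in `via-file` mode (added example).
OpenVPN writes the username on line 1 and the password on line 2 of a temp
file passed as argv[1]; exit 0 accepts the client, anything else rejects."""
import base64, hashlib, hmac, os, sys
PBKDF2_ITERATIONS = 600_000  # assumption: OWASP-recommended PBKDF2-SHA256 cost

def hash_password(password, salt=None):
    """Return 'pbkdf2_sha256$<iters>$<salt b64>$<digest b64>' for storage."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (PBKDF2_ITERATIONS,
            base64.b64encode(salt).decode(), base64.b64encode(digest).decode())

def verify_password(password, stored):
    """Constant-time check of a password against a stored hash record."""
    try:
        algo, iters, salt_b64, digest_b64 = stored.split("$")
        salt, expected = base64.b64decode(salt_b64), base64.b64decode(digest_b64)
        iters = int(iters)
    except (ValueError, TypeError, AttributeError):
        return False                      # malformed record: never a match
    if algo != "pbkdf2_sha256" or iters < 1:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iters)
    return hmac.compare_digest(candidate, expected)

# Constructed stand-in for the shared user database the sign-up page writes to.
USERS = {"alice": hash_password("correct horse battery staple")}
DUMMY_HASH = hash_password("unused")  # burned on unknown users to equalise timing

def check_credentials(username, password, store=USERS):
    """True only if the user exists and the password matches its salted hash."""
    stored = store.get(username)
    if stored is None:
        verify_password(password, DUMMY_HASH)   # don't leak 'user exists' via timing
        return False
    return verify_password(password, stored)

def main(argv):
    """Read OpenVPN's via-file and map the result to an exit status."""
    try:
        with open(argv[1], encoding="utf-8") as fh:
            username, password = fh.read().split("\n")[:2]
    except (IndexError, OSError, ValueError, UnicodeDecodeError):
        return 1
    return 0 if check_credentials(username, password) else 1

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

In server.conf this is wired up with `script-security 2` and `auth-user-pass-verify /path/to/this.py via-file`; the same record format lets the sign-up page insert hashes that every VPN location can verify.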