Netgate Discussion Forum

    OpenVPN Active Directory Authentication

    • GrueneNeun

      Hello,
      Today I encountered an odd problem configuring OpenVPN access through Active Directory.

      Previously I managed to set up user authentication for the pfSense WebConfigurator, which works very well. Users in the appropriate groups can log in and other users can't, so this works as intended. The Authentication Test in the Diagnostics section gives the right groups for each user as long as these groups are created in the User Manager.

      All users and groups are in the same OU, since it's a very small setup based on Samba4, if this matters. I selected this OU under "Authentication Containers" and do not use an Extended Query.

      When I tried to set up OpenVPN access for a specific group, my steps were these:

      • Creating a group in AD named "OpenVPNRW" and adding the relevant users to it.
      • Creating a group in pfSense named "OpenVPNRW" with scope remote and the following privileges, which I got from various tutorials:
        • User - VPN: IPsec xauth Dialin (Indicates whether the user is allowed to dial in via IPsec xauth. Note: Does not allow shell access, but may allow the user to create SSH tunnels)
        • User - VPN: L2TP Dialin (Indicates whether the user is allowed to dial in via L2TP)
        • User - VPN: PPPOE Dialin (Indicates whether the user is allowed to dial in via PPPOE)
      • Verifying that users are correctly recognised as group members with the Authentication Test, which succeeded.
      • Setting firewall rules to allow OpenVPN traffic in and OpenVPN users to access the internal network.
      • Creating an OpenVPN server which only uses user authentication with username and password, and Active Directory as the backend.

      This worked pretty well and I was able to log in and access the network remotely. Then I checked whether a user who is not a member of the "OpenVPNRW" group can log in, and he could.

      Is this the intended behaviour, that OpenVPN does not check for group membership, so that I have to define a new Authentication Server with an Extended Query for the group?
      Or did I miss something during the configuration, and it is possible to use only one Authentication Server for the pfSense WebConfigurator and OpenVPN, where privileges are assigned by group membership?

      • Derelict (LAYER 8, Netgate)

        Yes. You have to use an extended query so the authentication fails unless the user is a member of that group.

        Those VPN access permissions have nothing to do with OpenVPN.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

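The following is an added example, not code from the thread or from pfSense, that models the two steps behind Derelict's answer: the password check (the LDAP bind) says nothing about group membership, so only the search filter can enforce the group. pfSense ANDs the Extended Query into the username search, so with `memberOf=CN=OpenVPNRW,...` configured the search returns no entry for a non-member and the login fails; without it, any account with a valid password gets in. The filter shape is modelled on the one pfSense documents; the directory contents, DNs, OU, passwords and the `sAMAccountName` attribute are constructed assumptions. The username is escaped per RFC 4515 so a crafted login name cannot widen the filter.

```python
"""Model of a pfSense-style LDAP authentication server with and without an
Extended Query.  Added example; not pfSense code.  All directory data below
is constructed sample data and the DNs are assumptions."""
import re
from typing import List, Optional, Tuple

BASE_DN = "OU=Office,DC=example,DC=local"   # assumed "Authentication Container"
GROUP_DN = f"CN=OpenVPNRW,{BASE_DN}"        # assumed DN of the AD group
EXTENDED_QUERY = f"memberOf={GROUP_DN}"     # the form pfSense documents for AD groups

# Constructed sample directory: dn -> attributes.  In AD/Samba4 memberOf holds
# the DNs of the groups the user is a *direct* member of.
DIRECTORY = {
    f"CN=alice,{BASE_DN}": {"sAMAccountName": ["alice"],
                            "memberOf": [GROUP_DN, f"CN=Admins,{BASE_DN}"],
                            "userPassword": ["alice-pw"]},
    f"CN=bob,{BASE_DN}": {"sAMAccountName": ["bob"],
                          "memberOf": [f"CN=Staff,{BASE_DN}"],
                          "userPassword": ["bob-pw"]},
}


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping so a username cannot inject filter syntax."""
    return (value.replace("\\", "\\5c").replace("*", "\\2a")
                 .replace("(", "\\28").replace(")", "\\29").replace("\x00", "\\00"))


def build_filter(name_attr: str, username: str, extended_query: Optional[str]) -> str:
    """Username match, ANDed with the Extended Query when one is configured.
    As in the pfSense form, the query is given without outer parentheses."""
    user_term = f"({name_attr}={escape_filter_value(username)})"
    if not extended_query:
        return user_term
    return f"(&{user_term}({extended_query}))"


def _unescape(value: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def _parse(filt: str, pos: int = 0) -> Tuple[tuple, int]:
    """Parse the RFC 4515 subset used here: (&...) conjunctions and (attr=value)
    equality items.  Returns (node, next_pos)."""
    if filt[pos] != "(":
        raise ValueError("filter item must start with '('")
    pos += 1
    if filt[pos] == "&":
        children, pos = [], pos + 1
        while filt[pos] == "(":
            child, pos = _parse(filt, pos)
            children.append(child)
        if filt[pos] != ")":
            raise ValueError("unterminated conjunction")
        return ("and", children), pos + 1
    end = filt.index(")", pos)          # escaped values contain no literal ')'
    attr, _, value = filt[pos:end].partition("=")
    return ("eq", attr, _unescape(value)), end + 1


def _matches(node: tuple, attrs: dict) -> bool:
    """AD attribute names and DN values compare case-insensitively."""
    if node[0] == "and":
        return all(_matches(child, attrs) for child in node[1])
    _, attr, value = node
    values = next((v for k, v in attrs.items() if k.lower() == attr.lower()), [])
    return any(v.lower() == value.lower() for v in values)


def search(base_dn: str, filt: str) -> List[str]:
    """DNs under base_dn whose entry matches filt (the container search)."""
    node, _ = _parse(filt)
    return [dn for dn, attrs in DIRECTORY.items()
            if dn.lower().endswith(base_dn.lower()) and _matches(node, attrs)]


def authenticate(username: str, password: str, extended_query: Optional[str]) -> bool:
    """Locate exactly one entry with the (possibly group-constrained) filter,
    then check the password.  The password check alone never enforces the group."""
    hits = search(BASE_DN, build_filter("sAMAccountName", username, extended_query))
    if len(hits) != 1:
        return False                   # no entry, or ambiguous: deny
    return password in DIRECTORY[hits[0]]["userPassword"]


if __name__ == "__main__":
    for user, pw in (("alice", "alice-pw"), ("bob", "bob-pw"), ("bob", "wrong")):
        print(f"{user:6} no query: {authenticate(user, pw, None)!s:5} "
              f"with memberOf query: {authenticate(user, pw, EXTENDED_QUERY)}")
    # A login name crafted to widen the filter is escaped, not interpreted.
    print(build_filter("sAMAccountName", "bob)(memberOf=*", EXTENDED_QUERY))
```

Two caveats for anyone reproducing this on a real directory: the Extended Query applies to every login that goes through that authentication server, so a server carrying the OpenVPNRW query would also refuse WebConfigurator logins from non-members, which is why a separate authentication server per access policy is the usual answer to the question above; and `memberOf` in Active Directory records direct membership only, so users who reach the group through a nested group need the matching-rule-in-chain form of the filter rather than a plain `memberOf=` match.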
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.