OpenVPN Active Directory Authentication



  • Hello,
    Today I encountered an odd problem configuring OpenVPN access through Active Directory.

    Previously I managed to set up User Authentication for the pfSense WebConfigurator, which works very well. Users in the appropriate groups can log in and other users can't, so this works as intended. The Authentication Test in the Diagnostics section gives the right groups for each user as long as these groups are created in the User Manager.

    All Users and Groups are in the same OU since it's a very small setup based on Samba4 if this matters. I selected this OU at "Authentication Containers" and do not use an Extended Query.

    When I tried to set up OpenVPN access for a specific group, my steps were these:

    • Creating a group in AD named "OpenVPNRW" and adding the relevant users to it.
    • Creating a group in pfSense named "OpenVPNRW" with scope remote and the following privileges, which I got from various tutorials:
      • User - VPN: IPsec xauth Dialin: Indicates whether the user is allowed to dial in via IPsec xauth (Note: Does not allow shell access, but may allow the user to create SSH tunnels)
      • User - VPN: L2TP Dialin: Indicates whether the user is allowed to dial in via L2TP
      • User - VPN: PPPOE Dialin: Indicates whether the user is allowed to dial in via PPPOE
    • Verifying that users are correctly recognised as group members with the Authentication Test, which succeeded.
    • Setting firewall rules to allow OpenVPN traffic in and OpenVPN users accessing the internal network.
    • Creating an OpenVPN Server which only uses User Authentication with username and password and the Active Directory as Backend.

    This worked pretty well and I was able to log in and access the network remotely. Then I checked if a user who is not a member of the "OpenVPNRW" group can log in, and he could.

    Is this the intended behaviour, and OpenVPN does not check for group membership, so that I have to define a new Authentication Server with an Extended Query for the group?
    Or did I miss something during the configuration, and is it possible to use only one Authentication Server for the pfSense WebConfigurator and OpenVPN where privileges are assigned by group membership?


  • Netgate

    Yes. You have to use an extended query so the authentication fails unless the user is a member of that group.

    Those VPN access permissions have nothing to do with OpenVPN.
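Added example (not from either poster and not pfSense's own code): a constructed AD-like directory with a minimal LDAP filter evaluator, showing why a bind-only backend admits every AD user to OpenVPN while an extended query of the form memberOf=<group DN> rejects non-members. The filter composition (username match AND-ed with the extended query), the user names and the group DN are assumptions.

```python
# Constructed sample directory; each user carries a multi-valued memberOf.
from typing import Dict, List

DIRECTORY: List[Dict[str, List[str]]] = [
    {"sAMAccountName": ["alice"],
     "memberOf": ["CN=OpenVPNRW,OU=Lab,DC=example,DC=lan",
                  "CN=Admins,OU=Lab,DC=example,DC=lan"]},
    {"sAMAccountName": ["bob"],
     "memberOf": ["CN=Staff,OU=Lab,DC=example,DC=lan"]},
]
GROUP_DN = "CN=OpenVPNRW,OU=Lab,DC=example,DC=lan"  # assumed group DN


def user_filter(username: str, extended_query: str = "") -> str:
    """Assumed composition: plain username match, AND-ed with the
    extended query when one is configured."""
    base = f"(sAMAccountName={username})"
    return f"(&{base}({extended_query}))" if extended_query else base


def _split_terms(body: str) -> List[str]:
    """Split '(a=1)(b=2)' into its parenthesised terms, respecting nesting."""
    terms, depth, start = [], 0, 0
    for i, ch in enumerate(body):
        if ch == "(":
            if depth == 0:
                start = i
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                terms.append(body[start:i + 1])
    return terms


def matches(entry: Dict[str, List[str]], filt: str) -> bool:
    """Evaluate (attr=value) or (&(...)(...)) against one entry."""
    inner = filt[1:-1]
    if inner.startswith("&"):
        return all(matches(entry, t) for t in _split_terms(inner[1:]))
    attr, _, value = inner.partition("=")  # value may itself contain '='
    return value in entry.get(attr, [])


def openvpn_auth(username: str, bind_ok: bool, extended_query: str = "") -> bool:
    """Succeeds only if the simulated bind works AND the search finds the user.
    With no extended query, every user who can bind is let in."""
    if not bind_ok:
        return False
    filt = user_filter(username, extended_query)
    return any(matches(e, filt) for e in DIRECTORY)
```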