MS Azure AD/Entra as auth server for OpenVPN
-
I browsed the archives etc. and the HOWTOs are old ... or say "never done that".
Is there a recent HOWTO somewhere on how to approach this?
I have to research how to set up authentication servers against Azure AD (now called "Entra", right?), to use with OpenVPN servers on pfSense.
Thanks for any pointers, this looks rather intimidating so far.
(I have set up auth servers with Samba AD, so I am no complete newbie ... but ...)
-
I've never seen this done. The pfrest/pfSense-pkg-saml2-auth package "supports" using Entra as an IdP for logging in to the WebConfigurator, but specifically mentions not supporting OpenVPN yet.
There's redmine #11920 for it, but it's approaching 5 years old so I wouldn't hold my breath for that.
You're honestly better off moving the OpenVPN server to a dedicated VM/LXC container (they also offer their prebuilt OpenVPN Access Server which is "free" for 2 concurrent users), and then following a guide to connect it to Entra via SAML auth e.g. https://openvpn.net/as-docs/tutorials/saml-entra-id.html
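The SAML route described in this post needs three things from the Entra (IdP) side before the OpenVPN side can be configured: the IdP entity ID, the sign-on URL, and the signing certificate. The following is an added example, not code from this thread, from Netgate or from OpenVPN Inc., showing how to pull those out of an IdP metadata document and fingerprint the certificate so you can confirm what you pasted matches what the IdP publishes. The metadata is a constructed sample that follows the shape of Entra federation metadata with a placeholder tenant ID and a placeholder (non-X.509) certificate; the result keys `entity_id`, `sign_on_url` and `signing_cert_sha256` are my own names and are not Access Server's field names, and the assumption that Access Server accepts these three values for a manual SAML setup is mine.

```python
"""Extract the IdP values a SAML service provider (e.g. OpenVPN Access Server)
needs from Entra IdP metadata: entity ID, sign-on URL, signing cert fingerprint.

Added example for the thread above; not part of any vendor's code.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample. The layout mirrors Entra federation metadata, but the
# tenant ID is all zeros and the "certificate" is arbitrary bytes, not a real
# X.509 certificate, so this runs offline without touching any tenant.
TENANT = "00000000-0000-0000-0000-000000000000"
PLACEHOLDER_CERT_B64 = base64.b64encode(b"placeholder DER, not a real X.509 cert").decode()
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/{TENANT}/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>{PLACEHOLDER_CERT_B64}</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="{REDIRECT}"
        Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
    <SingleSignOnService Binding="{POST}"
        Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def parse_idp_metadata(xml_text: str) -> dict:
    """Return entity ID, preferred sign-on URL and SHA-256 fingerprints of
    every signing certificate found in an IdP metadata document.

    Raises ValueError when the document is not IdP metadata or lacks a
    usable sign-on endpoint or signing key, so a misconfiguration fails
    loudly instead of producing an SP that can never validate assertions.
    Note: stdlib ElementTree does not fetch external entities, but for
    metadata from an untrusted source prefer the defusedxml package.
    """
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("root element is not a SAML EntityDescriptor")
    entity_id = root.attrib["entityID"]

    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this looks like SP metadata, not IdP metadata")

    # Map binding -> endpoint; prefer HTTP-Redirect, fall back to HTTP-POST.
    sso = {s.attrib["Binding"]: s.attrib["Location"]
           for s in idp.findall("md:SingleSignOnService", NS)}
    sign_on_url = sso.get(REDIRECT) or sso.get(POST)
    if not sign_on_url:
        raise ValueError("no HTTP-Redirect or HTTP-POST SingleSignOnService endpoint")

    # A KeyDescriptor with no 'use' attribute is valid for both signing and
    # encryption, so treat it as a signing key too.
    fingerprints = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.attrib.get("use", "signing") != "signing":
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join((cert.text or "").split()), validate=True)
            fingerprints.append(hashlib.sha256(der).hexdigest())
    if not fingerprints:
        raise ValueError("no signing certificate in IdP metadata")

    return {
        "entity_id": entity_id,
        "sign_on_url": sign_on_url,
        "signing_cert_sha256": fingerprints,
    }


if __name__ == "__main__":
    for key, value in parse_idp_metadata(SAMPLE_METADATA).items():
        print(f"{key}: {value}")
```

Two practical caveats: the fingerprint is there to compare against what you pasted into the SP, not to pin forever, because IdP signing certificates expire and are replaced, so an SP that can refresh from the IdP's metadata URL is easier to keep working than one holding a hand-copied certificate; and whatever you paste must come from your own tenant's metadata, since a wrong entity ID or certificate means the SP will either reject every assertion or, worse, trust the wrong issuer.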
-
@luckman212 Thanks a lot.
Although that doesn't sound very promising. The package you mention: does that authenticate via LDAP?
Maybe Entra isn't the only way of doing that?
The customer also considers deploying an additional on-premise domain controller ... maybe that could be a working local LDAP backend?
Although joining that sounds scary as well so far.
thanks
-
@sgw no, not LDAP, it uses SAML (hence the name...). I'm not the author of that package, so if you need support on it, I suggest using the GitHub repo.
In 2026 I would not be looking to start building out a new on-prem AD infrastructure just for an OpenVPN server if I were you or your customer. None of what I mentioned is scary, and it is all pretty well documented. Based on the entry price of $0, I suggest you give it a try and see if it works for you!
-
We just thought "don't rely on a cloud service alone for auth etc."
That's why the idea of an on-premise (additional) DC came up. At other customers I run Samba-based AD and like it. Here that isn't available or wanted ... they have email and stuff in "whatever name that has"/MS Azure/Entra (?), and now they merge a 2nd company (~15 users), a new mail domain etc., and the one CEO thinks it should be easy to auth VPNs against that as well (seems an LLM told him).
I am a complete noob with the MS cloud-based stuff, so I have to look at least twice before deciding something ;-)
thank you
-
Alright, yes, I wasn't trying to be rude, just my opinion. I understand wanting something on-prem; I come from the old school and am wary of relying on the cloud for everything too. I always prefer to self-host unless absolutely necessary.
Good luck with your project and keep us posted.
-
@luckman212 said in MS Azure AD/Entra as auth server for OpenVPN:
You're honestly better off moving the OpenVPN server to a dedicated VM/LXC container (they also offer their prebuilt OpenVPN Access Server which is "free" for 2 concurrent users), and then following a guide to connect it to Entra via SAML auth e.g. https://openvpn.net/as-docs/tutorials/saml-entra-id.html
Might check that route, thanks.
I assume I would simply port-forward traffic to that VM then ... and disable OpenVPN on the pfSense completely (at least for those AD users ... keep an OpenVPN server with "local users" maybe for admin purposes etc.).
Haven't looked into that URL yet, another todo ... thanks anyway.
EDIT: "prebuilt server for 2 concurrent users" doesn't sound good enough for my case. But I will see.
-
@sgw this is the way to do it. And no it's not scary.