OpenVPN with LDAP authentication on pfSense 2.0 RC1

In the last post I’ve used Local User Database for authentication with the OpenVPN Server, but managing users in multiple places is redundant and should be avoided. If your users resides in Windows Domain why not use a Domain Controller for authenticating VPN users.

That’s way now we will use Active Directory.

For the purpose I’ve setup a Windows Server with Active Directory Domain Services. In a new Organization Unit called Test Users, there are a service account (domain\vpnsvc), and user account with witch we’ll do the tests (domain\user2).

On the pfSense go to System > User Manager > Servers


Add new one with the + sign button.

For Type select LDAP
Enter the IP address of your Domain Controller


In the Search scope, you have to enter the Base DN, you can find it by using ADSI Edit.


Now for Authentication containers, click on Select button and choose the ones in which users that will have access through VPN are.


Remove the tick from Use anonymous binds to resolve distinguished names, and enter the credentials for your service account. In my case this is the domain\vpnsvc service account.
For initial Template select Microsoft AD

Now on the Wizard for creating new OpenVPN Server
As Type of Server select LDAP

As a LDAP server, select the connection that we have configured just now.

Continue with the configuration of the OpenVPN server as usual, for references you can check my previous blog post on the topic pfSense 2.0 RC1 configuration of OpenVPN Server for Road Warrior with TLS and User Authentication

Now you can connect to the VPN using domain users account, in my example domain\user2.

I’ve test is and now if you disable some user account in Active Directory, you will not authenticate with the AD, and consequently connect to the OpenVPN.

To extend the configuration you can use multiple backend service to authenticate. Open you OpenVPN server configuration and in the section Backend for authentication select also the Local Database, or any other available to you. There is a little flow in this method. If you have a user with the same user name and the same password, the request is send first to the AD and after that the local database is queried for the user. I’ve guessed it after a little network sniffing. However how often would you have duplicate users in both databases at the same time? So this is just for your information.

Thank you for reading, have fun.