In the last post I used the Local User Database for authentication with the OpenVPN server, but managing users in multiple places is redundant and should be avoided. If your users reside in a Windows domain, why not use a Domain Controller to authenticate VPN users?
That's why this time we will use Active Directory.
For this purpose I've set up a Windows Server with Active Directory Domain Services. In a new Organizational Unit called Test Users there are a service account (domain\vpnsvc) and a user account with which we'll do the tests (domain\user2).
On the pfSense go to System > User Manager > Servers
For Type select LDAP
Enter the IP address of your Domain Controller
Remove the tick from Use anonymous binds to resolve distinguished names, and enter the credentials for your service account. In my case this is the domain\vpnsvc service account.
For Initial Template select Microsoft AD
Continue with the configuration of the OpenVPN server as usual; for reference you can check my previous blog post on the topic, pfSense 2.0 RC1 configuration of OpenVPN Server for Road Warrior with TLS and User Authentication.
Now you can connect to the VPN using a domain user account, in my example domain\user2.
I've tested it: if you disable a user account in Active Directory, that user will no longer authenticate against AD and consequently cannot connect to the OpenVPN server.
To extend the configuration you can use multiple backend services for authentication. Open your OpenVPN server configuration and in the Backend for authentication section also select the Local Database, or any other backend available to you. There is a little flaw in this method. If you have a user with the same user name and the same password in both, the request is sent first to the AD and after that the local database is queried for the user. I guessed this after a little network sniffing. However, how often would you have duplicate users in both databases at the same time? So this is just for your information.
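The two points above (a disabled AD account can no longer bind, and a second backend is queried after AD) are easier to reason about with a small simulation, so here is an added example. It is not code from the original post or from pfSense; it models the behaviour with constructed data. The AD backend is a fake that refuses a bind the way a Domain Controller does, reporting the standard AD subcodes in its diagnostic message (`data 533` for a disabled account, `data 52e` for a wrong password); the local backend is a plain username/password map; the chain tries backends in the configured order and stops at the first one that accepts. The `duplicate_users` audit at the end is the check a practitioner would run before enabling a second backend.

```python
"""
Added example (not from the original post or pfSense): simulate an
authentication chain of Active Directory followed by a local database.

Constructed assumptions:
  - FakeActiveDirectory mimics AD bind failures with "data NNN" subcodes
  - LocalDatabase is a plain username -> password map
  - authenticate() tries backends in order and stops at the first success
"""
import re
from dataclasses import dataclass

ACCOUNTDISABLE = 0x0002   # userAccountControl bit set when an AD account is disabled
NORMAL_ACCOUNT = 0x0200   # userAccountControl value of an ordinary enabled user

# Standard subcodes AD places in its bind diagnostic message ("data NNN").
AD_BIND_SUBCODES = {
    "525": "user not found",
    "52e": "invalid credentials",
    "530": "not permitted to logon at this time",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}
_DATA_RE = re.compile(r"\bdata ([0-9a-f]+)")


def explain_ad_bind_error(diag: str) -> str:
    """Map an AD bind diagnostic string to a readable reason (for log triage)."""
    m = _DATA_RE.search(diag)
    if not m:
        return "unknown"
    return AD_BIND_SUBCODES.get(m.group(1), f"unknown subcode {m.group(1)}")


@dataclass
class AdAccount:
    password: str
    user_account_control: int = NORMAL_ACCOUNT


class FakeActiveDirectory:
    """Constructed stand-in for a Domain Controller answering simple binds."""
    name = "AD"

    def __init__(self, accounts):
        self.accounts = accounts

    def bind(self, user, password):
        acct = self.accounts.get(user)
        if acct is None:
            return False, "AcceptSecurityContext error, data 525, v2580"
        if acct.password != password:
            return False, "AcceptSecurityContext error, data 52e, v2580"
        if acct.user_account_control & ACCOUNTDISABLE:
            # Correct password, but the account is disabled: AD refuses the bind.
            return False, "AcceptSecurityContext error, data 533, v2580"
        return True, ""


class LocalDatabase:
    """Constructed stand-in for the pfSense Local User Database."""
    name = "Local Database"

    def __init__(self, users):
        self.users = users

    def bind(self, user, password):
        ok = self.users.get(user) == password
        return ok, ("" if ok else "invalid credentials")


def authenticate(backends, user, password):
    """Try each backend in order; return (accepting backend name or None, trace)."""
    trace = []
    for backend in backends:
        ok, diag = backend.bind(user, password)
        trace.append((backend.name, ok, diag))
        if ok:
            return backend.name, trace
    return None, trace


def duplicate_users(ad, local):
    """Audit: usernames present in both backends, where a local copy can bypass an AD disable."""
    return sorted(set(ad.accounts) & set(local.users))


if __name__ == "__main__":
    # Constructed data: user2 is disabled in AD but also exists locally with the same password.
    ad = FakeActiveDirectory({"user2": AdAccount("Secret1", NORMAL_ACCOUNT | ACCOUNTDISABLE)})
    local = LocalDatabase({"user2": "Secret1"})
    print("AD only:      ", authenticate([ad], "user2", "Secret1"))
    print("AD then local:", authenticate([ad, local], "user2", "Secret1"))
    print("duplicates:   ", duplicate_users(ad, local))
```

Running it shows that with AD alone the disabled user is rejected (the trace carries `data 533`, which `explain_ad_bind_error` reads as "account disabled"), while with the local database added as a second backend the same credentials are accepted by the local copy; `duplicate_users` lists exactly the accounts where that can happen.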
Thank you for reading, have fun.