SSL VPN - How to Authenticate VPN Users with Active Directory

Version 2.5

Applies to platform: UTM 2.5, Edge 2.5
Updated on: 4th of December 2015


Starting from version 3.0, external LDAP or NTLM authentication can be configured from the Endian GUI. See this howto for guidelines.

This lesson will illustrate the necessary steps to configure Active Directory integration with OpenVPN. Using this, you can now authenticate VPN users using just their Active Directory username and password and not have to (necessarily) create additional VPN-only accounts on the Endian.


When a user should be authenticated through an external authentication module, like Active Directory or LDAP, it is not required to create that user locally as an Endian VPN account. Keep in mind that any global options specified under VPN > Advanced tab will apply to all your authenticated users so there is nothing special necessary in this instance. However, if you want to configure specific VPN options that only apply to a single user (like the routing information) then you'll need to create that user as an Endian VPN user on your device as well.

Backup Original Configuration File

root@endian~#: cp /var/efw/openvpn/settings /var/efw/openvpn/settings.backup

Before you begin modifying anything, it's always wise to backup any files you'll be changing in case you make a mistake or wish to revert back to your original settings. From the CLI, use the command shown above to create a backup file before you begin.

Add Active Directory Authentication Settings

root@endian~#: nano /var/efw/openvpn/settings

The step shown above will open the text editor application on the Endian so you can add the lines directly (see here or here for an introduction on using this text editor). Now using the text editor from the CLI, you will edit the file and add the lines shown in the next steps but substituting your own Active Directory environment settings for the ones shown in this example.

Configuration Edit #1 - Authentication Order


This line defines which authentication modules OpenVPN should use and in which order they should be processed. In this case, we're specifying LDAP (Active Directory) and then local VPN users.

Configuration Edit #2 - Server URI (IP Address)


This line tells OpenVPN where to find the Active Directory server by using the IP Address.

The format of this field is: protocol://host[:port]

Configuration Edit #3 - Bind Information

LDAP_BIND_DN=cn=Administrator,cn=Users,dc=corp,dc=example,dc=com LDAP_BIND_PASSWORD=password

If you're Active Directory server does not allow anonymous binding, then you'll need to configure an distinguished name (DN) of an AD account to use that can query the required user tree(s). Normally it's recommended to use the 'Administrator' (or equivalent) account as this works best for the majority of deployment scenarios.

Configuration Edit #4 - User Base DN information


Here you can specify the tree in the Active Directory server where the users you wish to authenticate are located. Obviously, you're search string will vary depending on how your AD tree is setup.

Configuration Edit #5 - User Search Filter


Here you'll specify the search filter to use in locating the users to be authenticated and then pass the username and password (in the query).

Save the File and Exit

root@endian~#: cat /var/efw/openvpn/settings

Once you've added all of the configuration lines above into the settings file, you can now save and exit the program by hitting CTRL-X and typing 'Y" at the prompt to save the file. You're finished /var/efw/openvpn/settings file should resemble the one shown above (with your own settings of course).

Restart VPN Server


You must restart the VPN server in order for the new changes to take effect.

You can do so from the web interface by going to VPN and then select Save and Restart.

Test VPN User Account


You should now be able to test any user account that matches the settings you configured in the AD configuration.

Remember, the username will be the actual "User logon name" as defined on your Active Directory server (which could be different from the descriptive name given to the account)

Altre domande? Invia una richiesta