Use local, external, TOTP, custom – even multiple – authentication systems.
Access Server makes it easy to configure authentication that meets your – and users’ – needs. Have an existing directory service? Configure support for an external authentication system.
OpenVPN Access Server supports many authentication systems: local, LDAP, RADIUS, SAML, and
PAM. Full details for each are available here.
OpenVPN Access Server automatically locks out user accounts after repeated failed authentications as a security precaution. When this lockout is triggered on an account, the user receives a message like "LOCKOUT" or "user temporarily locked out due to multiple authentication failures" when trying to sign in. This prevents brute-force guessing the password by endlessly trying different passwords.
The lockout triggers when a wrong password is entered three times consecutively within 15 minutes. The lockout expires after 15 minutes. You can modify these default settings. You can also manually lift the lockout if you don’t want to wait 15 minutes.
Exceptions to the lockout policy are authentications done with a user-locked connection profile and bootstrap accounts. Access Server requires authentication with valid credentials to obtain a user-locked connection profile; bootstrap accounts can only bypass the lockout policy on Access Server 2.9 and older.
To change the lockout policy from the default settings, refer to this command line documentation page regarding the lockout policy.
Yes, Access Server has built-in MFA support for adding another authentication layer with time-based one-time passwords (TOTP). You can enable it in the Admin Web UI for your users globally, by groups, or by individual users. TOTP MFA applications include Google Authenticator, Microsoft Authenticator, and password managers.
Yes, we provide example post-auth scripts you can use to extend and customize the authentication functionality of Access Server. With a customized script, you can integrate with Duo 2FA, automate group mapping with identity providers, add device registration addresses for increased security, and more. You can learn more about these plugins here.
Yes, we support automatic group mapping for users authenticating with LDAP, RADIUS, and SAML by using custom post-auth scripts. These scripts run after a user authenticates their credentials but before the VPN connection starts. Read our guides for more details on setting this up for LDAP, RADIUS, and SAML.
Connect to Access Server now with two free connections
OpenVPN helps you easily create a secure, virtualized, reliable network that ensures secure communications between your networks, applications, devices, and workforce.