It’s Your VPN – Use the Auth System You Want

Verify everyone and everything accessing your network.

Use local, external, TOTP, custom – even multiple – authentication systems.

Access Server makes it easy to configure authentication that meets your – and users’ – needs. Have an existing directory service? Configure support for an external authentication system.

Features

Get unmatched flexibility and compatibility with the top authentication systems

Identity verification is critical to securing your network. With Access Server you can use the authentication system – or systems – you prefer.

  • Local Authentication

    By default, Access Server uses local authentication and password hashes (SHA256) stored in the user properties database to verify credentials during login.

  • PAM Authentication

    Manage PAM authentication on your server, using local user accounts in the operating system where Access Server is installed, or on a separate server reachable by Access Server.

  • LDAP Authentication

    Use the Access Server Admin UI to provide more secure authentication for your users and one source of truth for user management through integration with LDAP authentication services.

  • RADIUS Authentication

    Enable RADIUS authentication (PAP, CHAP, and MS-CHAP v2 supported), accounting reports, and case-sensitive matching with the toggles in the RADIUS settings section of Access Server.

  • SAML Authentication

    When you enable SAML authentication on Access Server, users get a single sign-on (SSO) experience that uses their IdP credentials instead of Access Server-specific credentials.

  • Custom Authentication

    You can write custom Python3 code, using post_auth scripts, to load into the Access Server post_auth programming hook as a supplemental or replacement authentication system.

  • Simultaneous Auth Systems

    Access Server lets you use multiple authentication systems simultaneously, so you can define one default system and optionally configure other systems by group or user.

  • TOTP Multi-factor Authentication

    Add another layer of security with multi-factor authentication (MFA) using time-based one-time passwords (TOTP), an industry-standard method that derives one-time codes from a secret key stored on the user's device.

  • Certificates and Private Keys

    On top of user-credential authentication, Access Server also uses private keys and public certificates to verify client and server identity.

FAQs

OpenVPN Access Server supports many authentication systems: local, LDAP, RADIUS, SAML, and PAM. Full details for each are available here.

OpenVPN Access Server automatically locks out user accounts after repeated failed authentications as a security precaution. When this lockout is triggered on an account, the user receives a message like "LOCKOUT" or "user temporarily locked out due to multiple authentication failures" when trying to sign in. This prevents brute-force password guessing, where an attacker would otherwise keep trying different passwords indefinitely.

The lockout triggers when a wrong password is entered three times consecutively within 15 minutes. The lockout expires after 15 minutes. You can modify these default settings. You can also manually lift the lockout if you don’t want to wait 15 minutes.

Exceptions to the lockout policy are authentications done with a user-locked connection profile and bootstrap accounts. Access Server requires authentication with valid credentials to obtain a user-locked connection profile; bootstrap accounts can only bypass the lockout policy on Access Server 2.9 and older.

To change the lockout policy from the default settings, refer to this command line documentation page regarding the lockout policy.
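The lockout policy described above (three consecutive wrong passwords within 15 minutes, a 15-minute lockout, a correct password resetting the streak, and a manual lift) modelled as a small state machine. This is an added example, not Access Server's own code; the `bypass` flag is an assumption modelling the documented exceptions (user-locked profiles, bootstrap accounts on older releases) as attempts that are neither blocked nor counted.

```python
"""Model of the Access Server lockout policy (constructed example, not the
product's code). Timestamps are seconds; defaults match the documented policy."""
from dataclasses import dataclass, field

SUCCEED, FAIL, LOCKOUT = "SUCCEED", "FAIL", "LOCKOUT"


@dataclass
class LockoutPolicy:
    max_failures: int = 3             # default: 3 consecutive failures...
    window: float = 15 * 60           # ...within 15 minutes
    lockout_period: float = 15 * 60   # lockout expires after 15 minutes
    failures: dict = field(default_factory=dict)      # user -> [failure times]
    locked_until: dict = field(default_factory=dict)  # user -> expiry time

    def is_locked_out(self, user, now):
        until = self.locked_until.get(user)
        if until is None:
            return False
        if now >= until:               # lockout expired: clear the state
            del self.locked_until[user]
            self.failures.pop(user, None)
            return False
        return True

    def attempt(self, user, password_ok, now, bypass=False):
        """Return SUCCEED, FAIL or LOCKOUT for one login attempt.
        bypass=True is an assumed model of the documented exceptions:
        the attempt is neither blocked by nor counted toward the lockout."""
        if not bypass and self.is_locked_out(user, now):
            return LOCKOUT             # even a correct password is rejected
        if password_ok:
            self.failures.pop(user, None)   # a success resets the streak
            return SUCCEED
        if bypass:
            return FAIL
        # keep only consecutive failures that fall inside the window
        recent = [t for t in self.failures.get(user, []) if now - t < self.window]
        recent.append(now)
        self.failures[user] = recent
        if len(recent) >= self.max_failures:
            self.locked_until[user] = now + self.lockout_period
            return LOCKOUT             # this failure triggers the lockout
        return FAIL

    def lift(self, user):
        """Manually clear a lockout instead of waiting for it to expire."""
        self.locked_until.pop(user, None)
        self.failures.pop(user, None)
```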

Yes, Access Server has built-in MFA support for adding another authentication layer with time-based one-time passwords (TOTP). You can enable it in the Admin Web UI for your users globally, by groups, or by individual users. TOTP MFA applications include Google Authenticator, Microsoft Authenticator, and password managers.

Yes, we provide example post-auth scripts you can use to extend and customize the authentication functionality of Access Server. With a customized script, you can integrate with Duo 2FA, automate group mapping with identity providers, add device registration addresses for increased security, and more. You can learn more about these plugins here.

Yes, we support automatic group mapping for users authenticating with LDAP, RADIUS, and SAML by using custom post-auth scripts. These scripts run after a user authenticates their credentials but before the VPN connection starts. Read our guides for more details on setting this up for LDAP, RADIUS, and SAML.

Connect to Access Server now with two free connections

OpenVPN helps you easily create a secure, virtualized, reliable network that ensures secure communications between your networks, applications, devices, and workforce.