How is user authentication and management handled?
OpenVPN Access Server supports many authentication systems: local, LDAP, RADIUS, SAML, and PAM.
These are the five available authentication systems:
- Local: The built-in, local authentication system.
- LDAP: Lightweight directory access protocol for querying user information from tools such as Active Directory, OpenLDAP, and others.
- RADIUS: Remote authentication dial-in user service protocol for authenticating remote users in a system such as JumpCloud, Okta, and others.
- SAML: Security assertion markup language using XML to transfer identity data from a system such as Azure AD, OneLogin, and others.
- PAM: Pluggable authentication modules, a centralized authentication in Linux where you manage the user accounts in the operating system of the server where you’ve installed Access Server.
Local authentication is the default system. Local relies on a built-in database to store user data. You manage your users, groups, and preferences in the Admin Web UI or the command-line interface.
LDAP, RADIUS, SAML, and PAM authentication
You can configure OpenVPN Access Server to authenticate against external authentication systems using LDAP, RADIUS, SAML, or PAM.
Many directory services work with LDAP, RADIUS, and SAML, just as Access Server does. You can configure Access Server to authenticate against the directory service with your preferred protocol. We provide guides on our site to help with the setup for many common providers. However, our guides don’t cover all possible scenarios and providers.
- OpenVPN Access Server on Active Directory via LDAP.
- Using Access Server with JumpCloud.
- Configuring Google Secure LDAP.
- Integrate Okta with OpenVPN Access Server via LDAP.
- Integrate Okta with OpenVPN Access Server via RADIUS.
- Configuring Active Directory (Windows Server) RADIUS Protocol.
- OpenVPN Access Server post_auth RADIUS group mapping script.
- How to configure SAML with Azure AD.
- How to configure SAML with Google Workspace.
- How to configure SAML with OneLogin.
- How to configure SAML with Keycloak.
- How to configure SAML with Okta.
- How to configure SAML with JumpCloud.
You can mix authentication systems, such as creating a VPN admin user authenticating against the local database while your users authenticate against an identity provider configured with SAML.
For more details, refer to OpenVPN Access Server’s user authentication system.