OpenVPN + AD + Group + cert


This may not be a problem for most people, but when I configured VyOS OpenVPN + Active Directory with group authorization and a certificate per person, I had a little trouble putting all the parts together.

To-do list:

  1. Generate a certificate for the server side (VyOS)
  2. Install the plugin for OpenVPN (openvpn-auth-ldap)
  3. Configure ldap-auth
  4. Configure OpenVPN on VyOS
  5. Client configuration
  6. Configure static routes

1. Generate a certificate for the server side (VyOS)

1.1 - Copy the easy-rsa scripts to /etc/openvpn

vyatta@vyatta01# sudo su -
root@vyatta01:~# cp -R /usr/share/doc/openvpn/examples/easy-rsa/2.0/* /etc/openvpn/

1.2 - Edit the “vars” parameters

root@vyatta01:/etc/openvpn# nano vars
export KEY_CITY="US"
export KEY_ORG="vyosCA"
export KEY_EMAIL=""

1.3 - Source “vars” and run “clean-all”

root@vyatta01:/etc/openvpn# source ./vars
root@vyatta01:/etc/openvpn# ./clean-all

1.4 - Create the CA, the public + private key for VyOS, and the DH parameters

root@vyatta01:/etc/openvpn# ./build-ca
root@vyatta01:/etc/openvpn# ./build-key-server vyosserver
root@vyatta01:/etc/openvpn# ./build-dh

1.5 - Copy the keys to the config folder

root@vyatta-test-1:~# mkdir /config/auth/keys
root@vyatta-test-1:~# cp -R /etc/openvpn/keys/* /config/auth/keys/

1.6 - Create client keys (one per person; the name chosen here becomes the file names the client uses, here user.crt / user.key)

root@vyatta01:/etc/openvpn# ./build-key user

1.7 - Create the revocation list (crl.pem format)

easy-rsa 2.0 only writes crl.pem when a certificate is revoked, so first we must create a throwaway key, “revokekey”:

root@vyatta01:/etc/openvpn# ./build-key revokekey

Generate the revocation list by revoking it (revoke-full ends with “error 23 ... certificate revoked”, which is its own verification confirming the revocation):

root@vyatta01:/etc/openvpn# ./revoke-full revokekey

/etc/openvpn/keys now contains the crl.pem file; we must copy this list to /config/auth/keys:

root@vyatta01:/etc/openvpn# cp /etc/openvpn/keys/crl.pem /config/auth/keys/

2. Plugin installation

2.1 Change the repository (as of 20.05.2016 the current release is 1.2.x, “jessie”) and install the plugin

[code]$ configure
$ set system package repository squeeze components 'main contrib non-free'
$ set system package repository squeeze distribution 'jessie'
$ set system package repository squeeze url '
$ commit
$ exit

$ sudo apt-get update
$ sudo apt-get install openvpn-auth-ldap[/code]

3. Plugin configuration (/config/auth/ldap-auth.config, the file referenced in step 4)

[code]<LDAP>
    # LDAP server URL (the host part was lost on this page; use ldap://<your-DC> or ldaps://<your-DC>)
    URL             ldap://

    # Bind DN: an ordinary read-only AD account, written as its full DN
    #BindDN         uid=admin,ou=Users,dc=test,dc=com
    BindDN          "CN=User_Read,OU=ADMIN,DC=US,DC=local"

    # Bind Password
    Password        "pass_user_read"

    # Network timeout (in seconds)
    Timeout         15

    # Enable StartTLS. With "no" the bind password and every user's password cross
    # the network in cleartext; set "yes" (or use an ldaps:// URL) once the DC has a certificate.
    TLSEnable       no

    # Follow LDAP Referrals (anonymously)
    FollowReferrals yes

    # TLS CA Certificate File / Directory. Only used when TLSEnable is yes, and then it must
    # be the CA that issued the domain controller's certificate, not the OpenVPN CA from step 1.
    TLSCACertFile   /config/auth/keys/ca.crt
    TLSCACertDir    /config/auth/keys/

    # Client Certificate and key, only if TLS client authentication is required
    # (file names were lost on this page; leave commented unless the DC demands a client cert)
    #TLSCertFile    /config/auth/keys/
    #TLSKeyFile     /config/auth/keys/

    # Cipher Suite. The defaults are usually fine here
    #TLSCipherSuite ALL:!ADH:@STRENGTH
</LDAP>

<Authorization>
    # Base DN - where the user entry is searched for. Searching the whole domain finds
    # users in any OU; restricting it to OU=ADMIN would only find users placed there.
    #BaseDN         "OU=ADMIN,DC=US,DC=local"
    BaseDN          "DC=US,DC=local"

    # User Search Filter - %u is replaced with the username typed into the client
    #SearchFilter   "(&(uid=%u)(accountStatus=active))"
    #SearchFilter   "(&(sAMAccountName=%u)(msNPAllowDialin=TRUE))"
    # to also reject disabled AD accounts:
    #SearchFilter   "(&(sAMAccountName=%u)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"
    SearchFilter    "(&(sAMAccountName=%u))"

    # Require Group Membership - the user must additionally be in the group below
    RequireGroup    true

    # Add non-group members to a PF table (disabled)
    #PFTable        ips_vpn_users

    <Group>
        # The AD group whose members may use OpenVPN
        BaseDN          "OU=ADMIN,DC=US,DC=local"
        SearchFilter    "(cn=ADMIN)"

        # AD stores the members' DNs in "member" (OpenLDAP groups would use "uniqueMember")
        MemberAttribute "member"

        # Add group members to a PF table (disabled)
        #PFTable        ips_vpn_eng
    </Group>
</Authorization>[/code]

4. Configure OpenVPN on VyOS:

[code]### global parameters
set interfaces openvpn vtun0
edit interfaces openvpn vtun0
set local-port 1194
set protocol udp
set mode server

### route option to the LAN network (values depend on your addressing)
set server push-route
set server subnet

#### cert config (file names come from steps 1.4 and 1.5: build-key-server vyosserver)
set tls ca-cert-file /config/auth/keys/ca.crt
set tls cert-file /config/auth/keys/vyosserver.crt
set tls key-file /config/auth/keys/vyosserver.key
set tls crl-file /config/auth/keys/crl.pem
# easy-rsa 2.0 builds 1024-bit DH by default; set KEY_SIZE=2048 in vars before ./build-dh and use dh2048.pem
set tls dh-file /config/auth/keys/dh1024.pem

##### plugin config (the plugin's .so file name under /usr/lib/openvpn/ was lost on this page)
set openvpn-option "--plugin /usr/lib/openvpn/ /config/auth/ldap-auth.config"
set openvpn-option "--script-security 2"
top
commit
save[/code]


5. Example client configuration:

[code]client
dev tun
proto udp
remote x.x.x.x
resolv-retry infinite
nobind
persist-key
persist-tun
tls-client
# the username/password prompt is checked by the LDAP plugin on the server,
# the per-person certificate below by the OpenVPN CA; both must pass
auth-user-pass
auth-nocache
ca   "C:\\Program Files (x86)\\OpenVPN\\keys\\ca.crt"
cert "C:\\Program Files (x86)\\OpenVPN\\keys\\user.crt"
key  "C:\\Program Files (x86)\\OpenVPN\\keys\\user.key"
# only accept a server certificate built with build-key-server (nsCertType=server)
ns-cert-type server
verb 3[/code]

6. Configure static routes on the routers:

On the router with the OpenVPN configuration we must configure routing to the OpenVPN virtual network:

And on the other router we must configure a static route (protocols static route) towards it:


  • Added the configuration for the revocation list,
  • Added the static route,
  • Changed the repository to 1.2.x “jessie”
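What the <Authorization> section of step 3 asks the plugin to do is a two-stage query: find the user under the user BaseDN with SearchFilter (%u replaced by the login name), then, because RequireGroup is true, check that a group matching the <Group> SearchFilter lists that user's DN in MemberAttribute. The Python below is an added example, not code from this post or from openvpn-auth-ldap: it simulates both stages offline over a small constructed directory (the users alice/bob/carol and the groups ADMIN and VPN-Nested are made up), and shows the RFC 4515 escaping that any %u substitution needs so that a login name like `*` cannot widen the filter. Two choices are the example's own rather than something documented on this page: an ambiguous username (more than one match) is treated as a deny, and matching is case-insensitive, as AD's sAMAccountName and cn are. The carol case shows the practical caveat: a direct comparison against the group's member attribute, which is what the MemberAttribute setting describes, does not follow nested groups, so only direct members of ADMIN get in.

```python
"""Simulation of the user + group check that the <Authorization> section configures.

Stage 1: under BaseDN "DC=US,DC=local", find the entry matching
         SearchFilter "(&(sAMAccountName=%u))" with %u = the OpenVPN username.
Stage 2: RequireGroup true -> a group under "OU=ADMIN,DC=US,DC=local" matching
         "(cn=ADMIN)" must list the user's DN in its "member" attribute.

DIRECTORY below is constructed sample data; there is no live LDAP connection.
"""

# RFC 4515 escaping for values substituted into a search filter. Without it a
# username such as "*" or "x)(objectClass=*" rewrites the filter itself.
_LDAP_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_LDAP_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(template: str, username: str) -> str:
    """Replace %u in the configured SearchFilter with the escaped username."""
    return template.replace("%u", escape_filter_value(username))


# Constructed directory: DN -> attributes (multi-valued, as LDAP returns them).
DIRECTORY = {
    "CN=alice,OU=Users,DC=US,DC=local": {"sAMAccountName": ["alice"]},
    "CN=bob,OU=Users,DC=US,DC=local": {"sAMAccountName": ["bob"]},
    "CN=carol,OU=Users,DC=US,DC=local": {"sAMAccountName": ["carol"]},
    # The VPN group: alice is a direct member, carol only through a nested group.
    "CN=ADMIN,OU=ADMIN,DC=US,DC=local": {
        "cn": ["ADMIN"],
        "member": ["CN=alice,OU=Users,DC=US,DC=local",
                   "CN=VPN-Nested,OU=ADMIN,DC=US,DC=local"],
    },
    "CN=VPN-Nested,OU=ADMIN,DC=US,DC=local": {
        "cn": ["VPN-Nested"],
        "member": ["CN=carol,OU=Users,DC=US,DC=local"],
    },
}


def _in_base(dn: str, base_dn: str) -> bool:
    """True when dn is base_dn itself or lies somewhere below it."""
    dn, base_dn = dn.lower(), base_dn.lower()
    return dn == base_dn or dn.endswith("," + base_dn)


def search(base_dn: str, attr: str, value: str) -> list:
    """Subtree equality search, case-insensitive like AD's sAMAccountName and cn."""
    return [dn for dn, attrs in DIRECTORY.items()
            if _in_base(dn, base_dn)
            and value.lower() in (v.lower() for v in attrs.get(attr, []))]


def authorize(username: str,
              user_base: str = "DC=US,DC=local",
              group_base: str = "OU=ADMIN,DC=US,DC=local",
              group_cn: str = "ADMIN",
              member_attr: str = "member"):
    """Return the user's DN when both stages pass, else None (deny)."""
    # Stage 1: exactly one user entry must match; zero or several is a deny
    # (example's own rule for ambiguous names).
    users = search(user_base, "sAMAccountName", username)
    if len(users) != 1:
        return None
    user_dn = users[0]
    # Stage 2: the user's DN must appear directly in a matching group's member
    # attribute. Membership through a nested group is NOT expanded here, which
    # is why carol is denied even though VPN-Nested sits inside ADMIN.
    for group_dn in search(group_base, "cn", group_cn):
        members = DIRECTORY[group_dn].get(member_attr, [])
        if user_dn.lower() in (m.lower() for m in members):
            return user_dn
    return None


if __name__ == "__main__":
    print(build_user_filter("(&(sAMAccountName=%u))", "bob)(objectClass=*"))
    for name in ("alice", "bob", "carol", "*"):
        print(name, "->", authorize(name) or "denied")
```

If nested groups are supposed to count, either make those users direct members of the VPN group, or move the check to an auth script that expands membership itself; with the configuration in step 3 only direct members of ADMIN pass.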

Hi, a question with regard to installing the openvpn-auth-ldap plugin.
I’m following your procedure precisely and getting an issue with the openvpn-auth-ldap plugin:
-------------- my configs -----------
admin@TEMP-2# show system package repository
repository community {
    components main
    distribution helium
    password ""
    username ""
}
repository squeeze {
    components "main contrib non-free"
    distribution squeeze

Firstly, I get multiple errors about outdated indexes while executing apt-get update (after adding squeeze):
--------------- output after running update ---------------
root@TEMP-2:/home/admin# sudo apt-get update
Ign squeeze Release.gpg
Ign squeeze/contrib Translation-en
Ign squeeze/main Translation-en
Ign squeeze/non-free Translation-en
Ign squeeze Release
Ign helium Release.gpg
Ign helium/main Translation-en
Err squeeze/main amd64 Packages
404 Not Found [IP: 80]
Ign helium Release
Err squeeze/contrib amd64 Packages
404 Not Found [IP: 80]
Err squeeze/non-free amd64 Packages
404 Not Found [IP: 80]
Err helium/main amd64 Packages
404 Not Found
W: Failed to fetch 404 Not Found [IP: 80]
W: Failed to fetch 404 Not Found [IP: 80]
W: Failed to fetch 404 Not Found [IP: 80]
W: Failed to fetch 404 Not Found
E: Some index files failed to download, they have been ignored, or old ones used instead.

------------------end of output --------------------------------------------

Secondly, while executing apt-get install openvpn-auth-ldap I get the error "Unable to locate package":

----------- output after an attempt to install -----------------
root@TEMP-2:/home/admin# sudo apt-get install openvpn-auth-ldap
Reading package lists… Done
Building dependency tree
Reading state information… Done
E: Unable to locate package openvpn-auth-ldap
------------------- end of output.

any suggestions? thanks.

Hi, I’ve followed the steps of your LDAP configuration, however I could not connect to my server. I keep receiving an error message that it was unable to bind from cn=xxx,ou=xxx,dc=xxx=,dc=xxx