Is anyone successfully running OpenVPN with Active Directory integration? Are you using the openvpn.net or the openvpn.net/opensource version of OpenVPN? Any tips, tricks or gotchas, or did it "just work"? (Yes, I've seen this How To, but sometimes how-tos aren't as simple as they look for me.)
Backstory: I have a very old Cisco Concentrator (3000 series) that needs to be replaced. I'd like the replacement to be something that integrates with AD users/passwords. I have a stack of reasonably modern HP DL320 boxes lying around, and that led me to the OpenVPN idea...
With the open source version you can write your own authentication script using the 'auth-user-pass-verify' option.
I never put it into production, but I did hack together a working script that authenticates users against my directory.
Another option is the openvpn-auth-ldap plugin.
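An added example of the `auth-user-pass-verify` approach (not code from the thread or from OpenVPN): a via-file helper that reads the two-line credentials file OpenVPN writes, validates the username before it can reach an LDAP DN, refuses empty passwords (an AD simple bind with an empty password is treated as anonymous and "succeeds"), and then does a simple bind as user@domain. The domain, server name and config line are assumed placeholders; the bind is passed in as a callable so the checks can be exercised without a directory.

```python
#!/usr/bin/env python3
"""OpenVPN auth-user-pass-verify helper (via-file mode) for an AD simple bind.

Assumed server config line:  auth-user-pass-verify /etc/openvpn/ad-auth.py via-file
OpenVPN writes the username on line 1 and the password on line 2 of a temp file
whose path is argv[1]; exit status 0 grants access, anything else denies it.
"""
import re
import sys

AD_DOMAIN = "corp.example"        # assumed UPN suffix (placeholder)
LDAP_SERVER = "dc1.corp.example"  # assumed domain controller (placeholder)

# sAMAccountName-style names only: letters, digits, dot, dash, underscore.
# Spaces, '@', '\\', '(', '*' and the like are rejected before the name
# can be interpolated into an LDAP DN or filter.
_USER_RE = re.compile(r"^[A-Za-z0-9._-]{1,64}$")


def parse_via_file(text):
    """Return (username, password) from via-file contents, or None if malformed."""
    lines = text.split("\n")
    if len(lines) < 2:
        return None
    return lines[0].rstrip("\r"), lines[1].rstrip("\r")


def check_credentials(username, password, bind):
    """Validate inputs, then ask bind(upn, password) whether the bind succeeded.

    An empty password is refused here: AD answers a simple bind with an empty
    password as an anonymous bind, so it would report success for any valid
    username.
    """
    if not _USER_RE.match(username) or password == "":
        return False
    return bool(bind(f"{username}@{AD_DOMAIN}", password))


def ldap_bind(upn, password):
    """Real AD simple bind over LDAPS using ldap3 (needs network and ldap3)."""
    import ldap3  # imported here so the parsing/validation runs without it
    server = ldap3.Server(LDAP_SERVER, use_ssl=True, get_info=ldap3.NONE)
    conn = ldap3.Connection(server, user=upn, password=password,
                            authentication=ldap3.SIMPLE)
    ok = conn.bind()
    conn.unbind()
    return ok


if __name__ == "__main__":
    with open(sys.argv[1], encoding="utf-8") as fh:
        creds = parse_via_file(fh.read())
    ok = creds is not None and check_credentials(creds[0], creds[1], ldap_bind)
    sys.exit(0 if ok else 1)
```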
I prefer having OpenVPN auth against PAM (with LDAP or Kerberos), since this is the most flexible solution. I've had the impression that the LDAP plugin provided by OpenVPN is a sorta dirty ad-hoc solution -- nothing compared to the LDAP or Kerberos plug-ins for PAM. I've had problems from time to time where proper user credentials were refused access; a retry solved that problem. My current (production) setup authenticates against PAM. The PAM stack has Kerberos (pam_krb5) on top for OpenVPN authentication. Daily use by nearly 100 users. You can do a lot of stuff with PAM (multiple authentication mechanisms, multiple sources, etc. etc.).
We require AD authentication for our OpenVPN installation (with group/OU integration) and found the easiest was using the RADIUS plugin with Windows Internet Authentication Service (i.e. Win2003 RADIUS).
Not that auth-ldap doesn't work well, just that the RADIUS integration ended up being easier for us to get working (YMMV).
For what it's worth, discovered in hindsight: the commercial offering - OpenVPN-AS (or openvpn.net as you've referred to it) - works really well out of the box, for both RADIUS and LDAP authentication, and the license fee is really low - it works with concurrent connections rather than named users (at $250 for 50 concurrent connections, with smaller bundles available). Also, the user take-on is well put together and makes adding new users and migrating existing clients relatively painless.
I've implemented a solution like that:
OpenVPN client ---> OpenVPN server + RADIUS plugin ---> Windows 2003 server (IAS+AD)
It's working fine!
You can find it by searching for "blog laurent besson"...
This article was made from many others, don't forget it :)
I guess my only question is why deal with OpenVPN when MS has a perfectly acceptable VPN solution built in. Of course it does depend on your situation, but my god is it easy to implement.