OpenVPN server + MFA on different domain to users domain

dedicatedorange
OpenVpn Newbie
Posts: 3
Joined: Tue May 16, 2023 8:32 am

OpenVPN server + MFA on different domain to users domain

Post by dedicatedorange » Tue May 16, 2023 8:35 am

Hi,
Is it possible to run OpenVPN (including TOTP/Google Auth) on a server which is on a different domain from the one the users' accounts are on?

E.g. OpenVPN Linux host on domain abc.com

Users' accounts in xyz.com < wish users to log in with these creds, including TOTP/Google Auth. I have had a look through the docs and it seems like this uses the domain the server is joined to, but it is unclear?

Fadim
OpenVPN User
Posts: 40
Joined: Mon May 15, 2023 12:14 pm

Re: OpenVPN server + MFA on different domain to users domain

Post by Fadim » Tue May 16, 2023 10:12 am

Hi @dedicatedorange,
Yes, as far as I know, it's possible. OpenVPN doesn't care much about the domain of the server it's running on. It's more about the authentication methods you're using.
You can configure OpenVPN to authenticate against an LDAP or RADIUS server, which could be tied to the user accounts on xyz.com. For TOTP/Google Auth, you might need a plugin like openvpn-plugin-auth-pam.
Keep in mind, you'll need to correctly set up the network to allow the OpenVPN server to communicate with the authentication server.
Hope this helps!

dedicatedorange
OpenVpn Newbie
Posts: 3
Joined: Tue May 16, 2023 8:32 am

Re: OpenVPN server + MFA on different domain to users domain

Post by dedicatedorange » Tue May 16, 2023 12:53 pm

Fadim wrote:
Tue May 16, 2023 10:12 am
Hi @dedicatedorange,
Yes, as far as I know, it's possible. OpenVPN doesn't care much about the domain of the server it's running on. It's more about the authentication methods you're using.
You can configure OpenVPN to authenticate against an LDAP or RADIUS server, which could be tied to the user accounts on xyz.com. For TOTP/Google Auth, you might need a plugin like openvpn-plugin-auth-pam.
Keep in mind, you'll need to correctly set up the network to allow the OpenVPN server to communicate with the authentication server.
Hope this helps!

Does the openvpn-plugin-auth-pam plugin for the TOTP/Google Auth work with the openvpn-auth-ldap plugin for LDAP authentication to the users' domain?

Thanks

Fadim
OpenVPN User
Posts: 40
Joined: Mon May 15, 2023 12:14 pm

Re: OpenVPN server + MFA on different domain to users domain

Post by Fadim » Thu May 18, 2023 9:11 am

Hey @dedicatedorange,

Yes, it's indeed possible to use both plugins simultaneously. OpenVPN can handle multiple authentication methods. You can use the openvpn-plugin-auth-pam for TOTP/Google Auth alongside openvpn-auth-ldap for LDAP authentication.

Keep in mind that the order in which you specify the plugins in your OpenVPN configuration file matters. If the first plugin fails to authenticate a user, OpenVPN will not proceed to the next. So, plan your authentication order accordingly.
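
One way to lay out the setup discussed in this thread, as an added example that is not from either poster: it goes beyond the two-plugin arrangement mentioned above by loading only openvpn-plugin-auth-pam and chaining the TOTP check and the LDAP bind inside one PAM service, so the OpenVPN host on abc.com does not have to be joined to xyz.com. The plugin path, the secret directory and the `openvpn-totp` account are assumptions.

```conf
# --- /etc/openvpn/server.conf (fragment) ---
# Plugin path is an assumption; it differs between distributions.
# "openvpn" is the PAM service name, i.e. the file /etc/pam.d/openvpn below.
plugin /usr/lib/openvpn/plugins/openvpn-plugin-auth-pam.so openvpn

# --- /etc/pam.d/openvpn ---
# Users enter <password><6-digit code> together in the password field.
#
# forward_pass : strip the TOTP code and pass the remaining password on
#                to the next module in the stack.
# secret=      : per-user TOTP secret files kept outside home directories,
#                because xyz.com users have no local home on this host
#                (directory is an assumption).
# user=        : local account that owns the secret files (assumed name).
auth     required  pam_google_authenticator.so forward_pass secret=/etc/openvpn/totp/${USER} user=openvpn-totp

# use_first_pass : reuse the forwarded password for the LDAP bind instead
#                  of prompting again.
# pam_ldap's own configuration (server URI, base DN) points at the
# xyz.com directory; use ldaps:// or StartTLS there so the forwarded
# password does not cross the network in clear text.
auth     required  pam_ldap.so use_first_pass

# Honour account state (disabled, expired) from the xyz.com directory.
account  required  pam_ldap.so
```

Because both modules are `required`, a login succeeds only when the TOTP code and the xyz.com password are both valid.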
