OpenVPN LDAP User Group in Windows Active Directory

Recently I had to set up an OpenVPN server with user account details coming from Windows Server Active Directory (as LDAP). The OpenVPN server would be in Amazon's AWS (EC2). Using the walkthrough ( on the OpenVPN site got the basic server up very quickly. OpenVPN also has a guide ( on setting up LDAP authentication. As soon as I started setting up the LDAP authentication, things diverged from the documentation.

The first item was the bind credentials for the OpenVPN server. In the guide it shows "domain\administrator." I found this would not work for me. I was using OpenVPN 2.0.11 (the newest as of Jan 2015). I had to create a new user in Active Directory, make the user a member of the Administrators group and ensure the account could log in.

Using the newly created user I was able to authenticate against my AD server. One note here: I tested LDAP from the OpenVPN server by running ldapsearch in an SSH (PuTTY) session, like this:

ldapsearch -x -h -D "" -W -b "cn=users,dc=domain,dc=org" -s sub "(cn=*)" cn mail sn

When prompted, enter the password for the bind user. You should see a listing of all user accounts in the domain. With this test I knew the OpenVPN server had connectivity to the Windows server and the necessary port (TCP 389 for plain LDAP) was open for LDAP authentication. Keep in mind that plain LDAP on 389 sends the bind password and every user's password in the clear; for a server in EC2 talking to a domain controller elsewhere, use LDAPS on TCP 636 (ldapsearch -H ldaps://host) or tunnel the traffic rather than exposing port 389 across the internet.

Now that users could authenticate against Windows AD, I wanted to require membership in a specific group to be able to use the VPN. To accomplish this, I created a new group in AD within the User Groups folder (OU=User Groups). I added each user to my new group (let's call it "VPN Users"). The OpenVPN server configuration itself shows an example of:

memberOf=CN=VPN Users, CN=Users, DC=example, DC=net

Changing the DC= parts to the correct information did not work. The memberOf value has to be the group's actual distinguished name, and my group lived in OU=User Groups, not in the default CN=Users container that the example assumes. After much searching and some trial and error, I came up with a line that did work:

memberOf=CN=VPN Users, OU=User Groups, DC=domain, DC=org

With this setting in the Advanced LDAP field I can control access to the VPN based on group membership in the "VPN Users" group.
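The Active Directory side of the procedure above (the dedicated bind account, the "VPN Users" group inside OU=User Groups, and the memberOf check the VPN will perform), written out as an added PowerShell example. This is not code from the original post or from OpenVPN; it runs on a domain-joined Windows host with the ActiveDirectory module (RSAT). The domain DC=domain,DC=org and the OU and group names come from the post; the bind account name svc-openvpn-ldap, the UPN suffix domain.org and the member names alice, bob and carol are assumptions. The bind account is created as an ordinary domain user with a strong, non-expiring password; add whatever extra group membership your environment turns out to require, as described earlier.

```powershell
# Added example, not the post's own code: AD-side setup for OpenVPN LDAP auth.
# Domain, OU, account and user names below are assumptions; replace as needed.
Import-Module ActiveDirectory

$domainDn   = 'DC=domain,DC=org'            # forest root from the post
$groupOu    = "OU=User Groups,$domainDn"    # where the VPN group lives
$bindName   = 'svc-openvpn-ldap'            # assumed dedicated bind account
$groupName  = 'VPN Users'
$vpnMembers = @('alice', 'bob')             # assumed sAMAccountNames to allow

# 1. Dedicated bind account for the OpenVPN server: a plain domain user with a
#    non-expiring password that the account itself cannot change.
$bindPassword = Read-Host -Prompt "Password for $bindName" -AsSecureString
New-ADUser -Name $bindName -SamAccountName $bindName `
    -UserPrincipalName "$bindName@domain.org" `
    -Path "CN=Users,$domainDn" `
    -AccountPassword $bindPassword `
    -PasswordNeverExpires $true -CannotChangePassword $true -Enabled $true

# 2. The VPN group, created inside OU=User Groups rather than the default
#    CN=Users container, then populated with the allowed users.
New-ADGroup -Name $groupName -SamAccountName $groupName -GroupScope Global `
    -GroupCategory Security -Path $groupOu
Add-ADGroupMember -Identity $groupName -Members $vpnMembers

# 3. Read back the group's real distinguishedName. This exact string is what
#    goes after "memberOf=" in the Advanced LDAP setting; the CN=Users value
#    from the OpenVPN example only matches if the group really lives there.
$groupDn = (Get-ADGroup -Identity $groupName).DistinguishedName
Write-Host "memberOf=$groupDn"

# 4. Verify with an LDAP filter, the same kind of check the VPN performs:
#    only users whose memberOf attribute carries that DN are returned.
$filter  = "(&(objectClass=user)(memberOf=$groupDn))"
$allowed = Get-ADUser -LDAPFilter $filter |
    Select-Object -ExpandProperty SamAccountName
Write-Host "Users that will pass the memberOf check: $($allowed -join ', ')"

# 5. Negative check: a user who is not in the group (assumed name) must be absent.
if ($allowed -notcontains 'carol') {
    Write-Host 'carol is not a member and will be refused by the VPN'
} else {
    Write-Warning 'carol unexpectedly matches the memberOf filter'
}
```

One caveat worth knowing before relying on the filter in step 4: the memberOf attribute lists direct group membership only. A user who belongs to "VPN Users" solely through a nested group will not match a plain memberOf filter, so either add users to the group directly or confirm separately that your VPN build resolves nested membership.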