OpenVPN Plugins

OpenVPN functionality can be extended by plugins to bring in extra functionality.

Most frequently used are authentication plugins to bring in authentication against LDAP or Radius or other PAM backends, but there's also hooks to add per-client configuration etc.

This page is intended to collect information about existing plugins and pointers to documentation.

Existing Plugins

plugin name hook(s) async source remark
fully maintained by OpenVPN maintainers
auth-pam up, auth yes(opt) openvpn repo (src/plugins/) use operating system PAM stack for username+password (or 2FA...) authentication
down-root up, down no openvpn repo (src/plugins/) permit running a "cleanup" script at openvpn exit time if openvpn is running with reduced privileges and cannot cleanup itself
sample plugins in the OpenVPN source tree (not considered "ready for production")
defer up, auth (*) yes sample/sample-plugins/ sample plugin to show how a "deferred authentication" plugin operates
keying-material-exporter-demo TLS_FINAL, TLS_VERIFY no sample/sample-plugins/ shows how one could do a HTTP/SSO via OpenVPN
log many no sample/sample-plugins/ shows how to do logging from a plugin using the OpenVPN APIs
simple many no sample/sample-plugins/ hooks everything and logs when called
plugins maintained elsewhere
radiusplugin auth, client-connect yes adds authentication and client configuration from RADIUS data
eurephia auth no (?) flexible authentication from database/rules
mozilla/openvpn-defer-auth auth yes use the async/deferred auth plugin interface to run --auth-user-pass *scripts* in the background without blocking


(This section needs work).

Some information on the available hooks and calling convention can be found in the OpenVPN source tree in include/openvpn-plugin.h , and in the sample/sample-plugins/... source files.

Last modified 7 months ago Last modified on 07/31/20 11:38:55