= OpenVPN Plugins =

OpenVPN functionality can be extended by plugins to bring in extra functionality.

Most frequently used are authentication plugins to bring in authentication against LDAP or Radius or other PAM backends, but there's also hooks to add per-client configuration etc.

This page is intended to collect information about existing plugins and pointers to documentation.

== Existing Plugins ==

||= **plugin name** =||= **hook(s)** =||= **async** =||= **source** =||= **remark** =||
|||||||||||| **fully maintained by OpenVPN maintainers** ||
|| auth-pam || up, auth || yes(opt) || openvpn repo (src/plugins/) || use operating system PAM stack for username+password (or 2FA...) authentication ||
|| down-root || up, down || no || openvpn repo (src/plugins/) || permit running a "cleanup" script at openvpn exit time if openvpn is running with reduced privileges and cannot cleanup itself ||
|||||||||| **sample plugins in the OpenVPN source tree** (not considered "ready for production") ||
||
|| defer || up, auth (*) || yes || sample/sample-plugins/ || sample plugin to show how a "deferred authentication" plugin operates ||
|| keying-material-exporter-demo || TLS_FINAL, TLS_VERIFY || no || sample/sample-plugins/ || shows how one could do a HTTP/SSO via OpenVPN ||
|| log || many || no || sample/sample-plugins/ || shows how to do logging from a plugin using the OpenVPN APIs ||
|| simple || many || no || sample/sample-plugins/ || hooks everything and logs when called ||
|||||||||| **plugins maintained elsewhere** ||
|| radiusplugin || auth, client-connect || yes || https://www.nongnu.org/radiusplugin/ https://github.com/ValdikSS/openvpn-radiusplugin.git https://github.com/comicchang/radiusplugin.git https://github.com/cuckoohello/radiusplugin.git https://github.com/OpenVPN-Community/openvpn-radiusplugin.git https://github.com/zelenkovsky/radiusplugin.git https://github.com/ArtemZ/radiusplugin-2x4.git https://github.com/PrivateCommunicationsCorp/radius-plugin.git || adds authentication and client configuration from RADIUS data ||
|| eurephia || auth || no (?) || http://www.eurephia.net/ || flexible authentication from database/rules ||
|| mozilla/openvpn-defer-auth || auth || yes || https://github.com/mozilla-it/openvpn_defer_auth || use the async/deferred auth plugin interface to run --auth-user-pass *scripts* in the background without blocking ||


== Documentation ==

(This section needs work).

Some information on the available hooks and calling convention can be found in the OpenVPN source tree in  {{{ include/openvpn-plugin.h }}}, and in the {{{ sample/sample-plugins/... }}} source files.