Step 1: Install the OpenVPN and OpenLDAP packages.

$ sudo apt-get update
$ sudo apt-get install -y openvpn easy-rsa openvpn-auth-ldap dnsmasq phpldapadmin

The example VPN server configuration file needs to be extracted to /etc/openvpn so we can incorporate it into our setup. This can be done with one command (the redirect runs under sudo because /etc/openvpn is owned by root):

$ sudo sh -c 'gunzip -c /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz > /etc/openvpn/server.conf'

Step 2: Configure the OpenVPN Server

Open /etc/openvpn/server.conf in an editor.

There are several changes to make in this file:

  1. Change dh dh1024.pem to dh dh2048.pem
  2. Uncomment the line
     ;push "redirect-gateway def1 bypass-dhcp"
     so that it reads
     push "redirect-gateway def1 bypass-dhcp"
  3. Uncomment both user nobody and group nogroup. It should look like this when done:
     user nobody
     group nogroup


Step 3: Packet Forwarding

Forward traffic from client devices out to the Internet; otherwise the traffic stops at the server. Enable packet forwarding at runtime with this command (writing to /proc needs root, so the value is piped through sudo tee):

$ echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward

To keep the setting across reboots, edit /etc/sysctl.conf:

$ sudo nano /etc/sysctl.conf

Uncomment net.ipv4.ip_forward. It should look like this when done:

net.ipv4.ip_forward=1


Step 4: Certificates and Keys

OpenVPN uses certificates to encrypt traffic. The Easy-RSA scripts and the OpenSSL command below write under /etc/openvpn, so run this step as root. First copy over the Easy-RSA generation scripts:

$ cp -r /usr/share/easy-rsa/ /etc/openvpn

Then make the key storage directory:

$ mkdir /etc/openvpn/easy-rsa/keys

Generate the Diffie-Hellman parameters; this can take several minutes:

$ openssl dhparam -out /etc/openvpn/dh2048.pem 2048

Change into the directory where we copied the Easy-RSA scripts earlier and source its variables, so that the following scripts run with the right settings:

$ cd /etc/openvpn/easy-rsa
$ . ./vars

Now clear the working directory of any old keys to make way for the new ones:

$ ./clean-all

This command builds the certificate authority (CA) by invoking OpenSSL:

$ ./build-ca

Generate a certificate and key for the server:

$ ./build-key-server server

Copy the server certificate and key, together with the CA certificate, into /etc/openvpn:

$ cp /etc/openvpn/easy-rsa/keys/{server.crt,server.key,ca.crt} /etc/openvpn

Restart the OpenVPN server:

$ sudo systemctl restart openvpn

Step 5: Configure OpenVPN Authentication Against OpenLDAP

Create a directory for the OpenVPN LDAP plugin configuration:

$ sudo mkdir /etc/openvpn/auth

Copy the default auth-ldap.conf file:

$ sudo cp /usr/share/doc/openvpn-auth-ldap/examples/auth-ldap.conf /etc/openvpn/auth

Open the auth-ldap.conf file and replace its contents with the configuration below. The plugin expects its settings inside <LDAP>, <Authorization> and <Group> blocks; the <Group> settings only take effect when RequireGroup is set to true, so with the value below any directory account with a valid password is accepted.

$ sudo vi /etc/openvpn/auth/auth-ldap.conf

<LDAP>
        # LDAP server URL
        URL             ldap://localhost:389
        Timeout         15
        # Enable Start TLS
        TLSEnable       no
        # Follow LDAP Referrals (anonymously)
        FollowReferrals yes
        # TLS CA Certificate File
        TLSCACertFile   /usr/local/etc/ssl/ca.pem
        # TLS CA Certificate Directory
        TLSCACertDir    /etc/ssl/certs
        # If TLS client authentication is required
        TLSCertFile     /usr/local/etc/ssl/client-cert.pem
        TLSKeyFile      /usr/local/etc/ssl/client-key.pem
</LDAP>

<Authorization>
        BaseDN          "dc=example,dc=com"
        # %u is replaced with the username the VPN client supplies
        SearchFilter    "(&(cn=%u))"
        # Require Group Membership
        RequireGroup    false
        <Group>
                BaseDN          "dc=example,dc=com"
                SearchFilter    "(|(cn=developers)(cn=artists))"
                MemberAttribute uniqueMember
        </Group>
</Authorization>

Step 6: Configure a User in phpLDAPadmin

$ sudo nano /etc/phpldapadmin/config.php

Check the following line in config.php:


Open phpLDAPadmin in a web browser.

Log in as the admin user with the password set during the LDAP installation.

Add another user to the LDAP server:

  1. Click on the logged-in profile and copy the entry
  2. Add user
  3. Create an object
  4. Commit the new user

The LDAP user is now ready for authentication.

On the Windows machine, create a client configuration file under Program Files -> OpenVPN -> config.

The sample client configuration file (auth-user-pass makes the client prompt for the LDAP username and password, and the CA certificate goes inline in the <ca> block):

client
dev tun
proto tcp
;proto udp
remote ServerIP 1194
;remote my-server-2 1194
resolv-retry infinite

# Try to preserve some state across restarts.
persist-key
persist-tun

# Prompt for the LDAP username and password.
auth-user-pass
ns-cert-type server
verb 3

<ca>
(paste the contents of /etc/openvpn/ca.crt here)
</ca>

Copy the CA certificate from /etc/openvpn/ca.crt on the server and paste it between the <ca> and </ca> lines.

Open the OpenVPN client on the Windows machine: right-click the OpenVPN icon in the taskbar (bottom right) and connect.

Enter the LDAP user's CN as the username, together with its password.

