OpenVPN Plugins

OpenVPN can be extended with plugins that add extra functionality.

The most frequently used are authentication plugins, which authenticate against LDAP, RADIUS or other PAM backends, but there are also hooks to add per-client configuration etc.

This page is intended to collect information about existing plugins and pointers to documentation.

Existing Plugins

Fully maintained by OpenVPN maintainers

| plugin name | hook(s) | async | source | remark |
|---|---|---|---|---|
| auth-pam | up, auth | yes (opt) | openvpn repo (src/plugins/) | use operating system PAM stack for username+password (or 2FA...) authentication |
| down-root | up, down | no | openvpn repo (src/plugins/) | permit running a "cleanup" script at openvpn exit time if openvpn is running with reduced privileges and cannot clean up itself |

Sample plugins in the OpenVPN source tree (not considered "ready for production")

| plugin name | hook(s) | async | source | remark |
|---|---|---|---|---|
| defer | up, auth (*) | yes | sample/sample-plugins/ | sample plugin to show how a "deferred authentication" plugin operates |
| keying-material-exporter-demo | TLS_FINAL, TLS_VERIFY | no | sample/sample-plugins/ | shows how one could do a HTTP/SSO via OpenVPN |
| log | many | no | sample/sample-plugins/ | shows how to do logging from a plugin using the OpenVPN APIs |
| simple | many | no | sample/sample-plugins/ | hooks everything and logs when called |

Plugins maintained elsewhere

| plugin name | hook(s) | async | source | remark |
|---|---|---|---|---|
| radiusplugin | auth, client-connect | yes | https://github.com/FreeRADIUS/ https://www.nongnu.org/radiusplugin/ https://github.com/ValdikSS/openvpn-radiusplugin.git https://github.com/comicchang/radiusplugin.git https://github.com/cuckoohello/radiusplugin.git https://github.com/OpenVPN-Community/openvpn-radiusplugin.git https://github.com/zelenkovsky/radiusplugin.git https://github.com/ArtemZ/radiusplugin-2x4.git https://github.com/PrivateCommunicationsCorp/radius-plugin.git | adds authentication and client configuration from RADIUS data |
| eurephia | auth | no (?) | http://www.eurephia.net/ | flexible authentication from database/rules |
| mozilla/openvpn-defer-auth | auth | yes | https://github.com/mozilla-it/openvpn_defer_auth | use the async/deferred auth plugin interface to run --auth-user-pass scripts in the background without blocking |
| openvpn-auth-ldap | auth, OpenBSD pf | no (PR exists) | https://github.com/threerings/openvpn-auth-ldap | Username/Password auth via LDAP, Integration with OpenBSD pf. Supports Challenge/Response. |
| auth-script-openvpn | auth | yes | https://github.com/pdemonaco/auth-script-openvpn | another plugin to run a script in deferred/async mode |

Documentation

(This section needs work).

Some information on the available hooks and calling convention can be found in the OpenVPN source tree in include/openvpn-plugin.h, and in the sample/sample-plugins/... source files.