Configuring authentication in OpenVPN Community Edition via Yandex Identity Hub over the OIDC protocol
For the users of your organization to be able to authenticate to OpenVPN Community Edition via OpenID Connect SSO, create an OIDC app and configure it both in Yandex Identity Hub and OpenVPN.
OIDC apps can be managed by users with the organization-manager.oauthApplications.admin role or higher.
To set up authentication to OpenVPN Community Edition via Yandex Identity Hub for the users of your organization:
- Get your cloud ready.
- Create the infrastructure.
- Install OpenVPN.
- Create a certificate authority.
- Configure an OpenVPN server.
- Create an OIDC app in Yandex Identity Hub.
- Install and configure openvpn-auth-oauth2.
- Test the integration.
If you no longer need the resources you created, delete them.
Get your cloud ready
Sign up for Yandex Cloud and create a billing account:
- Navigate to the management console and log in to Yandex Cloud or create a new account.
- On the Yandex Cloud Billing page, make sure you have a billing account linked and it has the ACTIVE or TRIAL_ACTIVE status. If you do not have a billing account, create one and link a cloud to it.
If you have an active billing account, you can create or select a folder for your infrastructure on the cloud page.
Learn more about clouds and folders here.
Required paid resources
The infrastructure support cost includes:
- Fee for a continuously running VM (see Yandex Compute Cloud pricing).
- Fee for using an OIDC app (see Yandex Identity Hub pricing).
Create the infrastructure
- Create a VM on Ubuntu 24.04 with a public IP address. This VM will act as an OpenVPN server.
- Connect to the VM over SSH:
  ssh <username>@<VM_public_IP_address>
- Make sure you have the following:
  - Domain name pointing to the VM's public IP address. You will need it to configure the openvpn-auth-oauth2 plugin.
  - TLS certificate for this domain name. You can use a certificate from Yandex Certificate Manager.
Install OpenVPN
Note
The openvpn-auth-oauth2 plugin is supported starting from OpenVPN 2.6.2.
- Update your package list and install OpenVPN and Easy-RSA:
  sudo apt update && sudo apt install openvpn easy-rsa
- Check the OpenVPN version:
  openvpn --version
  Result:
  OpenVPN 2.6.19 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] [DCO]
  library versions: OpenSSL 3.0.13 30 Jan 2024, LZO 2.10
  ...
  Make sure the version is not lower than 2.6.2.
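If you script the installation, the version requirement above is worth checking automatically. The functions below are an added example (not from the page or from the OpenVPN project): they parse the first line of `openvpn --version` and compare the dotted version with the 2.6.2 minimum component by component, so that 2.6.19 is ranked above 2.6.2 (a plain string comparison would get that wrong). The sample version lines in the comments are constructed for illustration.

```shell
#!/bin/sh
# Added check (not from the page): verify that the installed OpenVPN is new enough for
# openvpn-auth-oauth2, which requires OpenVPN 2.6.2 or later.

# version_ge A B: succeed when dotted version A is greater than or equal to B.
# Components are compared numerically, left to right; missing components count as 0.
version_ge() {
  a="$1"; b="$2"
  while [ -n "$a" ] || [ -n "$b" ]; do
    ai="${a%%.*}"; bi="${b%%.*}"
    # drop the component just consumed (or empty the string when none is left)
    case "$a" in *.*) a="${a#*.}";; *) a="";; esac
    case "$b" in *.*) b="${b#*.}";; *) b="";; esac
    # keep digits only, so suffixes such as "19_rc1" do not break the -gt/-lt tests
    ai=$(printf '%s' "$ai" | tr -cd 0-9); bi=$(printf '%s' "$bi" | tr -cd 0-9)
    ai="${ai:-0}"; bi="${bi:-0}"
    [ "$ai" -gt "$bi" ] && return 0
    [ "$ai" -lt "$bi" ] && return 1
  done
  return 0
}

# openvpn_version_ok LINE [MIN]: LINE is the first line printed by `openvpn --version`,
# e.g. "OpenVPN 2.6.19 x86_64-pc-linux-gnu [SSL (OpenSSL)] ..." (constructed sample).
# Succeeds when the version in LINE is at least MIN (default 2.6.2).
openvpn_version_ok() {
  line="$1"; min="${2:-2.6.2}"
  case "$line" in
    OpenVPN\ *) ;;
    *) echo "unexpected version line: $line" >&2; return 2 ;;
  esac
  ver=$(printf '%s\n' "$line" | awk '{print $2}')
  version_ge "$ver" "$min"
}

# Stand-alone use on the VM: only runs when an openvpn binary is present.
if command -v openvpn >/dev/null 2>&1; then
  openvpn_version_ok "$(openvpn --version 2>/dev/null | head -n 1)" \
    && echo "OpenVPN version is >= 2.6.2"
fi
```

The component-wise comparison matters because Ubuntu's packaged OpenVPN versions have two-digit patch levels; treating "2.6.19" and "2.6.2" as strings would rank the newer release as older.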
Create a certificate authority
- Create a folder for Easy-RSA and copy the required files into it:
  mkdir -p ~/openvpn-ca
  cd ~/openvpn-ca
  sudo mkdir /etc/openvpn/easy-rsa
  sudo cp -r /usr/share/easy-rsa/* /etc/openvpn/easy-rsa/
  cd /etc/openvpn/easy-rsa/
- Initialize the public key infrastructure (PKI):
  sudo ./easyrsa init-pki
- Create a root certificate authority (CA). This command will ask for a password (at least four characters) and a common name: any CA name, e.g., YC-OpenVPN-CA:
  sudo ./easyrsa build-ca
- Generate a certificate and a server key:
  sudo ./easyrsa gen-req server nopass
  sudo ./easyrsa sign-req server server
  When signing the certificate, enter yes to confirm.
- Generate the Diffie-Hellman parameters:
  sudo ./easyrsa gen-dh
Configure an OpenVPN server
Copy the certificates and keys
Copy the necessary files to the OpenVPN working folder:
sudo cp pki/ca.crt pki/private/server.key pki/issued/server.crt /etc/openvpn/
sudo cp /etc/openvpn/easy-rsa/pki/dh.pem /etc/openvpn/
Create a server configuration file
- Create a file named /etc/openvpn/server.conf:
  sudo nano /etc/openvpn/server.conf
- Add the following content to the file:
  port 1194
  proto udp
  dev tun
  ca ca.crt
  cert server.crt
  key server.key
  dh dh.pem
  auth SHA256
  server 10.8.0.0 255.255.255.0
  ifconfig-pool-persist ipp.txt
  push "redirect-gateway def1 bypass-dhcp"
  push "dhcp-option DNS 8.8.8.8"
  push "dhcp-option DNS 8.8.4.4"
  keepalive 10 120
  cipher AES-256-GCM
  user nobody
  group nogroup
  persist-key
  persist-tun
  status openvpn-status.log
  log-append /var/log/openvpn.log
  verb 3
Configure your network
- Enable IP forwarding:
  echo 'net.ipv4.ip_forward=1' | sudo tee -a /etc/sysctl.conf
  sudo sysctl -p
- Open a port for OpenVPN in your firewall:
  sudo ufw allow 1194/udp
  sudo ufw allow OpenSSH
- Configure NAT masquerading for the VPN subnet:
  sudo iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
  sudo iptables-save | sudo tee /etc/iptables/rules.v4
Start the OpenVPN server
- Start the OpenVPN server:
  sudo systemctl start openvpn@server
  sudo systemctl enable openvpn@server
- Check the OpenVPN server status:
  systemctl status openvpn@server
Create a client certificate
- Go to the Easy-RSA folder and generate a client certificate:
  cd /etc/openvpn/easy-rsa/
  sudo ./easyrsa gen-req client1 nopass
  sudo ./easyrsa sign-req client client1
- Create a client configuration file named ~/client1.ovpn:
  nano ~/client1.ovpn
- Add the following content to the file by specifying the certificates and keys:
  client
  dev tun
  proto udp
  remote <public_IP_address_or_server_domain> 1194
  resolv-retry infinite
  nobind
  persist-key
  persist-tun
  remote-cert-tls server
  auth SHA256
  cipher AES-256-GCM
  verb 3
  <ca>
  -----BEGIN CERTIFICATE-----
  # Paste the contents of /etc/openvpn/ca.crt
  -----END CERTIFICATE-----
  </ca>
  <cert>
  -----BEGIN CERTIFICATE-----
  # Paste the contents of /etc/openvpn/easy-rsa/pki/issued/client1.crt
  -----END CERTIFICATE-----
  </cert>
  <key>
  -----BEGIN PRIVATE KEY-----
  # Paste the contents of /etc/openvpn/easy-rsa/pki/private/client1.key
  -----END PRIVATE KEY-----
  </key>
  key-direction 1
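Pasting three PEM blocks by hand is error-prone (a lost line in the key is the usual mistake). The function below is an added example, not part of the page or of OpenVPN or Easy-RSA: it assembles the same client profile from the PKI files so the PEM blocks are embedded verbatim, refusing to proceed if a file is missing or does not contain a PEM block. The remote and the three file paths are arguments; the page's paths appear in the usage comment. The key-direction 1 line of the profile above is left out here because the server configuration on this page enables neither tls-auth nor a static key, which are the directives that key-direction applies to.

```shell
#!/bin/sh
# Added helper (not from the page): build an inline OpenVPN client profile from the
# CA certificate, client certificate and client key produced by Easy-RSA above.

# build_client_config REMOTE CA_FILE CERT_FILE KEY_FILE: print the profile to stdout.
build_client_config() {
  remote="$1"; ca="$2"; cert="$3"; key="$4"
  for f in "$ca" "$cert" "$key"; do
    [ -r "$f" ] || { echo "cannot read $f (run as root for the key)" >&2; return 1; }
  done
  # refuse to embed a file that is not PEM; an empty <key> block is a silent failure later
  grep -q -- '-----BEGIN ' "$ca" && grep -q -- '-----BEGIN ' "$cert" && grep -q -- '-----BEGIN ' "$key" \
    || { echo "one of the input files does not contain a PEM block" >&2; return 1; }
  cat <<EOF
client
dev tun
proto udp
remote $remote 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
auth SHA256
cipher AES-256-GCM
verb 3
<ca>
$(cat "$ca")
</ca>
<cert>
$(cat "$cert")
</cert>
<key>
$(cat "$key")
</key>
EOF
}

# Usage on the server with the paths from this page (the key is root-only, so use sudo):
#   sudo sh this_script.sh <public_IP_address_or_server_domain> /etc/openvpn/ca.crt \
#     /etc/openvpn/easy-rsa/pki/issued/client1.crt \
#     /etc/openvpn/easy-rsa/pki/private/client1.key > ~/client1.ovpn
if [ $# -eq 4 ]; then
  build_client_config "$@"
fi
```

The resulting client1.ovpn contains the client's private key, so treat the file with the same care as the key itself when copying it to the client device.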
Create an OIDC app in Yandex Identity Hub
- Log in to Yandex Identity Hub.
- In the left-hand panel, select Apps.
- In the center of the page, click Create application and in the window that opens:
  - Select the OIDC (OpenID Connect) single sign-on method.
  - In the Name field, specify a name for the new app, e.g., openvpn-oidc-app.
  - In the Folder field, select the folder where you want to create an OAuth client for your app.
  - Optionally, in the Description field, enter a description for the new app.
  - Click Create application.
- Click Edit at the top right of the new app's page and in the window that opens:
  - In the Redirect URI field, enter the Redirect URI in the following format: https://<domain_name>:9000/oauth2/callback
  - In the Scopes field, mark the email and profile attributes.
  - Click Save.
- Under App secrets, click Add secret, and in the window that opens:
  - Optionally, add a description for the new secret.
  - Click Create.
  The window will display the generated application secret. Save this value.
  Warning
  If you refresh or close the application information page, you will not be able to view the secret again.
  If you closed or refreshed the page before saving the secret, click Add secret to create a new one.
  To delete a secret, in the list of secrets on the OIDC app page, click the icon in the secret row and select Delete.
  Save the secret value for later to configure the openvpn-auth-oauth2 plugin.
- Under Identity provider (IdP) configuration, copy the ClientID field value for later to configure the plugin.
If you do not have the Yandex Cloud CLI yet, install and initialize it.
The folder used by default is the one specified when creating the CLI profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also specify a different folder for any command using --folder-name or --folder-id. If you access a resource by its name, the search will be limited to the default folder. If you access a resource by its ID, the search will be global, i.e., through all folders based on access permissions.
- Create an OAuth client:
  yc iam oauth-client create \
    --name openvpn-oauth-client \
    --scopes openid,email,profile \
    --redirect-uris "https://<domain_name>:9000/oauth2/callback"
  Where:
  - --name: OAuth client name.
  - --scopes: User attributes available to OpenVPN:
    - openid: User ID. Required attribute.
    - email: User email address.
    - profile: Additional user details.
  - --redirect-uris: Redirect URI after authentication.
  Result:
  id: ajeqqip130i1********
  name: openvpn-oauth-client
  folder_id: b1g500m2195v********
  status: ACTIVE
  Save the id field value; you will need it later to create the app.
- Create a secret for your OAuth client:
  yc iam oauth-client-secret create \
    --oauth-client-id <OAuth_client_ID>
  Result:
  oauth_client_secret:
    id: ajeq9jfrmc5t********
    oauth_client_id: ajeqqip130i1********
    masked_secret: yccs__939233b8ac****
    created_at: "2025-10-21T10:14:17.861652377Z"
    secret_value: yccs__939233b8ac********
  Save the secret_value; you will need it later to configure the openvpn-auth-oauth2 plugin.
- Create an OIDC app:
  yc organization-manager idp application oauth application create \
    --organization-id <organization_ID> \
    --name openvpn-oidc-app \
    --description "OIDC application for integration with OpenVPN Community Edition" \
    --client-id <OAuth_client_ID> \
    --authorized-scopes openid,email,profile
  Where:
  - --organization-id: Organization ID.
  - --name: OIDC app name.
  - --description: Application description. This is an optional setting.
  - --client-id: OAuth client ID you got in the previous step.
  - --authorized-scopes: Same attributes as when creating the OAuth client.
  Result:
  id: ek0o663g4rs2********
  name: openvpn-oidc-app
  organization_id: bpf2c65rqcl8********
  client_grant:
    client_id: ajeqqip130i1********
    authorized_scopes:
      - openid
      - email
      - profile
  status: ACTIVE
  created_at: "2025-10-21T10:51:28.790866Z"
Add users to the application
For the users of your organization to be able to authenticate to OpenVPN through the Yandex Identity Hub OIDC app, add the users and/or user groups to the app.
Note
Users and groups added to an OIDC application can be managed by a user with the organization-manager.oidcApplications.userAdmin role or higher.
- Log in to Yandex Identity Hub.
- In the left-hand panel, select Apps and select the new app.
- Navigate to the Users and groups tab.
- Click Add users.
- In the window that opens, select the required user or user group.
- Click Add.
If you do not have the Yandex Cloud CLI yet, install and initialize it.
The folder used by default is the one specified when creating the CLI profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also specify a different folder for any command using --folder-name or --folder-id. If you access a resource by its name, the search will be limited to the default folder. If you access a resource by its ID, the search will be global, i.e., through all folders based on access permissions.
- Get the user ID or user group ID.
- Add a user or group to the application:
  yc organization-manager idp application oauth application add-assignments \
    --id <app_ID> \
    --subject-id <user_or_group_ID>
  Where:
  - --id: OIDC app ID.
  - --subject-id: User or user group ID.
  Result:
  assignment_deltas:
    - action: ADD
      assignment:
        subject_id: ajetvnq2mil8********
Install and configure openvpn-auth-oauth2
Install the plugin
On the VM with OpenVPN, run the following commands:
curl -L https://raw.githubusercontent.com/jkroepke/openvpn-auth-oauth2/refs/heads/main/packaging/apt/openvpn-auth-oauth2.sources | sudo tee /etc/apt/sources.list.d/openvpn-auth-oauth2.sources
sudo apt update
sudo apt install openvpn-auth-oauth2
Prepare a TLS certificate
The openvpn-auth-oauth2 plugin requires a TLS certificate to protect the connection on port 9000.
Tip
The plugin developers recommend not terminating TLS in openvpn-auth-oauth2 itself. Use a separate reverse proxy server instead. You can implement this approach using Yandex Application Load Balancer.
- If you have a certificate in Yandex Certificate Manager, export it using the Yandex Cloud CLI:
  yc certificate-manager certificates content \
    --id <certificate_ID> \
    --chain tls.crt \
    --key tls.key
- Create a folder for the plugin files and move the certificate and key into it:
  sudo mkdir -p /etc/openvpn-auth-oauth2
  sudo mv tls.crt tls.key /etc/openvpn-auth-oauth2/
  sudo chown root:openvpn-auth-oauth2 /etc/openvpn-auth-oauth2/tls.key
  sudo chown root:openvpn-auth-oauth2 /etc/openvpn-auth-oauth2/tls.crt
Create a plugin configuration file
- Create a file named /etc/openvpn-auth-oauth2/config.yaml:
  sudo nano /etc/openvpn-auth-oauth2/config.yaml
- Add the following content to the file:
  http:
    listen: :9000
    baseurl: https://<domain_name>:9000
    tls: true
    key: /etc/openvpn-auth-oauth2/tls.key
    cert: /etc/openvpn-auth-oauth2/tls.crt
    secret: <any_16_character_long_string>
  openvpn:
    addr: unix:///run/openvpn/server.sock
    password: <management_interface_password>
  oauth2:
    issuer: https://auth.yandex.cloud
    client:
      id: <OAuth_client_ID>
      secret: <application_secret_value>
    endpoint:
      discovery: https://auth.yandex.cloud/.well-known/openid-configuration
    scopes:
      - openid
      - profile
      - email
  Where:
  - http.baseurl: Plugin's public URL in https://<domain_name>:9000 format.
  - http.secret: Any string of at least 16 characters for protection of sessions.
  - openvpn.password: Password for connecting the plugin to the OpenVPN management interface. Save this value; it must match the contents of the file named /etc/openvpn/password.txt.
  - oauth2.client.id: OAuth client ID you got when creating the OIDC app.
  - oauth2.client.secret: Application secret value saved when creating the OIDC app.
  For more on setup, see this openvpn-auth-oauth2 guide.
Configure the OpenVPN management interface
- Create a file with the management interface password:
  echo '<management_interface_password>' | sudo tee /etc/openvpn/password.txt
  sudo chmod 600 /etc/openvpn/password.txt
  Warning
  The password value in the /etc/openvpn/password.txt file must match the value of the openvpn.password parameter in the /etc/openvpn-auth-oauth2/config.yaml file.
- Open the /etc/openvpn/server.conf file and add the following lines to the end:
  management /run/openvpn/server.sock unix /etc/openvpn/password.txt
  management-hold
  management-client-auth
- Restart OpenVPN:
  sudo systemctl restart openvpn@server
  sudo systemctl status openvpn@server
- Open port 9000 in the firewall:
  sudo ufw allow 9000/tcp
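A mismatch between openvpn.password and /etc/openvpn/password.txt, or a Redirect URI that differs from the one registered in Identity Hub, are the two settings most often found wrong when the plugin fails to start or the browser login ends in an error. The script below is an added preflight check, not part of the page or of the openvpn-auth-oauth2 project: it reads config.yaml with a small awk reader that understands only the two-level layout shown on this page, then verifies that openvpn.password equals the password file, that http.secret has the 16 characters the page requires, that http.baseurl is an https URL, and that <baseurl>/oauth2/callback equals the Redirect URI you registered. The configuration written by preflight_demo is constructed with placeholder values.

```shell
#!/bin/sh
# Added preflight check (not from the page or the openvpn-auth-oauth2 project): make sure
# the plugin configuration agrees with the OpenVPN management-interface password file and
# with the Redirect URI registered in Yandex Identity Hub before starting the service.

# yaml_get FILE SECTION KEY: print the scalar stored under KEY directly below the top-level
# SECTION. Understands only the flat two-level layout of the config.yaml shown on this page.
yaml_get() {
  awk -v sec="$2" -v key="$3" '
    BEGIN { k = key ":" }
    /^[^[:space:]#]/ { cur = $1; sub(/:$/, "", cur); next }        # new top-level section
    cur == sec && $1 == k { $1 = ""; sub(/^[[:space:]]+/, ""); print; exit }
  ' "$1"
}

# check_plugin_config CONFIG PASSWORD_FILE REGISTERED_REDIRECT_URI
# Returns 0 when every check passes, 1 otherwise; each failure is reported on stderr.
check_plugin_config() {
  cfg="$1"; pwfile="$2"; registered="$3"; rc=0

  # 1. openvpn.password must equal the first line of the management password file
  yaml_pw=$(yaml_get "$cfg" openvpn password)
  file_pw=$(head -n 1 "$pwfile" 2>/dev/null || true)
  if [ -z "$yaml_pw" ] || [ "$yaml_pw" != "$file_pw" ]; then
    echo "openvpn.password does not match $pwfile" >&2; rc=1
  fi

  # 2. http.secret protects sessions; the page requires at least 16 characters
  secret=$(yaml_get "$cfg" http secret)
  if [ "${#secret}" -lt 16 ]; then
    echo "http.secret must be at least 16 characters" >&2; rc=1
  fi

  # 3. the callback the plugin presents must be the one registered in Identity Hub
  baseurl=$(yaml_get "$cfg" http baseurl)
  case "$baseurl" in
    https://*) ;;
    *) echo "http.baseurl must be an https URL" >&2; rc=1 ;;
  esac
  if [ "${baseurl%/}/oauth2/callback" != "$registered" ]; then
    echo "redirect URI mismatch: plugin uses ${baseurl%/}/oauth2/callback, IdP has $registered" >&2; rc=1
  fi
  return $rc
}

# preflight_demo: run the check against a constructed config in a temporary directory.
# Every value below is a placeholder written for this demo, not a real secret.
preflight_demo() {
  d=$(mktemp -d)
  cat > "$d/config.yaml" <<'EOF'
http:
  listen: :9000
  baseurl: https://vpn.example.com:9000
  tls: true
  secret: constructed-session-secret-1234
openvpn:
  addr: unix:///run/openvpn/server.sock
  password: constructed-mgmt-password
oauth2:
  issuer: https://auth.yandex.cloud
  client:
    id: constructed-client-id
    secret: constructed-app-secret
  scopes:
    - openid
    - profile
    - email
EOF
  echo 'constructed-mgmt-password' > "$d/password.txt"
  if check_plugin_config "$d/config.yaml" "$d/password.txt" \
       https://vpn.example.com:9000/oauth2/callback; then rc=0; else rc=1; fi
  rm -rf "$d"
  return $rc
}

# On the server itself (replace the URI with the one you registered in Identity Hub):
#   check_plugin_config /etc/openvpn-auth-oauth2/config.yaml /etc/openvpn/password.txt \
#     https://<domain_name>:9000/oauth2/callback && echo "plugin config is consistent"
```

Run it as root so both files are readable, and run it again after any edit to config.yaml or the password file; the plugin only reports the password mismatch at connection time, when the OpenVPN management interface rejects its login.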
Run the plugin as a system service
- Create a systemd unit file:
  sudo nano /etc/systemd/system/openvpn-auth-oauth2.service
  Add the following content to the file:
  [Unit]
  Description=openvpn-auth-oauth2
  Requires=openvpn@server.service
  After=openvpn@server.service

  [Service]
  ExecStart=openvpn-auth-oauth2 --config /etc/openvpn-auth-oauth2/config.yaml
  Restart=on-failure
  User=root

  [Install]
  WantedBy=multi-user.target
- Reload the systemd configuration, then enable and start the service:
  sudo systemctl daemon-reload
  sudo systemctl enable openvpn-auth-oauth2.service
  sudo systemctl start openvpn-auth-oauth2.service
  sudo systemctl status openvpn-auth-oauth2.service
Test the integration
- Install the OpenVPN client on the client device.
- Import the client1.ovpn configuration file into the OpenVPN client.
- Initiate a connection to the VPN server. The OpenVPN client will open your browser and redirect you to the Yandex Cloud authentication page.
- Enter the credentials of the user added to the OIDC app.
- After successful authentication, the VPN connection will be established.
- Check your connection to the VPN server:
  ping 10.8.0.1
  The expected result is a successful ping with zero packet loss.
How to delete the resources you created
To stop paying for the resources you created: