Authenticating OpenVPN Users with RADIUS via Active Directory

This recipe describes the procedure to setup OpenVPN on pfSense® software with user authentication handled via RADIUS on an Active Directory server.

Setup the Windows Server

  • Setup the Windows Server for an Active Directory role

  • Add users to the Windows Server (optionally in a common group for VPN users)

  • Setup the NPS role as described in Authenticating from Active Directory using RADIUS/NPS which allows the Windows Server to handle RADIUS requests

Add Authentication Server

  • Navigate to System > User Manager, Authentication Servers tab

  • Click fa-plus Add to create a new entry

  • Enter the following settings:

    Descriptive name

    Active Directory NPS



    Hostname or IP address – Replace this with the IP address of the Windows server

    Shared Secret

    The password added to the NAS entry in NPS

    Services offered


    Authentication port


  • Click Save

Setup OpenVPN Remote Access Server

The recipe OpenVPN Remote Access Configuration Example covers the OpenVPN server setup, so there is no need to duplicate the instructions here.

Choose the Active Directory NPS RADIUS authentication server entry during the wizard or configure it as the backend for authentication after completing the wizard.

Setup Clients

Use the OpenVPN Client Export Package to generate configuration files and/or installation packages for clients.

Clients are available for a wide variety of operating systems, see the installation guides at Installing OpenVPN Remote Access Clients.