OpenVPN with Active Directory integration

I prefer having OpenVPN auth against PAM (with LDAP, or Kerberos), since this is the most flexible solution. I've had the impression that the LDAP plugin provided by OpenVPN is a sorta dirty ad-hoc solution -- nothing compared to the LDAP or Kerberos plug-ins for PAM. I've had problems from time to time where proper user credentials were refused access; a retry solved that problem. My current (production) setup authenticates against PAM. The PAM stack has Kerberos (pam_krb5) on top for OpenVPN authentication. Daily use by nearly 100 users. You can do a lot of stuff with PAM (multiple authentication mechanisms, multiple sources, etc.).


With the open source version you can write your own authentication script using the 'auth-user-pass-verify' option.

I never put it into production, but I did hack together a working script that authenticates users against my directory.

Another option is the openvpn-auth-ldap plugin.
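An added example, not the answerer's script: a verifier for `auth-user-pass-verify <script> via-file` (which requires `script-security 2` in the server config). It rejects empty passwords and unexpected username characters before attempting an LDAPS simple bind, and fails closed on any error. The third-party `ldap3` package, the host name and the domain are assumptions to replace with your own.

```python
#!/usr/bin/env python3
"""Added example: verifier for OpenVPN's `auth-user-pass-verify <script> via-file`."""
import re
import ssl
import sys

LDAP_HOST = "dc1.example.test"   # placeholder domain controller (assumption)
UPN_SUFFIX = "example.test"      # placeholder AD domain (assumption)
# Conservative allow-list for sAMAccountName-style logins.
USERNAME_RE = re.compile(r"^[A-Za-z0-9._-]{1,64}$")


def read_credentials(path):
    """via-file: OpenVPN writes the username on line 1 and the password on line 2."""
    with open(path, encoding="utf-8") as fh:
        lines = fh.read().split("\n")
    if len(lines) < 2:
        return None
    return lines[0].rstrip("\r"), lines[1].rstrip("\r")


def ad_bind(username, password):
    """Simple bind over LDAPS as user@domain; needs the third-party ldap3 package."""
    import ldap3
    tls = ldap3.Tls(validate=ssl.CERT_REQUIRED)  # verify the DC's certificate
    server = ldap3.Server(LDAP_HOST, use_ssl=True, tls=tls)
    conn = ldap3.Connection(server, user=f"{username}@{UPN_SUFFIX}", password=password)
    try:
        return conn.bind()
    finally:
        conn.unbind()


def verify(path, bind=ad_bind):
    """Return 0 (accept) or 1 (reject), the exit codes OpenVPN expects."""
    try:
        creds = read_credentials(path)
        if creds is None:
            return 1
        username, password = creds
        # An empty password turns a simple bind into an unauthenticated bind,
        # which a directory may report as success: reject it before binding.
        if not password or not USERNAME_RE.match(username):
            return 1
        return 0 if bind(username, password) else 1
    except Exception:
        return 1  # fail closed on any error (I/O, network, missing library)


if __name__ == "__main__":
    sys.exit(verify(sys.argv[1]) if len(sys.argv) == 2 else 1)
```

The `bind` parameter exists so the decision logic can be tested without a directory; in production the default `ad_bind` is used.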


We require AD authentication for our OpenVPN installation (with group/OU integration) and found the easiest was using the RADIUS plugin with Windows Internet Authentication Services (i.e. win2003 RADIUS).

Not that the auth-ldap doesn't work well, just the RADIUS integration ended up being easier for us to get working (YMMV).

For what it's worth, discovered in hindsight: the commercial offering - openvpn-AS (or openvpn.net as you've referred to it) - works really well out of the box, for both RADIUS and LDAP authentication, and the license fee is really low - works with concurrent connections rather than named users (at $250 for 50 concurrent connections with smaller bundles available). Also, the user take-on is well put together and makes new user and migration of existing clients relatively painless.