094 | OpenVPN + Keycloak: Modern Authentication

Published on August 27, 2025

The Problem with Certificates at Scale

In previous articles, we discussed that OpenVPN uses certificates for authentication. This method is reliable but has significant drawbacks:

  • Inconvenience for users: Each user must manually receive and install their own certificate.
  • Complex management: When an employee leaves, their certificate must be revoked, which requires extra steps.
  • Lack of centralization: Each service that requires access has its own authorization system.

The solution to this problem is using a centralized identity provider such as Keycloak.

The Role of Keycloak: A Single Point of Entry

Keycloak is an open-source identity and access management system (Identity Provider, IdP). Its main purpose is to serve as a “single point of entry” (Single Sign-On, SSO) for all your services.

When integrated with OpenVPN, Keycloak takes over all tasks related to authentication:

  • Storing the user database and passwords.
  • Supporting two-factor authentication (2FA).
  • Allowing login via social networks or other IdPs.

How Does It Work Conceptually?

Instead of authenticating users via certificates, OpenVPN redirects the request to the Keycloak server.

  1. Connection attempt: The OpenVPN client tries to establish a connection.
  2. Authentication request: The OpenVPN server sends a request to the Keycloak server, which acts as its “trusted authority.”
  3. Browser-based login: The user’s browser opens the Keycloak login page. The user enters their username and password.
  4. Verification and token: Keycloak verifies the credentials and, if successful, issues a special token to the OpenVPN server.
  5. Connection established: The OpenVPN server validates the token, confirms the user’s authenticity, and grants access.

This way, authentication becomes simple and familiar for the user. They no longer need to worry about certificates, while the administrator gains centralized control over all accounts.
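Step 5 above is where the security of the whole scheme is decided: the OpenVPN server must treat the token as untrusted input and check who signed it, who it was issued for, and whether it is still valid before granting access. The following is an added example, not code from the article or from OpenVPN or Keycloak, of the checks such a validation hook (for instance a script invoked through OpenVPN's auth-user-pass-verify directive, or a plugin) should perform. It assumes a hypothetical realm URL and client ID, and it signs the demo token with an HMAC key so that it runs with the Python standard library alone; a real Keycloak realm signs tokens with RS256, so a production verifier would instead load the realm's public signing key and pin that algorithm.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Constructed key standing in for the realm's signing key. Keycloak signs
# with RS256 by default; HMAC is used here only so the example is stdlib-only.
DEMO_KEY = b"constructed-demo-key-not-for-production"

# Hypothetical values: the realm issuer URL and the client ID registered for the VPN.
EXPECTED_ISSUER = "https://keycloak.example.internal/realms/vpn"
EXPECTED_AUDIENCE = "openvpn"
EXPECTED_ALG = "HS256"   # pinned; a real deployment would pin "RS256"


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_demo_token(subject: str, lifetime: int = 300,
                     now: Optional[int] = None, **overrides) -> str:
    """Mint a token the way the IdP would, so the verifier can be exercised offline.
    Keyword overrides let the tests build deliberately bad tokens."""
    now = int(time.time()) if now is None else now
    header = {"alg": EXPECTED_ALG, "typ": "JWT"}
    claims = {"iss": EXPECTED_ISSUER, "aud": EXPECTED_AUDIENCE, "sub": subject,
              "iat": now, "nbf": now, "exp": now + lifetime}
    claims.update(overrides)
    signing_input = (_b64url_encode(json.dumps(header).encode()) + "."
                     + _b64url_encode(json.dumps(claims).encode()))
    sig = hmac.new(DEMO_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_token(token: str, now: Optional[int] = None) -> dict:
    """Return the claims if the token is acceptable for VPN login, else raise ValueError."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, claims_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: the header must never choose it (rejects alg=none and key confusion).
    if header.get("alg") != EXPECTED_ALG:
        raise ValueError("unexpected alg")
    expected_sig = hmac.new(DEMO_KEY, (header_b64 + "." + claims_b64).encode(),
                            hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(claims_b64))
    # Only tokens minted by our realm, for our VPN client, are acceptable.
    if claims.get("iss") != EXPECTED_ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if EXPECTED_AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    # Lifetime checks: a leaked token must stop working when the IdP says so.
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        raise ValueError("expired")
    if "nbf" in claims and now < claims["nbf"]:
        raise ValueError("not yet valid")
    if not claims.get("sub"):
        raise ValueError("no subject")
    return claims


def decide(token: str, now: Optional[int] = None) -> Tuple[bool, str]:
    """Hook-style decision: (True, username) to admit, (False, reason) to refuse."""
    try:
        return True, verify_token(token, now)["sub"]
    except ValueError as exc:
        return False, str(exc)


if __name__ == "__main__":
    t = int(time.time())
    print(decide(issue_demo_token("alice", now=t), now=t + 10))
    print(decide(issue_demo_token("alice", now=t, aud="other-client"), now=t + 10))
```

The order of the checks is deliberate: the algorithm is pinned and the signature verified before any claim is read, so a forged or unsigned token is rejected without its contents ever influencing the decision. The refusal reasons are meant for the server log, where a burst of "wrong issuer" or "bad signature" results is a useful detection signal.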

Advantages of OpenVPN and Keycloak Integration

  • Convenience: Users log in with their familiar username and password.
  • Security: You can enforce two-factor authentication for VPN login.
  • Scalability: Users can be added and removed in one place — on the Keycloak server.
  • Automation: Access management can be automated, for example, via API.

Conclusion

OpenVPN, originally built around certificate infrastructure, demonstrates remarkable flexibility. Its ability to integrate with modern identity providers such as Keycloak allows it to remain relevant and aligned with corporate security requirements. This combination merges the reliability and flexibility of the protocol with the convenience and security of centralized user management.
