This article proved to be a decent starting point, but I was particularly interested in allowing password-based logins to OpenVPN using a username/password backed by FreeIPA (opposed to client certificates) as the identity provider.
- IPA join your VPN machine:
- Get a kerberos ticket:
- Create a Kerberos service principle and HBAC rule for openvpn access:
ipa service-add openvpn/`hostname`
- Create new hbacrule in console, mark host as the VPN host, and whatever group you want to restrict access to: