In this post we will integrate them into a single setup that passes user authentication from OpenVPN to freeRadius. The advantage of this design is that it allows central user account administration in a mysql database for all incoming OpenVPN user logins.
A couple of my previous documents covered how to set up
Getting Started
Note that throughout the document, I will stick to Ubuntu 18.04.
Step 01 — Required Package Installation
# apt-get update
# apt-get install libgcrypt11-dev build-essential
Step 02 — Build the radius plugin that lets OpenVPN talk to freeRadius
Downloading and building
# wget http://www.nongnu.org/radiusplugin/radiusplugin_v2.1a_beta1.tar.gz
# tar xvf radiusplugin_v2.1a_beta1.tar.gz
# cd radiusplugin_v2.1a_beta1
# make
Copy the built plugin to the appropriate location
# mkdir /etc/openvpn/radius
# cp -r radiusplugin.so /etc/openvpn/radius
Step 03 — Configure the built plugin to work with the freeRadius server
# vim /etc/openvpn/radius/radius.cnf
NAS-Identifier=anyName
# The service type which is sent to the RADIUS server
Service-Type=5
# The framed protocol which is sent to the RADIUS server
Framed-Protocol=1
# The NAS port type which is sent to the RADIUS server
NAS-Port-Type=5
# The NAS IP address which is sent to the RADIUS server
NAS-IP-Address=172.17.0.56
# Path to the OpenVPN configfile. The plugin searches there for
# client-config-dir PATH (searches for the path)
# status FILE (searches for the file, version must be 1)
# client-cert-not-required (if the option is used or not)
# username-as-common-name (if the option is used or not)
# Path to our OpenVPN configuration file. Each OpenVPN configuration file needs its own radiusplugin configuration file as well
OpenVPNConfig=/etc/openvpn/server.conf
# Support for topology option in OpenVPN 2.1
# If you don't specify anything, option "net30" (default in OpenVPN) is used.
# You can only use one of the options at the same time.
# If you use topology option "subnet", fill in the right netmask, e.g. from OpenVPN option "--server NETWORK NETMASK"
subnet=255.255.255.0
# If you use topology option "p2p", fill in the right network, e.g. from OpenVPN option "--server NETWORK NETMASK"
# p2p=10.8.0.1
# Allows the plugin to overwrite the client config in client config file directory,
# default is true
overwriteccfiles=true
# Allows the plugin to use auth control files if OpenVPN (>= 2.1 rc8) provides them.
# default is false
# useauthcontrolfile=false
# Only the accounting functionality is used. If no user name is forwarded to the plugin, the common name of the certificate is used
# as the user name for radius accounting.
# default is false
# accountingonly=false
# If accounting is non-essential, nonfatalaccounting can be set to true.
# If set to true, all errors during the accounting procedure are ignored, which means:
# - radius accounting can fail silently
# - Framed-Route (if configured) may not be configured correctly
# - errors during vendor specific attributes script execution are ignored
# The benefit of setting it to true is better performance, because OpenVPN does not block during the accounting procedure.
# default is false
nonfatalaccounting=false
# Path to a script for vendor specific attributes.
# Leave it out if you don't use an own script.
# vsascript=/root/workspace/radiusplugin_v2.0.5_beta/vsascript.pl
# Path to the pipe for communication with the vsascript.
# Leave it out if you don't use an own script.
# vsanamedpipe=/tmp/vsapipe
# A radius server definition, there could be more than one.
# The priority of the server depends on the order in this file. The first one has the highest priority.
server
{
# The UDP port for radius accounting.
acctport=1813
# The UDP port for radius authentication.
authport=1812
# The name or ip address of the radius server.
name=172.17.0.55
# How many times should the plugin resend the request if there is no response?
retry=1
# How long should the plugin wait for a response?
wait=1
# The shared secret.
sharedsecret=mysecret
}
Step 04 — Template OpenVPN server configuration file
# vim /etc/openvpn/server.conf
port 443
proto tcp
dev tun
server 10.11.0.0 255.255.255.0
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key
dh /etc/openvpn/easy-rsa/keys/dh2048.pem
plugin /etc/openvpn/radius/radiusplugin.so /etc/openvpn/radius/radius.cnf
ifconfig-pool-persist ipp.txt
persist-key
persist-tun
keepalive 10 60
reneg-sec 0
comp-lzo
tun-mtu 1468
tun-mtu-extra 32
mssfix 1400
push "persist-key"
push "persist-tun"
push "redirect-gateway def1"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
status /etc/openvpn/443.log
verb 3
client-cert-not-required
Step 05 — Service start up
# systemctl start openvpn@server
Client Work-Station End
Step 06 — Required Package Installation
# apt-get update && apt-get install -y network-manager-openvpn
Step 07 — Launch `nm-connection-editor` and create a new VPN profile
# nm-connection-editor
Next, click the (+) sign and select “OpenVPN” from the drop-down menu.
Check my previous post on getting the required certificate. Also, once the new VPN profile is saved, launch it by clicking the configured profile name. Note that prior to VPN establishment, your credentials are passed to the OpenVPN server, which in turn redirects them to freeRadius. However, the actual credential verification is performed against the mysql database where we set up the user details.
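As an added illustration (not code from this post or from the radiusplugin project) of what travels between the OpenVPN server and freeRadius in the flow just described, the following builds and decodes a RADIUS Access-Request carrying the Step 03 attribute values (NAS-Identifier=anyName, Service-Type=5, Framed-Protocol=1, NAS-Port-Type=5, NAS-IP-Address=172.17.0.56). It also shows that User-Password is only obfuscated with MD5 keyed by sharedsecret (RFC 2865 section 5.2), which is why a strong secret and a trusted path between the two hosts matter; the user name and password are constructed sample values.

```python
import hashlib
import os
import struct

# RFC 2865 attribute type codes for the attributes radius.cnf configures.
ATTR = {"User-Name": 1, "User-Password": 2, "NAS-IP-Address": 4, "Service-Type": 6,
        "Framed-Protocol": 7, "NAS-Identifier": 32, "NAS-Port-Type": 61}

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each block with MD5(secret + previous
    ciphertext block), the first block being keyed by the Request Authenticator."""
    padded = password.ljust(max(16, (len(password) + 15) // 16 * 16), b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block
    return out

def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password; this is what the server does with the same shared secret."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")  # strip RFC padding (passwords must not contain NUL)

def avp(name: str, value) -> bytes:
    """One attribute-value pair: type, total length, value (integers as 32-bit big-endian)."""
    if isinstance(value, int):
        value = struct.pack("!I", value)
    return struct.pack("!BB", ATTR[name], 2 + len(value)) + value

def build_access_request(user, password, secret, identifier, authenticator=None):
    """Access-Request (code 1) with the attribute values from the radius.cnf in this post."""
    authenticator = authenticator or os.urandom(16)  # a real NAS draws a fresh one per request
    attrs = (avp("User-Name", user.encode())
             + avp("User-Password", hide_password(password.encode(), secret, authenticator))
             + avp("NAS-IP-Address", bytes([172, 17, 0, 56]))  # NAS-IP-Address=172.17.0.56
             + avp("Service-Type", 5) + avp("Framed-Protocol", 1) + avp("NAS-Port-Type", 5)
             + avp("NAS-Identifier", b"anyName"))
    header = struct.pack("!BBH", 1, identifier, 20 + len(attrs))
    return header + authenticator + attrs

def parse_attributes(packet: bytes) -> dict:
    """Walk the TLV list after the 20-byte header; returns {type_code: raw value}."""
    attrs, pos = {}, 20
    while pos < len(packet):
        length = packet[pos + 1]
        attrs[packet[pos]] = packet[pos + 2:pos + length]
        pos += length
    return attrs
```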
Hello,
Great tutorial! Thanks! 🙂
I’m unable to make this configuration work… I’m getting “Options error: Unrecognized option or missing or extra parameter(s) in /etc/openvpn-auth-radius.conf:1: NAS-Identifier=VPNServer”
Do you have any idea about what can be causing this error?