OpenVPN authentication with freeRADIUS

0
201

So this post we will be working on integrating them together making them a very useful infrastructure that facilitate user authentication from OpenVPN to freeRadius. The advantage of this design is that it allows central user account administration inside mysql database for any incoming OpenVPN user logins.

Couple of my last documents followed up on how to setup

Getting Started

Note that through out the document, I will stick to Ubuntu 18.04 OS version.

Step 01 — Required Package Installation

# apt-get update
# apt-get install libgcrypt11-dev build-essential

Step 02 — build radius plugin that helps to communicate from OpenVPN to freeRadius

Downloading and building

# wget http://www.nongnu.org/radiusplugin/radiusplugin_v2.1a_beta1.tar.gz
# tar xvf radiusplugin_v2.1a_beta1.tar.gz
# cd radiusplugin_v2.1a_beta1
# make

Copy the built plugin to appropriate location

# mkdir /etc/openvpn/radius
# cp -r radiusplugin.so /etc/openvpn/radius

Step 03 — Configure built Plugin to work with freeRadius server

# vim /etc/openvpn/radius/radius.cnf
NAS-Identifier=anyName
# The service type which is sent to the RADIUS server
Service-Type=5
# The framed protocol which is sent to the RADIUS server
Framed-Protocol=1
# The NAS port type which is sent to the RADIUS server
NAS-Port-Type=5
# The NAS IP address which is sent to the RADIUS server
NAS-IP-Address=172.17.0.56
# Path to the OpenVPN configfile. The plugin searches there for
# client-config-dir PATH   (searches for the path)
# status FILE     		   (searches for the file, version must be 1)
# client-cert-not-required (if the option is used or not)
# username-as-common-name  (if the option is used or not)
# Path to our OpenVPN configuration file. Each OpenVPN configuration file needs its own radiusplugin configuration file as well
OpenVPNConfig=/etc/openvpn/server.conf
# Support for topology option in OpenVPN 2.1
# If you don't specify anything, option "net30" (default in OpenVPN) is used. 
# You can only use one of the options at the same time.
# If you use topology option "subnet", fill in the right netmask, e.g. from OpenVPN option "--server NETWORK NETMASK"  
subnet=255.255.255.0
# If you use topology option "p2p", fill in the right network, e.g. from OpenVPN option "--server NETWORK NETMASK"
# p2p=10.8.0.1
# Allows the plugin to overwrite the client config in client config file directory,
# default is true
overwriteccfiles=true
# Allows the plugin to use auth control files if OpenVPN (>= 2.1 rc8) provides them.
# default is false
# useauthcontrolfile=false
# Only the accouting functionality is used, if no user name to forwarded to the plugin, the common name of certificate is used
# as user name for radius accounting.
# default is false
# accountingonly=false
# If the accounting is non essential, nonfatalaccounting can be set to true. 
# If set to true all errors during the accounting procedure are ignored, which can be
# - radius accounting can fail
# - FramedRouted (if configured) maybe not configured correctly
# - errors during vendor specific attributes script execution are ignored
# But if set to true the performance is increased because OpenVPN does not block during the accounting procedure.
# default is false
nonfatalaccounting=false
# Path to a script for vendor specific attributes.
# Leave it out if you don't use an own script.
# vsascript=/root/workspace/radiusplugin_v2.0.5_beta/vsascript.pl
# Path to the pipe for communication with the vsascript.
# Leave it out if you don't use an own script.
# vsanamedpipe=/tmp/vsapipe
# A radius server definition, there could be more than one.
# The priority of the server depends on the order in this file. The first one has the highest priority.
server
{
# The UDP port for radius accounting.
acctport=1813
# The UDP port for radius authentication.
authport=1812
# The name or ip address of the radius server.
name=172.17.0.55
# How many times should the plugin send the if there is no response?
retry=1
# How long should the plugin wait for a response?
wait=1
# The shared secret.
sharedsecret=mysecret
}

 

Step 04 — Template OpenVPN server configuration file

# vim /etc/openvpn/server.conf
port 443 
proto tcp 
dev tun 
server 10.11.0.0 255.255.255.0 
ca /etc/openvpn/easy-rsa/keys/ca.crt 
cert /etc/openvpn/easy-rsa/keys/server.crt 
key /etc/openvpn/easy-rsa/keys/server.key 
dh /etc/openvpn/easy-rsa/keys/dh2048.pem
plugin /etc/openvpn/radius/radiusplugin.so /etc/openvpn/radius/radius.cnf ifconfig-pool-persist ipp.txt persist-key 
persist-tun 
keepalive 10 60 
reneg-sec 0 
comp-lzo 
tun-mtu 1468 
tun-mtu-extra 32 
mssfix 1400 
push "persist-key" 
push "persist-tun" 
push "redirect-gateway def1" 
push "dhcp-option DNS 8.8.8.8" 
push "dhcp-option DNS 8.8.4.4" 
status /etc/openvpn/443.log 
verb 3
client-cert-not-required

 

Step 05 — Service start up

# systemctl start openvpn@server

Client Work-Station End

Step 06 — Required Package Installation

# apt-get update && apt-get install -y network-manager-openvpn

Step 07 — Launch `nm-connection-editor` & create new VPN profile

# nm-connection-editor

Next, Click (+) sign & Select “OpenVPN” from the drop-down menu


Check my previous post on getting required certificate. Also, once the new VPN profile is saved, start the launch by clicking the configured Profile name. Note that prior to VPN establishment, your credentials are being passed to OpenVPN server which in turn redirect them to freeRadius. However, actual process of credential verification is being performed at mysql database where we setup user details.

“I hope this has been informative”

LEAVE A REPLY

Please enter your comment!
Please enter your name here