febryandana

Posted on Aug 6, 2022 • Originally published at febryandana.xyz

OpenVPN with FreeRADIUS User Auth

#vpn #authentication #freeradius #cloud

Overview

OpenVPN can utilize RADIUS services as a source of authentication for its user accounts. In this article we will try to integrate OpenVPN with FreeRADIUS and utilize DaloRADIUS for the FreeRADIUS GUI dashboard service. That way, administrators can easily manage OpenVPN users in one place.

1. FreeRADIUS & DaloRADIUS Configuration

FreeRADIUS

1) Install Web Server



sudo -i
apt update && apt -y upgrade
apt -y install apache2
apt -y install php libapache2-mod-php php-{gd,common,mail,mail-mime,mysql,pear,db,mbstring,xml,curl}
php -v

2) Install DB server



apt -y install mariadb-server
mysql_secure_installation

3) Create RADIUS database



mysql -u root -p

MariaDB [(none)]> CREATE DATABASE radius;
MariaDB [(none)]> GRANT ALL ON radius.* TO radius@localhost IDENTIFIED BY "StrongPassword";
MariaDB [(none)]> FLUSH PRIVILEGES;
MariaDB [(none)]> QUIT

4) Install & Configure FreeRADIUS



apt -y install freeradius freeradius-mysql freeradius-utils

Import freeRADIUS sql database



mysql -u root -p radius < /etc/freeradius/3.0/mods-config/sql/main/mysql/schema.sql
mysql -u root -p -e "use radius; show tables;"

Create softlink to enable sql mod



ln -s /etc/freeradius/3.0/mods-available/sql /etc/freeradius/3.0/mods-enabled/

Configure sql module

Comment SSL sections in mysql



nano /etc/freeradius/3.0/mods-enabled/sql

---
sql {
driver = "rlm_sql_mysql"
dialect = "mysql"

# Connection info:
server = "localhost"
port = 3306
login = "radius"
password = "StrongPassword"

# Database table configuration for everything except Oracle
radius_db = "radius"
}

# Set to ‘yes’ to read radius clients from the database (‘nas’ table)
# Clients will ONLY be read on server startup.
read_clients = yes

# Table to keep radius client info
client_table = "nas"
---

Change Group



chgrp -h freerad /etc/freeradius/3.0/mods-available/sql
chown -R freerad:freerad /etc/freeradius/3.0/mods-enabled/sql

Restart freeradius service



sudo systemctl restart freeradius.service

DaloRADIUS

1) Install daloRadius



apt -y install wget unzip
wget https://github.com/lirantal/daloradius/archive/master.zip
unzip master.zip
mv daloradius-master daloradius
cd daloradius

2) Configure daloRadius

Import daloRadius tables



mysql -u root -p radius < contrib/db/fr2-mysql-daloradius-and-freeradius.sql
mysql -u root -p radius < contrib/db/mysql-daloradius.sql

Move daloRadius folder to Web Server



cd ..
mv daloradius /var/www/html/
mv /var/www/html/daloradius/library/daloradius.conf.php.sample /var/www/html/daloradius/library/daloradius.conf.php
chown -R www-data:www-data /var/www/html/daloradius/
chmod 664 /var/www/html/daloradius/library/daloradius.conf.php

Configure daloRadius connection



nano /var/www/html/daloradius/library/daloradius.conf.php

---
$configValues['CONFIG_DB_HOST'] = 'localhost';
$configValues['CONFIG_DB_PORT'] = '3306';
$configValues['CONFIG_DB_USER'] = 'radius';
$configValues['CONFIG_DB_PASS'] = 'StrongPassword';
$configValues['CONFIG_DB_NAME'] = 'radius';
---

touch /tmp/daloradius.log

Restart services



systemctl restart freeradius.service apache2.service

3) Verify daloRadius

Access via http://IP_ADDRESS/daloradius/login.php



Default User & Password:
User = administrator
Password = radius

2. OpenVPN Installation

OpenVPN

We will install OpenVPN by easy way using automation shell script



apt install -y openvpn openvpn-auth-radius freeradius-utils
wget https://git.io/vpn -O openvpn-install.sh
bash openvpn-install.sh

---
Public IPv4 address / hostname [a.b.c.d]: IP_Server_OpenVPN
---

Change the settings whatever you like

OpenVPN RADIUS Plugin

To connect OpenVPN with FreeRADIUS, we need to use external plugin named radiusplugin



apt update
apt install openvpn-auth-radius

Binary file will be downloaded to /usr/lib/openvpn/radiusplugin.so

3. Integrate OpenVPN with FreeRADIUS

FreeRadius Side

1) Create NAS (Network Access Server) for OpenVPN server

Via DaloRadius:
- NAS IP/Host = 192.168.1.12/24 //IP ADDRESS OPENVPN SERVER
- NAS Secret = fb-ovpn
- NAS Type = other
- NA Shortname = fb-ovpn

Via clients.conf:

```bash

nano clients.conf

---
client fb-ovpn {
    ipaddr = 192.168.1.12 //IP ADDRESS OPENVPN SERVER
    netmask = 24
    secret = fb-ovpn
    shortname = fb-ovpn
    nastype = other
}
---


Restart freeradius service everytime you need to create new NAS

```bash


systemctl restart freeradius.service

OpenVPN Server Side

1) Create cnf file for connecting OpenVPN to FreeRADIUS



nano /etc/openvpn/radiusplugin.cnf

---
NAS-Identifier=openvpn
Service-Type=5
Framed-Protocol=1
NAS-Port-Type=5
NAS-IP-Address=192.168.1.12
OpenVPNConfig=/etc/openvpn/server/server.conf
overwriteccfiles=true
server
{
acctport=1813
authport=1812
name=192.168.1.11
        retry=1
        wait=1
        sharedsecret=fb-ovpn
}
---

2) Test connection to RADIUS via server OpenVPN. You need to create user first from DaloRADIUS



radtest {username} {password} {radius_hostname} 10 {radius_secret}

radtest febry febry 192.168.1.11 10 fb-ovpn

3) Configure file server.conf on OpenVPN server so that OpenVPN will use users from FreeRADIUS server



nano /etc/openvpn/server/server.conf

---
plugin /usr/lib/openvpn/radiusplugin.so /etc/openvpn/radiusplugin.cnf
verify-client-cert
key-direction 0
duplicate-cn
local 192.168.1.12
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
auth SHA512
tls-crypt tc.key
topology subnet
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
ifconfig-pool-persist ipp.txt
push "dhcp-option DNS 8.8.8.8"
keepalive 10 120
cipher AES-256-CBC
user nobody
group nogroup
persist-key
persist-tun
verb 3
crl-verify crl.pem
explicit-exit-notify
---

4) Create ovpn file for clients



nano /root/client.ovpn

---
key-direction 1
auth-user-pass
;user nobody
;group nogroup

client
dev tun
proto udp
remote 192.168.1.12 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
auth SHA512
cipher AES-256-CBC
ignore-unknown-option block-outside-dns
block-outside-dns
verb 3
<ca>
...
---

4. Test connection to OpenVPN with RADIUS user

Conducted on node fb-ubuntu (192.168.2.11 - lab6)



openvpn --config client.ovpn

Conducted on personal computer



sudo openvpn --config client.ovpn

Known Issues

1) Unknown column 'acctupdatetime' in 'field list'



DaloRadius, RADIUS log :
ERROR: (21) sql: ERROR: rlm_sql_mysql: ERROR 1054 (Unknown column 'acctupdatetime' in 'field list'): 42S22

Solve: Rebuild table radacct



mysql -u root -p radius

DROP TABLE radacct;

CREATE TABLE radacct (
radacctid bigint(21) NOT NULL auto_increment,
acctsessionid varchar(64) NOT NULL default '',
acctuniqueid varchar(32) NOT NULL default '',
username varchar(64) NOT NULL default '',
groupname varchar(64) NOT NULL default '',
realm varchar(64) default '',
nasipaddress varchar(15) NOT NULL default '',
nasportid varchar(15) default NULL,
nasporttype varchar(32) default NULL,
acctstarttime datetime NULL default NULL,
acctupdatetime datetime NULL default NULL,
acctstoptime datetime NULL default NULL,
acctinterval int(12) default NULL,
acctsessiontime int(12) unsigned default NULL,
acctauthentic varchar(32) default NULL,
connectinfo_start varchar(50) default NULL,
connectinfo_stop varchar(50) default NULL,
acctinputoctets bigint(20) default NULL,
acctoutputoctets bigint(20) default NULL,
calledstationid varchar(50) NOT NULL default '',
callingstationid varchar(50) NOT NULL default '',
acctterminatecause varchar(32) NOT NULL default '',
servicetype varchar(32) default NULL,
framedprotocol varchar(32) default NULL,
framedipv6address varchar(32) default NULL,
framedipv6prefix varchar(32) default NULL,
framedinterfaceid varchar(32) default NULL,
delegatedipv6prefix varchar(32) default NULL,
framedipaddress varchar(15) NOT NULL default '',
PRIMARY KEY (radacctid),
UNIQUE KEY acctuniqueid (acctuniqueid),
KEY username (username),
KEY framedipaddress (framedipaddress),
KEY acctsessionid (acctsessionid),
KEY acctsessiontime (acctsessiontime),
KEY acctstarttime (acctstarttime),
KEY acctinterval (acctinterval),
KEY acctstoptime (acctstoptime),
KEY nasipaddress (nasipaddress)
) ENGINE = INNODB;

2) Error reading log file: /tmp/daloradius.log



error reading log file: /tmp/daloradius.log
looked for log file in /tmp/daloradius.log but couldn't find it.
if you know where your daloradius log file is located, set it's location in your library/daloradius.conf file

Solve: Create new log file



touch /tmp/daloradius.log
chown www-data:www-data daloradius.log
chmod 644 /tmp/daloradius.log

3) Error reading log file: /var/log/syslog



error reading log file: /var/log/syslog
possible cause is file permissions or file does not exist.

Solve: Change file permission



chmod 644 /var/log/syslog

4) RADIUS user authentication's type that is compatible with OpenVPN

[x] cleartext-password
[ ] User-password (AUTH_FAILED)
[x] Crypt-password
[x] MD5-password
[ ] SHA1-password (AUTH_FAILED)
[ ] CHAP-password (AUTH_FAILED)

5) Some OS's dont have nogroup user & group but they use nobody, and vice versa. To solve issue with these groups, we can:

Create user nobody and group nogroup.
Cretae user nobody and group nobody. Then edit group nogroup to group nobody in client.ovpn file.
Comment out user nobody and group nogroup in client.ovpn file.

References

Top comments (1)

Oswaldo Carabano • Jan 17

Hello and thanks for the tutorial, I followed it but when I create the client.ovpn with ca, crt, key and tls-crypt it works the conection. OVPN server never goes to RADIUS server to check the auth? any help? thanks.

DEV Community