febryandana

Posted on • Originally published at febryandana.xyz

OpenVPN with FreeRADIUS User Auth

Overview

OpenVPN can use a RADIUS server as the authentication source for its users: the client still presents a certificate, and the username and password it sends are checked against RADIUS. In this article we integrate OpenVPN with FreeRADIUS and put daloRADIUS in front of FreeRADIUS as a web dashboard, so that administrators can manage OpenVPN users, NAS entries and accounting records in one place.

1. FreeRADIUS & DaloRADIUS Configuration

FreeRADIUS

1) Install Web Server

```bash
sudo -i
apt update && apt -y upgrade
apt -y install apache2
apt -y install php libapache2-mod-php php-{gd,common,mail,mail-mime,mysql,pear,db,mbstring,xml,curl}
php -v
```

2) Install DB server

```bash
apt -y install mariadb-server
mysql_secure_installation
```

`mysql_secure_installation` sets the root password, removes the anonymous accounts and the test database and disables remote root login; answer yes to all of it, the RADIUS database only needs to be reachable from this host.

3) Create RADIUS database

```bash
mysql -u root -p

MariaDB [(none)]> CREATE DATABASE radius;
MariaDB [(none)]> GRANT ALL ON radius.* TO radius@localhost IDENTIFIED BY "StrongPassword";
MariaDB [(none)]> FLUSH PRIVILEGES;
MariaDB [(none)]> QUIT
```

Replace `StrongPassword` with a unique, generated value; the same string has to go into the FreeRADIUS sql module and into daloradius.conf.php below.

4) Install & Configure FreeRADIUS

```bash
apt -y install freeradius freeradius-mysql freeradius-utils
```

Import freeRADIUS sql database

```bash
mysql -u root -p radius < /etc/freeradius/3.0/mods-config/sql/main/mysql/schema.sql
mysql -u root -p -e "use radius; show tables;"
```

Create softlink to enable sql mod

```bash
ln -s /etc/freeradius/3.0/mods-available/sql /etc/freeradius/3.0/mods-enabled/
```

Configure sql module

Two edits are needed in the module file: comment out the `tls { ... }` block inside the `mysql { ... }` subsection (its sample certificate paths make the driver attempt a TLS connection to a server that is not set up for it), and set the driver, connection and client-table options. `read_clients` and `client_table` are options of the `sql { ... }` block itself and belong inside it:

```bash
nano /etc/freeradius/3.0/mods-enabled/sql

---
sql {
    driver = "rlm_sql_mysql"
    dialect = "mysql"

    # Connection info:
    server = "localhost"
    port = 3306
    login = "radius"
    password = "StrongPassword"

    # Database table configuration for everything except Oracle
    radius_db = "radius"

    # Set to 'yes' to read radius clients from the database ('nas' table)
    # Clients will ONLY be read on server startup.
    read_clients = yes

    # Table to keep radius client info
    client_table = "nas"
}
---
```

With `read_clients = yes`, a NAS added through daloRADIUS is only picked up after FreeRADIUS restarts.

Change Group

```bash
chgrp -h freerad /etc/freeradius/3.0/mods-available/sql
chown -R freerad:freerad /etc/freeradius/3.0/mods-enabled/sql
```

Restart freeradius service

```bash
systemctl restart freeradius.service
```

DaloRADIUS

1) Install daloRadius

This fetches whatever is on the daloRADIUS master branch at that moment. For anything beyond a lab, download a tagged release instead so the deployment is reproducible; the file paths used in this article are those of the 1.x releases.

```bash
apt -y install wget unzip
wget https://github.com/lirantal/daloradius/archive/master.zip
unzip master.zip
mv daloradius-master daloradius
cd daloradius
```

2) Configure daloRadius

Import daloRadius tables

```bash
mysql -u root -p radius < contrib/db/fr2-mysql-daloradius-and-freeradius.sql
mysql -u root -p radius < contrib/db/mysql-daloradius.sql
```

The first file is the FreeRADIUS 2 era schema bundled with the daloRADIUS tables; the second adds the daloRADIUS tables only. If the `radacct` table ends up in the older layout after this step, see Known Issues (1).

Move daloRadius folder to Web Server


```bash
cd ..
mv daloradius /var/www/html/
mv /var/www/html/daloradius/library/daloradius.conf.php.sample /var/www/html/daloradius/library/daloradius.conf.php
chown -R www-data:www-data /var/www/html/daloradius/
chmod 640 /var/www/html/daloradius/library/daloradius.conf.php
```

daloradius.conf.php will hold the database password, so 640 with owner and group www-data is enough for Apache to read it; 664 would leave it world-readable.

Configure daloRadius connection


```bash
nano /var/www/html/daloradius/library/daloradius.conf.php

---
$configValues['CONFIG_DB_HOST'] = 'localhost';
$configValues['CONFIG_DB_PORT'] = '3306';
$configValues['CONFIG_DB_USER'] = 'radius';
$configValues['CONFIG_DB_PASS'] = 'StrongPassword';
$configValues['CONFIG_DB_NAME'] = 'radius';
---

touch /tmp/daloradius.log
```

Restart services


```bash
systemctl restart freeradius.service apache2.service
```

3) Verify daloRadius

Access via http://IP_ADDRESS/daloradius/login.php

Default user and password:

```
User = administrator
Password = radius
```

Change this password at the first login, and do not leave the dashboard on plain HTTP outside a lab: it holds every VPN user's credentials (stored in clear when the Cleartext-Password type is used) and the NAS secrets. Put it behind HTTPS and restrict access to administrative networks.

(screenshot: daloRADIUS login page)

(screenshot: daloRADIUS homepage)

(screenshot: radtest)

2. OpenVPN Installation

OpenVPN

We install OpenVPN the easy way, with an automation shell script (the git.io/vpn short link resolves to Nyr's openvpn-install script). It runs as root, so read it before executing it; GitHub has deprecated git.io short links, so fetch the script from the Nyr/openvpn-install repository on GitHub if the link stops resolving.

```bash
apt install -y openvpn openvpn-auth-radius freeradius-utils
wget https://git.io/vpn -O openvpn-install.sh
bash openvpn-install.sh

---
Public IPv4 address / hostname [a.b.c.d]: IP_Server_OpenVPN
---
```

Answer the remaining prompts (protocol, port, DNS, first client name) as you like. The script creates the CA, the server certificate, the tls-crypt key and a first client .ovpn, and writes /etc/openvpn/server/server.conf, which we edit below.

OpenVPN RADIUS Plugin

To connect OpenVPN with FreeRADIUS we use an external plugin named radiusplugin, packaged on Debian/Ubuntu as openvpn-auth-radius (already pulled in by the install line above; repeating the install is harmless):

```bash
apt update
apt install openvpn-auth-radius
```

The package installs the plugin at /usr/lib/openvpn/radiusplugin.so. It forwards the username and password the client supplies with `auth-user-pass` to the RADIUS server as a PAP-style Access-Request (User-Password attribute) and sends Accounting-Start/Stop records for each session, which is why the password has to be stored in FreeRADIUS in a form the pap module can verify (see Known Issues, 4).

3. Integrate OpenVPN with FreeRADIUS

FreeRadius Side

1) Create a NAS (Network Access Server) entry for the OpenVPN server

FreeRADIUS only answers requests from clients it knows, and the NAS secret is all that protects the User-Password attribute on the wire (RADIUS hides it with MD5 over the secret and the request authenticator, so a short secret such as `fb-ovpn` can be brute-forced offline from one captured request/response pair). Use a long random secret, and register the OpenVPN server's host address rather than its whole subnet, so that no other machine on 192.168.1.0/24 can use that secret.

  • Via DaloRadius:

    • NAS IP/Host = 192.168.1.12   (IP address of the OpenVPN server; no /24 suffix)
    • NAS Secret = fb-ovpn         (replace with a long random secret)
    • NAS Type = other
    • NAS Shortname = fb-ovpn
  • Via clients.conf:

```bash
nano /etc/freeradius/3.0/clients.conf

---
client fb-ovpn {
    ipaddr    = 192.168.1.12   # IP address of the OpenVPN server (single host)
    secret    = fb-ovpn        # replace with a long random secret
    shortname = fb-ovpn
    nastype   = other
}
---
```

Clients from the `nas` table are only read when FreeRADIUS starts, so restart the service every time you add a NAS:

```bash
systemctl restart freeradius.service
```

OpenVPN Server Side

1) Create the cnf file that points the plugin at FreeRADIUS

```bash
nano /etc/openvpn/radiusplugin.cnf

---
NAS-Identifier=openvpn
Service-Type=5
Framed-Protocol=1
NAS-Port-Type=5
NAS-IP-Address=192.168.1.12
OpenVPNConfig=/etc/openvpn/server/server.conf
overwriteccfiles=true
server
{
    acctport=1813
    authport=1812
    name=192.168.1.11
    retry=1
    wait=1
    sharedsecret=fb-ovpn
}
---
```

`name` is the FreeRADIUS server, `NAS-IP-Address` must be the address you registered as the NAS, and `sharedsecret` must be byte-for-byte the NAS secret; with a mismatch FreeRADIUS decodes garbage as the password and logs "Unprintable characters in the password. Double-check the shared secret on the server and the NAS!". Service-Type 5, Framed-Protocol 1 and NAS-Port-Type 5 are the RFC 2865 values for Outbound, PPP and Virtual. `overwriteccfiles=true` lets the plugin write RADIUS reply attributes such as Framed-IP-Address into OpenVPN client-config files when server.conf defines a client-config-dir. The file contains the secret, so keep it readable by root only (`chmod 600`).

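As an added example (not code from the article, nor from the FreeRADIUS or radiusplugin projects), the script below generates the NAS entry and the radiusplugin.cnf from a single random secret, refuses NAS addresses that are not a single host, and cross-checks the secrets written to both files. The addresses 192.168.1.11/192.168.1.12 and the name fb-ovpn are the article's lab placeholders; the output file names and the `--write` flag are this script's own conventions.

```shell
#!/usr/bin/env bash
# Added example (not from the article): derive the FreeRADIUS client stanza and
# the radiusplugin.cnf from ONE generated secret, so the two sides cannot drift,
# and refuse NAS addresses that are not a single host.
# Assumed lab values: RADIUS server 192.168.1.11, OpenVPN server 192.168.1.12,
# NAS shortname fb-ovpn (the article's placeholders).

# 32 random bytes from the kernel CSPRNG, hex-encoded: 64 printable characters.
gen_secret() {
    head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# True only for a bare dotted-quad with octets 0-255. A CIDR such as
# 192.168.1.12/24 would register the whole subnet as a trusted NAS.
is_host_ip() {
    case "$1" in */*|*[!0-9.]*|'') return 1 ;; esac
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    (
        IFS=.
        set -- $1
        for o in "$@"; do [ "$o" -le 255 ] || exit 1; done
    )
}

# FreeRADIUS client definition to append to /etc/freeradius/3.0/clients.conf.
nas_stanza() {  # shortname ip secret
    is_host_ip "$2" || { echo "refusing NAS $1: '$2' is not a single host address" >&2; return 1; }
    cat <<EOF
client $1 {
    ipaddr    = $2/32
    secret    = $3
    shortname = $1
    nastype   = other
}
EOF
}

# radiusplugin.cnf for openvpn-auth-radius on the OpenVPN server.
plugin_cnf() {  # radius_ip nas_ip secret
    cat <<EOF
NAS-Identifier=openvpn
Service-Type=5
Framed-Protocol=1
NAS-Port-Type=5
NAS-IP-Address=$2
OpenVPNConfig=/etc/openvpn/server/server.conf
overwriteccfiles=true
server
{
    acctport=1813
    authport=1812
    name=$1
    retry=1
    wait=1
    sharedsecret=$3
}
EOF
}

# Cross-check two already written files: a pasted typo in either secret shows
# up on the RADIUS side only as "Unprintable characters in the password".
secrets_match() {  # clients_conf radiusplugin_cnf
    a=$(sed -n 's/^[[:space:]]*secret[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1)
    b=$(sed -n 's/^[[:space:]]*sharedsecret=//p' "$2" | head -n 1)
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Dry run by default. --write puts both files in $OUT (default: current dir)
# with mode 600; copy each to its host (the two servers are different machines).
OUT=${OUT:-.}
if [ "${1:-}" = "--write" ]; then
    SECRET=$(gen_secret)
    umask 077
    nas_stanza fb-ovpn 192.168.1.12 "$SECRET" > "$OUT/clients.fb-ovpn.conf"
    plugin_cnf 192.168.1.11 192.168.1.12 "$SECRET" > "$OUT/radiusplugin.cnf"
    echo "wrote $OUT/clients.fb-ovpn.conf (append to clients.conf on the RADIUS server)"
    echo "wrote $OUT/radiusplugin.cnf (copy to /etc/openvpn/ on the OpenVPN server)"
else
    SECRET=$(gen_secret)
    nas_stanza fb-ovpn 192.168.1.12 "$SECRET"
    plugin_cnf 192.168.1.11 192.168.1.12 "$SECRET"
fi
```

Run it without arguments to see what it would write; `OUT=/root/ovpn-radius bash gen-nas.sh --write` keeps the secret out of your terminal scrollback. After installing both files, restart FreeRADIUS (clients are read at startup) and verify with `radtest` from the OpenVPN server as in the next step.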
2) Test the connection to RADIUS from the OpenVPN server. Create a user in daloRADIUS first (Cleartext-Password type).

```bash
radtest {username} {password} {radius_hostname} 10 {radius_secret}

radtest febry febry 192.168.1.11 10 fb-ovpn
```

Run this on the OpenVPN server, not on the RADIUS host: the request then arrives from the NAS address you registered, so it exercises the client entry and the secret as well as the user record. A working setup answers `Received Access-Accept`; an `Access-Reject` points at the user entry or its password type (see Known Issues), and no answer at all means FreeRADIUS does not recognise the source address as a client (it silently drops such packets) or a firewall blocks UDP 1812.

3) Configure server.conf on the OpenVPN server so that OpenVPN authenticates users against FreeRADIUS

```bash
nano /etc/openvpn/server/server.conf

---
plugin /usr/lib/openvpn/radiusplugin.so /etc/openvpn/radiusplugin.cnf
verify-client-cert
key-direction 0
duplicate-cn
local 192.168.1.12
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
auth SHA512
tls-crypt tc.key
topology subnet
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
ifconfig-pool-persist ipp.txt
push "dhcp-option DNS 8.8.8.8"
keepalive 10 120
cipher AES-256-CBC
user nobody
group nogroup
persist-key
persist-tun
verb 3
crl-verify crl.pem
explicit-exit-notify
---
```

Notes on these settings: `verify-client-cert` with no argument means `require`, so a client needs both a certificate signed by the CA and an Access-Accept from RADIUS; do not set it to `none` unless password-only access is acceptable. `duplicate-cn` is what allows one shared client certificate to be used by all RADIUS users; that makes the password the only per-user factor and rules out revoking a single user's certificate, so prefer one certificate per user, and add `username-as-common-name` so that logs and client-config lookups use the RADIUS username instead of the certificate's CN. `key-direction 0` only applies to tls-auth and is ignored with tls-crypt. `cipher AES-256-CBC` is the pre-2.5 syntax; OpenVPN 2.5 and later negotiate AES-256-GCM through `data-ciphers`. The pushed DNS server 8.8.8.8 will see all name lookups of every VPN user; use a resolver you control if that matters.

4) Create the ovpn file for clients

```bash
nano /root/client.ovpn

---
key-direction 1
auth-user-pass
;user nobody
;group nogroup

client
dev tun
proto udp
remote 192.168.1.12 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
auth SHA512
cipher AES-256-CBC
ignore-unknown-option block-outside-dns
block-outside-dns
verb 3
<ca>
...
---
```

`auth-user-pass` makes the client prompt for the RADIUS username and password; everything from `<ca>` on is the inline key material from the .ovpn the install script generated and is elided here. `user nobody` / `group nogroup` are commented out because the names differ between operating systems (see Known Issues, 5).

4. Test connection to OpenVPN with RADIUS user

Conducted on node fb-ubuntu (192.168.2.11 - lab6)

```bash
openvpn --config client.ovpn
```

(screenshot: ovpn-radius test)

Conducted on personal computer

```bash
sudo openvpn --config client.ovpn
```

(screenshots: ovpn-radius pc cli, ovpn-radius pc gui 1, ovpn-radius pc gui 2)

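Once users log in through RADIUS, FreeRADIUS's auth log is the place to watch for password guessing against the VPN. The script below is an added example, not part of the article: it parses the `Login OK` / `Login incorrect` lines FreeRADIUS 3 writes to /var/log/freeradius/radius.log when `auth = yes` is set in the `log` section of radiusd.conf, counts rejects per account and flags source addresses (Calling-Station-Id, logged as `cli`) that were rejected for several different accounts. The log lines embedded in it are constructed for the example, and the function names are the script's own.

```shell
#!/usr/bin/env bash
# Added example (not from the article): pull rejected RADIUS logins out of
# FreeRADIUS's auth log and flag password spraying against the VPN.
# The sample lines are CONSTRUCTED for this example, in FreeRADIUS 3's
# "Login incorrect (...): [user/pass] (from client NAS port N cli IP)" shape.
# The "/pass" part only appears with auth_badpass = yes and the reason text
# varies, so the parser relies on neither; it also accepts "Invalid user".

sample_log() {
    cat <<'EOF'
Tue Mar  1 10:00:01 2022 : Auth: (0) Login OK: [febry] (from client fb-ovpn port 10 cli 192.168.2.11)
Tue Mar  1 10:00:05 2022 : Auth: (1) Login incorrect (pap: Cleartext password "wrong" does not match "known good" password): [febry/wrong] (from client fb-ovpn port 10 cli 192.168.2.11)
Tue Mar  1 10:00:09 2022 : Auth: (2) Invalid user (No Auth-Type found: rejecting the user via Post-Auth-Type = Reject): [admin/admin] (from client fb-ovpn port 10 cli 203.0.113.9)
Tue Mar  1 10:00:10 2022 : Auth: (3) Invalid user (No Auth-Type found: rejecting the user via Post-Auth-Type = Reject): [root/toor] (from client fb-ovpn port 10 cli 203.0.113.9)
Tue Mar  1 10:00:11 2022 : Auth: (4) Login incorrect (pap: Cleartext password "123456" does not match "known good" password): [febry/123456] (from client fb-ovpn port 10 cli 203.0.113.9)
Tue Mar  1 10:00:20 2022 : Auth: (5) Login OK: [febry] (from client fb-ovpn port 10 cli 192.168.2.11)
EOF
}

# One "user nas cli" line per rejected login.
rejects() {  # logfile
    awk '/ Auth: / && /Login incorrect|Invalid user/ {
        u = "?"; n = "?"; c = "?"
        if (match($0, /\[[^]]*\]/)) { u = substr($0, RSTART + 1, RLENGTH - 2); sub(/\/.*/, "", u) }
        if (match($0, /from client [^ )]+/)) n = substr($0, RSTART + 12, RLENGTH - 12)
        if (match($0, /cli [^ )]+/)) c = substr($0, RSTART + 4, RLENGTH - 4)
        print u, n, c
    }' "$1"
}

# Rejects per account, busiest first.
failed_by_user() { rejects "$1" | awk '{ print $1 }' | sort | uniq -c | sort -rn; }

# Number of rejected attempts for one account.
fail_count() { rejects "$1" | awk -v u="$2" '$1 == u { n++ } END { print n + 0 }'; }

# Sources rejected for at least <threshold> DISTINCT accounts: one address
# cycling through usernames is spraying, not a user mistyping a password.
spray_sources() {  # logfile threshold
    rejects "$1" | awk -v t="$2" '
        { k = $3 SUBSEP $1; if (!(k in seen)) { seen[k] = 1; users[$3]++ } }
        END { for (c in users) if (users[c] >= t) print c, users[c] }' | sort
}

# Default to the built-in sample when no readable log is given on the command line.
LOG=${1:-}
if [ -z "$LOG" ] || [ ! -r "$LOG" ]; then
    LOG=$(mktemp); sample_log > "$LOG"
fi
echo "== rejected logins per user =="; failed_by_user "$LOG"
echo "== sources rejected for 3 or more accounts =="; spray_sources "$LOG" 3
```

On the RADIUS host run it as `bash radius-rejects.sh /var/log/freeradius/radius.log`; the spray output is what you would feed into a block list or alert, while a single account with many rejects from its usual address is more likely a user with a stale saved password.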
Known Issues

1) Unknown column 'acctupdatetime' in 'field list'

DaloRadius, RADIUS log:

```
ERROR: (21) sql: ERROR: rlm_sql_mysql: ERROR 1054 (Unknown column 'acctupdatetime' in 'field list'): 42S22
```

Most likely cause: the `radacct` table has the FreeRADIUS 2 layout, which has no `acctupdatetime` column (the fr2-mysql-daloradius-and-freeradius.sql file imported in the daloRADIUS step carries that layout), while FreeRADIUS 3's accounting queries write it.

Solve: rebuild `radacct` with the FreeRADIUS 3 definition, which is the one below. `DROP TABLE` discards all accounting history, so only do this on a fresh install; on a live system add the missing columns with `ALTER TABLE` instead.

```sql
mysql -u root -p radius

DROP TABLE radacct;

CREATE TABLE radacct (
radacctid bigint(21) NOT NULL auto_increment,
acctsessionid varchar(64) NOT NULL default '',
acctuniqueid varchar(32) NOT NULL default '',
username varchar(64) NOT NULL default '',
groupname varchar(64) NOT NULL default '',
realm varchar(64) default '',
nasipaddress varchar(15) NOT NULL default '',
nasportid varchar(15) default NULL,
nasporttype varchar(32) default NULL,
acctstarttime datetime NULL default NULL,
acctupdatetime datetime NULL default NULL,
acctstoptime datetime NULL default NULL,
acctinterval int(12) default NULL,
acctsessiontime int(12) unsigned default NULL,
acctauthentic varchar(32) default NULL,
connectinfo_start varchar(50) default NULL,
connectinfo_stop varchar(50) default NULL,
acctinputoctets bigint(20) default NULL,
acctoutputoctets bigint(20) default NULL,
calledstationid varchar(50) NOT NULL default '',
callingstationid varchar(50) NOT NULL default '',
acctterminatecause varchar(32) NOT NULL default '',
servicetype varchar(32) default NULL,
framedprotocol varchar(32) default NULL,
framedipv6address varchar(32) default NULL,
framedipv6prefix varchar(32) default NULL,
framedinterfaceid varchar(32) default NULL,
delegatedipv6prefix varchar(32) default NULL,
framedipaddress varchar(15) NOT NULL default '',
PRIMARY KEY (radacctid),
UNIQUE KEY acctuniqueid (acctuniqueid),
KEY username (username),
KEY framedipaddress (framedipaddress),
KEY acctsessionid (acctsessionid),
KEY acctsessiontime (acctsessiontime),
KEY acctstarttime (acctstarttime),
KEY acctinterval (acctinterval),
KEY acctstoptime (acctstoptime),
KEY nasipaddress (nasipaddress)
) ENGINE = INNODB;
```

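Rather than discovering the mismatch from accounting errors, the added example below (not from the article) checks a schema file, or the output of `mysqldump --no-data radius radacct` saved to a file, for the `radacct` columns listed in the CREATE TABLE above. The abridged "old" dump embedded in it is constructed for the example and models a FreeRADIUS 2 era `radacct`; `table_columns` and `missing_columns` are the script's own names.

```shell
#!/usr/bin/env bash
# Added example (not from the article): check a MySQL dump or schema file for
# the radacct columns FreeRADIUS 3's accounting queries write, before or after
# importing it, instead of finding out from "Unknown column ... in 'field list'".
# The expected set is the CREATE TABLE above; the "old" dump below is
# CONSTRUCTED for this example and models a FreeRADIUS 2 era radacct.

FR3_RADACCT_COLS="radacctid acctsessionid acctuniqueid username groupname realm
nasipaddress nasportid nasporttype acctstarttime acctupdatetime acctstoptime
acctinterval acctsessiontime acctauthentic connectinfo_start connectinfo_stop
acctinputoctets acctoutputoctets calledstationid callingstationid
acctterminatecause servicetype framedprotocol framedipv6address framedipv6prefix
framedinterfaceid delegatedipv6prefix framedipaddress"

# Column names (lower-cased, backticks stripped) declared in "CREATE TABLE <t> ("
# with one column per line, as both schema.sql and mysqldump write them.
table_columns() {  # sqlfile table
    awk -v t="$2" '
        tolower($0) ~ "^[ \t]*create table (if not exists )?`?" t "`?[ \t]*\\(" { inside = 1; next }
        inside && /^[ \t]*\)/ { inside = 0 }
        inside {
            w = tolower($1); gsub(/`/, "", w)
            if (w != "primary" && w != "unique" && w != "key" && w != "index" && w != "constraint" && w != "")
                print w
        }' "$1"
}

# Required columns the dump does not declare for the table (empty output = OK).
missing_columns() {  # sqlfile table
    have=$(table_columns "$1" "$2")
    for c in $FR3_RADACCT_COLS; do
        printf '%s\n' "$have" | grep -qx "$c" || echo "$c"
    done
}

sample_old_dump() {
    cat <<'EOF'
CREATE TABLE `radacct` (
  `radacctid` bigint(21) NOT NULL auto_increment,
  `acctsessionid` varchar(64) NOT NULL default '',
  `acctuniqueid` varchar(32) NOT NULL default '',
  `username` varchar(64) NOT NULL default '',
  `groupname` varchar(64) NOT NULL default '',
  `realm` varchar(64) default '',
  `nasipaddress` varchar(15) NOT NULL default '',
  `nasportid` varchar(15) default NULL,
  `nasporttype` varchar(32) default NULL,
  `acctstarttime` datetime NULL default NULL,
  `acctstoptime` datetime NULL default NULL,
  `acctsessiontime` int(12) default NULL,
  `acctauthentic` varchar(32) default NULL,
  `connectinfo_start` varchar(50) default NULL,
  `connectinfo_stop` varchar(50) default NULL,
  `acctinputoctets` bigint(20) default NULL,
  `acctoutputoctets` bigint(20) default NULL,
  `calledstationid` varchar(50) NOT NULL default '',
  `callingstationid` varchar(50) NOT NULL default '',
  `acctterminatecause` varchar(32) NOT NULL default '',
  `servicetype` varchar(32) default NULL,
  `framedprotocol` varchar(32) default NULL,
  `framedipaddress` varchar(15) NOT NULL default '',
  PRIMARY KEY (`radacctid`),
  UNIQUE KEY `acctuniqueid` (`acctuniqueid`),
  KEY `username` (`username`)
) ENGINE=InnoDB;
EOF
}

# Check the file given on the command line, or the built-in sample.
FILE=${1:-}
if [ -z "$FILE" ] || [ ! -r "$FILE" ]; then FILE=$(mktemp); sample_old_dump > "$FILE"; fi
missing=$(missing_columns "$FILE" radacct)
if [ -n "$missing" ]; then
    echo "radacct in $FILE lacks:" $missing
else
    echo "radacct in $FILE has every column FreeRADIUS 3 writes"
fi
```

`bash check-radacct.sh /etc/freeradius/3.0/mods-config/sql/main/mysql/schema.sql` reports nothing missing; run it against a dump of the live database after the daloRADIUS imports, and anything it lists is a column the queries in mods-config/sql/main/mysql/queries.conf will fail on.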
2) Error reading log file: /tmp/daloradius.log

```
error reading log file: /tmp/daloradius.log
looked for log file in /tmp/daloradius.log but couldn't find it.
if you know where your daloradius log file is located, set it's location in your library/daloradius.conf file
```

Solve: create the log file, owned by the web server user:

```bash
touch /tmp/daloradius.log
chown www-data:www-data /tmp/daloradius.log
chmod 644 /tmp/daloradius.log
```

/tmp is only the sample configuration's default; a file under /var/log owned by www-data is a better home for a log, with its path set in daloradius.conf.php.

3) Error reading log file: /var/log/syslog

```
error reading log file: /var/log/syslog
possible cause is file permissions or file does not exist.
```

Solve: change the file permission:

```bash
chmod 644 /var/log/syslog
```

This makes every system log line readable by any local user, and logrotate will create the next syslog with the distribution default (640, owned by syslog:adm on Debian/Ubuntu), so the error returns after rotation. The tighter fix is to add the web server user to the adm group (`usermod -aG adm www-data`, then restart apache2), which lets daloRADIUS read the file without changing its mode. Either way, consider whether the web UI should be able to read the whole syslog at all.

4) RADIUS password storage types that work with the OpenVPN plugin

radiusplugin sends the password to FreeRADIUS as a PAP User-Password attribute, so the user's password must be stored in a form the pap module can verify. In FreeRADIUS 3, User-Password and CHAP-Password are request attributes, not password storage formats, which is why entries created with those types are rejected. Tested with users created in daloRADIUS:

  • [x] Cleartext-Password
  • [ ] User-Password (AUTH_FAILED)
  • [x] Crypt-Password
  • [x] MD5-Password
  • [ ] SHA1-Password (AUTH_FAILED)
  • [ ] CHAP-Password (AUTH_FAILED)

5) Some OSes don't have the nogroup group but do have nobody, and vice versa. To get around this:

  • Create a user nobody and a group nogroup.
  • Create a user nobody and a group nobody, then change `group nogroup` to `group nobody` in client.ovpn.
  • Comment out `user nobody` and `group nogroup` in client.ovpn (as the example above already does with `;`).


Top comments (1)

Oswaldo Carabano

Hello and thanks for the tutorial, I followed it but when I create the client.ovpn with ca, crt, key and tls-crypt it works the connection. OVPN server never goes to RADIUS server to check the auth? any help? thanks.