DEV Community

febryandana

Posted on • Originally published at febryandana.xyz

OpenVPN with FreeRADIUS User Auth

Overview

OpenVPN can use a RADIUS server as the authentication source for its user accounts. In this article we integrate OpenVPN with FreeRADIUS and use daloRADIUS as the web dashboard for FreeRADIUS, so administrators can manage OpenVPN users in one place.

1. FreeRADIUS & DaloRADIUS Configuration

FreeRADIUS

1) Install Web Server

```bash
sudo -i
apt update && apt -y upgrade
apt -y install apache2
apt -y install php libapache2-mod-php php-{gd,common,mail,mail-mime,mysql,pear,db,mbstring,xml,curl}
php -v
```

2) Install DB server

```bash
apt -y install mariadb-server
mysql_secure_installation
```

3) Create RADIUS database

```bash
mysql -u root -p
```

```
MariaDB [(none)]> CREATE DATABASE radius;
MariaDB [(none)]> GRANT ALL ON radius.* TO radius@localhost IDENTIFIED BY "StrongPassword";
MariaDB [(none)]> FLUSH PRIVILEGES;
MariaDB [(none)]> QUIT
```

4) Install & Configure FreeRADIUS

```bash
apt -y install freeradius freeradius-mysql freeradius-utils
```

Import the FreeRADIUS SQL schema

```bash
mysql -u root -p radius < /etc/freeradius/3.0/mods-config/sql/main/mysql/schema.sql
mysql -u root -p -e "use radius; show tables;"
```

Create a symlink to enable the sql module

```bash
ln -s /etc/freeradius/3.0/mods-available/sql /etc/freeradius/3.0/mods-enabled/
```

Configure sql module

Comment out the `tls { ... }` subsection of the `mysql { ... }` block, then set the connection details. All of the settings below live inside the `sql { ... }` block:

```bash
nano /etc/freeradius/3.0/mods-enabled/sql

---
sql {
    driver = "rlm_sql_mysql"
    dialect = "mysql"

    # Connection info:
    server = "localhost"
    port = 3306
    login = "radius"
    password = "StrongPassword"

    # Database table configuration for everything except Oracle
    radius_db = "radius"

    # Set to 'yes' to read radius clients from the database ('nas' table)
    # Clients will ONLY be read on server startup.
    read_clients = yes

    # Table to keep radius client info
    client_table = "nas"
}
---
```

Set ownership so the freerad user can read the module

```bash
chgrp -h freerad /etc/freeradius/3.0/mods-available/sql
chown -R freerad:freerad /etc/freeradius/3.0/mods-enabled/sql
```

Restart freeradius service

```bash
sudo systemctl restart freeradius.service
```

DaloRADIUS

1) Install daloRadius

```bash
apt -y install wget unzip
wget https://github.com/lirantal/daloradius/archive/master.zip
unzip master.zip
mv daloradius-master daloradius
cd daloradius
```

2) Configure daloRadius

Import the daloRADIUS tables

```bash
mysql -u root -p radius < contrib/db/fr2-mysql-daloradius-and-freeradius.sql
mysql -u root -p radius < contrib/db/mysql-daloradius.sql
```

Move the daloRADIUS folder into the web root

```bash
cd ..
mv daloradius /var/www/html/
mv /var/www/html/daloradius/library/daloradius.conf.php.sample /var/www/html/daloradius/library/daloradius.conf.php
chown -R www-data:www-data /var/www/html/daloradius/
chmod 664 /var/www/html/daloradius/library/daloradius.conf.php
```

Configure daloRadius connection

```bash
nano /var/www/html/daloradius/library/daloradius.conf.php

---
$configValues['CONFIG_DB_HOST'] = 'localhost';
$configValues['CONFIG_DB_PORT'] = '3306';
$configValues['CONFIG_DB_USER'] = 'radius';
$configValues['CONFIG_DB_PASS'] = 'StrongPassword';
$configValues['CONFIG_DB_NAME'] = 'radius';
---

touch /tmp/daloradius.log
```

Restart services

```bash
systemctl restart freeradius.service apache2.service
```

3) Verify daloRadius

Open http://IP_ADDRESS/daloradius/login.php and log in with the default credentials (change them right after the first login):

```
User = administrator
Password = radius
```

[Screenshot: daloRADIUS login page]

[Screenshot: daloRADIUS homepage]

[Screenshot: radtest]

2. OpenVPN Installation

OpenVPN

We install OpenVPN the easy way, with an automated install script:

```bash
apt install -y openvpn openvpn-auth-radius freeradius-utils
wget https://git.io/vpn -O openvpn-install.sh
bash openvpn-install.sh

---
Public IPv4 address / hostname [a.b.c.d]: IP_Server_OpenVPN
---
```

Adjust the remaining prompts as you like.

OpenVPN RADIUS Plugin

To connect OpenVPN with FreeRADIUS we use an external plugin, radiusplugin, shipped in the openvpn-auth-radius package:

```bash
apt update
apt install openvpn-auth-radius
```

The package installs the plugin shared object at /usr/lib/openvpn/radiusplugin.so.

3. Integrate OpenVPN with FreeRADIUS

FreeRadius Side

1) Create a NAS (Network Access Server) entry for the OpenVPN server

  • Via daloRADIUS:

    • NAS IP/Host = 192.168.1.12/24 (IP address of the OpenVPN server)
    • NAS Secret = fb-ovpn
    • NAS Type = other
    • NAS Shortname = fb-ovpn
  • Via clients.conf (/etc/freeradius/3.0/clients.conf):

    ```bash
    nano clients.conf
    
    ---
    client fb-ovpn {
        ipaddr = 192.168.1.12   # IP address of the OpenVPN server
        netmask = 24
        secret = fb-ovpn
        shortname = fb-ovpn
        nastype = other
    }
    ---
    ```

Restart the freeradius service each time you add a NAS; clients are only read at startup:

```bash
systemctl restart freeradius.service
```

OpenVPN Server Side

1) Create the radiusplugin configuration file that points OpenVPN at FreeRADIUS

```bash
nano /etc/openvpn/radiusplugin.cnf

---
NAS-Identifier=openvpn
Service-Type=5
Framed-Protocol=1
NAS-Port-Type=5
NAS-IP-Address=192.168.1.12
OpenVPNConfig=/etc/openvpn/server/server.conf
overwriteccfiles=true
server
{
    acctport=1813
    authport=1812
    name=192.168.1.11
    retry=1
    wait=1
    sharedsecret=fb-ovpn
}
---
```

2) Test the connection to RADIUS from the OpenVPN server. Create the user in daloRADIUS first; a working setup answers with `Received Access-Accept`.

```bash
radtest {username} {password} {radius_hostname} 10 {radius_secret}

radtest febry febry 192.168.1.11 10 fb-ovpn
```

3) Configure server.conf on the OpenVPN server so that OpenVPN authenticates users against FreeRADIUS. The `plugin` line loads radiusplugin; `duplicate-cn` lets several clients connect with the same certificate, which leaves RADIUS as the per-user control.

```bash
nano /etc/openvpn/server/server.conf

---
plugin /usr/lib/openvpn/radiusplugin.so /etc/openvpn/radiusplugin.cnf
verify-client-cert
key-direction 0
duplicate-cn
local 192.168.1.12
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
auth SHA512
tls-crypt tc.key
topology subnet
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
ifconfig-pool-persist ipp.txt
push "dhcp-option DNS 8.8.8.8"
keepalive 10 120
cipher AES-256-CBC
user nobody
group nogroup
persist-key
persist-tun
verb 3
crl-verify crl.pem
explicit-exit-notify
---
```

4) Create the .ovpn profile for clients; `auth-user-pass` makes the client prompt for the RADIUS username and password

```bash
nano /root/client.ovpn

---
key-direction 1
auth-user-pass
;user nobody
;group nogroup

client
dev tun
proto udp
remote 192.168.1.12 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
auth SHA512
cipher AES-256-CBC
ignore-unknown-option block-outside-dns
block-outside-dns
verb 3
<ca>
...
---
```

4. Test connection to OpenVPN with a RADIUS user

Conducted on node fb-ubuntu (192.168.2.11 - lab6):

```bash
openvpn --config client.ovpn
```

[Screenshot: ovpn-radius test]

Conducted on a personal computer:

```bash
sudo openvpn --config client.ovpn
```

[Screenshot: ovpn-radius pc cli]

[Screenshot: ovpn-radius pc gui 1]

[Screenshot: ovpn-radius pc gui 2]

Known Issues

1) Unknown column 'acctupdatetime' in 'field list'

daloRADIUS RADIUS log:

```
ERROR: (21) sql: ERROR: rlm_sql_mysql: ERROR 1054 (Unknown column 'acctupdatetime' in 'field list'): 42S22 
```

Solve: rebuild the radacct table. Dropping it discards any accounting rows already collected; if you need to keep them, add the missing acctupdatetime column to the existing table instead.

```bash
mysql -u root -p radius
```

```sql
DROP TABLE radacct;

CREATE TABLE radacct (
radacctid bigint(21) NOT NULL auto_increment,
acctsessionid varchar(64) NOT NULL default '',
acctuniqueid varchar(32) NOT NULL default '',
username varchar(64) NOT NULL default '',
groupname varchar(64) NOT NULL default '',
realm varchar(64) default '',
nasipaddress varchar(15) NOT NULL default '',
nasportid varchar(15) default NULL,
nasporttype varchar(32) default NULL,
acctstarttime datetime NULL default NULL,
acctupdatetime datetime NULL default NULL,
acctstoptime datetime NULL default NULL,
acctinterval int(12) default NULL,
acctsessiontime int(12) unsigned default NULL,
acctauthentic varchar(32) default NULL,
connectinfo_start varchar(50) default NULL,
connectinfo_stop varchar(50) default NULL,
acctinputoctets bigint(20) default NULL,
acctoutputoctets bigint(20) default NULL,
calledstationid varchar(50) NOT NULL default '',
callingstationid varchar(50) NOT NULL default '',
acctterminatecause varchar(32) NOT NULL default '',
servicetype varchar(32) default NULL,
framedprotocol varchar(32) default NULL,
framedipv6address varchar(32) default NULL,
framedipv6prefix varchar(32) default NULL,
framedinterfaceid varchar(32) default NULL,
delegatedipv6prefix varchar(32) default NULL,
framedipaddress varchar(15) NOT NULL default '',
PRIMARY KEY (radacctid),
UNIQUE KEY acctuniqueid (acctuniqueid),
KEY username (username),
KEY framedipaddress (framedipaddress),
KEY acctsessionid (acctsessionid),
KEY acctsessiontime (acctsessiontime),
KEY acctstarttime (acctstarttime),
KEY acctinterval (acctinterval),
KEY acctstoptime (acctstoptime),
KEY nasipaddress (nasipaddress)
) ENGINE = INNODB;
```

2) Error reading log file: /tmp/daloradius.log

```
error reading log file: /tmp/daloradius.log
looked for log file in /tmp/daloradius.log but couldn't find it.
if you know where your daloradius log file is located, set it's location in your library/daloradius.conf file
```

Solve: create the log file and hand it to the web server user

```bash
touch /tmp/daloradius.log
chown www-data:www-data /tmp/daloradius.log
chmod 644 /tmp/daloradius.log
```

3) Error reading log file: /var/log/syslog

```
error reading log file: /var/log/syslog
possible cause is file permissions or file does not exist.
```

Solve: change the file permission. This makes syslog world-readable; giving www-data read access through the file's group (adm on Ubuntu) is the narrower option.

```bash
chmod 644 /var/log/syslog
```

4) RADIUS password attribute types compatible with the OpenVPN radiusplugin

radiusplugin authenticates with PAP (User-Password), so FreeRADIUS receives the password itself and can check it against a stored control attribute. Results in this lab:

  • [x] Cleartext-Password
  • [ ] User-Password (AUTH_FAILED)
  • [x] Crypt-Password
  • [x] MD5-Password
  • [ ] SHA1-Password (AUTH_FAILED)
  • [ ] CHAP-Password (AUTH_FAILED)
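As an added illustration (not code from the article, FreeRADIUS, daloRADIUS or radiusplugin), the Python below builds the same kind of PAP Access-Request that the radtest step and radiusplugin.so send, and checks a reply's Response Authenticator the way a NAS does. It shows why only attributes FreeRADIUS can compare against the recovered cleartext work for this plugin, and how much of the exchange rests on the NAS secret. The lab values (user febry, secret fb-ovpn, NAS 192.168.1.12) come from the article; the packet is built offline and never sent.

```python
# Added illustration for this article, not radiusplugin or FreeRADIUS code; lab values come from the post.
import hashlib
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT = 1, 2, 4, 5

def pap_encrypt(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    # RFC 2865 5.2: pad to 16-byte blocks, XOR each block with MD5(secret + previous
    # block), the first one keyed by the Request Authenticator. No MAC and no salt.
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def pap_decrypt(cipher: bytes, secret: bytes, authenticator: bytes) -> bytes:
    # Server side: recover the cleartext and compare it with Cleartext-Password
    # (or hash it for Crypt-/MD5-Password); only such control attributes can match PAP.
    out, prev = b"", authenticator
    for i in range(0, len(cipher), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(cipher[i:i + 16], key))
        prev = cipher[i:i + 16]
    return out.rstrip(b"\x00")

def attr(kind: int, value: bytes) -> bytes:
    return struct.pack("!BB", kind, len(value) + 2) + value  # Type, Length, Value

def build_access_request(user, password, secret, nas_ip, nas_port, ident=1, auth=None):
    # The core attributes radtest sends; returns (packet, request_authenticator).
    auth = auth or os.urandom(16)
    attrs = (attr(USER_NAME, user.encode())
             + attr(USER_PASSWORD, pap_encrypt(password.encode(), secret.encode(), auth))
             + attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
             + attr(NAS_PORT, struct.pack("!I", nas_port)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + auth + attrs, auth

def sign_reply(code: int, ident: int, request_auth: bytes, secret: bytes, attrs: bytes = b"") -> bytes:
    # Server side (RFC 2865 3): Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return head + hashlib.md5(head + request_auth + attrs + secret).digest() + attrs

def reply_is_authentic(reply: bytes, request_auth: bytes, secret: bytes) -> bool:
    # NAS side: the only integrity check on a PAP exchange, and it rests on the NAS secret.
    return hashlib.md5(reply[:4] + request_auth + reply[20:] + secret).digest() == reply[4:20]
```

A wrong NAS secret, as with a typo in clients.conf or radiusplugin.cnf, fails at both ends: the server decrypts garbage from User-Password and the NAS rejects the Response Authenticator.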

5) Some operating systems have no nogroup group but use nobody instead, and vice versa. To work around this we can:

  • Create user nobody and group nogroup.
  • Create user nobody and group nobody, then change `group nogroup` to `group nobody` in the client.ovpn file.
  • Comment out `user nobody` and `group nogroup` in the client.ovpn file.

Oldest comments (1)

Oswaldo Carabano

Hello and thanks for the tutorial. I followed it, but when I create the client.ovpn with ca, crt, key and tls-crypt, the connection works. The OVPN server never goes to the RADIUS server to check the auth? Any help? Thanks.