Configuring OpenVPN Client Authentication Using FreeRADIUS Server

Overview

FreeRADIUS is a daemon for Unix-like operating systems that implements a RADIUS server, used for authentication and accounting in many network-access scenarios. To make use of it you need a properly configured RADIUS client, such as a hotspot, a VPN server (OpenVPN, strongSwan, SoftEther) or certain router operating systems.

OpenVPN is an open-source application that implements virtual private network (VPN) techniques, establishing secure point-to-point or site-to-site connections and providing remote access. It uses its own security protocol, which relies on SSL/TLS for key exchange.

In this guide we configure OpenVPN to authenticate users against the FreeRADIUS server set up earlier. When a client enters a username and password, the radiusplugin forwards them to FreeRADIUS, which checks the credentials against its user database. If they are valid, FreeRADIUS returns an Access-Accept packet to the OpenVPN server and the client is granted access.

Requirements

In this tutorial, we’ll proceed with the assumption that:

  1. You have successfully configured the OpenVPN server (refer to this guide[1] if needed).
  2. FreeRADIUS server is installed and configured for use (install it by following this tutorial[2]).

With all prerequisites in place, let’s proceed to modify the OpenVPN configuration to enable authentication via FreeRADIUS server. The steps outlined in this guide are applicable for both CentOS/Fedora and Ubuntu/Debian systems.

Radiusplugin Installation Guide

Log in to your OpenVPN server as root (this example uses CentOS 7 64-bit) and install the dependencies needed to compile the radiusplugin.

Ubuntu/Debian:

apt-get install libgcrypt11 libgcrypt11-dev build-essential

CentOS/Fedora:

yum install libgcrypt libgcrypt-devel gcc-c++

After successfully installing the required dependencies, the next step is to download the source code for the radiusplugin. Begin by creating a dedicated folder and retrieving the source files into this directory.

Ubuntu/Debian/CentOS/Fedora:

mkdir /etc/radiusplugin

Following that, navigate into the newly created folder and proceed to download the source code.

Ubuntu/Debian/CentOS/Fedora:

cd /etc/radiusplugin/

Ubuntu/Debian/CentOS/Fedora:

wget http://www.nongnu.org/radiusplugin/radiusplugin_v2.1a_beta1.tar.gz

Once the download is complete, it is necessary to extract the source files from the downloaded archive.

Ubuntu/Debian/CentOS/Fedora:

tar xvf radiusplugin_v2.1a_beta1.tar.gz

With the archive extracted, change into the source directory and compile the plugin.

Ubuntu/Debian/CentOS/Fedora:

cd radiusplugin_v2.1a_beta1
make

After compiling, the resulting file radiusplugin.so should be moved to a more suitable location inside the OpenVPN directory. Before copying it, create a 'radius' folder there.

Ubuntu/Debian/CentOS/Fedora:

mkdir /etc/openvpn/radius

Ubuntu/Debian/CentOS/Fedora:

cp -r radiusplugin.so /etc/openvpn/radius

Generating a configuration file for Radiusplugin

Next, create a file named radius.cnf inside the /etc/openvpn/radius/ folder. This file is the radiusplugin configuration and holds, among other things, the IP address and shared secret of the RADIUS server.

Ubuntu/Debian/CentOS/Fedora:

nano /etc/openvpn/radius/radius.cnf

Then paste the following into the file.

NAS-Identifier=000.000.000.000_TCP_443

# The service type which is sent to the RADIUS server
Service-Type=5

# The framed protocol which is sent to the RADIUS server
Framed-Protocol=1

# The NAS port type which is sent to the RADIUS server
NAS-Port-Type=5

# The NAS IP address which is sent to the RADIUS server
NAS-IP-Address=000.000.000.000

# Path to the OpenVPN configfile. The plugin searches there for
# client-config-dir PATH (searches for the path)
# status FILE (searches for the file, version must be 1)
# client-cert-not-required (if the option is used or not)
# username-as-common-name (if the option is used or not)

OpenVPNConfig=/etc/openvpn/443_tcp.conf


# Support for topology option in OpenVPN 2.1
# If you don't specify anything, option "net30" (default in OpenVPN) is used.
# You can only use one of the options at the same time.
# If you use topology option "subnet", fill in the right netmask, e.g. from OpenVPN option "--server NETWORK NETMASK"
subnet=255.255.255.0
# If you use topology option "p2p", fill in the right network, e.g. from OpenVPN option "--server NETWORK NETMASK"
# p2p=10.8.0.1


# Allows the plugin to overwrite the client config in client config file directory,
# default is true
overwriteccfiles=true

# Allows the plugin to use auth control files if OpenVPN (>= 2.1 rc8) provides them.
# default is false
# useauthcontrolfile=false

# Only the accounting functionality is used. If no user name is forwarded to the plugin, the common name of the
# certificate is used as the user name for radius accounting.
# default is false
# accountingonly=false


# If accounting is not essential, nonfatalaccounting can be set to true.
# If set to true, all errors during the accounting procedure are ignored, which means:
# - radius accounting can fail silently
# - FramedRoute (if configured) may not be set up correctly
# - errors during vendor specific attribute script execution are ignored
# Setting it to true improves performance because OpenVPN does not block during the accounting procedure.
# default is false
nonfatalaccounting=false

# Path to a script for vendor specific attributes.
# Leave it out if you don't use an own script.
# vsascript=/root/workspace/radiusplugin_v2.0.5_beta/vsascript.pl

# Path to the pipe for communication with the vsascript.
# Leave it out if you don't use an own script.
# vsanamedpipe=/tmp/vsapipe

# A radius server definition, there could be more than one.
# The priority of the server depends on the order in this file. The first one has the highest priority.
server
{
# The UDP port for radius accounting.
acctport=1813
# The UDP port for radius authentication.
authport=1812
# The name or ip address of the radius server.
name=192.168.0.153
# How many times should the plugin resend the request if there is no response?
retry=1
# How long should the plugin wait for a response?
wait=1
# The shared secret.
sharedsecret=mysecret
}

Where:
mysecret is the shared secret for this client as configured on the FreeRADIUS server; change it to match your FreeRADIUS setup.
192.168.0.153 is the IP address of our RADIUS server; this will certainly need to be changed.
000.000.000.000 is the IP address of our OpenVPN server; this will also need to be changed.
/etc/openvpn/443_tcp.conf is the path to our OpenVPN configuration file. Each OpenVPN configuration file needs its own radiusplugin configuration file, so adjust this to your setup.

Once all adjustments are made, save the file and exit. With the radiusplugin configuration completed, the next step is to configure OpenVPN.
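To make the exchange from the overview concrete, here is an added example (not part of the original article or of the radiusplugin source) that builds the PAP Access-Request a RADIUS client such as radiusplugin sends, using the Service-Type, Framed-Protocol, NAS-Port-Type and NAS-Identifier values from radius.cnf, and checks the server's reply authenticator against the shared secret. Packet layout follows RFC 2865; the username, password, addresses and secret are constructed sample values.

```python
import hashlib
import hmac
import socket
import struct

# Packet codes and attribute types from RFC 2865.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4
SERVICE_TYPE, FRAMED_PROTOCOL, NAS_IDENTIFIER, NAS_PORT_TYPE = 6, 7, 32, 61

def attr(atype, value):
    """One Type-Length-Value attribute; the length byte counts its own 2-byte header."""
    return struct.pack("!BB", atype, 2 + len(value)) + value

def hide_password(secret, authenticator, password):
    """PAP password hiding (RFC 2865 5.2): XOR 16-byte chunks with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out

def build_access_request(secret, ident, authenticator, username, password, nas_ip, nas_id):
    """Client side: the Access-Request the plugin sends; integer attributes mirror radius.cnf."""
    attrs = (attr(USER_NAME, username)
             + attr(USER_PASSWORD, hide_password(secret, authenticator, password))
             + attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
             + attr(SERVICE_TYPE, struct.pack("!I", 5))     # Service-Type=5 (Outbound)
             + attr(FRAMED_PROTOCOL, struct.pack("!I", 1))  # Framed-Protocol=1 (PPP)
             + attr(NAS_PORT_TYPE, struct.pack("!I", 5))    # NAS-Port-Type=5 (Virtual)
             + attr(NAS_IDENTIFIER, nas_id))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs

def build_response(code, ident, attrs, request_authenticator, secret):
    """Server side: Access-Accept/Reject; authenticator = MD5(header + request auth + attrs + secret)."""
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(head + request_authenticator + attrs + secret).digest()
    return head + resp_auth + attrs

def verify_response(packet, request_authenticator, secret):
    """Client side: return the reply code only if the authenticator proves the sender holds the secret."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return None
    expected = hashlib.md5(packet[:4] + request_authenticator + packet[20:] + secret).digest()
    return packet[0] if hmac.compare_digest(expected, packet[4:20]) else None
```

The response authenticator is the only thing that ties an Access-Accept to a server holding the shared secret, so the sharedsecret in radius.cnf should be a long random string rather than a placeholder like mysecret.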

Setting Up Radius Authentication with OpenVPN

To configure OpenVPN for RADIUS authentication, add the following lines to your OpenVPN configuration file. In a previous tutorial[3] we set up OpenVPN with certificate authentication; in this guide we use username/password authentication instead.

In the modified OpenVPN configuration below, we’ve integrated Radius authentication:

port 443
proto tcp
dev tun
server 10.11.0.0 255.255.255.0
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key
dh /etc/openvpn/easy-rsa/keys/dh2048.pem
plugin /etc/openvpn/radius/radiusplugin.so /etc/openvpn/radius/radius.cnf
ifconfig-pool-persist ipp.txt
persist-key
persist-tun
keepalive 10 60
reneg-sec 0
comp-lzo
tun-mtu 1468
tun-mtu-extra 32
mssfix 1400
push "persist-key"
push "persist-tun"
push "redirect-gateway def1"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
status /etc/openvpn/443.log
verb 3

What we added:

plugin /etc/openvpn/radius/radiusplugin.so /etc/openvpn/radius/radius.cnf

loads the radiusplugin shared object and tells it where its configuration file is.

ifconfig-pool-persist ipp.txt

is the file read by the radiusplugin for accounting information.

Once done, save the file and exit, then restart OpenVPN so the changes take effect.

Ubuntu/Debian/CentOS/Fedora:

service openvpn restart

CentOS 7:

systemctl start openvpn@443_tcp.service

Connect from the OpenVPN client and log in using your RADIUS username and password.

That's it! You are now ready to connect to the OpenVPN server using your RADIUS account. If you have any questions or need clarification, please feel free to comment below.

[1]: https://www.blendhosting.com/kb/configuring-and-setting-up-an-openvpn-server-on-centos-7-2/
[2]: https://www.blendhosting.com/kb/freeradius-mysql-setup/
[3]: https://www.blendhosting.com/kb/configuring-and-setting-up-an-openvpn-server-on-centos-7-2/
