OpenVPN with FreeRADIUS User Auth
febryandana
Posted on August 6, 2022
Overview
OpenVPN can use a RADIUS server as the source of authentication for its user accounts. In this article we integrate OpenVPN with FreeRADIUS and use daloRADIUS as a web dashboard for FreeRADIUS, so that administrators can manage OpenVPN users in one place.
1. FreeRADIUS & DaloRADIUS Configuration
FreeRADIUS
1) Install Web Server
sudo -i
apt update && apt -y upgrade
apt -y install apache2
apt -y install php libapache2-mod-php php-{gd,common,mail,mail-mime,mysql,pear,db,mbstring,xml,curl}
php -v
2) Install DB server
apt -y install mariadb-server
mysql_secure_installation
3) Create RADIUS database
mysql -u root -p
MariaDB [(none)]> CREATE DATABASE radius;
MariaDB [(none)]> GRANT ALL ON radius.* TO radius@localhost IDENTIFIED BY "StrongPassword";
MariaDB [(none)]> FLUSH PRIVILEGES;
MariaDB [(none)]> QUIT
4) Install & Configure FreeRADIUS
apt -y install freeradius freeradius-mysql freeradius-utils
Import the FreeRADIUS SQL schema into the radius database
mysql -u root -p radius < /etc/freeradius/3.0/mods-config/sql/main/mysql/schema.sql
mysql -u root -p -e "use radius; show tables;"
Create a symlink to enable the sql module
ln -s /etc/freeradius/3.0/mods-available/sql /etc/freeradius/3.0/mods-enabled/
Configure the sql module. Comment out the SSL/TLS section inside the mysql { } block if you are not using TLS to the database. Note that read_clients and client_table belong inside the sql { } block, not after it:
nano /etc/freeradius/3.0/mods-enabled/sql
---
sql {
    driver = "rlm_sql_mysql"
    dialect = "mysql"
    # Connection info:
    server = "localhost"
    port = 3306
    login = "radius"
    password = "StrongPassword"
    # Database table configuration for everything except Oracle
    radius_db = "radius"
    # Set to 'yes' to read radius clients from the database ('nas' table)
    # Clients will ONLY be read on server startup.
    read_clients = yes
    # Table to keep radius client info
    client_table = "nas"
}
---
Change Group
chgrp -h freerad /etc/freeradius/3.0/mods-available/sql
chown -R freerad:freerad /etc/freeradius/3.0/mods-enabled/sql
Restart freeradius service
sudo systemctl restart freeradius.service
DaloRADIUS
1) Install daloRadius
apt -y install wget unzip
wget https://github.com/lirantal/daloradius/archive/master.zip
unzip master.zip
mv daloradius-master daloradius
cd daloradius
2) Configure daloRadius
Import daloRadius tables
mysql -u root -p radius < contrib/db/fr2-mysql-daloradius-and-freeradius.sql
mysql -u root -p radius < contrib/db/mysql-daloradius.sql
Move daloRadius folder to Web Server
cd ..
mv daloradius /var/www/html/
mv /var/www/html/daloradius/library/daloradius.conf.php.sample /var/www/html/daloradius/library/daloradius.conf.php
chown -R www-data:www-data /var/www/html/daloradius/
chmod 664 /var/www/html/daloradius/library/daloradius.conf.php
Configure daloRadius connection
nano /var/www/html/daloradius/library/daloradius.conf.php
---
$configValues['CONFIG_DB_HOST'] = 'localhost';
$configValues['CONFIG_DB_PORT'] = '3306';
$configValues['CONFIG_DB_USER'] = 'radius';
$configValues['CONFIG_DB_PASS'] = 'StrongPassword';
$configValues['CONFIG_DB_NAME'] = 'radius';
---
touch /tmp/daloradius.log
Restart services
systemctl restart freeradius.service apache2.service
3) Verify daloRadius
Access via http://IP_ADDRESS/daloradius/login.php
Default user and password (change them right after the first login):
User = administrator
Password = radius
2. OpenVPN Installation
OpenVPN
We will install OpenVPN the easy way, using an automated shell script
apt install -y openvpn openvpn-auth-radius freeradius-utils
wget https://git.io/vpn -O openvpn-install.sh
bash openvpn-install.sh
---
Public IPv4 address / hostname [a.b.c.d]: IP_Server_OpenVPN
---
Answer the remaining prompts however you like.
OpenVPN RADIUS Plugin
To connect OpenVPN to FreeRADIUS we use an external plugin named radiusplugin, packaged as openvpn-auth-radius
apt update
apt install openvpn-auth-radius
The plugin shared object is installed at /usr/lib/openvpn/radiusplugin.so
3. Integrate OpenVPN with FreeRADIUS
FreeRadius Side
1) Create a NAS (Network Access Server) entry for the OpenVPN server. The secret shown is a lab value; use a long random secret in production.
Via daloRADIUS:
- NAS IP/Host = 192.168.1.12/24 (IP address of the OpenVPN server)
- NAS Secret = fb-ovpn
- NAS Type = other
- NAS Shortname = fb-ovpn
Via clients.conf:
nano /etc/freeradius/3.0/clients.conf
---
client fb-ovpn {
    ipaddr = 192.168.1.12   # IP address of the OpenVPN server
    netmask = 24
    secret = fb-ovpn
    shortname = fb-ovpn
    nastype = other
}
---
Restart the FreeRADIUS service every time you add a NAS, because clients are only read at startup
systemctl restart freeradius.service
OpenVPN Server Side
1) Create the radiusplugin configuration file that connects OpenVPN to FreeRADIUS
nano /etc/openvpn/radiusplugin.cnf
---
NAS-Identifier=openvpn
Service-Type=5
Framed-Protocol=1
NAS-Port-Type=5
NAS-IP-Address=192.168.1.12
OpenVPNConfig=/etc/openvpn/server/server.conf
overwriteccfiles=true
server
{
acctport=1813
authport=1812
name=192.168.1.11
retry=1
wait=1
sharedsecret=fb-ovpn
}
---
2) Test the connection to RADIUS from the OpenVPN server. Create the user in daloRADIUS first.
radtest {username} {password} {radius_hostname} 10 {radius_secret}
radtest febry febry 192.168.1.11 10 fb-ovpn
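To make the radtest step concrete, here is an added example (my own code, not the article's or the radiusplugin project's) that builds the same PAP Access-Request radtest sends for user febry on NAS-Port 10 and then recovers the password the way the server does; the fixed Request Authenticator used in the test is a constructed value so the result is repeatable. It shows that the only thing hiding the user's password on the wire is MD5 keyed with the NAS shared secret, which is why a lab secret like fb-ovpn should be replaced by a long random one.

```python
import hashlib
import os
import socket
import struct

ACCESS_REQUEST = 1  # RFC 2865 packet code
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT = 1, 2, 4, 5  # attribute types

def pap_hide(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    padded = password + b"\x00" * (16 if not password else (-len(password)) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out

def pap_unhide(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of pap_hide; trailing NUL padding is stripped (a PAP limitation)."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def avp(attr_type: int, value: bytes) -> bytes:
    return struct.pack("!BB", attr_type, 2 + len(value)) + value  # length counts the 2-byte header

def build_access_request(username: str, password: str, secret: bytes, nas_ip: str,
                         nas_port: int, ident: int = 0, authenticator: bytes = b"") -> bytes:
    """The Access-Request radtest sends: Code, Identifier, Length, Authenticator, AVPs."""
    ra = authenticator or os.urandom(16)  # Request Authenticator: fresh and unpredictable
    attrs = (avp(USER_NAME, username.encode())
             + avp(USER_PASSWORD, pap_hide(password.encode(), secret, ra))
             + avp(NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
             + avp(NAS_PORT, struct.pack("!I", nas_port)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + ra + attrs

def recover_password(packet: bytes, secret: bytes) -> bytes:
    """What FreeRADIUS does with a PAP request: walk the AVPs and unhide User-Password."""
    length, authenticator, pos = struct.unpack("!H", packet[2:4])[0], packet[4:20], 20
    while pos < length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_type == USER_PASSWORD:
            return pap_unhide(packet[pos + 2:pos + attr_len], secret, authenticator)
        pos += attr_len
    raise ValueError("no User-Password attribute in packet")
```

A NAS whose secret is guessable lets anyone who captures UDP 1812 traffic between 192.168.1.12 and 192.168.1.11 run recover_password on it, so treat the secret with the same care as the VPN keys.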
3) Edit server.conf on the OpenVPN server so that OpenVPN authenticates users against the FreeRADIUS server
nano /etc/openvpn/server/server.conf
---
plugin /usr/lib/openvpn/radiusplugin.so /etc/openvpn/radiusplugin.cnf
verify-client-cert
key-direction 0
duplicate-cn
local 192.168.1.12
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
auth SHA512
tls-crypt tc.key
topology subnet
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
ifconfig-pool-persist ipp.txt
push "dhcp-option DNS 8.8.8.8"
keepalive 10 120
cipher AES-256-CBC
user nobody
group nogroup
persist-key
persist-tun
verb 3
crl-verify crl.pem
explicit-exit-notify
---
4) Create ovpn file for clients
nano /root/client.ovpn
---
key-direction 1
auth-user-pass
;user nobody
;group nogroup
client
dev tun
proto udp
remote 192.168.1.12 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
auth SHA512
cipher AES-256-CBC
ignore-unknown-option block-outside-dns
block-outside-dns
verb 3
<ca>
...
---
4. Test connection to OpenVPN with RADIUS user
Conducted on node fb-ubuntu (192.168.2.11 - lab6)
openvpn --config client.ovpn
Conducted on personal computer
sudo openvpn --config client.ovpn
Known Issues
1) Unknown column 'acctupdatetime' in 'field list'
daloRADIUS / RADIUS log:
ERROR: (21) sql: ERROR: rlm_sql_mysql: ERROR 1054 (Unknown column 'acctupdatetime' in 'field list'): 42S22
Solution: rebuild the radacct table
mysql -u root -p radius
DROP TABLE radacct;
CREATE TABLE radacct (
radacctid bigint(21) NOT NULL auto_increment,
acctsessionid varchar(64) NOT NULL default '',
acctuniqueid varchar(32) NOT NULL default '',
username varchar(64) NOT NULL default '',
groupname varchar(64) NOT NULL default '',
realm varchar(64) default '',
nasipaddress varchar(15) NOT NULL default '',
nasportid varchar(15) default NULL,
nasporttype varchar(32) default NULL,
acctstarttime datetime NULL default NULL,
acctupdatetime datetime NULL default NULL,
acctstoptime datetime NULL default NULL,
acctinterval int(12) default NULL,
acctsessiontime int(12) unsigned default NULL,
acctauthentic varchar(32) default NULL,
connectinfo_start varchar(50) default NULL,
connectinfo_stop varchar(50) default NULL,
acctinputoctets bigint(20) default NULL,
acctoutputoctets bigint(20) default NULL,
calledstationid varchar(50) NOT NULL default '',
callingstationid varchar(50) NOT NULL default '',
acctterminatecause varchar(32) NOT NULL default '',
servicetype varchar(32) default NULL,
framedprotocol varchar(32) default NULL,
framedipv6address varchar(32) default NULL,
framedipv6prefix varchar(32) default NULL,
framedinterfaceid varchar(32) default NULL,
delegatedipv6prefix varchar(32) default NULL,
framedipaddress varchar(15) NOT NULL default '',
PRIMARY KEY (radacctid),
UNIQUE KEY acctuniqueid (acctuniqueid),
KEY username (username),
KEY framedipaddress (framedipaddress),
KEY acctsessionid (acctsessionid),
KEY acctsessiontime (acctsessiontime),
KEY acctstarttime (acctstarttime),
KEY acctinterval (acctinterval),
KEY acctstoptime (acctstoptime),
KEY nasipaddress (nasipaddress)
) ENGINE = INNODB;
2) Error reading log file: /tmp/daloradius.log
error reading log file: /tmp/daloradius.log
looked for log file in /tmp/daloradius.log but couldn't find it.
if you know where your daloradius log file is located, set it's location in your library/daloradius.conf file
Solution: create the log file and make it readable by the web server user
touch /tmp/daloradius.log
chown www-data:www-data /tmp/daloradius.log
chmod 644 /tmp/daloradius.log
3) Error reading log file: /var/log/syslog
error reading log file: /var/log/syslog
possible cause is file permissions or file does not exist.
Solution: change the file permissions. Note that this makes syslog readable by every local user; adding www-data to the adm group that already owns the file is a narrower alternative.
chmod 644 /var/log/syslog
4) RADIUS password attribute types that work with OpenVPN (the plugin sends the password as User-Password, i.e. PAP)
- [x] cleartext-password
- [ ] User-password (AUTH_FAILED)
- [x] Crypt-password
- [x] MD5-password
- [ ] SHA1-password (AUTH_FAILED)
- [ ] CHAP-password (AUTH_FAILED)
5) Some operating systems do not have a nogroup group and use nobody instead, or vice versa. To resolve this, we can do one of the following:
- Create the user nobody and the group nogroup.
- Create the user nobody and the group nobody, then change "group nogroup" to "group nobody" in the client.ovpn file.
- Comment out "user nobody" and "group nogroup" in the client.ovpn file.