How to authenticate OpenVPN via FreeRadius?

Need help configuring your VPN? Just post here and you'll get that help.
Forum rules
Please use the [oconf] BB tag for openvpn Configurations. See viewtopic.php?f=30&t=21589 for an example.
houmie75
OpenVPN User
Posts: 26
Joined: Wed Jul 22, 2020 7:46 pm

How to authenticate OpenVPN via FreeRadius?

Post by houmie75 » Wed Jul 22, 2020 8:33 pm

Hi,

I'm really struggling getting OpenVPN and FreeRadius working together.

I have these two binaries in

Code: Select all

/usr/local/lib/openvpn/plugins/openvpn-plugin-auth-pam.so
/usr/lib/x86_64-linux-gnu/security/pam_permit.so
/etc/pam.d/pam_radius_auth.conf

Code: Select all

127.0.0.1                  secret             3
/etc/pam.d/ovpn-0

Code: Select all

account sufficient      pam_permit.so
auth    required        pam_radius_auth.so conf=/etc/pam.d/pam_radius_auth.conf
But the moment I activate it like this in OpenVPN and restart it:

server.conf

Code: Select all

plugin /usr/local/lib/openvpn/plugins/openvpn-plugin-auth-pam.so ovpn-0
I can no longer establish the VPN connection and the local freeradius is not even hit. (freeradius -X)
I get this error in /var/log/openvpn/openvpn.log
89.32.123.xxx:18585 TLS Error: Auth Username/Password was not provided by peer
89.32.123.xxx:18585 TLS Error: TLS handshake failed
Many Thanks,
Houman

User avatar
TinCanTech
OpenVPN Protagonist
Posts: 7577
Joined: Fri Jun 03, 2016 1:17 pm

Re: How to authenticate OpenVPN via FreeRadius?

Post by TinCanTech » Wed Jul 22, 2020 9:00 pm

houmie75 wrote:
Wed Jul 22, 2020 8:33 pm
Error: Auth Username/Password was not provided by peer
Looks quite obvious :roll:

houmie75
OpenVPN User
Posts: 26
Joined: Wed Jul 22, 2020 7:46 pm

Re: How to authenticate OpenVPN via FreeRadius?

Post by houmie75 » Wed Jul 22, 2020 11:09 pm

The VPN is set up to work with certificates. Only after setting up the PAM plugin into the config, it fails with that message.

plugin /usr/local/lib/openvpn/plugins/openvpn-plugin-auth-pam.so ovpn-0

But I'm expecting to see Freeradius service to be hit (verbose debug shows nothing), when trying to connect to the VPN.
May you elaborate what I may have missed please?

User avatar
TinCanTech
OpenVPN Protagonist
Posts: 7577
Joined: Fri Jun 03, 2016 1:17 pm

Re: How to authenticate OpenVPN via FreeRadius?

Post by TinCanTech » Wed Jul 22, 2020 11:12 pm

houmie75 wrote:
Wed Jul 22, 2020 11:09 pm
May you elaborate what I may have missed please?
I do not know because those are the only details you have provided.

viewtopic.php?f=30&t=22603

houmie75
OpenVPN User
Posts: 26
Joined: Wed Jul 22, 2020 7:46 pm

Re: How to authenticate OpenVPN via FreeRadius?

Post by houmie75 » Thu Jul 23, 2020 6:06 pm

Of course. Sorry about that.
Please let me know if you need to see anything else. I'm happy to provide it.
This issue is killing me for three days and I don't know how to proceed. Thank you

Server configuration file
Server Config

port 1111
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key # This file should be kept secret
dh none
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist /var/log/openvpn/ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
keepalive 10 120
tls-crypt ta.key
cipher AES-256-GCM
auth SHA256
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
log /var/log/openvpn/openvpn.log
verb 3
explicit-exit-notify 1
plugin /usr/local/lib/openvpn/plugins/openvpn-plugin-auth-pam.so ovpn-0


Client configuration file
Server Config

client
dev tun
proto udp
remote 18.132.xxx.xxx 1111
resolv-retry infinite
nobind
user nobody
group nobody
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-GCM
auth SHA256
key-direction 1
verb 3
<ca>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</ca>
<cert>
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
Signature Algorithm: ecdsa-with-SHA512
Issuer: CN=Easy-RSA CA
Validity
Not Before: Jul 16 08:45:28 2020 GMT
Not After : Jul 1 08:45:28 2023 GMT
Subject: CN=client1
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (384 bit)
pub:
3a:87:ad:dc:a1:e8:4b
ASN1 OID: secp384r1
NIST CURVE: P-384
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Subject Key Identifier:
X509v3 Authority Key Identifier:
X509v3 Extended Key Usage:
TLS Web Client Authentication
X509v3 Key Usage:
Digital Signature
Signature Algorithm: ecdsa-with-SHA512
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
-----END PRIVATE KEY-----
</key>
<tls-crypt>
-----BEGIN OpenVPN Static key V1-----
-----END OpenVPN Static key V1-----
</tls-crypt>


And log file is you need it:

Code: Select all

OpenVPN 2.4.9 [git:master/c53d65eae4c1ecfe+] x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Jul 15 2020
library versions: OpenSSL 1.1.1g  21 Apr 2020
PLUGIN_INIT: POST /usr/local/lib/openvpn/plugins/openvpn-plugin-auth-pam.so '[/usr/local/lib/openvpn/plugins/openvpn-plugin-auth-pam.so] [ovpn-0]' intercepted=PLUGIN_AUTH_USER_PASS_VERIFY
Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
ROUTE_GATEWAY 172.31.32.1/255.255.240.0 IFACE=eth0 HWADDR=02:f3:5c:78:33:da
TUN/TAP device tun0 opened
TUN/TAP TX queue length set to 100
/usr/sbin/ifconfig tun0 10.8.0.1 pointopoint 10.8.0.2 mtu 1500
/usr/sbin/route add -net 10.8.0.0 netmask 255.255.255.0 gw 10.8.0.2
Could not determine IPv4/IPv6 protocol. Using AF_INET
Socket Buffers: R=[212992->212992] S=[212992->212992]
UDPv4 link local (bound): [AF_INET][undef]:1111
UDPv4 link remote: [AF_UNSPEC]
GID set to nogroup
UID set to nobody
MULTI: multi_init called, r=256 v=256
IFCONFIG POOL: base=10.8.0.4 size=62, ipv6=0
ifconfig_pool_read(), in='client1,10.8.0.4', TODO: IPv6
succeeded -> ifconfig_pool_set()
ifconfig_pool_read(), in='client1,10.8.0.8', TODO: IPv6
succeeded -> ifconfig_pool_set()
IFCONFIG POOL LIST
client1,10.8.0.4
client1,10.8.0.8
Initialization Sequence Completed
89.32.xxx.xxx:20413 TLS: Initial packet from [AF_INET]89.32.xxx.xxx:20413, sid=65b7bfaa fb7e7a59
89.32.xxx.xxx:20413 VERIFY OK: depth=1, CN=Easy-RSA CA
89.32.xxx.xxx:20413 VERIFY OK: depth=0, CN=client1
89.32.xxx.xxx:20413 peer info: IV_VER=3.5.4
89.32.xxx.xxx:20413 peer info: IV_PLAT=ios
89.32.xxx.xxx:20413 peer info: IV_NCP=2
89.32.xxx.xxx:20413 peer info: IV_TCPNL=1
89.32.xxx.xxx:20413 peer info: IV_PROTO=2
89.32.xxx.xxx:20413 peer info: IV_AUTO_SESS=1
89.32.xxx.xxx:20413 TLS Error: Auth Username/Password was not provided by peer
89.32.xxx.xxx:20413 TLS Error: TLS handshake failed
89.32.xxx.xxx:20413 SIGUSR1[soft,tls-error] received, client-instance restarting

User avatar
TinCanTech
OpenVPN Protagonist
Posts: 7577
Joined: Fri Jun 03, 2016 1:17 pm

Re: How to authenticate OpenVPN via FreeRadius?

Post by TinCanTech » Thu Jul 23, 2020 6:34 pm

houmie75 wrote:
Thu Jul 23, 2020 6:06 pm
TLS Error: Auth Username/Password was not provided by peer
Please see the Howto for further instructions.

houmie75
OpenVPN User
Posts: 26
Joined: Wed Jul 22, 2020 7:46 pm

Re: How to authenticate OpenVPN via FreeRadius?

Post by houmie75 » Thu Jul 23, 2020 6:50 pm

Sorry, I'm a bit lost with your answer. Do you mean I should search for `TLS Error: Auth Username/Password was not provided by peer` in the HowTo section? I couldn't find anything that matches this. Thank you

User avatar
TinCanTech
OpenVPN Protagonist
Posts: 7577
Joined: Fri Jun 03, 2016 1:17 pm

Re: How to authenticate OpenVPN via FreeRadius?

Post by TinCanTech » Thu Jul 23, 2020 7:01 pm

You have not read the Howto about how to setup password authentication.

houmie75
OpenVPN User
Posts: 26
Joined: Wed Jul 22, 2020 7:46 pm

Re: How to authenticate OpenVPN via FreeRadius?

Post by houmie75 » Fri Jul 24, 2020 7:30 am

The good news is that I got PAM working with Radius. But OpenVPN continues to refuse triggering PAM.

I have worked through the Howto. Some of the information seems a bit outdated.

e.g.
plugin /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so login

should be
plugin /usr/share/openvpn/plugin/lib/openvpn-plugin-auth-pam.so login

But nonetheless that section won't help with FreeRadius connectivity. Based on my research it should work like this:

plugin /usr/local/lib/openvpn/plugins/openvpn-plugin-auth-pam.so /etc/pam.d/ovpn-0

Where I have a ovpn-0 with this content waiting to kick off:

Code: Select all

account sufficient      /usr/lib/x86_64-linux-gnu/security/pam_permit.so
auth    required        /home/ubuntu/pam_radius/pam_radius_auth.so conf=/etc/pam.d/pam_radius_auth.conf
But this never gets triggered by OpenVPN.
e.g. if I change the server.conf to a fake path:
plugin /usr/local/lib/openvpn/plugins/openvpn-plugin-auth-pam.so /etc/pam.d/ovpn-01

The log still doesn't complain about it:

Code: Select all

OpenVPN 2.4.9 [git:master/c53d65eae4c1ecfe+] x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Jul 15 2020
library versions: OpenSSL 1.1.1g  21 Apr 2020
PLUGIN_INIT: POST /usr/local/lib/openvpn/plugins/openvpn-plugin-auth-pam.so '[/usr/local/lib/openvpn/plugins/openvpn-plugin-auth-pam.so] [/etc/pam.d/ovpn-01]' intercepted=PLUGIN_AUTH_USER_PASS_VERIFY
Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
ROUTE_GATEWAY 172.31.32.1/255.255.240.0 IFACE=eth0 HWADDR=02:f3:5c:78:33:da
TUN/TAP device tun0 opened
Is this because when I have compiled the latest OpenVPN, I had to do it with a special flag to enable PAM support to begin with? (e.g. --enable-plugin-auth-pam) ? What could be the reason that OpenVPN doesn't trigger PAM?

User avatar
TinCanTech
OpenVPN Protagonist
Posts: 7577
Joined: Fri Jun 03, 2016 1:17 pm

Re: How to authenticate OpenVPN via FreeRadius?

Post by TinCanTech » Fri Jul 24, 2020 10:16 am

TinCanTech wrote:
Thu Jul 23, 2020 6:34 pm
houmie75 wrote:
Thu Jul 23, 2020 6:06 pm
TLS Error: Auth Username/Password was not provided by peer
Please see the Howto for further instructions.
Read it again :ugeek:

houmie75
OpenVPN User
Posts: 26
Joined: Wed Jul 22, 2020 7:46 pm

Re: How to authenticate OpenVPN via FreeRadius?

Post by houmie75 » Fri Jul 24, 2020 4:58 pm

Oh dear....I really have put effort into it and showed you all my findings. At least tell me which line is the hint that I'm looking for. :-(

This is the HowTo https://community.openvpn.net/openvpn/wiki/HOWTO you mean, correct?

Perhaps you mean I should use login instead of pointing to my /etc/pam.d/ovpn-0 ?

Code: Select all

plugin /usr/share/openvpn/plugin/lib/openvpn-plugin-auth-pam.so login
Please be a bit more specific.

User avatar
TinCanTech
OpenVPN Protagonist
Posts: 7577
Joined: Fri Jun 03, 2016 1:17 pm

Re: How to authenticate OpenVPN via FreeRadius?

Post by TinCanTech » Fri Jul 24, 2020 7:06 pm

TinCanTech wrote:
Fri Jul 24, 2020 10:16 am
Username/Password was not provided by peer
:roll:

User avatar
TinCanTech
OpenVPN Protagonist
Posts: 7577
Joined: Fri Jun 03, 2016 1:17 pm

Re: How to authenticate OpenVPN via FreeRadius?

Post by TinCanTech » Fri Jul 24, 2020 7:13 pm

I am going to cite this thread next time there is a developer meeting about:
  • Why Warnings in logs go unheeded !
By the way, we all make mistakes, all of us ...

But sometimes you have to take a deep breath and just step back a little to see the big picture ;)

houmie75
OpenVPN User
Posts: 26
Joined: Wed Jul 22, 2020 7:46 pm

Re: How to authenticate OpenVPN via FreeRadius?

Post by houmie75 » Fri Jul 24, 2020 8:45 pm

haha :lol: please don't shame me and hear me out.

I'm using Freeradius and StrongSwan (IKEv2) on a daily basis. But I'm just starting off with OpenVPN and may do stupid things.

My understanding is that the accounting is passed on to Radius, which in turn checks the RadiusDB for username/password and sends back an ACCEPT or REJECT. So even if I don't provide a password to my IKEv2 client, I still see FreeRadius being triggered.

But with OpenVPN this is not happening, and I thought this was because of my bad configuration and I'm going into circles.

Now you say that this is happening because my client isn't sending the username/password, and hence OpenVPN server rejects it straight away without triggering FreeRadius.

Ok I did now try again and this time with providing a username/password to see if freeradius triggers.

Code: Select all

89.32.xxx.xxx:17187 peer info: IV_GUI_VER="net.tunnelblick.tunnelblick_5481_3.8.2a__build_5481)"
AUTH-PAM: BACKGROUND: user 'houmie' failed to authenticate: Module is unknown
89.32.xxx.xxx:17187 PLUGIN_CALL: POST /usr/local/lib/openvpn/plugins/openvpn-plugin-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=1
89.32.xxx.xxx:17187 PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1: /usr/local/lib/openvpn/plugins/openvpn-plugin-auth-pam.so
89.32.xxx.xxx:17187 TLS Auth Error: Auth Username/Password verification failed for peer
89.32.xxx.xxx:17187 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 384 bit EC, curve: secp384r1
89.32.xxx.xxx:17187 [client1] Peer Connection Initiated with [AF_INET]89.32.xxx.xxx:17187
89.32.xxx.xxx:17187 PUSH: Received control message: 'PUSH_REQUEST'
89.32.xxx.xxx:17187 Delayed exit in 5 seconds
89.32.xxx.xxx:17187 SENT CONTROL [client1]: 'AUTH_FAILED' (status=1)
And as you can guess, it still didn't work. I suppose it has something to do with `Module is unknown` error message. :shock:
Last edited by houmie75 on Sat Jul 25, 2020 9:12 am, edited 1 time in total.

User avatar
TinCanTech
OpenVPN Protagonist
Posts: 7577
Joined: Fri Jun 03, 2016 1:17 pm

Re: How to authenticate OpenVPN via FreeRadius?

Post by TinCanTech » Fri Jul 24, 2020 9:02 pm

houmie75 wrote:
Fri Jul 24, 2020 8:45 pm
haha :lol: please don't shame me and hear me out.
No shame at all -- We all make mistakes ;)
houmie75 wrote:
Fri Jul 24, 2020 8:45 pm
Now you say that this is happening because my client isn't sending the username/password, and hence OpenVPN server rejects it straight away without triggering FreeRadius.
Maybe .. No user/pass is not the same as the wrong user/pass.
houmie75 wrote:
Fri Jul 24, 2020 8:45 pm
it still didn't work.
Try without these:
houmie75 wrote:
Thu Jul 23, 2020 6:06 pm
Server configuration file
user nobody
group nogroup

houmie75
OpenVPN User
Posts: 26
Joined: Wed Jul 22, 2020 7:46 pm

Re: How to authenticate OpenVPN via FreeRadius?

Post by houmie75 » Fri Jul 24, 2020 9:14 pm

Thank you. :)

I commented them out and restarted the server. But no joy. Could it be related to the `Module is unknown` error message?

Code: Select all

89.32.xxx.xxx:17841 peer info: IV_GUI_VER="net.tunnelblick.tunnelblick_5481_3.8.2a__build_5481)"
AUTH-PAM: BACKGROUND: user 'houmie' failed to authenticate: Module is unknown
89.32.xxx.xxx:17841 PLUGIN_CALL: POST /usr/local/lib/openvpn/plugins/openvpn-plugin-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=1
89.32.xxx.xxx:17841 PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1: /usr/local/lib/openvpn/plugins/openvpn-plugin-auth-pam.so
89.32.xxx.xxx:17841 TLS Auth Error: Auth Username/Password verification failed for peer
89.32.xxx.xxx:17841 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 384 bit EC, curve: secp384r1
89.32.xxx.xxx:17841 [client1] Peer Connection Initiated with [AF_INET]89.32.xxx.xxx:17841
89.32.xxx.xxx:17841 PUSH: Received control message: 'PUSH_REQUEST'
89.32.xxx.xxx:17841 Delayed exit in 5 seconds
89.32.xxx.xxx:17841 SENT CONTROL [client1]: 'AUTH_FAILED' (status=1)
89.32.xxx.xxx:17842 TLS: Initial packet from [AF_INET]89.32.xxx.xxx:17842, sid=21e31045 017f4ae0
89.32.xxx.xxx:17841 SIGTERM[soft,delayed-exit] received, client-instance exiting

Just to make sure my PAM integration with freeradius works, I did this:

Code: Select all

sudo pamtester -v ovpn-0 user authenticate
And freeradius triggers. :roll:
Last edited by houmie75 on Sat Jul 25, 2020 9:12 am, edited 1 time in total.

User avatar
TinCanTech
OpenVPN Protagonist
Posts: 7577
Joined: Fri Jun 03, 2016 1:17 pm

Re: How to authenticate OpenVPN via FreeRadius?

Post by TinCanTech » Fri Jul 24, 2020 10:24 pm

houmie75 wrote:
Fri Jul 24, 2020 9:14 pm
Could it be related to the `Module is unknown` error message?
Most likely.

Try using --verb 4 (A small but important change).

houmie75
OpenVPN User
Posts: 26
Joined: Wed Jul 22, 2020 7:46 pm

Re: How to authenticate OpenVPN via FreeRadius?

Post by houmie75 » Sat Jul 25, 2020 9:10 am

Good morning,

I'm sorry for the late reply. I passed out last night.

I applied verb 4 on server:

Code: Select all

AUTH-PAM: BACKGROUND: received command code: 0
AUTH-PAM: BACKGROUND: USER: houmie
AUTH-PAM: BACKGROUND: user 'houmie' failed to authenticate: Module is unknown
89.32.xxx.xxx:17220 PLUGIN_CALL: POST /usr/local/lib/openvpn/plugins/openvpn-plugin-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=1
89.32.xxx.xxx:17220 PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1: /usr/local/lib/openvpn/plugins/openvpn-plugin-auth-pam.so
89.32.xxx.xxx:17220 TLS Auth Error: Auth Username/Password verification failed for peer
89.32.xxx.xxx:17220 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 384 bit EC, curve: secp384r1
89.32.xxx.xxx:17220 [client1] Peer Connection Initiated with [AF_INET]89.32.xxx.xxx:17220
89.32.xxx.xxx:17220 PUSH: Received control message: 'PUSH_REQUEST'
89.32.xxx.xxx:17220 Delayed exit in 5 seconds
89.32.xxx.xxx:17220 SENT CONTROL [client1]: 'AUTH_FAILED' (status=1)
MULTI: multi_create_instance called
89.32.xxx.xxx:17223 Re-using SSL/TLS context
89.32.xxx.xxx:17223 Control Channel MTU parms [ L:1621 D:1156 EF:94 EB:0 ET:0 EL:3 ]
89.32.xxx.xxx:17223 Data Channel MTU parms [ L:1621 D:1450 EF:121 EB:406 ET:0 EL:3 ]
89.32.xxx.xxx:17223 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1549,tun-mtu 1500,proto UDPv4,cipher AES-256-GCM,auth [null-digest],keysize 256,key-method 2,tls-server'
89.32.xxx.xxx:17223 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1549,tun-mtu 1500,proto UDPv4,cipher AES-256-GCM,auth [null-digest],keysize 256,key-method 2,tls-client'
89.32.xxx.xxx:17223 TLS: Initial packet from [AF_INET]89.32.xxx.xxx:17223, sid=9df91257 163cc947
89.32.xxx.xxx:17220 SIGTERM[soft,delayed-exit] received, client-instance exiting
So the error is
plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1


It seems someone else had this issue three years ago. I checked and I don't miss CAP_AUDIT_WRITE in my systemd.
viewtopic.php?t=24497

/lib/systemd/system/openvpn-server.service

Code: Select all

[Unit]
Description=OpenVPN service
After=network.target

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/bin/true
ExecReload=/bin/true
WorkingDirectory=/etc/openvpn

[Install]
WantedBy=multi-user.target
/lib/systemd/system/openvpn-server@.service

Code: Select all

[Unit]
Description=OpenVPN service for %I
After=syslog.target network-online.target
Wants=network-online.target
Documentation=man:openvpn(8)
Documentation=https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO

[Service]
Type=simple
PrivateTmp=true
WorkingDirectory=/etc/openvpn
ExecStart=/usr/local/sbin/openvpn --status %t/openvpn-server/status-%i.log --status-version 2 --suppress-timestamps --config %i.conf
CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE CAP_AUDIT_WRITE
LimitNPROC=10
DeviceAllow=/dev/null rw
DeviceAllow=/dev/net/tun rw
ProtectSystem=true
ProtectHome=true
KillMode=process
RestartSec=5s
Restart=on-failure

[Install]
WantedBy=multi-user.target
Thank you

User avatar
TinCanTech
OpenVPN Protagonist
Posts: 7577
Joined: Fri Jun 03, 2016 1:17 pm

Re: How to authenticate OpenVPN via FreeRadius?

Post by TinCanTech » Sat Jul 25, 2020 10:56 am

houmie75 wrote:
Sat Jul 25, 2020 9:10 am
sorry for the late reply. I passed out last night
Sleep is healthy -- Unless you want to start a Fight-Club :D
houmie75 wrote:
Sat Jul 25, 2020 9:10 am
I don't miss CAP_AUDIT_WRITE in my systemd
I presume you are using the correct unit file: /lib/systemd/system/openvpn-server@.service
houmie75 wrote:
Sat Jul 25, 2020 9:10 am
AUTH-PAM: BACKGROUND: user 'houmie' failed to authenticate: Module is unknown
You are using AUTH-PAM .. What happened to Radius .. ?

I am not really sure what you are using or how you have it setup, however:
houmie75 wrote:
Sat Jul 25, 2020 9:10 am
AUTH-PAM: BACKGROUND: user 'houmie' failed to authenticate: Module is unknown
As far as I can tell, this error message is not generated by openvpn. Which would suggest you have not setup your authentication back-end correctly ..

Links to Howto:
https://community.openvpn.net/openvpn/w ... ionmethods
https://openvpn.net/community-resources ... n-methods/

That is more-or-less all I have ..

houmie75
OpenVPN User
Posts: 26
Joined: Wed Jul 22, 2020 7:46 pm

Re: How to authenticate OpenVPN via FreeRadius?

Post by houmie75 » Thu Jul 30, 2020 9:49 am

Hey buddy,

Hope all is well with you. I started from scratch. This time I didn't attempt to compile it but instead I installed the OpenVPN from the Ubuntu repo.

While unrelated, I found the reason why it kept saying Module is unknown.
It didn't like required in /etc/pam.d/ovpn-0

I have now replaced it with sufficient as mentioned in the Usage of https://github.com/FreeRADIUS/pam_radiu ... ster/USAGE of PAM_radius plugin.

Code: Select all

account sufficient /usr/lib/x86_64-linux-gnu/security/pam_permit.so
auth sufficient /home/ubuntu/pam_radius/pam_radius_auth.so conf=/etc/pam.d/pam_radius_auth.conf
Now I get this in the server log:

Code: Select all

MULTI: multi_create_instance called
3.11.xx.xxx:60836 Re-using SSL/TLS context
3.11.xx.xxx:60836 Control Channel MTU parms [ L:1621 D:1156 EF:94 EB:0 ET:0 EL:3 ]
3.11.xx.xxx:60836 Data Channel MTU parms [ L:1621 D:1450 EF:121 EB:406 ET:0 EL:3 ]
3.11.xx.xxx:60836 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1549,tun-mtu 1500,proto UDPv4,cipher AES-256-GCM,auth [null-digest],keysize 256,key-method 2,tls-server'
3.11.xx.xxx:60836 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1549,tun-mtu 1500,proto UDPv4,cipher AES-256-GCM,auth [null-digest],keysize 256,key-method 2,tls-client'
3.11.xx.xxx:60836 TLS: Initial packet from [AF_INET]3.11.xx.xxx:60836, sid=88521bad 7a295892
3.11.xx.xxx:60836 VERIFY OK: depth=1, CN=Easy-RSA CA
3.11.xx.xxx:60836 VERIFY OK: depth=0, CN=client1
3.11.xx.xxx:60836 peer info: IV_VER=2.4.9
3.11.xx.xxx:60836 peer info: IV_PLAT=mac
3.11.xx.xxx:60836 peer info: IV_PROTO=2
3.11.xx.xxx:60836 peer info: IV_NCP=2
3.11.xx.xxx:60836 peer info: IV_LZ4=1
3.11.xx.xxx:60836 peer info: IV_LZ4v2=1
3.11.xx.xxx:60836 peer info: IV_LZO=1
3.11.xx.xxx:60836 peer info: IV_COMP_STUB=1
3.11.xx.xxx:60836 peer info: IV_COMP_STUBv2=1
3.11.xx.xxx:60836 peer info: IV_TCPNL=1
3.11.xx.xxx:60836 peer info: IV_GUI_VER="net.tunnelblick.tunnelblick_5481_3.8.2a__build_5481)"
AUTH-PAM: BACKGROUND: received command code: 0
AUTH-PAM: BACKGROUND: USER: houman
AUTH-PAM: BACKGROUND: user 'houman' failed to authenticate: Permission denied
3.11.xx.xxx:60836 PLUGIN_CALL: POST /usr/lib/x86_64-linux-gnu/openvpn/plugins/openvpn-plugin-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=1
3.11.xx.xxx:60836 PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1: /usr/lib/x86_64-linux-gnu/openvpn/plugins/openvpn-plugin-auth-pam.so
3.11.xx.xxx:60836 TLS Auth Error: Auth Username/Password verification failed for peer
3.11.xx.xxx:60836 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 384 bit EC, curve: secp384r1
3.11.xx.xxx:60836 [client1] Peer Connection Initiated with [AF_INET]3.11.xx.xxx:60836
3.11.xx.xxx:60836 PUSH: Received control message: 'PUSH_REQUEST'
3.11.xx.xxx:60836 Delayed exit in 5 seconds
3.11.xx.xxx:60836 SENT CONTROL [client1]: 'AUTH_FAILED' (status=1)
And it is still not hitting the local freeradius server. It's such a shame, because when I do this:

Code: Select all

root@o1:/home/ubuntu# sudo pamtester -v ovpn-0 houman authenticate
pamtester: invoking pam_start(ovpn-0, houman, ...)
pamtester: performing operation - authenticate
Password:
pamtester: successfully authenticated
I can see it hits the local freeradius server and it even authenticates correctly. What gives that OpenVPN doesn't attempt to hit the local freeradius to fetch the username/password?

If you don't know the answer, do you know by any chance an OpenVPN colleague who has established a successful OpenVPN/Freeradius integration in the past and could advice me please? I'm happy to compensate for it.

Thank you so much,
Houman

Post Reply