How to authenticate OpenVPN via FreeRadius?

Need help configuring your VPN? Just post here and you'll get that help.

Moderators: TinCanTech, TinCanTech, TinCanTech, TinCanTech, TinCanTech, TinCanTech

Forum rules
Please use the [oconf] BB tag for openvpn Configurations. See viewtopic.php?f=30&t=21589 for an example.
TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: How to authenticate OpenVPN via FreeRadius?

Post by TinCanTech » Thu Jul 30, 2020 11:50 am

houmie75 wrote:
Thu Jul 30, 2020 9:49 am
I'm happy to compensate for it
I am happy to receive any donations ;-)

FYI: tincanteksup <at> gmail dot com / Paypal (Grateful for any and all help)

I see this in your log:
houmie75 wrote:
Thu Jul 30, 2020 9:49 am
AUTH-PAM: BACKGROUND: received command code: 0
AUTH-PAM: BACKGROUND: USER: houman
AUTH-PAM: BACKGROUND: user 'houman' failed to authenticate: Permission denied
3.11.xx.xxx:60836 PLUGIN_CALL: POST /usr/lib/x86_64-linux-gnu/openvpn/plugins/openvpn-plugin-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=1
3.11.xx.xxx:60836 PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1: /usr/lib/x86_64-linux-gnu/openvpn/plugins/openvpn-plugin-auth-pam.so
3.11.xx.xxx:60836 TLS Auth Error: Auth Username/Password verification failed for peer
Looks like your AUTH-PAM is refusing due to permission on the user not a user/pass fail at all ..

300000
OpenVPN Expert
Posts: 685
Joined: Tue May 01, 2012 9:30 pm

Re: How to authenticate OpenVPN via FreeRadius?

Post by 300000 » Thu Jul 30, 2020 9:40 pm

you are going to the wrong road so it never work , you use pam for local user not for radius user so let look this and start do it again , you need radius client run on so it can authencation with radius server .radius server use for big job so this is your job to do and take time




INTRODUCTION
The FreeRADIUS Server is a daemon for unix and unix like operating systems which allows one to set up a radius protocol server, which can be used for Authentication and Accounting various types of network access. To use the server, you also need a correctly setup client which will talk to it. Samples are hotspots, vpn protocols such as openvpn, strongswan or softether and some other router OS.

OpenVPN is an open-source software application that implements virtual private network (VPN) techniques for creating secure point-to-point or site-to-site connections in routed or bridged configurations and remote access facilities. It uses a custom security protocol that utilizes SSL/TLS for key exchange.

For this project we will configure openvpn to authenticate over our newly setup freeradius server. Once the client enters his/her username the radiusplugin will then relay this information to freeradius to verify if the credentials exists in the radius database and if the user is allowed. Once radius has confirmed that the user is allowed to login it will reply with an access-accept packet to openvpn server to allow the client.

PREREQUISITES
In this tutorial we will assume the following:

That you have successfully setup openvpn server (if not please take a look at this guide)
That freeradius is already setup and configured for use (if it is not yet installed please follow this tutorial)
Once all the ingredients are ready we will start modifying our openvpn configuration to authenticate via freeradius. This guide will be applicable for CentOS/Fedora and Ubuntu/Debian.

INSTALLING RADIUSPLUGIN
Go to your openvpn server (in this case I am using CentOS 7 64bit) and login as root.
Then install the required dependencies to successfully compile our radiusplugin.

Ubuntu/Debian:

apt-get install libgcrypt11 libgcrypt11-dev build-essential
CentOS/Fedora:

yum install libgcrypt libgcrypt-devel gcc-c++
After installing the dependencies we can now download the radiusplugin source. We will create a folder and download the source files from there.

Ubuntu/Debian/CentOS/Fedora:

mkdir /etc/radiusplugin
Then we will go inside the folder and download the source.

Ubuntu/Debian/CentOS/Fedora:

cd /etc/radiusplugin/
Ubuntu/Debian/CentOS/Fedora:

wget http://www.nongnu.org/radiusplugin/radi ... ta1.tar.gz
After we download we need to extract the source files.

Ubuntu/Debian/CentOS/Fedora:

tar xvf radiusplugin_v2.1a_beta1.tar.gz
Then we will go inside the radiusplugin folder and execute the make command.
Ubuntu/Debian/CentOS/Fedora:

cd radiusplugin_v2.1a_beta1
make
We will get the file radiusplugin.so after compiling from source and we will need to transfer this file to a better location, most probably in the openvpn folder. But first we will need to create a radius folder inside openvpn.
Ubuntu/Debian/CentOS/Fedora:

mkdir /etc/openvpn/radius
Ubuntu/Debian/CentOS/Fedora:

cp -r radiusplugin.so /etc/openvpn/radius
CREATING RADIUSPLUGIN CONFIGURATION FILE
Next we will make a file we will call radius.cnf inside the '/etc/openvpn/radius/' folder. This will be the radiusplugin configuration file consisting of the details of our radius server including the radius server ip address and secret.
Ubuntu/Debian/CentOS/Fedora:

nano /etc/openvpn/radius/radius.cnf
And then copy the below details and paste it in the file.

NAS-Identifier=000.000.000.000_TCP_443

# The service type which is sent to the RADIUS server
Service-Type=5

# The framed protocol which is sent to the RADIUS server
Framed-Protocol=1

# The NAS port type which is sent to the RADIUS server
NAS-Port-Type=5

# The NAS IP address which is sent to the RADIUS server
NAS-IP-Address=000.000.000.000

# Path to the OpenVPN configfile. The plugin searches there for
# client-config-dir PATH (searches for the path)
# status FILE (searches for the file, version must be 1)
# client-cert-not-required (if the option is used or not)
# username-as-common-name (if the option is used or not)

OpenVPNConfig=/etc/openvpn/443_tcp.conf


# Support for topology option in OpenVPN 2.1
# If you don't specify anything, option "net30" (default in OpenVPN) is used.
# You can only use one of the options at the same time.
# If you use topology option "subnet", fill in the right netmask, e.g. from OpenVPN option "--server NETWORK NETMASK"
subnet=255.255.255.0
# If you use topology option "p2p", fill in the right network, e.g. from OpenVPN option "--server NETWORK NETMASK"
# p2p=10.8.0.1


# Allows the plugin to overwrite the client config in client config file directory,
# default is true
overwriteccfiles=true

# Allows the plugin to use auth control files if OpenVPN (>= 2.1 rc8) provides them.
# default is false
# useauthcontrolfile=false

# Only the accouting functionality is used, if no user name to forwarded to the plugin, the common name of certificate is used
# as user name for radius accounting.
# default is false
# accountingonly=false


# If the accounting is non essential, nonfatalaccounting can be set to true.
# If set to true all errors during the accounting procedure are ignored, which can be
# - radius accounting can fail
# - FramedRouted (if configured) maybe not configured correctly
# - errors during vendor specific attributes script execution are ignored
# But if set to true the performance is increased because OpenVPN does not block during the accounting procedure.
# default is false
nonfatalaccounting=false

# Path to a script for vendor specific attributes.
# Leave it out if you don't use an own script.
# vsascript=/root/workspace/radiusplugin_v2.0.5_beta/vsascript.pl

# Path to the pipe for communication with the vsascript.
# Leave it out if you don't use an own script.
# vsanamedpipe=/tmp/vsapipe

# A radius server definition, there could be more than one.
# The priority of the server depends on the order in this file. The first one has the highest priority.
server
{
# The UDP port for radius accounting.
acctport=1813
# The UDP port for radius authentication.
authport=1812
# The name or ip address of the radius server.
name=192.168.0.153
# How many times should the plugin send the if there is no response?
retry=1
# How long should the plugin wait for a response?
wait=1
# The shared secret.
sharedsecret=mysecret
}
Where:
mysecret is the freeradius server secret we configured on freeradius. You can change this depending on your freeradius setup.
192.168.0.153 is the ip address of our radius server. This will surely need to be changed.
000.000.000.000 is the ip address of our OpenVPN server. This will also need to be changed.
/etc/openvpn/443_tcp.conf is the path to our OpenVPN configuration file. Each OpenVPN configuration file needs its own radiusplugin configuration file as well. Again, this should be changed depending on your setup.

if all else is done save the file and exit.

We are done with radiusclient and we will configure openvpn next.

CONFIGURING OPENVPN FOR RADIUS AUTHENTICATION
To configure OpenVPN for radius authentication we will need to add several lines of into our OpenVPN configuration file. In our earlier tutorial we setup OpenVPN with Certificate authentication and for this guide we will be using username / password authentication.

From our last OpenVPN configuration, we will need to change it like below:

port 443
proto tcp
dev tun
server 10.11.0.0 255.255.255.0
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key
dh /etc/openvpn/easy-rsa/keys/dh2048.pem
plugin /etc/openvpn/radius/radiusplugin.so /etc/openvpn/radius/radius.cnf ifconfig-pool-persist ipp.txt persist-key
persist-tun
keepalive 10 60
reneg-sec 0
comp-lzo
tun-mtu 1468
tun-mtu-extra 32
mssfix 1400
push "persist-key"
push "persist-tun"
push "redirect-gateway def1"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
status /etc/openvpn/443.log
verb 3

What we added:

plugin /etc/openvpn/radius/radiusplugin.so /etc/openvpn/radius/radius.cnf
Is the path to the radiusclient configuration file and program.

ifconfig-pool-persist ipp.txt
Is the file to be read by radiusplugin for accounting information.

Once all is done you can save the file and exit. Then we will restart openvpn to make the changes.
Ubuntu/Debian/CentOS/Fedora:

service openvpn restart
CentOS 7:

systemctl start openvpn@443_tcp.service
Connect from the OpenVPN client and login using your radius username & password credentials.

houmie75
OpenVPN Power User
Posts: 72
Joined: Wed Jul 22, 2020 7:46 pm

Re: How to authenticate OpenVPN via FreeRadius?

Post by houmie75 » Fri Jul 31, 2020 11:23 am

TinCanTech wrote:
Thu Jul 30, 2020 11:50 am
Looks like your AUTH-PAM is refusing due to permission on the user not a user/pass fail at all ..
Thank you, allow me to dig deeper and come back to you.
Last edited by houmie75 on Fri Jul 31, 2020 11:29 am, edited 1 time in total.

houmie75
OpenVPN Power User
Posts: 72
Joined: Wed Jul 22, 2020 7:46 pm

Re: How to authenticate OpenVPN via FreeRadius?

Post by houmie75 » Fri Jul 31, 2020 11:28 am

300000 wrote:
Thu Jul 30, 2020 9:40 pm
you are going to the wrong road so it never work , you use pam for local user not for radius user so let look this and start do it again , you need radius client run on so it can authencation with radius server .radius server use for big job so this is your job to do and take time
Thank you for your detailed response. Much appreciated. But you are using the decade old radiusplug that is not supported any longer. I can't even compile it on Ubuntu 20.04 due lack of outdated libraries such as libgcrypt11.

I'm using the newer https://github.com/FreeRADIUS/pam_radius that works entirely differently than the one you have mentioned. And this is where I'm struggling getting it properly to work.

dorr13
OpenVpn Newbie
Posts: 12
Joined: Fri Jan 07, 2022 12:44 am

Re: How to authenticate OpenVPN via FreeRadius?

Post by dorr13 » Wed Jan 26, 2022 6:03 pm

Usually, in addition to the OpenVPN PAM plugin [openvpn-plugin-auth-pam.so], you may need to install libpam-radius-auth.

On Debian: apt-get install libpam-radius-auth

Typically, the configuration file is: /etc/pam_radius_auth.conf

pam_radius_auth.conf includes an example. It needs the RADIUS server address [and port, if non-standard], as well as the shared secret, and timeout.

houmie75
OpenVPN Power User
Posts: 72
Joined: Wed Jul 22, 2020 7:46 pm

Re: How to authenticate OpenVPN via FreeRadius?

Post by houmie75 » Thu Feb 17, 2022 1:40 pm

dorr13 wrote:
Wed Jan 26, 2022 6:03 pm
Usually, in addition to the OpenVPN PAM plugin [openvpn-plugin-auth-pam.so], you may need to install libpam-radius-auth.

On Debian: apt-get install libpam-radius-auth

Typically, the configuration file is: /etc/pam_radius_auth.conf

pam_radius_auth.conf includes an example. It needs the RADIUS server address [and port, if non-standard], as well as the shared secret, and timeout.
Thanks for your reply. I'm not sure if I have used that combination that you mentioned here.

Back then when I was still using Ubuntu, I started using ibpam0g-dev, which worked ok, but was suboptimal.

I ended up using openvpn-auth-radius on Debian, which is a big improvement over PAM. But even there the handshake suffers if the server is too far apart from the client. Maybe I should give your solution a chance after all.

Have you ever tried openvpn-auth-radius?

dorr13
OpenVpn Newbie
Posts: 12
Joined: Fri Jan 07, 2022 12:44 am

Re: How to authenticate OpenVPN via FreeRadius?

Post by dorr13 » Fri Mar 04, 2022 11:13 pm

I have not used openvpn-auth-radius, although that seems like it might be more straightforward in some ways. It might be worth experimenting, as I have a new use-case that differs enough from the original that I am going to have to re-do some of my work. [Required to support Yubikey as well as TOTP from a device-based authenticator even though the available RADIUS can't distinguish between them.]

If RADIUS servers are distant, and latency is great, you can use deferred authentication. It looks like this is for openvpn-auth-pam though. Not sure if asynchronous/deferred authentication is available for openvpn-auth-radius.

For openvpn-auth-pam, enabling asynchronous/deferred is like this:

setenv deferred_auth_pam 1

# I ended up hacking the openvpn-auth-pam plugin to get what I needed.

Comandante
OpenVpn Newbie
Posts: 3
Joined: Thu Jun 08, 2023 6:30 pm

Re: How to authenticate OpenVPN via FreeRadius?

Post by Comandante » Thu Jun 08, 2023 9:50 pm

And what about accounting? Auth works fine, but is there any ability (another module or so on) to send acct requests to radius&

Post Reply