I am trying to set up OpenVPN to authenticate against a FreeRADIUS server. Both the OpenVPN server and the FreeRADIUS server run CentOS 6.6 (but they are on different machines).
When I authenticate with a certificate, OpenVPN works fine, but it does not work when I enable the radius plugin.
This is my server.conf for the OpenVPN server:

```
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key # This file should be kept secret
dh dh2048.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
keepalive 10 120
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
log openvpn.log
verb 5
plugin /etc/openvpn/radiusplugin.so /etc/openvpn/radiusplugin.cnf
#client-cert-not-required
username-as-common-name
```

This is client.ovpn:

```
client
dev tun
proto udp
remote 31.170.104.255 1194
resolv-retry infinite
nobind
persist-key
persist-tun
auth-user-pass
comp-lzo
verb 3
```

These are the settings from the FreeRADIUS clients.conf:

```
client 31.170.104.255 {
secret = testing@123
shortname = OpenVPNServer
nastype = other
}
```

This is radiusplugin.cnf:

```
#Our name, can be anything...
NAS-Identifier=VPN
#some default RADIUS-parameters
Service-Type=5
Framed-Protocol=1
NAS-Port-Type=5
#Our IP, if RADIUS is configured with IP based
#access restriction you better put the correct one in...
NAS-IP-Address=192.168.122.120
#The plugins needs to interpret the used configuration file
OpenVPNConfig=/etc/openvpn/server.conf
#The plugin may interfere with the client configuration directories
#if necessary
overwriteccfiles=true
server
{
#The authentification Port of the RADIUS server
authport=1812
#The IP of the RADIUS server
name=5.45.176.77
#How often should an authentifications be retried before marked as "failed"?
retry=1
wait=1
#Shared secret of the RADIUS server
sharedsecret=testing@123
}
```

This is the log from the RADIUS server:

```
Sun Jul 26 19:10:32 2015 : Auth: Login incorrect (rlm_pap: CLEAR TEXT password check failed): [cveksoni/SCRV1:bmV3MTIz:Tm9uZQ==] (from client OpenVPNServer port 1 cli 109.245.135.69)
Sun Jul 26 19:10:33 2015 : Auth: Login incorrect (rlm_pap: CLEAR TEXT password check failed): [cveksoni/SCRV1:bmV3MTIz:Tm9uZQ==] (from client OpenVPNServer port 1 cli 109.245.135.69)
```

This is the log from the OpenVPN server:

```
Sun Jul 26 19:06:58 2015 us=381017 Initialization Sequence Completed
Sun Jul 26 19:07:09 2015 us=653400 MULTI: multi_create_instance called
Sun Jul 26 19:07:09 2015 us=653579 109.245.135.69:49658 Re-using SSL/TLS context
Sun Jul 26 19:07:09 2015 us=653641 109.245.135.69:49658 LZO compression initialized
Sun Jul 26 19:07:09 2015 us=653834 109.245.135.69:49658 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:3 ]
Sun Jul 26 19:07:09 2015 us=653860 109.245.135.69:49658 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:143 ET:0 EL:3 AF:3/1 ]
Sun Jul 26 19:07:09 2015 us=654030 109.245.135.69:49658 Local Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Sun Jul 26 19:07:09 2015 us=654051 109.245.135.69:49658 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Sun Jul 26 19:07:09 2015 us=654091 109.245.135.69:49658 Local Options hash (VER=V4): '530fdded'
Sun Jul 26 19:07:09 2015 us=654114 109.245.135.69:49658 Expected Remote Options hash (VER=V4): '41690919'
RSun Jul 26 19:07:09 2015 us=654207 109.245.135.69:49658 TLS: Initial packet from [AF_INET]109.245.135.69:49658, sid=322d2479 281a8ec0
WRRWRWRWWWWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRRRRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRSun Jul 26 19:07:11 2015 us=39913 109.245.135.69:49658 VERIFY OK: depth=1, C=US, ST=DE, L=Wilmington, O=SuperVPN, OU=SuperVPN, CN=SuperVPN CA, name=server, emailAddress=contact@supervpn.net
Sun Jul 26 19:07:11 2015 us=40224 109.245.135.69:49658 VERIFY OK: depth=0, C=US, ST=DE, L=Wilmington, O=SuperVPN, OU=SuperVPN, CN=client, name=server, emailAddress=contact@supervpn.net
WRWRWRWRWRWRWRWRWRWRWRSun Jul 26 19:07:11 2015 RADIUS-PLUGIN: FOREGROUND: OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY is called.
Sun Jul 26 19:07:11 2015 RADIUS-PLUGIN: FOREGROUND THREAD: Auth_user_pass_verify thread started.
Sun Jul 26 19:07:11 2015 RADIUS-PLUGIN: FOREGROUND: Commonname set to Username
Sun Jul 26 19:07:11 2015 RADIUS-PLUGIN: FOREGROUND THREAD: Waiting for new user.
Sun Jul 26 19:07:11 2015 RADIUS-PLUGIN: FOREGROUND: Key: 109.245.135.69:49658.
Sun Jul 26 19:07:11 2015 RADIUS-PLUGIN: FOREGROUND THREAD: New user from OpenVPN!
Sun Jul 26 19:07:11 2015 RADIUS-PLUGIN: FOREGROUND THREAD: New user.
Sun Jul 26 19:07:11 2015 RADIUS-PLUGIN: FOREGROUND THREAD: New user: username: cveksoni, password: *****, newuser ip: 109.245.135.69, newuser port: 49658 .
Sun Jul 26 19:07:11 2015 RADIUS-PLUGIN: BACKGROUND AUTH: New user auth: username: cveksoni, password: *****, calling station: 109.245.135.69, commonname: client.
Sun Jul 26 19:07:11 2015 RADIUS-PLUGIN: radius_server().
Sun Jul 26 19:07:11 2015 RADIUS-PLUGIN: Build password packet: password: *****, sharedSecret: *****.
Sun Jul 26 19:07:11 2015 RADIUS-PLUGIN: Send packet to 5.45.176.77.
Sun Jul 26 19:07:12 2015 RADIUS-PLUGIN: Got no response from radius server.
Sun Jul 26 19:07:12 2015 Sun Jul 26 19:07:12 2015 Error: RADIUS-PLUGIN: BACKGROUND AUTH: Auth failed!.
Sun Jul 26 19:07:12 2015 RADIUS-PLUGIN: FOREGROUND THREAD: Waiting for new user.
Sun Jul 26 19:07:12 2015 us=344357 109.245.135.69:49658 PLUGIN_CALL: POST /etc/openvpn/radiusplugin.so/PLUGIN_AUTH_USER_PASS_VERIFY status=1
Sun Jul 26 19:07:12 2015 us=344434 109.245.135.69:49658 PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1: /etc/openvpn/radiusplugin.so
Sun Jul 26 19:07:12 2015 us=344538 109.245.135.69:49658 TLS Auth Error: Auth Username/Password verification failed for peer
WWWRRRSun Jul 26 19:07:12 2015 us=434197 109.245.135.69:49658 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Sun Jul 26 19:07:12 2015 us=434248 109.245.135.69:49658 [client] Peer Connection Initiated with [AF_INET]109.245.135.69:49658
RSun Jul 26 19:07:14 2015 us=903170 109.245.135.69:49658 PUSH: Received control message: 'PUSH_REQUEST'
Sun Jul 26 19:07:14 2015 us=903245 109.245.135.69:49658 Delayed exit in 5 seconds
Sun Jul 26 19:07:14 2015 us=903309 109.245.135.69:49658 SENT CONTROL [client]: 'AUTH_FAILED' (status=1)
WWWSun Jul 26 19:07:19 2015 us=146275 109.245.135.69:49658 SIGTERM[soft,delayed-exit] received, client-instance exiting
```

Please tell me what I am doing wrong. Thank you.
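The `[cveksoni/SCRV1:...]` field in the rlm_pap rejection above is the credential exactly as FreeRADIUS received it, and `SCRV1:<base64 password>:<base64 response>` is OpenVPN's static-challenge encoding of a username/password prompt, which rlm_pap compares literally against the stored password. As an added example (not part of the question or of either project), this parser reads such rlm_pap "Login incorrect" lines and reports whether the password arrived SCRV1-wrapped rather than clear; the log lines, user names and addresses it runs on are constructed.

```python
import base64
import re

# Constructed sample lines shaped like the FreeRADIUS "Login incorrect" messages in
# the question; the user names, passwords and addresses here are made up.
SAMPLE_LOG = """\
Sun Jul 26 19:10:32 2015 : Auth: Login incorrect (rlm_pap: CLEAR TEXT password check failed): [alice/SCRV1:cGFzc3dvcmQ=:Tm9uZQ==] (from client OpenVPNServer port 1 cli 192.0.2.10)
Sun Jul 26 19:10:40 2015 : Auth: Login incorrect (rlm_pap: CLEAR TEXT password check failed): [bob/wrongpass] (from client OpenVPNServer port 1 cli 192.0.2.11)
"""

# rlm_pap prints the rejected credential as [User-Name/User-Password], followed by
# the NAS shortname from clients.conf and the Calling-Station-Id.
PAP_FAIL = re.compile(
    r"rlm_pap: CLEAR TEXT password check failed\): "
    r"\[(?P<user>[^/\]]+)/(?P<password>[^\]]*)\] "
    r"\(from client (?P<nas>\S+) port (?P<port>\d+) cli (?P<cli>\S+)\)"
)

def decode_scrv1(value):
    """Split an OpenVPN static-challenge credential SCRV1:<b64 password>:<b64 response>.
    Returns (password, response), or None when the value is not SCRV1-encoded."""
    parts = value.split(":")
    if len(parts) != 3 or parts[0] != "SCRV1":
        return None
    try:
        return tuple(base64.b64decode(p, validate=True).decode() for p in parts[1:])
    except (ValueError, UnicodeDecodeError):
        return None

def parse_pap_failures(log_text):
    """One record per rejected PAP login. Secrets are not copied into the record,
    only the password length and the (non-secret) challenge response."""
    records = []
    for m in PAP_FAIL.finditer(log_text):
        decoded = decode_scrv1(m.group("password"))
        records.append({
            "user": m.group("user"), "nas": m.group("nas"), "cli": m.group("cli"),
            "encoding": "scrv1" if decoded else "clear",
            "password_len": len(decoded[0] if decoded else m.group("password")),
            "challenge_response": decoded[1] if decoded else None,
        })
    return records

def diagnose(rec):
    """Explain the rejection from the way the password reached the RADIUS server."""
    if rec["encoding"] == "scrv1":
        return ("%s: client sent SCRV1 static-challenge encoding, so rlm_pap compared "
                "the literal 'SCRV1:...' string with the stored password; the NAS must "
                "unwrap SCRV1 or the client must send a plain password" % rec["user"])
    return "%s: plain password received and it did not match the stored one" % rec["user"]
```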