Configuring OpenVPN to authenticate with FreeRADIUS part 2


Earlier in this series, we installed and configured openVPN and freeRADIUS as stand-alone servers. In this tutorial, we will bind the two together so that openVPN users are authenticated against the freeRADIUS database. If you have landed on this page directly, I would recommend that you first have a look at the configuring openVPN and configuring freeRADIUS guides. So, without wasting any more time, let’s have a look at the configuration.

1. Get on the freeRADIUS server, edit the file ‘/etc/raddb/clients.conf’ and add/edit the following client stanza:

client your_openVPN_server_IP {
    secret = shared_secret
    shortname = OpenVPNServer
    nastype = other
}

Make sure to replace “your_openVPN_server_IP” with the actual IP address of your VPN server, i.e. the address the RADIUS requests will arrive from. If RADIUS and VPN are hosted on the same server, avoid ‘localhost’ or ‘127.0.0.1’; just put in the IP of the server as it is (if the setup is internal, fill in the internal IP; if the setup is supposed to serve clients from the internet, fill in the public IP. It totally depends upon how you have set it up).

2. Restart the freeRADIUS service so that the changes take effect:

/etc/init.d/radiusd restart

3. Switch to the openVPN server and install the pre-requisites, which are, well, necessary:

yum install libgcrypt libgcrypt-devel gcc-c++

4. Next, we will download ‘radiusplugin’ and build it from source. Believe me, it is a hell of a lot easier with radiusplugin, irrespective of the horror stories you might have heard about compiling a package from source.

cd /tmp
wget http://www.nongnu.org/radiusplugin/radiusplugin_v2.1a_beta1.tar.gz
tar -xvzf radiusplugin_v2.1a_beta1.tar.gz
cd radiusplugin_v2.1a_beta1/
make

5. Once that is complete (it takes only seconds), copy the configuration file and the library (*.so) file to /etc/openvpn/:

cp radiusplugin.so /etc/openvpn/
cp radiusplugin.cnf /etc/openvpn/

6. Open up the configuration file that we just copied with your favorite editor and make the following changes:

server
{
    # The UDP port for radius accounting.
    acctport=1813
    # The UDP port for radius authentication.
    authport=1812
    # The name or IP address of the radius server (replace X.X.X.X with your freeRADIUS server).
    name=X.X.X.X
    # The shared secret; it must match the 'secret' in the client stanza on the radius server.
    sharedsecret=shared_secret
    # How many times should the plugin resend the request if there is no response?
    retry=2
    # How long should the plugin wait for a response?
    wait=1
}

7. Open up the openVPN server configuration file, /etc/openvpn/server.conf, with your favorite text editor and add/uncomment/edit the following line:

plugin /etc/openvpn/radiusplugin.so /etc/openvpn/radiusplugin.cnf

8. Also, comment out the following line if it is not already commented out:

plugin /usr/lib/openvpn/plugin/lib/openvpn-auth-pam.so /etc/pam.d/login

9. Restart the openVPN service as:

/etc/init.d/openvpn restart

10. On the client machine, uncomment the following line in the client configuration if it is not already uncommented:

auth-user-pass

11. Add a user from the web interface (daloRADIUS) that we installed previously.

12. Connect to your openVPN server using the username and password we just added in the previous step. If everything works well, you will be authenticated against the freeRADIUS database.
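To see what the shared secret from steps 1 and 6 actually protects on the wire, here is an added example (not code from this post or from radiusplugin) that builds an RFC 2865 Access-Request the way a NAS does and decodes it again on the server side; the user, password, secret and fixed authenticator are constructed values.

```python
"""RADIUS Access-Request (RFC 2865) as a NAS such as radiusplugin sends it.
Added example, not code from the post or radiusplugin; all values constructed."""
import hashlib
import os
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def hide_password(password, secret, authenticator):
    """RFC 2865 s5.2: c_i = p_i XOR MD5(secret + c_{i-1}), c_0 = Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)  # pad to 16-byte blocks
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out += prev
    return out


def reveal_password(hidden, secret, authenticator):
    """Server side of the same computation; a wrong secret yields garbage."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attribute(attr_type, value):
    # Type-Length-Value; Length includes the two header bytes.
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(user, password, secret, ident=1, authenticator=None):
    """Code(1) Identifier(1) Length(2) Authenticator(16) Attributes..."""
    authenticator = authenticator or os.urandom(16)
    attrs = attribute(ATTR_USER_NAME, user.encode()) + attribute(
        ATTR_USER_PASSWORD, hide_password(password.encode(), secret, authenticator))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + authenticator + attrs


def parse_access_request(packet, secret):
    """Return (code, user, password bytes) as FreeRADIUS would see them."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    authenticator, attrs, pos = packet[4:20], {}, 20
    while pos < length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        attrs[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    password = reveal_password(attrs[ATTR_USER_PASSWORD], secret, authenticator)
    return code, attrs[ATTR_USER_NAME].decode(), password
```

Decoding the same packet with a secret that differs from the one in the client stanza produces garbage, which is exactly what happens when clients.conf and radiusplugin.cnf disagree.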

Hope you enjoy this series. If you have any questions, feel free to comment here, or you may always reach me at ‘questions@techlinux.net’.

Have fun!
