Overview
As of 2012-02-23 this document is still up-to-date and I am using this setup on my production server. So don’t worry, if this article is old. There is simply nothing new to add except this comment.
This document describes how to setup a FreeRADIUS server. A MySQL server is used as backend and for the user accounting. OpenVPN and the radiusplugin from Ralf Lübben are used together as nas service.
I do not guarantee for anything in this howto. In my environment this setup is doing a great job here. So hopefully it will do the same for you.
Required software
The installation was done on Ubuntu Gutsy Gibbon and is still valid up to current Lucid Lynx (versions may differ at the moment):
Ubuntu 10.04:
- freeradius (2.1.8+dfsg-1ubuntu1)
- freeradius-mysql (2.1.8+dfsg-1ubuntu1)
- freeradius-ldap (2.1.8+dfsg-1ubuntu1)
- mysql-server-5.1 (5.1.41-3ubuntu12.10)
- openvpn (2.1.0-1ubuntu1.1)
- radiusplugin_v2.1a_beta1.tar.gz (Please download separately)
- libgcrypt11-dev (1.4.4-5ubuntu2)
As time goes by, the versions may change. But package names mostly exist in later releases as well.
I act on the assumption that there is an already running MySQL server.
RADIUS-Server
After having successfully installed freeradius and freeradius-mysql using aptitude (apt-get), you have to change the directory to /etc/freeradius.
radiusd.conf:
Please change the following variables under the section PROXY CONFIGURATION
Please comment out any files-entry and as you can see, please enable the sql statements. The changes should look similar like this::
preprocess
chap
mschap
suffix
eap
sql
}
preacct {
preprocess
acct_unique
suffix
}
accounting {
detail
unix
radutmp
sql
}
For freeradius 2.x in file /etc/freeradius/sites-enabled/default:
sql
}
authenticate {
}
preacct {
acct_unique
}
accounting {
sql
}
session {
sql
}
post-auth {
}
pre-proxy {
}
post-proxy {
}
As you can see, you only require the sql statements and no others. Please give a feedback, if you require more information on freeradius 2.x configuration.
You do not need to change anything else in this configuration files. It keeps as it is.
clients.conf:
secret = EinsupertollesSecret
shortname = localhost
}
The secret should be a secret as far as possible. It will be required in a later configuration file below.
sql.conf:
driver = "rlm_sql_mysql"
server = "127.0.0.1"
login = "radius"
password = "MySQL-passowrd-see-next-paragraph"
radius_db = "radius"
...
}
MySQL
Please insert the following schema into MySQL:
mysql -u root -prootpass radius
mysql -u root -prootpass
mysql> GRANT ALL ON radius.* to radius@'127.0.0.1' IDENTIFIED BY 'Use the same password as in sql.conf';
Next, some example entries:
+----+------------+----------------+----+---------------+
| id | UserName | Attribute | op | Value |
+----+------------+----------------+----+---------------+
| 1 | croessner | Crypt-Password | := | XXXXXXXXXXXXX |
+----+------------+----------------+----+---------------+
You can use the MySQL ENCRYPT() function to create the passwords.
+----+-----------+-----------+----+-------------+
| id | GroupName | Attribute | op | Value |
+----+-----------+-----------+----+-------------+
| 1 | dynamic | Auth-Type | := | Crypt-Local |
+----+-----------+-----------+----+-------------+
mysql> select * from radgroupreply;
+----+-----------+-----------------------+----+-------------+
| id | GroupName | Attribute | op | Value |
+----+-----------+-----------------------+----+-------------+
| 1 | dynamic | Acct-Interim-Interval | = | 60 |
+----+-----------+-----------------------+----+-------------+
mysql> select * from radreply;
+----+------------+-------------------+----+-------------------------------+
| id | UserName | Attribute | op | Value |
+----+------------+-------------------+----+-------------------------------+
| 1 | croessner | Framed-IP-Address | = | 10.10.0.153 |
| 2 | croessner | Framed-Route | = | 192.168.3.0/24 10.10.0.2/32 1 |
+----+------------+-------------------+----+-------------------------------+
Short description:
After the user croessner as logged on, the IP 10.10.0.153 is assigned to his computer as a point-to-point connection with the endpoint IP 10.10.0.154. At the same time, the OpenVPN server manipulates its internal routing table and adds the network 192.168.3.0/24. If you wish to assign more than one route, you have to use the ‘+=’ operator for any additional data set.
+-----------+-----------+----------+
| UserName | GroupName | priority |
+-----------+-----------+----------+
| croessner | dynamic | 1 |
+-----------+-----------+----------+
I have to mention for the table shown here that the usage of the operators seems not to be really trivial. But you can find more information in /usr/share/doc/freeradius/rlm_sql.gz.
I explicitly use “Crypt-Password” entries in these examples. If this is not desired, you can use the attribute “Cleartext-Password”. But doing so, you have to choose the value “Local” in the table “radgroupcheck”.
You can find more information in the README under http://wiki.freeradius.org/SQL_HOWTO.
OpenVPN
As of writing this howto, the freeradius plugin is not available as an Ubuntu package. Therefor you have to download and compile the source code. Please install the GNU compiler “g++” and “make”. Simply a basic installation of tools, giving you the ability to compile C++ applications. Maybe the package “build-essential”.
wget "http://www.nongnu.org/radiusplugin/radiusplugin_v2.1a_beta1.tar.gz"
tar xvzf radiusplugin_v2.1a_beta1.tar.gz
Building the radius plugin:
make
mkdir -p /etc/openvpn/plugins/
cp radiusplugin.so /etc/openvpn/plugins/
cp radiusplugin.cnf /etc/openvpn
The configuration should look something like this (I have removed the comments for better reading):
radiusplugin.cnf:
Service-Type=5
Framed-Protocol=1
NAS-Port-Type=5
NAS-IP-Address=127.0.0.1
OpenVPNConfig=/etc/openvpn/radiusvpn.conf
overwriteccfiles=true
server
{
acctport=1813
authport=1812
name=127.0.0.1
retry=1
wait=1
sharedsecret=Hier das Secret aus der client.conf des Radius-Servers
}
Point-to-Multipoint Server
Please setup a point-to-multipoint configuration. Tip: Use the easy-rsa-package, which you can install seperatly with aptitude:
i.e.:
cd /etc/easy-rsa/2.0/
Edit the file vars and change the lines below, like described in the README.
./clean-all
./build-ca
./build-key-server server
./build-dh
Now you can create one or more client certificates:
cd keys
openvpn --genkey --secret ta.key
Please change to the directory /etc/openvpn
mkdir ssl
cp -a /etc/easy-rsa/keys/{ca.crt,dh1024.pem,ta.key,server.crt,server.key} ssl/
Use an editor and put in the following sample configuration:
radiusvpn.conf:
dev tun
fast-io
user nobody
group nogroup
persist-tun
persist-key
server 10.10.0.0 255.255.255.0
management 127.0.0.1 7505
float
username-as-common-name
client-config-dir ccd
client-to-client
push "redirect-gateway def1"
push "dhcp-option NTP 10.10.0.1"
push "dhcp-option DOMAIN lan"
push "dhcp-option DNS 10.10.0.1"
ping-timer-rem
keepalive 10 60
# Use compression
comp-lzo
# Strong encryption
tls-server
tls-auth ssl/ta.key 0
dh ssl/dh1024.pem
cert ssl/server.crt
key ssl/server.key
ca ssl/ca.crt
plugin /etc/openvpn/radiusplugin.so /etc/openvpn/radiusplugin.cnf
verb 3
mute 10
status /var/log/openvpn/status.log 1
log /var/log/openvpn/radiusvpn.log
mkdir /var/log/openvpn
That´s it 
The server is ready to go. Now you can start the services freeradius, mysql and openvpn.
Afterwards you can configure the client(s). The following output is just an idea of how it could look like. Any further documentation can be found on the project website.
Client example
dev tun
fast-io
persist-key
persist-tun
replay-persist radiusvpn.d/cur-replay-protection.cache
# Our remote peer
nobind
remote <HIER_REMOTE_ADRESSE_DES_OPENVPN_SERVERS> 1194
pull
# Use compression
comp-lzo
# Strong encryption
tls-client
tls-remote server
ns-cert-type server
tls-auth ssl/ta.key 1
cert ssl/common.crt
key ssl/common.key
ca ssl/ca.crt
verb 3
mute 10
auth-user-pass radiusvpn.d/auth-user-pass.conf
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf
# log /var/log/openvpn.log
Change to the given directory and create the file auth-user-pass.conf. Please also refer to the openvpn manpage for the parameter –auth-user-pass.
Update 2010-08-31:
LDAP for authorization and authentication
Instead of using MySQL for authorization and authentication, you can bind FreeRADIUS at an LDAP server. I have not done this with OpenVPN as a NAS yet, but with pppoe-server (rp-pppoe) and the steps should be nearly the same. Here is what I have done.
To use LDAP with freeradius, you need to install freeradius-ldap and slapd.
preprocess
files
sql
ldap
expiration
logintime
}
authenticate {
Auth-Type LDAP {
ldap
}
}
preacct {
preprocess
acct_unique
suffix
files
}
accounting {
sql
}
session {
sql
}
post-auth {
ldap
exec
}
pre-proxy {
}
post-proxy {
}
Notice: You also need the files module, else you can not have LDAP looking up profiles for reply-items. At the moment I do not know, if there is another way for looking up GroupName stuff. Maybe someone else might give a hint here
Modify the users file like this (example):
Reply-Message = "Account disabled. Please call the helpdesk.",
Fall-Through = no
DEFAULT Ldap-Group == flat10000, User-Profile := "uid=flat10000,ou=profiles,ou=radius,ou=wl,dc=example,dc=org"
Fall-Through = no
DEFAULT Auth-Type := Reject
Reply-Message = "Please call the helpdesk."
I am currently unsure how to do some kind of traffic shaping here. The example above was for pppoe which generates ppp+ interfaces. For each interface that comes up, a script inside /etc/ppp/ip-up.d is called. Traffic shaping normally would take place there. But for tun interfaces I have not tried to figure this out, yet.
The ldap module configuration for freeradius might look like this:
server = "wl00.wl.example.org" # Insert your exact FQDN here, if using TLS
identity = "cn=proxyuser,dc=example,dc=org"
password = YOUR-LDAP-PROXYUSER-PW-HERE
basedn = "ou=wl,dc=example,dc=org"
filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
base_filter = "(objectclass=radiusprofile)"
ldap_connections_number = 5
timeout = 4
timelimit = 3
net_timeout = 1
tls {
start_tls = yes
cacertfile = /etc/ssl/certs/cacert_org.crt # I use certificates signed by http://www.cacert.org
require_cert = "demand"
}
dictionary_mapping = ${confdir}/ldap.attrmap
password_attribute = userPassword
edir_account_policy_check = no
groupname_attribute = radiusGroupName
groupmembership_filter = "(&(uid=%{%{Stripped-User-Name}:-%{User-Name}})(objectclass=radiusprofile))"
compare_check_items = no
}
Add the freeradius-schema for LDAP to the slapd.conf (or include it in slapd.d).
A sample init.ldif is shown here:
objectClass: top
objectClass: dcObject
objectClass: organization
dc: example
o: MyCompany
dn: ou=wl,dc=example,dc=org
objectClass: organizationalUnit
objectClass: top
ou: wl
dn: ou=users,ou=wl,dc=example,dc=org
objectClass: organizationalUnit
objectClass: top
ou: users
dn: ou=radius,ou=wl,dc=example,dc=org
objectClass: organizationalUnit
objectClass: top
ou: radius
dn: ou=profiles,ou=radius,ou=wl,dc=example,dc=org
objectClass: organizationalUnit
objectClass: top
ou: profiles
# This sample is from PPPoE and shows some vendor specific attributes
dn: uid=flat10000,ou=profiles,ou=radius,ou=wl,dc=example,dc=org
objectClass: radiusObjectProfile
objectClass: top
objectClass: radiusprofile
uid: flat10000
cn: flat10000
radiusReplyItem: Acct-Interim-Interval := 360
radiusReplyItem: RP-Downstream-Speed-Limit := 10240
radiusReplyItem: RP-Upstream-Speed-Limit := 10240
radiusIdleTimeout: 3600
radiusSessionTimeout: 86400
radiusSimultaneousUse: 1
dn: cn=proxyuser,dc=example,dc=example
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: proxyuser
userPassword: {SSHA}***************
description: LDAP administrator (read-only)
dn: uid=wl00000000,ou=users,ou=wl,dc=example,dc=org
objectClass: inetOrgPerson
objectClass: radiusprofile
uid: wl00000000
cn: Christian Roessner
sn: Roessner
givenName: Christian
l: Cityname_here
postalCode: Zip_code_here
postalAddress: Foobar street 4711
homePhone: +49 000 00000000
mail: sample@example.org
userPassword: Test123West
description: Testuser
radiusGroupName: flat10000
Notice: Maybe you see that I am using cleartext passwords. This differs from using MySQL as source for storing users/pws. I do not see this as a security provlem.
I have configured LDAP to have a proxyuser that has access rights to all data with read-only support.
Here is my sample slapd.conf:
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/freeradius.schema # You can find it in the doc folder somewhere in freeradius
argsfile /var/run/slapd/slapd.args
pidfile /var/run/slapd/slapd.pid
modulepath /usr/lib/ldap
moduleload back_hdb.la
loglevel 256
# Sample security restrictions
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
# Require 63-bit encryption for simple bind
security ssf=1 update_ssf=112 simple_bind=64
TLSCACertificateFile /etc/ssl/certs/cacert_org.crt
TLSCertificateFile /etc/ssl/certs/newcert.pem
TLSCertificateKeyFile /etc/ssl/private/newkey.pem
database frontend
# Sample access control policy:
# Root DSE: allow anyone to read it
# Subschema (sub)entry DSE: allow anyone to read it
# Other DSEs:
# Allow self write access
# Allow authenticated users read access
# Allow anonymous users to authenticate
# Directives needed to implement policy:
access to dn.base=""
by * read
access to dn.base="cn=Subschema"
by * read
access to *
by self write
by users read
by anonymous auth
database config
rootdn cn=config
rootpw {SSHA}*****************
database hdb
suffix dc=example,dc=org
rootdn cn=admin,dc=example,dc=org
rootpw {SSHA}*****************
directory /var/lib/ldap
index objectClass eq
# ... More indexes where added with Apache-Directory-Studio and not listed here
access to attrs=userPassword,shadowLastChange
by self write
by dn.exact="cn=proxyuser,dc=example,dc=org" read
by anonymous auth
by * none
access to *
by dn.exact="cn=proxyuser,dc=example,dc=org" read
by users read
by * none
After finishing, you can delete everything from the MySQL server concerning users. The only table that will still be used is the radacct table. All the other tables are empty. But you also can store users in both servers. Storing one user in both is a bad idea
See a final radtest here:
Sending Access-Request of id 215 to 127.0.0.1 port 1812
User-Name = "wl00000000"
User-Password = "PW_for_wl00000000"
NAS-IP-Address = 127.0.1.1
NAS-Port = 0
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=215, length=62
Idle-Timeout = 3600
Session-Timeout = 86400
Acct-Interim-Interval = 360
RP-Downstream-Speed-Limit = 10240
RP-Upstream-Speed-Limit = 10240
Well, again, you see results made for pppoe. Unsure, if this should remain here in this article, but maybe it gives you an idea, what you can do with LDAP and RADIUS…
If you run the ldap- and freeradius server on the same machine, you also could forget about using tls and use a unix socket instead (/etc/freeradius/module/ldap: server=”ldapi://%2fvar%2frun%2fslapd%2fldapi”). This works with ssf from slapd.conf aswell. I use ldapi and tls, so I can manage LDAP from remote with Apache Directory Studio and have a working setup, even I forgot to renew the server certificate
I know the part binding freeradisu to an ldap might be not as good as the first part of this howto, but I am short in time Hope it works for you.
-- Download OpenVPN RADIUS MySQL/LDAP Howto als PDF --
Deutsch
For Windows users:
The config file should look something like this:
[...]
ca ssl/ca.crt
verb 3
mute 10
auth-user-pass
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf
[...]
Have a look at the documentation of the OpenVPN project for more information, why this feature is unavailable.
I have found another bug. Remove the up/down and log options under Windows, if using the OpenVPN-GUI
save to my Bookmarks
hi,
Im very new to FreeRADIUS,
i have been trying to setup a radius server for about a week now, am still unable to get the mysql authentication to freeradius, i have set everything for my best. but its not working, when i try from console, “sudo radtest mysqltest testsecret 127.0.0.1 0 radiussecret”, it just keep replying me “Sending Access-Request of id 204 to 127.0.0.1 port 1812″ for about 10 times and at the end it gives, “radclient: no response from server for ID 204 socket 3″.
I am sorry, but I am currently less in time. I have to write some tests next week.
Little problem.. Auth – All Fine.. But Accouting – nothing.. in log:
RADIUS-PLUGIN: BACKGROUND ACCT: No accounting data was found for …. so in\out octets = 0 in mysql table..
version of software:
openvpn –version
OpenVPN 2.1_rc11 i486-pc-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] built on Sep 18 2008
—
radiusplugin_v2.1_beta
—
wtf? =(
Could you get your problem fixed? I did not have the time to answer, yet, sorry.
yes.. i fix this problem.. trouble was in status file format:
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
but radiusplugin read him as
Virtual Address,Bytes Received,Bytes Sent,Connected Since
in source file AcctScheduler.cpp in function parseStatusFile
so i replace parameter user->getKey() to user->getCommonname() (in my version CommonName is UNIQUE) like this:
this->parseStatusFile(context, &bytesin, &bytesout,user->getCommonname().c_str());
and accounting begin work..
P.S. sorry for my english – i’m russian..
Hi,
directly after your last answer, I posted this to Ralf. Today he wrote this over the mailing list:
[...]
I uploaded a new beta version. In the old beta version the accounting does not
work properly.
[...]
i’ve tried yout tutorial…. and it works great… thank you…
But i have one problem… the openvpn doesn’t read the profile user in freeradius…
i set the profile bandwidth max up/down to every user to 128 kbps / 128 kbps…
But users still get bandwidht more than 128/128 kbps…
how to limit bandwidth of every user ?
sorry, my english not so good,, but i hope you can understand my question…
please.. help me…
Just taken a short look at this topic, quite interesting, but since I never played around with OpenVPN & RADIUS before, I have no clue, what it can do for me. I am to setup OpenVPN, to connect our SOHO LAN with our rootserver, but I am not sure, what benefits I’d have with combining it with RADIUS.
Christian, how many users to you handle with this setup? And how exactly do you use this setup (means, you explained, how you have set it up, but not what it exactly does for you / what the benefit is compared to a setup without RADIUS)?
Well, I started doing this setup here, when I played around with Linksys WRT54G routers. I had set up a wireless distributed network over four house levels. All this with openwrt. Because the chipset inside the WRTs was a braodcom, the driver was proprietary. The nas-part which normally handles the wpa-2 stuff was broken. So I only could use unencrypted connections. So I decided to setup a RADIUS server with openvpn on my root-server, too, like you said. So people could log in with there username and password and could surf secured.
At the moment, this setup is only active for my family. I use it, if thes do have problems at home. But I had about 20 users, when the routers where active here (I have finished this service here with wireless distributed network).
The radius server has the advantage that you do not need a hand made auth-script for openvpn. I like the user information to be inside MySQL. And as described I think about doing authentication over ldap. So this setup actually is some kind of a testing platform for me to learn more about all this. Hope, you could understand me. I have not hda coffee, yet, this morning *g*
Looks like I really have to do some reading on RADIUS.
@ alexdob
can you past all AcctScheduler.cpp
becuase i try to modify like your modification but not work
How can configure radius with mysql ?
It works But can’t assign specific ip(10.10.0.153),Why can you tell me?
I want my vpnclient connect my sever will get a static ip address,but I could not Realize it,(openvpn rediusplugin mysql framed-ip-address ),I want use ‘auth-user-pass’ auth type
can you help me, thank you
At the moment I have less time, so pls maybe you can help yourself guys?
Ok,I will try it again and again untiall success,thanks for your reply.
I want to know ,openvpn server how push the mask to client, the cient can get the ip address from server but can’t get the mask, Anyways I set the mask in the redius to push the client get mask 255.255.255.0 always, I don’t know the server push the mask to client base on
Hey,
I have enabled DHCP but for some users I need to provide them a static IP address. It is not working with the use of RADIUS, RADIUS Is not replying with an IP address as listed in framed-IP-Address, it is still assigning dynamically.
Could you help please
Did you find the problem, yet? Or can you provide more details to your current configuration, so others have a chance to review it?
No, I have not found a solution yet, what configuration do you want me to put radius or Open VPN,
For openVPN i have defined a set of IP address to allocate to a user, same I have configured for PPTP on the same server, when some one request an IP through PPTP they get assigned with an static IP but for VPN connection, system allocates through a pool of dynamic IP address.
Hi,
Thanks for a good write-up
BTW if you are compiling the radiusplugin on Debian lenny as I was, and you are getting this error message:
RadiusClass/RadiusAttribute.h:24:20: error: gcrypt.h: No such file or directory
and you already have libgcrypt11 installed you will also need to “apt-get install libgcrypt11-dev” as well, only then will your platform has the libcrypt “headers” available to build the plugin.
This information was sourced from:
http://jan-krueger.net/development/truecrypt-system-drive-on-linux
Solution for ip address assignment via FreeRadius:
1. You will have to use at least OpenVPN 2.1
2. Add option “topology subnet” to openvpn.conf (server)
3. Uncomment option “subnet=255.255.255.0″ in radiusplugin.cnf
4. ???
5. PROFIT !!!
If this doesn’t help, provide some details.
I tried your solution for IP address assignment via FreeRadius and it works. Thanks a lot for posting this useful information. I was able to save a lot of time.
This is the best howto i’ve ever seen, well organized, well explained…
Thanks, BIG TIME …
Thank you very much
Thanks a lot!! I did it in Gentoo with little modifications and works!!
Hi
please i would like to know how to run the “make ” for radiusplugin_v2.0b_beta2 . cause i have not radiusplugin.so appears after run make
thanks
Hi, I had not updated the reuqirements for a long time, which I did right after your last comment. There is a newer version of the radiusplugin available. So see above (link included) and follow the instructions at the bottom of the howto. If it still does not build, maybe provide additional information to us.
Hi
ok i went to try it now
and give you the result after
thanks for all
I have to configure the LDAP authentication to my Open VPN server so please help me how can I do this?
Please guide me
Thanks
Harsh Shah
Have you already tried the addtions to LDAP shown above, yet?
Hi,
I’ve tried to configure IP address assigning from FreeRadius, but can’t do it, OpenVPN still assign addresses fom local pool.
I’m did everything what I can found here, topology etc etc,
but I saw from FreeRadius Logs that IP was assigned:
rlm_sql (sql): Released sql socket id: 2
++[sql] returns ok
Sending Access-Accept of id 241 to 10.179.176.90 port 46971
Service-Type = Framed-User
Framed-IP-Netmask = 255.255.255.0
Framed-Routing = Broadcast-Listen
Framed-Compression = Van-Jacobson-TCP-IP
Acct-Interim-Interval = 5
Framed-Protocol = PPP
Framed-MTU = 1500
Framed-IP-Address = 10.8.0.4
but server assigned to client 10.8.0.2.
Can you pls help?
Also accounting didn’t work,
ADIUS-PLUGIN: BACKGROUND ACCT: No accounting data was found for hostame,ip:60529.
a lof of these records, but no accounting inside DB.
Has anyone got Framed IP to work?
Heres the answear using radtest;
Sending Access-Request of id 133 to x.x.x.x port 1812
User-Name = “randomdude”
User-Password = “abc123″
NAS-IP-Address = x.x.x.x
NAS-Port = 0
rad_recv: Access-Accept packet from host x.x.x.x port 1812, id=133, length=32
Framed-IP-Address = 10.55.0.199
Acct-Interim-Interval = 60
But when I connect the server doesnt push this FramedIP.
Thu Nov 4 16:39:39 2010 us=267838 client1/x.x.x.x:3045 SENT CONTROL [client1]: ‘PUSH_REPLY,redirect-gateway,dhcp-option DNS 8.8.8.8,route 10.55.0.1,topology net30,ping 10,ping-restart 30,ifconfig 10.55.0.6 10.55.0.5′ (status=1)
Fredik, You must set up in your OPENVPN config file: client-config-dir ( directory must exist)
sample:
ON linux: mkdir ccd
openvpn config file:
client-config-dir ccd
I have this line in my config but i don’t have directory and I have similar problem.
I compared my current config on the server with the one above. Still the old same config and it works. So maybe you have missed some part from the howto?
Firstable, I’d like to thank you Chris for your work and effort. This is very nice howto, especialy for newbies in this sphere – like me
I’ve a question, about i’ve searched in google, but nothing found. When i try to authenticate with my openvpn client, i recieve this message: “AUTH: Received AUTH_FAILED control message”
The openvpn/radius server is giving this strange error in the message log:
====
openvpn[11168]: Libgcrypt warning: missing initialization – please fix the application
====
The server is – Centos 5.5 (i386)
OpenVpn: 2.1.1-2
radiusplugin:
===
RadiusPlugin: 2.0b/2.1a (the same problem in both versions)
===
libgcrypt:
===
libgcrypt-devel-1.4.4-5.el5
libgcrypt-1.4.4-5.el5
===
Any suggestions ?
Thx in advance !
To be honest?? I have no idea on that. I still use that setup on Ubuntu LTS (Lucid) and I did not yet stumble over this problem. Maybe someone else does know a soulution.
Sorry for posting that, before i’ve fully investigated the case.
After some debugging i made, realize that the problem was in openvpn authentication to radiusd (i.e. different secrets). I corrected the issue, and everything is just fine now. The log entries mislead me, because of the strange error..
radius plugin version 2.0 wont compile with latest g++ versions ..
but they fixed the problem and using radius plugin v2.1 fixes the problem :
http://www.nongnu.org/radiusplugin/radiusplugin_v2.1a_beta1.tar.gz
I have modified the article today. Still not perfect, but at least pointing to up-to-date version of radiusplugin. Thanks
I have set up openvpn + freeradius and its working except Framed-IP-Address .
openvpn is selecting an IP from its IP Pool list and ignoring the IP that sents by freeradius ..
Does anybody have any idea to fix this problem ?
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 4
modcall[authorize]: module “preprocess” returns ok for request 4
modcall[authorize]: module “chap” returns noop for request 4
modcall[authorize]: module “mschap” returns noop for request 4
rlm_eap: EAP packet type response id 1 length 21
rlm_eap: No EAP Start, assuming it’s an on-going EAP conversation
modcall[authorize]: module “eap” returns updated for request 4
users: Matched entry stacked.35.31241 at line 1
modcall[authorize]: module “files” returns ok for request 4
rlm_pap: Found existing Auth-Type, not changing it.
modcall[authorize]: module “pap” returns noop for request 4
modcall: leaving group authorize (returns updated) for request 4
rad_check_password: Found Auth-Type EAP
auth: type “EAP”
ERROR: Unknown value specified for Auth-Type. Cannot perform requested action.
auth: Failed to validate the user.
I need to know the cause for this error
Have you enabled any EAP modules? You do not need them here.
I have experienced Framed IP Address problem too. And after several hours of debugging I found solution, at least for my problem.
– I was running openvpn directly from openvpn folder(/etc/openvpn):
openvpn –daemon vpnserver1 –config vpnserver1.conf
– Radius plugin was writing to ccd folder (which it was reading from vpnserver1.conf file) correctly.
– But openvpn itself, was not able to find “ccd” folder despite “client-config-dir ccd” configuration line.
– At the end, adding this line to the vpnserver1.conf file did the trick(without using “topology subnet” option):
cd /etc/openvpn
– Running this from command line would do the same:
openvpn –daemon vpnserver1 –config vpnserver1.conf –cd /etc/openvpn
So, it is basically a relative path/absolute path problem…
ENVIRONMENT
CentOS 5.6 x86_64
freeradius2-2.1.7-7.el5
radiusplugin_v2.1a_beta1
OpenVPN 2.2.1
Yes, this document was written on top of Ubuntu/Debian distributions. Their init scripts are using –cd and therefor you never would get this problem. But thanks for your help.