Authenticating OpenVPN Users with FreeRADIUS
Using OpenVPN with the FreeRADIUS package.
Purpose
This document demonstrates how to set up OpenVPN with RADIUS user authentication provided by the FreeRADIUS package.
The firewall can centrally manage usernames and passwords, and this method also supports additional RADIUS-specific options. This is a plus because login times, access limits, and other options become possible.
Requirements
A working OpenVPN remote access server (OpenVPN Remote Access Configuration Example)
The FreeRADIUS Package (FreeRADIUS package)
Add an interface to FreeRADIUS
Navigate to Services > FreeRADIUS, Interfaces tab
Click Add to create a new entry
Enter the following settings, which may already be the default values:
- Interface IP Address:
* or 127.0.0.1 to bind only to localhost
- Port:
1812
- Interface Type:
Authentication
- IP Version:
IPv4
Click Save
Add a NAS client to FreeRADIUS
Navigate to Services > FreeRADIUS, NAS / Clients tab
Click Add to create a new entry
Enter the following settings:
- Client IP Address:
127.0.0.1
- Client Shortname:
Enter the firewall hostname (without the domain)
- Client Shared Secret:
Enter a secure password
- Description:
Local firewall authentication
or similar text to identify this entry
Click Save
Add Users
Navigate to Services > FreeRADIUS, Users tab.
Note
Manage every user who will authenticate with FreeRADIUS/OpenVPN on this tab.
Click Add to create a new entry
Enter the following settings:
- Username / Password:
The credentials for this user.
- Number of simultaneous connections:
(Optional) The number of active connections this user may have at the same time. Leave empty for no limit.
- Session Timeout:
(Optional) The amount of time, in seconds, before the user is disconnected and must login again.
Set any other options as needed to configure or restrict the user in various ways.
Click Save
Repeat as needed for additional users
Add an Authentication Server
Navigate to System > User Manager, Authentication Servers tab
Click Add to create a new entry
Enter the following settings:
- Descriptive name:
Local FreeRADIUS
- Type:
RADIUS
- Hostname or IP address:
127.0.0.1
- Shared Secret:
The password added to the NAS entry in a previous step
- Services offered:
Authentication
- Authentication port:
1812
Click Save
Test RADIUS Authentication
Navigate to Diagnostics > Authentication
Select the newly created authentication server (e.g. Local FreeRADIUS)
Fill in a Username and Password for a user entry in FreeRADIUS
Click Test
If the test succeeded, continue. Otherwise, see the Troubleshooting section.
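The Access-Request that this test sends to the FreeRADIUS interface on 127.0.0.1:1812, and the reply the firewall expects back, as an added Python example (not code from the pfSense documentation or from FreeRADIUS): it implements the RFC 2865 PAP password hiding and the Response Authenticator check against a toy in-process server, and carries the Session Timeout from the Users tab back as the Session-Timeout attribute. The shared secret, user name, password and NAS shortname are constructed values; it also shows why a shared secret that differs between the NAS entry and the Authentication Server entry makes every login fail.

```python
"""RADIUS (RFC 2865) Access-Request / Access-Accept round trip using PAP.

Added example, not from the pfSense documentation or the FreeRADIUS project.
It models the exchange the firewall performs against the FreeRADIUS package
at 127.0.0.1:1812 when Diagnostics > Authentication (or an OpenVPN login)
checks a user. Secret, user, password and NAS shortname are constructed.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_SESSION_TIMEOUT, ATTR_NAS_IDENTIFIER = 1, 2, 27, 32


def _attr(attr_type: int, value: bytes) -> bytes:
    # Type (1 byte), Length (1 byte, counts the 2-byte header), Value.
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1..253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: zero-pad to 16-byte blocks and XOR each block with
    MD5(secret + previous block), chaining from the Request Authenticator.
    Only the shared secret protects the password on the wire."""
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out, prev = out + block, block
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password (server side); strips the zero padding."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out, prev = out + bytes(c ^ m for c, m in zip(block, mask)), block
    return out.rstrip(b"\x00")


def build_access_request(ident: int, username: str, password: str, secret: bytes, nas_id: str) -> bytes:
    """Client (the firewall): Code 1, Identifier, Length, 16 random bytes of
    Request Authenticator, then the attributes."""
    req_auth = os.urandom(16)
    attrs = (_attr(ATTR_USER_NAME, username.encode())
             + _attr(ATTR_USER_PASSWORD, hide_password(password.encode(), secret, req_auth))
             + _attr(ATTR_NAS_IDENTIFIER, nas_id.encode()))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs


def parse_attributes(data: bytes):
    """Walk the TLV attribute list, rejecting truncated or zero-length items."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        a_type, a_len = data[i], data[i + 1]
        if a_len < 2 or i + a_len > len(data):
            raise ValueError("bad attribute length")
        attrs.append((a_type, data[i + 2:i + a_len]))
        i += a_len
    return attrs


def radius_server(request: bytes, secret: bytes, users: dict) -> bytes:
    """Toy server: users maps name -> (password, session_timeout_seconds or None).
    Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attrs + Secret)."""
    attrs = dict(parse_attributes(request[20:]))
    name = attrs.get(ATTR_USER_NAME, b"").decode("utf-8", "replace")
    given = reveal_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, request[4:20])
    ok = name in users and hmac.compare_digest(given, users[name][0])
    reply_attrs = b""
    if ok and users[name][1]:  # Session Timeout from the Users tab
        reply_attrs = _attr(ATTR_SESSION_TIMEOUT, struct.pack("!I", users[name][1]))
    header = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, request[1], 20 + len(reply_attrs))
    return header + hashlib.md5(header + request[4:20] + reply_attrs + secret).digest() + reply_attrs


def verify_response(response: bytes, request: bytes, secret: bytes):
    """Client side: returns (code, {attr_type: value}) only if the identifier
    matches and the Response Authenticator was built with the same secret."""
    if len(response) < 20 or struct.unpack("!H", response[2:4])[0] != len(response):
        return None
    if response[1] != request[1]:
        return None
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    if not hmac.compare_digest(expected, response[4:20]):
        return None
    return response[0], dict(parse_attributes(response[20:]))


def demo() -> dict:
    secret = b"constructed-shared-secret"            # NAS / Clients shared secret
    users = {"vpnuser": (b"correct horse battery", 3600)}  # Users tab entry

    def outcome(req: bytes, client_secret: bytes):
        result = verify_response(radius_server(req, secret, users), req, client_secret)
        if result is None:
            return None
        code, attrs = result
        timeout = attrs.get(ATTR_SESSION_TIMEOUT)
        return code, (struct.unpack("!I", timeout)[0] if timeout else None)

    return {
        "good": outcome(build_access_request(1, "vpnuser", "correct horse battery", secret, "fw01"), secret),
        "bad_password": outcome(build_access_request(2, "vpnuser", "wrong", secret, "fw01"), secret),
        # Authentication Server entry configured with a secret that does not match the NAS entry:
        # the server cannot recover the password and the firewall cannot verify the reply.
        "secret_mismatch": outcome(build_access_request(3, "vpnuser", "correct horse battery", b"typo-secret", "fw01"), b"typo-secret"),
    }


if __name__ == "__main__":
    print(demo())
```

A successful test yields an Access-Accept (code 2) carrying Session-Timeout 3600; a wrong password yields Access-Reject (code 3); a mismatched shared secret yields no verifiable reply at all, which is the symptom to look for when the Diagnostics > Authentication test fails against a NAS entry that otherwise looks correct. Because PAP hides the password with nothing stronger than MD5 keyed by the shared secret, keep the FreeRADIUS interface bound to 127.0.0.1 as described above unless other NAS devices need it.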
Configure OpenVPN to use RADIUS
Navigate to VPN > OpenVPN, Servers tab
Edit the existing remote access OpenVPN server
Set the Mode to either Remote Access (User Auth) or Remote Access (SSL/TLS + User Auth) if it is not already set to one or the other.
Set Backend for authentication to the FreeRADIUS authentication server (e.g. Local FreeRADIUS)
Click Save
Attempt to connect and authenticate with an OpenVPN client
If the test succeeded, the setup is complete. Otherwise, see the Troubleshooting section.
Troubleshooting
The following options can be helpful in troubleshooting FreeRADIUS and OpenVPN. Commands must be run at a shell prompt either via the console or via SSH unless otherwise specified.
See also
The FreeRADIUS package page contains additional troubleshooting information.
Increase the verbosity of OpenVPN Logs
Navigate to VPN > OpenVPN and select the server
Change Verbosity level to 7
This will log everything from OpenVPN
Attempt to connect and authenticate with an OpenVPN client
Navigate to Status > System Logs, OpenVPN tab to check the OpenVPN log for relevant messages
Alternately, watch the log from an SSH or console shell prompt:
# tail -F /var/log/openvpn.log
Watch FreeRADIUS Logs
FreeRADIUS can also log attempted connections/authorizations to find potential problems.
Navigate to Services > FreeRADIUS, Settings tab
Set the options under Logging Configuration to help locate problems.
At a minimum, set the following:
- RADIUS Logging Destination:
System Logs
- RADIUS Logging:
Enable
The remaining options can be left at their defaults but can aid further in debugging if necessary.
Click Save
Attempt to connect and authenticate with an OpenVPN client
Navigate to Status > System Logs to check the system log for relevant messages
Alternately, watch the log from an SSH or console shell prompt:
# tail -F /var/log/system.log
Seek Additional Help
If the cause of the problem is not obvious from the logs, use the information gathered in the previous steps to search the web and/or post on the Netgate Forum for assistance.