Authenticating OpenVPN Users with FreeRADIUS

Using OpenVPN with the FreeRADIUS package.

Purpose

This document demonstrates how to set up OpenVPN with RADIUS user authentication provided by the FreeRADIUS package.

With this method the firewall manages usernames and passwords centrally, and RADIUS-specific options become available as well, such as login time restrictions, limits on simultaneous connections, and other per-user controls.

Requirements

Add an interface to FreeRADIUS

  • Navigate to Services > FreeRADIUS, Interfaces tab

  • Click Add to create a new entry

  • Enter the following settings, which may already be the default values:

    Interface IP Address:

    * or 127.0.0.1 to bind only to Localhost

    Port:

    1812

    Interface Type:

    Authentication

    IP Version:

    IPv4

  • Click Save

Add a NAS client to FreeRADIUS

  • Navigate to Services > FreeRADIUS, NAS / Clients tab

  • Click Add to create a new entry

  • Enter the following settings:

    Client IP Address:

    127.0.0.1

    Client Shortname:

    Enter the firewall hostname (without the domain)

    Client Shared Secret:

    Enter a strong password. This is the shared secret the firewall must present on every RADIUS request to this server.

    Description:

    Local firewall authentication or similar text to identify this entry

  • Click Save

Add Users

  • Navigate to Services > FreeRADIUS, Users tab.

    Note

    Manage every user who will authenticate with FreeRADIUS/OpenVPN on this tab.

  • Click Add to create a new entry

  • Enter the following settings:

    Username / Password:

    The credentials for this user.

    Number of simultaneous connections:

    (Optional) The number of active connections this user may have at the same time. Leave empty for no limit.

    Session Timeout:

    (Optional) The amount of time, in seconds, before the user is disconnected and must log in again.

    Set any other options as needed to configure or restrict the user in various ways.

  • Click Save

  • Repeat as needed for additional users

Add an Authentication Server

  • Navigate to System > User Manager, Authentication Servers tab

  • Click Add to create a new entry

  • Enter the following settings:

    Descriptive name:

    Local FreeRADIUS

    Type:

    RADIUS

    Hostname or IP address:

    127.0.0.1

    Shared Secret:

    The password added to the NAS entry in a previous step

    Services offered:

    Authentication

    Authentication port:

    1812

  • Click Save

Test RADIUS Authentication

  • Navigate to Diagnostics > Authentication

  • Select the newly created authentication server (e.g. Local FreeRADIUS)

  • Fill in a Username and Password for a user entry in FreeRADIUS

  • Click Test

If the test succeeded, continue. Otherwise, see the Troubleshooting section.
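The test above sends a RADIUS Access-Request from the firewall (acting as the NAS) to FreeRADIUS and waits for an Access-Accept or Access-Reject. The following is an added example, not code from pfSense or FreeRADIUS, that simulates both sides of that exchange in-process per RFC 2865 with PAP, so the role of the shared secret is visible: the NAS hides the User-Password with MD5(secret + Request Authenticator), the server reveals it with the same secret, and the client checks the Response Authenticator with the same secret. The secret, username and password values are constructed. It generalizes the page's single test to three cases: correct password, wrong password, and a NAS shared secret that does not match the server's.

```python
"""Minimal RADIUS Access-Request / Access-Accept exchange (RFC 2865, PAP).

Added example; not part of the pfSense or FreeRADIUS code.  Both the client
(the firewall acting as NAS) and the server (a FreeRADIUS stand-in) run
in-process so the effect of the shared secret can be observed offline.
"""
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4

SECRET = b"example-shared-secret"     # constructed value, not a real secret
USERS = {"vpnuser": "correct horse"}   # constructed user database


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-byte blocks, XOR each block with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    if not 0 < len(password) <= 128:
        raise ValueError("RADIUS PAP passwords must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += block
        prev = block
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password.  With the wrong secret this yields garbage, which
    the server simply fails to match: a secret mismatch surfaces as a reject or an
    ignored request, not as a distinct 'bad secret' error."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        out += _xor(hidden[i:i + 16], hashlib.md5(secret + prev).digest())
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def _attr(attr_type: int, value: bytes) -> bytes:
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attributes(data: bytes) -> dict:
    """Parse RADIUS TLV attributes into {type: value}; rejects malformed lengths."""
    attrs, i = {}, 0
    while i + 2 <= len(data):
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        attrs[attr_type] = data[i + 2:i + length]
        i += length
    return attrs


def build_access_request(ident, username, password, secret, nas_ip="127.0.0.1", authenticator=None):
    """NAS side.  Returns (packet, request_authenticator)."""
    authenticator = authenticator or os.urandom(16)
    attrs = (_attr(ATTR_USER_NAME, username.encode())
             + _attr(ATTR_USER_PASSWORD, hide_password(password.encode(), secret, authenticator))
             + _attr(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + authenticator + attrs, authenticator


def handle_access_request(packet: bytes, secret: bytes, users: dict) -> bytes:
    """Server side.  `users` maps username -> cleartext password (PAP check)."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        raise ValueError("not a well-formed Access-Request")
    request_auth = packet[4:20]
    attrs = parse_attributes(packet[20:length])
    username = attrs.get(ATTR_USER_NAME, b"").decode(errors="replace")
    password = reveal_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, request_auth)
    expected = users.get(username)
    reply_code = ACCESS_ACCEPT if expected is not None and expected.encode() == password else ACCESS_REJECT
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret); no reply attributes here.
    header = struct.pack("!BBH", reply_code, ident, 20)
    return header + hashlib.md5(header + request_auth + secret).digest()


def verify_reply(reply: bytes, request_auth: bytes, secret: bytes):
    """NAS side.  Returns the reply code only if the Response Authenticator proves the
    reply came from a server holding the same secret; otherwise None."""
    header, response_auth = reply[:4], reply[4:20]
    if hashlib.md5(header + request_auth + secret).digest() != response_auth:
        return None
    return header[0]


def radius_login(username, password, client_secret, server_secret, users, ident=1):
    """One full exchange: ACCESS_ACCEPT, ACCESS_REJECT, or None when the NAS and
    server secrets differ and the reply fails authenticator verification."""
    packet, request_auth = build_access_request(ident, username, password, client_secret)
    reply = handle_access_request(packet, server_secret, users)
    return verify_reply(reply, request_auth, client_secret)


if __name__ == "__main__":
    print("matching secret, good password:", radius_login("vpnuser", "correct horse", SECRET, SECRET, USERS))
    print("matching secret, bad password: ", radius_login("vpnuser", "wrong", SECRET, SECRET, USERS))
    print("NAS secret differs from server:", radius_login("vpnuser", "correct horse", b"other", SECRET, USERS))
```

The third case is the one to keep in mind when the Diagnostics > Authentication test fails with a user whose password is known to be correct: nothing in the protocol tells the NAS that the secret in the authentication server entry differs from the one in the FreeRADIUS NAS / Clients entry, so the symptom is a reject or timeout rather than an explicit error.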

Configure OpenVPN to use RADIUS

  • Navigate to VPN > OpenVPN, Servers tab

  • Edit the existing remote access OpenVPN server

  • Set the Mode to either Remote Access (User Auth) or Remote Access (SSL/TLS + User Auth) if it is not already set to one or the other.

  • Set Backend for authentication to the FreeRADIUS authentication server (e.g. Local FreeRADIUS)

  • Click Save

  • Attempt to connect and authenticate with an OpenVPN client

    If the test succeeded, the setup is complete. Otherwise, see the Troubleshooting section.

Troubleshooting

The following options can be helpful in troubleshooting FreeRADIUS and OpenVPN. Commands must be run at a shell prompt either via the console or via SSH unless otherwise specified.

See also

The FreeRADIUS package documentation contains additional troubleshooting information.

Increase the verbosity of OpenVPN Logs

  • Navigate to VPN > OpenVPN and select the server

  • Change Verbosity level to 7

    This logs everything from OpenVPN, which is very noisy; return the verbosity to its previous value once troubleshooting is complete.

  • Attempt to connect and authenticate with an OpenVPN client

  • Navigate to Status > System Logs, OpenVPN tab to check the OpenVPN log for relevant messages

    Alternately, watch the log from an SSH or console shell prompt:

    # tail -F /var/log/openvpn.log

Watch FreeRADIUS Logs

FreeRADIUS can also log attempted connections/authorizations to find potential problems.

  • Navigate to Services > FreeRADIUS, Settings tab

  • Set the options under Logging Configuration to help locate problems.

    At a minimum, set the following:

    RADIUS Logging Destination:

    System Logs

    RADIUS Logging:

    Enable

    The remaining options can be left at their defaults but can aid further in debugging if necessary.

  • Click Save

  • Attempt to connect and authenticate with an OpenVPN client

  • Navigate to Status > System Logs to check the system log for relevant messages

    Alternately, watch the log from an SSH or console shell prompt:

    # tail -F /var/log/system.log
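When the system log is busy, it helps to pull out only the FreeRADIUS authentication results and count accepts and rejects per user. The following is an added example, not part of the pfSense or FreeRADIUS package. The sample log lines are constructed in the style of FreeRADIUS 3 "Login OK", "Login incorrect" and "Invalid user" messages as they appear in a syslog file; the hostnames, usernames, addresses and process ids are made up, and the regular expression is an assumption to adjust if the local format differs. The "from client" value in these messages is the Client Shortname given to the NAS entry earlier, which is how a request is traced back to the firewall that sent it.

```python
"""Triage FreeRADIUS authentication results from the system log.

Added example; not part of pfSense or the FreeRADIUS package.  Sample lines are
constructed in the style of FreeRADIUS 3 messages, not real captures.
"""
import re
from collections import Counter, defaultdict

# Assumed message shape (adjust if the local FreeRADIUS version logs differently):
#   <result>[ (<reason>)]: [<user>] (from client <shortname> port <n> ...)
AUTH_RE = re.compile(
    r"(?P<result>Login OK|Login incorrect|Invalid user)"
    r"(?: \((?P<reason>[^)]*)\))?"
    r": \[(?P<user>[^\]]*)\]"
    r" \(from client (?P<client>\S+) port (?P<port>\d+)"
)

# Constructed sample log lines.
SAMPLE_LOG = """\
Jan 10 10:00:01 fw radiusd[1234]: (1) Login OK: [alice] (from client fw port 0 cli 203.0.113.5)
Jan 10 10:00:07 fw radiusd[1234]: (2) Login incorrect (pap: Cleartext password does not match "known good" password): [bob] (from client fw port 0 cli 203.0.113.9)
Jan 10 10:00:09 fw radiusd[1234]: (3) Login incorrect (pap: Cleartext password does not match "known good" password): [bob] (from client fw port 0 cli 203.0.113.9)
Jan 10 10:00:12 fw radiusd[1234]: (4) Invalid user (No Auth-Type found: rejecting the user via Post-Auth-Type = Reject): [mallory] (from client fw port 0 cli 203.0.113.77)
Jan 10 10:00:15 fw radiusd[1234]: (5) Login OK: [bob] (from client fw port 0 cli 203.0.113.9)
Jan 10 10:00:20 fw openvpn[999]: TLS: Initial packet from [AF_INET]203.0.113.9:51234
"""


def parse_auth_events(text: str) -> list:
    """Return one dict per FreeRADIUS authentication result; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = AUTH_RE.search(line)
        if not m:
            continue  # OpenVPN lines and other noise are not auth results
        events.append({
            "user": m["user"],
            "client": m["client"],          # NAS shortname from the FreeRADIUS client entry
            "ok": m["result"] == "Login OK",
            "reason": m["reason"] or "",
        })
    return events


def summarize(events: list):
    """Return (accepts per user, rejects per user, reject reasons per user)."""
    accepts, rejects = Counter(), Counter()
    reasons = defaultdict(Counter)
    for e in events:
        if e["ok"]:
            accepts[e["user"]] += 1
        else:
            rejects[e["user"]] += 1
            reasons[e["user"]][e["reason"]] += 1
    return accepts, rejects, reasons


def users_over_threshold(rejects: Counter, threshold: int = 2) -> list:
    """Users whose reject count reached the threshold, sorted for stable output."""
    return sorted(u for u, n in rejects.items() if n >= threshold)


if __name__ == "__main__":
    accepts, rejects, reasons = summarize(parse_auth_events(SAMPLE_LOG))
    for user in sorted(set(accepts) | set(rejects)):
        print(f"{user:10s} accept={accepts[user]} reject={rejects[user]} {dict(reasons[user])}")
    print("repeated rejects:", users_over_threshold(rejects))
```

Reading the reasons is usually more useful than the counts: a password mismatch for a known user points at the credentials or at a shared secret problem (a wrong secret garbles the PAP password), while "Invalid user" means FreeRADIUS has no entry for that name on the Users tab.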

Seek Additional Help

If the cause of the problem is not obvious from the logs, use the information gathered in the previous steps to search the web and/or post on the Netgate Forum for assistance.