Using OpenVPN With FreeRADIUS

From pfSense Documentation
Jump to: navigation, search
This article was contributed or cited from an outside source. The style and formatting may not match other articles.
This article is part of the How-To series.

Using OpenVPN with the FreeRADIUS 2.x package.

Purpose

This document will show how to setup OpenVPN on while allowing for authentication via RADIUS. This is so that certificates may be used as well as a username/password. Usernames and Passwords can also be managed centrally on the firewall, and additional RADIUS-specific options may be used. This is a plus because login times, access limits, and other options are possible.

Requirements

After installing FreeRADIUS2, perform the initial configuration to allow access from the firewall as a NAS client.

Add an interface to FreeRADIS2

  • Navigate to Services > FreeRADIUS
  • Select the Interfaces tab
  • Click + to add a new entry
  • Enter * for the Interface IP Address, or 127.0.0.1 to bind only to Localhost
  • Enter 1812 for the Port
  • Select Authentication for the Interface Type
  • Click Save

Add a NAS client to FreeRADIUS

  • Navigate to Services > FreeRADIUS
  • Select the NAS / Clients tab
  • Click + to add a new entry
  • Enter 127.0.0.1 in the Client IP Address field
  • Enter pfSense, OpenVPN, or similar in the Client Shortname field
  • Enter a random/long password in the Client Shared Secret field
  • Enter a Description that will help identify this connection.
  • Click "Save"

Add Users

  • Navigate to Services > FreeRADIUS
  • Select the Users tab.
This is where every user to authenticate with FreeRadius/OpenVPN is managed
  • Click + to add a new entry
  • Enter a Username and Password
  • Enter any additional desired options, such as Number of simultaneous connections
  • [optional] Set the Session Timeout When this timer expires, the user will be kicked off and will have to login again
  • Repeat as needed for additional users
  • Click "Save"

Configure a pfSense Authentication Server

  • Navigate to System > User Manager
  • Select the Servers tab
  • Click + to add a new entry
  • Enter a Descriptive name such as FreeRADIUS
  • Select RADIUS for the Type
  • Enter 127.0.0.1 for the Hostname or IP address
  • Enter the password created above for Shared Secret
  • Select Authentication for Services offered
  • Enter 1812 for Authentication port value
  • Click Save

Test RADIUS Authentication

  • Navigate to Diagnostics > Authentication
  • Select the authentication server entered above
  • Fill in a Username and Password configured in FreeRADIUS
  • Click Test

If the test succeeded, continue. Otherwise, see the Troubleshooting section below.

Configure OpenVPN to use RADIUS

  • Navigate to VPN > OpenVPN
  • Select the Servers tab
  • Edit the existing Remote Access server
  • Ensure that the Mode is either Remote Access (User Auth) or Remote Access (SSL/TLS + User Auth)
  • Select FreeRADIUS or the Descriptive Name chosen above for the FreeRADIUS authentication server in the Backend for authentication field.
  • Click Save

Troubleshooting

Sometimes things don't work how we think they should. The following options can be helpful in troubleshooting FreeRADIUS and OpenVPN. Commands should be run on the pfSense system either via the console or via SSH unless otherwise specified.

  • Make OpenVPN more Verbose and force it to log to a non-standard location so it can be read it easier.
    • Navigate to VPN > OpenVPN and select the server
    • Modify the "Advanced" text box to include the following:
verb 7
This will log everything from OpenVPN to the OpenVPN tab under Status > System Logs. It can be watched with the following command (while trying to connect/etc).
clog -f /var/log/openvpn.log
  • FreeRADIUS may also be watched for attempted connections/authorizations (Failed or successful).
clog -f /var/log/system.log
  • With this information in hand, Google and the pfSense forum can be a very good resource.

Adapted from / Previously reprinted with permission from Sky