IT Linux Softwares And Tools

OpenVPN Server with remote RADIUS authentication

One of my friends had some issues with an OpenVPN server using remote RADIUS authentication, so I did some tests and thought it would be a good topic to blog about!

I am also adding a video tutorial about this (first attempt, so forgive the mistakes!)

 

For this setup, I am using 2 servers:

  1. A $5 DigitalOcean Ubuntu instance, which will be the OpenVPN Access Server. Quoting from the website: "OpenVPN Access Server is a full featured secure network tunnelling VPN software solution that integrates OpenVPN server capabilities, enterprise management capabilities, simplified OpenVPN Connect UI, and OpenVPN Client software packages that accommodate Windows, MAC, Linux, Android, and iOS environments"
  2. A local Ubuntu server on VirtualBox, which will have daloRADIUS configured. With daloRADIUS you can easily and quickly manage your FreeRADIUS deployment through an easy-to-use GUI.

Let's start:

On the DigitalOcean server (from now on we will call this the VPN server), let's configure OpenVPN Access Server. It's a super simple 3-step process.

  1. Download the package
    sudo wget http://swupdate.openvpn.org/as/openvpn-as-2.0.7-Ubuntu12.amd_64.deb
  2. Install the package
    sudo dpkg -i openvpn-as-2.0.7-Ubuntu12.amd_64.deb
  3. During the installation, OpenVPN will create a default admin user called 'openvpn'. We need to set a password for that.

    sudo passwd openvpn

And you are done!

After the installation, you can access the interfaces as below:

Admin UI:  https://YourIPAddress:943/admin
Client UI: https://YourIPAddress:943/

Now let's configure the RADIUS server before we enable RADIUS authentication on the VPN server.

On the RADIUS server, follow the steps below:

  1. Install FreeRADIUS and the additional libraries and tools
    aptitude install freeradius freeradius-mysql freeradius-postgresql freeradius-dialupadmin freeradius-utils php5-gd php-pear php-db mysql-server php5-mysql
    apt-get install build-essential binutils libssl-dev openssl libmysqlclient-dev
  2. After this, install phpMyAdmin
    apt-get install phpmyadmin

    During the setup process, when asked, select Apache2 and click "OK" to complete the setup; on the second screen select "YES" for the question "Configure database for phpmyadmin with dbconfig-common?", then enter the MySQL password of your root account and a password for phpmyadmin. If it installed properly, you will be able to access it from a browser at http://yourserver_ip_address/phpmyadmin

  3. We need to install a few more packages before proceeding with the daloRADIUS installation.
    apt-get install php-pear php5-gd php-db
  4. We also need to install PHP PEAR
    wget pear.php.net/go-pear.phar
    php go-pear.phar
    

    Just press ENTER to accept the default installation options.

  5. To avoid Apache's error "Could not reliably determine the server's fully qualified domain name", let's add one more thing.
    vi /etc/apache2/httpd.conf

    then add the line below:

    ServerName localhost

    *This is only for testing purposes. We need to change it to something that reflects the production environment.
  6. Restart Apache
    apachectl restart
  7. Run the Apache config test to make sure everything is OK
    apachectl configtest
  8. Now let's download the daloRADIUS software:
    wget http://downloads.sourceforge.net/project/daloradius/daloradius/daloradius0.9-9/daloradius-0.9-9.tar.gz
  9. Extract it
    tar zxfv daloradius-0.9-9.tar.gz
  10. Move it to the www directory
    mv daloradius-0.9-9 /var/www/
  11. Go to that directory
    cd /var/www/daloradius-0.9-9
  12. Now create the MySQL database for FreeRADIUS, which will be used by daloRADIUS too
    mysql -u root -p
    mysql> create database radiusdb;
    mysql> quit
  13. While still inside the /var/www/daloradius-0.9-9/ folder, issue the command below:

    mysql -u root -p radiusdb < contrib/db/fr2-mysql-daloradius-and-freeradius.sql
  14. Log in to MySQL and confirm the database was successfully restored.

Now let's configure FreeRADIUS

Let's first test FreeRADIUS and make sure it's working fine.

  1. Edit the users file
    vi /etc/freeradius/users

    locate the line containing

    #"John Doe"     Cleartext-Password := "hello"

    and uncomment it.
  2. Stop the freeradius service daemon.
    /etc/init.d/freeradius stop
  3. With the service stopped, run the freeradius server in debug mode
    freeradius -XXX

    The output should be something like this:

    Sat Jun 27 00:21:35 2015 : Debug: Listening on authentication address * port 1812
    Sat Jun 27 00:21:35 2015 : Debug: Listening on accounting address * port 1813
    Sat Jun 27 00:21:35 2015 : Debug: Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel
    Sat Jun 27 00:21:35 2015 : Debug: Listening on proxy address * port 1814
    Sat Jun 27 00:21:35 2015 : Info: Ready to process requests.
  4. Press Ctrl-C to stop the freeradius debug mode.
  5. Now start freeradius:
    /etc/init.d/freeradius start
  6. Just to make sure all works fine, let's test freeradius authentication using the text file
    radtest "John Doe" "hello" 127.0.0.1 0 testing123

    If your setup is correct, you should get output like this:

    Sending Access-Request of id 244 to 127.0.0.1 port 1812
     User-Name = "John Doe"
     User-Password = "hello"
     NAS-IP-Address = 127.0.1.1
     NAS-Port = 0
  7. Now we need to set it up to use the SQL database for authentication instead of the text file.
  8. Stop freeradius again:
    /etc/init.d/freeradius stop
  9. Edit the main configuration file
    vi /etc/freeradius/radiusd.conf

    Locate the following lines and uncomment them, then save and quit

    $INCLUDE sql.conf
    $INCLUDE sql/mysql/counter.conf
    $INCLUDE sqlippool.conf
  10. Edit another file: vi /etc/freeradius/sites-available/default. Locate the following line under the "authorize" section and uncomment it
    #   sql

    Then locate the same line under the "session" section and uncomment it as well, save and exit.

    #   sql
  11. Now run freeradius again in debug mode
    freeradius -XXX
  12. You should see output like this if everything works fine:
    Fri Jun 26 23:17:01 2015 : Debug: Listening on accounting address * port 1813
    Fri Jun 26 23:17:01 2015 : Debug: Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel
    Fri Jun 26 23:17:01 2015 : Debug: Listening on proxy address * port 1814
    Fri Jun 26 23:17:01 2015 : Info: Ready to process requests.

Create the FreeRADIUS MySQL account

  1. Log in to MySQL
    mysql -u root -p
  2. Create the user account
    mysql> CREATE USER 'raddbuser'@'localhost';
  3. Set the password
    mysql> SET PASSWORD FOR 'raddbuser'@'localhost' = PASSWORD('radpass');
  4. Grant privileges
    mysql> GRANT ALL ON radiusdb.* to 'raddbuser'@'localhost';
  5. Quit
    mysql> quit

Update the SQL account details for FreeRADIUS

  1. Edit the file /etc/freeradius/sql.conf
  2. Locate the following lines and update the details accordingly
    login = "radius"
    password = "radpass"
    radius_db = "radius"

    and change them to...

    login = "raddbuser"
    password = "radpass"
    radius_db = "radiusdb"
  3. Uncomment the line
    readclients = yes
  4. Save and exit

Configure the daloRADIUS MySQL account

  1. Edit the file /var/www/daloradius-0.9-9/library/daloradius.conf.php
    vi /var/www/daloradius-0.9-9/library/daloradius.conf.php
  2. Locate the lines
    $configValues['CONFIG_DB_ENGINE'] = 'mysql';
    $configValues['CONFIG_DB_HOST'] = 'localhost';
    $configValues['CONFIG_DB_PORT'] = '3306';
    $configValues['CONFIG_DB_USER'] = 'root';
    $configValues['CONFIG_DB_PASS'] = '';
    $configValues['CONFIG_DB_NAME'] = 'radius';

    and change the values to:

    $configValues['CONFIG_DB_ENGINE'] = 'mysql';
    $configValues['CONFIG_DB_HOST'] = 'localhost';
    $configValues['CONFIG_DB_PORT'] = '3306';
    $configValues['CONFIG_DB_USER'] = 'raddbuser';
    $configValues['CONFIG_DB_PASS'] = 'radpass';
    $configValues['CONFIG_DB_NAME'] = 'radiusdb';
  3. Save the file and exit.

Tip: It's better to rename the long daloradius directory to a simpler name.

cd /var/www/
mv daloradius-0.9-9 daloradius

	

About the author

Ambi