I have set up OpenVPN server (not the access server, the open source community version) and Freeradius 3 on my ubuntu machine. OpenVPN client authentication has been tested for both username/password and certificate/key mechanisms for users generated using Easy-RSA. Freeradius user creation and testing have been done by daloradius and ntradping respectively.
What I want, is to use RADIUS authentication for my VPN clients. Basically when the client prompts for username password, I want to login via the credentials I have created in freeradius.
There is very little info about it on the official documentation page of OpenVPN in this page
While following the guide, I have found that the openvpn-auth-pam plugin has been renamed, relocated and now comes prebuilt (if it's not feel free to correct me, I assumed that because the openvpn-plugin-auth-pam.so file was already there) into a different directory
According to the guide I have to add the following line to my server configuration file.
plugin /usr/lib/x86_64-linux-gnu/openvpn/plugins/openvpn-plugin-auth-pam.so [name of the module to be used for authentication]
So here I need to call for a module that calls freeradius to perform the authentication. The guide uses the "login" PAM module which is located at /etc/pam.d directory, unless I found the wrong thing. In the same directory there is also a file named radiusd and the contents of the file are
/* /etc/pam.d/radiusd - PAM configuration for FreeRADIUS */
/* We fall back to the system default in /etc/pam.d/common-* */
@include common-auth
@include common-account
@include common-password
@include common-session
I am not sure what to do next. Is freeradius's own PAM module even relevant to the operation that I am trying to perform? Or do I need to use some external tools and libraries to integrate freeradius with OpenVPN? Or I need to create the module file by myself? Thanks in advance
Use Debian. Centos 7 is getting EOL soon. Centos 8+ does not have this plugin in repos, but you can compile it (see end of answer).
Install RADIUS authentication module and edit openvpn server configuration
apt update
# apt-cache search ".*openvpn.*radius.*"
apt install openvpn-auth-radius
# find / -name "radiusplugin*"
cp /usr/share/doc/openvpn-auth-radius/examples/radiusplugin.cnf /etc/openvpn/radiusplugin.cnf
nano /etc/openvpn/radiusplugin.cnf
Edit next sections in /etc/openvpn/radiusplugin.cnf. Rest - leave as is.
name=ip-of-your-radius
retry=10 # change if needed
wait=600 # change if needed
sharedsecret=paste-here-radius-secret
Server config
nano /etc/openvpn/server.conf
Add lines:
# For auth plugins. Uncomment if needed
# username-as-common-name
# RADIUS Auth
plugin /usr/lib/openvpn/radiusplugin.so /etc/openvpn/radiusplugin.cnf
If you want to compile it (I didn't tested):
apt-get install libgcrypt11 libgcrypt11-dev gcc make build-essential
wget http://www.nongnu.org/radiusplugin/radiusplugin_v2.1a_beta1.tar.gz
tar xvfz radiusplugin_v2.1a_beta1.tar.gz
cd radiusplugin_v2.1a_beta1/
make
cp radiusplugin.so /etc/openvpn/
cp radiusplugin.cnf /etc/openvpn/
List of OpenVPN plugins: https://community.openvpn.net/openvpn/wiki/PluginOverview
PS: similar algorithm for LDAP integration (find plugin in repo, use example config, add it in main config).