How to set up OpenVPN with FreeRADIUS Authentication on CentOS 7 or Ubuntu 20

This guide assumes you already have OpenVPN installed.

In this guide we show how to set up OpenVPN to authenticate against FreeRADIUS. This lets you control access from an external billing system, for example WHMCS or Hostbill, both of which provide a FreeRADIUS module.

Ok, so on a clean install of CentOS 7 or Ubuntu 20.x with a clean install of OpenVPN, we need to grab a couple of packages so we can build the RADIUS plugin:

On CentOS we run:

yum install libgcrypt libgcrypt-devel gcc-c++ lsof psmisc -y

On Ubuntu we run:

apt-get install libgcrypt20 libgcrypt20-dev gcc make build-essential

Now we need to grab the Radius Plugin:

wget https://vpnextra.com/download/radiusplugin_v2.1a_beta1.tar.gz

Decompress it:

tar xvfz radiusplugin_v2.1a_beta1.tar.gz

Move to its directory:

cd radiusplugin_v2.1a_beta1/

Compile it:

make

The output is a single radiusplugin.so file. Now copy it and the radiusplugin.cnf file to the OpenVPN directory with the commands below:

cp radiusplugin.so /etc/openvpn/
cp radiusplugin.cnf /etc/openvpn/

First, edit the radiusplugin.cnf file and check the server section: make sure the details match your RADIUS server (the file holds the shared secret, so keep it readable by root only):

server
{
        # The UDP port for radius accounting.
        acctport=1813
        # The UDP port for radius authentication.
        authport=1812
        # The name or ip address of the radius server.
        name=YOUR RADIUS SERVER IP
        # How many times should the plugin resend the request if there is no response?
        retry=1
        # How long should the plugin wait for a response?
        wait=1
        # The shared secret.
        sharedsecret=YOUR RADIUS SERVER SECRET
}

Now edit your OpenVPN config file and remove any other plugin lines, then add the following:

plugin /etc/openvpn/radiusplugin.so /etc/openvpn/radiusplugin.cnf

Example OpenVPN server config (on Ubuntu use group nogroup instead of group nobody):

port 1194
proto udp6
dev tun
user nobody
group nobody
persist-key
persist-tun
keepalive 10 120
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "dhcp-option DNS 1.0.0.1"
push "dhcp-option DNS 1.1.1.1"
push "redirect-gateway def1 bypass-dhcp"
server-ipv6 fd41:19:19:19::/112
tun-ipv6
push tun-ipv6
push "route-ipv6 2000::/3"
push "redirect-gateway ipv6"
plugin /etc/openvpn/radiusplugin.so /etc/openvpn/radiusplugin.cnf
dh none
ecdh-curve prime256v1
tls-crypt tls-crypt.key
crl-verify crl.pem
ca ca.crt
cert server_YYGbjpdCVDUTmgsp.crt
key server_YYGbjpdCVDUTmgsp.key
auth SHA256
cipher AES-128-GCM
ncp-ciphers AES-128-GCM
tls-server
tls-version-min 1.2
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
client-config-dir /etc/openvpn/ccd
status /var/log/openvpn/status.log
verb 3

Now restart OpenVPN, either with killall and the service script:

killall -9 openvpn
service openvpn restart

Or use systemctl, where <config> is the basename of your server config file under /etc/openvpn (for example, server for /etc/openvpn/server.conf):

sudo systemctl stop openvpn@<config>.service #<--- stop server
sudo systemctl start openvpn@<config>.service #<--- start server
sudo systemctl restart openvpn@<config>.service #<--- restart server
sudo systemctl status openvpn@<config>.service #<--- get server status

Now try connecting with a username/password pair that exists in the FreeRADIUS database (the client config needs auth-user-pass so that OpenVPN asks for them).
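The configuration steps above, collected into a few shell helpers as an added example (this is not code from the guide or from the radiusplugin project). The function names set_radius_server, check_radius_cnf, enable_radius_plugin and count_plugin_lines are this example's own; the config keys, the plugin line and the placeholder strings are the ones the guide uses. Every function takes explicit paths, so the demo at the bottom runs against a scratch directory with constructed files; point it at /etc/openvpn/radiusplugin.cnf and your server config to apply it for real.

```shell
#!/bin/sh
# Added example: helpers for the radiusplugin configuration steps of the guide.

# Fill in name= and sharedsecret= inside the server { ... } block of
# radiusplugin.cnf, leaving every other section of the shipped file intact.
# The secret must not contain '|', '&' or a newline (they are sed specials).
set_radius_server() {
    cnf="$1"; radius_host="$2"; secret="$3"
    tmp="$cnf.tmp.$$"
    # Restrict the substitutions to the lines between "server" and its "}".
    sed -e "/^server/,/^}/ s|^\([[:space:]]*\)name=.*|\1name=$radius_host|" \
        -e "/^server/,/^}/ s|^\([[:space:]]*\)sharedsecret=.*|\1sharedsecret=$secret|" \
        "$cnf" > "$tmp" && cat "$tmp" > "$cnf" && rm -f "$tmp"
    # The file now holds the RADIUS shared secret, so make it owner-read-only.
    # OpenVPN loads plugins at startup, before it drops to user/group nobody.
    chmod 600 "$cnf"
}

# Pre-flight check before restarting OpenVPN: fail if the guide's placeholders
# are still present, if the secret is empty, or if the file is readable by
# anyone other than its owner. Returns 0 on success, 1 on the first problem.
check_radius_cnf() {
    cnf="$1"
    if grep -q 'YOUR RADIUS SERVER' "$cnf"; then
        echo "check: placeholders still present in $cnf" >&2; return 1
    fi
    if ! grep -q '^[[:space:]]*sharedsecret=.\{1,\}' "$cnf"; then
        echo "check: empty sharedsecret in $cnf" >&2; return 1
    fi
    mode=$(stat -c '%a' "$cnf" 2>/dev/null || stat -f '%Lp' "$cnf")
    case "$mode" in
        600|400) ;;
        *) echo "check: $cnf is mode $mode, expected 600" >&2; return 1 ;;
    esac
    return 0
}

# Remove every existing "plugin ..." line from the OpenVPN server config and
# append the single radiusplugin line the guide adds (idempotent).
enable_radius_plugin() {
    conf="$1"; plugin_so="$2"; plugin_cnf="$3"
    tmp="$conf.tmp.$$"
    sed '/^[[:space:]]*plugin[[:space:]]/d' "$conf" > "$tmp"
    printf 'plugin %s %s\n' "$plugin_so" "$plugin_cnf" >> "$tmp"
    # cat-into-place keeps the config file's owner and mode.
    cat "$tmp" > "$conf" && rm -f "$tmp"
}

# Print how many "plugin ..." lines a config contains (0 when there are none).
count_plugin_lines() {
    grep -c '^[[:space:]]*plugin[[:space:]]' "$1" || true
}

# Demo on a scratch directory with constructed files (no root needed).
demo_dir=$(mktemp -d)
cat > "$demo_dir/radiusplugin.cnf" <<'EOF'
NAS-Identifier=OpenVpn
server
{
        # The name or ip address of the radius server.
        name=YOUR RADIUS SERVER IP
        # The shared secret.
        sharedsecret=YOUR RADIUS SERVER SECRET
}
EOF
# Constructed server config carrying a leftover plugin line to be replaced.
printf 'port 1194\nplugin /etc/openvpn/old-auth-plugin.so\ndev tun\n' > "$demo_dir/server.conf"

set_radius_server "$demo_dir/radiusplugin.cnf" 192.0.2.10 'example-shared-secret'
check_radius_cnf "$demo_dir/radiusplugin.cnf" && echo "radiusplugin.cnf: ok"
enable_radius_plugin "$demo_dir/server.conf" /etc/openvpn/radiusplugin.so /etc/openvpn/radiusplugin.cnf
echo "plugin lines in server.conf: $(count_plugin_lines "$demo_dir/server.conf")"
rm -rf "$demo_dir"
```

Before testing through the VPN, it is worth confirming the RADIUS side on its own: with the freeradius-utils package installed (assumed here), radtest <user> <password> <radius-ip> 0 <secret> sends an Access-Request directly to the server, so an Access-Reject at that point rules out OpenVPN and the plugin as the cause.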
