This guide assumes you already have OpenVPN installed.
In this guide, we will show you how to set up OpenVPN to authenticate against FreeRADIUS. This lets you control access from an external billing system, for example WHMCS or Hostbill, which provide a FreeRADIUS module.
Starting from a clean install of CentOS 7 or Ubuntu 20.x with OpenVPN already installed, we need to grab a couple of packages so we can build the Radius Plugin:
On CentOS we run:
yum install libgcrypt libgcrypt-devel gcc-c++ lsof psmisc -y
On Ubuntu we run:
apt-get install libgcrypt20 libgcrypt20-dev gcc make build-essential
Now we need to grab the Radius Plugin:
wget https://vpnextra.com/download/radiusplugin_v2.1a_beta1.tar.gz
Decompress it:
tar xvfz radiusplugin_v2.1a_beta1.tar.gz
Move to its directory:
cd radiusplugin_v2.1a_beta1/
Compile it:
make
The build produces a single radiusplugin.so file. Copy it, together with the radiusplugin.cnf file, to the OpenVPN directory using the commands below:
cp radiusplugin.so /etc/openvpn/
cp radiusplugin.cnf /etc/openvpn/
Next, edit the radiusplugin.cnf file, focusing on the server section, and make sure the details match your RADIUS server. This file holds the shared secret, so keep it readable by root only:
server
{
# The UDP port for radius accounting.
acctport=1813
# The UDP port for radius authentication.
authport=1812
# The name or ip address of the radius server.
name=YOUR RADIUS SERVER IP
# How many times should the plugin resend the request if there is no response?
retry=1
# How long should the plugin wait for a response?
wait=1
# The shared secret.
sharedsecret=YOUR RADIUS SERVER SECRET
}
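Before restarting OpenVPN it is worth confirming that name, authport and sharedsecret are right, because from the VPN client's side a wrong shared secret looks exactly like a wrong password: every login is rejected. The script below is an added example, not part of this guide or of the radiusplugin source; it sends one PAP Access-Request the way the plugin does and only trusts an Access-Accept or Access-Reject whose Response Authenticator validates against the shared secret. The server address, port, secret and test account are placeholders supplied by the caller, and the UDP socket assumes an IPv4 RADIUS server.

```python
import hashlib
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3

def encode_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out

def build_access_request(ident, username, password, secret, authenticator):
    """NAS side: header, Request Authenticator, then User-Name (1) and User-Password (2) AVPs."""
    hidden = encode_password(password, secret, authenticator)
    attrs = bytes([1, 2 + len(username)]) + username + bytes([2, 2 + len(hidden)]) + hidden
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs

def build_response(code, ident, request_authenticator, secret, attrs=b""):
    """Server side: Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attrs + Secret)."""
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return head + hashlib.md5(head + request_authenticator + attrs + secret).digest() + attrs

def verify_response(reply, ident, request_authenticator, secret):
    """Return the reply code only if the ID matches and the authenticator proves the shared secret."""
    if len(reply) < 20 or reply[1] != ident:
        return None
    code, length = reply[0], struct.unpack("!H", reply[2:4])[0]
    if not 20 <= length <= len(reply):
        return None
    reply = reply[:length]  # octets beyond Length are padding and are ignored
    expected = hashlib.md5(reply[:4] + request_authenticator + reply[20:] + secret).digest()
    return code if reply[4:20] == expected else None

def probe(server, port, secret, username, password, timeout=1.0):
    """One login attempt as radiusplugin would make it; timeout mirrors the cnf 'wait' value."""
    ident, authenticator = os.urandom(1)[0], os.urandom(16)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:  # assumes an IPv4 RADIUS server
        sock.settimeout(timeout)
        sock.sendto(build_access_request(ident, username, password, secret, authenticator), (server, port))
        try:
            code = verify_response(sock.recvfrom(4096)[0], ident, authenticator, secret)
        except socket.timeout:
            return "timeout"
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject"}.get(code, "bad-authenticator")
```

Run probe("YOUR RADIUS SERVER IP", 1812, b"YOUR RADIUS SERVER SECRET", b"user", b"pass") from the OpenVPN host: "bad-authenticator" means the reply did not validate against the secret you configured, and "timeout" points at the server address, port or a firewall.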
Now edit your OpenVPN config file and remove any other plugin lines, then add the following:
plugin /etc/openvpn/radiusplugin.so /etc/openvpn/radiusplugin.cnf
Example OpenVPN server config:
port 1194
proto udp6
dev tun
user nobody
group nobody
persist-key
persist-tun
keepalive 10 120
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "dhcp-option DNS 1.0.0.1"
push "dhcp-option DNS 1.1.1.1"
push "redirect-gateway def1 bypass-dhcp"
server-ipv6 fd41:19:19:19::/112
tun-ipv6
push tun-ipv6
push "route-ipv6 2000::/3"
push "redirect-gateway ipv6"
plugin /etc/openvpn/radiusplugin.so /etc/openvpn/radiusplugin.cnf
dh none
ecdh-curve prime256v1
tls-crypt tls-crypt.key
crl-verify crl.pem
ca ca.crt
cert server_YYGbjpdCVDUTmgsp.crt
key server_YYGbjpdCVDUTmgsp.key
auth SHA256
cipher AES-128-GCM
ncp-ciphers AES-128-GCM
tls-server
tls-version-min 1.2
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
client-config-dir /etc/openvpn/ccd
status /var/log/openvpn/status.log
verb 3
Now restart OpenVPN so that the plugin is loaded. On a system using the service command:
killall -9 openvpn
service openvpn restart
Or use systemctl, where <config> is the name of your server config file without the .conf extension:
sudo systemctl stop openvpn@<config>.service #<--- stop server
sudo systemctl start openvpn@<config>.service #<--- start server
sudo systemctl restart openvpn@<config>.service #<--- restart server
sudo systemctl status openvpn@<config>.service #<--- get server status
Now try logging in using a username/password pair that exists in the FreeRADIUS database (the client config must include auth-user-pass so that the credentials are sent to the server).