Official plugin for Freeradius + OpenVPN?

Official plugin for Freeradius + OpenVPN?

Houman
Hello,

I have been using Freeradius and Strongswan (eap-radius) for a few years
now and for the first time I'm trying to achieve the same thing with
OpenVPN instead.

Based on my research it seems that the recommended plugin is a decade old.

http://www.nongnu.org/radiusplugin/

It's hard to imagine that this wasn't updated for so long. Am I missing
something? Is there any official Freeradius plugin for OpenVPN?

I found this tutorial to be very promising
https://www.vpsserver.com/community/tutorials/17/authenticate-openvpn-clients-thru-the-freeradius-server/
but I thought I'd ask here first if someone has experience with this topic,
and I'm on the right path.

Many Thanks,
Houman
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Official plugin for Freeradius + OpenVPN?

Adrian Tschira
Hey Houman,

We're doing this using the openvpn-plugin-pam.so that ships with openvpn
and libpam-radius. In our ovpn conf:

     plugin path-to/openvpn-plugin-auth-pam.so ovpn-0

where ovpn-0 is declared in /etc/pam.d/ovpn-0:

     account sufficient      pam_permit.so
     auth    required        pam_radius_auth.so conf=/path/to/conf

Be aware that libpam-radius has not had a release since 2016 despite
numerous fixes, so you will probably want to compile it from source.


Re: Official plugin for Freeradius + OpenVPN?

Houman
Hello Adrian,

Thank you for your kind reply.

I'm struggling to find *openvpn-plugin-pam.so* and *libpam-radius* in the
OpenVPN source code.
The closest I could find was:

openvpn-2.4.9/src/plugins/auth-pam

Did you mean *openvpn-auth-pam* by any chance?

I can't find *libpam-radius* at all.

Do you know of any tutorial for this by any chance? I'll keep looking, maybe
I'll find something.

Many Thanks,
Houman



Re: Official plugin for Freeradius + OpenVPN?

Alan DeKok-2
On Jul 19, 2020, at 4:21 PM, Houman <[hidden email]> wrote:
>
> I'm struggling to find *openvpn-plugin-pam.so* and *libpam-radius* in the
> OpenVPN source code.

  libpam-radius is a separate piece of software.  You should be able to install it via your local packaging system.

> The closest I could find was:
>
> openvpn-2.4.9/src/plugins/auth-pam

  OpenVPN calls PAM, which is that plugin.

  PAM then uses libpam-radius to do RADIUS.

  Alan DeKok.



Re: Official plugin for Freeradius + OpenVPN?

Houman
Thank you Alan,

I have installed it. It is now in /usr/lib/security/pam_radius_auth.so

Then I have tried to utilise it like this:
*/etc/pam.d/ovpn-0:*
account sufficient      pam_permit.so
auth    required        pam_radius_auth.so conf=/etc/pam.d/pam_radius_auth.conf

*pam_radius_auth.conf:*
127.0.0.1                   secret             3

But despite a restart, when I connect with OpenVPN freeradius is not hit at
all.

I'm running freeradius -X.

Maybe I have to use the full path to pam_radius_auth.so in ovpn-0? What
could I have missed?

Thanks,
Houman




Re: Official plugin for Freeradius + OpenVPN?

Alan DeKok-2
On Jul 21, 2020, at 2:05 PM, Houman <[hidden email]> wrote:

>
> Thank you Alan,
>
> I have installed it. It is now in /usr/lib/security/pam_radius_auth.so
>
> Then I have tried to utilise it like this:
> */etc/pam.d/ovpn-0:*
> account sufficient      pam_permit.so
> auth    required        pam_radius_auth.so conf=/etc/pam.d/pam_radius_auth.conf
>
> *pam_radius_auth.conf:*
> 127.0.0.1                   secret             3

  That's good.

> But despite a restart, when I connect with OpenVPN freeradius is not hit at
> all.

  Did you configure OpenVPN to use PAM?

> I'm running freeradius -X.
>
> Maybe I have to use the full path to pam_radius_auth.so in ovpn-0? What
> could I have missed?

  Read the OpenVPN documentation for how to configure OpenVPN.

  Alan DeKok.


Re: Official plugin for Freeradius + OpenVPN?

Houman
Hi Adrian and Alan,

I ended up compiling the master branch of pam_radius_auth.so to have the
latest. :)

However

*/etc/pam.d/pam_radius_auth.conf*
127.0.0.1                  secret             3

*/etc/pam.d/ovpn-0*
account sufficient      pam_permit.so
auth    required        pam_radius_auth.so conf=/etc/pam.d/pam_radius_auth.conf

But the moment I activate it like this in OpenVPN and restart it:

*server.conf*
plugin /usr/local/lib/openvpn/plugins/openvpn-plugin-auth-pam.so ovpn-0

I can no longer establish the VPN connection and the local freeradius is
not even hit.
I get this error in /var/log/openvpn/openvpn.log

89.32.123.xxx:18585 TLS Error: Auth Username/Password was not provided by peer
89.32.123.xxx:18585 TLS Error: TLS handshake failed

Is there a way to get more verbose logs to see what the issue is?
Based on my research the only way to activate the PAM for OpenVPN is to use
the plugin in the config as I did above.

Many Thanks,
Houman
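
The chain discussed in this thread (OpenVPN's auth-pam plugin, the PAM service file it names, pam_radius_auth and its server file) can be linted offline, together with the client side: an OpenVPN server logs "Auth Username/Password was not provided by peer" when the connecting client sent no credentials. The following is an added example, not part of any poster's message and not OpenVPN or FreeRADIUS project code; `lint_chain`, the constructed sample configs and the hostname `vpn.example.net` are hypothetical, while `auth-user-pass` is the OpenVPN client directive that makes the client send a username and password.

```python
import re

# Constructed samples modelled on the configs quoted in this thread.
SERVER_CONF = "plugin /usr/local/lib/openvpn/plugins/openvpn-plugin-auth-pam.so ovpn-0\n"
PAM_OK = ("account sufficient      pam_permit.so\n"
          "auth    required        pam_radius_auth.so conf=/etc/pam.d/pam_radius_auth.conf\n")
PAM_WRAPPED = PAM_OK.replace(".so conf=", ".so\nconf=")   # rule split across two lines
RADIUS_CONF = "127.0.0.1                  secret             3\n"
CLIENT_NO_AUTH = "client\nremote vpn.example.net 1194\n"   # hypothetical client config
CLIENT_WITH_AUTH = CLIENT_NO_AUTH + "auth-user-pass\n"

PAM_TYPES = {"auth", "account", "password", "session"}

def _lines(text):
    """Yield non-empty lines with '#' comments stripped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            yield line

def lint_chain(server_conf, pam_files, radius_conf, client_conf):
    """Return findings; pam_files maps a service name to its /etc/pam.d text."""
    m = re.search(r"^\s*plugin\s+\S*auth-pam\.so\s+(\S+)", server_conf, re.M)
    if not m:
        return ["server: no auth-pam plugin line, so PAM is never called"]
    service = m.group(1)
    if service not in pam_files:
        return [f"pam: no service file for '{service}'"]
    findings, radius_rule = [], False
    for line in _lines(pam_files[service]):
        fields = line.split()
        if fields[0] == "@include":
            continue
        if fields[0].lstrip("-") not in PAM_TYPES:
            findings.append(f"pam: '{line}' is not a rule (wrapped line?)")
        elif fields[0].lstrip("-") == "auth" and any("pam_radius_auth.so" in f for f in fields[2:]):
            radius_rule = True
    if not radius_rule:
        findings.append("pam: no auth rule loads pam_radius_auth.so")
    for line in _lines(radius_conf):
        if len(line.split()) < 2:   # format: server[:port] secret [timeout]
            findings.append(f"radius: '{line}' has no shared secret")
    if not any(l.split()[0] == "auth-user-pass" for l in _lines(client_conf)):
        findings.append("client: no auth-user-pass, so no credentials are sent")
    return findings

if __name__ == "__main__":
    for f in lint_chain(SERVER_CONF, {"ovpn-0": PAM_WRAPPED}, RADIUS_CONF, CLIENT_NO_AUTH):
        print(f)
```
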



Re: Official plugin for Freeradius + OpenVPN?

Alan DeKok-2
On Jul 22, 2020, at 3:04 PM, Houman <[hidden email]> wrote:

> But the moment I activate it like this in OpenVPN and restart it:
>
> *server.conf*
> plugin /usr/local/lib/openvpn/plugins/openvpn-plugin-auth-pam.so ovpn-0
>
> I can no longer establish the VPN connection and the local freeradius is
> not even hit.
> I get this error in /var/log/openvpn/openvpn.log
>
> 89.32.123.xxx:18585 TLS Error: Auth Username/Password was not provided by peer
> 89.32.123.xxx:18585 TLS Error: TLS handshake failed
>
> Is there a way to get more verbose logs to see what the issue is?

  Why are you asking OpenVPN questions on the FreeRADIUS list?

  We didn't write OpenVPN.  We don't know anything about it.

  Ask the OpenVPN people how their software works.

  Alan DeKok.


Re: Official plugin for Freeradius + OpenVPN?

Houman
Calm down buddy.  I thought you were the author of pam_radius_auth.so and
had deep knowledge of the material and could point me to the right
direction.

You don't need to be so pedantic, this is completely unnecessary!!!  Even
if you think there is nothing wrong with the pam_radius_config and the
fault must be in OpenVPN, you could express it in a nicer way. This is just
a bad attitude.

If you don't want to help, simply ignore the message and maybe someone else
in the community can help.  After all we are supposed to be a community that
shares the same interest around Freeradius and the tools it integrates
with.

Just some food for thought.



Re: Official plugin for Freeradius + OpenVPN?

Alan DeKok-2
On Jul 22, 2020, at 4:15 PM, Houman <[hidden email]> wrote:
>
> Calm down buddy.  I thought you were the author of pam_radius_auth.so and
> had deep knowledge of the material and could point me to the right
> direction.

  I did.  Apparently you don't like my answers.

> You don't need to be so pedantic, this is completely unnecessary!!!  Even
> if you think there is nothing wrong with the pam_radius_config and the
> fault must be in OpenVPN, you could express it in a nicer way. This is just
> a bad attitude.

  Nothing was rude about my response.  You asked a technical question, I gave you a technical answer.  Unlike you, I didn't take it personally.  I didn't complain.  I didn't whine.

> If you don't want to help, simply ignore the message and maybe someone else
> in the community can help.  After all we are supposed to be a community that
> shares the same interest around Freeradius and the tools it integrates
> with.

  I'll make it simple.  Stop complaining, or you will get unsubscribed from the list and permanently banned.

  I don't put up with crap like this.  Grow up, or go away.

 Alan DeKok.

