Thursday, April 14, 2011

Using OpenVPN With FreeRADIUS

 http://doc.pfsense.org/index.php/Using_OpenVPN_With_FreeRADIUS


WARNING: This community-contributed article describes risky changes that could easily break your firewall. This is for advanced users only, and is not recommended by the pfSense development team.


OpenVPN setup on pfSense 1.2.2 with two-way authentication (certificates plus FreeRADIUS username/password)


Purpose

This document shows how to set up OpenVPN on a pfSense 1.2.2 system with two-way authentication: every client must present a valid certificate and also a username/password pair, and the username/password side is checked against FreeRADIUS running on the same box. That gives you centralized management of the accounts: you can add or remove a user without touching the certificate/VPN installer you hand out, and FreeRADIUS also lets you set "login times" and access limits per user.

What you need

List of items you should already have; the rest of the document assumes them.
  • A computer or virtual machine with pfSense 1.2.2 installed (may work with earlier versions, but only tested with 1.2.2).
  • A connection to the internet (for fetching and installing packages).
  • A computer configured with an OpenVPN client for testing (Windows, Linux or Mac).
  • OpenVPN already configured on your pfSense system (I used this document: http://www.pfsense.org/mirror.php?section=tutorials/openvpn/pfsense-ovpn.pdf ).

Getting Started: Installing FreeRadius and getting it ready for OpenVPN

The first thing you need to do is install FreeRADIUS onto the pfSense system you are using.
  • Navigate to "System->Packages".
  • Click the + sign on the right of "Freeradius".
  • Your pfSense box will now install FreeRADIUS from the pfSense package repository. This might take a few minutes depending on how fast your system and network connection are.
  • From the pfSense web GUI navigate to "Services->FreeRADIUS".
  • Select the "Clients" tab.
  • We are setting OpenVPN up as a "Client" of the FreeRADIUS server (a NAS, in RADIUS terms). Click the + sign to get started.
  • In the "Client" field put in the LAN IP address of your pfSense box. Mine is 192.168.1.1. OpenVPN and FreeRADIUS run on the same box, so requests will be sent to this address and, because it is a local address, will also leave from it; FreeRADIUS only answers requests whose source address matches a client entry.
  • In the "Shortname" field put something descriptive, e.g. OpenVPN Server (Remote Client auth).
  • In the "Shared Secret" field put in a long, random password. RADIUS protects the user's password only with an MD5 keystream derived from this secret, so a guessable secret lets anyone who can capture the RADIUS packets recover user passwords.
  • In the "Description" field put in something that will help you identify this connection.
  • Click "Save".

Setting up your Users

  • Now navigate to the "Users" tab. This is where you set up EVERY user you want to authenticate with FreeRADIUS/OpenVPN.
  • Click the + sign to get started.
  • Make sure that you also fill out "Number of Multiple Connection"; I suggest setting this to 1. It is the only required field other than username/password; the rest are optional.
  • [optional] Set the "Session time". I have mine set at 21600 (seconds, so six hours). When this expires the user will be kicked off and will have to log in again. This is close to a normal workday and keeps users from staying logged in all the time, even when they are not at the computer.
  • Click the "Save" button.

Gain shell access on your pfSense system

  • We will be working on the command line. You should either temporarily enable SSH on your pfSense system or have access to a console directly connected to your pfSense box.
  • Enable SSH: navigate to "System->Advanced", check "Enable Secure Shell", then click "Save" at the bottom of the "Secure Shell" section. Disable it again when you are done if you do not normally run SSH on the firewall.
  • You should now be able to SSH into your pfSense system.
  • If you are directly connected to your pfSense system with a console/monitor, select option "8" (Shell) from the console menu to get a command prompt.

Connecting OpenVPN and FreeRadius

  • Now that you are at a shell prompt on your pfSense system we can configure PAM to work with OpenVPN and FreeRADIUS.
  • Create the file /etc/pam.d/openvpn with the following command:
vi /etc/pam.d/openvpn
  • Insert the following into the file (exactly, or it may not work):
#%PAM-1.0
auth required pam_radius.so debug=10
account sufficient pam_permit.so
session sufficient pam_permit.so
  • Only the "auth" step is delegated to RADIUS: pam_radius sends the username and password that OpenVPN collected to the server named in /etc/radius.conf. The "account" and "session" steps are satisfied locally by pam_permit, so nothing else on the box needs to know the user.
  • Save and exit the file (press "Esc", then type ":wq" without the quotes).
  • Create the file /etc/radius.conf with the following command:
vi /etc/radius.conf
  • Insert the following into the file. Change the IP address to the IP of your pfSense LAN interface, and replace *****PassHere with the shared secret you set in the "Clients" section of the FreeRADIUS configuration screen. The format is the FreeBSD libradius one: service type, server:port, secret.
acct 192.168.1.1:1813 *****PassHere
auth 192.168.1.1:1812 *****PassHere
  • Save and exit the file (press "Esc", then type ":wq" without the quotes).
  • This file now holds the shared secret in clear text, so make sure it is readable by root only (mode 0600). Anything that can read it can impersonate OpenVPN to FreeRADIUS and decode the password traffic.
  • We are finished with this section. Go back to your pfSense web GUI.
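The two files above, written by a script instead of by hand. This is an added example and not part of the wiki article or the pfSense project: a POSIX shell script (assumed name radius-auth-files.sh) that creates pam.d/openvpn and radius.conf under a root directory you choose (default /etc), reads the shared secret from stdin so it stays out of shell history and ps output, makes sure radius.conf is never readable by anyone but root, and then checks the result. The libradius/pam_radius file formats are the FreeBSD ones the article relies on; the secret and IP used in the comments are placeholders.

```shell
#!/bin/sh
# Added example, not from the pfSense wiki article: writes the two files the
# article has you type into vi, keeping the RADIUS shared secret off the
# command line and world-unreadable, then verifies the result. Assumes the
# FreeBSD libradius/pam_radius formats used by pfSense 1.2.x, as the article
# does. Pass an alternative root (e.g. a temp dir) for a dry run.

set -eu

# write_pam_openvpn ROOT
#   Creates ROOT/pam.d/openvpn with the exact stack from the article: auth is
#   delegated to RADIUS, account and session checks are satisfied locally.
write_pam_openvpn() {
    mkdir -p "$1/pam.d"
    cat > "$1/pam.d/openvpn" <<'EOF'
#%PAM-1.0
auth required pam_radius.so debug=10
account sufficient pam_permit.so
session sufficient pam_permit.so
EOF
}

# write_radius_conf ROOT SERVER SECRET
#   Creates ROOT/radius.conf (libradius format: "auth|acct host:port secret").
#   The umask is set in a subshell so the file never exists with group/other
#   read bits, even for an instant; the final mode is 0600.
write_radius_conf() {
    (
        umask 077
        printf 'acct %s:1813 %s\nauth %s:1812 %s\n' "$2" "$3" "$2" "$3" > "$1/radius.conf"
    )
    chmod 600 "$1/radius.conf"
}

# check_radius_conf ROOT
#   Returns 0 only if ROOT/radius.conf exists, is mode 0600 and names both the
#   auth (1812) and acct (1813) servers; explains any failure on stderr.
check_radius_conf() {
    f="$1/radius.conf"
    [ -f "$f" ] || { echo "missing $f" >&2; return 1; }
    # POSIX find -perm 600 is an exact match, so any group/other bit fails it
    [ -n "$(find "$f" -perm 600)" ] || {
        echo "$f must be mode 0600: it holds the RADIUS shared secret" >&2; return 1; }
    grep -q '^auth [^ ]*:1812 ' "$f" || { echo "$f has no auth server line" >&2; return 1; }
    grep -q '^acct [^ ]*:1813 ' "$f" || { echo "$f has no acct server line" >&2; return 1; }
}

# Usage: sh radius-auth-files.sh <pfsense-lan-ip> [root]
# The shared secret is read from stdin rather than argv so it does not land in
# shell history or in ps output. Example: sh radius-auth-files.sh 192.168.1.1
if [ $# -ge 1 ]; then
    root=${2:-/etc}
    printf 'RADIUS shared secret (as entered in Services->FreeRADIUS->Clients): ' >&2
    read -r secret
    write_pam_openvpn "$root"
    write_radius_conf "$root" "$1" "$secret"
    if check_radius_conf "$root"; then
        echo "wrote $root/pam.d/openvpn and $root/radius.conf"
    else
        exit 1
    fi
fi
```

Run it as root on the pfSense box (or with a second argument such as /tmp/dryrun to inspect the output first). One thing the article does not mention: once the auth-pam plugin is loaded, the server demands a username and password from every client, so each client profile also needs the `auth-user-pass` directive, otherwise the client never prompts for credentials and the connection fails authentication.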

Load the Pam plugin for OpenVPN

  • Navigate to your OpenVPN Server configuration screen. "VPN->OpenVPN". Make sure you are on the "Server" tab.
  • Click the "Edit" button next to the OpenVPN server you have setup.
  • When the new screen loads, scroll down to the bottom where you see the section marked "Custom Options". Insert the following into the textbox.
plugin /usr/local/lib/openvpn-auth-pam.so openvpn
  • Click "Save" at the bottom of the screen and navigate to the OpenVPN log screen "Status->System Logs" Click on the "OpenVPN" tab.
  • You should see something similar to what is listed below (log excerpt borrowed from j0emv on the pfSense forums, thanks!). Note that pfSense shows the newest line first.
Mar 20 13:16:26    openvpn[6837]: Need IPv6 code in mroute_extract_addr_from_packet
Mar 20 13:16:21    openvpn[6837]: Initialization Sequence Completed
Mar 20 13:16:21    openvpn[6837]: TCPv4_SERVER link remote: [undef]
Mar 20 13:16:21    openvpn[6837]: TCPv4_SERVER link local (bound): [undef]:1194
Mar 20 13:16:21    openvpn[6837]: Listening for incoming TCP connection on [undef]:1194
Mar 20 13:16:20    openvpn[6817]: /etc/rc.filter_configure tun0 1500 1543 192.168.3.1 192.168.3.2 init
Mar 20 13:16:20    openvpn[6817]: /sbin/ifconfig tun0 192.168.3.1 192.168.3.2 mtu 1500 netmask 255.255.255.255 up
Mar 20 13:16:20    openvpn[6817]: TUN/TAP device /dev/tun0 opened
Mar 20 13:16:20    openvpn[6817]: gw xx.xx.xx.xx
Mar 20 13:16:20    openvpn[6817]: WARNING: file '/var/etc/openvpn_server0.key' is group or others accessible
Mar 20 13:16:20    openvpn[6817]: OpenVPN 2.0.6 i386-portbld-freebsd6.2 [SSL] [LZO] built on Mar 3 2007
  • If your log looks more like the following output, continue on; otherwise you're done. (Also borrowed from j0emv on the pfSense forums, thanks!)
Mar 20 12:41:16    openvpn[341]: Exiting
Mar 20 12:41:16    openvpn[341]: PLUGIN_INIT: could not load plugin shared object /usr/local/lib/openvpn-auth-pam.so: Service unavailable: Too many links (errno=31)
Mar 20 12:41:16    openvpn[341]: OpenVPN 2.0.6 i386-portbld-freebsd6.1 [SSL] [LZO] built on Apr 6 2006
  • If you have the above output, it means the installed OpenVPN itself is broken (it cannot load the plugin shared object). The easy way to fix this is to reinstall OpenVPN with the pkg_add utility on your pfSense system's command line:
pkg_add -r openvpn
  • This will reinstall OpenVPN and should fix your problem. If not, you can post in the pfSense forums: http://forum.pfsense.org/index.php/topic,4105.0.html or PM me (username: eureka on the pfSense forums).
  • You should now be able to connect to your OpenVPN system using two-way authentication. If you have problems, I have listed below some options that you can add to your OpenVPN configuration to help in your debugging.

Debugging your system

Sometimes things don't work how we think they should. The following options can be helpful in your debugging. It is assumed that you are running these commands on the pfSense system, either via a directly connected monitor/keyboard or via SSH, unless otherwise specified.
  • Make OpenVPN more verbose and force it to log to a non-standard location so you can read it more easily.
  • From the pfSense web GUI navigate to "VPN->OpenVPN" and select the server you created earlier.
  • Go to the bottom of the screen and modify the "Custom Options" text box to contain the following (options are separated by semicolons; note the space after "plugin").
plugin /usr/local/lib/openvpn-auth-pam.so openvpn;
log /var/log/opvn.log;
log-append /var/log/opvn.log;
verb 7
  • This logs everything from OpenVPN to /var/log/opvn.log. You only need one of the two log directives: "log" truncates the file on every start, "log-append" keeps adding to it. "verb 7" is extremely chatty, so turn it back down once you are done. You can watch the log with the following command while trying to connect.
tail -f /var/log/opvn.log
  • You can also watch FreeRADIUS for attempted connections/authorizations (failed or successful).
tail -f /var/log/radius.log
  • With this information in hand, Google and the pfSense forums can be a very good resource.
Reprinted with permission from Sky