FreeRadius: PPTP - RADIUS and client IP address
-
I have the same problem :( :( my 1st idea is probably sample from WARTA project they use ppptd.dial for dynamicly add rules witch VPN ip to firewall
-
I think it's a gui limitation of the current freeradius ipmlementation. Patches accepted ;)
-
where are there patches ?
-
Somebody has to add the functionality and generate a patch. If that is then send in to us we'll add it to the official package.
-
I also add FreeRadius to my pfsense…
but, for me.. nothing more important than ID security.
I think it much better if ID can't be share.. Now as I know, 1 ID can be share with many user at a same time..
Any tips to solve this..?
thanks -
At services>captive portal check this option:
Disable concurrent logins
If this option is set, only the most recent login per username will be active. Subsequent logins will cause machines previously logged in with the same username to be disconnected. -
Thanks for replying
actually, I already thick in this option… But its still allow many user using 1 ID at the same time. For your info.. I am using FreeRadius with RC2.
ThanksFrom portal Auth log
Oct 12 22:13:15 logportalauth[7489]: LOGIN: test, 00:0c:f1:20:b5:7c, 192.168.1.114
Oct 12 22:27:41 logportalauth[9545]: LOGIN: test, 00:14:a4:73:d5:9f, 192.168.1.104
Oct 12 22:56:52 logportalauth[24672]: LOGIN: test, 00:12:0e:4d:2d:cd, 192.168.1.116[/] Disable concurrent logins
If this option is set, only the most recent login per username will be active. Subsequent logins will cause machines previously logged in with the same username to be disconnected. -
Actually I think that option only works when using the local user manager. The radiusserver needs to deny the second login but there is no option for this in the gui of the freeradius package for this.
-
I succeeded in preventing multiple connetion with same ID. I used freeradius's "Simultaneous-User" function for it without gui configuration. Here is the tip I made.
1. If you havn't install freeradius package yet, install it from packages at pfsense.
2. uninstall freeradius package from installed package page.
It is needed becasue you will lost the contents of "users" file you made after rebooting if you don't remove the package gui from pfsene.3. I found some problem to start freeradius on pfsense1.0.1. I think it is due to missing libltdl-1.5.22 dependon and wrong configuration variable for the location of pidfile on radiusd.conf.
a. install libltdl-1.5.22
get it from ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-6-stable/All/libltdl-1.5.22.tbz
and upload it to pfsese. You can use "command prompt -> uplaod" on pfsense.
logo on to pfsense console -> 8. shell
#cd /tmp
#pkg_add libltdl-1.5.22.tbzb. now you need to adjust radiusd.conf
#ee /usr/local/etc/raddb/radiusd.conf
find pidfile = ${run_dir}/radiusd and change it to pidfile = /var/run/radiusd.pidand set bind_address and port like below.
bind_address = *
port = 0and save.
4. and open /usr/local/etc/raddb/clients.conf file and edit it like below
client 127.0.0.1 {
secret = passward
shortname = local
}pls note the "passward" is the password for you to use for "RADIUS shared secret" on pptp configuration.
5. and go to pptp configuration page on pfsense
check 'Use a RADIUS server for authentication'
check 'Enable RADIUS accounting'
enter 127.0.0.1 for 'RADIUS server'
enter 'RADIUS shared secret' -> You should use the password that was used for "secret=" on clients.conf.
and save6. add the pptp users to /usr/local/etc/raddb/users as like following.
test1 User-Password == "test1"
Fall-Through = Yestest2 User-Password == "test2"
Fall-Through = YesDEFAULT Simultaneous-Use += 1
In this case, the pptp users are test1 and test2. And they can connect only one time simultaneously. If you want two simultaneous connetions, you can change "DEFAULT Simultaneous-Use += 1" to "DEFAULT Simultaneous-Use += 2"
7. restart freeradius to get read the new "users" file.
#killall radiusd
#radiusd
or
#/usr/local/etc/rc.d/radiusd.sh restart8. If you need to add more pptp user to freeradius's users file, you can edit it from 'Edit file' menu at pfsense or from the shell. And you should restart radiusd.
With this way, I succeded to prvent multiple pptp connetions but I failed to assign user ID to specific IP address with "Framed-IP-Address =" at freeradius user file.
test User-Password == "test"
Service-Type = Framed-User,
Framed-Protocol = PPP,
Framed-IP-Address = 10.100.1.198Radiusd sends the reply for the IP address to pfsense but I think pfsense ignore it and give the dynamic ip address. I see the option of 'RADIUS issued IP's' on pppoe configuration page on pfsense. So I think geting ip address from radius is possible for pptp as well. Is there anyone who give me an advice how to make pfsense to accept the freeradies reply and assign the ip address from freeradius?
And hope that somebody will adjust Freeradius package gui to add the Simultaneous-User function to users file.
-
As you seem to know what you are doing, why not implementing this feature and providing diffs against the current code so we can commit them? ;D
-
I'd like to but I don't know how to. Sorry, I'm a begginer of freebsd and I'm not even a programer. I don't know about php and C language and even don't know exactly how pfsense is working. I read some documents of freeradius and I just got this infromation from the documents and log.
If you give me some documents about how to implement feature and provide diffs, I can figure out whether I can do or not.
-
I succeeded in assigning ip address from radius server with just modifying vpn_pptp.php and vpn.inc file. I didn't even know about php but I got some hits from vpn_pppoe.php and copied some codes from it.
Now it is possible that the pptp user will get the ip address from other radius and you can prevent multiple pptp connetion with same ID if you are using other radius.
If you want these pptp fuctions to be available with freeradius package on pfsene, pls use my previous tip.
I will try to modify freeradius package as well later but I'm not sure I can do that.
Dear Hoba,
Could you give me an advise which files are involved in for freeradius package configuration?
And pls adv me where I should send the new vpn_pptp.php and vpn.inc files to for your checking and commiting. -
i was planning on trying to add some things to the freeradius gui and the radiusd.conf this weekend
stuf like :
expire
session-timedon't now if the freeradius package is already on version 1.1.13 ?
then also:
logintime added to user file and radiusd.conf (alaws to only be online between the times and days that are given for that user)
user defined counters added to radiusd.conf
user defined counter atributs to user file
so that you can limet on the max sesions you can make
limet the max online time a day,week,month etcmaybe a extra textbox for extra things to add to a user like the static ip stuff ?
-
Now, I finished the freeradius package gui for assigning ip address to user and multiple connection control. I spent almost the day for it.
Dear Hoba,
If you don't mind, I will send the files of vpn.inc, vpn_pptp.php, freeradius.inc and freeradius.xml to you via e-mail.Dear Jeroen234,
It's good news. I'm waiting for your version that will support more functions. If you don't mind I'd like to send the files to you as well. I think it may help for your work. -
Can you just attach them as diffs against the latest version of the files that you changed here? This way maybe jeroen can merge them together with his changes too.
-
Dear Jeroen234,
It's good news. I'm waiting for your version that will support more functions. If you don't mind I'd like to send the files to you as well. I think it may help for your work.no problem send them to jeroenjohanzwarts at hotmail dot com
i will them add the extra functions to those files
don't now if you have made the Simultaneous-User function a user based one
or just a globel one
if it is globel then i will add a user based one -
I will send the files to your e-mail. And I'v made user based Simultaneous-Use fuction.
-
got them thanks
[edit]
this is what i have working now:
Expiration , Session-Timeout , Onlinetimeuser file:
john User-Password == "doe", Simultaneous-Use += 1, Expiration := "101020081010"Framed-IP-Address = 10.10.10.10,
Login-Time := "Any0800-2000",jeroen234 User-Password == "jeroen234", Simultaneous-Use += 1, Expiration := "121220071010"
joop User-Password == "joop", Simultaneous-Use += 1, Expiration := "201020081010"
sint User-Password == "sint", Simultaneous-Use += 1
Session-Timeout := 500,
-
Dear Jeroen,
It looks so good. Pfsense will have the strong radius server functions.
Dear Hoba,
As I mentioned before, we need some modifictions on pfsense's pptp so that it uses the reply from radius server for assigning the ip address from radius server to pptp users. The files involved in it are vpn.inc and vpn_pptp.php. I'm posting my new files here for your information.
vpn.inc
/* vpn.inc Copyright (C) 2004-2006 Scott Ullrich All rights reserved. originally part of m0n0wall (http://m0n0.ch/wall) Copyright (C) 2003-2004 Manuel Kasper <mk@neon1.net>. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1\. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2\. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ /* include all configuration functions */ require_once("functions.inc"); /* master setup for vpn (mpd) */ function vpn_setup() { /* start pptpd */ vpn_pptpd_configure(); /* start pppoe server */ vpn_pppoe_configure(); } function vpn_ipsec_failover_configure() { global $config, $g; $sasyncd_text = ""; if($config['installedpackages']['sasyncd']['config'] <> "") foreach($config['installedpackages']['sasyncd']['config'] as $sasyncd) { $enabled = isset($sasyncd['enable']); if(!$enabled) return; if($sasyncd['peerip'] <> "") $sasyncd_text .= "peer {$sasyncd['peerip']}\n"; if($sasyncd['interface']) $sasyncd_text .= "carp interface {$sasyncd['interface']}\n"; if($sasyncd['sharedkey'] <> "") $sasyncd_text .= "sharedkey {$sasyncd['sharedkey']}\n"; if($sasyncd['mode'] <> "") $sasyncd_text .= "mode {$sasyncd['mode']}\n"; if($sasyncd['listenon'] <> "") $sasyncd_text .= "listen on {$sasyncd['listenon']}\n"; if($sasyncd['flushmodesync'] <> "") $sasyncd_text .= "flushmode sync {$sasyncd['flushmodesync']}\n"; } $fd = fopen("{$g['varetc_path']}/sasyncd.conf", "w"); fwrite($fd, $sasyncd_text); fclose($fd); chmod("{$g['varetc_path']}/sasyncd.conf", 0600); mwexec("killall sasyncd"); /* launch sasyncd, oh wise one */ /* mwexec_bg("/usr/local/sbin/sasyncd -d -v -v -v"); */ } function find_last_gif_device() { $regs = ""; $last_gif_found = -1; if (!($fp = popen("/sbin/ifconfig -l", "r"))) return -1; $ifconfig_data = fread($fp, 4096); pclose($fp); $ifconfig_array = split(" ", $ifconfig_data); foreach ($ifconfig_array as $ifconfig) { ereg("gif(.)", $ifconfig, $regs); if($regs[0]) { if($regs[0] > $last_gif_found) $last_gif_found = $regs[1]; } } return $last_gif_found; } function vpn_ipsec_configure($ipchg = false) { global $config, $g, $sa, $sn; /* get the automatic /etc/ping_hosts.sh ready */ unlink_if_exists("/var/db/ipsecpinghosts"); touch("/var/db/ipsecpinghosts"); if($g['booting'] == true) { /* determine if we should load the via padlock module */ $dmesg_boot = `cat /var/log/dmesg.boot | grep CPU`; if(stristr($dmesg_boot, "ACE") == true) { //echo "Enabling [VIA Padlock] ..."; //mwexec("/sbin/kldload padlock"); //mwexec("/sbin/sysctl net.inet.ipsec.crypto_support=1"); //mwexec("/sbin/setkey -F"); //mwexec("/sbin/setkey -FP"); //echo " done.\n"; } } if(isset($config['ipsec']['preferredoldsa'])) { mwexec("/sbin/sysctl net.key.preferred_oldsa=0"); } else { mwexec("/sbin/sysctl -w net.key.preferred_oldsa=-30"); } $number_of_gifs = find_last_gif_device(); for($x=0; $x<$number_of_gifs; $x++) { mwexec("/sbin/ifconfig gif" . $x . " delete"); } $curwanip = get_current_wan_address(); if($config['installedpackages']['sasyncd']['config'] <> "") foreach($config['installedpackages']['sasyncd']['config'] as $sasyncd) { if($sasyncd['ip'] <> "") $curwanip = $sasyncd['ip']; } $syscfg = $config['system']; $ipseccfg = $config['ipsec']; $lancfg = $config['interfaces']['lan']; $lanip = $lancfg['ipaddr']; $lansa = gen_subnet($lancfg['ipaddr'], $lancfg['subnet']); $lansn = $lancfg['subnet']; if ($g['booting']) { if (!isset($ipseccfg['enable'])) return 0; echo "Configuring IPsec VPN... "; } else { /* kill racoon */ mwexec("/usr/bin/killall racoon"); /* wait for process to die */ sleep(2); /* send a SIGKILL to be sure */ sigkillbypid("{$g['varrun_path']}/racoon.pid", "KILL"); } /* flush SPD and SAD */ mwexec("/sbin/setkey -FP"); mwexec("/sbin/setkey -F"); if (isset($ipseccfg['enable'])) { /* fastforwarding is not compatible with ipsec tunnels */ system("/sbin/sysctl net.inet.ip.fastforwarding=0 >/dev/null 2>&1"); if (!$curwanip) { /* IP address not configured yet, exit */ if ($g['booting']) echo "done\n"; return 0; } if ((is_array($ipseccfg['tunnel']) && count($ipseccfg['tunnel'])) || isset($ipseccfg['mobileclients']['enable'])) { if (is_array($ipseccfg['tunnel']) && count($ipseccfg['tunnel'])) { /* generate spd.conf */ $fd = fopen("{$g['varetc_path']}/spd.conf", "w"); if (!$fd) { printf("Error: cannot open spd.conf in vpn_ipsec_configure().\n"); return 1; } $spdconf = ""; $spdconf .= "spdadd {$lansa}/{$lansn} {$lanip}/32 any -P in none;\n"; $spdconf .= "spdadd {$lanip}/32 {$lansa}/{$lansn} any -P out none;\n"; foreach ($ipseccfg['tunnel'] as $tunnel) { if (isset($tunnel['disabled'])) continue; $ep = vpn_endpoint_determine($tunnel, $curwanip); if (!$ep) continue; vpn_localnet_determine($tunnel['local-subnet'], $sa, $sn); if(is_domain($tunnel['remote-gateway'])) { $tmp = gethostbyname($tunnel['remote-gateway']); if($tmp) $tunnel['remote-gateway'] = $tmp; } /* add entry to host pinger */ if($tunnel['pinghost']) { $pfd = fopen("/var/db/ipsecpinghosts","a"); $srcip = find_interface_ip($config['interfaces']['lan']['if']); $dstip = $tunnel['pinghost']; fwrite($pfd, "$srcip|$dstip|3\n"); fclose($pfd); } if(isset($tunnel['creategif'])) { $number_of_gifs = find_last_gif_device(); $number_of_gifs++; $curwanip = get_current_wan_address(); if($config['installedpackages']['sasyncd']['config'] <> "") foreach($config['installedpackages']['sasyncd']['config'] as $sasyncd) { if($sasyncd['ip'] <> "") $curwanip = $sasyncd['ip']; } mwexec("/sbin/ifconfig gif" . $number_of_gifs . " tunnel" . $curwanip . " " . $tunnel['remote-gateway']); mwexec("/sbin/ifconfig gif" . $number_of_gifs . " {$lansa}/{$lansn} {$lanip}/32"); } $spdconf .= "spdadd {$sa}/{$sn} " . "{$tunnel['remote-subnet']} any -P out ipsec " . "{$tunnel['p2']['protocol']}/tunnel/{$ep}-" . "{$tunnel['remote-gateway']}/unique;\n"; $spdconf .= "spdadd {$tunnel['remote-subnet']} " . "{$sa}/{$sn} any -P in ipsec " . "{$tunnel['p2']['protocol']}/tunnel/{$tunnel['remote-gateway']}-" . "{$ep}/unique;\n"; } fwrite($fd, $spdconf); fclose($fd); /* load SPD */ mwexec("/sbin/setkey -c < {$g['varetc_path']}/spd.conf"); } /* generate racoon.conf */ $fd = fopen("{$g['varetc_path']}/racoon.conf", "w"); if (!$fd) { printf("Error: cannot open racoon.conf in vpn_ipsec_configure().\n"); return 1; } $racoonconf = ""; if($config['installedpackages']['sasyncd']['config'] <> "") foreach($config['installedpackages']['sasyncd']['config'] as $sasyncd) { if($sasyncd['ip'] <> "") $curwanip = $sasyncd['ip']; /* natt - turn on if <developer> exists */ if(isset($config['system']['developer']) <> "") { $lanip = $config['interfaces']['lan']['ipaddr']; if($lanip <> "") $natt = "isakmp_natt {$lanip}[4500];\n"; } $interface_ip = $sasyncd['ip']; $racoonconf .= <<<eod<br>listen { isakmp {$interface_ip} [500]; {$natt} } EOD; } $racoonconf .= "path pre_shared_key \"{$g['varetc_path']}/psk.txt\";\n\n"; $racoonconf .= "path certificate \"{$g['varetc_path']}\";\n\n"; /* generate CA certificates files */ $cacertnum = 0; if (is_array($ipseccfg['cacert']) && count($ipseccfg['cacert'])) foreach ($ipseccfg['cacert'] as $cacert) { ++$cacertnum; if (isset($cacert['cert'])) { $cert = base64_decode($cacert['cert']); $x509cert = openssl_x509_parse(openssl_x509_read($cert)); if(is_array($x509cert) && isset($x509cert['hash'])) { $fd1 = fopen("{$g['varetc_path']}/{$x509cert['hash']}.0", "w"); if (!$fd1) { printf("Error: cannot open {$x509cert['hash']}.0 in vpn.\n"); return 1; } chmod("{$g['varetc_path']}/{$x509cert['hash']}.0", 0600); fwrite($fd1, $cert); fclose($fd1); } } } $tunnelnumber = 0; if (is_array($ipseccfg['tunnel']) && count($ipseccfg['tunnel'])) foreach ($ipseccfg['tunnel'] as $tunnel) { ++$tunnelnumber; if (isset($tunnel['disabled'])) continue; $ep = vpn_endpoint_determine($tunnel, $curwanip); if (!$ep) continue; vpn_localnet_determine($tunnel['local-subnet'], $sa, $sn); if (isset($tunnel['p1']['myident']['myaddress'])) { $myidentt = "address"; $myident = $ep; } else if (isset($tunnel['p1']['myident']['address'])) { $myidentt = "address"; $myident = $tunnel['p1']['myident']['address']; } else if (isset($tunnel['p1']['myident']['fqdn'])) { $myidentt = "fqdn"; $myident = $tunnel['p1']['myident']['fqdn']; } else if (isset($tunnel['p1']['myident']['ufqdn'])) { $myidentt = "user_fqdn"; $myident = $tunnel['p1']['myident']['ufqdn']; } else if (isset($tunnel['p1']['myident']['dyn_dns'])) { $myidentt = "dyn_dns"; $myident = gethostbyname($tunnel['p1']['myident']['dyn_dns']); } if (isset($tunnel['p1']['authentication_method'])) { $authmethod = $tunnel['p1']['authentication_method']; } else {$authmethod = 'pre_shared_key';} $certline = ''; if ($authmethod == 'rsasig') { if ($tunnel['p1']['cert'] && $tunnel['p1']['private-key']) { $cert = base64_decode($tunnel['p1']['cert']); $private_key = base64_decode($tunnel['p1']['private-key']); } else { /* null certificate/key */ $cert = ''; $private_key = ''; } if ($tunnel['p1']['peercert']) $peercert = base64_decode($tunnel['p1']['peercert']); else $peercert = ''; $fd1 = fopen("{$g['varetc_path']}/server{$tunnelnumber}-signed.pem", "w"); if (!$fd1) { printf("Error: cannot open server{$tunnelnumber}-signed.pem in vpn.\n"); return 1; } chmod("{$g['varetc_path']}/server{$tunnelnumber}-signed.pem", 0600); fwrite($fd1, $cert); fclose($fd1); $fd1 = fopen("{$g['varetc_path']}/server{$tunnelnumber}-key.pem", "w"); if (!$fd1) { printf("Error: cannot open server{$tunnelnumber}-key.pem in vpn.\n"); return 1; } chmod("{$g['varetc_path']}/server{$tunnelnumber}-key.pem", 0600); fwrite($fd1, $private_key); fclose($fd1); $certline = "certificate_type x509 \"server{$tunnelnumber}-signed.pem\" \"server{$tunnelnumber}-key.pem\";"; if ($peercert!=''){ $fd1 = fopen("{$g['varetc_path']}/peer{$tunnelnumber}-signed.pem", "w"); if (!$fd1) { printf("Error: cannot open server{$tunnelnumber}-signed.pem in vpn.\n"); return 1; } chmod("{$g['varetc_path']}/peer{$tunnelnumber}-signed.pem", 0600); fwrite($fd1, $peercert); fclose($fd1); $certline .= << <eod<br>peers_certfile "peer{$tunnelnumber}-signed.pem"; EOD; } } $racoonconf .= <<<eod<br>remote {$tunnel['remote-gateway']} \{ exchange_mode {$tunnel['p1']['mode']}; my_identifier {$myidentt} "{$myident}"; {$certline} peers_identifier address {$tunnel['remote-gateway']}; initial_contact on; support_proxy on; proposal_check obey; proposal \{ encryption_algorithm {$tunnel['p1']['encryption-algorithm']}; hash_algorithm {$tunnel['p1']['hash-algorithm']}; authentication_method {$authmethod}; dh_group {$tunnel['p1']['dhgroup']}; EOD; if ($tunnel['p1']['lifetime']) $racoonconf .= " lifetime time {$tunnel['p1']['lifetime']} secs;\n"; $racoonconf .= " }\n"; if ($tunnel['p1']['lifetime']) $racoonconf .= " lifetime time {$tunnel['p1']['lifetime']} secs;\n"; $racoonconf .= "}\n\n"; $p2ealgos = join(",", $tunnel['p2']['encryption-algorithm-option']); $p2halgos = join(",", $tunnel['p2']['hash-algorithm-option']); $racoonconf .= <<<eod<br>sainfo address {$sa}/{$sn} any address {$tunnel['remote-subnet']} any \{ encryption_algorithm {$p2ealgos}; authentication_algorithm {$p2halgos}; compression_algorithm deflate; EOD; if ($tunnel['p2']['pfsgroup']) $racoonconf .= " pfs_group {$tunnel['p2']['pfsgroup']};\n"; if ($tunnel['p2']['lifetime']) $racoonconf .= " lifetime time {$tunnel['p2']['lifetime']} secs;\n"; $racoonconf .= "}\n\n"; } /* mobile clients? */ if (isset($ipseccfg['mobileclients']['enable'])) { $tunnel = $ipseccfg['mobileclients']; if (isset($tunnel['p1']['myident']['myaddress'])) { $myidentt = "address"; $myident = $curwanip; } else if (isset($tunnel['p1']['myident']['address'])) { $myidentt = "address"; $myident = $tunnel['p1']['myident']['address']; } else if (isset($tunnel['p1']['myident']['fqdn'])) { $myidentt = "fqdn"; $myident = $tunnel['p1']['myident']['fqdn']; } else if (isset($tunnel['p1']['myident']['ufqdn'])) { $myidentt = "user_fqdn"; $myident = $tunnel['p1']['myident']['ufqdn']; } if (isset($tunnel['p1']['authentication_method'])) { $authmethod = $tunnel['p1']['authentication_method']; } else {$authmethod = 'pre_shared_key';} $certline = ''; if ($authmethod == 'rsasig') { if ($tunnel['p1']['cert'] && $tunnel['p1']['private-key']) { $cert = base64_decode($tunnel['p1']['cert']); $private_key = base64_decode($tunnel['p1']['private-key']); } else { /* null certificate/key */ $cert = ''; $private_key = ''; } if ($tunnel['p1']['peercert']) $peercert = base64_decode($tunnel['p1']['peercert']); else $peercert = ''; $fd1 = fopen("{$g['varetc_path']}/server-mobile{$tunnelnumber}-signed.pem", "w"); if (!$fd1) { printf("Error: cannot open server-mobile{$tunnelnumber}-signed.pem in vpn.\n"); return 1; } chmod("{$g['varetc_path']}/server-mobile{$tunnelnumber}-signed.pem", 0600); fwrite($fd1, $cert); fclose($fd1); $fd1 = fopen("{$g['varetc_path']}/server-mobile{$tunnelnumber}-key.pem", "w"); if (!$fd1) { printf("Error: cannot open server-mobile{$tunnelnumber}-key.pem in vpn.\n"); return 1; } chmod("{$g['varetc_path']}/server-mobile{$tunnelnumber}-key.pem", 0600); fwrite($fd1, $private_key); fclose($fd1); $certline = "certificate_type x509 \"server-mobile{$tunnelnumber}-signed.pem\" \"server-mobile{$tunnelnumber}-key.pem\";"; } $racoonconf .= <<<eod<br>remote anonymous \{ exchange_mode {$tunnel['p1']['mode']}; my_identifier {$myidentt} "{$myident}"; {$certline} initial_contact on; passive on; generate_policy on; support_proxy on; proposal_check obey; proposal \{ encryption_algorithm {$tunnel['p1']['encryption-algorithm']}; hash_algorithm {$tunnel['p1']['hash-algorithm']}; authentication_method {$authmethod}; dh_group {$tunnel['p1']['dhgroup']}; EOD; if ($tunnel['p1']['lifetime']) $racoonconf .= " lifetime time {$tunnel['p1']['lifetime']} secs;\n"; $racoonconf .= " }\n"; if ($tunnel['p1']['lifetime']) $racoonconf .= " lifetime time {$tunnel['p1']['lifetime']} secs;\n"; $racoonconf .= "}\n\n"; $p2ealgos = join(",", $tunnel['p2']['encryption-algorithm-option']); $p2halgos = join(",", $tunnel['p2']['hash-algorithm-option']); $racoonconf .= <<<eod<br>sainfo anonymous \{ encryption_algorithm {$p2ealgos}; authentication_algorithm {$p2halgos}; compression_algorithm deflate; EOD; if ($tunnel['p2']['pfsgroup']) $racoonconf .= " pfs_group {$tunnel['p2']['pfsgroup']};\n"; if ($tunnel['p2']['lifetime']) $racoonconf .= " lifetime time {$tunnel['p2']['lifetime']} secs;\n"; $racoonconf .= "}\n\n"; } fwrite($fd, $racoonconf); fclose($fd); /* generate psk.txt */ $fd = fopen("{$g['varetc_path']}/psk.txt", "w"); if (!$fd) { printf("Error: cannot open psk.txt in vpn_ipsec_configure().\n"); return 1; } $pskconf = ""; if (is_array($ipseccfg['tunnel'])) { foreach ($ipseccfg['tunnel'] as $tunnel) { if (isset($tunnel['disabled'])) continue; $pskconf .= "{$tunnel['remote-gateway']} {$tunnel['p1']['pre-shared-key']}\n"; } } /* add PSKs for mobile clients */ if (is_array($ipseccfg['mobilekey'])) { foreach ($ipseccfg['mobilekey'] as $key) { $pskconf .= "{$key['ident']} {$key['pre-shared-key']}\n"; } } fwrite($fd, $pskconf); fclose($fd); chmod("{$g['varetc_path']}/psk.txt", 0600); /* start racoon */ mwexec("/usr/local/sbin/racoon -f {$g['varetc_path']}/racoon.conf"); } } vpn_ipsec_failover_configure(); if (!$g['booting']) { /* reload the filter */ touch("{$g["tmp_path"]}/filter_dirty"); } if ($g['booting']) echo "done\n"; return 0; } function vpn_pptpd_configure() { global $config, $g; $syscfg = $config['system']; $pptpdcfg = $config['pptpd']; if ($g['booting']) { if (!$pptpdcfg['mode'] || ($pptpdcfg['mode'] == "off")) return 0; echo "Configuring PPTP VPN service... "; } else { /* kill mpd */ killbypid("{$g['varrun_path']}/mpd-vpn.pid"); /* wait for process to die */ sleep(3); if(is_process_running("mpd -b")) { killbypid("{$g['varrun_path']}/mpd-vpn.pid"); log_error("Could not kill mpd within 3 seconds. Trying again."); } /* remove mpd.conf, if it exists */ unlink_if_exists("{$g['varetc_path']}/mpd-vpn/mpd.conf"); unlink_if_exists("{$g['varetc_path']}/mpd-vpn/mpd.links"); unlink_if_exists("{$g['varetc_path']}/mpd-vpn/mpd.secret"); } /* make sure mpd-vpn directory exists */ if (!file_exists("{$g['varetc_path']}/mpd-vpn")) mkdir("{$g['varetc_path']}/mpd-vpn"); switch ($pptpdcfg['mode']) { case 'server': /* write mpd.conf */ $fd = fopen("{$g['varetc_path']}/mpd-vpn/mpd.conf", "w"); if (!$fd) { printf("Error: cannot open mpd.conf in vpn_pptpd_configure().\n"); return 1; } $mpdconf = <<<eod<br>pptpd: EOD; for ($i = 0; $i < $g['n_pptp_units']; $i++) { $mpdconf .= " load pt{$i}\n"; } for ($i = 0; $i < $g['n_pptp_units']; $i++) { $clientip = long2ip(ip2long($pptpdcfg['remoteip']) + $i); $ngif = "ng" . ($i+1); if(isset($pptpdcfg['radius']['radiusissueips']) && isset($pptpdcfg['radius']['enable'])) { $isssue_ip_type = "set ipcp ranges {$pptpdcfg['localip']}/32 0.0.0.0/0"; $isssue_ip_type .="\n\tset ipcp yes radius-ip"; } else { $isssue_ip_type = "set ipcp ranges {$pptpdcfg['localip']}/32 {$clientip}/32"; } $mpdconf .= << <eod<br>pt{$i}: new -i {$ngif} pt{$i} pt{$i} {$isssue_ip_type} load pts EOD; } $mpdconf .= << <eod<br>pts: set iface disable on-demand set iface enable proxy-arp set iface enable tcpmssfix set iface idle 1800 set iface up-script /usr/local/sbin/vpn-linkup set iface down-script /usr/local/sbin/vpn-linkdown set bundle enable multilink set bundle enable crypt-reqd set link yes acfcomp protocomp set link no pap chap set link enable chap-msv2 set link mtu 1460 set link keep-alive 10 60 set ipcp yes vjcomp set bundle enable compression set ccp yes mppc set ccp yes mpp-e128 set ccp yes mpp-stateless EOD; if (!isset($pptpdcfg['req128'])) { $mpdconf .= << <eod<br>set ccp yes mpp-e40 set ccp yes mpp-e56 EOD; } if (is_array($pptpdcfg['dnsserver']) && ($pptpdcfg['dnsserver'][0])) { $mpdconf .= " set ipcp dns " . join(" ", $pptpdcfg['dnsserver']) . "\n"; } else if (isset($config['dnsmasq']['enable'])) { $mpdconf .= " set ipcp dns " . $config['interfaces']['lan']['ipaddr']; if ($syscfg['dnsserver'][0]) $mpdconf .= " " . $syscfg['dnsserver'][0]; $mpdconf .= "\n"; } else if (is_array($syscfg['dnsserver']) && ($syscfg['dnsserver'][0])) { $mpdconf .= " set ipcp dns " . join(" ", $syscfg['dnsserver']) . "\n"; } if (isset($pptpdcfg['radius']['enable'])) { $mpdconf .= << <eod<br>set radius server {$pptpdcfg['radius']['server']} "{$pptpdcfg['radius']['secret']}" set radius retries 3 set radius timeout 10 set bundle enable radius-auth set bundle disable radius-fallback EOD; if (isset($pptpdcfg['radius']['accounting'])) { $mpdconf .= << <eod<br>set bundle enable radius-acct EOD; } } fwrite($fd, $mpdconf); fclose($fd); /* write mpd.links */ $fd = fopen("{$g['varetc_path']}/mpd-vpn/mpd.links", "w"); if (!$fd) { printf("Error: cannot open mpd.links in vpn_pptpd_configure().\n"); return 1; } $mpdlinks = ""; for ($i = 0; $i < $g['n_pptp_units']; $i++) { $mpdlinks .= << <eod<br>pt{$i}: set link type pptp set pptp enable incoming set pptp disable originate set pptp disable windowing set pptp self 127.0.0.1 EOD; } fwrite($fd, $mpdlinks); fclose($fd); /* write mpd.secret */ $fd = fopen("{$g['varetc_path']}/mpd-vpn/mpd.secret", "w"); if (!$fd) { printf("Error: cannot open mpd.secret in vpn_pptpd_configure().\n"); return 1; } $mpdsecret = ""; if (is_array($pptpdcfg['user'])) { foreach ($pptpdcfg['user'] as $user) $mpdsecret .= "{$user['name']} \"{$user['password']}\" {$user['ip']}\n"; } fwrite($fd, $mpdsecret); fclose($fd); chmod("{$g['varetc_path']}/mpd-vpn/mpd.secret", 0600); /* fire up mpd */ mwexec("/usr/local/sbin/mpd -b -d {$g['varetc_path']}/mpd-vpn -p {$g['varrun_path']}/mpd-vpn.pid pptpd"); break; case 'redir': break; } if (!$g['booting']) { /* reload the filter */ filter_configure(); } if ($g['booting']) echo "done\n"; return 0; } function vpn_localnet_determine($adr, &$sa, &$sn) { global $config, $g; if (isset($adr)) { if ($adr['network']) { switch ($adr['network']) { case 'lan': $sn = $config['interfaces']['lan']['subnet']; $sa = gen_subnet($config['interfaces']['lan']['ipaddr'], $sn); break; } } else if ($adr['address']) { list($sa,$sn) = explode("/", $adr['address']); if (is_null($sn)) $sn = 32; } } else { $sn = $config['interfaces']['lan']['subnet']; $sa = gen_subnet($config['interfaces']['lan']['ipaddr'], $sn); } } function vpn_endpoint_determine($tunnel, $curwanip) { global $g, $config; if ((!$tunnel['interface']) || ($tunnel['interface'] == "wan")) { if ($curwanip) return $curwanip; else return null; } else if ($tunnel['interface'] == "lan") { return $config['interfaces']['lan']['ipaddr']; } else { $oc = $config['interfaces'][$tunnel['interface']]; if (isset($oc['enable']) && $oc['if']) { return $oc['ipaddr']; } } return null; } function vpn_pppoe_configure() { global $config, $g; $syscfg = $config['system']; $pppoecfg = $config['pppoe']; /* create directory if it does not exist */ if(!is_dir("{$g['varetc_path']}/mpd-vpn")) mkdir("{$g['varetc_path']}/mpd-vpn"); if ($g['booting']) { if (!$pppoecfg['mode'] || ($pppoecfg['mode'] == "off")) return 0; echo "Configuring PPPoE VPN service... "; } /* make sure mpd-vpn directory exists */ if (!file_exists("{$g['varetc_path']}/mpd-vpn")) mkdir("{$g['varetc_path']}/mpd-vpn"); switch ($pppoecfg['mode']) { case 'server': $pppoe_interface = filter_translate_type_to_real_interface($pppoecfg['interface']); /* write mpd.conf */ $fd = fopen("{$g['varetc_path']}/mpd-vpn/mpd.conf", "a"); if (!$fd) { printf("Error: cannot open mpd.conf in vpn_pppoe_configure().\n"); return 1; } $mpdconf = "\n\n"; $mpdconf .= <<<eod<br>pppoe: EOD; for ($i = 0; $i < $pppoecfg['n_pppoe_units']; $i++) { $mpdconf .= " load pppoe{$i}\n"; } for ($i = 0; $i < $pppoecfg['n_pppoe_units']; $i++) { $clientip = long2ip(ip2long($pppoecfg['remoteip']) + $i); $ngif = "ng" . ($i+1); if(isset($pppoecfg['radius']['radiusissueips']) && isset($pppoecfg['radius']['enable'])) { $isssue_ip_type = "set ipcp ranges {$pppoecfg['localip']}/32 0.0.0.0/0"; $isssue_ip_type .="\n\tset ipcp yes radius-ip"; } else { $isssue_ip_type = "set ipcp ranges {$pppoecfg['localip']}/32 {$clientip}/32"; } $mpdconf .= << <eod<br>pppoe{$i}: new -i {$ngif} pppoe{$i} pppoe{$i} {$isssue_ip_type} load pppoe_standart EOD; } $mpdconf .= << <eod<br>pppoe_standart: set link type pppoe set pppoe iface {$pppoe_interface} set pppoe service "*" set pppoe disable originate set pppoe enable incoming set bundle no multilink set bundle enable compression set bundle max-logins 1 set iface idle 0 set iface disable on-demand set iface disable proxy-arp set iface enable tcpmssfix set iface mtu 1500 set link no pap chap set link enable chap set link keep-alive 60 180 set ipcp yes vjcomp set ipcp no vjcomp set link max-redial -1 set link mtu 1492 set link mru 1492 set ccp yes mpp-e40 set ccp yes mpp-e128 set ccp yes mpp-stateless set link latency 1 #set ipcp dns 10.10.1.3 #set bundle accept encryption EOD; if (isset($config['dnsmasq']['enable'])) { $mpdconf .= " set ipcp dns " . $config['interfaces']['lan']['ipaddr']; if ($syscfg['dnsserver'][0]) $mpdconf .= " " . $syscfg['dnsserver'][0]; $mpdconf .= "\n"; } else if (is_array($syscfg['dnsserver']) && ($syscfg['dnsserver'][0])) { $mpdconf .= " set ipcp dns " . join(" ", $syscfg['dnsserver']) . "\n"; } if (isset($pppoecfg['radius']['enable'])) { $mpdconf .= << <eod<br>set radius server {$pppoecfg['radius']['server']} "{$pppoecfg['radius']['secret']}" set radius retries 3 set radius timeout 10 set bundle enable radius-auth set bundle disable radius-fallback EOD; if (isset($pppoecfg['radius']['accounting'])) { $mpdconf .= << <eod<br>set bundle enable radius-acct EOD; } } fwrite($fd, $mpdconf); fclose($fd); /* write mpd.links */ $fd = fopen("{$g['varetc_path']}/mpd-vpn/mpd.links", "a"); if (!$fd) { printf("Error: cannot open mpd.links in vpn_pppoe_configure().\n"); return 1; } $mpdlinks = ""; for ($i = 0; $i < $pppoecfg['n_pppoe_units']; $i++) { $mpdlinks .= << <eod<br>pppoe: set link type pppoe set pppoe iface {$pppoe_interface} EOD; } fwrite($fd, $mpdlinks); fclose($fd); /* write mpd.secret */ $fd = fopen("{$g['varetc_path']}/mpd-vpn/mpd.secret", "a"); if (!$fd) { printf("Error: cannot open mpd.secret in vpn_pppoe_configure().\n"); return 1; } $mpdsecret = "\n\n"; if (is_array($pppoecfg['user'])) { foreach ($pppoecfg['user'] as $user) $mpdsecret .= "{$user['name']} \"{$user['password']}\" {$user['ip']}\n"; } fwrite($fd, $mpdsecret); fclose($fd); chmod("{$g['varetc_path']}/mpd-vpn/mpd.secret", 0600); /* fire up mpd */ mwexec("/usr/local/sbin/mpd -b -d {$g['varetc_path']}/mpd-vpn -p {$g['varrun_path']}/mpd-vpn.pid pppoe"); break; case 'redir': break; } touch("{$g["tmp_path"]}/filter_dirty"); if ($g['booting']) echo "done\n"; return 0; } ?></eod<br></eod<br></eod<br></eod<br></eod<br></eod<br></eod<br></eod<br></eod<br></eod<br></eod<br></eod<br></eod<br></eod<br></eod<br></eod<br></eod<br></eod<br></eod<br></developer></mk@neon1.net>
It would be better that this modification be reflected on embedded version as well. The embedded user can use this fuction with other radius server even if they cannot use pfsense's freeradius package.
-
Here is vpn_pptp.php
/* vpn_pptp.php part of m0n0wall (http://m0n0.ch/wall) Copyright (C) 2003-2005 Manuel Kasper <mk@neon1.net>. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1\. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2\. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ require("guiconfig.inc"); if (!is_array($config['pptpd']['radius'])) { $config['pptpd']['radius'] = array(); } $pptpcfg = &$config['pptpd']; $pconfig['remoteip'] = $pptpcfg['remoteip']; $pconfig['localip'] = $pptpcfg['localip']; $pconfig['redir'] = $pptpcfg['redir']; $pconfig['mode'] = $pptpcfg['mode']; $pconfig['wins'] = $pptpcfg['wins']; $pconfig['req128'] = isset($pptpcfg['req128']); $pconfig['radiusenable'] = isset($pptpcfg['radius']['enable']); $pconfig['radacct_enable'] = isset($pptpcfg['radius']['accounting']); $pconfig['radiusserver'] = $pptpcfg['radius']['server']; $pconfig['radiussecret'] = $pptpcfg['radius']['secret']; $pconfig['radiusissueips'] = isset($pptpcfg['radius']['radiusissueips']); if ($_POST) { unset($input_errors); $pconfig = $_POST; /* input validation */ if ($_POST['mode'] == "server") { $reqdfields = explode(" ", "localip remoteip"); $reqdfieldsn = explode(",", "Server address,Remote start address"); if ($_POST['radiusenable']) { $reqdfields = array_merge($reqdfields, explode(" ", "radiusserver radiussecret")); $reqdfieldsn = array_merge($reqdfieldsn, explode(",", "RADIUS server address,RADIUS shared secret")); } do_input_validation($_POST, $reqdfields, $reqdfieldsn, &$input_errors); if (($_POST['localip'] && !is_ipaddr($_POST['localip']))) { $input_errors[] = "A valid server address must be specified."; } if (($_POST['subnet'] && !is_ipaddr($_POST['remoteip']))) { $input_errors[] = "A valid remote start address must be specified."; } if (($_POST['radiusserver'] && !is_ipaddr($_POST['radiusserver']))) { $input_errors[] = "A valid RADIUS server address must be specified."; } if (!$input_errors) { $_POST['remoteip'] = $pconfig['remoteip'] = gen_subnet($_POST['remoteip'], $g['pptp_subnet']); $subnet_start = ip2long($_POST['remoteip']); $subnet_end = ip2long($_POST['remoteip']) + $g['n_pptp_units'] - 1; if ((ip2long($_POST['localip']) >= $subnet_start) && (ip2long($_POST['localip']) <= $subnet_end)) { $input_errors[] = "The specified server address lies in the remote subnet."; } if ($_POST['localip'] == $config['interfaces']['lan']['ipaddr']) { $input_errors[] = "The specified server address is equal to the LAN interface address."; } } } else if ($_POST['mode'] == "redir") { $reqdfields = explode(" ", "redir"); $reqdfieldsn = explode(",", "PPTP redirection target address"); do_input_validation($_POST, $reqdfields, $reqdfieldsn, &$input_errors); if (($_POST['redir'] && !is_ipaddr($_POST['redir']))) { $input_errors[] = "A valid target address must be specified."; } } else { /* turning pptp off, lets dump any custom rules */ $rules = &$config['filter']['rule']; for($x=0; $x <count($rules); $x++)="" {<br="">if($rules[$x]['interface'] == "pptp") { unset($rules[$x]); } } unset($config['pptpd']['mode']); write_config(); } if (!$input_errors) { $pptpcfg['remoteip'] = $_POST['remoteip']; $pptpcfg['redir'] = $_POST['redir']; $pptpcfg['localip'] = $_POST['localip']; $pptpcfg['mode'] = $_POST['mode']; $pptpcfg['wins'] = $_POST['wins']; $pptpcfg['radius']['server'] = $_POST['radiusserver']; $pptpcfg['radius']['secret'] = $_POST['radiussecret']; if($_POST['req128'] == "yes") $pptpcfg['req128'] = true; else unset($pptpcfg['req128']); if($_POST['radiusenable'] == "yes") $pptpcfg['radius']['enable'] = true; else unset($pptpcfg['radius']['enable']); if($_POST['radacct_enable'] == "yes") $pptpcfg['radius']['accounting'] = true; else unset($pptpcfg['radius']['accounting']); if($_POST['radiusissueips'] == "yes") { $pptpcfg['radius']['radiusissueips'] = true; } else unset($pptpcfg['radius']['radiusissueips']); write_config(); $retval = 0; config_lock(); $retval = vpn_setup(); config_unlock(); $savemsg = get_std_save_message($retval); filter_configure(); } } $pgtitle = "VPN PPTP"; include("head.inc"); ?> <form action="vpn_pptp.php" method="post" name="iform" id="iform"> | $tab_array = array(); $tab_array[0] = array("Configuration", true, "vpn_pptp.php"); $tab_array[1] = array("Users", false, "vpn_pptp_users.php"); display_top_tabs($tab_array); ?> | | > Off | | > Redirect incoming PPTP connections to: | PPTP redirection | Enter the IP address of a host which will accept incoming PPTP connections. | | > Enable PPTP server | Max. concurrent connections | | Server address | Enter the IP address the PPTP server should use on its side for all clients. | Remote address range | / Specify the starting address for the client IP address subnet. The PPTP server will assign addresses, starting at the address entered above, to clients. | RADIUS | > **Use a RADIUS server for authentication** When set, all users will be authenticated using the RADIUS server specified below. The local user database will not be used. > **Enable RADIUS accounting** Sends accounting packets to the RADIUS server. | RADIUS server | Enter the IP address of the RADIUS server. | RADIUS shared secret | Enter the shared secret that will be used to authenticate to the RADIUS server. | RADIUS issued IP's | > Issue IP Addresses via RADIUS server. | WINS Server | | | | > **Require 128-bit encryption** When set, 128-bit encryption will be accepted. Otherwise, 40-bit and 56-bit encryption will be accepted, too. Note that encryption will always be forced on PPTP connections (i.e. unencrypted connections will not be accepted). | | | | **Note:** don't forget to [add a firewall rule](firewall_rules.php?if=pptp) to permit traffic from PPTP clients! | | </form> ![pptp.jpg_thumb](/public/_imported_attachments_/1/pptp.jpg_thumb) ![pptp.jpg](/public/_imported_attachments_/1/pptp.jpg) ![pptp.jpg_thumb](/public/_imported_attachments_/1/pptp.jpg_thumb)[/i][/i]</count($rules);></mk@neon1.net>