FreeRadius: PPTP - RADIUS and client IP address
-
Dear Jeroen,
It looks so good. Pfsense will have the strong radius server functions.
Dear Hoba,
As I mentioned before, we need some modifictions on pfsense's pptp so that it uses the reply from radius server for assigning the ip address from radius server to pptp users. The files involved in it are vpn.inc and vpn_pptp.php. I'm posting my new files here for your information.
vpn.inc
/* vpn.inc Copyright (C) 2004-2006 Scott Ullrich All rights reserved. originally part of m0n0wall (http://m0n0.ch/wall) Copyright (C) 2003-2004 Manuel Kasper <mk@neon1.net>. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1\. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2\. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ /* include all configuration functions */ require_once("functions.inc"); /* master setup for vpn (mpd) */ function vpn_setup() { /* start pptpd */ vpn_pptpd_configure(); /* start pppoe server */ vpn_pppoe_configure(); } function vpn_ipsec_failover_configure() { global $config, $g; $sasyncd_text = ""; if($config['installedpackages']['sasyncd']['config'] <> "") foreach($config['installedpackages']['sasyncd']['config'] as $sasyncd) { $enabled = isset($sasyncd['enable']); if(!$enabled) return; if($sasyncd['peerip'] <> "") $sasyncd_text .= "peer {$sasyncd['peerip']}\n"; if($sasyncd['interface']) $sasyncd_text .= "carp interface {$sasyncd['interface']}\n"; if($sasyncd['sharedkey'] <> "") $sasyncd_text .= "sharedkey {$sasyncd['sharedkey']}\n"; if($sasyncd['mode'] <> "") $sasyncd_text .= "mode {$sasyncd['mode']}\n"; if($sasyncd['listenon'] <> "") $sasyncd_text .= "listen on {$sasyncd['listenon']}\n"; if($sasyncd['flushmodesync'] <> "") $sasyncd_text .= "flushmode sync {$sasyncd['flushmodesync']}\n"; } $fd = fopen("{$g['varetc_path']}/sasyncd.conf", "w"); fwrite($fd, $sasyncd_text); fclose($fd); chmod("{$g['varetc_path']}/sasyncd.conf", 0600); mwexec("killall sasyncd"); /* launch sasyncd, oh wise one */ /* mwexec_bg("/usr/local/sbin/sasyncd -d -v -v -v"); */ } function find_last_gif_device() { $regs = ""; $last_gif_found = -1; if (!($fp = popen("/sbin/ifconfig -l", "r"))) return -1; $ifconfig_data = fread($fp, 4096); pclose($fp); $ifconfig_array = split(" ", $ifconfig_data); foreach ($ifconfig_array as $ifconfig) { ereg("gif(.)", $ifconfig, $regs); if($regs[0]) { if($regs[0] > $last_gif_found) $last_gif_found = $regs[1]; } } return $last_gif_found; } function vpn_ipsec_configure($ipchg = false) { global $config, $g, $sa, $sn; /* get the automatic /etc/ping_hosts.sh ready */ unlink_if_exists("/var/db/ipsecpinghosts"); touch("/var/db/ipsecpinghosts"); if($g['booting'] == true) { /* determine if we should load the via padlock module */ $dmesg_boot = `cat /var/log/dmesg.boot | grep CPU`; if(stristr($dmesg_boot, "ACE") == true) { //echo "Enabling [VIA Padlock] ..."; //mwexec("/sbin/kldload padlock"); //mwexec("/sbin/sysctl net.inet.ipsec.crypto_support=1"); //mwexec("/sbin/setkey -F"); //mwexec("/sbin/setkey -FP"); //echo " done.\n"; } } if(isset($config['ipsec']['preferredoldsa'])) { mwexec("/sbin/sysctl net.key.preferred_oldsa=0"); } else { mwexec("/sbin/sysctl -w net.key.preferred_oldsa=-30"); } $number_of_gifs = find_last_gif_device(); for($x=0; $x<$number_of_gifs; $x++) { mwexec("/sbin/ifconfig gif" . $x . " delete"); } $curwanip = get_current_wan_address(); if($config['installedpackages']['sasyncd']['config'] <> "") foreach($config['installedpackages']['sasyncd']['config'] as $sasyncd) { if($sasyncd['ip'] <> "") $curwanip = $sasyncd['ip']; } $syscfg = $config['system']; $ipseccfg = $config['ipsec']; $lancfg = $config['interfaces']['lan']; $lanip = $lancfg['ipaddr']; $lansa = gen_subnet($lancfg['ipaddr'], $lancfg['subnet']); $lansn = $lancfg['subnet']; if ($g['booting']) { if (!isset($ipseccfg['enable'])) return 0; echo "Configuring IPsec VPN... "; } else { /* kill racoon */ mwexec("/usr/bin/killall racoon"); /* wait for process to die */ sleep(2); /* send a SIGKILL to be sure */ sigkillbypid("{$g['varrun_path']}/racoon.pid", "KILL"); } /* flush SPD and SAD */ mwexec("/sbin/setkey -FP"); mwexec("/sbin/setkey -F"); if (isset($ipseccfg['enable'])) { /* fastforwarding is not compatible with ipsec tunnels */ system("/sbin/sysctl net.inet.ip.fastforwarding=0 >/dev/null 2>&1"); if (!$curwanip) { /* IP address not configured yet, exit */ if ($g['booting']) echo "done\n"; return 0; } if ((is_array($ipseccfg['tunnel']) && count($ipseccfg['tunnel'])) || isset($ipseccfg['mobileclients']['enable'])) { if (is_array($ipseccfg['tunnel']) && count($ipseccfg['tunnel'])) { /* generate spd.conf */ $fd = fopen("{$g['varetc_path']}/spd.conf", "w"); if (!$fd) { printf("Error: cannot open spd.conf in vpn_ipsec_configure().\n"); return 1; } $spdconf = ""; $spdconf .= "spdadd {$lansa}/{$lansn} {$lanip}/32 any -P in none;\n"; $spdconf .= "spdadd {$lanip}/32 {$lansa}/{$lansn} any -P out none;\n"; foreach ($ipseccfg['tunnel'] as $tunnel) { if (isset($tunnel['disabled'])) continue; $ep = vpn_endpoint_determine($tunnel, $curwanip); if (!$ep) continue; vpn_localnet_determine($tunnel['local-subnet'], $sa, $sn); if(is_domain($tunnel['remote-gateway'])) { $tmp = gethostbyname($tunnel['remote-gateway']); if($tmp) $tunnel['remote-gateway'] = $tmp; } /* add entry to host pinger */ if($tunnel['pinghost']) { $pfd = fopen("/var/db/ipsecpinghosts","a"); $srcip = find_interface_ip($config['interfaces']['lan']['if']); $dstip = $tunnel['pinghost']; fwrite($pfd, "$srcip|$dstip|3\n"); fclose($pfd); } if(isset($tunnel['creategif'])) { $number_of_gifs = find_last_gif_device(); $number_of_gifs++; $curwanip = get_current_wan_address(); if($config['installedpackages']['sasyncd']['config'] <> "") foreach($config['installedpackages']['sasyncd']['config'] as $sasyncd) { if($sasyncd['ip'] <> "") $curwanip = $sasyncd['ip']; } mwexec("/sbin/ifconfig gif" . $number_of_gifs . " tunnel" . $curwanip . " " . $tunnel['remote-gateway']); mwexec("/sbin/ifconfig gif" . $number_of_gifs . " {$lansa}/{$lansn} {$lanip}/32"); } $spdconf .= "spdadd {$sa}/{$sn} " . "{$tunnel['remote-subnet']} any -P out ipsec " . "{$tunnel['p2']['protocol']}/tunnel/{$ep}-" . "{$tunnel['remote-gateway']}/unique;\n"; $spdconf .= "spdadd {$tunnel['remote-subnet']} " . "{$sa}/{$sn} any -P in ipsec " . "{$tunnel['p2']['protocol']}/tunnel/{$tunnel['remote-gateway']}-" . "{$ep}/unique;\n"; } fwrite($fd, $spdconf); fclose($fd); /* load SPD */ mwexec("/sbin/setkey -c < {$g['varetc_path']}/spd.conf"); } /* generate racoon.conf */ $fd = fopen("{$g['varetc_path']}/racoon.conf", "w"); if (!$fd) { printf("Error: cannot open racoon.conf in vpn_ipsec_configure().\n"); return 1; } $racoonconf = ""; if($config['installedpackages']['sasyncd']['config'] <> "") foreach($config['installedpackages']['sasyncd']['config'] as $sasyncd) { if($sasyncd['ip'] <> "") $curwanip = $sasyncd['ip']; /* natt - turn on if <developer> exists */ if(isset($config['system']['developer']) <> "") { $lanip = $config['interfaces']['lan']['ipaddr']; if($lanip <> "") $natt = "isakmp_natt {$lanip}[4500];\n"; } $interface_ip = $sasyncd['ip']; $racoonconf .= <<<eod<br>listen { isakmp {$interface_ip} [500]; {$natt} } EOD; } $racoonconf .= "path pre_shared_key \"{$g['varetc_path']}/psk.txt\";\n\n"; $racoonconf .= "path certificate \"{$g['varetc_path']}\";\n\n"; /* generate CA certificates files */ $cacertnum = 0; if (is_array($ipseccfg['cacert']) && count($ipseccfg['cacert'])) foreach ($ipseccfg['cacert'] as $cacert) { ++$cacertnum; if (isset($cacert['cert'])) { $cert = base64_decode($cacert['cert']); $x509cert = openssl_x509_parse(openssl_x509_read($cert)); if(is_array($x509cert) && isset($x509cert['hash'])) { $fd1 = fopen("{$g['varetc_path']}/{$x509cert['hash']}.0", "w"); if (!$fd1) { printf("Error: cannot open {$x509cert['hash']}.0 in vpn.\n"); return 1; } chmod("{$g['varetc_path']}/{$x509cert['hash']}.0", 0600); fwrite($fd1, $cert); fclose($fd1); } } } $tunnelnumber = 0; if (is_array($ipseccfg['tunnel']) && count($ipseccfg['tunnel'])) foreach ($ipseccfg['tunnel'] as $tunnel) { ++$tunnelnumber; if (isset($tunnel['disabled'])) continue; $ep = vpn_endpoint_determine($tunnel, $curwanip); if (!$ep) continue; vpn_localnet_determine($tunnel['local-subnet'], $sa, $sn); if (isset($tunnel['p1']['myident']['myaddress'])) { $myidentt = "address"; $myident = $ep; } else if (isset($tunnel['p1']['myident']['address'])) { $myidentt = "address"; $myident = $tunnel['p1']['myident']['address']; } else if (isset($tunnel['p1']['myident']['fqdn'])) { $myidentt = "fqdn"; $myident = $tunnel['p1']['myident']['fqdn']; } else if (isset($tunnel['p1']['myident']['ufqdn'])) { $myidentt = "user_fqdn"; $myident = $tunnel['p1']['myident']['ufqdn']; } else if (isset($tunnel['p1']['myident']['dyn_dns'])) { $myidentt = "dyn_dns"; $myident = gethostbyname($tunnel['p1']['myident']['dyn_dns']); } if (isset($tunnel['p1']['authentication_method'])) { $authmethod = $tunnel['p1']['authentication_method']; } else {$authmethod = 'pre_shared_key';} $certline = ''; if ($authmethod == 'rsasig') { if ($tunnel['p1']['cert'] && $tunnel['p1']['private-key']) { $cert = base64_decode($tunnel['p1']['cert']); $private_key = base64_decode($tunnel['p1']['private-key']); } else { /* null certificate/key */ $cert = ''; $private_key = ''; } if ($tunnel['p1']['peercert']) $peercert = base64_decode($tunnel['p1']['peercert']); else $peercert = ''; $fd1 = fopen("{$g['varetc_path']}/server{$tunnelnumber}-signed.pem", "w"); if (!$fd1) { printf("Error: cannot open server{$tunnelnumber}-signed.pem in vpn.\n"); return 1; } chmod("{$g['varetc_path']}/server{$tunnelnumber}-signed.pem", 0600); fwrite($fd1, $cert); fclose($fd1); $fd1 = fopen("{$g['varetc_path']}/server{$tunnelnumber}-key.pem", "w"); if (!$fd1) { printf("Error: cannot open server{$tunnelnumber}-key.pem in vpn.\n"); return 1; } chmod("{$g['varetc_path']}/server{$tunnelnumber}-key.pem", 0600); fwrite($fd1, $private_key); fclose($fd1); $certline = "certificate_type x509 \"server{$tunnelnumber}-signed.pem\" \"server{$tunnelnumber}-key.pem\";"; if ($peercert!=''){ $fd1 = fopen("{$g['varetc_path']}/peer{$tunnelnumber}-signed.pem", "w"); if (!$fd1) { printf("Error: cannot open server{$tunnelnumber}-signed.pem in vpn.\n"); return 1; } chmod("{$g['varetc_path']}/peer{$tunnelnumber}-signed.pem", 0600); fwrite($fd1, $peercert); fclose($fd1); $certline .= << <eod<br>peers_certfile "peer{$tunnelnumber}-signed.pem"; EOD; } } $racoonconf .= <<<eod<br>remote {$tunnel['remote-gateway']} \{ exchange_mode {$tunnel['p1']['mode']}; my_identifier {$myidentt} "{$myident}"; {$certline} peers_identifier address {$tunnel['remote-gateway']}; initial_contact on; support_proxy on; proposal_check obey; proposal \{ encryption_algorithm {$tunnel['p1']['encryption-algorithm']}; hash_algorithm {$tunnel['p1']['hash-algorithm']}; authentication_method {$authmethod}; dh_group {$tunnel['p1']['dhgroup']}; EOD; if ($tunnel['p1']['lifetime']) $racoonconf .= " lifetime time {$tunnel['p1']['lifetime']} secs;\n"; $racoonconf .= " }\n"; if ($tunnel['p1']['lifetime']) $racoonconf .= " lifetime time {$tunnel['p1']['lifetime']} secs;\n"; $racoonconf .= "}\n\n"; $p2ealgos = join(",", $tunnel['p2']['encryption-algorithm-option']); $p2halgos = join(",", $tunnel['p2']['hash-algorithm-option']); $racoonconf .= <<<eod<br>sainfo address {$sa}/{$sn} any address {$tunnel['remote-subnet']} any \{ encryption_algorithm {$p2ealgos}; authentication_algorithm {$p2halgos}; compression_algorithm deflate; EOD; if ($tunnel['p2']['pfsgroup']) $racoonconf .= " pfs_group {$tunnel['p2']['pfsgroup']};\n"; if ($tunnel['p2']['lifetime']) $racoonconf .= " lifetime time {$tunnel['p2']['lifetime']} secs;\n"; $racoonconf .= "}\n\n"; } /* mobile clients? */ if (isset($ipseccfg['mobileclients']['enable'])) { $tunnel = $ipseccfg['mobileclients']; if (isset($tunnel['p1']['myident']['myaddress'])) { $myidentt = "address"; $myident = $curwanip; } else if (isset($tunnel['p1']['myident']['address'])) { $myidentt = "address"; $myident = $tunnel['p1']['myident']['address']; } else if (isset($tunnel['p1']['myident']['fqdn'])) { $myidentt = "fqdn"; $myident = $tunnel['p1']['myident']['fqdn']; } else if (isset($tunnel['p1']['myident']['ufqdn'])) { $myidentt = "user_fqdn"; $myident = $tunnel['p1']['myident']['ufqdn']; } if (isset($tunnel['p1']['authentication_method'])) { $authmethod = $tunnel['p1']['authentication_method']; } else {$authmethod = 'pre_shared_key';} $certline = ''; if ($authmethod == 'rsasig') { if ($tunnel['p1']['cert'] && $tunnel['p1']['private-key']) { $cert = base64_decode($tunnel['p1']['cert']); $private_key = base64_decode($tunnel['p1']['private-key']); } else { /* null certificate/key */ $cert = ''; $private_key = ''; } if ($tunnel['p1']['peercert']) $peercert = base64_decode($tunnel['p1']['peercert']); else $peercert = ''; $fd1 = fopen("{$g['varetc_path']}/server-mobile{$tunnelnumber}-signed.pem", "w"); if (!$fd1) { printf("Error: cannot open server-mobile{$tunnelnumber}-signed.pem in vpn.\n"); return 1; } chmod("{$g['varetc_path']}/server-mobile{$tunnelnumber}-signed.pem", 0600); fwrite($fd1, $cert); fclose($fd1); $fd1 = fopen("{$g['varetc_path']}/server-mobile{$tunnelnumber}-key.pem", "w"); if (!$fd1) { printf("Error: cannot open server-mobile{$tunnelnumber}-key.pem in vpn.\n"); return 1; } chmod("{$g['varetc_path']}/server-mobile{$tunnelnumber}-key.pem", 0600); fwrite($fd1, $private_key); fclose($fd1); $certline = "certificate_type x509 \"server-mobile{$tunnelnumber}-signed.pem\" \"server-mobile{$tunnelnumber}-key.pem\";"; } $racoonconf .= <<<eod<br>remote anonymous \{ exchange_mode {$tunnel['p1']['mode']}; my_identifier {$myidentt} "{$myident}"; {$certline} initial_contact on; passive on; generate_policy on; support_proxy on; proposal_check obey; proposal \{ encryption_algorithm {$tunnel['p1']['encryption-algorithm']}; hash_algorithm {$tunnel['p1']['hash-algorithm']}; authentication_method {$authmethod}; dh_group {$tunnel['p1']['dhgroup']}; EOD; if ($tunnel['p1']['lifetime']) $racoonconf .= " lifetime time {$tunnel['p1']['lifetime']} secs;\n"; $racoonconf .= " }\n"; if ($tunnel['p1']['lifetime']) $racoonconf .= " lifetime time {$tunnel['p1']['lifetime']} secs;\n"; $racoonconf .= "}\n\n"; $p2ealgos = join(",", $tunnel['p2']['encryption-algorithm-option']); $p2halgos = join(",", $tunnel['p2']['hash-algorithm-option']); $racoonconf .= <<<eod<br>sainfo anonymous \{ encryption_algorithm {$p2ealgos}; authentication_algorithm {$p2halgos}; compression_algorithm deflate; EOD; if ($tunnel['p2']['pfsgroup']) $racoonconf .= " pfs_group {$tunnel['p2']['pfsgroup']};\n"; if ($tunnel['p2']['lifetime']) $racoonconf .= " lifetime time {$tunnel['p2']['lifetime']} secs;\n"; $racoonconf .= "}\n\n"; } fwrite($fd, $racoonconf); fclose($fd); /* generate psk.txt */ $fd = fopen("{$g['varetc_path']}/psk.txt", "w"); if (!$fd) { printf("Error: cannot open psk.txt in vpn_ipsec_configure().\n"); return 1; } $pskconf = ""; if (is_array($ipseccfg['tunnel'])) { foreach ($ipseccfg['tunnel'] as $tunnel) { if (isset($tunnel['disabled'])) continue; $pskconf .= "{$tunnel['remote-gateway']} {$tunnel['p1']['pre-shared-key']}\n"; } } /* add PSKs for mobile clients */ if (is_array($ipseccfg['mobilekey'])) { foreach ($ipseccfg['mobilekey'] as $key) { $pskconf .= "{$key['ident']} {$key['pre-shared-key']}\n"; } } fwrite($fd, $pskconf); fclose($fd); chmod("{$g['varetc_path']}/psk.txt", 0600); /* start racoon */ mwexec("/usr/local/sbin/racoon -f {$g['varetc_path']}/racoon.conf"); } } vpn_ipsec_failover_configure(); if (!$g['booting']) { /* reload the filter */ touch("{$g["tmp_path"]}/filter_dirty"); } if ($g['booting']) echo "done\n"; return 0; } function vpn_pptpd_configure() { global $config, $g; $syscfg = $config['system']; $pptpdcfg = $config['pptpd']; if ($g['booting']) { if (!$pptpdcfg['mode'] || ($pptpdcfg['mode'] == "off")) return 0; echo "Configuring PPTP VPN service... "; } else { /* kill mpd */ killbypid("{$g['varrun_path']}/mpd-vpn.pid"); /* wait for process to die */ sleep(3); if(is_process_running("mpd -b")) { killbypid("{$g['varrun_path']}/mpd-vpn.pid"); log_error("Could not kill mpd within 3 seconds. Trying again."); } /* remove mpd.conf, if it exists */ unlink_if_exists("{$g['varetc_path']}/mpd-vpn/mpd.conf"); unlink_if_exists("{$g['varetc_path']}/mpd-vpn/mpd.links"); unlink_if_exists("{$g['varetc_path']}/mpd-vpn/mpd.secret"); } /* make sure mpd-vpn directory exists */ if (!file_exists("{$g['varetc_path']}/mpd-vpn")) mkdir("{$g['varetc_path']}/mpd-vpn"); switch ($pptpdcfg['mode']) { case 'server': /* write mpd.conf */ $fd = fopen("{$g['varetc_path']}/mpd-vpn/mpd.conf", "w"); if (!$fd) { printf("Error: cannot open mpd.conf in vpn_pptpd_configure().\n"); return 1; } $mpdconf = <<<eod<br>pptpd: EOD; for ($i = 0; $i < $g['n_pptp_units']; $i++) { $mpdconf .= " load pt{$i}\n"; } for ($i = 0; $i < $g['n_pptp_units']; $i++) { $clientip = long2ip(ip2long($pptpdcfg['remoteip']) + $i); $ngif = "ng" . ($i+1); if(isset($pptpdcfg['radius']['radiusissueips']) && isset($pptpdcfg['radius']['enable'])) { $isssue_ip_type = "set ipcp ranges {$pptpdcfg['localip']}/32 0.0.0.0/0"; $isssue_ip_type .="\n\tset ipcp yes radius-ip"; } else { $isssue_ip_type = "set ipcp ranges {$pptpdcfg['localip']}/32 {$clientip}/32"; } $mpdconf .= << <eod<br>pt{$i}: new -i {$ngif} pt{$i} pt{$i} {$isssue_ip_type} load pts EOD; } $mpdconf .= << <eod<br>pts: set iface disable on-demand set iface enable proxy-arp set iface enable tcpmssfix set iface idle 1800 set iface up-script /usr/local/sbin/vpn-linkup set iface down-script /usr/local/sbin/vpn-linkdown set bundle enable multilink set bundle enable crypt-reqd set link yes acfcomp protocomp set link no pap chap set link enable chap-msv2 set link mtu 1460 set link keep-alive 10 60 set ipcp yes vjcomp set bundle enable compression set ccp yes mppc set ccp yes mpp-e128 set ccp yes mpp-stateless EOD; if (!isset($pptpdcfg['req128'])) { $mpdconf .= << <eod<br>set ccp yes mpp-e40 set ccp yes mpp-e56 EOD; } if (is_array($pptpdcfg['dnsserver']) && ($pptpdcfg['dnsserver'][0])) { $mpdconf .= " set ipcp dns " . join(" ", $pptpdcfg['dnsserver']) . "\n"; } else if (isset($config['dnsmasq']['enable'])) { $mpdconf .= " set ipcp dns " . $config['interfaces']['lan']['ipaddr']; if ($syscfg['dnsserver'][0]) $mpdconf .= " " . $syscfg['dnsserver'][0]; $mpdconf .= "\n"; } else if (is_array($syscfg['dnsserver']) && ($syscfg['dnsserver'][0])) { $mpdconf .= " set ipcp dns " . join(" ", $syscfg['dnsserver']) . "\n"; } if (isset($pptpdcfg['radius']['enable'])) { $mpdconf .= << <eod<br>set radius server {$pptpdcfg['radius']['server']} "{$pptpdcfg['radius']['secret']}" set radius retries 3 set radius timeout 10 set bundle enable radius-auth set bundle disable radius-fallback EOD; if (isset($pptpdcfg['radius']['accounting'])) { $mpdconf .= << <eod<br>set bundle enable radius-acct EOD; } } fwrite($fd, $mpdconf); fclose($fd); /* write mpd.links */ $fd = fopen("{$g['varetc_path']}/mpd-vpn/mpd.links", "w"); if (!$fd) { printf("Error: cannot open mpd.links in vpn_pptpd_configure().\n"); return 1; } $mpdlinks = ""; for ($i = 0; $i < $g['n_pptp_units']; $i++) { $mpdlinks .= << <eod<br>pt{$i}: set link type pptp set pptp enable incoming set pptp disable originate set pptp disable windowing set pptp self 127.0.0.1 EOD; } fwrite($fd, $mpdlinks); fclose($fd); /* write mpd.secret */ $fd = fopen("{$g['varetc_path']}/mpd-vpn/mpd.secret", "w"); if (!$fd) { printf("Error: cannot open mpd.secret in vpn_pptpd_configure().\n"); return 1; } $mpdsecret = ""; if (is_array($pptpdcfg['user'])) { foreach ($pptpdcfg['user'] as $user) $mpdsecret .= "{$user['name']} \"{$user['password']}\" {$user['ip']}\n"; } fwrite($fd, $mpdsecret); fclose($fd); chmod("{$g['varetc_path']}/mpd-vpn/mpd.secret", 0600); /* fire up mpd */ mwexec("/usr/local/sbin/mpd -b -d {$g['varetc_path']}/mpd-vpn -p {$g['varrun_path']}/mpd-vpn.pid pptpd"); break; case 'redir': break; } if (!$g['booting']) { /* reload the filter */ filter_configure(); } if ($g['booting']) echo "done\n"; return 0; } function vpn_localnet_determine($adr, &$sa, &$sn) { global $config, $g; if (isset($adr)) { if ($adr['network']) { switch ($adr['network']) { case 'lan': $sn = $config['interfaces']['lan']['subnet']; $sa = gen_subnet($config['interfaces']['lan']['ipaddr'], $sn); break; } } else if ($adr['address']) { list($sa,$sn) = explode("/", $adr['address']); if (is_null($sn)) $sn = 32; } } else { $sn = $config['interfaces']['lan']['subnet']; $sa = gen_subnet($config['interfaces']['lan']['ipaddr'], $sn); } } function vpn_endpoint_determine($tunnel, $curwanip) { global $g, $config; if ((!$tunnel['interface']) || ($tunnel['interface'] == "wan")) { if ($curwanip) return $curwanip; else return null; } else if ($tunnel['interface'] == "lan") { return $config['interfaces']['lan']['ipaddr']; } else { $oc = $config['interfaces'][$tunnel['interface']]; if (isset($oc['enable']) && $oc['if']) { return $oc['ipaddr']; } } return null; } function vpn_pppoe_configure() { global $config, $g; $syscfg = $config['system']; $pppoecfg = $config['pppoe']; /* create directory if it does not exist */ if(!is_dir("{$g['varetc_path']}/mpd-vpn")) mkdir("{$g['varetc_path']}/mpd-vpn"); if ($g['booting']) { if (!$pppoecfg['mode'] || ($pppoecfg['mode'] == "off")) return 0; echo "Configuring PPPoE VPN service... "; } /* make sure mpd-vpn directory exists */ if (!file_exists("{$g['varetc_path']}/mpd-vpn")) mkdir("{$g['varetc_path']}/mpd-vpn"); switch ($pppoecfg['mode']) { case 'server': $pppoe_interface = filter_translate_type_to_real_interface($pppoecfg['interface']); /* write mpd.conf */ $fd = fopen("{$g['varetc_path']}/mpd-vpn/mpd.conf", "a"); if (!$fd) { printf("Error: cannot open mpd.conf in vpn_pppoe_configure().\n"); return 1; } $mpdconf = "\n\n"; $mpdconf .= <<<eod<br>pppoe: EOD; for ($i = 0; $i < $pppoecfg['n_pppoe_units']; $i++) { $mpdconf .= " load pppoe{$i}\n"; } for ($i = 0; $i < $pppoecfg['n_pppoe_units']; $i++) { $clientip = long2ip(ip2long($pppoecfg['remoteip']) + $i); $ngif = "ng" . ($i+1); if(isset($pppoecfg['radius']['radiusissueips']) && isset($pppoecfg['radius']['enable'])) { $isssue_ip_type = "set ipcp ranges {$pppoecfg['localip']}/32 0.0.0.0/0"; $isssue_ip_type .="\n\tset ipcp yes radius-ip"; } else { $isssue_ip_type = "set ipcp ranges {$pppoecfg['localip']}/32 {$clientip}/32"; } $mpdconf .= << <eod<br>pppoe{$i}: new -i {$ngif} pppoe{$i} pppoe{$i} {$isssue_ip_type} load pppoe_standart EOD; } $mpdconf .= << <eod<br>pppoe_standart: set link type pppoe set pppoe iface {$pppoe_interface} set pppoe service "*" set pppoe disable originate set pppoe enable incoming set bundle no multilink set bundle enable compression set bundle max-logins 1 set iface idle 0 set iface disable on-demand set iface disable proxy-arp set iface enable tcpmssfix set iface mtu 1500 set link no pap chap set link enable chap set link keep-alive 60 180 set ipcp yes vjcomp set ipcp no vjcomp set link max-redial -1 set link mtu 1492 set link mru 1492 set ccp yes mpp-e40 set ccp yes mpp-e128 set ccp yes mpp-stateless set link latency 1 #set ipcp dns 10.10.1.3 #set bundle accept encryption EOD; if (isset($config['dnsmasq']['enable'])) { $mpdconf .= " set ipcp dns " . $config['interfaces']['lan']['ipaddr']; if ($syscfg['dnsserver'][0]) $mpdconf .= " " . $syscfg['dnsserver'][0]; $mpdconf .= "\n"; } else if (is_array($syscfg['dnsserver']) && ($syscfg['dnsserver'][0])) { $mpdconf .= " set ipcp dns " . join(" ", $syscfg['dnsserver']) . "\n"; } if (isset($pppoecfg['radius']['enable'])) { $mpdconf .= << <eod<br>set radius server {$pppoecfg['radius']['server']} "{$pppoecfg['radius']['secret']}" set radius retries 3 set radius timeout 10 set bundle enable radius-auth set bundle disable radius-fallback EOD; if (isset($pppoecfg['radius']['accounting'])) { $mpdconf .= << <eod<br>set bundle enable radius-acct EOD; } } fwrite($fd, $mpdconf); fclose($fd); /* write mpd.links */ $fd = fopen("{$g['varetc_path']}/mpd-vpn/mpd.links", "a"); if (!$fd) { printf("Error: cannot open mpd.links in vpn_pppoe_configure().\n"); return 1; } $mpdlinks = ""; for ($i = 0; $i < $pppoecfg['n_pppoe_units']; $i++) { $mpdlinks .= << <eod<br>pppoe: set link type pppoe set pppoe iface {$pppoe_interface} EOD; } fwrite($fd, $mpdlinks); fclose($fd); /* write mpd.secret */ $fd = fopen("{$g['varetc_path']}/mpd-vpn/mpd.secret", "a"); if (!$fd) { printf("Error: cannot open mpd.secret in vpn_pppoe_configure().\n"); return 1; } $mpdsecret = "\n\n"; if (is_array($pppoecfg['user'])) { foreach ($pppoecfg['user'] as $user) $mpdsecret .= "{$user['name']} \"{$user['password']}\" {$user['ip']}\n"; } fwrite($fd, $mpdsecret); fclose($fd); chmod("{$g['varetc_path']}/mpd-vpn/mpd.secret", 0600); /* fire up mpd */ mwexec("/usr/local/sbin/mpd -b -d {$g['varetc_path']}/mpd-vpn -p {$g['varrun_path']}/mpd-vpn.pid pppoe"); break; case 'redir': break; } touch("{$g["tmp_path"]}/filter_dirty"); if ($g['booting']) echo "done\n"; return 0; } ?></eod<br></eod<br></eod<br></eod<br></eod<br></eod<br></eod<br></eod<br></eod<br></eod<br></eod<br></eod<br></eod<br></eod<br></eod<br></eod<br></eod<br></eod<br></eod<br></developer></mk@neon1.net>It would be better that this modification be reflected on embedded version as well. The embedded user can use this fuction with other radius server even if they cannot use pfsense's freeradius package.
-
Here is vpn_pptp.php
/* vpn_pptp.php part of m0n0wall (http://m0n0.ch/wall) Copyright (C) 2003-2005 Manuel Kasper <mk@neon1.net>. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1\. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2\. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ require("guiconfig.inc"); if (!is_array($config['pptpd']['radius'])) { $config['pptpd']['radius'] = array(); } $pptpcfg = &$config['pptpd']; $pconfig['remoteip'] = $pptpcfg['remoteip']; $pconfig['localip'] = $pptpcfg['localip']; $pconfig['redir'] = $pptpcfg['redir']; $pconfig['mode'] = $pptpcfg['mode']; $pconfig['wins'] = $pptpcfg['wins']; $pconfig['req128'] = isset($pptpcfg['req128']); $pconfig['radiusenable'] = isset($pptpcfg['radius']['enable']); $pconfig['radacct_enable'] = isset($pptpcfg['radius']['accounting']); $pconfig['radiusserver'] = $pptpcfg['radius']['server']; $pconfig['radiussecret'] = $pptpcfg['radius']['secret']; $pconfig['radiusissueips'] = isset($pptpcfg['radius']['radiusissueips']); if ($_POST) { unset($input_errors); $pconfig = $_POST; /* input validation */ if ($_POST['mode'] == "server") { $reqdfields = explode(" ", "localip remoteip"); $reqdfieldsn = explode(",", "Server address,Remote start address"); if ($_POST['radiusenable']) { $reqdfields = array_merge($reqdfields, explode(" ", "radiusserver radiussecret")); $reqdfieldsn = array_merge($reqdfieldsn, explode(",", "RADIUS server address,RADIUS shared secret")); } do_input_validation($_POST, $reqdfields, $reqdfieldsn, &$input_errors); if (($_POST['localip'] && !is_ipaddr($_POST['localip']))) { $input_errors[] = "A valid server address must be specified."; } if (($_POST['subnet'] && !is_ipaddr($_POST['remoteip']))) { $input_errors[] = "A valid remote start address must be specified."; } if (($_POST['radiusserver'] && !is_ipaddr($_POST['radiusserver']))) { $input_errors[] = "A valid RADIUS server address must be specified."; } if (!$input_errors) { $_POST['remoteip'] = $pconfig['remoteip'] = gen_subnet($_POST['remoteip'], $g['pptp_subnet']); $subnet_start = ip2long($_POST['remoteip']); $subnet_end = ip2long($_POST['remoteip']) + $g['n_pptp_units'] - 1; if ((ip2long($_POST['localip']) >= $subnet_start) && (ip2long($_POST['localip']) <= $subnet_end)) { $input_errors[] = "The specified server address lies in the remote subnet."; } if ($_POST['localip'] == $config['interfaces']['lan']['ipaddr']) { $input_errors[] = "The specified server address is equal to the LAN interface address."; } } } else if ($_POST['mode'] == "redir") { $reqdfields = explode(" ", "redir"); $reqdfieldsn = explode(",", "PPTP redirection target address"); do_input_validation($_POST, $reqdfields, $reqdfieldsn, &$input_errors); if (($_POST['redir'] && !is_ipaddr($_POST['redir']))) { $input_errors[] = "A valid target address must be specified."; } } else { /* turning pptp off, lets dump any custom rules */ $rules = &$config['filter']['rule']; for($x=0; $x <count($rules); $x++)="" {<br="">if($rules[$x]['interface'] == "pptp") { unset($rules[$x]); } } unset($config['pptpd']['mode']); write_config(); } if (!$input_errors) { $pptpcfg['remoteip'] = $_POST['remoteip']; $pptpcfg['redir'] = $_POST['redir']; $pptpcfg['localip'] = $_POST['localip']; $pptpcfg['mode'] = $_POST['mode']; $pptpcfg['wins'] = $_POST['wins']; $pptpcfg['radius']['server'] = $_POST['radiusserver']; $pptpcfg['radius']['secret'] = $_POST['radiussecret']; if($_POST['req128'] == "yes") $pptpcfg['req128'] = true; else unset($pptpcfg['req128']); if($_POST['radiusenable'] == "yes") $pptpcfg['radius']['enable'] = true; else unset($pptpcfg['radius']['enable']); if($_POST['radacct_enable'] == "yes") $pptpcfg['radius']['accounting'] = true; else unset($pptpcfg['radius']['accounting']); if($_POST['radiusissueips'] == "yes") { $pptpcfg['radius']['radiusissueips'] = true; } else unset($pptpcfg['radius']['radiusissueips']); write_config(); $retval = 0; config_lock(); $retval = vpn_setup(); config_unlock(); $savemsg = get_std_save_message($retval); filter_configure(); } } $pgtitle = "VPN PPTP"; include("head.inc"); ?> <form action="vpn_pptp.php" method="post" name="iform" id="iform"> | $tab_array = array(); $tab_array[0] = array("Configuration", true, "vpn_pptp.php"); $tab_array[1] = array("Users", false, "vpn_pptp_users.php"); display_top_tabs($tab_array); ?> | | > Off | | > Redirect incoming PPTP connections to: | PPTP redirection | Enter the IP address of a host which will accept incoming PPTP connections. | | > Enable PPTP server | Max. concurrent connections | | Server address | Enter the IP address the PPTP server should use on its side for all clients. | Remote address range | / Specify the starting address for the client IP address subnet. The PPTP server will assign addresses, starting at the address entered above, to clients. | RADIUS | > **Use a RADIUS server for authentication** When set, all users will be authenticated using the RADIUS server specified below. The local user database will not be used. > **Enable RADIUS accounting** Sends accounting packets to the RADIUS server. | RADIUS server | Enter the IP address of the RADIUS server. | RADIUS shared secret | Enter the shared secret that will be used to authenticate to the RADIUS server. | RADIUS issued IP's | > Issue IP Addresses via RADIUS server. | WINS Server | | | | > **Require 128-bit encryption** When set, 128-bit encryption will be accepted. Otherwise, 40-bit and 56-bit encryption will be accepted, too. Note that encryption will always be forced on PPTP connections (i.e. unencrypted connections will not be accepted). | | | | **Note:** don't forget to [add a firewall rule](firewall_rules.php?if=pptp) to permit traffic from PPTP clients! | | </form>   [/i][/i]</count($rules);></mk@neon1.net> -
:D WOW its looking good guys! ;)
-
Nice, but we need the files as diffs against the latest revisions of the files you changed to merge them into the pfSense code. Can you attach diffs?
-
here are my diff's for freeradius.xml and freeradius.inc
on the weekend i will add counter atrr. to freeradius.xml and freeradius.inc
the counters are already eneabled in radiusd.conf -
I have a problem. I don't know how to make the diffs file.
Pls adv me how to make the diffs file so that I can make diffs for vpn_pptp.php and vpn.inc.
-
http://forum.pfsense.org/index.php/topic,2972.0.html
-
Here are the diffs for vpn.inc and vpn_pptp.php.
I used vpn.inc version 1.12 and vpn_pptp.php version 1.38. -
Dear Jeroen,
Could you add the description column for freeradius users? I think it is needed for users contact number, email address or his real name.
Thank you.
-
oke than i will add it in frond of the username
there are comming 4 more colom's in the weekend
and suport for 3 more in the future ( upload en download speed settings and wisp redirect url) -
Hi All,
I haven;t checked the forums for a while since I posted this initial thread.
However, I am pleasantly surpised that some work has been done on the freeradius package :)
Just wanted to ask whether the new freeradius package is now available. I checked the package version and the latest one was 1.1.2 - so I installed this. However, I did not get any changes to the interface to allow config of the IP address in the account configuration.
Is the 1.1.2 version meant to include this feature - or is this feature still needs to be patched in and released?
Thanks for all your hard work.
Regards,
Mon
-
Have the radius extensions made it into CVS yet?
-
the last time i looked they were not yett in
-
Any updates on when these new features will be available?
-
Now I'm using it and it works great. PPTP users are now given the ip address from freeradius.
I tried 1.0.1-SNAPSHOT-01-13-2007 today but I found that this feature does not added on this snapshot.
Is there some problem to add this function into future pfsense version???
-
Not sure what you mean? Can you send a patch?
-
Jeroen and I already attached the diffs files for this functions on this thread. Pls read previous posts.@sbyoon:
Here are the diffs for vpn.inc and vpn_pptp.php.
I used vpn.inc version 1.12 and vpn_pptp.php version 1.38. -
That is not the proper sequence for sending patches. Please read:
http://wiki.pfsense.com/wikka.php?wakka=SubmittingPatches
-
Sorry, if the sequece was wrong. I checked the link but it does not meantion how to make patch. Could adv me how to make the patch?
-
from the console.
pkg_add -r diffutils
rehash
gdiff -urN <original file=""><new file="">And to put it into a filegdiff -urN <original file=""><new file="">> patch.txt
Then you can download or fetch the file from the diagnostics menu.</new></original></new></original>
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.