FreeRADIUS + OpenVPN + pfSense for multiple locations/instances
-
Hi everyone,
I've been following the guides to get OpenVPN working with FreeRADIUS under pfSense, and that's no problem thanks to the detailed documentation available. What I am wondering, though, is if you had 4 instances of pfSense running OpenVPN servers and all instances had to be accessible to the same list of users with the same credentials, is there an easy way to have the four instances of FreeRADIUS sync up by having a "master" FreeRADIUS server or something like that? I should add that the four instances are not on the same LAN but are on ESXi machines in four different locations, so they can't all sync to the same local FreeRADIUS server. The ideal scenario would be a nice web GUI to manage users on a "master" server that would then distribute the updated info out to the other 4 FreeRADIUS servers.
My company has a server for the west coast US, the east coast US and two in Europe to reduce the latency when employees travel, and keeping them all in sync could be a huge headache!
Thanks!
Colin
-
I've solved this by having pfSense query external RADIUS servers that get their data out of LDAP, which is replicated to multiple sites.
You will find some tips online, but I had to piece a lot together; it's not turnkey. The trickiest part is getting FreeRADIUS and LDAP dynamic clients hooked up to get all of their data from LDAP. I don't have time to document the whole thing, but here is what I think is the least documented part. How I did dynamic clients:
dynamic client:
    # clients.conf: one catch-all client entry; the real client definitions
    # are built per source IP by the dynamic_client_server virtual server
    client dynamic {
        # Include all IPs in the dynamic clients range
        ipaddr = 0.0.0.0
        netmask = 0
        dynamic_clients = dynamic_client_server
        lifetime = 86400
    }

    # Virtual server that looks the NAS up in LDAP by its source address
    server dynamic_client_server {
        authorize {
            # Only define a client if a machine entry exists for this IP
            if ("%{ldap:ldap:///ou=Machines,dc=mycompany,dc=com?ou?one?ipHostNumber=%{Packet-Src-IP-Address}}") {
                update control {
                    FreeRADIUS-Client-IP-Address = "%{Packet-Src-IP-Address}"
                    FreeRADIUS-Client-Shortname = "%{ldap:ldap:///ou=Machines,dc=mycompany,dc=com?cn?sub?ipHostNumber=%{Packet-Src-IP-Address}}"
                    FreeRADIUS-Client-NAS-Type = "%{ldap:ldap:///ou=Machines,dc=mycompany,dc=com?radiusHuntgroupName?sub?ipHostNumber=%{Packet-Src-IP-Address}}"
                    # The shared secret is read from the entry's ou attribute
                    FreeRADIUS-Client-Secret = "%{ldap:ldap:///ou=Machines,dc=mycompany,dc=com?ou?sub?ipHostNumber=%{Packet-Src-IP-Address}}"
                }
            }
            ok
        }
    }
And then a Machine ldif looks like:
    dn: uid=firewall.mycompany.com$,ou=Machines,dc=mycompany,dc=com
    objectClass: account
    objectClass: posixAccount
    objectClass: ipHost
    objectClass: radiusprofile
    cn: firewall.mycompany.com$
    gidNumber: 10000
    homeDirectory: /dev/null
    ipHostNumber: 10.0.0.333
    uid: firewall.mycompany.com$
    uidNumber: 20000
    description: Machine account
    gecos: firewall.mycompany.com$
    loginShell: /bin/false
    ou: xxxxxxxxxxxxxxx
    radiusHuntgroupName: vpn
I misuse the ou field to hold the dynamic client radius secret. I couldn't find an appropriate field in the radiusprofile object class for storing the secret.
Sorry I don't have time to document the whole procedure. I've already spent more time on this reply than I had budgeted for!
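An added offline check of the mapping described above (example code written for this thread, not Jeff's setup and not part of FreeRADIUS): it parses a constructed LDIF of machine accounts laid out like the entry above, indexes them by ipHostNumber the way the ipHostNumber=%{Packet-Src-IP-Address} filter does, and resolves a NAS source address to the FreeRADIUS-Client-* attributes the unlang block sets, rejecting a NAS with no entry, duplicate or malformed ipHostNumber values, and an entry with no secret in ou. Host names, addresses and secrets in the sample are made up.

```python
import ipaddress

# Constructed sample in the layout of the machine entry above (not real data);
# the second entry deliberately has no ou attribute, i.e. no RADIUS secret.
SAMPLE_LDIF = """\
dn: uid=fw-west.mycompany.com$,ou=Machines,dc=mycompany,dc=com
cn: fw-west.mycompany.com$
ipHostNumber: 10.0.0.10
ou: constructed-secret-west
radiusHuntgroupName: vpn

dn: uid=fw-east.mycompany.com$,ou=Machines,dc=mycompany,dc=com
cn: fw-east.mycompany.com$
ipHostNumber: 10.0.0.11
radiusHuntgroupName: vpn
"""

def parse_ldif(text):
    """Minimal LDIF parser (no continuation lines, no base64): attr -> [values]."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            attr, _, val = line.partition(": ")
            entry.setdefault(attr, []).append(val)
        entries.append(entry)
    return entries

def index_by_ip(entries):
    """Index by ipHostNumber as the LDAP filter does; bad or shared IPs are config errors."""
    by_ip = {}
    for entry in entries:
        for ip in entry.get("ipHostNumber", []):
            ipaddress.ip_address(ip)  # raises ValueError on a malformed address
            if ip in by_ip:
                raise ValueError(f"duplicate ipHostNumber {ip}")
            by_ip[ip] = entry
    return by_ip

def resolve_client(by_ip, src_ip):
    """Attributes the 'update control' block sets; None = no entry, so no client is defined."""
    entry = by_ip.get(src_ip)
    if entry is None:
        return None
    secret = entry.get("ou", [""])[0]
    if not secret:
        raise ValueError(f"{src_ip}: no RADIUS secret in the ou attribute")
    return {"FreeRADIUS-Client-IP-Address": src_ip,
            "FreeRADIUS-Client-Shortname": entry["cn"][0],
            "FreeRADIUS-Client-NAS-Type": entry["radiusHuntgroupName"][0],
            "FreeRADIUS-Client-Secret": secret}
```

Run it against an ldapsearch export of ou=Machines before rolling a new firewall into the dynamic client range; a NAS that resolves to None here is one whose packets FreeRADIUS will silently drop.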
-
That's exactly the help I needed, thanks so much Jeff!!!