Netgate Discussion Forum
    RADIUS + iroute (Client Specific Overrides)

    getabc:

      Is it possible to set an iroute attribute for a client using RADIUS?

      getabc:

        I tried the following RADIUS attribute for the VPN user, but did not seem to work … any ideas?

        cisco-avpair += "ip:route=10.20.11.0 255.255.255.0",|

        I believe V2.1 supports Cisco-AVPair for OpenVPN settings.

        Andrew

        getabc:

          Hello World!

          Ok, got it working with a few lines of code - can someone verify it will not break things?
          We need to look for Framed-Route attribute.

          /etc/inc/radius.inc

          under

              case RADIUS_FRAMED_ROUTING:
                  $this->attributes['framed_routing'] = radius_cvt_int($data);
                  break;

          add

              case RADIUS_FRAMED_ROUTE:
                  /* Framed-Route (RFC 2865 attribute 22) is text: "network/len [gateway [metric ...]]" */
                  $this->attributes['framed_route'] = radius_cvt_string($data);
                  break;

          If the system receives the Framed-Route attribute, we can generate a CCD file based on the code below.

          /etc/inc/openvpn.auth-user.php

          under

              syslog(LOG_NOTICE, "user '{$username}' authenticated\n");

          add

              if (isset($attributes['framed_route'])) {
                  /* one client-specific override file per user: <varetc>/openvpn-csc/<username> */
                  file_put_contents("{$g['varetc_path']}/openvpn-csc/{$username}", "iroute {$attributes['framed_route']}\n");
                  syslog(LOG_NOTICE, "'{$username}' iroute '{$attributes['framed_route']}' created\n");
              }
          
          getabc:

            I made some additional code changes to check the Framed-Route format to ensure it complies with the RFC.

            /etc/inc/openvpn.auth-user.php

                /**
                 *  Convert Framed-Route format to iroute for the CCD file.
                 *  RFC 2865 Framed-Route is "network/len [gateway [metric ...]]";
                 *  only "network/len" is used here. Returns "network netmask",
                 *  or nothing when the value is not a valid IPv4 network prefix.
                 */
                function FramedRoute($cidr) {
                    $slash = strpos($cidr, '/');
                    if ($slash === false) {
                        return;                                   // prefix length is required
                    }
                    $baseip = substr($cidr, 0, $slash);
                    $len    = strtok(substr($cidr, $slash + 1), ' ');   // drop any gateway/metric
                    if (ip2long($baseip) === false || $len === false || !ctype_digit($len) || (int) $len > 32) {
                        return;                                   // not "a.b.c.d/0-32"
                    }
                    $prefix = (int) $len;

                    /* every address bit after the prefix must be 0, otherwise this is a host, not a network */
                    $bits = '';
                    foreach (explode('.', $baseip) as $octet) {
                        $bits .= str_pad(decbin((int) $octet), 8, '0', STR_PAD_LEFT);
                    }
                    if (strpos(substr($bits, $prefix), '1') !== false) {
                        return;
                    }

                    /* build the dotted netmask octet by octet (portable on 32-bit PHP too) */
                    $netmask = str_split(str_pad(str_repeat('1', $prefix), 32, '0'), 8);
                    foreach ($netmask as &$element) $element = bindec($element);
                    return $baseip . ' ' . join('.', $netmask);
                }

                if (isset($attributes['framed_route'])) {
                    $iroute = FramedRoute($attributes['framed_route']);
                    if (!empty($iroute)) {
                        file_put_contents("{$g['varetc_path']}/openvpn-csc/{$username}", "iroute {$iroute}\n");
                        syslog(LOG_NOTICE, "user '{$username}' iroute '{$iroute}' created\n");
                    }
                }

            I'm creating a static openvpn-csc file that could cause issues in the future.

            Should I be looking at,

            • deleting the created openvpn-csc on client disconnect

            • using the openvpn_resync_csc function

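Added example, not code from the thread and not pfSense code: the same Framed-Route to iroute conversion that the third and fourth posts implement, written in Python rather than the thread's PHP so it runs stand-alone. It uses the standard library's ipaddress module for the host-bits check the PHP version attempts with a shift, tolerates the gateway and metric fields RFC 2865 allows after "network/len", and adds two checks a practitioner would want before writing into openvpn-csc: the RADIUS username is validated before it becomes a file name (so a value containing "/" or ".." cannot escape the CCD directory), and a stale CCD file from an earlier login is removed when the new reply carries no usable route. The usernames, attribute values and temporary CCD directory are constructed for the demonstration; the requirement for an explicit "/len" is this example's choice (matching the PHP in the thread), not something RFC 2865 mandates.

```python
"""Turn RADIUS Framed-Route reply attributes into OpenVPN CCD 'iroute' lines.

Added example for the thread above, not pfSense code. Framed-Route (RFC 2865,
attribute 22) is text of the form "network/len [gateway [metric ...]]"; an
OpenVPN client-specific override only needs "iroute <network> <netmask>".
"""
from __future__ import annotations

import ipaddress
import os
import re
import tempfile

# Characters allowed in a username that is about to become a file name under
# the CCD directory; anything else (including '/' and '..') is refused.
_USERNAME_RE = re.compile(r"[A-Za-z0-9._@-]+")


def framed_route_to_iroute(value: str) -> str:
    """Return 'iroute <network> <netmask>' for one Framed-Route value.

    Raises ValueError when the value is unusable: no '/len' (this example
    requires an explicit prefix length, as the thread's PHP does), a length
    outside 0..32, or host bits set (10.20.11.5/24 is not a network address).
    """
    fields = value.strip().split()
    if not fields or "/" not in fields[0]:
        raise ValueError(f"Framed-Route without prefix length: {value!r}")
    try:
        # strict=True is the host-bits check; gateway/metric fields are ignored
        net = ipaddress.IPv4Network(fields[0], strict=True)
    except ValueError as exc:  # AddressValueError / NetmaskValueError are subclasses
        raise ValueError(f"bad Framed-Route {value!r}: {exc}") from exc
    return f"iroute {net.network_address} {net.netmask}"


def build_ccd(framed_routes: list[str]) -> tuple[str, list[str]]:
    """Return (CCD file text, rejected values). A bad route is dropped rather
    than failing the login, matching the empty-check in the thread's snippet."""
    lines, rejected = [], []
    for value in framed_routes:
        try:
            lines.append(framed_route_to_iroute(value))
        except ValueError:
            rejected.append(value)
    return "".join(f"{line}\n" for line in lines), rejected


def write_ccd(ccd_dir: str, username: str, framed_routes: list[str]) -> tuple[str, list[str]]:
    """Write <ccd_dir>/<username> from the user's Framed-Route attributes.

    The username comes from the client, so it is validated before being used
    as a path component. A stale file from an earlier login is removed when
    the current reply carries no valid route, so an old iroute cannot linger.
    Returns (path, rejected values).
    """
    if not _USERNAME_RE.fullmatch(username):
        raise ValueError(f"refusing to use {username!r} as a CCD file name")
    text, rejected = build_ccd(framed_routes)
    path = os.path.join(ccd_dir, username)
    if text:
        with open(path, "w", encoding="ascii") as fh:
            fh.write(text)
    elif os.path.exists(path):
        os.remove(path)
    return path, rejected


def demo() -> dict:
    """Run the conversion over constructed RADIUS replies (not captured data)
    and return what each CCD file ends up containing."""
    replies = {
        "andrew": ["10.20.11.0/24"],
        # a valid route with gateway and metric, then host bits set, then /33
        "branch-b": ["192.168.1.0/24 192.168.1.1 1", "10.20.12.5/24", "10.20.13.0/33"],
        "site@example.com": ["172.16.0.0/12"],
    }
    results = {}
    with tempfile.TemporaryDirectory() as ccd_dir:
        for user, routes in replies.items():
            path, rejected = write_ccd(ccd_dir, user, routes)
            with open(path, encoding="ascii") as fh:
                results[user] = (fh.read(), rejected)
        try:
            write_ccd(ccd_dir, "../evil", ["10.0.0.0/8"])
        except ValueError as exc:
            results["../evil"] = str(exc)
    return results


if __name__ == "__main__":
    for user, outcome in demo().items():
        print(user, "->", outcome)
```

Running the script prints one line per constructed user: "andrew" gets a single iroute, "branch-b" keeps only the first of its three routes (the other two are rejected for host bits and an out-of-range prefix), and the "../evil" login is refused before anything touches the file system.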
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.