Netgate Discussion Forum

Can OpenVPN send "Calling-Station-ID" attribute to RADIUS as client IP?

    bitscrubber
    last edited by Mar 15, 2025, 6:22 PM

    Hi All! I'm on pfSense 2.7.2-RELEASE.

    So it looks like the OpenVPN server on pfSense sends "Calling-Station-ID" as the pfSense Interface IP, or at least the "RADIUS NAS IP Attribute" maybe? But I need Calling-Station-ID to be set as the end user client IP in order for Duo to properly filter connections. I see this code snippet in "/etc/inc/openvpn.auth-user.php":

    $attributes = array("nas_identifier" => "openVPN",
    "nas_port_type" => RADIUS_VIRTUAL,
    "nas_port" => $_GET['nas_port'],
    "calling_station_id" => get_interface_ip() . ":" . $_GET['nas_port']);

    I think I need "calling_station_ip" to instead be set to something like "get_client_ip()" (that's just a wild guess) or something, but I don't really know... I saw this post which kind of talks about what I want:

    https://redmine.pfsense.org/issues/8087

    Does anyone know if there is a way to somehow pass "calling_station_id" as the user's real internet IP? Or is there some other attribute passed that contains that information? I can tell my radius server to capture any relevant attribute and translate it to calling_station_id, if it's another one that it uses...?

    Thanks for any insight!

      bitscrubber
      last edited by Mar 16, 2025, 6:13 PM

      I see the remote user connection IP is recorded somewhere, I see it when I click on "Status" -> "OpenVPN", where it shows the table of connected users, and it shows their remote IP there.

      I see this in "/usr/local/www/status_openvpn.php":

      <td><?=$conn['remote_host'];?></td>
      

      Looks like that line builds the table data for the remote user's IP address (and port) and displays it in the OpenVPN status table. Is there a way to get that same data (remote user's IP) into "/etc/inc/openvpn.auth-user.php"? My familiarity with the code isn't so great so I'm having a hard time tracing back how this data is discovered, but it seems like there can be a way....?

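One way to confirm what an Access-Request actually carries in Calling-Station-Id, as an added example (not code from the posts above or from pfSense): it parses the RADIUS attributes per RFC 2865 and flags a Calling-Station-Id whose host part is just the NAS-IP-Address. The sample packet, the documentation-range addresses and all function names are constructed for illustration, and the value is assumed to have the "ip:port" form shown in the quoted snippet.

```python
import ipaddress
import struct

# RADIUS attribute type numbers (RFC 2865)
NAS_IP_ADDRESS, NAS_PORT, CALLING_STATION_ID = 4, 5, 31
NAS_IDENTIFIER, NAS_PORT_TYPE = 32, 61


def parse_attributes(packet: bytes) -> dict:
    """Return {type: [raw values]} from a RADIUS packet, validating lengths."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if not 20 <= length <= len(packet):
        raise ValueError("bad packet length field")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("bad attribute length")
        attrs.setdefault(a_type, []).append(packet[pos + 2:pos + a_len])
        pos += a_len
    return attrs


def calling_station_report(packet: bytes) -> dict:
    """Compare the host part of Calling-Station-Id with NAS-IP-Address."""
    attrs = parse_attributes(packet)
    csid = attrs.get(CALLING_STATION_ID, [b""])[0].decode("ascii", "replace")
    host = csid.rsplit(":", 1)[0]  # assumed "ip:port", as in the quoted snippet
    nas_ip = None
    if NAS_IP_ADDRESS in attrs and len(attrs[NAS_IP_ADDRESS][0]) == 4:
        nas_ip = str(ipaddress.IPv4Address(attrs[NAS_IP_ADDRESS][0]))
    return {"calling_station_id": csid, "nas_ip": nas_ip,
            "is_nas_address": nas_ip is not None and host == nas_ip}


def build_sample(nas_ip: str, calling_station_id: str, nas_port: int) -> bytes:
    """Constructed Access-Request (code 1) with the attributes named in the post."""
    def attr(a_type: int, value: bytes) -> bytes:
        return bytes([a_type, len(value) + 2]) + value
    body = (attr(NAS_IDENTIFIER, b"openVPN")
            + attr(NAS_PORT_TYPE, struct.pack("!I", 5))  # 5 = Virtual
            + attr(NAS_PORT, struct.pack("!I", nas_port))
            + attr(NAS_IP_ADDRESS, ipaddress.IPv4Address(nas_ip).packed)
            + attr(CALLING_STATION_ID, calling_station_id.encode("ascii")))
    # Zeroed authenticator: placeholder only, a real request uses random bytes.
    return struct.pack("!BBH", 1, 1, 20 + len(body)) + bytes(16) + body
```

Pass `calling_station_report()` the UDP payload of a request captured on the RADIUS server; `is_nas_address` being true means the server is seeing the firewall's own address rather than the client's.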
      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.