Success! I've successfully gotten OpenVPN + PAM + FreeRADIUS authenticating!!



  • Yay, it took me forever to hack this but I have openvpn authenticating against FreeRADIUS using the PAM module.  I think this would be a great feature to implement into the next release of pfSense as we were looking for an extra added layer of security on our vpn aside from using the certificates only.  We could have easily used IAS in Server 2003 to authenticate against but we wanted to keep this list of users off our domain.  I can drum up a real how to if you guys want but here's what I did roughly:

    Edit: this howto has been moved here: http://doc.pfsense.org/index.php/Using_OpenVPN_With_FreeRADIUS

    That should get FreeRADIUS authentication going with OpenVPN.  What I liked was that I can see a list of "VPN" users in FreeRADIUS and I could control who had the right to log in, say if an employee left or we wanted to restrict VPN access to a certain user or something like that.  I can write up a tutorial on how to design a pfSense CARP cluster using a public DMZ zone and OpenVPN with FreeRADIUS accounting if you guys would like, as that's the way I designed our setup.  Let me know.

    Thanks!



  • Great tutorial - thanks!

    But I can't get it working. It says:

    Apr 4 00:41:57 openvpn[7638]: OpenVPN 2.0.5 i386-portbld-freebsd6.1 [SSL] [LZO] built on Mar 15 2006
    Apr 4 00:41:57 openvpn[7638]: PLUGIN_INIT: could not load plugin shared object /usr/local/lib/openvpn-auth-pam.so: Cannot open "/usr/local/lib/openvpn-auth-pam.so": Too many links (errno=31)
    Apr 4 00:41:57 openvpn[7638]: Exiting

    I noticed that the FreeRADIUS service is stopped, is that normal?

    /Daniel KJ



  • No, that's not normal, but it looks like you did the pkg_add -r openvpn command and it downgraded you to v2.0.5.  I don't know why that happens on the 1.0.1 platform, but I upgraded to the latest pfSense snapshot and that seemed to correct the problem.  I would suggest applying the latest pfSense snapshot if you can, then perform the pkg_add -r openvpn command and it will fix the PLUGIN_INIT issue.  And yes, FreeRADIUS should be running…



  • @j0emv:

    No, that's not normal, but it looks like you did the pkg_add -r openvpn command and it downgraded you to v2.0.5.  I don't know why that happens on the 1.0.1 platform, but I upgraded to the latest pfSense snapshot and that seemed to correct the problem.  I would suggest applying the latest pfSense snapshot if you can, then perform the pkg_add -r openvpn command and it will fix the PLUGIN_INIT issue.  And yes, FreeRADIUS should be running…

    Thank you!!

    That did the trick  8)



  • Awesome setup.

    "can write up a tutorial on how to design a pfSense CARP cluster using a public DMZ zone and OpenVPN with FreeRADIUS accounting if you guys would like as thats the way I designed our setup. "

    I'm sure a lot of us would benefit from that tutorial, if you could write it up that would be awesome.

    - Owen


  • This also works with the latest 1.2 beta, thank you!  :)



  • I am still getting this:

    May 22 15:23:43 openvpn[96569]: OpenVPN 2.0.6 i386-portbld-freebsd6.1 [SSL] [LZO] built on Apr 6 2006
    May 22 15:23:43 openvpn[96569]: PLUGIN_INIT: could not load plugin shared object /usr/local/lib/openvpn-auth-pam.so: Service unavailable: Too many links (errno=31)

    after trying all the suggestions in this thread.

    I assume the module should be at the path listed in the error message?

    I do not have the openvpn-auth-pam.so file on my system.  Is it because I am running 1.2-Beta-1?

    Any ideas?



  • Did you try the pkg_add -r openvpn command from the shell or console?  Your log says it's still using the broken version of openvpn.  It should say April 2007 after it's gotten the correct version I think.



  • I got everything done on the server side, but I don't know how to define the username and password in the conf file on Windows. Any ideas? Thanks :)



  • Thanks for the great info.

    How would I use this to authenticate against a Windows 2003 Active Directory using IAS?

    Cheers



  • Use the LDAP authentication module.
    http://code.google.com/p/openvpn-auth-ldap/



  • I don't suppose anyone has a pre-compiled plugin module?

    I don't mean to sound lazy, but I have no idea how to do that deep stuff in Linux. I guess I could learn, but I thought I'd be cheeky first :)

    Thanks



  • Anyway, just going back to the above FreeRADIUS setup, what do you need to add to the client file?

    I've added:

    auth-user-pass
    auth-retry interact

    but these don't work. The server comes back with AUTH FAILED (or something like that…)

    Is there something else, apart from username, password and max connections, I need to add to the user in the FreeRADIUS setup page?

    Thanks



  • Here is my log:

    Jan 12 23:25:52 openvpn[343]: TUN/TAP device /dev/tun0 opened
    Jan 12 23:25:52 openvpn[343]: /sbin/ifconfig tun0 10.87.99.1 10.87.99.2 mtu 1500 netmask 255.255.255.255 up
    Jan 12 23:25:52 openvpn[343]: /etc/rc.filter_configure tun0 1500 1543 10.87.99.1 10.87.99.2 init
    Jan 12 23:25:55 openvpn[343]: Listening for incoming TCP connection on [undef]:443
    Jan 12 23:25:55 openvpn[343]: TCPv4_SERVER link local (bound): [undef]:443
    Jan 12 23:25:55 openvpn[343]: TCPv4_SERVER link remote: [undef]
    Jan 12 23:25:55 openvpn[343]: Initialization Sequence Completed
    Jan 12 23:26:14 openvpn[343]: Re-using SSL/TLS context
    Jan 12 23:26:14 openvpn[343]: TCP connection established with xx.xx.145.118:3680
    Jan 12 23:26:14 openvpn[343]: TCPv4_SERVER link local: [undef]
    Jan 12 23:26:14 openvpn[343]: TCPv4_SERVER link remote: xx.xx.145.118:3680
    Jan 12 23:26:27 openvpn[1253]: rad_send_request: No valid RADIUS responses received
    Jan 12 23:26:27 openvpn[343]: xx.xx.145.118:3680 PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1: /usr/local/lib/openvpn-auth-pam.so
    Jan 12 23:26:27 openvpn[343]: xx.xx.145.118:3680 TLS Auth Error: Auth Username/Password verification failed for peer
    Jan 12 23:26:27 openvpn[343]: xx.xx.145.118:3680 [client1] Peer Connection Initiated with xx.xx.145.118:3680
    Jan 12 23:26:28 openvpn[343]: xx.xx.145.118:3680 Connection reset, restarting [0]

    I have a feeling that my radius server isn't running. I did telnet 10.87.0.1 1892 and it didn't connect (usually if something is listening it comes back with something at least…)



  • OK, I did some testing with another RADIUS server on another machine.

    pfSense can communicate with it OK; however, with the current type of setting in the users file:

    user1 User-Password == "password"

    the RADIUS server always replies back with a Reject (according to tcpdump)

    If I force an accept reply by doing in the users file:

    lameusername Auth-Type != Accept

    tcpdump says that the RADIUS server is responding with an accept (as I've forced it), but the OpenVPN server still sends my OpenVPN client "Received AUTH_FAILED control message".

    Any ideas what openvpn wants?



  • Hi Jonny!
    I was having the same problem as you were, but I found that I could fix it by making this change to the /etc/radius.conf file.

    (This is my /etc/radius.conf on my test VM)

    acct 192.168.1.1:1892 *passhere*
    auth 192.168.1.1:1892 *passhere*

    You will see that I just changed the file to add the port for the RADIUS server. I found that without this the OpenVPN server was never even talking to my RADIUS server (found after a LOT of log hunting and debugging). Try making that change, then rebooting your box. It should hopefully work at that point. If not, post back here or PM me and I'll try and help you out with it =)

    -Eureka

    @jonnytabpni:

    Here is my log:

    Jan 12 23:25:52 openvpn[343]: TUN/TAP device /dev/tun0 opened
    Jan 12 23:25:52 openvpn[343]: /sbin/ifconfig tun0 10.87.99.1 10.87.99.2 mtu 1500 netmask 255.255.255.255 up
    Jan 12 23:25:52 openvpn[343]: /etc/rc.filter_configure tun0 1500 1543 10.87.99.1 10.87.99.2 init
    Jan 12 23:25:55 openvpn[343]: Listening for incoming TCP connection on [undef]:443
    Jan 12 23:25:55 openvpn[343]: TCPv4_SERVER link local (bound): [undef]:443
    Jan 12 23:25:55 openvpn[343]: TCPv4_SERVER link remote: [undef]
    Jan 12 23:25:55 openvpn[343]: Initialization Sequence Completed
    Jan 12 23:26:14 openvpn[343]: Re-using SSL/TLS context
    Jan 12 23:26:14 openvpn[343]: TCP connection established with xx.xx.145.118:3680
    Jan 12 23:26:14 openvpn[343]: TCPv4_SERVER link local: [undef]
    Jan 12 23:26:14 openvpn[343]: TCPv4_SERVER link remote: xx.xx.145.118:3680
    Jan 12 23:26:27 openvpn[1253]: rad_send_request: No valid RADIUS responses received
    Jan 12 23:26:27 openvpn[343]: xx.xx.145.118:3680 PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1: /usr/local/lib/openvpn-auth-pam.so
    Jan 12 23:26:27 openvpn[343]: xx.xx.145.118:3680 TLS Auth Error: Auth Username/Password verification failed for peer
    Jan 12 23:26:27 openvpn[343]: xx.xx.145.118:3680 [client1] Peer Connection Initiated with xx.xx.145.118:3680
    Jan 12 23:26:28 openvpn[343]: xx.xx.145.118:3680 Connection reset, restarting [0]

    I have a feeling that my radius server isn't running. I did telnet 10.87.0.1 1892 and it didn't connect (usually if something is listening it comes back with something at least…)



  • Hi All,
    I've taken the information that j0emv posted and created a simple howto with my troubleshooting tips and a fix or two. I've sent it to the wiki admin to post in the tutorials section, but until then you can find it here:

    http://fusionnetwork.us/index.php/component/content/article/15-general-tutorials/23-pfsense-openvpn-freeradius

    Hope it helps ;)

    -E



  • I am running pfSense 1.2-Release.
    I followed the tutorial above, but it looks like I do not have the openvpn-auth-pam.so plugin in /usr/local/lib and therefore I get the following error:
    Mar 17 19:43:12 openvpn[29060]: Exiting
    Mar 17 19:43:12 openvpn[29060]: PLUGIN_INIT: could not load plugin shared object /usr/local/lib/openvpn-auth-pam.so: Service unavailable: Too many links (errno=31)
    Mar 17 19:43:12 openvpn[29060]: OpenVPN 2.0.6 i386-portbld-freebsd6.2 [SSL] [LZO] built on Sep 13 2007

    The tutorial suggests running pkg_add -r openvpn to update to the latest OpenVPN version. I already have OpenVPN 2.0.6, but ran the command anyway, and got an FTP failure error (apparently the file isn't there anymore?):

    Error: FTP Unable to get ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-6.2-release/Latest/openvpn.tbz: File unavailable (e.g., file not found, no access)

    Is there any way I can get openvpn-auth-pam.so copied over to my pfSense?

    thanks

    ALEX



  • Hi Alexb,
    It looks like you might be running an old version of the 1.2-release. Can you try updating to the 1.2.2x?
    Make a backup of your system, then download the "latest.tgz" and start an update.
    http://updates.pfsense.com/_updaters/

    -E

    @alexb:

    I am running pfSense 1.2-Release.
    I followed the tutorial above, but it looks like I do not have the openvpn-auth-pam.so plugin in /usr/local/lib and therefore I get the following error:
    Mar 17 19:43:12 openvpn[29060]: Exiting
    Mar 17 19:43:12 openvpn[29060]: PLUGIN_INIT: could not load plugin shared object /usr/local/lib/openvpn-auth-pam.so: Service unavailable: Too many links (errno=31)
    Mar 17 19:43:12 openvpn[29060]: OpenVPN 2.0.6 i386-portbld-freebsd6.2 [SSL] [LZO] built on Sep 13 2007

    The tutorial suggests running pkg_add -r openvpn to update to the latest OpenVPN version. I already have OpenVPN 2.0.6, but ran the command anyway, and got an FTP failure error (apparently the file isn't there anymore?):

    Error: FTP Unable to get ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-6.2-release/Latest/openvpn.tbz: File unavailable (e.g., file not found, no access)

    Is there any way I can get openvpn-auth-pam.so copied over to my pfSense?

    thanks

    ALEX



  • Updating to the 1.2.2 version of pfSense is a little too radical of a solution to include the auth-pam plugin on my system. Updating pfSense would require a lot of testing, which I am not willing to do just to add the PAM plugin. Does anyone have an idea as to:

    • Why I do not have the PAM plugin on my system, as opposed to everyone on this thread who was successful?

    • How I could get the plugin loaded on my system without upgrading my pfSense version?





  • I've followed here and got everything installed, the RADIUS auth fails:

    Tue May 19 07:53:39 2009 us=971748 24.80.65.8:51670 ENVP[24] = 'link_mtu=1543'
    Tue May 19 07:53:39 2009 us=971772 24.80.65.8:51670 ENVP[25] = 'dev=tun0'
    AUTH-PAM: BACKGROUND: received command code: 0
    AUTH-PAM: BACKGROUND: USER/PASS: user1/password1
    AUTH-PAM: BACKGROUND: my_conv[0] query='RADIUS Password:' style=1
    AUTH-PAM: BACKGROUND: my_conv[0] query='pam_radius: pam_sm_authenticate: Radius failure
    ' style=3
    AUTH-PAM: BACKGROUND: user 'user1' failed to authenticate: authentication information is unavailable
    Tue May 19 07:53:48 2009 us=975656 x.x.x.x:51670 PLUGIN_CALL: POST /usr/local/lib/openvpn-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=1
    Tue May 19 07:53:48 2009 us=975682 x.x.x.x:51670 PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1: /usr/local/lib/openvpn-auth-pam.so
    Tue May 19 07:53:48 2009 us=975706 x.x.x.x:51670 TLS Auth Error: Auth Username/Password verification failed for peer
    Tue May 19 07:53:48 2009 us=975837 MULTI TCP: multi_tcp_post TA_SOCKET_READ_RESIDUAL -> TA_SOCKET_WRITE

    Does a port need to be opened for FreeRADIUS? What else can I do to debug this?



  • OK, I noticed radiusd was core dumping, and that it was complaining about auth_log, so I commented these lines out:

    #log_auth =
    #log_auth_badpass =
    #log_auth_goodpass =

    Looks good now.



  • I've found a radiusplugin (http://www.nongnu.org/radiusplugin/) for OpenVPN, but it seems only to work in LINUX.

    My problem is that I would like to limit users with RADIUS (Simultaneous-Use, et cetera), but it doesn't work, because the PAM plugin doesn't send any accounting packets to RADIUS (it works only with AUTH).

    Has anyone got it to work in FreeBSD, or have any other clue how to work around this problem?

    I'll be running about 3-4 OpenVPN instances and each OpenVPN server will use the same certs - one client can connect to any server.
    The problem is that I don't want one client to connect to four different instances of OpenVPN with the same username/password at the same time. Therefore I must set up radius to work properly with OpenVPN so I can set up multi-connection limit (not only AUTH).

    It would be great to continue using pfsense on these servers.

    Best regards,

    Henry Parkon



  • Just in case anyone else has the issue with the missing pam.d plugin, try this:

    setenv PACKAGESITE ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-7-stable/Latest/
    pkg_add -r openvpn

    The first step will change the URL for packages to be downloaded; the second reinstalls OpenVPN, which includes the plugin.  I hope that's of use to someone, I spent ages tearing my hair out over it!  Works great now though, excellent guide.



  • Hi,
    I've had problems getting the authentication between the client and the RADIUS server to work.  I do not get a login prompt on the client side.
    I've followed the instructions as per http://forum.pfsense.org/index.php/topic,4105.0.html

    I'm using pfsense 1.2.2.
    OpenVPN GUI 1.0.3.
    I've reinstalled openvpn using "pkg_add -r" and reinstalled FreeRadius.

    My radius server looks like its running and shows:

    ps ax | grep radi

    47602  ??  I      0:00.25 radiusd -s
    39020  p0  R+    0:00.00 grep radi

    My client can connect without the "plugin" option in the OpenVPN server config page.

    my /etc/radius.conf file:

    acct 192.168.100.1:1892 secret
    auth 192.168.100.1:1892 secret

    and my /etc/pam.d/openvpn

    auth    required    pam_radius.so  debug=10
    account sufficient  pam_permit.so
    session sufficient  pam_permit.so

    The errors in the openvpn.log are as follows:

    Jul 29 14:25:54 gw openvpn[471]: XXX.XXX.XXX.XXX:64045 TLS Error: TLS handshake failed
    Jul 29 14:25:54 gw openvpn[471]: 216.40.116.225:64045 Fatal TLS error (check_tls_errors_co), restarting
    Jul 29 14:25:59 gw openvpn[471]: Re-using SSL/TLS context
    Jul 29 14:25:59 gw openvpn[471]: TCP connection established with XXX.XXX.XXX.XXX:55929
    Jul 29 14:25:59 gw openvpn[471]: TCPv4_SERVER link local: [undef]
    Jul 29 14:25:59 gw openvpn[471]: TCPv4_SERVER link remote: XXX.XXX.XXX.XXX:55929
    Jul 29 14:26:00 gw openvpn[471]: XXX.XXX.XXX.XXX:55929 TLS Error: Auth Username/Password was not provided by peer
    Jul 29 14:26:00 gw openvpn[471]: XXX.XXX.XXX.XXX:55929 TLS Error: TLS handshake failed
    Jul 29 14:26:00 gw openvpn[471]: XXX.XXX.XXX.XXX:55929 Fatal TLS error (check_tls_errors_co), restarting

    Any help is greatly appreciated.  Thanks.



  • Hi uz, I'm having a problem exactly as yours:

    --------------- your log -------------------------
    Jul 29 14:26:00 gw openvpn[471]: XXX.XXX.XXX.XXX:55929 TLS Error: Auth Username/Password was not provided by peer
    Jul 29 14:26:00 gw openvpn[471]: XXX.XXX.XXX.XXX:55929 TLS Error: TLS handshake failed
    Jul 29 14:26:00 gw openvpn[471]: XXX.XXX.XXX.XXX:55929 Fatal TLS error (check_tls_errors_co), restarting
    -----------------------------------------

    Would you please let me know how you solve it. Thanks.

    Also hope any one can give me some hint to solve it. Thanks.



  • @caigeliu:

    Hi uz, I'm having a problem exactly as yours:

    --------------- your log -------------------------
    Jul 29 14:26:00 gw openvpn[471]: XXX.XXX.XXX.XXX:55929 TLS Error: Auth Username/Password was not provided by peer
    Jul 29 14:26:00 gw openvpn[471]: XXX.XXX.XXX.XXX:55929 TLS Error: TLS handshake failed
    Jul 29 14:26:00 gw openvpn[471]: XXX.XXX.XXX.XXX:55929 Fatal TLS error (check_tls_errors_co), restarting
    -----------------------------------------

    Would you please let me know how you solve it. Thanks.

    Also hope any one can give me some hint to solve it. Thanks.

    Add this parameter in your client config file (client.ovpn): auth-user-pass
    TIP: The file /etc/radius.conf needs to have an empty line after the two lines acct and auth.

    Hope it helps
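As an added example (not code from the thread or from pfSense), a small Python probe that ties the tips above together: it reads the auth line of /etc/radius.conf, rejecting a server given without its :port (Eureka's fix) or a file whose last line lacks a newline (the tip just above), then sends one PAP Access-Request over UDP, which is the check a telnet to port 1892 cannot do because RADIUS is not TCP. The config text, user1/password1 and the addresses are assumed test values.

```python
# Added example (not from the thread): builds a PAP Access-Request per RFC 2865
# from the 'auth' line of /etc/radius.conf and reports how the server answers.
import hashlib
import os
import socket
import struct
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3

def parse_radius_conf(text):
    """(host, port, secret) from the 'auth' line; flags the thread's two pitfalls:
    a server given without ':port' and a last line missing its newline."""
    if text and not text.endswith("\n"):
        raise ValueError("radius.conf: last line has no trailing newline")
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "auth":
            host, _, port = parts[1].partition(":")
            if not port:
                raise ValueError("radius.conf: auth server %r lacks :port" % host)
            return host, int(port), parts[2].encode()
    raise ValueError("radius.conf: no 'auth' line")

def pap_encrypt(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous
    block), the first block keyed by the Request Authenticator."""
    pw = password.encode().ljust((len(password) + 15) // 16 * 16, b"\0")
    out, prev = b"", authenticator
    for i in range(0, len(pw), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(pw[i:i + 16], key))
        out += prev
    return out

def build_access_request(username, password, secret, authenticator, ident=1):
    """Header (code, id, length, authenticator) + User-Name(1) + User-Password(2)."""
    hidden = pap_encrypt(password, secret, authenticator)
    attrs = struct.pack("BB", 1, 2 + len(username)) + username.encode()
    attrs += struct.pack("BB", 2, 2 + len(hidden)) + hidden
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs

def probe(conf_text, username, password, timeout=3.0):
    """One UDP round trip (telnet cannot test this: RADIUS is not TCP). 'no-response'
    is what the log's 'rad_send_request: No valid RADIUS responses received' means."""
    host, port, secret = parse_radius_conf(conf_text)
    auth = os.urandom(16)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_access_request(username, password, secret, auth), (host, port))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return "no-response"
    code, _, length = struct.unpack("!BBH", data[:4])
    # Verify the Response Authenticator so a spoofed reply is not taken as an Accept.
    if data[4:20] != hashlib.md5(data[:4] + auth + data[20:length] + secret).digest():
        return "bad-authenticator"
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject"}.get(code, "other")
# Usage on the pfSense box (assumed test credentials):
# print(probe(open("/etc/radius.conf").read(), "user1", "password1"))
```

A "reject" means the server was reached and the shared secret is right but the users file entry is wrong, which separates the two failure modes discussed in this thread.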

