FreeRADIUS+OpenVPN



  • hi

    I have FreeRADIUS + OpenVPN configured and working fine, but "Number of simultaneous connections" does not work. When I use 1 simultaneous connection, the second connection is established and the first connection is dropped.

    pfSense 2.1.2 and the latest version of the packages.

    thx



  • I realized the "radwho" command is not working and replies with this error: "/usr/pbi/freeradius-i386/bin/radwho: No configuration information in radutmp section of radiusd.conf!"



  • Hi,

    radutmp needs accounting to be enabled to work. As long as OpenVPN (on pfSense) does not offer any option to configure accounting, it will not be possible to do simultaneous checks for OpenVPN connections with freeradius.



  • Hi

    I believe radutmp worked on the previous version of FreeRADIUS, and I remember the OpenVPN + FreeRADIUS simultaneous check worked, but I'm not sure.

    radutmp accounting is enabled by default:

    This is the virtual-server-default accounting section:

    –-------------------------------------------------------------------------
    accounting {

    #  Create a 'detail'ed log of the packets.
    #  Note that accounting requests which are proxied
    #  are also logged in the detail file.
    detail
    daily
    weekly
    monthly
    forever

    #  This makes it possible to run the datacounter_acct module only on accounting-stop and interim-updates

    if ((request:Acct-Status-Type == Stop) || (request:Acct-Status-Type == Interim-Update)) {
    datacounterdaily
    datacounterweekly
    datacountermonthly
    datacounterforever
    }

    #  Update the wtmp file

    #  If you don't use "radlast", you can delete this line.
    unix

    #  For Simultaneous-Use tracking.

    #  Due to packet losses in the network, the data here
    #  may be incorrect.  There is little we can do about it.
    radutmp

    sradutmp

    #  Return an address to the IP Pool when we see a stop record.

    main_pool

    #  Log traffic to an SQL database.

    #  See "Accounting queries" in sql.conf

    #  sql DISABLED

    #  If you receive stop packets with zero session length,
    #  they will NOT be logged in the database.  The SQL module
    #  will print a message (only in debugging mode), and will
    #  return "noop".

    #  You can ignore these packets by uncommenting the following
    #  three lines.  Otherwise, the server will not respond to the
    #  accounting request, and the NAS will retransmit.

    if (noop) {

    ok

    }

    #  Instead of sending the query to the SQL server,
    #  write it into a log file.

    sql_log

    #  Cisco VoIP specific bulk accounting

    pgsql-voip

    #  For Exec-Program and Exec-Program-Wait

    exec

    #  Filter attributes from the accounting response.
    attr_filter.accounting_response

    #  See "Autz-Type Status-Server" for how this works.

    Acct-Type Status-Server {

    }
    }



  • @nimamhd:

    Hi,

    OpenVPN needs to do accounting, too. If OpenVPN does not send any accounting information to freeradius then freeradius cannot do anything.
    Perhaps you used "SSL/TLS + User Auth" on the OpenVPN server. Then the simultaneous connection checks can be done based on the user certificate. But this must be configured on the OpenVPN server and has nothing to do with freeradius. Freeradius can just check the username/password.
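
    Added example (not part of any post in this thread, and not FreeRADIUS code): a simplified model of the point made above, that a session limit can only be enforced when the NAS reports sessions through accounting. The class, function and sample user names are hypothetical, and the session table stands in for radutmp.

```python
"""Toy model of RADIUS Simultaneous-Use tracking (constructed; not FreeRADIUS code)."""
from collections import defaultdict


class SessionTracker:
    """Plays the role of the radutmp session database (hypothetical model)."""

    def __init__(self):
        self.active = defaultdict(set)  # User-Name -> set of Acct-Session-Id

    def accounting(self, packet):
        """Apply an Accounting-Request; only Start and Stop change the table."""
        user, sid = packet["User-Name"], packet["Acct-Session-Id"]
        status = packet["Acct-Status-Type"]
        if status == "Start":
            self.active[user].add(sid)
        elif status == "Stop":
            self.active[user].discard(sid)

    def authorize(self, user, simultaneous_use):
        """Accept the login only while the user is below the session limit."""
        return len(self.active[user]) < simultaneous_use


def run_logins(nas_sends_accounting, attempts=3, limit=1):
    """Return the decision for each consecutive login of one constructed user."""
    tracker = SessionTracker()
    decisions = []
    for n in range(attempts):
        accepted = tracker.authorize("alice", limit)
        decisions.append("Access-Accept" if accepted else "Access-Reject")
        # Without an Accounting-Request (Start) the server never learns
        # that the accepted session exists.
        if accepted and nas_sends_accounting:
            tracker.accounting({"User-Name": "alice",
                                "Acct-Session-Id": f"sess-{n}",
                                "Acct-Status-Type": "Start"})
    return decisions


if __name__ == "__main__":
    print("NAS sends accounting:", run_logins(True))
    print("NAS sends none:      ", run_logins(False))
```

    With accounting, the second and third logins are rejected; without it, the session table stays empty and every login is accepted regardless of the configured limit.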



  • Thank you for replying. I'm already using "SSL/TLS + User Auth" on the OpenVPN server, but the simultaneous check is not working.

    OpenVPN was configured with the Road-Warrior tutorial that I found at https://doc.pfsense.org/index.php/Tutorials.

