
Authenticate OpenVPN users via Radius (Freeradius)

I have set up OpenVPN server (not the Access Server, the open source community version) and FreeRADIUS 3 on my Ubuntu machine. OpenVPN client authentication has been tested for both username/password and certificate/key mechanisms for users generated using Easy-RSA. FreeRADIUS user creation and testing have been done with daloRADIUS and NTRadPing respectively.

What I want, is to use RADIUS authentication for my VPN clients. Basically when the client prompts for username password, I want to login via the credentials I have created in freeradius.

There is very little info about it on the official documentation page of OpenVPN (this page).

While following the guide, I have found that the openvpn-auth-pam plugin has been renamed, relocated, and now comes prebuilt (if it's not, feel free to correct me; I assumed that because the openvpn-plugin-auth-pam.so file was already there) in a different directory.

According to the guide I have to add the following line to my server configuration file.

plugin /usr/lib/x86_64-linux-gnu/openvpn/plugins/openvpn-plugin-auth-pam.so [name of the module to be used for authentication] 

So here I need to call a module that calls FreeRADIUS to perform the authentication. The guide uses the "login" PAM module, which is located in the /etc/pam.d directory, unless I found the wrong thing. In the same directory there is also a file named radiusd, and the contents of the file are:

# /etc/pam.d/radiusd - PAM configuration for FreeRADIUS
#
# We fall back to the system default in /etc/pam.d/common-*

@include common-auth
@include common-account
@include common-password
@include common-session

I am not sure what to do next. Is FreeRADIUS's own PAM module even relevant to the operation that I am trying to perform? Or do I need to use some external tools and libraries to integrate FreeRADIUS with OpenVPN? Or do I need to create the module file myself? Thanks in advance.

Use Debian. CentOS 7 is getting EOL soon. CentOS 8+ does not have this plugin in its repos, but you can compile it (see the end of the answer).

Install the RADIUS authentication module and edit the OpenVPN server configuration:

apt update
# apt-cache search ".*openvpn.*radius.*"
apt install openvpn-auth-radius
# find / -name "radiusplugin*"
cp /usr/share/doc/openvpn-auth-radius/examples/radiusplugin.cnf /etc/openvpn/radiusplugin.cnf
nano /etc/openvpn/radiusplugin.cnf

Edit the following settings in /etc/openvpn/radiusplugin.cnf; leave the rest as is.

name=ip-of-your-radius
retry=10 # change if needed
wait=600 # change if needed
sharedsecret=paste-here-radius-secret

Server config

nano /etc/openvpn/server.conf

Add lines:

# For auth plugins. Uncomment if needed
# username-as-common-name
 
# RADIUS Auth
plugin /usr/lib/openvpn/radiusplugin.so /etc/openvpn/radiusplugin.cnf

If you want to compile it (I haven't tested this):

apt-get install libgcrypt11 libgcrypt11-dev gcc make build-essential
wget http://www.nongnu.org/radiusplugin/radiusplugin_v2.1a_beta1.tar.gz
tar xvfz radiusplugin_v2.1a_beta1.tar.gz
cd radiusplugin_v2.1a_beta1/
make
cp radiusplugin.so /etc/openvpn/
cp radiusplugin.cnf /etc/openvpn/

List of OpenVPN plugins: https://community.openvpn.net/openvpn/wiki/PluginOverview

PS: a similar procedure works for LDAP integration (find the plugin in the repo, use the example config, add it to the main config).
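The edits the answer describes, as an added example that is not part of the original answer: a small POSIX shell script that sets the four values in the server block of an existing radiusplugin.cnf (the copy of the package example from the install step), restricts the file to root only because it holds the RADIUS shared secret, and checks that server.conf actually loads radiusplugin.so with that config path. The function names, the `apply` sub-command and the scratch-directory usage are my own choices; the file paths and key names come from the answer.

```shell
#!/bin/sh
# Added example (not from the original answer): apply the radiusplugin.cnf
# edits the answer lists, lock the file down and verify server.conf loads
# the plugin. Paths are parameters so the functions can be exercised on a
# scratch directory without root.
set -eu

# Replace "<key>=..." inside an existing radiusplugin.cnf, keeping leading
# whitespace and the commented explanations from the package example intact.
set_radius_option() {          # set_radius_option FILE KEY VALUE
    file=$1 key=$2 value=$3
    # escape characters that are special in a sed replacement (\, &, |)
    esc=$(printf '%s' "$value" | sed 's/[\\&|]/\\&/g')
    if grep -Eq "^[[:space:]]*${key}=" "$file"; then
        sed -i -E "s|^([[:space:]]*)${key}=.*|\1${key}=${esc}|" "$file"
    else
        echo "radiusplugin.cnf: expected key '${key}' not found" >&2
        return 1
    fi
}

# Apply the four edits from the answer (retry/wait default to its values)
# and make the file readable by root only: it contains the shared secret.
configure_radius_plugin() {    # configure_radius_plugin FILE RADIUS_IP SECRET [RETRY] [WAIT]
    file=$1
    set_radius_option "$file" name         "$2"
    set_radius_option "$file" sharedsecret "$3"
    set_radius_option "$file" retry        "${4:-10}"
    set_radius_option "$file" wait         "${5:-600}"
    chmod 600 "$file"
}

# Succeeds if SERVER_CONF has an active "plugin .../radiusplugin.so CNF_PATH" line.
server_loads_plugin() {        # server_loads_plugin SERVER_CONF CNF_PATH
    grep -Eq "^[[:space:]]*plugin[[:space:]]+[^[:space:]]*radiusplugin\.so[[:space:]]+$2[[:space:]]*$" "$1"
}

# Print the current value of a key in the cnf (first match).
get_radius_option() {          # get_radius_option FILE KEY
    sed -nE "s|^[[:space:]]*$2=(.*)$|\1|p" "$1" | head -n1
}

# Usage (as root): sh radius-cnf.sh apply RADIUS_IP SECRET
if [ "${1:-}" = apply ]; then
    configure_radius_plugin /etc/openvpn/radiusplugin.cnf "$2" "$3"
    server_loads_plugin /etc/openvpn/server.conf /etc/openvpn/radiusplugin.cnf \
        || echo "server.conf does not load radiusplugin.so yet" >&2
fi
```

Only lines that start with the key are rewritten, so the explanatory comments in the package example survive, and a key that is missing from the file is reported instead of silently appended somewhere the plugin might not read it.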
