Score:0

OpenVPN + PAM + Freeradius

ne flag

Situation: I have a fully configured and working Freeradius server. I installed OVPN 2.6.4 on another server, and the goal is to authenticate through Radius. I installed pam-radius-auth and configured it (configs below). Authentication is working just fine, but there are no Accounting packets from OVPN. When I try pamtester, everything is OK and accounting is there, but when I connect with OVPN, there is none.

/etc/pam.d/ovpn

account required      pam_radius_auth.so
auth    required      pam_radius_auth.so conf=/etc/pam.d/pam_radius_auth.conf debug
session required      pam_radius_auth.so

/etc/pam.d/pam_radius_auth.conf

<My Radius server ip>  <Shared secret>       3

/etc/openvpn/server/server.conf

setenv deferred_auth_pam 1
plugin /usr/lib/x86_64-linux-gnu/openvpn/plugins/openvpn-plugin-auth-pam.so ovpn
verify-client-cert none
key-direction 0
local *<IPaddr>*
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
auth SHA256
tls-crypt tc.key
topology subnet
server 10.8.0.0 255.255.255.0
server-ipv6 fddd:1194:1194:1194::/64
push "redirect-gateway def1 ipv6 bypass-dhcp"
ifconfig-pool-persist ipp.txt
push "dhcp-option DNS 67.207.67.3"
push "dhcp-option DNS 67.207.67.2"
push "block-outside-dns"
push "explicit-exit-notify 3"
keepalive 10 120
cipher AES-128-GCM
user nobody
group nogroup
persist-key
persist-tun
verb 3
crl-verify crl.pem
explicit-exit-notify 1
management 127.0.0.1 7555
log-append /var/log/openvpn/openvpn.log
txqueuelen 4000
mute-replay-warnings

What am I missing?

djdomi avatar
za flag
Welcome. Questions seeking installation, configuration or diagnostic help must include the desired end state, the specific problem or error, sufficient information about the configuration and environment to reproduce it, and attempted solutions. Questions without a clear problem statement are not useful to other readers and are unlikely to get good answers. Also verify that you applied all details of [ask].
Score:0
br flag

I did several implementations like yours of Freeradius and learned a lot during that time. And I probably know what you are "missing" if I understood your question/problem correctly.

Here we go:

Your configuration looks fine.
However, authentication and accounting are two separate components of the Radius protocol. The plugin/module you use, pam-radius-auth, only does authentication. The plugin/module does not have the capability to send Radius accounting packets.

If you check the OpenVPN Plugin Overview website, you will see the topic radiusplugin in the plugin overview.
I used ValdikSS openvpn-radiusplugin, which worked for me at the time. It also had, and I see it still has, a nice readme with configuration examples. But I see there are more radius plugins available on the OpenVPN website, so check the plugins out and find the one that best suits your quality standards and needs.

Also a nice article that explains Radius Accounting: How does Radius accounting work

Good Luck!

Comandante avatar
ne flag
Can you show me really working configs? And versions of OVPN etc.
Bombaci avatar
br flag
Sorry, it was in my job 4/5 years ago. So, no versions; you can probably see them when you check the version releases. Maybe I have some configuration examples in my old notes. If you still need it, I'll check it out tomorrow.
Comandante avatar
ne flag
If you find some configs, that would be great. Problem solved for me, but any additional information is very useful.
Bombaci avatar
br flag
I just checked my old notes. Nothing really in there about this. However, this tutorial is also very extensive: [how to configure accounting](https://link.medium.com/QkhFph3oJAb)
Score:0
ne flag

Well, OK, I've found this patch: https://github.com/ValdikSS/openvpn-radiusplugin/issues/14

After recompiling, accounting works, at least on Acc-Start. But on closing the session from the client, there are no changes in the DB. I have an unclosed session in radius.

Comandante avatar
ne flag
I've got it. Old clients do not correctly send the SIGTERM signal to OVPN 2.6. OVPN disconnected the session after some timeout. Anyway, I think the question is solved.
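
The unclosed-session symptom described in the posts above (an Accounting Start with no matching Stop) can be checked from captured accounting traffic. The following is an added example, not part of the original thread and not code from any OpenVPN plugin: it parses RADIUS Accounting-Request packets per RFC 2866, verifies the Request Authenticator against the shared secret, and lists sessions that were started but never stopped. The secret, session IDs and user names are constructed sample data.

```python
import hashlib
import hmac
import struct

ACCT_REQUEST, START, STOP = 4, 1, 2  # RFC 2866 packet code, Acct-Status-Type values
USER_NAME, ACCT_STATUS_TYPE, ACCT_SESSION_ID = 1, 40, 44  # attribute types

def build_acct_request(ident, secret, status, session_id, user):
    """Build a constructed Accounting-Request so the demo runs offline."""
    fields = ((USER_NAME, user.encode()), (ACCT_STATUS_TYPE, struct.pack("!I", status)),
              (ACCT_SESSION_ID, session_id.encode()))
    attrs = b"".join(bytes([t, len(v) + 2]) + v for t, v in fields)
    header = struct.pack("!BBH", ACCT_REQUEST, ident, 20 + len(attrs))
    auth = hashlib.md5(header + b"\x00" * 16 + attrs + secret).digest()
    return header + auth + attrs

def parse_acct_request(packet, secret):
    """Check framing and authenticator, return {attribute type: raw value}."""
    if (len(packet) < 20 or packet[0] != ACCT_REQUEST
            or struct.unpack("!H", packet[2:4])[0] != len(packet)):
        raise ValueError("not a well-formed Accounting-Request")
    # Request Authenticator = MD5(Code + ID + Length + 16 zero octets + attrs + secret)
    expected = hashlib.md5(packet[:4] + b"\x00" * 16 + packet[20:] + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("bad Request Authenticator (shared secret mismatch?)")
    attrs, pos = {}, 20
    while pos < len(packet):
        alen = packet[pos + 1] if pos + 2 <= len(packet) else 0
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed attribute")
        attrs[packet[pos]] = packet[pos + 2:pos + alen]
        pos += alen
    return attrs

def unclosed_sessions(packets, secret):
    """Return {Acct-Session-Id: User-Name} for every Start without a Stop."""
    still_open = {}
    for packet in packets:
        attrs = parse_acct_request(packet, secret)
        status = struct.unpack("!I", attrs[ACCT_STATUS_TYPE])[0]
        session_id = attrs[ACCT_SESSION_ID].decode()
        if status == START:
            still_open[session_id] = attrs[USER_NAME].decode()
        elif status == STOP:
            still_open.pop(session_id, None)
    return still_open

SECRET = b"constructed-secret"  # constructed sample data, not from the thread
SAMPLE = [build_acct_request(i, SECRET, st, sid, user) for i, (st, sid, user) in enumerate(
    [(START, "ovpn-0001", "alice"), (START, "ovpn-0002", "bob"), (STOP, "ovpn-0002", "bob")])]
```

Calling `unclosed_sessions(SAMPLE, SECRET)` on the constructed packets reports only the session that received a Start and no Stop.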