Setting up OpenVPN AS with FreeRADIUS AND stunnel
If you’re ever curious as to how do VPN service providers manage all their users and their authentication. I hope this might give you a little peek.
This article will serve to setup FreeRADIUS as the authentication mechanism, OpenVPN as the VPN protocol and stunnel as an introduction to obfuscating censorship. With all these setup, you’re one step closer to start providing VPN services.
Setup FreeRADIUS
Install Freeradius
Centos
$ yum install freeradius freeradius-mysql
Create Freeradius Database
Install MySQL
$ yum install mysql-server
Login to MySQL as root and create databases
$ mysql -uroot -p
mysql> create database radius;
mysql> GRANT ALL ON radius.* TO radius@localhost IDENTIFIED BY "radpass";
mysql> use radius;
mysql> SOURCE /etc/raddb/sql/mysql/schema.sql
_Create your first vpn user _
mysql> use radius;
mysql> INSERT INTO radcheck (username, attribute, op, value) VALUES ('chantra','Cleartext-Password',':=','chantrapass');
Configure Freeradius
Create /etc/raddb/sql.conf
# Connection info:
server = "localhost"
#port = 3306
login = "radius"
password = "radpass"
# Database table configuration for everything except Oracle
radius_db = "radius"
Uncomment
# /etc/raddb/radiusd.conf
$INCLUDE sql.conf
Do the magical uncomments
# /etc/raddb/sites-available/default
# /etc/raddb/sites-available/inner-tunnel
authorize{
# uncomment the line containing 'sql'
}
# /etc/raddb/sites-available/inner-tunnel
accounting{
# uncomment the line containing 'sql'
}
Change freeradius secret
# /etc/raddb/clients.conf
secret = testing123 # into something more awesome
Lets check radius!
$ service radiusd start
$ service radiusd stop
Setup OpenVPN AS
Grab OpenVPN
$ wget http://swupdate.openvpn.org/as/openvpn-as-1.8.3-CentOS5.x86_64.rpm
$ rpm -i openvpn-as-1.8.3-CentOS5.x86_64.rpm
You should see:
The Access Server has been successfully installed in /usr/local/openvpn_as Configuration log file has been written to /usr/local/openvpn_as/init.log Please enter “passwd openvpn” to set the initial administrative password, then login as “openvpn” to continue configuration here: https://109.109.109.46:943/admin To reconfigure manually, use the /usr/local/openvpn_as/bin/ovpn-init tool.
Change OpenVPN password
$ passwd openvpn
Login to OpenVPN admin
Access https://x:943/admin and login with your username/password
Under Authentication > General
You should see 4 options:
- Local
- PAM
- Radius
- LDAP
Select “Radius” and “update running server”
Authentication > Radius
Select “CHAP”
In RADIUS SETTING
Add server ip of FreeRADIUS server and shared_secret (hint: “testing123” which was configured above)
Check “Enable RADIUS Accounting”
Hit “Update Running Server”
Hook FreeRADIUS and OpenVPN
Add OpenVPN server into FreeRADIUS records
In the FreeRADIUS server:
$ vim /etc/raddb/clients.conf
# find the line:
# coa_server = coa
# add the following below
client OPENVPN_IP_HERE {
secret = YOUR SECRET HERE
shortname = yourVPN # anyname
nastype = other
}
$ sudo service radiusd restart
Done!
Setup STunnel
What is Stunnel?
STunnel Server
You can run this on the same server as your OpenVPN. For this example, we will run it on our same server.
$ yum install stunnel
In your stunnel directory, sometimes at /etc/stunnel/
$ openssl genrsa -out server.key 4096
$ openssl req -new -key server.key -out server.csr
$ openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
$ cat server.key > server.pem && cat server.crt >> server.pem
In /etc/stunnel/stunnel.conf
# create if file doesn't exist
sslVersion = all
options = NO_SSLv2
chroot = /var/lib/stunnel4/
; PID is created inside the chroot jail
pid = /stunnel4.pid
; Debugging stuff (may useful for troubleshooting)
; debug = 7
; output = /var/log/stunnel4/stunnel4.log
setuid = stunnel4
setgid = stunnel4
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
compression = zlib
[openvpn]
accept = 127.0.0.1:443
connect = 127.0.0.1:1194
cert=/etc/stunnel/server.pem
key=/etc/stunnel/server.key
2 things here, accept and connect accept should be the port that is listening to openvpn connections. In the case of hiding from Deep Packet Inspection, setting this to 443 will hide your OpenVPN connections underneath an unblockable port (SSL) connect should be the ip:port of your actual OpenVPN server that is listening.
Note: Ensure that you’re only accepting TCP connection in your OpenVPN AS Web Panel
$ sudo service stunnel start
Stunnel Client
This should be run by your OpenVPN clients
Do the same setup as above, install stunnel via the distro’s package managers.
Your stunnel.conf on the client should look like this
client = yes
compression = zlib
[openvpn]
client = yes
accept = 127.0.0.1:8088
connect = STUNNEL_SERVER_IP:443
accept should always be your localhost with any port that you decide connect will point to your stunnel server and the port that it is listening to. In this example, its 443.
$ sudo service stunnel start
Connecting to OpenVPN
To make your life easier, just go to https://openvpn_ip:943 and login with your username/password from FreeRADIUS.
You should see a link to download your connection settings (profile) for yourself.
It should look something like:
setenv FORWARD_COMPATIBLE 1
client
proto tcp
remote localhost # always set this to point to localhost if you're using stunnel
port 8088 # this should be the port that your stunnel is accepting connection
dev tun
dev-type tun
ns-cert-type server
reneg-sec 604800
sndbuf 100000
rcvbuf 100000
auth-user-pass
# NOTE: LZO commands are pushed by the Access Server at connect time.
# NOTE: The below line doesn't disable LZO.
comp-lzo no
verb 3
setenv PUSH_PEER_INFO
You’ll also need to add your own routing to your VPN server to ensure that traffic gets sent over there
# add the following just below
# ENDPOINT_IP being your OpenVPN server ip
setenv PUSH_PEER_INFO
route ENDPOINT_IP 255.255.255.255 net_gateway