Synology usage series 22 – Putting it all together – OpenVPN+FreeRadius+OpenLDAP


Pre-requisites

Install OpenVPN on DiskStation
Install OpenLDAP on DiskStation
Install FreeRadius and integrate it with OpenLDAP

To let FreeRadius act as the authentication server for OpenVPN, we need a RADIUS plugin. I’ve tried the RadiusPlugin and it has been working well so far.

* I’m currently using version 2.0. The 2.1 beta plugin was not able to read the configuration file, so openvpn failed to initialize the plugin.

To install the plugin, we need to compile it on the NAS. I’ve tried cross-compiling, but the resulting binary did not work for some reason.

Natively compile the RadiusPlugin 2.0c

  1. Login as root
  2. Compile the plugin
    # ipkg --force-depends install gcc
    # ipkg --force-depends install make
    # ipkg --force-depends install libgcrypt
    # ipkg --force-depends install libstdc++
    # cd ~
    # wget http://www.nongnu.org/radiusplugin/radiusplugin_v2.0c.tar.gz
    # tar xvzf radiusplugin_v2.0c.tar.gz
    # cd radiusplugin_v2.0c
    # make
    
  3. Copy the config file and plugin to openvpn directory
    # mkdir /opt/etc/openvpn/lib
    # cp /root/radiusplugin_v2.0c/radiusplugin.so /opt/etc/openvpn/lib
    # cp /root/radiusplugin_v2.0c/radiusplugin.cnf /opt/etc/openvpn/config
    

Configure OpenVPN Server

  1. Edit the /opt/etc/openvpn/config/radiusplugin.cnf
    NAS-Identifier=OpenVpn
    Service-Type=5
    Framed-Protocol=1
    NAS-Port-Type=5
    
    # The NAS IP address which is sent to the RADIUS server
    NAS-IP-Address=127.0.0.1
    
    # Path to the OpenVPN configfile.
    OpenVPNConfig=/opt/etc/openvpn/config/openvpn.conf
    
    subnet=255.255.255.0
    
    # I don't wish the plugin to write the client's CCD
    # file for me, so I set false here. If you have
    # enabled client-config-dir and want the plugin
    # to write the client's file for you, set to true here.
    # Just make sure the ccd directory is writable by
    # the OpenVPN instance.
    overwriteccfiles=false
    
    server
    {
            # The UDP port for radius accounting.
            acctport=1813
            # The UDP port for radius authentication.
            authport=1812
            # The name or ip address of the radius server.
            name=127.0.0.1
            # How many times should the plugin resend the request if there is no response?
            retry=1
            # How long should the plugin wait for a response?
            wait=1
            # The shared secret. Refer to the Radius's config
            # /opt/etc/raddb/clients.conf (client localhost section)
            sharedsecret=testpw
    }
    
  2. Edit the /opt/etc/openvpn/config/openvpn.conf
    plugin /opt/etc/openvpn/lib/radiusplugin.so /opt/etc/openvpn/config/radiusplugin.cnf
    
  3. Restart OpenVPN Server
    # /bin/killall openvpn
    # /opt/etc/init.d/S20openvpn
    
  4. The plugin needs to write a temporary file to the /tmp directory. If you have jailed the openvpn process, create a tmp directory under the jail path.

    # mkdir /opt/etc/openvpn/jail/tmp
    # chmod 777 /opt/etc/openvpn/jail/tmp
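Before restarting OpenVPN it is worth confirming that FreeRadius itself accepts an LDAP user with the shared secret from radiusplugin.cnf. The script below is an added example, not part of the original post or of RadiusPlugin: it builds a PAP Access-Request (RFC 2865) carrying the same NAS attributes as the config above, sends it to FreeRadius and verifies the Response Authenticator, so a wrong sharedsecret shows up as an invalid reply rather than a silent reject. The username, password and server address are placeholders to replace with your own; the secret testpw and the attribute values are the ones from the config above.

```python
#!/usr/bin/env python3
"""Send a RADIUS PAP Access-Request (RFC 2865) and verify the reply.

Added example for checking the FreeRadius side of the setup; it is not
part of the original post or of RadiusPlugin. Attribute values mirror
radiusplugin.cnf above; the user, password and server are placeholders.
"""
import hashlib
import hmac
import os
import secrets
import socket
import struct

# Packet codes and attribute types from RFC 2865
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, SERVICE_TYPE = 1, 2, 4, 6
FRAMED_PROTOCOL, NAS_IDENTIFIER, NAS_PORT_TYPE = 7, 32, 61


def hide_password(secret: bytes, authenticator: bytes, password: bytes) -> bytes:
    """User-Password hiding (RFC 2865 section 5.2): XOR each 16-byte chunk
    with MD5(secret + previous block), starting from the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def reveal_password(secret: bytes, authenticator: bytes, hidden: bytes) -> bytes:
    """Inverse of hide_password (what the server does); handy for testing."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attr(atype: int, value: bytes) -> bytes:
    """One attribute: type, total length, value (value at most 253 bytes)."""
    return struct.pack("!BB", atype, 2 + len(value)) + value


def build_access_request(ident, secret, authenticator, username, password,
                         nas_ip="127.0.0.1", nas_id="OpenVpn"):
    """Access-Request carrying the same NAS attributes as radiusplugin.cnf."""
    attrs = (attr(USER_NAME, username.encode())
             + attr(USER_PASSWORD, hide_password(secret, authenticator, password.encode()))
             + attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
             + attr(NAS_IDENTIFIER, nas_id.encode())
             + attr(SERVICE_TYPE, struct.pack("!I", 5))      # Service-Type=5
             + attr(FRAMED_PROTOCOL, struct.pack("!I", 1))   # Framed-Protocol=1
             + attr(NAS_PORT_TYPE, struct.pack("!I", 5)))    # NAS-Port-Type=5
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + authenticator + attrs


def response_authenticator(secret, request_authenticator, code, ident, attrs):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_authenticator + attrs + secret).digest()


def parse_response(secret, request_authenticator, ident, data):
    """Return the reply code, or None if the packet is malformed, carries the
    wrong identifier, or its Response Authenticator does not verify (the
    usual symptom of a shared-secret mismatch)."""
    if len(data) < 20:
        return None
    code, rid, length = struct.unpack("!BBH", data[:4])
    if rid != ident or length < 20 or length > len(data):
        return None
    attrs = data[20:length]
    expected = response_authenticator(secret, request_authenticator, code, ident, attrs)
    if not hmac.compare_digest(expected, data[4:20]):
        return None
    return code


def check_credentials(username, password, secret=b"testpw",
                      server="127.0.0.1", port=1812, timeout=3.0):
    """Send one request to FreeRadius and report the verified outcome."""
    ident = secrets.randbelow(256)
    request_auth = os.urandom(16)
    packet = build_access_request(ident, secret, request_auth, username, password)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (server, port))
        data, _ = sock.recvfrom(4096)
    code = parse_response(secret, request_auth, ident, data)
    if code is None:
        return "invalid reply (check sharedsecret against clients.conf)"
    return {ACCESS_ACCEPT: "Access-Accept", ACCESS_REJECT: "Access-Reject"}.get(code, f"code {code}")


if __name__ == "__main__":
    # Placeholder credentials: use an account that exists in OpenLDAP.
    print(check_credentials("ldapuser", "ldappassword"))
```

Run it from the DiskStation itself (or another host listed in /opt/etc/raddb/clients.conf), because FreeRadius silently drops requests from addresses it does not know as clients; with name=127.0.0.1 in radiusplugin.cnf the plugin's own requests will come from localhost. An Access-Reject with a known-good LDAP password points at the FreeRadius/OpenLDAP integration, while "invalid reply" points at the sharedsecret.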

Configure OpenVPN Client

  1. Edit the configuration file

    For Windows clients: c:\program files\OpenVPN\client.ovpn
    For Linux/DiskStation clients: /opt/etc/openvpn/config/openvpn.conf

    Add the following line to the configuration file

    auth-user-pass

Done! Clients will now be asked for a username and password. The credentials are then forwarded to FreeRadius for both authentication and authorization.





3 thoughts


  1. I configured freeradius2 and openvpn on Centos5.8, but I was unsuccessful in compiling radiusPlugin_v2.0.c although I installed gcc, gcc-c++, make, libgcrypt, libst++

    I don't know how to fix it
    ….
    ….
    this is error: make **** [RadiusClass/RadiusAttribute.o] Error 1
