
I am new to OpenVPN. I have an OpenVPN setup on Ubuntu 14.04 which has a RADIUS AAA backend for authentication, authorization and accounting. In addition to this, we have configured FreeRADIUS to assign IPs from a pool as Framed-IP-Address. From the RADIUS logs, it appears that FreeRADIUS returns Framed-IP-Address in response to the Access-Request message when authentication and authorization are successful, but OpenVPN seems to ignore it and uses its own IP pool specified in the server directive. What I want is for OpenVPN to respect the Framed-IP-Address returned by FreeRADIUS, but it does not. Since I don't have prior experience with OpenVPN, I would appreciate help from experts.

Here is my OpenVPN side of the configuration, which I think has a problem.

OpenVPN configuration:

local 192.168.7.100
mode server
port 443
proto tcp
dev tun
tcp-queue-limit 256
tun-mtu 1500
mssfix 1460
sndbuf 0
rcvbuf 0

cipher AES-256-CBC
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key
dh /etc/openvpn/easy-rsa/keys/dh2048.pem
tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0
plugin /etc/openvpn/rad/radiusplugin.so /etc/openvpn/rad/443.cnf
client-cert-not-required
username-as-common-name

server 10.10.0.0 255.255.0.0
;ifconfig-pool 10.0.0.0 10.1.255.254
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
reneg-sec 0
keepalive 60 120
tcp-nodelay
comp-lzo
persist-key
persist-tun
status /etc/openvpn/443.log 1
status-version 1
verb 4
management 192.168.7.100 7505

RADIUS plugin configuration:

NAS-Identifier=openvpn_tcp_443
Service-Type=5
Framed-Protocol=1
NAS-Port-Type=5
NAS-IP-Address=192.168.7.100
OpenVPNConfig=/etc/openvpn/tcp_443.conf

subnet=255.255.255.0

overwriteccfiles=true
nonfatalaccounting=false

server
{
        acctport=1813
        authport=1812
        name=192.168.7.102
        retry=1
        wait=1
        sharedsecret=--redacted--
}

server
{
        acctport=1813
        authport=1812
        name=192.168.7.103
        retry=1
        wait=1
        sharedsecret=--redacted--
}

Thank you.

======================

Update

I have made the following changes to the config.

topology subnet
push "topology subnet"
client-config-dir clients

After adding client-config-dir, the Framed-IP-Address is being assigned. As mentioned earlier, I now cannot browse anything from my clients. It seems the traffic cannot be routed properly. There seems to be a routing issue, or a topology issue, or something else that I expect OpenVPN to handle but it does not. Here is the relevant information that can help in understanding it.

The IP assigned to the OpenVPN client is a public IP whose routing is set on the gateway of the machine. The same client IP works properly when used with strongSwan, which means it is properly routable. But with OpenVPN, it does not.

Relevant output from ifconfig on the server machine:

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.10.0.1  P-t-P:10.10.0.1  Mask:255.255.255.0
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

Relevant output of route -n:

0.0.0.0         --redacted--     0.0.0.0         UG    0      0        0 em2
10.10.0.0       0.0.0.0         255.255.255.0   U     0      0        0 tun0
--redacted--     0.0.0.0         255.255.255.248 U     0      0        0 em2

The rp_filter information:

root@us1-ps1:~# sysctl -a | grep rp_filter
net.ipv4.conf.all.arp_filter = 0
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.arp_filter = 0
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.em1.arp_filter = 0
net.ipv4.conf.em1.rp_filter = 0
net.ipv4.conf.em2.arp_filter = 0
net.ipv4.conf.em2.rp_filter = 0
net.ipv4.conf.lo.arp_filter = 0
net.ipv4.conf.lo.rp_filter = 0
net.ipv4.conf.tun0.arp_filter = 0
net.ipv4.conf.tun0.rp_filter = 0


root@us1-ps1:~# ping 10.10.0.1
PING 10.10.0.1 (10.10.0.1) 56(84) bytes of data.
64 bytes from 10.10.0.1: icmp_seq=1 ttl=64 time=0.058 ms
64 bytes from 10.10.0.1: icmp_seq=2 ttl=64 time=0.037 ms

The internet is working properly.

root@us1-ps1:~# ping google.com
PING google.com (172.217.0.46) 56(84) bytes of data.
64 bytes from lga15s43-in-f14.1e100.net (172.217.0.46): icmp_seq=1 ttl=51 time=20.3 ms
64 bytes from lga15s43-in-f14.1e100.net (172.217.0.46): icmp_seq=2 ttl=51 time=20.2 ms
64 bytes from lga15s43-in-f14.1e100.net (172.217.0.46): icmp_seq=3 ttl=51 time=20.2 ms
^C
--- google.com ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2002ms
rtt min/avg/max/mdev = 20.216/20.279/20.338/0.171 ms

The default gateway can also be pinged.

Let me know if there is any other information you want me to print.

Thank you

Teun Vink
4_dev

1 Answer


Specify the client-config-dir directive. This is where the RADIUS plugin will put the files that will be used by OpenVPN to assign the IP.

E.g. client-config-dir clients

Catopleba
  • Thanks, it helps. However, now the IP is assigned but I cannot browse anything after connecting to the VPN. Any pointers? – 4_dev Aug 17 '16 at 14:13
  • I added an update to the original question; please see the three options that I added in the section 'Update'. I would really appreciate this help. – 4_dev Aug 18 '16 at 10:25
  • It turns out that the tunnel interface has to be on the same subnet as the clients' subnet. Anyway, this is solved now. Thanks for your help. – 4_dev Aug 26 '16 at 12:57
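The follow-up in the comments (the tunnel interface has to be on the same subnet as the clients) is the root cause of the "IP assigned but nothing routes" symptom: OpenVPN's internal routing learns a pushed Framed-IP-Address, but the kernel only has a route into tun0 for the tun interface's own subnet (10.10.0.0/24 above), so replies to a client holding a public address outside that subnet leave via the default route on em2 instead of the tunnel. The script below is an added example, not code from the thread or from the radiusplugin project. It reproduces the kernel's longest-prefix route lookup over a constructed copy of the posted route table (the redacted public prefix and gateway are replaced with documentation addresses), builds the ifconfig-push line that a client-config-dir file needs for a pushed address (OpenVPN's documented syntax, not the plugin's exact output, which the thread does not show), and reports for each Framed-IP-Address whether return traffic would actually reach tun0. The helper names and the 10.10.0.0/24 server subnet are assumptions.

```python
#!/usr/bin/env python3
"""Check RADIUS Framed-IP-Address values against an OpenVPN tun subnet and the
host routing table.  Added example; not from the original thread or the plugin.
Assumed server setup: tun0 is 10.10.0.1/24 with `topology subnet`."""
import ipaddress

# Constructed route table in `route -n` layout: (destination, gateway, genmask, iface).
# 203.0.113.0/29 and 203.0.113.1 stand in for the redacted public prefix/gateway.
ROUTE_TABLE = [
    ("0.0.0.0", "203.0.113.1", "0.0.0.0", "em2"),         # default route
    ("10.10.0.0", "0.0.0.0", "255.255.255.0", "tun0"),    # OpenVPN tun subnet
    ("203.0.113.0", "0.0.0.0", "255.255.255.248", "em2"), # em2's own prefix
]


def lookup_route(dst, table=ROUTE_TABLE):
    """Return the egress interface the kernel picks for dst (longest prefix wins)."""
    dst = ipaddress.ip_address(dst)
    best = None
    for dest, _gw, mask, iface in table:
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def ccd_entry(framed_ip, server_net, topology="subnet"):
    """Build the client-config-dir line OpenVPN expects for a pushed address.
    With `topology subnet` the second argument is the netmask; with the legacy
    net30/p2p topologies it is the peer (server) address instead."""
    net = ipaddress.ip_network(server_net, strict=False)
    if topology == "subnet":
        return f"ifconfig-push {framed_ip} {net.netmask}"
    server_addr = net.network_address + 1   # assumed: server sits on the first host address
    return f"ifconfig-push {framed_ip} {server_addr}"


def check_framed_ip(framed_ip, server_net, table=ROUTE_TABLE):
    """Report whether return traffic for a pushed client address reaches tun0.
    OpenVPN's internal routing table learns the pushed address, but the kernel
    only routes it into tun0 when it lies inside the tun interface's subnet."""
    ip = ipaddress.ip_address(framed_ip)
    net = ipaddress.ip_network(server_net, strict=False)
    iface = lookup_route(ip, table)
    result = {
        "framed_ip": str(ip),
        "in_tun_subnet": ip in net,
        "return_iface": iface,
        "ccd": ccd_entry(ip, server_net),
    }
    if iface != "tun0":
        # Either move the clients into the tun subnet (the thread's fix) or add a
        # host route so replies enter the tunnel instead of leaving via em2.  The
        # host route also gives strict rp_filter a reverse path through tun0.
        result["fix"] = f"ip route add {ip}/32 dev tun0"
    return result


if __name__ == "__main__":
    for addr in ("10.10.0.5", "198.51.100.7"):   # constructed sample Framed-IP-Address values
        print(check_framed_ip(addr, "10.10.0.0/24"))
```

Running it shows 10.10.0.5 routing back via tun0 with no fix needed, while a public address such as 198.51.100.7 resolves to em2 and is flagged, which is exactly the state the update describes: the address is pushed, the client comes up, and nothing comes back through the tunnel.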