I am new to openvpn. I have an openvpn setup on ubuntu 14.04 which has a radius AAA backend for authentication, authorization and accounting. In addition to this, we have configured freeradius to assign ips from a pool as framed-ip-address. From radius logs, it appears that freeradius returns framed-ip-address in response to access-request message when authentication and authorization is successful but openvpn seems to ignore it and uses its own ip pool specified in the server directive. What i want is that openvpn respects framed-ip-address returned by freeradius but it does not. Since i don't have prior experience with openvpn, i would appreciate help from experts.
Here is my openvpn side of configuration which i think has a problem.
OpenVPN configuration:
local 192.168.7.100
mode server
port 443
proto tcp
dev tun
tcp-queue-limit 256
tun-mtu 1500
mssfix 1460
sndbuf 0
rcvbuf 0
cipher AES-256-CBC
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key
dh /etc/openvpn/easy-rsa/keys/dh2048.pem
tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0
plugin /etc/openvpn/rad/radiusplugin.so /etc/openvpn/rad/443.cnf
client-cert-not-required
username-as-common-name
server 10.10.0.0 255.255.0.0
;ifconfig-pool 10.0.0.0 10.1.255.254
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
reneg-sec 0
keepalive 60 120
tcp-nodelay
comp-lzo
persist-key
persist-tun
status /etc/openvpn/443.log 1
status-version 1
verb 4
management 192.168.7.100 7505
Radius Plugin:
NAS-Identifier=openvpn_tcp_443
Service-Type=5
Framed-Protocol=1
NAS-Port-Type=5
NAS-IP-Address=192.168.7.100
OpenVPNConfig=/etc/openvpn/tcp_443.conf
subnet=255.255.255.0
overwriteccfiles=true
nonfatalaccounting=false
server
{
acctport=1813
authport=1812
name=192.168.7.102
retry=1
wait=1
sharedsecret=--redacted--
}
server
{
acctport=1813
authport=1812
name=192.168.7.103
retry=1
wait=1
sharedsecret=--redacted--
}
Thankyou.
======================
Update
I have made the following changes to config.
topology subnet
push "topology subnet"
client-config-dir clients
After adding client-config-dir, the framed-ip-address is being assigned. As mentioned earlier, now from my clients, I cannot browse anything. Seems the traffic cannot be routed properly. There seems to be a routing issue or the topology or something else that i expect openvpn to handle but it does not. Here is the relevant information that can help it understand.
The ip assigned to openvpn client is a public ip whose routing is set on the gateway of the machine. The same client ip works properly when used with strongswan. Which means it is properly routable. But with openvpn, it does not.
relevant output from ifconfig on server machine.
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.10.0.1 P-t-P:10.10.0.1 Mask:255.255.255.0
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
relevant output of route -n
0.0.0.0 --redacted-- 0.0.0.0 UG 0 0 0 em2
10.10.0.0 0.0.0.0 255.255.255.0 U 0 0 0 tun0
--redacted-- 0.0.0.0 255.255.255.248 U 0 0 0 em2
the rp_filter information:
root@us1-ps1:~# sysctl -a | grep rp_filter
net.ipv4.conf.all.arp_filter = 0
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.arp_filter = 0
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.em1.arp_filter = 0
net.ipv4.conf.em1.rp_filter = 0
net.ipv4.conf.em2.arp_filter = 0
net.ipv4.conf.em2.rp_filter = 0
net.ipv4.conf.lo.arp_filter = 0
net.ipv4.conf.lo.rp_filter = 0
net.ipv4.conf.tun0.arp_filter = 0
net.ipv4.conf.tun0.rp_filter = 0
root@us1-ps1:~# ping 10.10.0.1
PING 10.10.0.1 (10.10.0.1) 56(84) bytes of data.
64 bytes from 10.10.0.1: icmp_seq=1 ttl=64 time=0.058 ms
64 bytes from 10.10.0.1: icmp_seq=2 ttl=64 time=0.037 ms
Internet is working properly.
root@us1-ps1:~# ping google.com
PING google.com (172.217.0.46) 56(84) bytes of data.
64 bytes from lga15s43-in-f14.1e100.net (172.217.0.46): icmp_seq=1 ttl=51 time=20.3 ms
64 bytes from lga15s43-in-f14.1e100.net (172.217.0.46): icmp_seq=2 ttl=51 time=20.2 ms
64 bytes from lga15s43-in-f14.1e100.net (172.217.0.46): icmp_seq=3 ttl=51 time=20.2 ms
^C
--- google.com ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2002ms
rtt min/avg/max/mdev = 20.216/20.279/20.338/0.171 ms
default gateway can also be pinged.
let me know if other information you want to print.
Thankyou