In the last few posts, we installed L2TP over IPsec and FreeRADIUS. Today we will show you how to use FreeRADIUS to authenticate L2TP login users. Let’s go.

Server IP : 192.168.0.253
VPN IP range : 192.168.30.2 – 192.168.30.254
VPN Gateway : 192.168.30.1
Network Interface : enp0s3

Install Radius-Server

# Refresh the package lists, then install the build toolchain and supporting
# libraries (the toolchain is used later to compile freeradius-client from
# source) and the FreeRADIUS server with its MySQL backend module.
apt-get update
apt-get install build-essential libauthen-radius-perl libauthen-simple-radius-perl libgcrypt11-dev openssl
apt-get install freeradius freeradius-mysql

# Edit the default virtual server so the authorize/accounting/session/post-auth
# sections use the sql module instead of the files module (snippet below).
vim /etc/freeradius/sites-enabled/default

Comment out “files” and uncomment “sql”, as shown below.

authorize {
# files
    sql
}
authenticate {
}
preacct {
#   files
}
accounting {
 sql
}
session {
 sql
}
post-auth {
 sql
 Post-Auth-Type REJECT {
    # log failed authentications in SQL, too.
    sql
    attr_filter.access_reject
    }
}

# Enable the sql module configuration by uncommenting the $INCLUDE sql.conf line.
vim /etc/freeradius/radiusd.conf

Uncomment this line: $INCLUDE sql.conf


These are the database settings; we will create a MySQL user and database with these same values below.

# Set the MySQL login, password and database name the sql module connects with;
# the MySQL user created below must match these values.
# NOTE(review): the credentials shown are example values, and this file holds
# the DB password in plaintext, so it should stay readable by the freeradius
# service user only.
vim /etc/freeradius/sql.conf

login = "cannon"
password = "cannon123"
radius_db = "radius"

# Set the shared secret RADIUS clients must present; the same value is written
# to /etc/radiusclient/servers later. Use a long random secret in production.
vim /etc/freeradius/clients.conf

Remember this secret; we need it later.

secret = 123cannon

Install Mysql

# Install the MySQL server; -y answers the package confirmation prompt, but the
# installer still asks for the MySQL root password (see next step).
apt-get install mysql-server -y

Enter and confirm the MySQL root password.

After that, create the user and database using the settings above. Note that the GRANT below gives the account full privileges on every database; granting on `radius.*` alone is enough for FreeRADIUS.

mysql -u root -p
mysql> create database radius;
mysql> CREATE USER 'cannon'@'localhost' IDENTIFIED BY 'cannon123';
mysql> GRANT ALL PRIVILEGES ON * . * TO 'cannon'@'localhost';
mysql> flush privileges;
mysql> exit

Load these tables into the database we just created.

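# Load the FreeRADIUS MySQL schema and the NAS table into the "radius" database
# created above; each command prompts for the MySQL root password.
# (The trailing ";" of the original lines was SQL syntax leaked into the shell
# command line; it is a no-op there and has been dropped.)
mysql -u root -p radius < /etc/freeradius/sql/mysql/schema.sql
mysql -u root -p radius < /etc/freeradius/sql/mysql/nas.sql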
mysql -u root -p
mysql> use radius;
mysql> show tables;
+--------------------+
| Tables_in_radius |
+--------------------+
| nas                |
| radacct            |
| radcheck           |
| radgroupcheck      |
| radgroupreply      |
| radpostauth        |
| radreply           |
| radusergroup       |
+--------------------+
8 rows in set (0.00 sec)

L2TP Install

# Install the L2TP daemon (xl2tpd), pppd and strongSwan for the IPsec layer.
apt-get update
apt-get install xl2tpd ppp strongswan

Download the freeradius-client from GitHub.

# Build and install freeradius-client from source; its configuration under
# /etc/radiusclient is edited in the following steps (presumably consumed by
# pppd's radius.so plugin referenced in /etc/ppp/options.xl2tpd — verify).
cd /opt/
# NOTE(review): this fetches the unpinned master branch; pin a release tag or
# verify the archive's checksum for a reproducible, reviewable build.
wget https://github.com/FreeRADIUS/freeradius-client/archive/master.zip
unzip master.zip
mv freeradius-client-master freeradius-client
cd freeradius-client/
# --prefix=/ installs directly under / rather than /usr/local.
./configure --prefix=/
make && make install

Add the following lines in the /etc/sysctl.conf file to enable forwarding on the Linux machine.

# Enable IPv4 forwarding and adjust the related network sysctls (listed below)
# so the host can route traffic for VPN clients.
vim /etc/sysctl.conf

net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.icmp_ignore_bogus_error_responses = 1

Run the following command to apply changes.

# Apply the settings from /etc/sysctl.conf immediately.
sysctl -p

Remember the secret?

# Map the RADIUS server to its shared secret (one "<server> <secret>" per line);
# the secret must match the one set in /etc/freeradius/clients.conf.
vim /etc/radiusclient/servers

localhost 123cannon

# Point the radius client at the local FreeRADIUS server (authserver and
# acctserver = localhost) and at the servers/dictionary files in /etc/radiusclient.
vim /etc/radiusclient/radiusclient.conf

auth_order    radius,local
login_tries    4
login_timeout    60
nologin /etc/nologin
issue    /etc/radiusclient/issue
seqfile /var/run/freeradius/freeradius.pid
authserver     localhost
acctserver     localhost
servers        /etc/radiusclient/servers
dictionary     /etc/radiusclient/dictionary
login_radius    /sbin/login.radius
mapfile        /etc/radiusclient/port-id-map
default_realm
radius_timeout    10
radius_retries    3
bindaddr *
login_local    /bin/login

 

The following IPv6-related lines in the /etc/radiusclient/dictionary file should be commented out so that the radius client can run.

#ATTRIBUTE      NAS-IPv6-Address        95      string
#ATTRIBUTE      Framed-Interface-Id     96      string
#ATTRIBUTE      Framed-IPv6-Prefix      97      ipv6prefix
#ATTRIBUTE      Login-IPv6-Host         98      string
#ATTRIBUTE      Framed-IPv6-Route       99      string
#ATTRIBUTE      Framed-IPv6-Pool        100     string
#ATTRIBUTE      Framed-IPv6-Address     168     ipv6addr
#ATTRIBUTE      DNS-Server-IPv6-Address 169     ipv6addr
#ATTRIBUTE      Route-IPv6-Information  170     ipv6prefix

# NOTE(review): pptpd is not installed by any step above, so this file only
# exists if the pptpd package is already present; the L2TP setup below appears
# not to depend on it.
vim /etc/pptpd.conf

localip 192.168.0.1
remoteip 192.168.0.2-254

# NOTE(review): pptpd-specific, see the note on /etc/pptpd.conf above. The
# plugin paths below embed a pppd version (2.4.7) and must match the pppd
# actually installed, otherwise pppd fails to load them.
vim /etc/ppp/pptpd-options

ms-dns 208.67.222.222
ms-dns 208.67.220.220
plugin /usr/lib/pppd/2.4.7/radius.so
plugin /usr/lib/pppd/2.4.7/radattr.so

# Define the L2TP server: client pool 192.168.30.2-192.168.30.254, local ip
# 192.168.30.1, PAP refused, authentication required, pppd options taken from
# /etc/ppp/options.xl2tpd.
vim /etc/xl2tpd/xl2tpd.conf

[global]
ipsec saref = yes
saref refinfo = 30
;debug avp = yes
;debug network = yes
;debug state = yes
;debug tunnel = yes
[lns default]
ip range = 192.168.30.2-192.168.30.254
local ip = 192.168.30.1
refuse pap = yes
require authentication = yes
;ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes

# Set the IPsec pre-shared key for 192.168.0.253 <-> any peer.
# NOTE(review): "private" below is an example value; use a long random string
# and keep this file readable only by root.
vim /etc/ipsec.secrets

192.168.0.253 %any : PSK "private"

# Transport-mode IPsec connection protecting L2TP (UDP 1701), PSK authenticated.
# NOTE(review): the ike= proposal list below still offers 3des-sha1; drop it
# unless a legacy client actually requires it.
vim /etc/ipsec.conf

conn L2TP-PSK-noNAT
    dpdaction=clear
    authby=secret
    auto=add
    keyingtries=3
    ikelifetime=8h
    keylife=1h
    ike=aes256-sha1,aes128-sha1,3des-sha1
    type=transport
    left=192.168.0.253
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any

# pppd options for L2TP sessions. refuse-mschap/-v2 here together with
# "refuse pap" in xl2tpd.conf presumably leave CHAP as the PPP auth method —
# verify against the clients you expect. radius.so/radattr.so are versioned
# paths (2.4.7) and must match the installed pppd.
vim /etc/ppp/options.xl2tpd

logfd 2
logfile /var/log/l2tp.log
refuse-mschap-v2
refuse-mschap
ms-dns 208.67.222.222
ms-dns 208.67.220.220
asyncmap 0
auth
crtscts
idle 1800
mtu 1200
mru 1200
lock
hide-password
local
#debug
name l2tpd
proxyarp
lcp-echo-interval 30
lcp-echo-failure 4
plugin /usr/lib/pppd/2.4.7/radius.so
plugin /usr/lib/pppd/2.4.7/radattr.so

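# Restart the services so the configuration changes above take effect.
service mysql restart

service freeradius restart

service xl2tpd restart

# Fixed typo: "retart" -> "restart".
# NOTE(review): pptpd is not installed by the steps above; skip this line if
# the pptpd package is not present.
service pptpd restart

ipsec restart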

IPTABLES Rules

# Allow IKE (UDP 500) and NAT-T (UDP 4500) in.
iptables -I INPUT -p udp --dport 500 -j ACCEPT
iptables -I INPUT -p udp --dport 4500 -j ACCEPT
# Accept L2TP (UDP 1701) only when it arrives under an IPsec policy, so bare
# unencrypted L2TP is not exposed.
iptables -I INPUT -p udp -m policy --dir in --pol ipsec -m udp --dport 1701 -j ACCEPT
# Source-NAT forwarded traffic leaving enp0s3 to the server address.
# NOTE(review): there is no -s match, so every forwarded packet leaving enp0s3
# is rewritten, not only the 192.168.30.0/24 VPN pool; add -s 192.168.30.0/24
# if that is not intended. These rules are not persisted across reboots by
# this snippet.
iptables -t nat -A POSTROUTING -j SNAT --to-source 192.168.0.253 -o enp0s3

Add User

mysql -u root -p

mysql>use radius;

mysql> INSERT INTO radcheck (username, attribute, op, value) VALUES ('testing','User-Password',':=','123123');

Connect from a device. As an example, on an Android phone go to Settings -> Wireless options -> VPN -> Add a new VPN -> choose VPN type L2TP/IPSec PSK -> enter your server IP and the PSK -> enter your account and password -> connect.
