Comments on: Setting up OpenVPN using radius on FreeBSD http://blog.hongens.nl A systems administrator's diary Wed, 26 Oct 2011 21:58:04 +0000 hourly 1 http://wordpress.org/?v=3.0.5 By: acdmail http://blog.hongens.nl/guides/setting-up-openvpn-using-radius-on-freebsd/comment-page-1/#comment-49347 acdmail Wed, 28 Sep 2011 12:41:57 +0000 http://blog.hongens.nl/?page_id=42#comment-49347 Hi Rain, If you are using OpenVPN with default settings proto: UDP 1194 try to add explicit-exit-notify in in client config, this will assure the client notifies the server as soon as it is disconnecting, otherwise server will disconnect the client a bit later after the default keepalive expires. Hi Rain,
If you are using OpenVPN with default settings proto: UDP 1194 try to add explicit-exit-notify in in client config, this will assure the client notifies the server as soon as it is disconnecting, otherwise server will disconnect the client a bit later after the default keepalive expires.

]]> By: Rain http://blog.hongens.nl/guides/setting-up-openvpn-using-radius-on-freebsd/comment-page-1/#comment-48502 Rain Thu, 25 Aug 2011 14:14:12 +0000 http://blog.hongens.nl/?page_id=42#comment-48502 Hi everyone, I am facing a problem when user disconnected openvpn. I am using openvpn + freeradius on Debian 6.0 to authenticate user. To disable duplicate login(connect) to openvpn server I configure freeradius user parameter "Simultaneous-Use" to 1. I can successfully connect by freeradius. However, I can not reconnect after disconnect. The problem is user are still logged in. So I can not 'duplicate' log in since user login session limited to 1. I found the problem by executing "radwho" after user disconnect. The user should be log off after I disconnect. Is there any one have the same problem? How to fix this? Hi everyone,
I am facing a problem when user disconnected openvpn.
I am using openvpn + freeradius on Debian 6.0 to authenticate user. To disable duplicate login(connect) to openvpn server I configure freeradius user parameter “Simultaneous-Use” to 1. I can successfully connect by freeradius. However, I can not reconnect after disconnect.
The problem is user are still logged in. So I can not ‘duplicate’ log in since user login session limited to 1. I found the problem by executing “radwho” after user disconnect.
The user should be log off after I disconnect.
Is there any one have the same problem? How to fix this?

]]> By: krzee http://blog.hongens.nl/guides/setting-up-openvpn-using-radius-on-freebsd/comment-page-1/#comment-39460 krzee Fri, 21 May 2010 04:43:17 +0000 http://blog.hongens.nl/?page_id=42#comment-39460 a) you only need a bridge when you have a layer2 protocol going over the vpn. If using IP traffic use tun so you have less overhead and layer2 attacks will not work over the vpn. b) 2.1.1 has the windows gui built in, www.openvpn.net/download the .se link is no longer up to date sorry for the doublepost, i had a typo to fix a) you only need a bridge when you have a layer2 protocol going over the vpn. If using IP traffic use tun so you have less overhead and layer2 attacks will not work over the vpn.

b) 2.1.1 has the windows gui built in, http://www.openvpn.net/download
the .se link is no longer up to date

sorry for the doublepost, i had a typo to fix

]]> By: krzee http://blog.hongens.nl/guides/setting-up-openvpn-using-radius-on-freebsd/comment-page-1/#comment-39459 krzee Fri, 21 May 2010 04:42:16 +0000 http://blog.hongens.nl/?page_id=42#comment-39459 a) you only need a bridge when you have a layer2 protocol going over the vpn. If using IP traffic use tun so you have less overhead and layer2 attacks will not work over the vpn. b) 2.1.1 has the windows gui built in, www.openvpn.net/download the .se link is no longer up to date a) you only need a bridge when you have a layer2 protocol going over the vpn. If using IP traffic use tun so you have less overhead and layer2 attacks will not work over the vpn.

b) 2.1.1 has the windows gui built in, http://www.openvpn.net/download
the .se link is no longer up to date

]]> By: vipera http://blog.hongens.nl/guides/setting-up-openvpn-using-radius-on-freebsd/comment-page-1/#comment-33525 vipera Mon, 31 Aug 2009 14:56:23 +0000 http://blog.hongens.nl/?page_id=42#comment-33525 I have got a question, i want to use a script (client-connect & client-disconnet) on DebianEtch but i couldn't find a good script on the Net. Could anyone help me? and show a good script... thx, vipera I have got a question, i want to use a script (client-connect & client-disconnet) on DebianEtch but i couldn’t find a good script on the Net. Could anyone help me? and show a good script…

thx, vipera

]]> By: T. Bailey http://blog.hongens.nl/guides/setting-up-openvpn-using-radius-on-freebsd/comment-page-1/#comment-32893 T. Bailey Tue, 04 Aug 2009 22:20:02 +0000 http://blog.hongens.nl/?page_id=42#comment-32893 Absolutely brilliant. Thanks for taking the time to share this! Absolutely brilliant. Thanks for taking the time to share this!

]]> By: Tom http://blog.hongens.nl/guides/setting-up-openvpn-using-radius-on-freebsd/comment-page-1/#comment-8612 Tom Thu, 10 Apr 2008 21:35:44 +0000 http://blog.hongens.nl/?page_id=42#comment-8612 I found this document very useful, and combine the information in it with the information in the document http://www.mired.org/home/mwm/papers/FreeBSD-OpenVPN-Bridging.html to eventually achieve a working solution. I'm actually not doing radius (yet), but this document was the best I found for the basic setup on wanted in my general situation. I am working with FreeBSD 7.0R, and thought I'd mention one thing which tripped me up. In my case 'tun' did not come 'up' without manual intervention, and I didn't notice it in 'ifconfig -a' for some time. In my case, I made my 'server-up.sh' script read: <code> #!/bin/sh ifconfig bridge0 addm $dev ifconfig $dev up </code> which addressed the problem. I had no need to specify any addresses for anything besides the standard for fxp0 (in my case.) Another thing which caused me confusion was the 'server-bridge' setting. In my case, for the first parameter, I used the internal IP of my router (a different FreeBSD host in my case) which is the standard gateway for all machines in my internal network. I did not need any 'push "route ..."' items in my situation. I found myself wishing for a diagram of Angelo's topology (but also, very happy for what he provided of course!) I also found better luck pushing DNS entries to the TAP-Win32 interface on my XP client test host by adding the directive: <code> push "ip-win32 dynamic" </code> but the jury is still out on how well it really works in practice. I'm just adding these comments early on while things are still fresh in my mind in case others find them helpful. I found this document very useful, and combine the information in it with the information in the document http://www.mired.org/home/mwm/papers/FreeBSD-OpenVPN-Bridging.html to eventually achieve a working solution. I’m actually not doing radius (yet), but this document was the best I found for the basic setup on wanted in my general situation.

I am working with FreeBSD 7.0R, and thought I’d mention one thing which tripped me up. In my case ‘tun’ did not come ‘up’ without manual intervention, and I didn’t notice it in ‘ifconfig -a’ for some time. In my case, I made my ‘server-up.sh’ script read:

#!/bin/sh
ifconfig bridge0 addm $dev
ifconfig $dev up

which addressed the problem. I had no need to specify any addresses for anything besides the standard for fxp0 (in my case.)

Another thing which caused me confusion was the ‘server-bridge’ setting. In my case, for the first parameter, I used the internal IP of my router (a different FreeBSD host in my case) which is the standard gateway for all machines in my internal network. I did not need any ‘push “route …”‘ items in my situation. I found myself wishing for a diagram of Angelo’s topology (but also, very happy for what he provided of course!)

I also found better luck pushing DNS entries to the TAP-Win32 interface on my XP client test host by adding the directive:

push "ip-win32 dynamic"

but the jury is still out on how well it really works in practice. I’m just adding these comments early on while things are still fresh in my mind in case others find them helpful.

]]> By: angelo http://blog.hongens.nl/guides/setting-up-openvpn-using-radius-on-freebsd/comment-page-1/#comment-6833 angelo Wed, 06 Feb 2008 15:35:09 +0000 http://blog.hongens.nl/?page_id=42#comment-6833 Sebastiaan, Regis, you are right, I did not post the client config. Now I added it to the bottom of the post. It's quite default, but the most important line it the 'auth-user-pass', which tells the client it should use username and password authentication instead of certificate based authentication. Sebastiaan, Regis, you are right, I did not post the client config. Now I added it to the bottom of the post.

It’s quite default, but the most important line it the ‘auth-user-pass’, which tells the client it should use username and password authentication instead of certificate based authentication.

]]> By: Sebastiaan http://blog.hongens.nl/guides/setting-up-openvpn-using-radius-on-freebsd/comment-page-1/#comment-6621 Sebastiaan Tue, 29 Jan 2008 02:17:24 +0000 http://blog.hongens.nl/?page_id=42#comment-6621 Any special options in the client.conf file on the client-side? or just the example .conf file? Any special options in the client.conf file on the client-side? or just the example .conf file?

]]> By: Regis A. Despres http://blog.hongens.nl/guides/setting-up-openvpn-using-radius-on-freebsd/comment-page-1/#comment-6072 Regis A. Despres Sun, 23 Dec 2007 11:26:09 +0000 http://blog.hongens.nl/?page_id=42#comment-6072 It would be lovely if you explain your openvpn client conf & package =) It would be lovely if you explain your openvpn client conf & package =)

]]>