How To Configure FreeRadius on pfsense and static assign IP addresses to VPN users

Captions
Remote Authentication Dial-In User Service, or RADIUS, is a networking protocol that operates on port 1812 and has been around since 1991. It provides centralized authentication, authorization and accounting management for users who connect to and use network services. So RADIUS has obviously been around for a little while, and FreeRADIUS is a plugin that can be used within pfSense. Why would you use it? Well, if you want a few more features than just username/password authentication. In this video we're going to do it in two parts: the first part is how to set up FreeRADIUS, which is pretty straightforward, and the next part is how to integrate it into something such as OpenVPN, because you may want to assign specific parameters to a user, like a specific IP address, each time they log in. There are ways to do this with OpenVPN using some config and text files you edit, but with FreeRADIUS as a plugin inside pfSense you can add those specific features and settings and have them pushed right to the user when they log in, all through the pfSense UI.

One thing to note: if you get a very large number of users, this is going beyond the scope, but it's something to note in case you are doing this at a larger scale and you want to use it all inside pfSense with the FreeRADIUS package, you can use MySQL. The reason for this is that the FreeRADIUS implementation in pfSense is not using an entire SQL back end for this, therefore you want something faster, because if you have, let's say, 800 users you want to put in here, it's going to be a little bit slower to pull from the database inside pfSense, which uses an XML file for this, I believe, and saves these users into a flat file essentially, so it's not as fast as a database query. If you have a hundred users, no problem; if you have 800 users you may want to consider going further and using this with SQL.

All right, so let's get started. Go to the Package Manager, Available Packages, and type in "freer". Currently, as of May 2019, it's freeradius3 that we're going to install. Confirm, and that part's pretty pain-free, but as you're going to see, when it installs this it installs FreeRADIUS basically unconfigured. It's very, very basic: the package is loaded but there's no configuration, so what I'm going to walk you through is each step of the configuration.

All right, with the package installed we'll close all these extra tabs we don't need and go to Services > FreeRADIUS. The first thing to set up is going to be the interface, so we have to set up the interface and the listening port. We're just going to use the default ports here. For the purposes of this demonstration we're just going to bind it to all the IP addresses on here, but of course, because of the default firewall rules for external interfaces like the WAN, even though it does bind to all the ports it is not going to be available externally on the WAN and you'd still have to open up the ports, just an FYI in case you're wondering. But you can just leave this at asterisk right here, port 1812, which is the default port for authentication, IPv4, and we can just type "auth port" here for the description. Now, if you wanted to go to non-default ports that's certainly an option; we're just going to go with everything at the default ports, because when you start connecting devices to this and you have things at non-default ports, that could be kind of a headache. The next one we're going to do is 1813, and this is going to be for accounting; that is the default accounting port. For the purposes of setting this up with OpenVPN these are the only things that you need, but I will show, in case you're doing something more, that yes, it does have status, CoA, proxy and some other connection types that you can do. For example, some switches want to monitor a status, or some logging tools, if you have people authenticating with this, can then query for the status of whether that person is in. I think you can do that in captive portal as well, but like I said, for this particular video we're just going to be doing OpenVPN, so there are only two needed ports, and I'm always on the side of caution: I never set up more than needs to be set up unless I'm using those features.

The next thing to do is determine what clients are going to connect to this. Now we have the NAS client; this is specifically about setting up the client, as in what's going to be connecting to it, which is OpenVPN, which is running on this pfSense. So we're going to add it, and we're just going to use 127.0.0.1, localhost, client short name "radserver", so that's set up as radserver here, and the client shared secret. The client short name can be whatever you want; enter a short name for the client, if you didn't know, but you do have to remember the shared secret here, so we'll set something there. All the other defaults are perfectly fine; we don't have to worry about any of these. Now please note, if you were setting this up for external authentication from other devices, you can set up more than one client, so if you have a switch or Wi-Fi or anything using this, not related to this video, this is where you would set those up as well and put the IP addresses for the different things that are going to be connecting.

Now that that's added, we're going to go over to System > User Manager > Authentication Servers and add the authentication server: "radserver", type RADIUS, hostname 127.0.0.1, the NAS IP attribute set to LAN in case you're wondering, and these are the default ports, 1812 and 1813. Like I said, we use defaults, so it just kind of falls in there, then the shared secret that we set, and save. That's pretty much it for getting it set up for authentication. Now we can go and add a user, so we're going to go to FreeRADIUS, add a user, "user1", a password in here, and I'm just going to save it. That's all; there are a lot of other options here obviously, but for the sake of testing here we have the user and we give that user a password. From there we can go to Diagnostics > Authentication and test against our radserver: user1, and it tests successfully, authenticated. That's the only thing you have to do to get the server set up and then verify it's working. So this is, you know, load it, run through, make sure you test that against the authentication server, and you can also do this against the local database, where that user doesn't work. Once you know authentication is working, then you can go in and have the fun.

I've walked through how to do OpenVPN before; it's really the same thing, so I'm not going to go through it in depth, but when you run the wizard you just choose RADIUS and the radserver, or you can add a new RADIUS server and it'll walk you through what I just did again. We go next and "yes" our way into a working VPN, so everything here is fine, the port here, nothing special we have to change, the .70.0/24 network, all these we're just going to leave at default, next, go ahead and add a firewall rule, add the OpenVPN rule. All right, so we now have a VPN set up and ready to work. We're going to export it and get my computer connected to this VPN; let's download "most clients", because Linux works fine with this export. If you didn't know, just to make sure people are clear on this, Package Manager > Available Packages, I could probably update to the latest one here, but it's the OpenVPN client export; we'll update it while I'm sitting here real quick so everyone has an updated package, and it goes really fast. That's done, so we have the OpenVPN export tool; this is what allows me just to download this config file. Matter of fact, we'll go ahead and download this file again: VPN > OpenVPN > Client Export, there's our VPN, download "most clients". All right, now we're going to go ahead and connect to the VPN on this machine.

First, a couple of little details that I want to cover so we know the network layout. I do have a couple of computers connected here, so these two computers, one at .104 and one at .107. Just for clarification, if we look at LAN, this IP address is in the 10 network, and we did bind it to it for authentication purposes here, but it doesn't matter, because what does matter is that this network is configured and set up. We'll go to OpenVPN and we've got to make sure that network's been pushed over here, .0/24, and away we go; you know this network's pushed, so when we connect to this VPN using the user it should work perfectly fine, and we'll connect. All right, so from the command line, and this is obviously if you're doing it in Windows you'd go through the whole Windows installer with OpenVPN, from the command line we'll sudo openvpn and I renamed it freeradius.ovpn, user1, 1password. All right, and I have been assigned 192.168.70.2, and let's go ahead and ping one of those IP addresses, .104 I think was available. The VPN is up and running, and if you look at my computer here you can see this is the tunnel network that's on there and here's the 192.168 network. Now you see I'm not on that network, so it's obviously routing through the VPN; you have to take my word for it if you believe I'm doing some other trickery, but anyway, that works. So now we know I can connect to the VPN. We're going to go up here to the top window and we'll exit out of the VPN and let's go a step further.

So one of the things I talked about was how do you create the rules so that each computer can only talk to a certain thing, or get assigned a very specific IP address, using FreeRADIUS. Over here in FreeRADIUS we're going to go to this user, and before I was given 192.168.70.2; the next user would actually get .3, and so on and so forth. That's the default way OpenVPN assigns addresses. 192.168.70, let's start at 100, so 101: 192.168.70.101, subnet mask of 255.255.255.0. Now you do have to put both or you'll get an error; you can't leave it blank. You don't really have to put the gateway, because the goal of this is only designed to access things on that local network, so you don't have to specify any of that part here. So what we are assigning now is that this user that we just called user1 is going to get this IP address on this connection. We're going to hit save and we're going to add another user at the same time; we'll call this one user2, user2 gets 192.168.70.102, save. Now we can see that this user gets that.

Now before we even bother connecting, I'm going to go over here to the firewall and we'll go over to the rules, as I already know it's going to assign those addresses, but those addresses mean nothing if the rules let them go wherever they want. So we're going to go ahead and delete, delete, and let's add a very specific rule: start with any, and then we'll say single host is 192.168.70.101, and we'll let 101 go wherever they want, so the destination can be wherever they want; 101 has free rein to go wherever. Then we're going to add another rule for 102, and the only destination address I want 102 to have is the .104 machine. So any protocol, but you can restrict this down if you only wanted to have a single port, for example, or any specific thing; we're going to go ahead and allow any protocol, but the only thing, when they get connected, they're allowed to talk to is this resource on the network, and this can be across any network: I have something on the 10 network, it could be on the 192.168.40 network, but user2 gets to the .104 machine. Save. So we can follow this: if you're assigned this IP address, you get here. Apply the changes. So now let's try connecting; we'll try user2 first. user2, and I've been assigned 102. That means I can ping 104, but what if I wanted to ping the gateway? I can't route out. What if I wanted to ping 107? That's another computer on there; doesn't work either. All right, so let's go back up to the top and we'll hit Ctrl-C, just, you know, cancel it, log in again, we'll go user1. It took a second to connect because it thought I was the same connection coming in to the same IP address, so it took a second, but it connects, and now with user1 I'm able to ping 107 and 104 and the gateway, because the user restrictions on this are, you know, go wherever. So this is a way you can create OpenVPN connections using pfSense and FreeRADIUS and then have each user go to a very specific place. We're over here back at the rules to show you, and you can see that this is where you write each rule; you can just copy and carry on, so each user has a rule, and you can put in a description of which user has which.

Now a couple of notes about this, and we're going to go ahead and kind of break something, because this is a problem that I didn't notice at first, but it makes complete sense when I explain why. So we're logged in as user1 with IP address .101 right here. I'm going to go ahead and edit user1 with IP address 101 and we're going to make it 105. I saved it; it took the save, it's 105. So as soon as I log back in it should just go back to 105. We're going to go ahead and go up here and disconnect, reconnect as user1, but I got 101 again. You're probably going, how did that happen? I did it right. So then you get confused and you do it again, you're like, user1, and I got the same IP address again. So what happens is, and we're going to go ahead and fix this by going here: even though I hit Ctrl-C it still thinks user1 is connected, and by default it wants to re-establish a connection if there's a disruption to that connection. So if you change it and the user happened to be logged in when you changed it and still had a connection, which, when you disconnect, there's a delay between the disconnect from the user before it times the connection out here, you use this to kill the connection. When you kill the connection here, or restart, you know, you can actually just restart it and it kills all the connections, so if you make a few user changes you can do that. This is what will force that connection to drop, by killing it here or restarting the OpenVPN service to drop the connections. Now when we reconnect it'll take a second, because the service is going to pause for a second while it re-establishes, but now the user will get the right address. Hey look, I got the 105 address, which, by the way, because I got a different address, if I try to ping anything, because I have the wrong address, I can't get anywhere.

A couple of side notes about this: to my knowledge, and I played around with this trying to break it, to see if one of these users were able to force or change their IP address once assigned, I wasn't able to get that to work. It seems like once it's assigned from the OpenVPN server side you can't just rename your IP address, in case you're wondering from a security standpoint. Now I may be wrong, but I played around with this and tried to force changing my IP address, and it wouldn't connect on the other end if I tried to force any IP information; I couldn't really figure out a way to do that. So I will mention, maybe I'm wrong, please leave a comment if you know a way of a user connecting, but this is one extra layer of security that you can add to OpenVPN. I believe OpenVPN is quite secure and well documented, and the methodology that I did here... we'll actually go to the top just to talk about this part a little bit, because of the file we downloaded, so we'll just look at what's in here. The user would have to have, here are the certificates that are required, so we have the certificate, the TLS key, then they have the username and password, for them to get into your OpenVPN server. So you have those extra pieces, and this is the remote IP; I don't know, there's no way to push a local IP from here into the server, like I was saying. But hopefully this was helpful, and I'll make some future videos on how to use FreeRADIUS for a few other things, including captive portals. It's another way you can do it, so if you are setting up a captive portal screen you can use FreeRADIUS for that, and it does work; I've tested it. I'll do a separate video on captive portals, but if you want to do that, you want to do the FreeRADIUS video first, because one thing to know when you're doing a captive portal with FreeRADIUS: this works for the accounting, where you can set expiration dates, length of time, download/upload time periods, bandwidth and speed settings. That's another feature you can do, so if you're using this to authenticate with it, that'll work.

So I just wanted to get this out there; it's a pretty cool tool to be able to have it all integrated right into the firewall. For a client we helped the other day, they needed a setup like this, because they actually have it set up so they only get to a specific machine and a specific port on a machine for each customer they define inside pfSense via here. So they have a lot of customers logging in, and when the customer logs in they only have access to only and specifically the thing that they were granted access to, right down to the port level they created. So it's definitely a nice secure way to have the encrypted secure layer and then the rule sets that keep people from wandering around the network once they get in. Hopefully this clears it up if you have any questions about that.

All right, thanks for watching. If you like this video give it a thumbs up; if you want to subscribe to this channel to see more content, hit that subscribe button and the bell icon and maybe YouTube will send you a notice when we post. If you want to hire us for a project that you've seen or discussed in this video, head over to lawrencesystems.com where we offer both business IT services and consulting services and are excited to help you with whatever project you want to throw at us. Also, if you want to carry on the discussion further, head over to forums.lawrencesystems.com where we can keep the conversation going, and if you want to help the channel out in other ways we offer affiliate links below which offer discounts for you and a small cut for us that does help fund this channel. Once again, thanks for watching this video and see you next time.
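An added example (not code from the video, pfSense or FreeRADIUS) of the exchange the walkthrough relies on: the NAS side (OpenVPN on pfSense) sends an Access-Request whose User-Password is hidden with the RFC 2865 MD5 stream over the shared secret, and the FreeRADIUS side answers with an Access-Accept carrying Framed-IP-Address and Framed-IP-Netmask, the reply attributes behind the per-user IP address and subnet mask fields, so user1 lands on its static 192.168.70.x address. The shared secret, the user passwords and the addresses are constructed sample values, and both sides run in-process so it works offline.

```python
import hashlib, os, socket, struct

# RFC 2865 packet codes and the attribute types used in the OpenVPN <-> FreeRADIUS exchange.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, FRAMED_IP_ADDRESS, FRAMED_IP_NETMASK = 1, 2, 8, 9

# Constructed sample data (not from the video): NAS shared secret and per-user static IP/netmask.
SHARED_SECRET = b"constructed-shared-secret"
USERS = {"user1": ("1password", "192.168.70.101", "255.255.255.0"),
         "user2": ("2password", "192.168.70.102", "255.255.255.0")}

def password_xor(data, secret, request_auth, decrypt=False):
    """RFC 2865 5.2 User-Password hiding: XOR 16-byte chunks with a chained MD5 stream."""
    padded = data + b"\x00" * (-len(data) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        res = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += res
        prev = padded[i:i + 16] if decrypt else res  # the chain always runs over ciphertext
    return out.rstrip(b"\x00") if decrypt else out

def encode_attrs(attrs):
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def decode_attrs(data):
    attrs, i = {}, 0
    while i < len(data):
        attrs[data[i]] = data[i + 2:i + data[i + 1]]
        i += data[i + 1]
    return attrs

def server_handle(pkt):
    """FreeRADIUS side: verify the credentials, reply with the user's Framed-IP-* attributes."""
    _, ident, length = struct.unpack("!BBH", pkt[:4])
    request_auth, attrs = pkt[4:20], decode_attrs(pkt[20:length])
    entry = USERS.get(attrs[USER_NAME].decode())
    pw = password_xor(attrs[USER_PASSWORD], SHARED_SECRET, request_auth, decrypt=True)
    code, body = ACCESS_REJECT, b""
    if entry and pw == entry[0].encode():
        code, body = ACCESS_ACCEPT, encode_attrs([(FRAMED_IP_ADDRESS, socket.inet_aton(entry[1])),
                                                  (FRAMED_IP_NETMASK, socket.inet_aton(entry[2]))])
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return header + hashlib.md5(header + request_auth + body + SHARED_SECRET).digest() + body

def authenticate(username, password):
    """OpenVPN (NAS) side: send an Access-Request, check the reply, return (accepted, ip, mask)."""
    request_auth = os.urandom(16)
    body = encode_attrs([(USER_NAME, username.encode()),
                         (USER_PASSWORD, password_xor(password.encode(), SHARED_SECRET, request_auth))])
    reply = server_handle(struct.pack("!BBH", ACCESS_REQUEST, 7, 20 + len(body)) + request_auth + body)
    code, _, length = struct.unpack("!BBH", reply[:4])
    if reply[4:20] != hashlib.md5(reply[:4] + request_auth + reply[20:length] + SHARED_SECRET).digest():
        raise ValueError("bad Response Authenticator: wrong shared secret or tampered reply")
    if code != ACCESS_ACCEPT:
        return False, None, None
    attrs = decode_attrs(reply[20:length])
    return True, socket.inet_ntoa(attrs[FRAMED_IP_ADDRESS]), socket.inet_ntoa(attrs[FRAMED_IP_NETMASK])
```

The Response Authenticator check is why the shared secret entered on the NAS client and on the pfSense authentication server must match: a reply built with a different secret fails verification instead of being trusted for the pushed address.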
Info
Channel: Lawrence Systems
Views: 35,856
Keywords: pfsense firewall rules, pfsense freeradius, pfsense freeradius3, pfsense freeradius 3 setup, pfsense freeradius captive portal, pfsense freeradius setup, pfsense, firewall, pfsense freeradius openvpn, vpn, openvpn, tutorial, secure internet, pfsense freeradius mysql
Id: jEK-O3U3gdg
Length: 21min 15sec (1275 seconds)
Published: Fri May 31 2019