Simple Guide to a FreeRADIUS VPN Failover Setup

In this tutorial I will show you how to set up a simple FreeRADIUS failover configuration for OpenVPN, PPTP, L2TP and Dante. It doesn't get any easier!

First, let's start with OpenVPN. This assumes you already have OpenVPN installed and configured to authenticate against FreeRADIUS.


Under /etc/openvpn/ you will find the file radiusplugin.cnf. Open it and look for the section that contains the lines below:

# The UDP port for radius accounting.
# The UDP port for radius authentication.
# The name or ip address of the radius server.
# How many times should the plugin send the if there is no response?
# How long should the plugin wait for a response?
# The shared secret.

This section defines your primary FreeRADIUS server. Copy the section, paste the copy below it, and change the details to point to your failover FreeRADIUS server; repeat for any further servers. The plugin tries the RADIUS servers in the order they are listed. If you use multiple OpenVPN ports with multiple radiusplugin.cnf config files, you need to do the same in each of them. Remember to restart the openvpn service when done.


Both PPTP and L2TP (xl2tpd) use the same radiusclient software under /etc/radiusclient/, so this applies to both protocols. Once you have PPTP and L2TP installed and configured to authenticate against FreeRADIUS, you should have the directory /etc/radiusclient/. Open the file /etc/radiusclient/radiusclient.conf and locate the sections below:


# RADIUS server to use for accouting requests. All that I
# said for authserver applies, too.

Once you have your 2/3 FreeRADIUS servers set up, modify these 2 lines to look like below:


# RADIUS server to use for accouting requests. All that I
# said for authserver applies, too.

The FreeRADIUS servers in order are as below: = Primary Radius = Failover Radius = Failover Radius

They will also be tried in a round robin fashion, if is DOWN will take over, if is also DOWN will take over, when is back UP this will take over auth again.

Now we need to open up the file /etc/radiusclient/servers and add our radius servers and secrets, we need to list them in order as below: mysecret mysecret mysecret

Now restart both PPTP and L2TP services.
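A failover server listed in radiusclient.conf but missing from /etc/radiusclient/servers only shows up as a problem when the primary is already down, so it is worth cross-checking the two files before restarting. The script below is an added example, not part of the original tutorial; the hostnames, the first secret and the function names are constructed, and it assumes servers are written as host or host:port (on one line or on repeated lines) and matched by exact name in the servers file.

```python
import re

# Constructed sample files; hostnames and the first secret are made up.
SAMPLE_CONF = """\
authserver radius1.example.net:1812 radius2.example.net:1812 radius3.example.net:1812
acctserver radius1.example.net:1813 radius2.example.net:1813
"""
SAMPLE_SERVERS = """\
# server               secret
radius1.example.net    constructed-secret-1
radius2.example.net    mysecret
"""

def parse_conf_servers(conf_text):
    """Return authserver/acctserver hosts in the order they are configured."""
    found = {"authserver": [], "acctserver": []}
    for line in conf_text.splitlines():
        parts = re.split(r"[,\s]+", line.split("#", 1)[0].strip())
        if parts[0] in found:
            # Assumption: entries look like host or host:port (no bare IPv6).
            found[parts[0]] += [p.rsplit(":", 1)[0] for p in parts[1:] if p]
    return found

def parse_secrets(servers_text):
    """Map each server named in the servers file to its shared secret."""
    secrets = {}
    for line in servers_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2:
            secrets[fields[0]] = fields[1]
    return secrets

def check_failover(conf_text, servers_text, placeholder="mysecret"):
    """List problems that would break or weaken failover."""
    servers, secrets = parse_conf_servers(conf_text), parse_secrets(servers_text)
    problems = []
    for key in ("authserver", "acctserver"):
        if len(servers[key]) < 2:
            problems.append(f"{key}: fewer than two servers, no failover")
        for host in servers[key]:
            if host not in secrets:
                problems.append(f"{key}: {host} has no entry in the servers file")
            elif secrets[host] == placeholder:
                problems.append(f"{key}: {host} still uses the placeholder secret")
    return problems

if __name__ == "__main__":
    for problem in check_failover(SAMPLE_CONF, SAMPLE_SERVERS):
        print(problem)
```

To check a real host, pass the contents of /etc/radiusclient/radiusclient.conf and /etc/radiusclient/servers to check_failover() instead of the samples.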


Dante is a simple one, open up /etc/raddb/server and list them like below in any order you please: mysecret 6 mysecret 6 mysecret 6

Kill the Dante sockd process and restart it for the changes to take effect.


One Comment

  1. Hi very nice.
    Please create article How to install L2TP/IPSec VPN server in RHEL/Centos 5.4 Linux.
    Thank you so much.
