CentosFedoraLinux

Simple Guide to a FreeRADIUS VPN Failover Setup

In this tutorial i will show you how to setup a simple FreeRADIUS failover setup for OpenVPN, PPTP, L2TP and Dante, you can’t get any easier !

First lets start with OpenVPN, this is assuming you already have OpenVPN installed and configured to auth from FreeRADIUS..

OpenVPN

Under /etc/openvpn/ you will find the file radiusplugin.cnf, open it and look for the sections that contain below:

server
{
# The UDP port for radius accounting.
acctport=1813
# The UDP port for radius authentication.
authport=1812
# The name or ip address of the radius server.
name=192.168.0.153
# How many times should the plugin send the if there is no response?
retry=1
# How long should the plugin wait for a response?
wait=1
# The shared secret.
sharedsecret=testpw
}

This will be your primary FreeRADIUS server, copy this section and paste below it the same section and just change the details to point to your failover FreeRADIUS server and so on, it will try radius servers in order they are listed, if you use multiple OpenVPN ports with multiple radiusplugin.cnf config files then you need to do the same for all of them. Remember and restart the openvpn service when done.

PPTP + L2TP:

Both PPTP and L2TP (xl2tpd) use the same radiusclient software under /etc/radiusclient/ so this applies to both protocols, once you have PPTP and L2TP installed and configured to auth against FreeRADIUS you should have the directory/etc/radiusclient/ – we need to open up this file /etc/radiusclient/radiusclient.conf and locate the below sections:

authserver 127.0.0.1

# RADIUS server to use for accouting requests. All that I
# said for authserver applies, too.
#
acctserver 127.0.0.1

Once you have your 2/3 FreeRADIUS servers setup we need to modify these 2 lines to look like below:

authserver 123.123.123.123, 123.123.123.124, 123.123.123.125

# RADIUS server to use for accouting requests. All that I
# said for authserver applies, too.
#
acctserver 123.123.123.123, 123.123.123.124, 123.123.123.125

The FreeRADIUS servers in order are as below:

123.123.123.123 = Primary Radius
123.123.123.124 = Failover Radius
123.123.123.125 = Failover Radius

They will also be tried in a round robin fashion, if 123.123.123.123 is DOWN 123.123.123.124 will take over, if 123.123.123.124 is also DOWN 123.123.123.125 will take over, when 123.123.123.123 is back UP this will take over auth again.

Now we need to open up the file /etc/radiusclient/servers and add our radius servers and secrets, we need to list them in order as below:

123.123.123.123 mysecret
123.123.123.124 mysecret
123.123.123.125 mysecret

Now restart both PPTP and L2TP services.

Dante:

Dante is a simple one, open up /etc/raddb/server and list them like below in any order you please:

123.123.123.123 mysecret 6
123.123.123.124 mysecret 6
123.123.123.125 mysecret 6

Kill the dante sockd process and restart for them to take affect.

One Comment

  1. Hi very nice.
    Please create article How to install L2TP/IPSec VPN server in RHEL/Centos 5.4 Linux.
    Thank you so much.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Close
Close