A small helper application that makes it possible to authenticate OpenVPN users against a RADIUS server.
This is not an OpenVPN plugin. This is an auth-user-pass-verify script.
A (the?) RADIUS plugin is available at NonGNU.
The plugin is likely to be more powerful; it is also much larger. This script is
targeted toward scenarios where storage space is at a premium. A package feed for
OpenWRT Attitude Adjustment (and eventually newer versions)
might be available at melak/openwrt-feeds.
Include
auth-user-pass-verify /path/to/openvpn_radauth via-env
in openvpn.conf (via-file works too; see the OpenVPN documentation). Set your RADIUS server(s) in radius.conf (in /etc/openvpn/ by default, a different path may be set at compile-time):
auth 192.168.1.10 mekmitasdigoat
openvpn_radauth uses Juniper libradius snatched from FreeBSD; the full radius.conf manual can be found in the FreeBSD Git repository. Only the auth service is used.
There is no way at present to use different RADIUS servers with separate OpenVPN instances (save for building a dedicated openvpn_radauth for each and every one of them). Should there be demand for such a feature, it is possible to implement something to that effect.
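A pre-flight check for the configuration above, as an added example that is not part of openvpn_radauth: OpenVPN only runs a user-defined verify script at script-security 2 or higher and only passes the password via-env at level 3, and radius.conf holds the RADIUS shared secret in clear text. The function names and the audit.sh file name are made up for this example.

```shell
#!/bin/sh
# Added example (not openvpn_radauth code). Hypothetical usage:
#   sh audit.sh /etc/openvpn/openvpn.conf /etc/openvpn/radius.conf

# Print the script-security level the given verify method needs.
required_level() {
    case "$1" in
        via-env)  echo 3 ;;   # password handed over in the environment
        via-file) echo 2 ;;   # password handed over in a temporary file
        *)        return 1 ;;
    esac
}

# check_openvpn_conf FILE
# returns 0 = consistent, 1 = script-security too low,
#         2 = no usable auth-user-pass-verify directive
check_openvpn_conf() {
    # The method is the last word of the directive; the last occurrence wins.
    method=$(awk '$1 == "auth-user-pass-verify" { m = $NF } END { print m }' "$1")
    # OpenVPN defaults to script-security 1 when the directive is absent.
    level=$(awk '$1 == "script-security" { l = $2 } END { print (l == "" ? 1 : l) }' "$1")
    case "$level" in *[!0-9]*) level=1 ;; esac   # assumption: treat junk as the default
    need=$(required_level "$method") || {
        echo "no usable auth-user-pass-verify directive in $1"; return 2; }
    if [ "$level" -lt "$need" ]; then
        echo "$method needs script-security $need, found $level"
        return 1
    fi
    echo "$method with script-security $level: ok"
}

# check_secret_perms FILE
# returns 0 only if FILE carries no group/other permission bits.
check_secret_perms() {
    mode=$(ls -ld "$1" | cut -c5-10)   # group and other columns of the mode string
    [ "$mode" = "------" ] && return 0
    echo "$1 holds the RADIUS shared secret but is open beyond its owner ($mode)"
    return 1
}

if [ "$#" -eq 2 ]; then
    check_openvpn_conf "$1"; conf_rc=$?
    check_secret_perms "$2"; perm_rc=$?
    [ "$conf_rc" -eq 0 ] && [ "$perm_rc" -eq 0 ]
fi
```

If openvpn_radauth runs as an unprivileged user, radius.conf must stay readable by that user, so set the owner accordingly instead of widening the mode.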
Have the AutoTools suite installed. Run autoreconf -ivf, then ./configure --help.
Most of the canned output is junk.
libradius has been slightly modified so that it uses picohash for all its hashing and HMAC'ing needs.
Cross-compilation using the OpenWRT SDK has not been attempted in a long
while. You will likely have to tweak stuff.