
Re: [Openvpn-users] Anyone using PPTP over openVPN ?


  • Subject: Re: [Openvpn-users] Anyone using PPTP over openVPN ?
  • From: "Jan Mulders" <lastchancehotel@xxxxxxxxx>
  • Date: Wed, 7 Mar 2007 22:04:36 +0000

OpenVPN has a working RADIUS authentication and accounting plugin, written by Ralf Lubben:

http://www.nongnu.org/radiusplugin/

It allows you to authenticate users using auth-user-pass against a RADIUS server, and will send accounting packets describing their time and bandwidth usage. It reauthenticates the user on each rekeying and sends accounting packets according to what Accounting-Interim-Interval (sent by the RADIUS server) dictates.

If you email him about his vendor-supplied-attributes compatible plugin which supports running an external Perl script when the user is authenticated (for iptables rules, for example), I am using it in a limited production environment successfully. It occasionally crashes if it can't contact the RADIUS server, but is otherwise fine. (We're slowly working through the bugs...)

It also supports direct pushing of routes from the plugin itself, so if your RADIUS server sends routes, it'll add them automatically.

Hope this helps,

Jan

On 07/03/07, Jean Baptiste Favre <jean-baptiste.favre@xxxxxxxxxx> wrote:
Hi,

Thibault Le Meur wrote:
> > Hi,
> >
> > I'm looking for replacement of a strongswan/l2tp roadwarrior vpn
> > solution and am thinking about having PPTP (or l2tp) over openVPN.
> >
> > I've noticed equivalent questions in the past but without true return
> > of experience.
> >
> > I need to keep my old solution features (rsa host authentication +
> > password-based user authentication + radius server accounting and IP
> > pool management + iptables rules). Here is what I imagine:
> > * get an ssl tunnel with mutual authentication of the server and the
> > client host (asymmetric crypto authentication)
> > * then run a PPP-over-ip-like protocol (pptp or l2tp) to authenticate
> > the end user against a radius server (password based authentication)
Maybe you could use the --auth-user-pass-verify with a script to perform
authentication against the radius server, couldn't you? There's an
example of such a script, shipped with OpenVPN, which performs PAM
authentication, maybe another can deal with radius.

> > * the radius server will assign an IP address from a pool
> > corresponding to the user profile (several profiles defined) and
> > record accounting data
Since the SSL tunnel is active, OpenVPN already assigned an IP address
to the client. Do you really need the radius server to do the job ?

> > * the vpn server will then enforce different iptables rules to these
> > pre-defined IP addresses pools
> >
> > Is it possible? Is anyone successfully using such a solution?
> > Is there any good doc on such a setup ?
> >
> > Thanks in advance to guide me through my first steps toward a working
> > openVPN test platform.
> >
> > Thibault



_______________________________________________
Openvpn-users mailing list
Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/openvpn-users
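
Added example, not code from this thread or from the radiusplugin project: a script for the --auth-user-pass-verify approach suggested above, sending a RADIUS PAP Access-Request (RFC 2865) and denying the login when the server is unreachable or the reply does not verify. The server address and secret-file path are hypothetical; Message-Authenticator (RFC 3579) and accounting are not implemented.

```python
import hashlib, hmac, os, socket, struct, sys

RADIUS_SERVER = ("192.0.2.10", 1812)          # assumption: documentation address
SECRET_FILE = "/etc/openvpn/radius.secret"    # assumption: hypothetical path, mode 0600
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2

def hide_password(password, secret, authenticator):
    """User-Password hiding from RFC 2865 section 5.2 (MD5 keystream, chained)."""
    if not 0 < len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\0" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out

def build_request(ident, user, password, secret, authenticator):
    # Access-Request carrying User-Name (1) and the hidden User-Password (2)
    pairs = ((1, user), (2, hide_password(password, secret, authenticator)))
    attrs = b"".join(bytes([t, len(v) + 2]) + v for t, v in pairs)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs

def reply_accepts(reply, ident, secret, request_auth):
    """True only for an Access-Accept whose Response Authenticator verifies."""
    length = int.from_bytes(reply[2:4], "big")
    if len(reply) < 20 or reply[1] != ident or not 20 <= length <= len(reply):
        return False
    reply = reply[:length]   # octets past the Length field are padding
    expected = hashlib.md5(reply[:4] + request_auth + reply[20:] + secret).digest()
    return hmac.compare_digest(expected, reply[4:20]) and reply[0] == ACCESS_ACCEPT

def authenticate(user, password, secret, server=RADIUS_SERVER, timeout=3.0):
    ident, auth = os.urandom(1)[0], os.urandom(16)
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(build_request(ident, user, password, secret, auth), server)
            reply = s.recv(4096)
    except OSError:          # timeout or unreachable server: deny, do not crash
        return False
    return reply_accepts(reply, ident, secret, auth)

if __name__ == "__main__":   # via-file: argv[1] holds username (line 1), password (line 2)
    with open(sys.argv[1], "rb") as f:
        user, password = f.read().split(b"\n")[:2]
    with open(SECRET_FILE, "rb") as f:
        secret = f.read().strip()
    sys.exit(0 if authenticate(user, password, secret) else 1)
```

OpenVPN treats exit status 0 as success and anything else as a rejected login, so an unhandled error in the script also denies access. The `via-file` method keeps the password out of the script's environment.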