Remote Authentication Dial-In User Service, or RADIUS, is a networking protocol that operates on port 1812 and has been around since 1991. It provides centralized authentication, authorization, and accounting management to users who connect and use network services. So RADIUS has obviously been around for a little while, and FreeRADIUS is a plugin that can be used within pfSense. And why would you use it? Well, if you want a few more features than just username and password authentication. And in this video, we're gonna do it in two parts. The first part is how do I set up FreeRADIUS? Pretty straightforward. And then the next part is how do you integrate it into something such as OpenVPN? Because you may want to assign specific parameters to a user, like a specific IP address each time they log in. And there are ways to do this with OpenVPN using some config and text files you edit. But with FreeRADIUS as a plugin inside of pfSense, you can add them, add those specific features and settings, and have them pushed right to the user when they log in, all through the UI in pfSense. One thing to note: if you get a very large number of users, this is going beyond the scope, but it's something to note in case you are doing this at larger scale and you wanna use it all inside of pfSense with the FreeRADIUS package, you can use MySQL. Now, the reason for this is the FreeRADIUS implementation in pfSense is not using an entire SQL backend for this. Therefore, you want something faster, because if you have, let's say, 800 users you wanna put in here, it's gonna be a little bit slower to pull from the database inside of pfSense, which uses an XML file, I believe, for this. And it saves these users into a flat file, essentially. So it's not as fast as a database query. So if you have 100 users, no problem. If you have 800 users, you may wanna consider going further and using this inside of SQL. All right, so let's get started.
You go to the Package Manager, Available Packages, and type in "freer". And currently, as of May 2019 here, it's FreeRADIUS 3 that we're gonna install. And confirm. That part's pretty pain-free. But as you're gonna see, when it installs this, it installs FreeRADIUS basically unconfigured. It's very, very basic. It's just like the package is loaded, but there's no configuration. So that's what I'm gonna walk you through: each step of the configuration. All right, with the package installed, we'll close all these extra tabs we don't need and go to Services, FreeRADIUS. First thing to set up is gonna be the interface. So we have to set up the interface and the listening ports. And we're just gonna use the default ports here. So for purposes of this demonstration, we're just gonna bind it to all the IP addresses on here, but of course, by default, the firewall rules for external, like the WAN, even though it does bind to all the ports, it is not going to be available externally to the WAN. You'd still have to open up the ports, just an FYI in case you're wondering, but you can just leave this at asterisk right here, port 1812, which is the default port for authentication, IPv4, and we can just type "auth port" here. And have it set up. You can see if you wanted to go with non-default ports, that's certainly an option. We're just gonna go with everything at the default ports, because when you start connecting devices to this and you have things at non-default ports, well, that can be kind of a headache. Next port we're gonna do is 1813, and this is gonna be for accounting. That is the default accounting port. We'll just put "ACCT" here. And for the purposes of setting this up with a VPN, an OpenVPN, these are the only things that you need and require, but I will show in case you're doing something more. Yes, it does have status, CoA, proxy, detail, like some other detailed connection information that you could do.
For example, some switches wanna monitor a status, or some logging tools if you have people authenticating with this, and it can then query for the status of whether that person's in there. I think you can do that in captive portal as well if we do that. But like I said, for this particular video, we're just gonna be doing OpenVPN with only the two needed ports. And I'm always on the side of caution. I never set up more than needs to be set up unless I'm using those features. The next thing to do is determine what clients are gonna connect to this. Now we have to set up the NAS client. Now this is specifically about setting up the client, as in what's gonna be connecting to it, as in OpenVPN, which is running on this pfSense. So we're gonna add it, and we're just gonna use 127.0.0.1, localhost; client short name, "radserver". So that's set up as radserver here; client shared secret. And the client short name actually can be whatever you want. So enter a short name for the client if you didn't know, but you do have to remember the shared secret here. So we'll set something there. All the other defaults are perfectly fine. We don't have to worry about any of these. Now, please note, if you were setting this up for other external authentication under devices, this is where you can set up more than one client. So if you have a switch or a Wi-Fi authenticating against this, not related to this video, but this is where you would set those up as well and put the IP addresses for the different things that are gonna be connecting. So now that that's added, we're gonna go over here to System, User Manager, Authentication Servers, and add the authentication server. "radserver", RADIUS, default status, CHAP, 127.0.0.1. Attribute it to things connecting to LAN, in case you're wondering. And these are the default ports, 1812, 1813. So like I said, we used defaults. It just kind of falls in there. Enter the shared secret that we did, and save. And that's pretty much it for getting it set up for authentication.
Now we can go in and add a user. So we're gonna go over here to FreeRADIUS, add a user, "user1", put a password in here. And I'm just gonna save it, since there's a lot of other options here, obviously, but for the sake of testing here, we're gonna go over to Users and we give that user a password. And from there, we can go to Diagnostics, Authentication, authenticate against our radserver, user1, and test: successfully authenticated. That's the only thing you have to do to get the server set up and then verify it's working. So this is, you know, load it, run through, make sure you test on the authentication server. And you can also do this, like test against the local database. Well, that user doesn't work. So once you know authentication is working, then you can go in and have the fun. So I'm gonna go ahead, and I've walked through how to do OpenVPN. It's really the same thing. So I'm not gonna go through in depth on this, but when you run the wizard, you just choose RADIUS and the radserver, or you can add a new RADIUS server and it'll walk you through what I just did again. And we're gonna "Next, yes" our way into a working VPN. So everything here is fine. Port here, nothing special we have to change. It's 70.0/24. All these we're just gonna leave at default. Next, go ahead and add a firewall rule, add an OpenVPN rule. All right, so we now have a VPN set up and ready to work. We're gonna export it and we're gonna get my computer connected to this VPN. I'll just download "Most Clients" because I'm running Linux, and Linux works fine with this export. And if you didn't know, just to make sure people are clear on this, Package Manager, Available Packages, and Installed Packages, I mean, I could probably update to the latest one here, but it's OpenVPN Client Export. We'll update it while I'm sitting here real quick. Make sure everyone has an updated package, and it goes really fast. That's done. So we have the OpenVPN export tool.
This is what allows me just to download this config file. As a matter of fact, we'll go ahead and download this file again. So VPN, OpenVPN, Client Export. There's our VPN; download Most Clients. All right, now we're gonna go ahead and connect to the VPN on this machine. Now, first a couple little details that I wanna cover, so we know the network layout. I do have a couple computers connected here. So these two computers, one at .104 and one at .107. So yes, you've seen .40. That's actually just for clarification. If we look at LAN 2, this IP address is in the 10 network, and we did bind it for authentication purposes here. But it doesn't matter, because what does matter is that this network is configured and set up. We will go to OpenVPN and we gotta make sure that network's been pushed over here, .0/24. And away we go; we know this network's pushed. So when we connect to this VPN using the user, it should work perfectly fine and we'll connect. All right, so from the command line (this is obviously if you're doing it in Windows, you'd go through the whole Windows installer with OpenVPN), from the command line we'll sudo openvpn, and I renamed it freerad.ovpn. user1, password. All right, and I have been assigned 192.168.70.2. And let's go ahead and ping one of those IP addresses. 10.104, I think, was available. VPN is up and running. And if you look at my computer here, you can see this is the tunnel network that's on there. And here's the 192.168 network. You see I'm not on that network, so it's obviously routing through the VPN. You'll have to take my word for it if you believe I'm doing some other trickery. But anyways, that works. So now we know I can connect to the VPN. So we're gonna go up here to the top window and we'll exit out of the VPN. And let's go a step further.
So one of the things I talked about was how do you create the rules so that each computer can only talk to a certain thing, or get assigned a very specific IP address using FreeRADIUS. So go over here. Go to FreeRADIUS. We're gonna go over to this user. And before, I was given 192.168.70.2; the next user would have got 70.3, and so on and so forth. That's the default way OpenVPN assigns addresses. 192.168.70: let's start at 100. So 101. So 100, 192.168.70.101. Subnet mask of 255.255.255.0. Now you do have to put both or you'll get an error. You can't leave a blank. You don't really have to put the gateway, because the goal of this is only to be designed to access things on that local network. So you don't have to specify any of that part here. So what we are assigning now is that this user that we just called user1 is going to get this IP address for this connection. So we're gonna hit save. And we're gonna add another user at the same time. We'll call this one user2. user2 gets 192.168.70.102; save. And now we can see that this user gets that. Now before we even bother connecting, I'm gonna go over here to the firewall and we'll go over to the rules, 'cause I already know it's gonna assign those addresses, but those addresses mean nothing if the rules let them go wherever they want. So we're gonna go ahead and delete, delete. And let's add a very specific rule. Start with any, and then we'll say single host is 192.168.70.101. And we'll let 101 go wherever they want. So destination can be wherever they want. So 101 has free rein, go wherever. Then we're gonna add another user. Actually, we'll just copy the rule. And 102, the only destination address I want 102 to have is 10.104. So any protocol, but you could restrict this down if you only wanted to have a single port, for example, or any specific thing.
But we're gonna go ahead and allow any protocol, but the only thing when they get connected they're allowed to talk to is this resource on the network. And this can be across any network. I have something on the 10 network. It could be on the 192.168.40 network. But this is user2 gets to the .104 machine. Save. So we can follow this: if you're assigned this IP address, you get here. We're gonna apply the changes. So now let's try connecting as, we'll try user2 first. user2, and I've been assigned .102. That means I can ping .104. But what if I wanted to ping the gateway? Can't do it, so I can't route out. What if I wanted to ping .107? That's one of our computers on there. That didn't work either. All right, so let's go back up to the top and we'll hit Ctrl-C, just cancel it, log in again. We'll go user1. Took a second to connect because it thought I was the same connection coming in, because I couldn't see my IP address, so it took a second, but it connects, and now with user1 I'm able to ping .107 and .104. And the gateway, because the user restrictions on this are go wherever. So this is a way you can create OpenVPN connections using pfSense and FreeRADIUS and then have each user go to a very specific place. So we'll go here back to the rules to show you, and you can see that this is where you write each rule, and you can just copy and carry on so each user has each rule, and you can put in a description of which user has which. Now a couple notes about this, and we're gonna go ahead and kind of sort of break something, because this is a problem that I didn't notice at first, but it makes complete sense when I explain why. So we're logged in as the user with IP address 101 right here, and so we're gonna go ahead and edit user1 with IP address 101 and we're gonna make it 105. So I saved it, it took the save, it's 105. So as soon as I log back in it should just go back to 105. So we're gonna go ahead and go up here and disconnect user1, but I got 101 again.
You're probably going, how did that happen? I did it right. So then you get confused and you do it again. You're like, user1, and I got the same IP address again. So what happens is, and we're gonna go ahead and fix this by going here: even though I hit Ctrl-C, it still thinks 101's connected, and by default it wants to re-establish a connection if there's a disruption to that connection. So if you change it and the user happened to be logged in when you changed it and still had a connection, which when you disconnect there's a delay between the disconnect from the user before it times the connection out here, you just have to kill the connection. And when you kill the connection here or restart, you can actually just restart and it kills all the connections. So if you make a few user changes you can do that. This is what will force that connection to drop, by killing it here or restarting the OpenVPN service, and drop the connections. Now when we reconnect it'll take a second because I just restarted the service, and it's gonna pause for a second while it re-establishes, but now the user will get the right address. And hey, look, I got the 105 address, which, by the way, because I got a different address, if I try to ping anything, because I have the wrong address, I can't get anywhere. Couple side notes about this. There's not, to any of my knowledge, and I played around with this trying to break it to see if one of these users were able to force or change their IP address once assigned, I wasn't able to get that to work. It seems like once it's assigned from the OpenVPN service side you can't just rename your IP address, in case you're wondering from a security standpoint. Now I may be wrong, but I played around with this and tried to force changing my IP address, and it wouldn't connect on the other end if I tried to force any IP information.
I couldn't really figure out a way to do that, so I will mention maybe I'm wrong; please leave a comment if you know a way of a user connecting, but this is one extra layer of security that you can add to OpenVPN. OpenVPN is quite secure, well documented, and the methodology that I did here, and we'll actually go to the top just to talk about this part a little bit. Because of the file we downloaded, so we'll just look at what's in here. The user would have to have, here's the certificates that are required, so we have the certificate, the TLS key, then have the username and password for this attack for them to get into your OpenVPN server, so you have those extra pieces, and this is the remote IP that I know if there's no way to push a local IP from here and push it into the server like I was saying. But hopefully this was helpful, and I may do some future videos on how to use FreeRADIUS for a few other things, including captive portals, is another way you can do it, so if you are setting up a captive portal screen you can use FreeRADIUS for that and it does work; I've tested it, so I'm gonna do a separate video on captive portals, but I didn't wanna do the FreeRADIUS video first because, one thing to note when you're doing a captive portal or FreeRADIUS, this works for the accounting where you can set expiration dates, length of time, download, upload, time periods, bandwidth and speed settings; that's another feature you can do, so if you're using this to authenticate with, that'll work.
So I just wanna get this out there; it's a pretty cool tool to be able to have it all integrated right into the firewall. And for a user that we just helped the other day, or a client we helped the other day, they needed to set this up, because they actually have it set up so they only get to a specific machine and a specific port on a machine for each customer they define inside pfSense via here. So they have a lot of customers logging in; when the customer logs in they only have access to only and specifically the thing that they were granted access to, right down to the port level they created. So it's definitely a nice secure way to have the encrypted security layer and then the rule sets that keep people from wandering around the network once they get in, and hopefully this clears up if you have any questions about that. All right, thanks. Thanks for watching. If you liked this video, give it a thumbs up; if you wanna subscribe to this channel to see more content, hit that subscribe button and the bell icon and maybe YouTube will send you a notice when we post. If you wanna hire us for a project that you've seen or discussed in this video, head over to LawrenceSystems.com where we offer both business IT services and consulting services and are excited to help you with whatever project you wanna throw at us. Also, if you wanna carry on the discussion further, head over to forums.lawrencesystems.com where we can keep the conversation going, and if you wanna help the channel out in other ways we offer affiliate links below which offer discounts for you and a small cut for us that does help fund this channel. And once again, thanks again for watching this video and see you next time.
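As an added example (not code from the video or from pfSense), here is a small Python model of the per-user setup walked through above: it parses FreeRADIUS users-file entries carrying the Framed-IP-Address / Framed-IP-Netmask pair that the pfSense package writes for a user, applies the "both must be set or you get an error" rule mentioned in the video, and evaluates the per-source firewall rules. The passwords, the rule list and the 10.0.0.104 host address are constructed placeholders.

```python
import ipaddress
import re

# Constructed sample in FreeRADIUS "users" file syntax: the two users from the
# walkthrough. Passwords are placeholders, not real credentials.
USERS_FILE = '''\
user1 Cleartext-Password := "placeholder-pw1"
        Framed-IP-Address = 192.168.70.101,
        Framed-IP-Netmask = 255.255.255.0
user2 Cleartext-Password := "placeholder-pw2"
        Framed-IP-Address = 192.168.70.102,
        Framed-IP-Netmask = 255.255.255.0
'''

# Constructed OpenVPN-interface rules: (source host, destination host or "any").
# 10.0.0.104 is a placeholder for the ".104 machine on the 10 network".
RULES = [("192.168.70.101", "any"), ("192.168.70.102", "10.0.0.104")]

REPLY_ITEM = re.compile(r"^\s+([\w-]+)\s*=\s*([^,]+),?\s*$")

def parse_users(text):
    """Parse users-file entries into {username: {reply attribute: value}}.
    A line in column 0 opens an entry (name + check items); indented lines
    are that user's reply items."""
    users, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():
            current = users.setdefault(line.split()[0], {})
        elif current is not None:
            m = REPLY_ITEM.match(line)
            if m:
                current[m.group(1)] = m.group(2).strip()
    return users

def framed_ip_error(attrs):
    """None when the Framed-IP pair is usable, else the reason. Mirrors the
    rule in the video: address and netmask must be set together and valid."""
    ip, mask = attrs.get("Framed-IP-Address"), attrs.get("Framed-IP-Netmask")
    if bool(ip) != bool(mask):
        return "Framed-IP-Address and Framed-IP-Netmask must both be set"
    if ip:
        try:
            ipaddress.IPv4Interface(f"{ip}/{mask}")
        except ValueError as exc:
            return str(exc)
    return None

def allowed(users, rules, username, destination):
    """True when a rule for the user's assigned address permits the destination."""
    source = users.get(username, {}).get("Framed-IP-Address")
    return any(s == source and d in ("any", destination) for s, d in rules)
```

Remember the caveat from the video when editing an address: an already-connected session keeps its old Framed-IP-Address until the OpenVPN connection is killed or the service restarted, so the rule evaluation only matches reality once the user reconnects.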