1/6/2024 Edgerouter x vpn

This blog post is part of a series on EdgeRouter Lite.
EdgeOS configuration guide for CLI junkies
How to configure EdgeRouter Lite via CLI – Part 1
How to configure EdgeRouter Lite via CLI – Part 2

In my How to configure EdgeRouter Lite via CLI – Part 2 post, there is an L2TP via IPsec section. The commands shown in that blog post work great. However, there are security concerns with that configuration. The remote-access VPN configuration uses a pre-shared secret for machine authentication and user authentication with no two-factor authentication (2FA). In this post, I will demonstrate how to harden remote-access VPN connectivity on EdgeRouter Lite.

User Authentication with 2FA

As mentioned in my how-to configure guide, I prefer L2TP over IPsec, so this post will only cover that. The configuration demonstrated here requires a RADIUS server, such as FreeRADIUS. Check my blog post about it if you want to create your own. If you chose the local Google Authenticator route, there might be a way to tie that in with user authentication. That is, however, out of the scope of this post.

EdgeOS has two L2TP modes for user authentication, local and RADIUS. In my how-to guide, it showed the use of the local account, which is separate from device management. As previously discussed, username and password are no longer considered secure today. That said, we're going to add another factor of authentication to the account.

The first command is to change the user authentication mode to RADIUS.

set vpn l2tp remote-access authentication mode radius

The second command is to point the device to the RADIUS server and enter the key you want to use.

set vpn l2tp remote-access authentication radius-server 192.168.250.250 key supersecretkey

The last command is to change the default protocol from MS-CHAPv2 to PAP. Unfortunately, Google Authenticator will only work with PAP, as far as I know.

set vpn l2tp remote-access authentication require pap

Don't forget to commit and save the configuration.

In my FreeRADIUS blog post, there were only a few lines that needed to be changed or added to the config files. Aside from those modifications, the files were left in the default state. However, when we try to access the VPN, it takes a bit longer than using the local account. In this section, we're going to make some optimizations to speed up the process of authentication.

Related: How to implement Duo Security MFA

I am a FreeRADIUS newbie, so I do not know what all of these lines mean, but I commented them out to speed up the process of authentication. I just looked at the debug output using the sudo freeradius -X command and tried to interpret what it was saying. The lines that included noop, I figured, are not needed for my environment, so I commented them out. Every time I made a change, I tested my VPN to make sure I was still able to log in. If you are currently using or going to use this FreeRADIUS instance for other purposes, then be careful of what you comment out because it may break. Remember, I only use this for remote access VPN and device authentication.

Edit the /etc/freeradius/sites-enabled/default file.

$ sudo vi /etc/freeradius/sites-enabled/default

Find the following and comment them out.

I used to run a pihole on my home network but recently moved to Adguard Home for simplicity. My pihole ran on a separate Raspberry Pi board, but I never liked this solution, keeping the Pi running just to act as a DNS resolver and blocker. Running it this way creates another point of failure: if the Pi goes down, so does access to the internet. I have since moved to Adguard Home and offloaded this task to my Ubiquiti EdgeRouter X. In doing this, I reduce the need for extra hardware and remove a point of failure. If the EdgeRouter goes down, the internet will be down anyway, so it's a non-issue. My setup is probably different than yours, so substitute settings where needed. I am using DHCP for IP assignment (including DNS server assignment) and dnsmasq instead of the default DHCPD daemon (for local hostname resolution on my LAN).
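The `require pap` setting discussed above means the router's L2TP/PPP side forwards the user's password (with Google Authenticator, the password followed by the one-time code) to FreeRADIUS in a RADIUS Access-Request. From the VPN client to the router, L2TP over IPsec encrypts that exchange; on the hop from the router to the RADIUS server, the only protection is the RFC 2865 User-Password obfuscation keyed with the shared key (the `key supersecretkey` value in the configuration). The following is an added example, not code from the original post, EdgeOS or FreeRADIUS: it builds that PAP Access-Request, answers it the way a RADIUS server does, and shows the check the router has to perform on the reply. The secret, the user table, the username and the password+OTP value are constructed placeholders.

```python
"""RFC 2865 PAP exchange between a NAS (the EdgeRouter) and a RADIUS server. Added
example for this post, not the author's or EdgeOS's code; all values are constructed."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def encode_user_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: NUL-pad to 16-octet blocks and XOR each block with MD5(secret +
    previous block), seeded with the Request Authenticator. Only the secret hides it."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padded = password + b"\x00" * ((-len(password)) % 16)
    padded = padded or b"\x00" * 16  # an empty password still occupies one block
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out, prev = out + block, block  # chaining: next block keyed by this ciphertext
    return out


def decode_user_password(cipher: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """The server-side inverse; NUL padding is stripped."""
    if not cipher or len(cipher) % 16:
        raise ValueError("User-Password must be a non-empty multiple of 16 octets")
    out, prev = b"", request_auth
    for i in range(0, len(cipher), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(cipher[i:i + 16], keystream))
        prev = cipher[i:i + 16]
    return out.rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value; Length includes the two header octets."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attributes(attrs: bytes) -> dict:
    parsed, i = {}, 0
    while i < len(attrs):
        t, length = attrs[i], attrs[i + 1]
        if length < 2 or i + length > len(attrs):
            raise ValueError("malformed attribute")
        parsed[t], i = attrs[i + 2:i + length], i + length
    return parsed


def build_access_request(ident, username, password, secret, request_auth) -> bytes:
    """What the NAS sends under 'require pap': User-Name clear, User-Password obfuscated."""
    attrs = (attribute(ATTR_USER_NAME, username)
             + attribute(ATTR_USER_PASSWORD, encode_user_password(password, secret, request_auth)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def server_handle(request: bytes, secret: bytes, users: dict) -> bytes:
    """Stand-in for FreeRADIUS: recover the PAP password, check the user table, and reply
    with Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    if code != ACCESS_REQUEST or length != len(request):
        raise ValueError("not a well-formed Access-Request")
    request_auth, attrs = request[4:20], parse_attributes(request[20:])
    if ATTR_USER_PASSWORD not in attrs:
        raise ValueError("PAP request without User-Password")
    password = decode_user_password(attrs[ATTR_USER_PASSWORD], secret, request_auth)
    ok = hmac.compare_digest(users.get(attrs.get(ATTR_USER_NAME, b""), b"\x00"), password)
    header = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20)
    return header + hashlib.md5(header + request_auth + secret).digest()


def nas_verify_response(response: bytes, request: bytes, secret: bytes) -> bool:
    """What the NAS must check before honouring a reply: matching Identifier and a
    Response Authenticator keyed with the shared secret over this request's Authenticator."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    header, got, attrs = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return hmac.compare_digest(got, expected)


def demo(secret: bytes = b"supersecretkey") -> dict:
    """Round trip with constructed values (in production the password field carries
    the user's password followed by the Google Authenticator code)."""
    users = {b"alice": b"correct-horse-123456"}  # constructed user table
    req = build_access_request(7, b"alice", users[b"alice"], secret, os.urandom(16))
    bad = build_access_request(8, b"alice", b"correct-horse-000000", secret, os.urandom(16))
    forged_hdr = struct.pack("!BBH", ACCESS_ACCEPT, req[1], 20)  # Accept built without the secret
    forged = forged_hdr + hashlib.md5(forged_hdr + req[4:20] + b"guessed-secret").digest()
    accept = server_handle(req, secret, users)
    return {"request_len": len(req), "password_in_clear": users[b"alice"] in req,
            "accept_code": accept[0], "accept_verified": nas_verify_response(accept, req, secret),
            "reject_code": server_handle(bad, secret, users)[0],
            "forged_verified": nas_verify_response(forged, req, secret)}
```

Calling `demo()` shows the three things a defender cares about in this setup: the password never crosses the router-to-RADIUS hop in the clear, a wrong password+OTP gets an Access-Reject, and an Access-Accept produced without the shared key fails the router's Response Authenticator check. Since that MD5-based construction is all that protects the hop, use a long random key rather than a value like `supersecretkey`, and keep the RADIUS server on a network segment you trust.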