Platform: Banana Pi M1 Development Board (dual-core ARM Cortex-A7)
Operating System: Raspbian (2016-07-13-raspbian-jessie-bpi-m1-m1p-r1.img)
Aim:
Provide a SoftEther VPN service to protect data transfers in public WLANs;
Provide a DaloRADIUS service to enhance the security of WLAN authentication.
Contents
Part0 : Preparing
Prepare the OS
First download the OS image, burn it to an SD card and boot the OS. Then use raspi-config to expand the file system.
Prepare proxychains-ng to accelerate software downloading
Proxychains-ng is a UNIX program that hooks the network-related libc functions of dynamically linked programs via a preloaded DLL, which gives more flexible proxy settings than the system environment variables.
1. download, build and install the source code:
git clone https://github.com/rofl0r/proxychains-ng
cd proxychains-ng
./configure --prefix=/usr/local --sysconfdir=/etc
make && make install
make install-config
2. configure proxychains-ng:
Proxychains-ng uses proxychains.conf as its default config file (installed to /etc/proxychains.conf by make install-config above).
We can easily add servers to [ProxyList]:
vi /etc/proxychains.conf
[ProxyList]
socks5 127.0.0.1 1086
http 127.0.0.1 1080
3. use proxychains-ng:
proxychains-ng uses the following syntax:
proxychains4 [program] [parameter]
Setting a static IP:
The M1 should listen on a static IP address in your local network.
We can modify /etc/dhcpcd.conf:
interface eth0
static ip_address=192.168.0.10/24
static routers=192.168.0.1
static domain_name_servers=192.168.0.1
Reboot the system after saving.
Part1 : Compile SoftEther:
1. install the compiler:
apt install -y build-essential
2. configure the firewall (optional):
If you want to use a firewall, you can create a shell script (setfirewall.sh):
#!/bin/bash
# Flush all rules and delete all user-defined chains in every table
iptables -F
iptables -X
iptables -F -t mangle
iptables -t mangle -X
iptables -F -t nat
iptables -t nat -X
# Set default chain policies
iptables -P INPUT DROP
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
# Accept on localhost
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Allow established sessions to receive traffic
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Permit ICMP Echo (OPTIONAL)
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
# Accept incoming SSH
iptables -I INPUT -p tcp --dport 22 -j ACCEPT
# SoftEther: 443/992 listeners, 500/4500 for IPsec IKE and NAT-T
iptables -I INPUT -p udp --dport 443 -j ACCEPT
iptables -I INPUT -p tcp --dport 443 -j ACCEPT
iptables -I INPUT -p udp --dport 992 -j ACCEPT
iptables -I INPUT -p tcp --dport 992 -j ACCEPT
iptables -I INPUT -p udp --dport 500 -j ACCEPT
iptables -I INPUT -p udp --dport 4500 -j ACCEPT
# Radius: 1812 authentication, 1813 accounting
iptables -I INPUT -p udp --dport 1812 -j ACCEPT
iptables -I INPUT -p udp --dport 1813 -j ACCEPT
# Save changes (the rules.v4 path is used by the iptables-persistent package)
iptables-save > /etc/iptables/rules.v4
# Service
service iptables restart
service iptables status
Set the executable permission with chmod +x setfirewall.sh, then run ./setfirewall.sh. Review the result with iptables -L -n -v.
3. download the source code:
curl -O http://www.softether-download.com/files/softether/v4.25-9656-rtm-2018.01.15-tree/Linux/SoftEther_VPN_Server/32bit_-_ARM_EABI/softether-vpnserver-v4.25-9656-rtm-2018.01.15-linux-arm_eabi-32bit.tar.gz
4. decompress the source code:
Decompress the downloaded archive to /usr/local/; this operation requires root.
tar xzvf softether-vpnserver-v4.25-9656-rtm-2018.01.15-linux-arm_eabi-32bit.tar.gz -C /usr/local/
vpnserver/
vpnserver/Makefile
vpnserver/.install.sh
vpnserver/ReadMeFirst_License.txt
vpnserver/Authors.txt
vpnserver/ReadMeFirst_Important_Notices_ja.txt
vpnserver/ReadMeFirst_Important_Notices_en.txt
vpnserver/ReadMeFirst_Important_Notices_cn.txt
vpnserver/code/
vpnserver/code/vpnserver.a
vpnserver/code/vpncmd.a
vpnserver/lib/
vpnserver/lib/libcharset.a
vpnserver/lib/libcrypto.a
vpnserver/lib/libedit.a
vpnserver/lib/libiconv.a
vpnserver/lib/libintelaes.a
vpnserver/lib/libncurses.a
vpnserver/lib/libssl.a
vpnserver/lib/libz.a
vpnserver/lib/License.txt
vpnserver/hamcore.se2
5. compile:
cd /usr/local/vpnserver
make
After make finishes, vpnserver and vpncmd are in this folder.
6. set permissions:
Update the file permissions so that only root can read the configuration and run the binaries:
chown -R root:root /usr/local/vpnserver
cd /usr/local/vpnserver/
chmod -R 600 *
chmod 700 vpncmd
chmod 700 vpnserver
7. create a systemd unit:
Create a systemd unit to auto-start/stop SoftEther:
vi /etc/systemd/system/softether.service
[Unit]
Description=SoftEther VPN Server
After=network.target auditd.service
ConditionPathExists=!/usr/local/vpnserver/do_not_run

[Service]
Type=forking
EnvironmentFile=-/usr/local/vpnserver
ExecStart=/usr/local/vpnserver/vpnserver start
ExecStop=/usr/local/vpnserver/vpnserver stop
KillMode=process
Restart=on-failure
# Hardening
PrivateTmp=yes
ProtectHome=yes
ProtectSystem=full
ReadOnlyDirectories=/
ReadWriteDirectories=-/usr/local/vpnserver
CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW CAP_SYS_NICE CAP_SYS_ADMIN CAP_SETUID

[Install]
WantedBy=multi-user.target
Enable and start the service:
systemctl enable softether
systemctl start softether
8. configure SoftEther VPN Server:
The next step is to configure SoftEther with the vpncmd command or with SoftEther VPN Server Manager for Windows (this time I use SoftEther VPN Server Manager).
First enter the IP address of the server and click the Connect button; leave the password blank and click OK.
Set the administrator logon password.
Configure the service with the initialization wizard.
Tip: if you want to use the NAT function, read the Local Bridge and dnsmasq setup in https://rharmonson.github.io/se4cos7.html, or use SecureNAT. I use the router's DHCP directly.
Part2 : Install FreeRADIUS + DaloRADIUS
I chose FreeRADIUS as my RADIUS service. This open-source project is powerful and flexible. RADIUS implements the AAA (Authentication, Authorization and Accounting) framework; I only use the authentication function.
1. install FreeRADIUS and its requirements:
apt-get install freeradius freeradius-mysql apache2 php5 libapache2-mod-php5 mysql-server mysql-client php5-mysql php-pear php5-gd php-db
You need to enter a MySQL root password during installation.
2. initialize FreeRADIUS:
FreeRADIUS uses the /etc/freeradius folder to store its configuration files. By default FreeRADIUS looks up its users in a plain file.
vi /etc/freeradius/users
Uncomment these two lines:
#"John Doe" Cleartext-Password := "hello"
# Reply-Message = "Hello, %{User-Name}"
Stop the service and run it in debug mode to verify the settings:
/etc/init.d/freeradius stop
freeradius -X
When you see "Info: Ready to process requests.", the service has been configured successfully. Exit debug mode with Ctrl+C, restart the service, then check it with the radtest command (testing123 is the shared secret of the default localhost client in /etc/freeradius/clients.conf):
/etc/init.d/freeradius start
radtest "John Doe" hello 127.0.0.1 0 testing123
If authentication succeeds, you will see messages like the following.
Sending Access-Request of id 180 to 127.0.0.1 port 1812
User-Name = "John Doe"
User-Password = "hello"
NAS-IP-Address = 127.0.1.1
NAS-Port = 0
Message-Authenticator = 0x00000000000000000000000000000000
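The same Access-Request exchange that radtest sends above, written out as an added Python example (not code from the original post). It assumes the default localhost client secret testing123 and makes visible why the shared secret you later put in clients.conf must be long and private: it is the only key that hides User-Password and authenticates the server's reply.

```python
import hashlib, hmac, os, socket, struct
SERVER, SECRET = ("127.0.0.1", 1812), b"testing123"  # as in the tutorial's radtest command (constructed)

def attr(kind, value):
    """One RADIUS attribute: Type, Length (including these 2 header bytes), Value."""
    return struct.pack("!BB", kind, 2 + len(value)) + value

def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out

def reveal_password(hidden, secret, authenticator):
    """Inverse of hide_password: whoever holds the shared secret recovers the password."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def build_access_request(ident, user, password, secret, req_auth):
    """Access-Request (code 1); Message-Authenticator (RFC 3579) = HMAC-MD5 over the packet with it zeroed."""
    attrs = attr(1, user) + attr(2, hide_password(password, secret, req_auth))
    attrs += attr(4, socket.inet_aton("127.0.0.1")) + attr(5, struct.pack("!I", 0))
    attrs += attr(80, b"\x00" * 16)
    header = struct.pack("!BBH", 1, ident, 20 + len(attrs)) + req_auth
    return header + attrs[:-16] + hmac.new(secret, header + attrs, "md5").digest()

def build_response(code, ident, req_auth, secret, attrs=b""):
    """RFC 2865 3: ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + req_auth + attrs + secret).digest() + attrs

def response_is_authentic(resp, req_auth, secret):
    """Drop replies whose Response Authenticator was not produced with our shared secret."""
    length = struct.unpack("!H", resp[2:4])[0]
    expected = hashlib.md5(resp[:4] + req_auth + resp[20:length] + secret).digest()
    return hmac.compare_digest(expected, resp[4:20])

if __name__ == "__main__":  # same exchange as: radtest "John Doe" hello 127.0.0.1 0 testing123
    req_auth = os.urandom(16)
    packet = build_access_request(180, b"John Doe", b"hello", SECRET, req_auth)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(3); s.sendto(packet, SERVER); reply = s.recv(4096)
    print("authentic reply:", response_is_authentic(reply, req_auth, SECRET),
          {2: "Access-Accept", 3: "Access-Reject"}.get(reply[0], "other code"))
```

Run it while freeradius -X is active to get Access-Accept for the John Doe entry; a reply produced with any other secret fails the authenticator check and is reported as not authentic.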
Now you can set up SQL.
3. install DaloRADIUS:
We can use DaloRADIUS as a GUI for FreeRADIUS. First download DaloRADIUS and decompress it to /var/www/html (Apache used /var/www/ as the default document root before Raspbian jessie):
cd ~/Downloads
wget http://downloads.sourceforge.net/project/daloradius/daloradius/daloradius0.9-9/daloradius-0.9-9.tar.gz
tar zxvf daloradius-0.9-9.tar.gz -C /var/www/html
mv /var/www/html/daloradius-0.9-9/ /var/www/html/daloradius
cd /var/www/html/daloradius
4. configure MySQL:
Create a database and a new MySQL user for daloRADIUS, and load the SQL template provided by daloRADIUS:
mysql -u root -p
mysql> create database radiusdb;
mysql> exit
mysql -u root -p radiusdb < /var/www/html/daloradius/contrib/db/fr2-mysql-daloradius-and-freeradius.sql
mysql -u root -p
mysql> CREATE USER 'radiususer'@'localhost';
mysql> SET PASSWORD FOR 'radiususer'@'localhost' = PASSWORD('radius_password');
mysql> GRANT ALL ON radiusdb.* to 'radiususer'@'localhost';
mysql> exit
Uncomment two parts in the FreeRADIUS configuration files.
First, in /etc/freeradius/radiusd.conf:
# $INCLUDE sql.conf
# $INCLUDE sql/mysql/counter.conf
Second, in /etc/freeradius/sites-enabled/default:
# See "Authorization Queries" in sql.conf
sql
# See "Accounting queries" in sql.conf
sql
# See "Simultaneous Use Checking Queries" in sql.conf
sql
# See "Authentication Logging Queries" in sql.conf
sql
Modify /etc/freeradius/sql.conf and fill in this information:
server = "localhost"
#port = 3306
login = "radiususer"
password = "radius_password"
# Database table configuration for everything except Oracle
radius_db = "radiusdb"
Modify /etc/freeradius/clients.conf and add the RADIUS client (the access point):
client 192.168.10.0/24 {
secret = somesecret
shortname = radius_wlan_guest
}
This allows every host in 192.168.10.0/24 to act as a RADIUS client; you can also use ipaddr = to specify a single client IP address. Choose a long random secret: it is the key that protects the RADIUS traffic between the access point and the server.
Restart the FreeRADIUS service:
/etc/init.d/freeradius restart
Add the connection information to /var/www/html/daloradius/library/daloradius.conf.php:
$configValues['CONFIG_DB_ENGINE'] = 'mysql';
$configValues['CONFIG_DB_HOST'] = 'localhost';
$configValues['CONFIG_DB_PORT'] = '3306';
$configValues['CONFIG_DB_USER'] = 'radiususer';
$configValues['CONFIG_DB_PASS'] = 'radius_password';
$configValues['CONFIG_DB_NAME'] = 'radiusdb';
The daloRADIUS GUI is now accessible via:
http://your_server/daloradius/
Default logon: username=administrator, password=radius.
You can change the password through Configuration -> Operators -> Edit administrator, then add a new user in the Management tab.
5. configure WPA2-Enterprise:
Example (DD-WRT):
Wireless -> Wireless Security: choose WPA2 Enterprise and set the WPA algorithm to TKIP+AES (best compatibility; TKIP is deprecated, so prefer AES only if all your clients support it). Set the RADIUS auth server address, port and shared secret, then save and apply.
This configuration works for most clients, but you will find errors like the following in the FreeRADIUS log. Today's Microsoft clients and new Android/iOS clients have stopped supporting the default EAP type, MD5 (you can see these logs after enabling auth, auth_badpass and auth_goodpass in /etc/freeradius/radiusd.conf; note that auth_badpass and auth_goodpass write the submitted passwords into the log, so enable them only while debugging).
Wed Feb 28 16:36:20 2018 : Auth: Login incorrect: [username/<via Auth-Type = EAP>] (from client ddwrt port 0 via TLS tunnel)
Wed Feb 28 16:36:20 2018 : Auth: Login incorrect: [username /<via Auth-Type = EAP>] (from client ddwrt port 20 cli 283f69c9f865)
Wed Feb 28 17:01:17 2018 : Info: Signalled to terminate
Wed Feb 28 17:01:17 2018 : Info: Exiting normally.
So we need EAP-MSCHAPv2 (inside PEAP).
6. enable PEAP authentication
Modify /etc/freeradius/eap.conf (the option is spelled with underscores), changing
default_eap_type = md5
to
default_eap_type = peap
7. create certificates
The required files are under /usr/share/doc/freeradius/examples/certs. Copy them to the cert store folder:
cd /usr/share/doc/freeradius/examples/certs
sudo cp Makefile ca.cnf server.cnf xpextensions /etc/freeradius/certs
cd /etc/freeradius/certs
Edit ca.cnf and server.cnf; keep the same information in both files.
[ CA_default ]
default_days = 3650 # 10 years
[ req ]
input_password = your_inputoutput_password
output_password = your_inputoutput_password
[certificate_authority]
countryName = CN
stateOrProvinceName = somestate
localityName = yourtown
organizationName = yourorg
emailAddress = [email protected]
commonName = "some cool short description"
Generate the certificates:
make all
Because the certificate you just generated is not signed by a trusted root CA, you will have to import the CA certificate on Windows clients (especially old versions).
Edit /etc/freeradius/eap.conf:
private_key_password = your_inputoutput_password
8. configure MSCHAPv2
In /etc/freeradius/modules/mschap:
use_mppe = yes
require_encryption = yes
require_strong = yes
with_ntdomain_hack = yes
Edit /etc/freeradius/sites-enabled/inner-tunnel to tell FreeRADIUS that it has to use SQL inside the inner tunnel as well; uncomment:
# See "Authorization Queries" in sql.conf
sql
# See "Simultaneous Use Checking Queries" in sql.conf
sql
# See "Authentication Logging Queries" in sql.conf
sql
Reload the new libraries and restart FreeRADIUS:
ldconfig
/etc/init.d/freeradius restart
This time you can connect to the WLAN with PEAP-MSCHAPv2 authentication.
Tips:
Windows 7 may have problems connecting to such a WPA2-Enterprise network; you will find logs like the following:
Wed Feb 28 18:05:51 2018 : Auth: Login incorrect (TLS Alert read:fatal:unknown CA): [host/hostname/<via Auth-Type = EAP>] (from client ddwrt port 9 cli 08570039addd)
Wed Feb 28 18:06:32 2018 : Auth: Login incorrect: [domain \\username/<via Auth-Type = EAP>] (from client ddwrt port 0 via TLS tunnel)
Wed Feb 28 18:06:32 2018 : Auth: Login incorrect: [domain \\ username /<via Auth-Type = EAP>] (from client ddwrt port 9 cli 08570039addd)
This means that Windows 7 validates the server certificate and sends the Windows logon credentials during authentication. So you can:
1. Go to "Change adapter settings".
2. Right-click the wired network and go to Properties.
3. In the Authentication tab enable 802.1X and select PEAP. Enable "Validate server certificate". Select EAP-MSCHAP v2 as the authentication method and DISABLE "Automatically use my Windows logon name and password". Set the authentication mode to "User authentication" and DO NOT save credentials.
4. Right-click the wired network, DISABLE it, then ENABLE it. A popup requesting additional logon information (credentials) will appear.
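Both log excerpts on this page (the EAP-MD5 failures in step 5 and the Windows 7 unknown-CA and domain\user lines in the tips above) parsed and classified into the failure modes the text walks through, as an added Python example that is not code from the original post. The one "Login OK" line in the sample is constructed, and its format is an assumption.

```python
import re
from collections import Counter

# Constructed sample: the Auth lines quoted in the post plus one "Login OK" line
# whose format is assumed (FreeRADIUS 2.x style), not copied from the post.
SAMPLE_LOG = """\
Wed Feb 28 16:36:20 2018 : Auth: Login incorrect: [username/<via Auth-Type = EAP>] (from client ddwrt port 0 via TLS tunnel)
Wed Feb 28 16:36:20 2018 : Auth: Login incorrect: [username/<via Auth-Type = EAP>] (from client ddwrt port 20 cli 283f69c9f865)
Wed Feb 28 17:01:17 2018 : Info: Signalled to terminate
Wed Feb 28 18:05:51 2018 : Auth: Login incorrect (TLS Alert read:fatal:unknown CA): [host/hostname/<via Auth-Type = EAP>] (from client ddwrt port 9 cli 08570039addd)
Wed Feb 28 18:06:32 2018 : Auth: Login incorrect: [domain\\username/<via Auth-Type = EAP>] (from client ddwrt port 0 via TLS tunnel)
Wed Feb 28 18:09:02 2018 : Auth: Login OK: [alice/<via Auth-Type = EAP>] (from client ddwrt port 9 cli 08570039addd)
"""

LINE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) : Auth: Login (?P<result>OK|incorrect)"
    r"(?: \((?P<reason>[^)]*)\))?: \[(?P<identity>[^\]]*)\] \(from client (?P<client>\S+)"
    r" port (?P<port>\d+)(?: cli (?P<mac>[0-9a-f]+))?(?P<tunnel> via TLS tunnel)?\)$")

def parse_log(text):
    """One dict per Auth line; Info/Error lines do not match and are skipped."""
    return [m.groupdict() for m in map(LINE.match, text.splitlines()) if m]

def classify(entry):
    """Map an entry to the failure modes the post walks through."""
    if entry["result"] == "OK":
        return "ok"
    if entry["reason"] and "unknown CA" in entry["reason"]:
        return "client rejected server certificate"   # CA cert not imported on the client
    if "\\" in entry["identity"]:
        return "windows logon credentials sent"       # domain\user: supplicant auto-used Windows logon
    if entry["tunnel"]:
        return "inner-tunnel credential failure"      # e.g. inner EAP-MD5 no longer supported
    return "outer EAP failure"

def summarize(entries):
    """Count failure modes overall and per client MAC (only outer lines carry the MAC)."""
    by_mode, by_mac = Counter(), Counter()
    for e in entries:
        mode = classify(e)
        by_mode[mode] += 1
        if e["mac"] and mode != "ok":
            by_mac[e["mac"]] += 1
    return by_mode, by_mac

if __name__ == "__main__":
    modes, macs = summarize(parse_log(SAMPLE_LOG))
    for mode, n in modes.most_common():
        print(f"{n:3} {mode}")
    print("failures per client MAC:", dict(macs))
```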
Reference:
https://www.modmypi.com/blog/how-to-give-your-raspberry-pi-a-static-ip-address-update
https://www.jianshu.com/p/9125637e7aec
https://rharmonson.github.io/se4cos7.html
https://steven-england.info/2014/11/06/providing-802-1x-authentication-freeradius-peapv0eap-mschapv2-support-raspberry-pi/
https://social.technet.microsoft.com/Forums/Lync/en-US/ab547187-6c48-4624-b1e7-ef5658ff05d1/windows-7-is-not-prompting-for-peap-username-and-password-on-the-wired-network?forum=w7itprosecurity