Access private network from the internet, support port forwarding from private network to outside via cloud.
- Docker image
- Keycloak authentication and authorization
- Radius client
- support RadSec protocol (Radius over TLS)
- Management routing and portforwarding using json file
- Connect to LAN from the internet
- Port forwarding
- Connect multiple networks
- Automatic installation(Ubuntu)
- Manual Installation steps (Ubuntu)
- Deny user access to VPN
Get the trusted build from the Docker Hub registry:
docker pull vassio/pptp-radius-docker
sudo apt-get update && sudo apt-get install -y curl
curl -sSL https://raw.githubusercontent.com/vzakharchenko/pptp-radius-docker/main/ubuntu.install -o ubuntu.install
chmod +x ubuntu.install
./ubuntu.install
- Create Realm with Radius client
- Create OIDC client to Radius Realm
- Enable Service Accounts for OIDC client
- Add role "Radius Session Role" to Service Accounts
- Download Keycloak.json
- add keycloak.json to config.json
{
"radsec": {
"privateKey": RADSEC_PRIVATE_KEY,
"certificateFile": RADSEC_CERTIFICATE_FILE,
"CACertificateFile": RADSEC_CA_CERTIFICATE_FILE,
"certificateKeyPassword": RADSEC_PRIVATE_KEY_PASSWORD
},
"keycloak": {
"json": {
"realm": "VPN",
"auth-server-url": "http://192.168.1.234:8090/auth/",
"ssl-required": "external",
"resource": "vpn-client",
"credentials": {
"secret": "12747feb-794b-4561-a54f-1f49e9366b21"
},
"confidential-port": 0
}
},
"radius": {
"protocol":"pap"
}
}{
"radsec": {
"privateKey": RADSEC_PRIVATE_KEY,
"certificateFile": RADSEC_CERTIFICATE_FILE,
"CACertificateFile": RADSEC_CA_CERTIFICATE_FILE,
"certificateKeyPassword": RADSEC_PRIVATE_KEY_PASSWORD
},
"keycloak": {
"json": KEYCLOAK_JSON
},
"radius": {
"protocol":"RADIUS_PROTOCOL"
},
"authorizationMap": {
"roles": {
"KEYCLOAK_ROLE": {
"routes": ROUTING_TABLE,
"forwarding":{
"sourceIp": APPLICATION_IP,
"sourcePort": APPLICATION_PORT,
"externalPort": REMOTE_PORT
}
}
}
}
}Where
- RADSEC_PRIVATE_KEY ssl privateKey
- RADSEC_CERTIFICATE_FILE ssl private certificate
- CACertificateFile ssl CA certificate
- certificateKeyPassword privateKey password
- KEYCLOAK_JSON Keycloak.json
- RADIUS_PROTOCOL Radius protocol. Supported pap,chap and mschap-v2. If used RadSec(Radius over TLS) then better to use PAP, otherwise mschap-v2
- APPLICATION_IP service IP behind NAT (port forwarding)
- APPLICATION_PORT service PORT behind NAT (port forwarding)
- REMOTE_PORT port accessible from the internet (port forwarding)
- ROUTING_TABLE ip with subnet for example 192.168.8.0/24
- KEYCLOAK_ROLE Role assigned to user
{
"radsec":{
"privateKey":"RADSEC_PRIVATE_KEY",
"certificateFile":"RADSEC_CERTIFICATE_FILE",
"CACertificateFile":"RADSEC_CA_CERTIFICATE_FILE",
"certificateKeyPassword":"RADSEC_PRIVATE_KEY_PASSWORD"
},
"keycloak":{
"json":{
"realm":"VPN",
"auth-server-url":"http://192.168.1.234:8090/auth/",
"ssl-required":"external",
"resource":"vpn-client",
"credentials":{
"secret":"12747feb-794b-4561-a54f-1f49e9366b21"
},
"confidential-port":0
}
},
"radius":{
"protocol":"pap"
},
"authorizationMap":{
"roles":{
"Role1":{
"routing":[
{
"route":"192.168.88.0/24"
}
]
}
}
}
}
Subnet contains service http://192.168.8.254:80 which is available at from http://195.138.164.211:9000
{
"radsec":{
"privateKey":"RADSEC_PRIVATE_KEY",
"certificateFile":"RADSEC_CERTIFICATE_FILE",
"CACertificateFile":"RADSEC_CA_CERTIFICATE_FILE",
"certificateKeyPassword":"RADSEC_PRIVATE_KEY_PASSWORD"
},
"keycloak":{
"json":{
"realm":"VPN",
"auth-server-url":"http://192.168.1.234:8090/auth/",
"ssl-required":"external",
"resource":"vpn-client",
"credentials":{
"secret":"12747feb-794b-4561-a54f-1f49e9366b21"
},
"confidential-port":0
}
},
"radius":{
"protocol":"pap"
},
"authorizationMap":{
"roles":{
"Role1":{
"forwarding":[
{
"sourceIp":"192.168.88.1",
"sourcePort":"80",
"destinationPort":9000
}
]
}
}
}
}
user1 - router with subnet 192.168.88.0/24 behind NAT. Subnet contains service http://192.168.88.254:80 which is available at from http://195.138.164.211:9000 
{
"radsec":{
"privateKey":"RADSEC_PRIVATE_KEY",
"certificateFile":"RADSEC_CERTIFICATE_FILE",
"CACertificateFile":"RADSEC_CA_CERTIFICATE_FILE",
"certificateKeyPassword":"RADSEC_PRIVATE_KEY_PASSWORD"
},
"keycloak":{
"json":{
"realm":"VPN",
"auth-server-url":"http://192.168.1.234:8090/auth/",
"ssl-required":"external",
"resource":"vpn-client",
"credentials":{
"secret":"12747feb-794b-4561-a54f-1f49e9366b21"
},
"confidential-port":0
}
},
"radius":{
"protocol":"pap"
},
"authorizationMap":{
"roles":{
"Role1":{
"forwarding":[
{
"sourceIp":"192.168.88.254",
"sourcePort":"80",
"destinationPort":9000
}
],
"routing":[
{
"route":"192.168.88.0/24"
}
]
},
"Role2":{
"routing":[
{
"route":"192.168.89.0/24"
}
]
}
}
}
}- Viewing logs in docker container:
docker logs pptp-radius-docker -f
- print routing tables
docker exec pptp-radius-docker bash -c "ip route"
- print iptable rules
docker exec pptp-radius-docker bash -c "iptables -S"
sudo apt-get update && sudo apt-get install -y curl
curl -sSL https://raw.githubusercontent.com/vzakharchenko/pptp-radius-docker/main/ubuntu.install -o ubuntu.install
chmod +x ubuntu.install
./ubuntu.install
- create client/realm role and add attribute:
REJECT_Connect-Info=L2TP
- assign a role to a user and after that the user will always be rejected
- install all dependencies
sudo apt-get update && sudo apt-get install -y iptables git iptables-persistent node
- install docker
sudo apt-get remove docker docker.io containerd runc
sudo curl -sSL https://get.docker.com | bash
sudo groupadd docker
sudo usermod -aG docker $USER
newgrp docker
- Configure host machine
echo "nf_nat_pptp" >> /etc/modules
echo "ip_gre" >> /etc/modules
iptables -I FORWARD -p gre -j ACCEPT
sudo iptables-save > /etc/iptables/rules.v4
sysctl -w net.ipv4.ip_forward=1
sysctl -w net.netfilter.nf_conntrack_helper=1
sudo echo "net.ipv4.ip_forward=1">/etc/sysctl.conf
sudo echo "net.netfilter.nf_conntrack_helper=1">/etc/sysctl.conf
-
start docker image
export CONFIG_PATH=/opt/config.json
curl -sSL https://raw.githubusercontent.com/vzakharchenko/pptp-radius-docker/main/pptp-js/generateDockerCommands.js -o generateDockerCommands.js
`node generateDockerCommands.js`
- reboot machine