Before configuring FinchVPN with NAT-T and Radius authentication, ensure the following prerequisites are met:
A functional Radius server (e.g., FreeRadius, Microsoft NPS) is installed and configured. It should be reachable from the FinchVPN server.
A FinchVPN server is set up and running. Note the IP address of the FinchVPN server.
The NAT-T protocol is supported by both the FinchVPN client and server.
Appropriate user accounts exist on the Radius server for authentication.
Shared secret configuration between FinchVPN and the Radius server is in place.
Configuring FinchVPN for NAT-T with Radius authentication involves these steps:
Configure the Radius Client on FinchVPN: Access the FinchVPN server configuration file (e.g., vpn.conf). Add or modify the Radius client settings, including the Radius server IP address and shared secret.
radius_server = <Radius Server IP Address>
radius_secret = <Shared Secret>
Enable NAT-T: Ensure NAT-T is enabled within the FinchVPN server configuration. This might involve setting a specific parameter to "yes" or "true".
natt_enable = yes
Configure Authentication Protocol: Specify that Radius is to be used as the authentication protocol. This often involves setting an auth_protocol parameter.
auth_protocol = radius
Restart FinchVPN Service: After making the changes, restart the FinchVPN service to apply the new configuration.
systemctl restart finchvpn
Firewall Rules: Ensure that the firewall allows UDP traffic on port 1812 (the default Radius authentication port) between the FinchVPN server and the Radius server. Also confirm that the firewall allows UDP traffic on port 4500 (used by NAT-T) between VPN clients and the FinchVPN server.
DNS Resolution: Verify that the FinchVPN server can resolve the hostname of the Radius server, if a hostname is used instead of an IP address.
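As an added check that is not part of this guide or of FinchVPN itself, the script below parses a vpn.conf fragment in the key = value form shown above and flags the mistakes a practitioner most often makes: template placeholders left in place, NAT-T not switched on, the wrong authentication protocol, a hostname that will depend on DNS, and a short shared secret. The key names are assumed to be exactly those the guide gives, and the sample configuration is constructed.

```python
import ipaddress
import re

# Keys this guide tells you to set in vpn.conf (names exactly as the guide gives them)
REQUIRED = ("radius_server", "radius_secret", "natt_enable", "auth_protocol")
TRUE_VALUES = {"yes", "true", "1", "on"}
PLACEHOLDER = re.compile(r"^<.*>$")  # unreplaced template text such as <Shared Secret>

def parse_conf(text):
    """Parse 'key = value' lines; '#' starts a comment, lines without '=' are skipped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            settings[key.lower()] = value.strip("\"'")
    return settings

def check_conf(text):
    """Return (severity, message) findings; an empty list means the four settings look right."""
    s = parse_conf(text)
    findings = []
    for key in REQUIRED:
        if not s.get(key):
            findings.append(("error", f"{key} is missing or empty"))
    server, secret = s.get("radius_server", ""), s.get("radius_secret", "")
    if PLACEHOLDER.match(server):
        findings.append(("error", "radius_server still holds the template placeholder"))
    elif server:
        try:
            ipaddress.ip_address(server)
        except ValueError:  # not an IP, so a hostname: the VPN server must be able to resolve it
            findings.append(("note", f"radius_server is a hostname ({server}); confirm it resolves"))
    if PLACEHOLDER.match(secret):
        findings.append(("error", "radius_secret still holds the template placeholder"))
    elif secret and len(secret) < 16:  # 16 is an arbitrary floor; use a long random secret
        findings.append(("note", "radius_secret is short; use a long random shared secret"))
    if s.get("natt_enable", "").lower() not in TRUE_VALUES:
        findings.append(("error", "natt_enable is not yes/true, so NAT-T stays disabled"))
    if s.get("auth_protocol", "").lower() != "radius":
        findings.append(("error", "auth_protocol is not radius, so the RADIUS settings are never used"))
    return findings

# Constructed vpn.conf fragment: template placeholders left in place and NAT-T switched off
SAMPLE_BAD = """
radius_server = <Radius Server IP Address>
radius_secret = <Shared Secret>
natt_enable = no
auth_protocol = radius
"""
```

Run check_conf on the real file's contents before restarting the service; any "error" finding reproduces one of the failure causes listed below.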
To verify the configuration:
Attempt to connect to the FinchVPN server using a client configured for NAT-T.
Check the Radius server logs for successful authentication attempts from the FinchVPN server. Look for entries indicating the username, source IP (the FinchVPN server's IP), and authentication status.
Examine the FinchVPN server logs for any errors related to Radius authentication or NAT-T negotiation.
Common causes of failure:
Incorrect Shared Secret: A mismatch in the shared secret between the FinchVPN server and the Radius server will cause authentication failures.
Firewall Blocking Traffic: A firewall blocking UDP port 1812 prevents Radius authentication; a firewall blocking UDP port 4500 prevents NAT-T from working.
Radius Server Unreachable: If the Radius server is down or unreachable, authentication will fail.
Incorrect NAT-T Configuration: Improper NAT-T settings on the FinchVPN server or client can lead to connection issues.
User Account Issues: Problems with user accounts on the Radius server (e.g., disabled accounts, incorrect passwords) will prevent successful authentication.
Configuration checklist:
Radius server is installed and reachable.
FinchVPN server is installed and running.
Shared secret is configured correctly on both FinchVPN and Radius.
NAT-T is enabled in the FinchVPN configuration.
Radius is set as the authentication protocol in FinchVPN.
Firewall allows UDP traffic on ports 1812 and 4500.
FinchVPN server can resolve the Radius server's hostname (if applicable).
User accounts exist and are active on the Radius server.
FinchVPN service is restarted after configuration changes.
Verification steps completed successfully.