intro

When it comes to secure your access to an AWS VPC, the [Brocade Vyatta vRouter 5400] offers all the required functionalities in a quickly and easily deployable appliance.

You can get it from the AWS market place and in a few minutes you have a running firewall/VPN gateway!

Vyatta in two words

Vyatta is a software-based router, firewall and VPN. It is based on Debian. It offer a "CLI" that allow an easy an quick configuration (note: there is also a web interface, but I never seen it in action)

the RADIUS trick

The default setup is to use a local directory to authenticate your VPN users, which does not match centralized authentication requirements that you may have.

But! there is an undocumented feature that allows you to user an external RADIUS to authenticate your users.

First, you will need to tell openvpn to use the openvpn-auth-pam plugin, make sure you pass the following options:

set interfaces openvpn vtun0 openvpn-option '--plugin
/usr/lib64/openvpn/openvpn-auth-pam.so openvpn --comp-lzo
--client-cert-not-required --username-as-common-name --script-security 2'

Then, you need to configure PAM to use your RADIUS server.

1. create /etc/pam_radius_auth.conf with the following content:

ip.address.of.radius your_radius_secret

1. create /etc/pam.d/openvpn with the following:

`

%PAM-1.0

auth sufficient pamradiusauth.so debug account sufficient pam_permit.so `

You are now ready to go!!