[strongSwan] Should each StrongSwan have its own FreeRadius or should they share one?

Michael Schwartzkopff ms at sys4.de
Wed Aug 21 09:51:50 CEST 2019

Am 21.08.19 um 08:20 schrieb Houman:
> Hello,
> I have multiple StrongSwan VPN servers setup and each of them has its own
> FreeRadius server. Each of the freeradius servers then points to the
> central database in a separate location. This works without any problem.
> But I wonder if this is the right approach after all.
> Maybe I should have only one FreeRadius server installed next to the
> database, and have each VPN server connect to the central freeradius server
> instead?
> As in setting *accounting = yes* and *address= [remote IP of freeradius
> server]* in /etc/strongswan.d/charon/eap-radius.conf for each VPN.
> What is the most optimal way?
> Many Thanks,
> Houman

As always, it depends ...

First of all you need to write down, what you want to achieve.

Then you have to find the best solution for you. The "best" might be the
most simple, the easiest to maintain, the one with the least effort in
setting up, the one that has least components, the one with the least
complexity or a combination of everything.

What do you want to acchieve? Authentication / Authorization of VPN
client through a central backend database? Do you need accouting?

If your VPN servers do not differ I would set up two RADIUS server (for
redundancy) that use the one database (master / slave setup for redundancy).

If your VPN servers differ and the outcome of your Authorization depends
on the VPN server, I would set up different virtual RADIUS servers.

But everything depends on your setup. Be sure you know what you want.

Mit freundlichen Grüßen,


[*] sys4 AG
https://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG,80333 München
Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263
Vorstand: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief
Aufsichtsratsvorsitzender: Florian Kirstein

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 213 bytes
Desc: OpenPGP digital signature
URL: <http://lists.strongswan.org/pipermail/users/attachments/20190821/ea236563/attachment-0001.sig>

More information about the Users mailing list