[strongSwan] Should each StrongSwan have its own FreeRadius or should they share one?

Houman houmie at gmail.com
Wed Aug 21 13:20:29 CEST 2019

Hello Michael,

You brought up some very good points.

I'm currently only using the authentication in RADIUS by utilising the
username/password in the Radcheck table. I also make use of Radacct table
to see for how long a user was connected, from which location the
connection was made and to which VPN server the user is connected. Other
than that all VPN servers are the same and don't differ.

> If your VPN servers do not differ I would set up two RADIUS server (for
> > redundancy) that use the one database (master / slave setup for
> redundancy).

I have found this blog post
that explains how to run two freeradius and two mysql servers in
So it seems that two databases are needed after all.  But you advised to
just use one database with two FreeRadius in replication. Do I have to do
anything specifically in the configs to make them work in replication with
a single database? Or is it as simple as creating an AWS Loadbalancer that
points to both freeradius servers as round-robin? And in turn all VPN
servers are pointing to the same Load balancer endpoint? I suppose nothing
stops me of having two database/replication in this scenario to make it
more resilient, isn't it?

Many Thanks,

On Wed, 21 Aug 2019 at 08:52, Michael Schwartzkopff <ms at sys4.de> wrote:

> Am 21.08.19 um 08:20 schrieb Houman:
> > Hello,
> >
> > I have multiple StrongSwan VPN servers setup and each of them has its own
> > FreeRadius server. Each of the freeradius servers then points to the
> > central database in a separate location. This works without any problem.
> > But I wonder if this is the right approach after all.
> >
> > Maybe I should have only one FreeRadius server installed next to the
> > database, and have each VPN server connect to the central freeradius
> server
> > instead?
> >
> > As in setting *accounting = yes* and *address= [remote IP of freeradius
> > server]* in /etc/strongswan.d/charon/eap-radius.conf for each VPN.
> >
> > What is the most optimal way?
> >
> > Many Thanks,
> > Houman
> >
> As always, it depends ...
> First of all you need to write down, what you want to achieve.
> Then you have to find the best solution for you. The "best" might be the
> most simple, the easiest to maintain, the one with the least effort in
> setting up, the one that has least components, the one with the least
> complexity or a combination of everything.
> What do you want to acchieve? Authentication / Authorization of VPN
> client through a central backend database? Do you need accouting?
> If your VPN servers do not differ I would set up two RADIUS server (for
> redundancy) that use the one database (master / slave setup for
> redundancy).
> If your VPN servers differ and the outcome of your Authorization depends
> on the VPN server, I would set up different virtual RADIUS servers.
> But everything depends on your setup. Be sure you know what you want.
> Mit freundlichen Grüßen,
> --
> [*] sys4 AG
> https://sys4.de, +49 (89) 30 90 46 64
> Schleißheimer Straße 26/MG,80333 München
> Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263
> Vorstand: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief
> Aufsichtsratsvorsitzender: Florian Kirstein
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20190821/7cff5404/attachment.html>

More information about the Users mailing list