OpenVPN FreeRadius Authentication

# Install OpenVPN
$ yum install openvpn \
              easy-rsa \
              haveged

# Install FreeRadius
$ yum install freeradius \
              freeradius-utils \
              pam_radius

# Config Firewall
$ firewall-cmd --get-active-zones
$ firewall-cmd --zone=external --change-interface=tun0 --permanent
$ firewall-cmd --add-service={openvpn,radius} --permanent
$ firewall-cmd --reload
$ cd /etc/raddb
$ ln -sf ../mods-available/sql mods-enabled/sql
$ sqlite3 freeradius.db < mods-config/sql/main/sqlite/schema.sql
$ echo "INSERT INTO radcheck VALUES('0','user','Cleartext-Password',':=','pass');" | sqlite3 freeradius.db
$ cat >> clients
client test.easypi.info {  
        ipaddr = 192.168.31.231
        secret = testing321
}
# Run in debug mode
$ radiusd -X

# Test from localhost (192.168.31.234)
$ radtest user pass localhost 0 testing123
Sending Access-Request Id 116 from 0.0.0.0:46035 to 127.0.0.1:1812  
        User-Name = 'user'
        User-Password = 'pass'
        NAS-IP-Address = 127.0.1.1
        NAS-Port = 0
        Message-Authenticator = 0x00
Received Access-Accept Id 116 from 127.0.0.1:1812 to 127.0.0.1:46035 length 20

# Test from remote (192.168.31.231)
$ radtest user pass 192.168.31.234 0 testing321
Sent Access-Request Id 3 from 0.0.0.0:58051 to 192.168.31.234:1812 length 74  
    User-Name = "user"
    User-Password = "pass"
    NAS-IP-Address = 192.168.31.231
    NAS-Port = 0
    Message-Authenticator = 0x00
    Cleartext-Password = "pass"
Received Access-Accept Id 3 from 192.168.31.234:1812 to 0.0.0.0:0 length 20  
$ cat >> /etc/openvpn/server.conf
plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so openvpn  
client-cert-not-required

$ cat >> /etc/openvpn/client.conf
auth-user-pass

$ cat > /etc/pam.d/openvpn
auth     required        pam_radius_auth.so  
account  required        pam_radius_auth.so

$ cat > /etc/pam_radius.conf
# server[:port] shared_secret      timeout (s)
localhost       testing123         1

$ pamtester -v openvpn user authenticate
pamtester: invoking pam_start(openvpn, user, ...)  
pamtester: performing operation - authenticate  
Password: ****  
pamtester: successfully authenticated  
systemctl start radiusd openvpn  
systemctl enable radiusd openvpn