freeradius2 – How to set up a proxy radius server (FreeRadius 3)

I am trying to set up a proxy Freeradius server that forwards all requests to another Freeradius server.

For reference see the following picture:

Proxy radius server via VPN

The reason for this setup is that I want users to be able to connect to the local LAN via VPN, but the local site is not accessible due to NAT implemented at the ISP.

I am, however, able to make a site-to-site VPN connection from the local LAN to the VPN server, so I want users to be able to make a VPN connection to the local network via the public VPN server, provided they are a valid user on the local net.

I have a Freeradius server running on local LAN that validates users against a database – and that part is working fine.

Configuration VPN server side

As far as I understand the only thing I need to modify on the server is the file proxy.conf.

Assuming usernames logging onto the VPN are of the form users@example.com, I would only need to add the following entry to proxy.conf:

realm example.com {
    type = radius
    secret = VeryS3cretPassw0rd

    authhost = local-radius.example.com:1812
    accthost = local-radius.example.com:1813

    nostrip
}

The nostrip entry makes sure that the proxied request does not remove the @-postfix from the username.

I would also need to add the following to /etc/hosts:

# VPN Address of local-radius.example.com
192.168.100.2   local-radius.example.com

Configuration local radius server side

On the local radius server I need to update client.conf so that any queries to the local radius server originating from the VPN IP address are permitted. For instance, this entry:

client vpn-net {
        # Allow requests originating from VPN subnet.
        ipaddr          = 192.168.100.0/24
        secret          = VeryS3cretPassw0rd
}

Running the following command on the VPN server works as expected:

radtest -t mschap user@example.com SecretPassword local-radius.example.com:1812 0 VeryS3cretPassw0rd

I get the following response back:

Sent Access-Request Id 108 from 0.0.0.0:47466 to 192.168.100.2:1812 length 148
        User-Name = "user@example.com"
        MS-CHAP-Password = "SecretPassword "
        NAS-IP-Address = 127.0.1.1
        NAS-Port = 0
        Message-Authenticator = 0x00
        Cleartext-Password = "SecretPassword"
        MS-CHAP-Challenge = ....
        MS-CHAP-Response = ...
Received Access-Accept Id 108 from 192.168.100.2:1812 to 192.168.100.1:47466 length 84
        MS-CHAP-MPPE-Keys = ...
        MS-MPPE-Encryption-Policy = Encryption-Required
        MS-MPPE-Encryption-Types = 4

However, running the following command on the VPN server fails:

radtest -t mschap user@example.com SecretPassword localhost:18120 0 testing123

The output from the command is:

Sent Access-Request Id 104 from 0.0.0.0:39558 to 127.0.0.1:18120 length 148
        User-Name = "user@example.com"
        MS-CHAP-Password = "SecretPassword"
        NAS-IP-Address = 127.0.1.1
        NAS-Port = 0
        Message-Authenticator = 0x00
        Cleartext-Password = "SecretPassword"
        MS-CHAP-Challenge = ...
        MS-CHAP-Response = ...
Received Access-Reject Id 104 from 127.0.0.1:18120 to 127.0.0.1:39558 length 20
(0) -: Expected Access-Accept got Access-Reject

Running the command freeradius -X on the VPN server gives, among other things, this output:

(0) mschap: Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
(0)     (mschap) = ok
(0) suffix: Checking for suffix after "@"
(0) suffix: Looking up realm "example.com" for User-Name = "user@example.com"
(0) suffix: Found realm "example.com"
(0) suffix: Adding Realm = "example.com"
(0) suffix: Proxying request from user user@example.com to realm example.com
(0) suffix: Preparing to proxy authentication request to realm "example.com"
(0)     (suffix) = updated
(0) ntdomain: Request already has destination realm set.  Ignoring
(0)     (ntdomain) = noop
(0) eap: No EAP-Message, not doing EAP
(0)     (eap) = noop
(0)     (files) = noop
(0)     (expiration) = noop
(0)     (logintime) = noop
(0)     (pap) = noop
(0)   } # authorize = updated
(0) There was no response configured: rejecting request

Monitoring freeradius on the local net indicates that the server was never called from the VPN server, so what am I missing?
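A consistency check over the two fragments in the question, added here as example code (not from the post and not FreeRADIUS's own tooling). It parses constructed copies of the proxy.conf realm block, the clients.conf client block and the /etc/hosts line, then verifies the three things a realm proxy depends on: the home server has a client block whose network covers the proxy's source address, the realm secret equals that client's secret, and authhost/accthost resolve and carry a numeric port. The block parser is a deliberate simplification of FreeRADIUS's configuration syntax, sufficient for `key = value` blocks like those quoted; the proxy's VPN address 192.168.100.1 is taken from the first radtest trace. A second helper classifies a `freeradius -X` trace for one request so that "marked for proxying but still answered locally" is distinguished from a request that actually left the box.

```python
"""Check that proxy.conf, clients.conf and /etc/hosts agree (added example, simplified parser)."""
import ipaddress
import re

# Constructed copies of the fragments quoted in the question; read the real files in practice.
PROXY_CONF = """
realm example.com {
    type = radius
    secret = VeryS3cretPassw0rd

    authhost = local-radius.example.com:1812
    accthost = local-radius.example.com:1813

    nostrip
}
"""

CLIENTS_CONF = """
client vpn-net {
        # Allow requests originating from VPN subnet.
        ipaddr          = 192.168.100.0/24
        secret          = VeryS3cretPassw0rd
}
"""

HOSTS = """
# VPN Address of local-radius.example.com
192.168.100.2   local-radius.example.com
"""

# Source address of the proxy on the VPN link, as shown in the radtest trace (constructed input).
PROXY_SOURCE_IP = "192.168.100.1"

# Lines copied from the freeradius -X excerpt in the question (constructed sample trace).
DEBUG_TRACE = """
(0) suffix: Proxying request from user user@example.com to realm example.com
(0) suffix: Preparing to proxy authentication request to realm "example.com"
(0)     (suffix) = updated
(0)   } # authorize = updated
(0) There was no response configured: rejecting request
"""

# Matches "kind name { ... }" where the closing brace starts a line (simplified, not the real grammar).
BLOCK_RE = re.compile(r"^\s*(\w+)\s+(\S+)\s*\{(.*?)^\}", re.M | re.S)


def parse_blocks(text):
    """Return {(kind, name): {key: value}} for each block; bare words such as nostrip map to True."""
    blocks = {}
    for kind, name, body in BLOCK_RE.findall(text):
        attrs = {}
        for raw in body.splitlines():
            line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
            if not line:
                continue
            if "=" in line:
                key, value = (part.strip() for part in line.split("=", 1))
                attrs[key] = value
            else:
                attrs[line] = True
        blocks[(kind, name)] = attrs
    return blocks


def parse_hosts(text):
    """Return {hostname: ip} from /etc/hosts-style text."""
    mapping = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        for name in fields[1:]:
            mapping[name] = fields[0]
    return mapping


def check_proxy_pair(proxy_conf, clients_conf, hosts, realm_name, proxy_source_ip):
    """Return a list of problems that would stop the realm proxy from reaching the home server."""
    problems = []
    realm = parse_blocks(proxy_conf).get(("realm", realm_name))
    if realm is None:
        return [f"no realm block for {realm_name} in proxy.conf"]
    clients = [b for (kind, _), b in parse_blocks(clients_conf).items() if kind == "client"]
    src = ipaddress.ip_address(proxy_source_ip)

    # 1. The home server must list the proxy's *source* address (not authhost) as a client.
    covering = []
    for client in clients:
        try:
            if src in ipaddress.ip_network(client.get("ipaddr", ""), strict=False):
                covering.append(client)
        except ValueError:              # ipaddr given as a hostname or missing; skip it
            continue
    if not covering:
        problems.append(f"no client block on the home server covers {proxy_source_ip}")
    # 2. The realm secret and the covering client's secret must be identical.
    elif any(c.get("secret") != realm.get("secret") for c in covering):
        problems.append("realm secret differs from the client secret on the home server")

    # 3. authhost/accthost must resolve (here via /etc/hosts) and name a numeric port.
    host_map = parse_hosts(hosts)
    for key in ("authhost", "accthost"):
        target = realm.get(key)
        if not isinstance(target, str):
            problems.append(f"realm {realm_name} has no {key}")
            continue
        host, _, port = target.rpartition(":")
        if not port.isdigit():
            problems.append(f"{key} {target!r} has no numeric port")
        if host not in host_map:
            problems.append(f"{key} host {host!r} is not in /etc/hosts")
    return problems


def proxy_decision(debug_lines):
    """Classify one request's radiusd -X lines: did authorize mark it for proxying, and was it still answered locally?"""
    marked = any("Preparing to proxy authentication request" in line for line in debug_lines)
    local = any("There was no response configured" in line for line in debug_lines)
    if marked and local:
        return "marked-for-proxy-but-rejected-locally"
    return "marked-for-proxy" if marked else "not-marked-for-proxy"


if __name__ == "__main__":
    for problem in check_proxy_pair(PROXY_CONF, CLIENTS_CONF, HOSTS, "example.com", PROXY_SOURCE_IP):
        print("config:", problem)
    print("trace:", proxy_decision(DEBUG_TRACE.splitlines()))
```

The configuration check only reports disagreements between the files; on the fragments in the question it returns nothing, which matches the working radtest run against local-radius.example.com directly. The trace classifier is intentionally narrow: it says whether the request was marked for proxying and then answered locally, which is what the quoted excerpt shows, but it does not say why; the authoritative record of whether anything arrived is the home server's own `freeradius -X` output.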