关闭

CentOS 6.2 PPTP FreeRADIUS MySQL搭建VPN

3009人阅读 评论(0) 收藏 举报
分类:
本文描述尽可能使用系统自带的软件发行包来搭建VPN,考虑到使用尽可能高版本的PPTP,freeRadius等,选择了CentOS的最新版6.2
1、安装CentOS6.2 
为了简化系统,选择最下化安装,然后根据需要安装所需软件包
#yum install mysql mysql-server freeradius*  pptp* gcc make
2、配置freeRadius
[root@vpn3-1 ~]# cd /etc/raddb/
[root@vpn3-1 raddb]# cp sites-available/default sites-available/default.sav
[root@vpn3-1 raddb]# vi sites-enabled/default 
 在所有的unix和files前面加上注释,并去掉所有sql前面的注释。如果要减少日志数量,把 detail注视掉
[root@vpn3-1 raddb]# vi radiusd.conf 
去掉$include sql.conf前面的注释。
[root@vpn3-1 raddb]# vi clients.conf
添加NAS信息
#client some.host.org {
#       secret          = testing123
#       shortname       = somehost
#}

#client 10.10.2.3 {
#       secret          = testing123
#       shortname       = localhost2
#}
其中,每一个NAS对应一组,提供的信息有:NAS的IP或域名;加密字符串(Nas配置一致);accounting用的名字
对应localhost,已有缺省配置。
[root@vpn3-1 raddb]# vi sql.conf
        # Connection info:
        server = "localhost"
        #port = 3306
        login = "radius"
        password = "radpass"

        # Database table configuration for everything except Oracle
        radius_db = "radius"
以上是缺省值,可根据实际需要修改的是 server、port、login、password。
[root@vpn3-1 raddb]# vi sql/mysql/dialup.conf 
取消
sql_user_name = "%{%{Stripped-User-Name}:-%{%{User-Name}:-DEFAULT}}"
前面的注释,把下一行注释掉。

同时如果需要打开simultanoues-use(控制同时在线用户数)的话需要把simul_query_check取消注释。

3、建立基本数据库:
[root@vpn3-1 raddb]# service mysqld start
初次启动,数据库初始化
并执行了
/usr/bin/mysqladmin -u root password 'new-password'
/usr/bin/mysqladmin -u root -h vpn3-1.xxx.com  password 'new-password'

[root@vpn3-1 raddb]# mysql -u root -p
mysql> create database radius;
Query OK, 1 row affected (0.00 sec)

mysql> grant all privileges on radius.* to radius@localhost identified by "radpass";
Query OK, 0 rows affected (0.00 sec)

mysql> flush privileges;
Query OK, 0 rows affected (0.00 sec)

mysql> exit

[root@vpn3-1 raddb]# mysql -uradius -p radius < /etc/raddb/sql/mysql/schema.sql 
Enter password: 

mysql> INSERT INTO radgroupreply (groupname,attribute,op,VALUE) VALUES ('user','Auth-Type',':=','Local');
Query OK, 1 row affected (0.00 sec)

mysql> INSERT INTO radgroupreply (groupname,attribute,op,VALUE) VALUES ('user','Service-Type',':=','Framed-User');
Query OK, 1 row affected (0.00 sec)

mysql> INSERT INTO radgroupreply (groupname,attribute,op,VALUE) VALUES ('user','Framed-IP-Address',':=','255.255.255.255');
Query OK, 1 row affected (0.00 sec)

mysql> INSERT INTO radgroupreply (groupname,attribute,op,VALUE) VALUES ('user','Framed-IP-Netmask',':=','255.255.255.0');
Query OK, 1 row affected (0.00 sec)

mysql> INSERT INTO radgroupreply (groupname,attribute,op,VALUE) VALUES ('user','Acct-Interim-Interval',':=','600');
Query OK, 1 row affected (0.00 sec)

mysql> INSERT INTO radgroupreply (groupname,attribute,op,VALUE) VALUES ('user','Max-Monthly-Traffic',':=','5368709120');
Query OK, 1 row affected (0.00 sec)

mysql> INSERT INTO radgroupcheck (groupname,attribute,op,VALUE) VALUES ('user','Simultaneous-Use',':=','1');
Query OK, 1 row affected (0.00 sec)

mysql> select * from radgroupreply;
+---- +-------------------+-------------------------------+------+-----------------+
| id | groupname | attribute                        | op | value           |
+---- +-------------------+--------------------------------+----+-----------------+
|  8  | user               | Auth-Type                      | := | Local           |
|  9  | user               | Service-Type                 | := | Framed-User   |
| 10 | user               | Framed-IP-Address     | := | 255.255.255.255 |
| 11 | user               | Framed-IP-Netmask   | := | 255.255.255.0   |
| 12 | user               | Acct-Interim-Interval  | := | 600                    |
| 13 | user               | Max-Monthly-Traffic   | := | 5368709120      |
+----+-------------------+--------------------------------+----+-----------------+
6 rows in set (0.00 sec)

以上前四行是PPP用的参数,不用改动,acct-interim-interval是计算流量的间隔(600秒),意味着每隔10分钟记录当前流量。最后一行是每月最大流量,这里是5G(单位是字节)。
输入测试用户信息:
mysql> INSERT INTO radcheck (username,attribute,op,VALUE) VALUES ('test','Cleartext-Password',':=','test111');
Query OK, 1 row affected (0.00 sec)

mysql> INSERT INTO radusergroup (username,groupname) VALUES ('test','user');
Query OK, 1 row affected (0.00 sec)

mysql> 

用户名与密码必须以明文/NTLM Crypt形式保存,因为MS-CHAPv2不支持MD5保存的密码。

4、测试freeRadius Server:

[root@vpn3-1 raddb]# radtest test test111 localhost 1649 testing123
radclient:: Failed to find IP address for vpn3-1.xxx.com
radclient: Nothing to send.
表明vpn3-1.xxx.com没有ip,编辑/etc/hosts

[root@vpn3-1 raddb]# vi /etc/hosts

添加vpn3-1.xxx.com对应项

[root@vpn3-1 raddb]# radtest test test111 localhost 1649 testing123
Sending Access-Request of id 171 to 127.0.0.1 port 1812
    User-Name = "test"
    User-Password = "test111"
    NAS-IP-Address = 22.19.16.250
    NAS-Port = 1649
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=171, length=44
    Service-Type = Framed-User
    Framed-IP-Address = 255.255.255.255
    Framed-IP-Netmask = 255.255.255.0
    Acct-Interim-Interval = 600
[root@vpn3-1 raddb]# 


测试成功。

5、添加在认证时检测流量的语句

打开/etc/raddb/sites-enabled/default,找到authorize一节末尾插入

        update request {
                Group-Name := "%{sql:SELECT groupname FROM radusergroup WHERE \
                                username='%{User-Name}' ORDER BY priority}"
        }
        if ("%{sql: SELECT SUM(acctinputoctets+acctoutputoctets)\
                FROM radacct \
                WHERE username='%{User-Name}' AND \
                date_format(acctstarttime, '%Y-%m-%d') >= \
                date_format(now(),'%Y-%m-01') AND \
                date_format(acctstoptime, '%Y-%m-%d') <= \
                last_day(now());}" >= \
                "%{sql: SELECT value FROM radgroupreply \
                        WHERE groupname='%{Group-Name}' AND \
                        attribute='Max-Monthly-Traffic';}"\
        ) {
                reject
        }

由于第三节和本节中有非内置的attribute Max-Monthly-Traffic,所以需要在l/etc/raddb/dictionary里面定义:

ATTRIBUTE Max-Monthly-Traffic 3003 integer


**也可以通过修改/etc/raddb/sql/mysql/counter.conf 和/etc/raddb/sites-enabled/default实现相应功能

在 /etc/raddb/sql/mysql/counter.conf 文件末尾添加如下字段

sqlcounter monthlytrafficcounter {
    counter
-name = Monthly-Traffic
    check
-name = Max-Monthly-Traffic
    reply
-name = Monthly-Traffic-Limit
    sqlmod
-inst = sql
    key 
= User-Name
    reset 
= monthly
    query 
= "SELECT SUM(acctinputoctets + acctoutputoctets) DIV 1024 FROM radacct \
WHERE UserName='%{%k}' AND UNIX_TIMESTAMP(AcctStartTime) > '%b'"

}

启用流量统计

在 /etc/raddb/sites-enabled/default 文件的 authorize 区块中,添加 monthlytrafficcounter ,在 字典文件 /etc/raddb/dictionary 末尾添加如下两行

ATTRIBUTE Max-Monthly-Traffic 3003 integer
ATTRIBUTE 
Monthly-Traffic-Limit 3004 integer

在数据库里面添加限制字段

INSERT INTO radgroupcheck (groupname,attribute,op,VALUE) VALUES \
('user','Max-Monthly-Traffic',':=','5368709120');

添加到 radgroupcheck 表示针对所有组的生效

由于 Max-Monthly-Traffic 3003 integer 整数型的最大长度为2G,如果限额超过2G,会导致认证失败,所以解决方法就是 对查询到的用户的流量,除以 1024,然后对用户的限额也除以1024,这样可以解决问题

**引自介绍freeradius 的一些配置

6、设置radiusclient

centos(RHEL)上没有radiusclient包,为此,添加yum源dag

[root@vpn3-1 ~]#rpm -Uvh  http://apt.sw.be/redhat/el6/en/x86_64/dag/RPMS/rpmforge-release-0.5.2-2.el6.rf.x86_64.rpm

[root@vpn3-1 ~]# yum install radiusclient-ng*

[root@vpn3-1 etc]# cd /etc/radiusclient-ng/

[root@vpn3-1 radiusclient-ng]# vi radiusclient.conf 

修改 authserver 和acctserver

authserver localhost:1812 #用户验证服务器(如果不是本机,请指定IP)(可以为多个,依次尝试)
acctserver localhost:1813 #用户账户记录服务器(如果不是本机,请指定IP)

*****注释掉bindaddr * (77行),pppd提示unrecognized keyword: bindaddr

[root@vpn3-1 radiusclient-ng]# vi /usr/share/radiusclient-ng/dictionary

添加

INCLUDE /usr/share/freeradius/dictionary.merit
INCLUDE /usr/share/freeradius/dictionary.microsoft

****本来想直接使用freeradius-server自带的dictionary,但是,server使用的和client用的不一致,还必须使用client自带的文件,因此上边两行要改写为

INCLUDE /usr/share/radiusclient-ng/dictionary.merit
INCLUDE /usr/share/radiusclient-ng/dictionary.microsoft

其中dictionary.microsoft文件从http://wiki.freeradius.org/PopTop下载

修改server:

最后加上localhost secret(就是FreeRadius的client.conf里面定义的secret)

7、安装配置pptp

[root@vpn3-1 ~]# rpm -Uvh http://poptop.sourceforge.net/yum/stable/rhel6/pptp-release-current.noarch.rpm

[root@vpn3-1 ~]# yum install pptpd

[root@vpn3-1 ~]# vi /etc/ppp/options.pptpd 

将ms-dns设置为本地DNS或 8.8.8.8

ms-dns 8.8.8.8 #客户端首要DNS
ms-dns 8.8.4.4 #客户端次要DNS

末尾处添加

plugin /usr/lib64/pppd/2.4.5/radius.so
plugin /usr/lib64/pppd/2.4.5/radattr.so
radius-config-file /etc/radiusclient-ng/radiusclient.conf

[root@vpn3-1 ~]# vi /etc/pptpd.conf 

修改pptpd.conf:

ppp路径改为/usr/sbin/pppd

option路径为/etc/options.pptpd

注释掉logwtmp避免619错误

最后的localip根据需要设置

示例:

localip 202.xxx.16.250                               //vpn 服务器地址
remoteip 172.16.6.5-250                          //分配给拨号PC的地址

8、测试记录

运行radiusd -X

1)连接测试,提示无法连接,/var/log/message无访问记录,关闭iptbles

2)连接测试,提示鉴定失败,/var/log/message有提示

Jan 22 13:05:19 vpn3-1 pppd[22537]: /etc/radiusclient-ng/radiusclient.conf: line 77: unrecognized keyword: 

Jan 22 14:52:33 vpn3-1 pppd[1562]: rc_read_dictionary: invalid type on line 11 of dictionary /usr/share/freeradius/dictionary.microsoft
bindaddr

Jan 22 13:18:07 vpn3-1 pppd[22555]: rc_read_dictionary: couldn't open dictionary /usr/share/radiusclient-ng/dictionary: Permission denied

这是由于server使用的和client用的dictionary文件不一致,还必须使用client自带的文件

3)修改后,再次连接,radius server 反映正常,认证OK,可以建立VPN连接。但是,网络不通。

由于iptables没有启动,应该是该问题导致

4)在测试iptables时,出现了认证无法通过,radiusd -X的诊断信息有Reply-Message = "\r\nYou are already logged in - access denied\r\n\n",清空了radacct还是没有解决,最后发现:

将/etc/raddb/site-enabled/default中,session段内的radutmp注释

session {
#       radutmp

        #
        #  See "Simultaneous Use Checking Queries" in sql.conf
        sql
}

9、iptables配置

编写/etc/rc.local
#
echo "1" > /proc/sys/net/ipv4/ip_forward
iptables -F INPUT
iptables -F FORWARD
iptables -t nat -F
iptables -P INPUT ACCEPT
iptables -P FORWARD DROP
 
iptables -A FORWARD -s 172.16.6.0/24 -j ACCEPT   
iptables -A FORWARD -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
 
iptables -t nat -A POSTROUTING -o eth0 -s 172.16.6.0/24 -j SNAT --to 22.xxx.16.250
iptables -A FORWARD -p tcp --syn -s 172.16.6.0/24 -j TCPMSS --set-mss 1356
***注意22.xxx.16.250是服务器IP

或者编辑/etc/sysconfig/iptables

*filter
:INPUT ACCEPT [3603:650757]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -s 172.16.6.0/24 -j ACCEPT 
-A FORWARD -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A FORWARD -s 172.16.6.0/24 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j TCPMSS --set-mss 1356 
-A OUTPUT -j ACCEPT 
COMMIT
*nat
:PREROUTING ACCEPT [153:10779]
:POSTROUTING ACCEPT [4:493]
:OUTPUT ACCEPT [4:493]
-A POSTROUTING -s 172.16.6.0/24 -o eth0 -j SNAT --to-source 22.xxx.16.250 
COMMIT
***注意22.xxx.16.250是服务器IP

如果要限制某些IP访问VPN服务器(一般限制内网的人访问VPN),可以在rc.local添加

iptables -A INPUT -s 10.0.0.0/8 -j DROP

或在/etc/sysconfig/iptables中插入对应项

*filter
:INPUT ACCEPT [170:34471]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s 10.0.0.0/8 -j DROP 
-A FORWARD -s 172.16.6.0/24 -j ACCEPT 
-A FORWARD -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A FORWARD -s 172.16.6.0/24 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j TCPMSS --set-mss 1356 
-A OUTPUT -j ACCEPT 
COMMIT
*nat
:PREROUTING ACCEPT [15:1443]
:POSTROUTING ACCEPT [3:377]
:OUTPUT ACCEPT [3:377]
-A POSTROUTING -s 172.16.6.0/24 -o eth0 -j SNAT --to-source 22.xxx.16.250 
COMMIT

0
0

查看评论
* 以上用户言论只代表其个人观点,不代表CSDN网站的观点或立场
    个人资料
    • 访问:909087次
    • 积分:9279
    • 等级:
    • 排名:第1969名
    • 原创:13篇
    • 转载:688篇
    • 译文:0篇
    • 评论:49条
    文章分类