PPTP/L2TP+FreeRadius+MySQL ***

 一、測試內核支持pppd

 
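# Check that the running kernel and the installed pppd support MPPE.
cat /etc/issue
# Loading the MPPE compression module only succeeds when the kernel supports it.
modprobe ppp-compress-18 && echo "Test Ok"
# "Test Ok" printed above means the module loaded.
# Count MPPE references in the pppd binary. The original ran `strings which pppd`
# (strings on a file literally named "which") and `wc -lines`, which is not a
# valid wc option; resolve the binary path and count matching lines directly.
strings "$(command -v pppd)" | grep -ic mppe
# A count above 38 indicates MPPE support.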
 
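# Base packages: MySQL server, client and headers; PHP with MySQL, GD,
# mbstring, XML and mcrypt bindings; Apache with headers.
packages=(
  wget
  mysql mysql-server mysql-devel
  php php-mysql php-gd php-mbstring php-xml php-mcrypt php-devel
  httpd httpd-devel
)
yum install -y "${packages[@]}"
service httpd start
service mysqld start
# Set the MySQL root password. The original passed it as a command-line
# argument (mysqladmin -u root password 'qwertyu'), which leaves it visible
# in `ps` output and in the shell history; read it from the terminal and send
# it over stdin instead. Later steps in this guide assume the value 'qwertyu'.
# A password containing a single quote would need escaping in the statement.
read -rsp 'New MySQL root password: ' mysql_root_password; echo
mysql -u root <<SQL
SET PASSWORD = PASSWORD('${mysql_root_password}');
SQL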
 
二、下載安裝PPP
# Build ppp 2.4.5 from source; it installs under /usr/local by default.
# The tarball is fetched over plain FTP with no integrity check; compare it
# against the checksum published by the project before building.
ppp_tarball=ppp-2.4.5.tar.gz
wget "ftp://ftp.samba.org/pub/ppp/${ppp_tarball}"
tar -xf "$ppp_tarball"
cd "${ppp_tarball%.tar.gz}" && ./configure && make && make install
 
安裝輸出如下
cd pppd; make  install
make[1]: Entering directory `/root/ppp-2.4.5/pppd'
mkdir -p /usr/local/sbin /usr/local/share/man/man8
install -s -c -m 555 pppd /usr/local/sbin/pppd
if chgrp pppusers /usr/local/sbin/pppd 2>/dev/null; then \
 chmod o-rx,u+s /usr/local/sbin/pppd; fi
install -c -m 444 pppd.8 /usr/local/share/man/man8
make[1]: Leaving directory `/root/ppp-2.4.5/pppd'
cd pppstats; make  install
make[1]: Entering directory `/root/ppp-2.4.5/pppstats'
mkdir -p /usr/local/share/man/man8
install -s -c pppstats /usr/local/sbin
install -c -m 444 pppstats.8 /usr/local/share/man/man8
make[1]: Leaving directory `/root/ppp-2.4.5/pppstats'
cd pppdump; make  install
make[1]: Entering directory `/root/ppp-2.4.5/pppdump'
mkdir -p /usr/local/sbin /usr/local/share/man/man8
install -s -c pppdump /usr/local/sbin
install -c -m 444 pppdump.8 /usr/local/share/man/man8
make[1]: Leaving directory `/root/ppp-2.4.5/pppdump'
cd pppd; make  install-devel
make[1]: Entering directory `/root/ppp-2.4.5/pppd'
mkdir -p /usr/local/include/pppd
install -c -m 644 ccp.h session.h chap-new.h ecp.h fsm.h ipcp.h ipxcp.h lcp.h magic.h md5.h patchlevel.h pathnames.h pppd.h upap.h eap.h md4.h chap_ms.h sha1.h pppcrypt.h tdb.h spinlock.h /usr/local/include/pppd
make[1]: Leaving directory `/root/ppp-2.4.5/pppd'
 
三、下載安裝PPTP和L2TP
1、PPTP
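# Build and install pptpd 1.3.4 under /usr/local/pptpd.
# The SourceForge ".../download" URL saves the file as "download" unless a
# name is given, so the next tar step would fail; -O fixes the file name.
pptpd_tarball=pptpd-1.3.4.tar.gz
wget -O "$pptpd_tarball" \
  "http://sourceforge.net/projects/poptop/files/pptpd/pptpd-1.3.4/${pptpd_tarball}/download"
tar -xf "$pptpd_tarball"
cd pptpd-1.3.4 && ./configure --prefix=/usr/local/pptpd/ && make && make install
# The configuration file lives in /usr/local/pptpd/etc; pptpd is started
# later with -c pointing at it (mkdir -p so a re-run does not fail).
mkdir -p /usr/local/pptpd/etc
cp samples/pptpd.conf /usr/local/pptpd/etc
cp samples/options.pptpd /etc/ppp/
cp samples/chap-secrets /etc/ppp/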
 
pptpd_conf=/usr/local/pptpd/etc/pptpd.conf
# Point pptpd at the freshly built pppd (inserted after the commented "#ppp" line).
sed -i '/^#ppp.*/a ppp /usr/local/sbin/pppd' "$pptpd_conf"
# Disable wtmp logging.
sed -i '/^logwtmp$/s/logwtmp/#logwtmp/' "$pptpd_conf"
# Server-side virtual address (a single address or a range); it should not
# overlap the LAN's subnet.
printf 'localip 192.168.0.1\n' >> "$pptpd_conf"
# Address pool handed out to clients.
printf 'remoteip 192.168.0.200-192.168.0.254\n' >> "$pptpd_conf"
 
options_pptpd=/etc/ppp/options.pptpd
# Optional: hand clients a DNS server (8.8.8.8 here). Once addresses are
# assigned on both ends, the server's virtual IP is every client's gateway.
sed -i 's/#ms-dns 10\.0\.0\.1/ms-dns 8\.8\.8\.8/' "$options_pptpd"
 
# PPTP account in chap-secrets, format "client server secret IP". The server
# field ("pptpd") must equal the "name" value in /etc/ppp/options.pptpd and
# "*" accepts any IP. The test/test credentials are placeholders; replace
# them before exposing the service and keep this file readable by root only.
printf '%s\n' 'test pptpd test *' >> /etc/ppp/chap-secrets
 
# Start pptpd with the configuration written above.
pptpd_bin=/usr/local/pptpd/sbin/pptpd
"$pptpd_bin" -c /usr/local/pptpd/etc/pptpd.conf
 
使用windows客戶端連接測試PPTP服務是否正常
 
2.L2TP
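#!/bin/bash
# openswan provides the IPsec layer; libpcap-devel is a build dependency of
# the L2TP daemon. The original spelled the package "openswawn", which yum
# cannot resolve.
yum install -y wget openswan libpcap-devel
# Keep the distribution ipsec.conf; a fresh one is written in the next step.
mv /etc/ipsec.conf /etc/ipsec.conf.bak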
 
echo >> /etc/ipsec.conf <<EOF
version 2.0
config setup
nat_traversal=yes
vitual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
oe=off
protostack=netkey
 
conn L2TP-PSK-NAT
rightsubnet=vhost:%priv
also=L2TP-PSK-noNAT
conn L2TP-PSK-noNAT
authby=secret
pfs=no
auto=add
keyingtries=3
rekey=no
ikelifetime=8h
keylife=1h
type=transport
leftprotoport=17/1701
right=%any
rightprotoport=17/%any
EOF
echo "left=$master_ip" >> /etc/ipsec.conf
 
 
echo "$master_ip %any: PSK \"pass\"" >> /etc/ipsec.secrets
##PSK "pass"   爲IPSEC共享密鑰
 
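# Disable ICMP redirect acceptance and sending on every interface, which
# openswan expects before IPsec is brought up. These /proc writes do not
# survive a reboot; mirror them in /etc/sysctl.conf for persistence.
for conf in /proc/sys/net/ipv4/conf/*; do
  echo 0 > "$conf/accept_redirects"
  echo 0 > "$conf/send_redirects"
done

/etc/init.d/ipsec start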
 
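# rp-l2tp supplies the l2tp-control helper used by xl2tpd. The original
# downloaded "rp-l2tp-0.4.tar.gz" but extracted and entered "rp-l2tp-04",
# and linked a non-existent "l2tpd-control" instead of the copied
# "l2tp-control"; the names are made consistent here.
# (extract directory assumed to be rp-l2tp-0.4 — confirm with `tar -tf`)
rp_l2tp_tarball=rp-l2tp-0.4.tar.gz
wget "http://downloads.sourceforge.net/project/rp-l2tp/rp-l2tp/0.4/${rp_l2tp_tarball}"
tar -xf "$rp_l2tp_tarball"
cd rp-l2tp-0.4 || exit 1
./configure && make
cp handlers/l2tp-control /usr/local/sbin/
mkdir -p /var/run/xl2tpd/
ln -s /usr/local/sbin/l2tp-control /var/run/xl2tpd/l2tp-control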
 
# Build xl2tpd 1.2.4 and seed its configuration from the shipped examples.
# The tarball comes over plain HTTP with no integrity check; verify it
# against a checksum from the project before building.
xl2tpd_tarball=xl2tpd-1.2.4.tar.gz
wget "http://ywko.googlecode.com/files/${xl2tpd_tarball}"
tar -xf "$xl2tpd_tarball"
cd xl2tpd-1.2.4 && make && make install
mkdir /etc/xl2tpd/
cp examples/xl2tpd.conf /etc/xl2tpd/
# NOTE(review): the pppd options sample is copied from the source tree root
# here; confirm its location in this release (some keep it under examples/).
cp options.xl2tpd /etc/ppp/

# Keep an untouched copy before appending to the example configuration.
cp /etc/xl2tpd/xl2tpd.conf /etc/xl2tpd/xl2tpd.conf.bak
 
# Append the L2TP server settings. The example file this is appended to may
# already define [global] / [lns default]; check for duplicate sections.
# "refuse chap/pap" plus "require authentication" leaves MS-CHAP for pppd;
# "ppp debug" is verbose and should be turned off once the setup works.
cat >> /etc/xl2tpd/xl2tpd.conf <<'EOF'
[global]
ipsec saref = yes
[lns default]
ip range = 192.168.254.2-200
local ip = 192.168.254.1
refuse chap = yes
refuse pap = yes
require authentication = yes
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
EOF
 
# Back up the sample pppd options and append the L2TP-specific ones.
# "name l2tpd" is the server name that chap-secrets entries must use.
# "noccp" disables CCP negotiation, so there is no MPPE on the PPP link;
# confidentiality comes from the IPsec layer alone.
cp /etc/ppp/options.xl2tpd /etc/ppp/options.xl2tpd.bak
cat >> /etc/ppp/options.xl2tpd <<'EOF'
name l2tpd
ipcp-accept-local
ipcp-accept-remote
ms-dns 8.8.8.8
noccp
auth
crtscts
idle 1800
mtu 1410
mru 1410
nodefaultroute
debug
lock
proxyarp
connect-delay 5000
EOF
 
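# L2TP account: client "test", server "l2tpd" (must match "name l2tpd" in
# options.xl2tpd), secret "test", any IP. The original used typographic
# quotes (“ ”), which were written into the file verbatim and broke the
# entry. The test/test credentials are placeholders to replace before use.
printf '%s\n' 'test l2tpd test *' >> /etc/ppp/chap-secrets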
 
四、FreeRadius安裝
1.服務器端
# FreeRADIUS 2.2.0 server, installed under /usr/local/radius.
radius_prefix=/usr/local/radius
freeradius_tarball=freeradius-server-2.2.0.tar.gz
wget "ftp://ftp.freeradius.org/pub/freeradius/${freeradius_tarball}"
tar -xf "$freeradius_tarball"
cd freeradius-server-2.2.0 && ./configure --prefix="$radius_prefix" && make && make install

# Uncomment the sample user "steve" (password "testing") for a smoke test.
# It is a well-known default account; comment it out again once the test passes.
sed -i '/^#steve.*/s/#steve/steve/' "${radius_prefix}/etc/raddb/users"

# Run the server in debug mode (foreground). From a second terminal run:
#   /usr/local/radius/bin/radtest steve testing localhost 1812 testing123
# A reply such as "rad_recv: Access-Accept packet from host 127.0.0.1 port
# 1812, id=68, length=20" means the server works; 1812 is the auth port and
# testing123 the shared secret for localhost.
"${radius_prefix}/sbin/radiusd" -X
 
2.客戶端(本例中服務器和客戶端和mysql都在同一臺機器)
# FreeRADIUS client library; in this walkthrough the server, the client and
# MySQL all run on the same host.
rc_prefix=/usr/local/radius-client
wget ftp://ftp.freeradius.org/pub/freeradius/freeradius-client-1.1.6.tar.bz2
tar -xf freeradius-client-1.1.6.tar.bz2
cd freeradius-client-1.1.6 && ./configure --prefix="${rc_prefix}/" && make && make install

# RADIUS server address and shared secret for the client. "testing123" is
# the stock localhost secret from the server's clients.conf; change it on
# both sides for anything beyond a local test.
printf '%s\n' 'localhost testing123' >> "${rc_prefix}/etc/radiusclient/servers"
 
# Microsoft vendor dictionary so the server understands the attributes sent
# by Windows clients. It is fetched over plain HTTP; review the file before
# installing it.
rc_dict_dir=/usr/local/radius-client/etc/radiusclient
wget -c http://small-script.googlecode.com/files/dictionary.microsoft
mv dictionary.microsoft "${rc_dict_dir}/"
 
# Pull the extra dictionaries into the client's main dictionary file.
rc_dict_dir=/usr/local/radius-client/etc/radiusclient
for dict in sip ascend merit compat microsoft; do
  printf 'INCLUDE %s/dictionary.%s\n' "$rc_dict_dir" "$dict"
done >> "${rc_dict_dir}/dictionary"
 
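# Comment out options the RADIUS setup does not want. The patterns are
# anchored to the start of the line (keeping any indentation) so they only
# touch live settings and are idempotent: the original matched anywhere in
# the line, so "logwtmp", already commented by an earlier step, became
# "##logwtmp" and re-runs kept adding "#".
rc_conf=/usr/local/radius-client/etc/radiusclient/radiusclient.conf
sed -i 's/^\([[:space:]]*\)logwtmp/\1#logwtmp/' /usr/local/pptpd/etc/pptpd.conf
sed -i 's/^\([[:space:]]*\)radius_deadtime/\1#radius_deadtime/' "$rc_conf"
sed -i 's/^\([[:space:]]*\)bindaddr/\1#bindaddr/' "$rc_conf"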
 
# Enable the pppd RADIUS plugin for PPTP sessions.
radius_plugin=/usr/local/lib/pppd/2.4.5/radius.so
radius_cfg=/usr/local/radius-client/etc/radiusclient/radiusclient.conf
printf 'plugin %s\nradius-config-file %s\n' "$radius_plugin" "$radius_cfg" >> /etc/ppp/options.pptpd
 
# Enable the pppd RADIUS plugin for L2TP sessions (same two lines as for PPTP).
radius_plugin=/usr/local/lib/pppd/2.4.5/radius.so
radius_cfg=/usr/local/radius-client/etc/radiusclient/radiusclient.conf
printf 'plugin %s\nradius-config-file %s\n' "$radius_plugin" "$radius_cfg" >> /etc/ppp/options.xl2tpd
 
 
五、FreeRadius Mysql模塊
 
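# Enable the SQL module by uncommenting the "$INCLUDE sql.conf" line in
# radiusd.conf. The original pattern stripped the first "#" from every line
# mentioning sql.conf, including comments; this one only touches the
# commented-out $INCLUDE directive itself.
sed -i '/^#[[:space:]]*\$INCLUDE[[:space:]]*sql\.conf/s/^#//' /usr/local/radius/etc/raddb/radiusd.conf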
 
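# Create the radius database and load the FreeRADIUS MySQL schema.
# The root password is read from the environment and handed to the clients
# through a temporary defaults file (mktemp creates it mode 0600) instead of
# -p<password> on the command line, which exposes it in `ps` output and the
# shell history. A password containing "#" or quotes would need quoting in
# the my.cnf syntax.
: "${MYSQL_ROOT_PASSWORD:?set MYSQL_ROOT_PASSWORD (this guide used 'qwertyu')}"
mysql_defaults=$(mktemp) || exit 1
trap 'rm -f -- "$mysql_defaults"' EXIT
printf '[client]\nuser=root\npassword=%s\n' "$MYSQL_ROOT_PASSWORD" > "$mysql_defaults"

sql_dir=/usr/local/radius/etc/raddb/sql/mysql
mysqladmin --defaults-extra-file="$mysql_defaults" create radius
# admin.sql creates the MySQL user "radius" with password "radpass", and
# /usr/local/radius/etc/raddb/sql.conf connects with that same pair. To use
# other credentials change both files, e.g.
#   sed -i 's/radpass/<new-password>/g' admin.sql   (and the same in sql.conf)
mysql --defaults-extra-file="$mysql_defaults" < "${sql_dir}/admin.sql"
# Load the remaining schema files into the radius database, in the original order.
for schema in ippool schema wimax cui nas; do
  mysql --defaults-extra-file="$mysql_defaults" radius < "${sql_dir}/${schema}.sql"
done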
 
raddb=/usr/local/radius/etc/raddb
# Let the sql module read NAS clients from the "nas" table in addition to
# the default source, clients.conf.
sed -i 's/\#readclients/readclients/g' "${raddb}/sql.conf"
# Enable the online-session count queries. With the versions and steps above
# these are lines 290-293 (simul_count_query and the three lines after it);
# on another version uncomment those lines by name instead.
sed -i '290,293s/#//' "${raddb}/sql/mysql/dialup.conf"
 
sites_default=/usr/local/radius/etc/raddb/sites-enabled/default
# Switch the default virtual server from file/radutmp backends to sql. The
# line numbers are specific to the 2.2.0 default file; inspect them with
# `sed -n 'Np'` before running this against any other version.
#   authorize{}:  comment out "files" (170), enable "sql" (177)
#   accounting{}: comment out "radutmp" (396), enable "sql" (406)
#   post-auth{}:  enable both "sql" lines (475, 565)
#   session{}:    comment out "radutmp" (450), enable "sql" (454)
sed -i \
  -e '177s/#//' -e '170s/^/#/' \
  -e '406s/#//' -e '396s/^/#/' \
  -e '565s/#//' -e '475s/#//' \
  -e '454s/#//' -e '450s/^/#/' \
  "$sites_default"
 
inner_tunnel=/usr/local/radius/etc/raddb/sites-enabled/inner-tunnel
# Same backend switch for the inner-tunnel virtual server (2.2.0 line numbers;
# verify them before using this on another version).
#   authorize{}: comment out "files" (125), enable "sql" (132)
#   session{}:   comment out "radutmp" (252), enable "sql" (256)
#   post-auth{}: enable both "sql" lines (278, 302)
sed -i \
  -e '132s/#//' -e '125s/^/#/' \
  -e '256s/#//' -e '252s/^/#/' \
  -e '278s/#//' -e '302s/#//' \
  "$inner_tunnel"
 
 
用戶權限管理
# Connect to MySQL as root (the password is given on the command line here,
# which exposes it in process listings and shell history; a root-only
# ~/.my.cnf or an interactive -p prompt avoids that).
mysql -uroot -pqwertyu;

# Switch to the radius database.
USE radius;

# Add user "demo" with password "demo". Per-user check items go in radcheck.
INSERT INTO radcheck (username,attribute,op,VALUE) VALUES ('demo','Cleartext-Password',':=','demo');

# Put demo into the VIP1 group.
INSERT INTO radusergroup (username,groupname) VALUES ('demo','VIP1');

# Cap concurrent logins per group; group check items go in radgroupcheck.
# NOTE(review): this row targets group "normal", but demo was added to "VIP1"
# above, so it does not limit demo — confirm which group is intended.
INSERT INTO radgroupcheck (groupname,attribute,op,VALUE) VALUES ('normal','Simultaneous-Use',':=','1');

# Reply attributes for VIP1: PPP framed session, MTU 1500, VJ compression.
# NOTE(review): Auth-Type is a check item, not a reply attribute; putting it
# in radgroupreply is unlikely to have the intended effect — verify.
INSERT INTO radgroupreply (groupname,attribute,op,VALUE) VALUES ('VIP1','Auth-Type',':=','Local');
INSERT INTO radgroupreply (groupname,attribute,op,VALUE) VALUES ('VIP1','Service-Type',':=','Framed-User');
INSERT INTO radgroupreply (groupname,attribute,op,VALUE) VALUES ('VIP1','Framed-Protocol',':=','PPP');
INSERT INTO radgroupreply (groupname,attribute,op,VALUE) VALUES ('VIP1','Framed-MTU',':=','1500');
INSERT INTO radgroupreply (groupname,attribute,op,VALUE) VALUES ('VIP1','Framed-Compression',':=','Van-Jacobson-TCP-IP');
 
六、啓動radiusd
# Install the shipped init script and start radiusd as a service.
radiusd_init=/etc/init.d/radiusd
cp /usr/local/radius/sbin/rc.radiusd "$radiusd_init"
"$radiusd_init" start
 
###################################################################################
如果出現“rlm_sql (sql): Could not link driver rlm_sql_mysql: rlm_sql_mysql.so: cannot open shared object file: No such file or directory
”找不到驅動包的錯誤,就要
a:先安裝mysql-devel
b:然後進入到freeradius的安裝文件目錄下的src/modules/rlm_sql/drivers/rlm_sql_mysql 運行命令:./configure --with-mysql-dir=/usr/share/mysql/ --with-mysql-lib-dir=/usr/lib/mysql/
c:make;make install  這時候會把rlm_sql_mysql的驅動安裝到/usr/local/lib目錄下,但是必須把這些驅動copy到/usr/lib目錄下才能正常運行:#cp -a /usr/local/lib/rlm_sql_mysql* /usr/lib
還有可能出現關於eap的錯誤,說什麼server.pem證書讀取失敗,實際上server.pem證書根本沒有.進到/usr/local/etc/raddb/certs/目錄下.運行裏面的bootstrap文件#./bootstrap 會自動創建證書.實在不明白,
 