PPTP/L2TP+FreeRadius+MySQL ***

 一、测试内核支持pppd

 
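# Sanity-check that the running kernel and the installed pppd have the
# pieces PPTP needs (MPPE). Print the distribution banner first for the record.
cat /etc/issue
# Loading the MPPE compression module only succeeds when the kernel ships it;
# "Test Ok" on stdout means the module is available.
modprobe ppp-compress-18 && echo "Test Ok"
# Count MPPE references inside the pppd binary. The original line was
# `strings which pppd | grep -i mppe | wc -lines`: it looked for a file
# literally named "which" and passed an invalid option to wc. The command
# substitution is what was intended; grep -c counts matching lines directly.
strings "$(command -v pppd)" | grep -ic mppe
# The original guide treats a count above 38 as "MPPE supported".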
 
# Runtime and build dependencies for the rest of the guide: MySQL server,
# client and headers, PHP with MySQL support, and Apache with its headers.
packages=(wget mysql mysql-server mysql-devel
  php php-mysql php-gd php-mbstring php-xml php-mcrypt php-devel
  httpd httpd-devel)
yum install -y "${packages[@]}"

# The services must be up before the root password can be set.
for svc in httpd mysqld; do
  service "$svc" start
done

# Set the MySQL root password. As in the original guide the password is
# given on the command line, so it is visible in `ps` output and in the
# shell history for as long as the command runs / the history persists.
mysqladmin -u root password 'qwertyu'
 
二、下载安装PPP
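# Fetch, build and install ppp 2.4.5. The steps are chained with && so a
# failed download or extraction stops here instead of letting
# `./configure && make install` run in whatever directory we happen to be in.
# The tarball comes over plain FTP with no signature or checksum check;
# compare it against the hash the project publishes (not reproduced here)
# before building.
wget ftp://ftp.samba.org/pub/ppp/ppp-2.4.5.tar.gz \
  && tar -xf ppp-2.4.5.tar.gz \
  && cd ppp-2.4.5 \
  && ./configure && make && make install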
 
安装输出如下
cd pppd; make  install
make[1]: Entering directory `/root/ppp-2.4.5/pppd'
mkdir -p /usr/local/sbin /usr/local/share/man/man8
install -s -c -m 555 pppd /usr/local/sbin/pppd
if chgrp pppusers /usr/local/sbin/pppd 2>/dev/null; then \
 chmod o-rx,u+s /usr/local/sbin/pppd; fi
install -c -m 444 pppd.8 /usr/local/share/man/man8
make[1]: Leaving directory `/root/ppp-2.4.5/pppd'
cd pppstats; make  install
make[1]: Entering directory `/root/ppp-2.4.5/pppstats'
mkdir -p /usr/local/share/man/man8
install -s -c pppstats /usr/local/sbin
install -c -m 444 pppstats.8 /usr/local/share/man/man8
make[1]: Leaving directory `/root/ppp-2.4.5/pppstats'
cd pppdump; make  install
make[1]: Entering directory `/root/ppp-2.4.5/pppdump'
mkdir -p /usr/local/sbin /usr/local/share/man/man8
install -s -c pppdump /usr/local/sbin
install -c -m 444 pppdump.8 /usr/local/share/man/man8
make[1]: Leaving directory `/root/ppp-2.4.5/pppdump'
cd pppd; make  install-devel
make[1]: Entering directory `/root/ppp-2.4.5/pppd'
mkdir -p /usr/local/include/pppd
install -c -m 644 ccp.h session.h chap-new.h ecp.h fsm.h ipcp.h ipxcp.h lcp.h magic.h md5.h patchlevel.h pathnames.h pppd.h upap.h eap.h md4.h chap_ms.h sha1.h pppcrypt.h tdb.h spinlock.h /usr/local/include/pppd
make[1]: Leaving directory `/root/ppp-2.4.5/pppd'
 
三、下载安装PPTP和L2TP
1、PPTP
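# --- PPTP (poptop 1.3.4) ---
# The SourceForge ".../download" URL saves the file under the name
# "download"; without -O the tar on the next line would not find
# pptpd-1.3.4.tar.gz. The remaining steps are chained so a failed
# download or extraction stops the build.
wget -O pptpd-1.3.4.tar.gz \
  http://sourceforge.net/projects/poptop/files/pptpd/pptpd-1.3.4/pptpd-1.3.4.tar.gz/download \
  && tar -xf pptpd-1.3.4.tar.gz \
  && cd pptpd-1.3.4 \
  && ./configure --prefix=/usr/local/pptpd/ && make && make install

# The configuration is kept under /usr/local/pptpd/etc (the original
# comment said "conf", but every later command uses "etc"); pptpd is
# started with -c pointing at it. -p keeps this from failing when
# `make install` already created the directory.
mkdir -p /usr/local/pptpd/etc
cp samples/pptpd.conf /usr/local/pptpd/etc
cp samples/options.pptpd /etc/ppp/
cp samples/chap-secrets /etc/ppp/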
 
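# Point pptpd at the pppd built above: insert the line after the commented
# "#ppp" example in pptpd.conf.
sed -i '/^#ppp.*/a ppp /usr/local/sbin/pppd' /usr/local/pptpd/etc/pptpd.conf
# Disable wtmp logging.
sed -i '/^logwtmp$/s/logwtmp/#logwtmp/' /usr/local/pptpd/etc/pptpd.conf
# localip is the server's tunnel-side address (a single address or a range);
# keep it outside the LAN's own subnet.
printf '%s\n' 'localip 192.168.0.1' >> /usr/local/pptpd/etc/pptpd.conf
# remoteip is the address pool handed out to connecting clients.
printf '%s\n' 'remoteip 192.168.0.200-192.168.0.254' >> /usr/local/pptpd/etc/pptpd.conf

# Optional: DNS server pushed to clients. Once both ends have addresses,
# the server's tunnel address is the gateway for every client.
sed -i 's/#ms-dns 10\.0\.0\.1/ms-dns 8\.8\.8\.8/' /etc/ppp/options.pptpd

# Credentials file, one entry per line: username servername password IP.
# servername must equal the "name" value in /etc/ppp/options.pptpd.
printf '%s\n' 'test pptpd test *' >> /etc/ppp/chap-secrets
# chap-secrets holds passwords in clear text; restrict it to root. The
# original guide never set a mode on the copied sample file.
chmod 600 /etc/ppp/chap-secrets

# Start pptpd with the configuration written above.
/usr/local/pptpd/sbin/pptpd -c /usr/local/pptpd/etc/pptpd.conf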
 
使用windows客户端连接测试PPTP服务是否正常
 
2.L2TP
#!/bin/bash
 
yum install -y wget openswawn libpcap-devel
##openswan为ipsec    libcap-devel被L2TP依赖
mv /etc/ipsec.conf /etc/ipsec.conf.bak
 
echo >> /etc/ipsec.conf <<EOF
version 2.0
config setup
nat_traversal=yes
vitual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
oe=off
protostack=netkey
 
conn L2TP-PSK-NAT
rightsubnet=vhost:%priv
also=L2TP-PSK-noNAT
conn L2TP-PSK-noNAT
authby=secret
pfs=no
auto=add
keyingtries=3
rekey=no
ikelifetime=8h
keylife=1h
type=transport
leftprotoport=17/1701
right=%any
rightprotoport=17/%any
EOF
echo "left=$master_ip" >> /etc/ipsec.conf
 
 
echo "$master_ip %any: PSK \"pass\"" >> /etc/ipsec.secrets
##PSK "pass"   为IPSEC共享密钥
 
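# Disable ICMP redirect acceptance and emission on every IPv4 interface.
# Writes under /proc/sys do not survive a reboot; the matching
# net.ipv4.conf.*.accept_redirects / send_redirects keys belong in
# /etc/sysctl.conf to make this permanent.
for iface_dir in /proc/sys/net/ipv4/conf/*; do
  echo 0 > "$iface_dir/accept_redirects"
  echo 0 > "$iface_dir/send_redirects"
done

/etc/init.d/ipsec start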
 
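# rp-l2tp is built only for its l2tp-control handler, which is then linked
# to the path under /var/run/xl2tpd used later in this guide. The original
# downloaded "rp-l2tp-0.4.tar.gz" but then ran tar and cd on "rp-l2tp-04",
# and symlinked a non-existent "l2tpd-control"; the names are made
# consistent here (assumes the tarball unpacks to rp-l2tp-0.4 -- confirm).
wget http://downloads.sourceforge.net/project/rp-l2tp/rp-l2tp/0.4/rp-l2tp-0.4.tar.gz \
  && tar -xf rp-l2tp-0.4.tar.gz \
  && cd rp-l2tp-0.4 \
  && ./configure && make
cp handlers/l2tp-control /usr/local/sbin/
mkdir -p /var/run/xl2tpd/
# -f: replace a stale link from an earlier run instead of failing.
ln -sf /usr/local/sbin/l2tp-control /var/run/xl2tpd/l2tp-control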
 
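# xl2tpd 1.2.4: build, install, and seed its configuration from the
# shipped examples. Chained so a failed download does not continue.
# NOTE(review): googlecode.com no longer serves files; obtain the tarball
# from the project's current home and verify it before building.
wget http://ywko.googlecode.com/files/xl2tpd-1.2.4.tar.gz \
  && tar -xf xl2tpd-1.2.4.tar.gz \
  && cd xl2tpd-1.2.4 \
  && make && make install
# -p: `make install` may already have created the directory.
mkdir -p /etc/xl2tpd/
cp examples/xl2tpd.conf /etc/xl2tpd/
# NOTE(review): the sample pppd options file may live under examples/ with
# a different name in this tarball; confirm the path before relying on it.
cp options.xl2tpd /etc/ppp/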
 
# Keep a pristine copy of the example file before appending our settings.
cp /etc/xl2tpd/xl2tpd.conf /etc/xl2tpd/xl2tpd.conf.bak

# xl2tpd settings: an LNS handing out 192.168.254.2-200 behind 192.168.254.1,
# refusing CHAP and PAP while requiring authentication (so only the PPP
# methods left in pppd -- presumably MS-CHAP -- can succeed), with pppd
# options taken from /etc/ppp/options.xl2tpd. The delimiter is quoted
# because nothing in the block is meant to be expanded. Appending adds a
# second [global]/[lns default] section if the example already defines
# them; inspect the resulting file.
cat >> /etc/xl2tpd/xl2tpd.conf <<'EOF'
[global]
ipsec saref = yes
[lns default]
ip range = 192.168.254.2-200
local ip = 192.168.254.1
refuse chap = yes
refuse pap = yes
require authentication = yes
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
EOF
 
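# Back up the shipped pppd options before extending them.
cp /etc/ppp/options.xl2tpd /etc/ppp/options.xl2tpd.bak
# pppd options for L2TP sessions. "name l2tpd" is the servername that
# chap-secrets entries must carry. Quoted delimiter: no expansion wanted.
cat >> /etc/ppp/options.xl2tpd <<'EOF'
name l2tpd
ipcp-accept-local
ipcp-accept-remote
ms-dns 8.8.8.8
noccp
auth
crtscts
idle 1800
mtu 1410
mru 1410
nodefaultroute
debug
lock
proxyarp
connect-delay 5000
EOF

# L2TP credentials (username servername password IP). The original used
# Unicode curly quotes (“ ”), which bash does not treat as quoting, so the
# quote characters themselves were written and the username field became
# “test rather than test. Straight quotes fix the entry.
printf '%s\n' 'test l2tpd test *' >> /etc/ppp/chap-secrets
# Clear-text passwords: keep the file readable by root only.
chmod 600 /etc/ppp/chap-secrets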
 
四、FreeRadius安装
1.服务器端
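# --- FreeRADIUS server 2.2.0 ---
# Unauthenticated FTP download: verify the tarball against the project's
# published checksum or signature before building. Steps are chained so
# a failed download or extraction stops here.
wget ftp://ftp.freeradius.org/pub/freeradius/freeradius-server-2.2.0.tar.gz \
  && tar -xf freeradius-server-2.2.0.tar.gz \
  && cd freeradius-server-2.2.0 \
  && ./configure --prefix=/usr/local/radius && make && make install

# Enable the sample user "steve" (password "testing") in the shipped users
# file. It exists only to check the install with radtest below; re-comment
# or delete the line before the server is reachable from anywhere else.
sed -i '/^#steve.*/s/#steve/steve/' /usr/local/radius/etc/raddb/users

# Run in the foreground with debug output. From a second terminal:
#   /usr/local/radius/bin/radtest steve testing localhost 1812 testing123
# i.e. authenticate steve/testing against port 1812 on this host; the last
# argument, testing123, is the client shared secret. A reply such as
# "rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=68,
# length=20" means the server works.
/usr/local/radius/sbin/radiusd -X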
 
2.客户端(本例中服务器和客户端和mysql都在同一台机器)
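# --- FreeRADIUS client library 1.1.6 (used by pppd's radius plugin) ---
# In this guide the server, the client and MySQL all live on one machine.
wget ftp://ftp.freeradius.org/pub/freeradius/freeradius-client-1.1.6.tar.bz2 \
  && tar -xf freeradius-client-1.1.6.tar.bz2 \
  && cd freeradius-client-1.1.6 \
  && ./configure --prefix=/usr/local/radius-client/ && make && make install

# RADIUS server address and shared secret for the client. "testing123" is
# the secret shipped for the localhost client in the default clients.conf;
# change it on both sides before any other host can reach the NAS. The file
# contains the secret, so keep it root-only.
printf '%s\n' 'localhost testing123' >> /usr/local/radius-client/etc/radiusclient/servers
chmod 600 /usr/local/radius-client/etc/radiusclient/servers

# Microsoft VSA dictionary so the attributes sent by Windows clients are
# understood. NOTE(review): googlecode.com no longer serves files; take
# dictionary.microsoft from a trusted source (e.g. the freeradius-client
# or freeradius-server source tree) instead of an arbitrary mirror.
wget -c http://small-script.googlecode.com/files/dictionary.microsoft
mv dictionary.microsoft /usr/local/radius-client/etc/radiusclient/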
 
# Pull the additional dictionaries (including dictionary.microsoft above)
# into the client's main dictionary. Quoted delimiter: no expansion wanted.
cat >>/usr/local/radius-client/etc/radiusclient/dictionary <<'EOF'
INCLUDE /usr/local/radius-client/etc/radiusclient/dictionary.sip
INCLUDE /usr/local/radius-client/etc/radiusclient/dictionary.ascend
INCLUDE /usr/local/radius-client/etc/radiusclient/dictionary.merit
INCLUDE /usr/local/radius-client/etc/radiusclient/dictionary.compat
INCLUDE /usr/local/radius-client/etc/radiusclient/dictionary.microsoft
EOF

# Comment out logwtmp in pptpd.conf (the PPTP section already did this for
# the exact "logwtmp" line; a second pass yields "##logwtmp", harmless).
sed -i 's/logwtmp/#logwtmp/g' /usr/local/pptpd/etc/pptpd.conf
# Comment out radius_deadtime and bindaddr in radiusclient.conf. The
# original guide gives no reason; presumably the 1.1.6 client rejects
# them. Both substitutions run in one sed invocation.
sed -i \
  -e 's/radius_deadtime/#radius_deadtime/g' \
  -e 's/bindaddr/#bindaddr/g' \
  /usr/local/radius-client/etc/radiusclient/radiusclient.conf
 
# Load pppd's RADIUS plugin for both the PPTP and the L2TP option files and
# point it at the client configuration set up above. The plugin path
# carries the pppd version built earlier (2.4.5).
for ppp_opts in /etc/ppp/options.pptpd /etc/ppp/options.xl2tpd; do
  cat >>"$ppp_opts" <<'EOF'
plugin /usr/local/lib/pppd/2.4.5/radius.so
radius-config-file /usr/local/radius-client/etc/radiusclient/radiusclient.conf
EOF
done
 
 
五、FreeRadius Mysql模块
 
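# Enable the SQL module by uncommenting the sql.conf include in radiusd.conf.
sed -i '/sql\.conf/s/#//' /usr/local/radius/etc/raddb/radiusd.conf

# MySQL root credentials. The original passed -pqwertyu on every command
# line, which exposes the password in `ps` output and the shell history.
# A root-only temporary option file (read via --defaults-extra-file) keeps
# it off argv. The default value is the one the guide set earlier.
mysql_root_pw=${MYSQL_ROOT_PASSWORD:-qwertyu}
mysql_cnf=$(mktemp) || exit 1
chmod 600 "$mysql_cnf"
printf '[client]\nuser=root\npassword=%s\n' "$mysql_root_pw" > "$mysql_cnf"

# Create the radius database.
mysqladmin --defaults-extra-file="$mysql_cnf" create radius

# admin.sql creates the MySQL user "radius" with password "radpass", and
# /usr/local/radius/etc/raddb/sql.conf connects with those same
# credentials. To use different ones, change both files before this step,
# e.g. sed -i 's/radpass/<new-password>/g' admin.sql and the same on sql.conf.
mysql --defaults-extra-file="$mysql_cnf" < /usr/local/radius/etc/raddb/sql/mysql/admin.sql
# Load the schema and the optional tables into the radius database.
for schema in ippool schema wimax cui nas; do
  mysql --defaults-extra-file="$mysql_cnf" radius \
    < "/usr/local/radius/etc/raddb/sql/mysql/$schema.sql"
done

rm -f -- "$mysql_cnf"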
 
# readclients: let the server load NAS definitions from the SQL nas table
# in addition to /usr/local/radius/etc/raddb/clients.conf.
sed -i 's/#readclients/readclients/g' /usr/local/radius/etc/raddb/sql.conf

# Enable the Simultaneous-Use lookup via SQL by uncommenting lines 290-293
# (simul_count_query and the three lines after it). The line numbers match
# the 2.2.0 dialup.conf installed above; on any other version locate
# simul_count_query and uncomment it and the following three lines by hand.
sed -i '290,293s/#//' /usr/local/radius/etc/raddb/sql/mysql/dialup.conf

# sites-enabled/default, by line number in the 2.2.0 file:
#   authorize  : comment out "files" (170), enable "sql" (177)
#   accounting : comment out "radutmp" (396), enable "sql" (406)
#   post-auth  : enable both "sql" lines (475, 565)
#   session    : comment out "radutmp" (450), enable "sql" (454)
# Every command is an s/// on a distinct line, so numbering is unchanged
# and one invocation is equivalent to running them one at a time.
sed -i \
  -e '177s/#//' -e '170s/^/#/' \
  -e '406s/#//' -e '396s/^/#/' \
  -e '565s/#//' -e '475s/#//' \
  -e '454s/#//' -e '450s/^/#/' \
  /usr/local/radius/etc/raddb/sites-enabled/default

# sites-enabled/inner-tunnel, same scheme:
#   authorize : comment out "files" (125), enable "sql" (132)
#   session   : comment out "radutmp" (252), enable "sql" (256)
#   post-auth : enable both "sql" lines (278, 302)
sed -i \
  -e '132s/#//' -e '125s/^/#/' \
  -e '256s/#//' -e '252s/^/#/' \
  -e '278s/#//' -e '302s/#//' \
  /usr/local/radius/etc/raddb/sites-enabled/inner-tunnel
 
 
用户权限管理
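# Open an interactive MySQL session as root. -p without a value prompts for
# the password instead of exposing it on the command line as the original
# (-pqwertyu) did; the stray trailing ";" is dropped.
mysql -uroot -p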
 
-- Select the FreeRADIUS database created earlier.
USE radius;

-- User "demo" with password "demo". Per-user check items go in radcheck.
-- Cleartext-Password stores the password unhashed (presumably needed so the
-- MS-CHAP methods left enabled by pppd can verify it); restrict access to
-- this table accordingly.
INSERT INTO radcheck (username, attribute, op, VALUE)
  VALUES ('demo', 'Cleartext-Password', ':=', 'demo');

-- Put demo into the VIP1 group.
INSERT INTO radusergroup (username, groupname)
  VALUES ('demo', 'VIP1');

-- Concurrent-login limit; per-group check items go in radgroupcheck.
-- NOTE(review): this row targets group "normal" while demo is in "VIP1",
-- so it does not limit demo. Use 'VIP1' here if that was the intent.
INSERT INTO radgroupcheck (groupname, attribute, op, VALUE)
  VALUES ('normal', 'Simultaneous-Use', ':=', '1');

-- Reply attributes returned for VIP1 members.
-- NOTE(review): Auth-Type is normally a check/control item, not a reply
-- attribute; confirm the first row has any effect.
INSERT INTO radgroupreply (groupname, attribute, op, VALUE) VALUES
  ('VIP1', 'Auth-Type',          ':=', 'Local'),
  ('VIP1', 'Service-Type',       ':=', 'Framed-User'),
  ('VIP1', 'Framed-Protocol',    ':=', 'PPP'),
  ('VIP1', 'Framed-MTU',         ':=', '1500'),
  ('VIP1', 'Framed-Compression', ':=', 'Van-Jacobson-TCP-IP');
 
六、启动radiusd
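# Install the init script that the build placed under the prefix and start
# the daemon as a service (the earlier `radiusd -X` was only the foreground
# debug run). Chained so the start is not attempted if the copy failed.
cp /usr/local/radius/sbin/rc.radiusd /etc/init.d/radiusd \
  && /etc/init.d/radiusd start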
 
###################################################################################
如果出现“rlm_sql (sql): Could not link driver rlm_sql_mysql: rlm_sql_mysql.so: cannot open shared object file: No such file or directory
”找不到驱动包的错误,就要
a:先安装mysql-devel
b:然后进入到freeradius的安装文件目录下的src/modules/rlm_sql/drivers/rlm_sql_mysql 运行命令:./configure --with-mysql-dir=/usr/share/mysql/ --with-mysql-lib-dir=/usr/lib/mysql/
c:make;make install  这时候会把rlm_sql_mysql的驱动安装到/usr/local/lib目录下,但是必须把这些驱动copy到/usr/lib目录下才能正常运行:#cp -a /usr/local/lib/rlm_sql_mysql* /usr/lib
还有可能出现关于eap的错误,说什么server.pem证书读取失败,实际上server.pem证书根本没有.进到/usr/local/etc/raddb/certs/目录下.运行里面的bootstrap文件#./bootstrap 会自动创建证书.实在不明白,
 