***---虛擬專用網服務器

rhel6+pptpd+freeradius+mysql

wKioL1Ph4B3D9L41AAHlD-W7YzE292.jpg

虛擬專用網(***)被定義爲通過一個公用網絡(因特網)建立一個臨時的、安全的鏈接、是一條穿過混亂的公用網絡的安全、穩定的隧道。虛擬專用網是對企業內部網的擴展。

系統環境:RHEL6 x86_64 selinux and iptables disabled
軟件下載:http://poptop.sourceforge.net/yum/stable/rhel6/
ftp://ftp.samba.org/pub/ppp

安裝配置 pptpd server端(192.168.0.40)給這臺主機添加一塊虛擬網卡,配置如下:

DEVICE="eth1"
BOOTPROTO="static"
IPADDR=10.0.0.40
PREFIX=24
ONBOOT="yes"

[root@desktop40 ~]# echo 1 > /proc/sys/net/ipv4/ip_forward(此設置重啓後失效,要持久化可在 /etc/sysctl.conf 中設置 net.ipv4.ip_forward = 1)
[root@desktop40 ~]# yum install ppp -y
[root@desktop40 ~]# rpm -ivh pptpd-1.3.4-2.el6.x86_64.rpm
pptpd 的配置文件

[root@desktop40 ~]# vim /etc/pptpd.conf
localip 192.168.0.40
remoteip 10.0.0.234-238(企業內部IP網段)
localip: pptpd server 所在服務器 IP 地址,可以設置爲服務器上綁定的任意一個 IP 地址
remoteip:設置客戶端連接到 pptpd server 後可供分配的 Ip 地址範圍
添加測試用戶

[root@desktop40 ~]# vim /etc/ppp/chap-secrets
# Secrets for authentication using CHAP
# client    server    secret            IP addresses
***user1     pptpd    westos            *
***user2     pptpd    westos            *
注意:server 名稱必須和 /etc/ppp/options.pptpd 中 name 處設置的名稱一致,否則登錄
驗證無法通過

[root@desktop40 ~]# service pptpd start
[root@desktop40 ~]# netstat -antlp | grep :1723

tcp        0      0 0.0.0.0:1723                0.0.0.0:*                   LISTEN      0          46711      4449/pptpd          
tcp        0      0 192.168.0.40:1723           192.168.0.37:43952          ESTABLISHED 0          1221

在另一臺虛擬機(192.168.0.37)上安裝pptp-setup-1.7.2-8.1.el6.x86_64.rpm

[root@desktop37 ~]yum localinstall pptp-setup-1.7.2-8.1.el6.x86_64.rpm -y(解決rpm包依賴性)

[root@desktop37 ~]# pptpsetup --create my*** --server 192.168.0.40 --username ***user1 --password westos --encrypt --start

用***user1這個虛擬用戶通過加密的方式來連接server端(注意:以 --password 傳入的密碼會出現在進程參數和 shell 歷史記錄中)

Using interface ppp0
Connect: ppp2 <--> /dev/pts/4
CHAP authentication succeeded
MPPE 128-bit stateless compression enabled
local  IP address 10.0.0.234(這是給本機分配的專用ip地址)
remote IP address 192.168.0.40
接下來用一臺虛擬機來測試一下:

[root@desktop39 ~]yum install vsftpd httpd -y

[root@desktop39 ~]echo www.westos.org > /var/www/html/index.html

[root@desktop39 ~]touch /var/ftp/goodluck

[root@desktop39 ~]ifconfig eth0 10.0.0.177 netmask 255.255.255.0 up

[root@desktop39 ~]/etc/init.d/httpd start

[root@desktop39 ~]/etc/init.d/vsftpd start

在server端測試連接這臺虛擬機

[root@desktop40 ~]lftp 10.0.0.177

lftp 10.0.0.177:~> ls
-rw-r--r--    1 0        0               0 Aug 05 00:53 goodluck(剛剛在39上創建的那個goodluck哦)
drwxr-xr-x    2 0        0            4096 Feb 12  2013 pub
lftp 10.0.0.177:/>
[root@desktop40 ~]# links -dump http://10.0.0.177
   www.westos.org
在38上添加一條路由規則就可以ping通10.0.0.177

[root@desktop38 ~]#route add default dev ppp0

安裝配置 freeradius
[root@desktop40 ~]yum install freeradius -y

[root@desktop40 ~]rpm -ivh freeradius-mysql-2.1.12-4.el6_3.x86_64.rpm freeradius-utils-2.1.12-4.el6_3.x86_64.rpm

[root@desktop40 ~]tar zxf ppp-2.4.5.tar.gz
[root@desktop40 ~]mkdir /etc/radiusclient
[root@desktop40 ~]cp ppp-2.4.5/pppd/plugins/radius/etc/* /etc/radiusclient
[root@desktop40 ~]cd /etc/radiusclient
在 servers 文件中添加 radius 服務器的地址和密碼
localhost
westos
修改 radiusclient.conf 文件中確保這個文件中所有與 radiusclient 相關的路徑都是
以/etc/radiusclient 開頭的。例如:
servers         /usr/local/etc/radiusclient/servers
修改爲:
servers        /etc/radiusclient/servers
修改/etc/ppp/options.pptpd,添加如下行:
plugin /usr/lib64/pppd/2.4.5/radius.so
cd /etc/raddb
修改 clients.conf
client localhost {
ipaddr = 127.0.0.1
secret = westos (與/etc/radiusclient/servers 裏設置的一致)
....
}
支持 mysql
修改/etc/raddb/radiusd.conf
$INCLUDE sql.conf
#去掉註釋
修改/etc/raddb/sites-available/default
authorize {
#files
sql
....
}
accounting {
#radutmp
sql
....
}
session {
#radutmp
sql
}
post-auth {
sql
}
修改/etc/raddb/sql.conf
sql {
database = "mysql"
driver = "rlm_sql_mysql"
server = "localhost"
login = "radius"
password = "radpass"
radius_db = "radius"
....
}
修改/etc/raddb/sql/mysql/dialup.conf,去掉如下行的註釋:
simul_count_query = "SELECT COUNT(*) \
FROM ${acct_table1} \
WHERE username = '%{SQL-User-Name}' \
AND acctstoptime IS NULL"
[root@desktop40 ~]yum install mysql mysql-server -y
service mysqld start
cd /etc/raddb/sql/mysql/
mysqladmin create radius
mysql radius < schema.sql
mysql < admin.sql
mysql> insert into radgroupreply (groupname,attribute,op,value) values
('user','Auth-Type',':=','Local');
mysql> insert into radgroupreply (groupname,attribute,op,value) values
('user','Service-Type',':=','Framed-User');
mysql> insert into radgroupreply (groupname,attribute,op,value) values
('user','Framed-IP-Address',':=','255.255.255.254');
mysql> insert into radgroupreply (groupname,attribute,op,value) values
('user','Framed-IP-Netmask',':=','255.255.255.0');
mysql> insert into radcheck (username,attribute,op,value) values ('***user1','User-Password',':=','westos');
mysql> insert into radusergroup (username,groupname) values ('***user1','user');
mysql> insert into radcheck (username,attribute,op,value) values ('***user2','User-Password',':=','westos');
mysql> insert into radusergroup (username,groupname) values ('***user2','user');
以後添加帳戶只需要進行以上兩步操作即可
[root@desktop40 ~]service radiusd start
[root@desktop40 ~]service pptpd stop
[root@desktop40 ~]service pptpd start
執行命令進行測試:
[root@desktop40 ~]radtest ***user1 westos localhost 0 westos

Sending Access-Request of id 13 to 127.0.0.1 port 1812
User-Name = "***user1"
User-Password = "westos"
NAS-IP-Address = 127.0.0.1
NAS-Port = 0
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=13, length=38
Service-Type = Framed-User
Framed-IP-Address = 255.255.255.254
Framed-IP-Netmask = 255.255.255.0
看到 Access-Accept 字樣即表示成功


