rhel6+pptpd+freeradius+mysql
A virtual private network (***) is defined as a temporary, secure link established over a public network (the Internet): a secure, stable tunnel through the chaotic public network. A virtual private network is an extension of the corporate intranet.
System environment: RHEL6 x86_64, selinux and iptables disabled
Software download: http://poptop.sourceforge.net/yum/stable/rhel6/
ftp://ftp.samba.org/pub/ppp
Install and configure the pptpd server (192.168.0.40). Add a second virtual NIC to this host, configured as follows:
DEVICE="eth1"
BOOTPROTO="static"
IPADDR=10.0.0.40
PREFIX=24
ONBOOT="yes"
[root@desktop40 ~]# echo 1 > /proc/sys/net/ipv4/ip_forward
[root@desktop40 ~]# yum install ppp -y
[root@desktop40 ~]# rpm -ivh pptpd-1.3.4-2.el6.x86_64.rpm
pptpd configuration file
[root@desktop40 ~]# vim /etc/pptpd.conf
localip 192.168.0.40
remoteip 10.0.0.234-238    (the enterprise's internal IP range)
localip: the IP address of the server running pptpd; it can be set to any IP address bound on the server
remoteip: the range of IP addresses available for assignment to clients once they connect to the pptpd server
Add test users
[root@desktop40 ~]# vim /etc/ppp/chap-secrets
# Secrets for authentication using CHAP
# client server secret IP addresses
***user1 pptpd westos *
***user2 pptpd westos *
Note: the server name must be identical to the name set with "name" in /etc/ppp/options.pptpd; otherwise login authentication fails.
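The note above is the kind of mismatch that is easy to miss by eye, so here is an added checker (example code written for this page, not part of pptpd or the original post) that parses a chap-secrets file and an options.pptpd excerpt and reports entries whose server field does not match the "name" option, empty secrets, and duplicate client/server pairs. Both files are constructed inline from the page's own lines (plus the radius.so plugin line from later in the page); the file names and the check itself are this example's own assumptions.

```python
import shlex

# Constructed inputs modelled on the page's files; embedded here so the check runs offline.
OPTIONS_PPTPD = """\
# /etc/ppp/options.pptpd (constructed excerpt)
name pptpd
plugin /usr/lib64/pppd/2.4.5/radius.so
"""

CHAP_SECRETS = """\
# Secrets for authentication using CHAP
# client server secret IP addresses
***user1 pptpd westos *
***user2 pptpd westos *
"""


def _meaningful_lines(text):
    """Yield (lineno, line) pairs, skipping blank lines and whole-line # comments."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        stripped = raw.strip()
        if stripped and not stripped.startswith("#"):
            yield lineno, stripped


def pppd_name(options_text):
    """Return the value of the `name` option in options.pptpd, or None if it is not set."""
    for _, line in _meaningful_lines(options_text):
        parts = shlex.split(line.split("#", 1)[0])  # pppd options allow trailing comments
        if len(parts) >= 2 and parts[0] == "name":
            return parts[1]
    return None


def parse_chap_secrets(text):
    """Parse chap-secrets into (lineno, client, server, secret, addresses) tuples.

    Fields may be quoted, so shlex is used; the address field is optional.
    """
    entries = []
    for lineno, line in _meaningful_lines(text):
        parts = shlex.split(line)
        if len(parts) < 3:
            raise ValueError("chap-secrets line %d has fewer than 3 fields: %r" % (lineno, line))
        client, server, secret = parts[:3]
        entries.append((lineno, client, server, secret, parts[3:]))
    return entries


def check_chap_secrets(chap_text, options_text):
    """Return a list of findings; an empty list means the two files agree."""
    findings = []
    name = pppd_name(options_text)
    if name is None:
        findings.append("options.pptpd sets no `name`; pppd falls back to the hostname")
    seen = set()
    for lineno, client, server, secret, _ in parse_chap_secrets(chap_text):
        if name is not None and server not in ("*", name):
            findings.append("line %d: server %r does not match options.pptpd name %r; "
                            "CHAP lookup for client %r will fail" % (lineno, server, name, client))
        if secret == "":
            findings.append("line %d: empty secret for client %r" % (lineno, client))
        if (client, server) in seen:
            findings.append("line %d: duplicate entry for client %r / server %r"
                            % (lineno, client, server))
        seen.add((client, server))
    return findings
```

Running check_chap_secrets(CHAP_SECRETS, OPTIONS_PPTPD) on the page's files returns no findings; changing one server field to "pptp" produces a single finding naming the line and the expected name.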
[root@desktop40 ~]# service pptpd start
[root@desktop40 ~]# netstat -antlp | grep :1723
tcp 0 0 0.0.0.0:1723 0.0.0.0:* LISTEN 0 46711 4449/pptpd
tcp 0 0 192.168.0.40:1723 192.168.0.37:43952 ESTABLISHED 0 1221
On another virtual machine (192.168.0.37), install pptp-setup-1.7.2-8.1.el6.x86_64.rpm
[root@desktop37 ~]# yum localinstall pptp-setup-1.7.2-8.1.el6.x86_64.rpm -y    (resolves the rpm package dependencies)
[root@desktop37 ~]# pptpsetup --create my*** --server 192.168.0.40 --username ***user1 --password westos --encrypt --start
Connect to the server as the virtual user ***user1 with encryption enabled
Using interface ppp0
Connect: ppp2 <--> /dev/pts/4
CHAP authentication succeeded
MPPE 128-bit stateless compression enabled
local IP address 10.0.0.234    (the private IP address assigned to this machine)
remote IP address 192.168.0.40
Next, test with another virtual machine:
[root@desktop39 ~]# yum install vsftpd httpd -y
[root@desktop39 ~]# echo www.westos.org > /var/www/html/index.html
[root@desktop39 ~]# touch /var/ftp/goodluck
[root@desktop39 ~]# ifconfig eth0 10.0.0.177 netmask 255.255.255.0 up
[root@desktop39 ~]# /etc/init.d/httpd start
[root@desktop39 ~]# /etc/init.d/vsftpd start
Test the connection to this virtual machine from the server side
[root@desktop40 ~]# lftp 10.0.0.177
lftp 10.0.0.177:~> ls
-rw-r--r-- 1 0 0 0 Aug 05 00:53 goodluck    (the goodluck file just created on 39)
drwxr-xr-x 2 0 0 4096 Feb 12 2013 pub
lftp 10.0.0.177:/>
[root@desktop40 ~]# links -dump http://10.0.0.177
www.westos.org
On 38, adding one route rule is enough to be able to ping 10.0.0.177
[root@desktop38 ~]# route add default dev ppp0
Install and configure freeradius
[root@desktop40 ~]# yum install freeradius -y
[root@desktop40 ~]# rpm -ivh freeradius-mysql-2.1.12-4.el6_3.x86_64.rpm freeradius-utils-2.1.12-4.el6_3.x86_64.rpm
[root@desktop40 ~]# tar zxf ppp-2.4.5.tar.gz
[root@desktop40 ~]# mkdir /etc/radiusclient
[root@desktop40 ~]# cp ppp-2.4.5/pppd/plugins/radius/etc/* /etc/radiusclient
[root@desktop40 ~]# cd /etc/radiusclient
In the servers file, add the radius server's address and password:
localhost
westos
Edit radiusclient.conf and make sure that every radiusclient-related path in this file starts with /etc/radiusclient. For example:
servers /usr/local/etc/radiusclient/servers
change to:
servers /etc/radiusclient/servers
Edit /etc/ppp/options.pptpd and add the following line:
plugin /usr/lib64/pppd/2.4.5/radius.so
cd /etc/raddb
Edit clients.conf
client localhost {
ipaddr = 127.0.0.1
secret = westos    (must be the same as the value set in /etc/radiusclient/servers)
....
}
mysql support
Edit /etc/raddb/radiusd.conf
$INCLUDE sql.conf
# uncomment this line
Edit /etc/raddb/sites-available/default
authorize {
#files
sql
....
}
accounting {
#radutmp
sql
....
}
session {
#radutmp
sql
}
post-auth {
sql
}
Edit /etc/raddb/sql.conf
sql {
database = "mysql"
driver = "rlm_sql_mysql"
server = "localhost"
login = "radius"
password = "radpass"
radius_db = "radius"
....
}
Edit /etc/raddb/sql/mysql/dialup.conf and uncomment the following lines:
simul_count_query = "SELECT COUNT(*) \
FROM ${acct_table1} \
WHERE username = '%{SQL-User-Name}' \
AND acctstoptime IS NULL"
[root@desktop40 ~]# yum install mysql mysql-server -y
[root@desktop40 ~]# service mysqld start
[root@desktop40 ~]# cd /etc/raddb/sql/mysql/
[root@desktop40 mysql]# mysqladmin create radius
[root@desktop40 mysql]# mysql radius < schema.sql
[root@desktop40 mysql]# mysql < admin.sql
mysql> insert into radgroupreply (groupname,attribute,op,value) values
('user','Auth-Type',':=','Local');
mysql> insert into radgroupreply (groupname,attribute,op,value) values
('user','Service-Type',':=','Framed-User');
mysql> insert into radgroupreply (groupname,attribute,op,value) values
('user','Framed-IP-Address',':=','255.255.255.254');
mysql> insert into radgroupreply (groupname,attribute,op,value) values
('user','Framed-IP-Netmask',':=','255.255.255.0');
mysql> insert into radcheck (username,attribute,op,value) values ('***user1','User-Password',':=','westos');
mysql> insert into radusergroup (username,groupname) values ('***user1','user');
mysql> insert into radcheck (username,attribute,op,value) values ('***user2','User-Password',':=','westos');
mysql> insert into radusergroup (username,groupname) values ('***user2','user');
From now on, adding an account only requires the two steps above (one radcheck insert and one radusergroup insert)
[root@desktop40 ~]# service radiusd start
[root@desktop40 ~]# service pptpd stop
[root@desktop40 ~]# service pptpd start
Run the following command to test:
[root@desktop40 ~]# radtest ***user1 westos localhost 0 westos
Sending Access-Request of id 13 to 127.0.0.1 port 1812
User-Name = "***user1"
User-Password = "westos"
NAS-IP-Address = 127.0.0.1
NAS-Port = 0
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=13, length=38
Service-Type = Framed-User
Framed-IP-Address = 255.255.255.254
Framed-IP-Netmask = 255.255.255.0
Seeing Access-Accept means it succeeded
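To make clear what radtest is doing above, and why the "secret" in clients.conf must match the one in /etc/radiusclient/servers, here is an added in-process reconstruction of the exchange (example code written for this page, not part of FreeRADIUS, radtest or the original post). It builds the Access-Request with the User-Password hidden as RFC 2865 section 5.2 describes, lets a minimal server side recover the password, compare it with a dictionary standing in for the radcheck table, and answer with the page's three reply attributes, and then has the client side verify the Response Authenticator. With a mismatched secret the server cannot recover the password and the client cannot verify the reply. The dictionary of users, the constant 127.0.0.1 NAS address and the shared secret "westos" are this example's own constructed values; the user name is reproduced as the page prints it.

```python
import hashlib
import os
import struct

# Constructed value playing the role of `secret` in clients.conf and in /etc/radiusclient/servers.
SHARED_SECRET = b"westos"

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
# RFC 2865 attribute numbers for the attributes seen in the page's radtest output.
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT = 1, 2, 4, 5
SERVICE_TYPE, FRAMED_IP_ADDRESS, FRAMED_IP_NETMASK = 6, 8, 9
SERVICE_TYPE_FRAMED_USER = 2


def encode_attrs(attrs):
    # Each attribute is type (1 byte), total length (1 byte), value.
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        t, ln = data[i], data[i + 1]
        if ln < 2 or i + ln > len(data):
            raise ValueError("malformed attribute length")
        attrs.append((t, data[i + 2:i + ln]))
        i += ln
    return attrs


def pack(code, ident, authenticator, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def unpack(pkt):
    if len(pkt) < 20:
        raise ValueError("packet shorter than the RADIUS header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("length field does not match packet size")
    return code, ident, pkt[4:20], decode_attrs(pkt[20:])


def hide_password(password, secret, request_auth):
    # RFC 2865 5.2: pad to 16-byte blocks, XOR each block with MD5(secret + previous block),
    # where the "previous block" for the first block is the Request Authenticator.
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def reveal_password(hidden, secret, request_auth):
    # Inverse of hide_password: only a party holding the same secret gets the password back.
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        out, prev = out + bytes(c ^ k for c, k in zip(block, key)), block
    return out.rstrip(b"\x00")


def response_authenticator(code, ident, body, request_auth, secret):
    # RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret).
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(header + request_auth + body + secret).digest()


def build_access_request(ident, user, password, secret, request_auth):
    # Client side (what radtest or the pppd radius plugin sends).
    attrs = [(USER_NAME, user),
             (USER_PASSWORD, hide_password(password, secret, request_auth)),
             (NAS_IP_ADDRESS, bytes([127, 0, 0, 1])),      # constructed NAS address
             (NAS_PORT, struct.pack("!I", 0))]
    return pack(ACCESS_REQUEST, ident, request_auth, attrs)


def server_handle(pkt, secret, radcheck):
    # Server side: recover the password, check it against the radcheck stand-in, and
    # answer with the page's radgroupreply attributes (Accept) or an empty Reject.
    code, ident, request_auth, attrs = unpack(pkt)
    if code != ACCESS_REQUEST:
        raise ValueError("not an Access-Request")
    got = dict(attrs)
    password = reveal_password(got.get(USER_PASSWORD, b""), secret, request_auth)
    if got.get(USER_NAME) in radcheck and radcheck[got[USER_NAME]] == password:
        rcode = ACCESS_ACCEPT
        reply = [(SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_FRAMED_USER)),
                 (FRAMED_IP_ADDRESS, bytes([255, 255, 255, 254])),
                 (FRAMED_IP_NETMASK, bytes([255, 255, 255, 0]))]
    else:
        rcode, reply = ACCESS_REJECT, []
    auth = response_authenticator(rcode, ident, encode_attrs(reply), request_auth, secret)
    return pack(rcode, ident, auth, reply)


def client_verify(reply, request_auth, secret):
    # Client side: trust the reply only if its authenticator was computed with our secret.
    code, ident, resp_auth, attrs = unpack(reply)
    if resp_auth != response_authenticator(code, ident, reply[20:], request_auth, secret):
        return "unverified", {}
    names = {ACCESS_ACCEPT: "Access-Accept", ACCESS_REJECT: "Access-Reject"}
    return names.get(code, "other"), dict(attrs)


def radtest(user, password, client_secret, server_secret, radcheck, ident=13):
    # Whole exchange in one process; returns (result, reply attributes by type number).
    request_auth = os.urandom(16)
    req = build_access_request(ident, user, password, client_secret, request_auth)
    return client_verify(server_handle(req, server_secret, radcheck), request_auth, client_secret)
```

radtest(b"***user1", b"westos", SHARED_SECRET, SHARED_SECRET, {b"***user1": b"westos"}) returns "Access-Accept" with Service-Type 2 (Framed-User), Framed-IP-Address 255.255.255.254 and Framed-IP-Netmask 255.255.255.0, matching the page's output; a wrong password gives "Access-Reject", and a server secret other than the client's gives "unverified".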