***---虚拟专用网服务器

rhel6+pptpd+freeradius+mysql

虚拟专用网(***)被定义为通过一个公用网络(因特网)建立一个临时的、安全的链接、是一条穿过混乱的公用网络的安全、稳定的隧道。虚拟专用网是对企业内部网的扩展。

系统环境:RHEL6 x86_64 selinux and iptables disabled
软件下载:http://poptop.sourceforge.net/yum/stable/rhel6/
ftp://ftp.samba.org/pub/ppp
安装配置 pptpd server端（192.168.0.40）给这台主机添加一块虚拟网卡，配置如下：

DEVICE="eth1"
BOOTPROTO="static"
IPADDR=10.0.0.40
PREFIX=24
ONBOOT="yes"

[root@desktop40 ~]# echo 1 > /proc/sys/net/ipv4/ip_forward
[root@desktop40 ~]# yum install ppp -y
[root@desktop40 ~]# rpm -ivh pptpd-1.3.4-2.el6.x86_64.rpm
pptpd 的配置文件

[root@desktop40 ~]# vim/etc/pptpd.conf
localip 192.168.0.40
remoteip10.0.0.234-238（企业内部IP网段）
localip: pptpd server 所在服务器 IP 地址,可以设置为服务器上绑定的任意一个 IP 地址
remoteip:设置客户端连接到 pptpd server 后可供分配的 Ip 地址范围
添加测试用户

[root@desktop40 ~]# vim/etc/ppp/chap-secrets
# Secrets for authentication using CHAP
# client    server    secret            IP addresses
***user1     pptpd    westos            *
***user2     pptpd    westos            *
注意:server 名称必须和 /etc/ppp/options.pptpd 中 name 处设置的名称一致,否则登录
验证无法通过

[root@desktop40 ~]# service pptpd start
[root@desktop40 ~]# netstat -antlp|grep:1723

tcp        0      0 0.0.0.0:1723                0.0.0.0:*                   LISTEN      0          46711      4449/pptpd          
tcp        0      0 192.168.0.40:1723           192.168.0.37:43952          ESTABLISHED 0          1221

在另一台虚拟机（192.168.0.37）上安装pptp-setup-1.7.2-8.1.el6.x86_64.rpm

[root@desktop37 ~]yum localinstall pptp-setup-1.7.2-8.1.el6.x86_64.rpm -y(解决rpm包依赖性)

[root@desktop37 ~]# pptpsetup --create my*** --server 192.168.0.40 --username ***user1 --password westos --encrypt --start

用***user1这个虚拟用户通过加密的方式来连接server端

Using interface ppp0
Connect: ppp2 <--> /dev/pts/4
CHAP authentication succeeded
MPPE 128-bit stateless compression enabled
local  IP address 10.0.0.234（这是给本机分配的专用ip地址）
remote IP address 192.168.0.40
接下来用一台虚拟机来测试一下：

[root@desktop39 ~]yum install vsftpd httpd -y

[root@desktop39 ~]echo www.westos.org > /var/www/html/index.html

[root@desktop39 ~]touch goodluck /var/ftp/

[root@desktop39 ~]ifconfig eth0 10.0.0.177 netmask 255.255.255.0 up

[root@desktop39 ~]/etc/init.d/http start

[root@desktop39 ~]/etc/init.d/vsftpd start

在server端测试连接这台虚拟机

[root@desktop40 ~]lftp 10.0.0.177

lftp 10.0.0.177:~> ls
-rw-r--r--    1 0        0               0 Aug 05 00:53 goodluck(刚刚在39上创建的那个goodluck哦)
drwxr-xr-x    2 0        0            4096 Feb 12  2013 pub
lftp 10.0.0.177:/>
[root@desktop40 ~]# links -dump http://10.0.0.177
   www.westos.org
在38上添加一条路由规则就可以ping通10.0.0.177

[root@desktop38 ~]#route add default dev ppp0

安装配置 freeradius
[root@desktop40 ~]yum install freeradius -y

[root@desktop40 ~]rpm -ivh freeradius-mysql-2.1.12-4.el6_3.x86_64.rpm freeradius-utils-2.1.12-4.el6_3.x86_64.rpm

[root@desktop40 ~]tar zxf ppp-2.4.5.tar.gz
[root@desktop40 ~]mkdir /etc/radiusclient
[root@desktop40 ~]cp ppp-2.4.5/pppd/plugins/radius/etc/* /etc/radiusclient
[root@desktop40 ~]cd /etc/radiusclient
在 servers 文件中添加 radius 服务器的地址和密码
localhost
westos
修改 radiusclient.conf 文件中确保这个文件中所有与 radiusclient 相关的路径都是
以/etc/radiusclient 开头的。例如:
servers         /usr/local/etc/radiusclient/servers
修改为:
servers        /etc/radiusclient/servers
修改/etc/ppp/options.ptpd,添加如下行:
plugin /usr/lib64/pppd/2.4.5/radius.so
cd /etc/raddb
修改 clients.conf
client localhost {
ipaddr = 127.0.0.1
secret = westos (与/etc/radiusclient/servers 里设置的一致)
....
}
支持 mysql
修改/etc/raddb/radius.conf
$INCLUDE sql.conf
#去掉注释
修改/etc/raddb/sites-available/default
authorize {
#files
sql
....
}
accounting {
#radutmp
sql
....
}
session{
#radutmp
sql
}
post-auth {
sql
}
修改/etc/raddb/sql.conf
sql {
database = “mysql“
driver = "rlm_sql_mysql"
server = "localhost"
login = "radius"
password = "radpass"
radius_db = "radius"
....
}
修改/etc/raddb/sql/mysql/dialup.conf,去掉如下行的注释:
simul_count_query = "SELECT COUNT(*) \
FROM ${acct_table1} \
WHERE username = '%{SQL-User-Name}' \
AND acctstoptime IS NULL"
[root@desktop40 ~]yum install mysql mysql-server -y
service mysqld start
cd /etc/raddb/sql/mysql/
mysqladmin create radius
mysql radius < schema.sql
mysql < admin.sql
mysql> insert into radgroupreply (groupname,attribute,op,value) values
('user','Auth-Type',':=','Local');
mysql> insert into radgroupreply (groupname,attribute,op,value) values
('user','Service-Type',':=','Framed-User');
mysql> insert into radgroupreply (groupname,attribute,op,value) values
('user','Framed-IP-Address',':=','255.255.255.254');
mysql> insert into radgroupreply (groupname,attribute,op,value) values
('user','Framed-IP-Netmask',':=','255.255.255.0');
mysql>insert into radcheck (username,attribute,op,value) values ('***user1','User-Password',':=','westos');
mysql>insert into radusergroup (username,groupname) values ('***user1','user');
mysql>insert into radcheck (username,attribute,op,value) values ('***user2','User-Password',':=','westos');
mysql>insert into radusergroup (username,groupname) values ('***user2','user');
以后添加帐户只需要进行以上两步操作即可
[root@desktop40 ~]service radiusd start
[root@desktop40 ~]service pptpd stop
[root@desktop40 ~]service pptpd start
执行命令进行测试:
[root@desktop40 ~]radtest ***user1 westos localhost 0 westos

Sending Access-Request of id 13 to 127.0.0.1 port 1812
User-Name = "***user1"
User-Password = "westos"
NAS-IP-Address = 127.0.0.1
NAS-Port = 0
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=13, length=38
Service-Type = Framed-User
Framed-IP-Address = 255.255.255.254
Framed-IP-Netmask = 255.255.255.0
看到 Access-Accept 字样即表示成功