系統環境:RHEL6 x86_64 selinux and iptables disabled
軟件下載:http://poptop.sourceforge.net/yum/stable/rhel6/
ftp://ftp.samba.org/pub/ppp
安裝配置 pptpd
- vim /etc/sysctl.conf
- # Controls IP packet forwarding
- net.ipv4.ip_forward = 1
- [root@server71 ~]# sysctl -p
- net.ipv4.ip_forward = 1
- yum install ppp -y
- rpm -ivh pptpd-1.3.4-2.el6.x86_64.rpm
- vim /etc/pptpd.conf
- localip 192.168.0.171
- remoteip 10.1.0.10-20
- #一般來說用作 VPN 服務器的機器都是雙網卡的:一塊網卡連上外網,使需要連接它的機器能通過互聯網連接到它;另一塊網卡連接內網地址。外網的機器通過 VPN 連接到 VPN 服務器以後,VPN 服務器會分配給這台機器一個內網 IP,使它可以直接連接內網的服務器。localip:pptpd server 所在服務器的 IP 地址;remoteip:客戶端連接到 pptpd server 後可供分配的 IP 地址範圍。
- #在這次實驗中我們假設 192.168.0.0 這個網段是公網的網段,10.1.0.0 這個網段是內網的網段來做實驗
添加用戶/etc/ppp/chap-secrets
- vim /etc/ppp/chap-secrets
- # Secrets for authentication using CHAP
- # client server secret IP addresses
- yejk pptpd westos *
- #server 名稱必須和 /etc/ppp/options.pptpd 中 name 處設置的名稱一致,否則登錄驗證無法通過,IP處如果指定一個IP,則通過這個帳號連接的機器都會分配給這個固定的內網ip,如果是*就會分配地址池裏的IP
啓動pptpd
- /etc/init.d/pptpd start
- [root@server71 network-scripts]# netstat -anltp|grep :1723
- tcp 0 0 0.0.0.0:1723 0.0.0.0:* LISTEN 1275/pptpd
這時候 VPN 服務器就搭建好了。在 Windows 環境下連接 VPN,只需要在網絡連接裏建立新連接,選擇第二個「連接到工作網絡」,再選擇第二個「連接 VPN」,然後輸入 VPN 用戶名密碼就可以連接上服務器,並且分配到一個內網 IP。
在linux環境下進行連接
- yum install ppp pptp pptp-setup
- [root@desktop31 yum.repos.d]# pptpsetup --create ppp0 --server 192.168.0.171 --username yejk --password westos --encrypt --start #注意:密碼以命令行參數傳入,會出現在 shell 歷史和 ps 輸出中
- Using interface ppp0
- Connect: ppp0 <--> /dev/pts/7
- CHAP authentication succeeded
- MPPE 128-bit stateless compression enabled
- local IP address 10.1.0.10
- remote IP address 192.168.0.171
如果要結束掉連接,在客戶端機器上可以
- [root@desktop31 yum.repos.d]# ifconfig ppp0 down
或者在服務端用
- [root@server71 network-scripts]# /etc/init.d/pptpd restart-kill
- #注意,只用restart不會結束掉已經連接上的鏈接
如果 VPN 帳號很多的話,每次都寫在文本裏不方便管理,所以要通過 freeradius 這個軟件將 pptpd 和 mysql 整合起來做用戶認證。
安裝配置 freeradius
- yum install freeradius freeradius-mysql freeradius-utils
- mkdir /etc/radiusclient
- cd ppp-2.4.5/pppd/plugins/radius/etc/
- cp * /etc/radiusclient/
- cd /etc/radiusclient/
添加 radius 服務器的地址和密碼
- vim servers
- #Server Name or Client/Server pair Key
- #---------------- ---------------
- #portmaster.elemental.net hardlyasecret
- #portmaster2.elemental.net donttellanyone
- localhost westos
修改 radiusclient.conf 文件,確保這個文件中所有與 radiusclient 相關的路徑都是以 /etc/radiusclient 開頭的。例如:
servers /usr/local/etc/radiusclient/servers
修改爲:
servers /etc/radiusclient/servers
修改 /etc/raddb/radiusd.conf 和 /etc/ppp/options.pptpd,添加如下行:
- vim /etc/raddb/radiusd.conf
- $INCLUDE sql.conf #去掉註釋使之支持mysql
- vim /etc/ppp/options.pptpd
- # put plugins here
- # (putting them higher up may cause them to sent messages to the pty)
- plugin /usr/lib64/pppd/2.4.5/radius.so
- #這個插件由ppp包提供,可以通過rpm -ql ppp查看到
- cd /etc/raddb/
- vim clients.conf
- client localhost {
- ipaddr = 127.0.0.1
- secret = westos (與/etc/radiusclient/servers 裏設置的一致)
- ....
- }
- vim /etc/raddb/sites-available/default
- authorize {
- #files
- sql
- ....
- }
- accounting {
- #radutmp
- sql
- ....
- }
- session{
- #radutmp
- sql
- }
- post-auth {
- sql
- }
- #由於要使用mysql認證,所以對配置文件進行一些修改,註釋掉原來的認證方法,去掉sql的註釋
- vim /etc/raddb/sql.conf
- sql {
- database = "mysql" #選擇所使用的數據庫,它支持多款數據庫
- driver = "rlm_sql_${database}"
- server = "localhost"
- login = "radius" #登錄數據庫的用戶名
- password = "westos" #登錄密碼
- radius_db = "radius"
- ....
- }
- vim /etc/raddb/sql/mysql/dialup.conf #去掉如下行的註釋,爲了實現控制賬戶同時可以由幾個客戶端登錄
- simul_count_query = "SELECT COUNT(*) \
- FROM ${acct_table1} \
- WHERE username = '%{SQL-User-Name}' \
- AND acctstoptime IS NULL"
- yum install mysql-server mysql mysql-libs -y
- /etc/init.d/mysqld start
- mysqladmin create radius
- mysql radius < schema.sql
- vim admin.sql
- SET PASSWORD FOR 'radius'@'localhost' = PASSWORD('westos'); #此處將PASSWORD部分進行修改,因爲剛剛改過密碼
- mysql < admin.sql
- mysql
- mysql> insert into radgroupreply (groupname,attribute,op,value) values ('user','Auth-Type',':=','Local');
- Query OK, 1 row affected (0.00 sec)
- mysql> insert into radgroupreply (groupname,attribute,op,value) values ('user','Service-Type',':=','Framed-User');
- Query OK, 1 row affected (0.00 sec)
- mysql> insert into radgroupreply (groupname,attribute,op,value) values ('user','Framed-IP-Address',':=','255.255.255.254');
- Query OK, 1 row affected (0.00 sec)
- mysql> insert into radgroupreply (groupname,attribute,op,value) values ('user','Framed-IP-Netmask',':=','255.255.255.0');
- Query OK, 1 row affected (0.00 sec)
- mysql> insert into radgroupreply (groupname,attribute,op,value) values ('user','Simultaneous-Use',':=','1');
- Query OK, 1 row affected (0.00 sec) #(限制一個帳號只能撥一次,可選)
- mysql> insert into radcheck (username,attribute,op,value) values ('user1','User-Password',':=','westos');
- Query OK, 1 row affected (0.00 sec) #(添加帳戶user1,密碼westos)
- mysql> insert into radusergroup (username,groupname) values ('user1','user');
- Query OK, 1 row affected (0.00 sec)
- #以後添加帳戶只需要進行最後兩步操作即可
- /etc/init.d/radiusd start
- /etc/init.d/pptpd restart-kill
- /etc/init.d/pptpd start
在服務器端執行以下命令進行測試
- radtest user1 westos localhost 0 westos #0表示默認端口號
- Sending Access-Request of id 161 to 127.0.0.1 port 1812
- 	User-Name = "user1"
- 	User-Password = "westos"
- 	NAS-IP-Address = 192.168.0.171
- 	NAS-Port = 0
- rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=161, length=38
- 	Service-Type = Framed-User
- 	Framed-IP-Address = 255.255.255.254
- 	Framed-IP-Netmask = 255.255.255.0
在客戶端連接 VPN:
- pptpsetup --create ppp0 --server 192.168.0.171 --username user1 --password westos --encrypt --start
- Using interface ppp0
- Connect: ppp0 <--> /dev/pts/1
- CHAP authentication succeeded
- MPPE 128-bit stateless compression enabled
- local IP address 10.1.0.10
- remote IP address 192.168.0.171