本文描述尽可能使用系统自带的软件发行包来搭建VPN,考虑到使用尽可能高版本的PPTP,freeRadius等,选择了CentOS的最新版6.2
1、安装CentOS6.2
为了简化系统,选择最下化安装,然后根据需要安装所需软件包
#yum install mysql mysql-server freeradius* pptp* gcc make
2、配置freeRadius
[root@vpn3-1 ~]# cd /etc/raddb/
[root@vpn3-1 raddb]# cp sites-available/default sites-available/default.sav
[root@vpn3-1 raddb]# vi sites-enabled/default
在所有的unix和files前面加上注释,并去掉所有sql前面的注释。如果要减少日志数量,把 detail注视掉
[root@vpn3-1 raddb]# vi radiusd.conf
去掉$include sql.conf前面的注释。
[root@vpn3-1 raddb]# vi clients.conf
添加NAS信息
#client some.host.org {
# secret = testing123
# shortname = somehost
#}
或
#client 10.10.2.3 {
# secret = testing123
# shortname = localhost2
#}
其中,每一个NAS对应一组,提供的信息有:NAS的IP或域名;加密字符串(Nas配置一致);accounting用的名字
对应localhost,已有缺省配置。
[root@vpn3-1 raddb]# vi sql.conf
# Connection info:
server = “localhost”
#port = 3306
login = “radius”
password = “radpass”
# Database table configuration for everything except Oracle
radius_db = “radius”
以上是缺省值,可根据实际需要修改的是 server、port、login、password。
[root@vpn3-1 raddb]# vi sql/mysql/dialup.conf
取消
sql_user_name = “%{%{Stripped-User-Name}:-%{%{User-Name}:-DEFAULT}}”前面的注释,把下一行注释掉。同时如果需要打开simultanoues-use(控制同时在线用户数)的话需要把simul_query_check取消注释。
3、建立基本数据库:
[root@vpn3-1 raddb]# service mysqld start
初次启动,数据库初始化
并执行了
/usr/bin/mysqladmin -u root password ‘new-password’
/usr/bin/mysqladmin -u root -h vpn3-1.xxx.com password ‘new-password’
[root@vpn3-1 raddb]# mysql -u root -p
mysql> create database radius;
Query OK, 1 row affected (0.00 sec)
mysql> grant all privileges on radius.* to radius@localhost identified by “radpass”;
Query OK, 0 rows affected (0.00 sec)
mysql> flush privileges;
Query OK, 0 rows affected (0.00 sec)
mysql> exit
[root@vpn3-1 raddb]# mysql -uradius -p radius < /etc/raddb/sql/mysql/schema.sql
Enter password:
mysql> INSERT INTO radgroupreply (groupname,attribute,op,VALUE) VALUES (‘user’,’Auth-Type’,':=’,’Local’);
Query OK, 1 row affected (0.00 sec)
mysql> INSERT INTO radgroupreply (groupname,attribute,op,VALUE) VALUES (‘user’,’Service-Type’,':=’,’Framed-User’);
Query OK, 1 row affected (0.00 sec)
mysql> INSERT INTO radgroupreply (groupname,attribute,op,VALUE) VALUES (‘user’,’Framed-IP-Address’,':=’,’255.255.255.255′);
Query OK, 1 row affected (0.00 sec)
mysql> INSERT INTO radgroupreply (groupname,attribute,op,VALUE) VALUES (‘user’,’Framed-IP-Netmask’,':=’,’255.255.255.0′);
Query OK, 1 row affected (0.00 sec)
mysql> INSERT INTO radgroupreply (groupname,attribute,op,VALUE) VALUES (‘user’,’Acct-Interim-Interval’,':=’,’600′);
Query OK, 1 row affected (0.00 sec)
mysql> INSERT INTO radgroupreply (groupname,attribute,op,VALUE) VALUES (‘user’,’Max-Monthly-Traffic’,':=’,’5368709120′);
Query OK, 1 row affected (0.00 sec)
mysql> INSERT INTO radgroupcheck (groupname,attribute,op,VALUE) VALUES (‘user’,’Simultaneous-Use’,':=’,’1′);
Query OK, 1 row affected (0.00 sec)
mysql> select * from radgroupreply;
+—- +——————-+——————————-+——+—————–+
| id | groupname | attribute | op | value |
+—- +——————-+——————————–+—-+—————–+
| 8 | user | Auth-Type | := | Local |
| 9 | user | Service-Type | := | Framed-User |
| 10 | user | Framed-IP-Address | := | 255.255.255.255 |
| 11 | user | Framed-IP-Netmask | := | 255.255.255.0 |
| 12 | user | Acct-Interim-Interval | := | 600 |
| 13 | user | Max-Monthly-Traffic | := | 5368709120 |
+—-+——————-+——————————–+—-+—————–+
6 rows in set (0.00 sec)
以上前四行是PPP用的参数,不用改动,acct-interim-interval是计算流量的间隔(600秒),意味着每隔10分钟记录当前流量。最后一行是每月最大流量,这里是5G(单位是字节)。
输入测试用户信息:
mysql> INSERT INTO radcheck (username,attribute,op,VALUE) VALUES (‘test’,’Cleartext-Password’,':=’,’test111′);
Query OK, 1 row affected (0.00 sec)
mysql> INSERT INTO radusergroup (username,groupname) VALUES (‘test’,’user’);
Query OK, 1 row affected (0.00 sec)
mysql>
用户名与密码必须以明文/NTLM Crypt形式保存,因为MS-CHAPv2不支持MD5保存的密码。
4、测试freeRadius Server:
[root@vpn3-1 raddb]# radtest test test111 localhost 1649 testing123
radclient:: Failed to find IP address for vpn3-1.xxx.com
radclient: Nothing to send.
表明vpn3-1.xxx.com没有ip,编辑/etc/hosts
[root@vpn3-1 raddb]# vi /etc/hosts
添加vpn3-1.xxx.com对应项
[root@vpn3-1 raddb]# radtest test test111 localhost 1649 testing123
Sending Access-Request of id 171 to 127.0.0.1 port 1812
User-Name = “test”
User-Password = “test111″
NAS-IP-Address = 22.19.16.250
NAS-Port = 1649
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=171, length=44
Service-Type = Framed-User
Framed-IP-Address = 255.255.255.255
Framed-IP-Netmask = 255.255.255.0
Acct-Interim-Interval = 600
[root@vpn3-1 raddb]#
测试成功。
5、添加在认证时检测流量的语句
打开/etc/raddb/sites-enabled/default,找到authorize一节末尾插入
update request {
Group-Name := “%{sql:SELECT groupname FROM radusergroup WHERE \
username=’%{User-Name}’ ORDER BY priority}”
}
if (“%{sql: SELECT SUM(acctinputoctets+acctoutputoctets)\
FROM radacct \
WHERE username=’%{User-Name}’ AND \
date_format(acctstarttime, ‘%Y-%m-%d’) >= \
date_format(now(),’%Y-%m-01′) AND \
date_format(acctstoptime, ‘%Y-%m-%d’) <= \
last_day(now());}" >= \
“%{sql: SELECT value FROM radgroupreply \
WHERE groupname=’%{Group-Name}’ AND \
attribute=’Max-Monthly-Traffic';}”\
) {
reject
}
由于第三节和本节中有非内置的attribute Max-Monthly-Traffic,所以需要在l/etc/raddb/dictionary里面定义:
ATTRIBUTE Max-Monthly-Traffic 3003 integer
**也可以通过修改/etc/raddb/sql/mysql/counter.conf 和/etc/raddb/sites-enabled/default实现相应功能
在 /etc/raddb/sql/mysql/counter.conf 文件末尾添加如下字段
sqlcounter monthlytrafficcounter {
counter-name = Monthly-Traffic
check-name = Max-Monthly-Traffic
reply-name = Monthly-Traffic-Limit
sqlmod-inst = sql
key = User-Name
reset = monthly
query = “SELECT SUM(acctinputoctets + acctoutputoctets) DIV 1024 FROM radacct \
WHERE UserName=’%{%k}’ AND UNIX_TIMESTAMP(AcctStartTime) > ‘%b'”
}
启用流量统计
在 /etc/raddb/sites-enabled/default 文件的 authorize 区块中,添加 monthlytrafficcounter ,在 字典文件 /etc/raddb/dictionary 末尾添加如下两行
ATTRIBUTE Max-Monthly-Traffic 3003 integer
ATTRIBUTE Monthly-Traffic-Limit 3004 integer
在数据库里面添加限制字段
INSERT INTO radgroupcheck (groupname,attribute,op,VALUE) VALUES \
(‘user’,’Max-Monthly-Traffic’,':=’,’5368709120′);
添加到 radgroupcheck 表示针对所有组的生效
由于 Max-Monthly-Traffic 3003 integer 整数型的最大长度为2G,如果限额超过2G,会导致认证失败,所以解决方法就是 对查询到的用户的流量,除以 1024,然后对用户的限额也除以1024,这样可以解决问题
**引自介绍freeradius 的一些配置
6、设置radiusclient
centos(RHEL)上没有radiusclient包,为此,添加yum源dag
[root@vpn3-1 ~]#rpm -Uvh http://apt.sw.be/redhat/el6/en/x86_64/dag/RPMS/rpmforge-release-0.5.2-2.el6.rf.x86_64.rpm
[root@vpn3-1 ~]# yum install radiusclient-ng*
[root@vpn3-1 etc]# cd /etc/radiusclient-ng/
[root@vpn3-1 radiusclient-ng]# vi radiusclient.conf
修改 authserver 和acctserver
authserver localhost:1812 #用户验证服务器(如果不是本机,请指定IP)(可以为多个,依次尝试)
acctserver localhost:1813 #用户账户记录服务器(如果不是本机,请指定IP)
*****注释掉bindaddr * (77行),pppd提示unrecognized keyword: bindaddr
[root@vpn3-1 radiusclient-ng]# vi /usr/share/radiusclient-ng/dictionary
添加
INCLUDE /usr/share/freeradius/dictionary.merit
INCLUDE /usr/share/freeradius/dictionary.microsoft
****本来想直接使用freeradius-server自带的dictionary,但是,server使用的和client用的不一致,还必须使用client自带的文件,因此上边两行要改写为
INCLUDE /usr/share/radiusclient-ng/dictionary.merit
INCLUDE /usr/share/radiusclient-ng/dictionary.microsoft
其中dictionary.microsoft文件从http://wiki.freeradius.org/PopTop下载
修改server:
最后加上localhost secret(就是FreeRadius的client.conf里面定义的secret)
7、安装配置pptp
[root@vpn3-1 ~]# rpm -Uvh http://poptop.sourceforge.net/yum/stable/rhel6/pptp-release-current.noarch.rpm
[root@vpn3-1 ~]# yum install pptpd
[root@vpn3-1 ~]# vi /etc/ppp/options.pptpd
将ms-dns设置为本地DNS或 8.8.8.8
ms-dns 8.8.8.8 #客户端首要DNS
ms-dns 8.8.4.4 #客户端次要DNS
末尾处添加
plugin /usr/lib64/pppd/2.4.5/radius.so
plugin /usr/lib64/pppd/2.4.5/radattr.so
radius-config-file /etc/radiusclient-ng/radiusclient.conf
[root@vpn3-1 ~]# vi /etc/pptpd.conf
修改pptpd.conf:
ppp路径改为/usr/sbin/pppd
option路径为/etc/options.pptpd
注释掉logwtmp避免619错误
最后的localip根据需要设置
示例:
localip 202.xxx.16.250 //vpn 服务器地址
remoteip 172.16.6.5-250 //分配给拨号PC的地址
8、测试记录
运行radiusd -X
1)连接测试,提示无法连接,/var/log/message无访问记录,关闭iptbles
2)连接测试,提示鉴定失败,/var/log/message有提示
Jan 22 13:05:19 vpn3-1 pppd[22537]: /etc/radiusclient-ng/radiusclient.conf: line 77: unrecognized keyword:
Jan 22 14:52:33 vpn3-1 pppd[1562]: rc_read_dictionary: invalid type on line 11 of dictionary /usr/share/freeradius/dictionary.microsoft
bindaddr
Jan 22 13:18:07 vpn3-1 pppd[22555]: rc_read_dictionary: couldn’t open dictionary /usr/share/radiusclient-ng/dictionary: Permission denied
这是由于server使用的和client用的dictionary文件不一致,还必须使用client自带的文件
3)修改后,再次连接,radius server 反映正常,认证OK,可以建立VPN连接。但是,网络不通。
由于iptables没有启动,应该是该问题导致
4)在测试iptables时,出现了认证无法通过,radiusd -X的诊断信息有Reply-Message = “\r\nYou are already logged in – access denied\r\n\n”,清空了radacct还是没有解决,最后发现:
将/etc/raddb/site-enabled/default中,session段内的radutmp注释
session {
# radutmp
#
# See “Simultaneous Use Checking Queries” in sql.conf
sql
}
9、iptables配置
编写/etc/rc.local
#
echo “1” > /proc/sys/net/ipv4/ip_forward
iptables -F INPUT
iptables -F FORWARD
iptables -t nat -F
iptables -P INPUT ACCEPT
iptables -P FORWARD DROP
iptables -A FORWARD -s 172.16.6.0/24 -j ACCEPT
iptables -A FORWARD -i eth0 -m state –state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -s 172.16.6.0/24 -j SNAT –to 22.xxx.16.250
iptables -A FORWARD -p tcp –syn -s 172.16.6.0/24 -j TCPMSS –set-mss 1356
***注意22.xxx.16.250是服务器IP
或者编辑/etc/sysconfig/iptables
*filter
:INPUT ACCEPT [3603:650757]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -s 172.16.6.0/24 -j ACCEPT
-A FORWARD -i eth0 -m state –state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 172.16.6.0/24 -p tcp -m tcp –tcp-flags FIN,SYN,RST,ACK SYN -j TCPMSS –set-mss 1356
-A OUTPUT -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [153:10779]
:POSTROUTING ACCEPT [4:493]
:OUTPUT ACCEPT [4:493]
-A POSTROUTING -s 172.16.6.0/24 -o eth0 -j SNAT –to-source 22.xxx.16.250
COMMIT
***注意22.xxx.16.250是服务器IP
如果要限制某些IP访问VPN服务器(一般限制内网的人访问VPN),可以在rc.local添加
iptables -A INPUT -s 10.0.0.0/8 -j DROP
或在/etc/sysconfig/iptables中插入对应项
*filter
:INPUT ACCEPT [170:34471]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s 10.0.0.0/8 -j DROP
-A FORWARD -s 172.16.6.0/24 -j ACCEPT
-A FORWARD -i eth0 -m state –state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 172.16.6.0/24 -p tcp -m tcp –tcp-flags FIN,SYN,RST,ACK SYN -j TCPMSS –set-mss 1356
-A OUTPUT -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [15:1443]
:POSTROUTING ACCEPT [3:377]
:OUTPUT ACCEPT [3:377]
-A POSTROUTING -s 172.16.6.0/24 -o eth0 -j SNAT –to-source 22.xxx.16.250
COMMIT
--转自