freeradius+openvpn+mysql 연동 하는방법 ^^
(1) 프리라디우스인증서버를 받아야 합니다.
# Download, build and install FreeRADIUS 1.1.7 from source (default prefix /usr/local,
# so the config lives in /usr/local/etc/raddb as used below).
# NOTE(review): fetched over plain FTP with no checksum or signature check — verify the
# tarball before building it.
wget ftp://ftp.freeradius.org:/pub/radius/freeradius-1.1.7.tar.gz
tar zxvf freeradius-1.1.7.tar.gz
cd freeradius-1.1.7
./configure
# ltdl.h is copied into the tree's include dir before make — presumably a workaround for a
# header the build cannot otherwise find in this release; confirm against the build output.
cp libltdl/ltdl.h src/include/
make
make install
(2) sql 을 설치 하세요.
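# Build the rlm_sql_mysql driver against a MySQL installed under /usr/local/mysql.
# mysql_config is symlinked into /sbin so the driver's configure script can locate it.
ln -s /usr/local/mysql/bin/mysql_config /sbin/mysql_config
cd /usr/local/src/freeradius-1.1.7/src/modules/rlm_sql/drivers/rlm_sql_mysql
# Fix: the include dir was mistyped as /usr/local/mysq/include (no such path), which would
# make configure miss the MySQL headers; all three paths now point at /usr/local/mysql.
./configure --with-mysql-dir=/usr/local/mysql --with-mysql-lib-dir=/usr/local/mysql/lib \
--with-mysql-include-dir=/usr/local/mysql/include
make
make install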
다음으로 라디우스용 DB와 접속 계정을 생성합니다.
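# Open a MySQL root session to create the radius database and account (SQL follows below).
# Fix: the original used en-dashes (–u, –p), which the mysql client does not parse as options.
# -p with no value prompts for the password instead of exposing it in `ps` output and shell
# history, matching the later `mysql -u root -p` step.
/usr/local/mysql/bin/mysql -uroot -p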
mysql>create database radius;
mysql>GRANT ALL PRIVILEGES ON radius.* TO radius@localhost IDENTIFIED BY 'AAAA';
mysql>\q
# Load the FreeRADIUS sample schema (radcheck, radgroupreply, usergroup, ...) into the new database.
cd /usr/local/src/freeradius-1.1.7
# NOTE(review): -pXXXX puts the root password on the command line (visible in process listings
# and shell history); `-p` alone prompts for it, as the later `mysql -u root -p` step does.
/usr/local/mysql/bin/mysql -uroot -pXXXX radius < ./doc/examples/mysql.sql
radiusd.conf 와 sql.conf 파일을 수정 해야합니다.
(1) radiusd.conf
# Edit the main server config; the relevant settings are shown below.
vi /usr/local/etc/raddb/radiusd.conf
# Requests are handled locally only; nothing is forwarded to another RADIUS server.
proxy_requests = no
# Authorization: `files` (the users file) and `pap` are disabled, so check/reply items come
# from the SQL tables (radcheck, radgroupreply, usergroup) configured in sql.conf.
authorize {
preprocess
chap
mschap
suffix
eap
sql
# pap
# files
}
preacct {
preprocess
acct_unique
suffix
# files
}
# Accounting is written both to the detail/radutmp files and to the SQL accounting tables.
accounting {
detail
unix
radutmp
sql
}
sql.conf
# Edit the rlm_sql module config; the connection settings are shown below.
vi /usr/local/etc/raddb/sql.conf
# rlm_sql connection settings; login/password must match the GRANT issued for radius@localhost above.
driver = "rlm_sql_mysql"
server = "localhost"
login = "radius"
# NOTE(review): 'AAAA' is the tutorial placeholder — use a strong, unique password here and in the GRANT.
password = "AAAA"
radius_db = "radius"
# Register the local OpenVPN host as a RADIUS client (NAS); the entry is shown below.
vi /usr/local/etc/raddb/clients.conf
# NAS entry for the OpenVPN server, which runs on the same host and talks to RADIUS via 127.0.0.1.
client 127.0.0.1 {
# testing123 is the FreeRADIUS sample secret. It must equal `sharedsecret` in radiusplugin.cnf
# and should be replaced by a long random value in both places before production use.
secret = testing123
shortname = localhost
nastype = other
}
테스트 계정을 한번 생성해볼게요 계정생성은 나비켓이나 그런걸로 수정 하거나 삭제 하셔도 됩니다.
#mysql -u root -p
mysql> use radius;
mysql> insert into radgroupreply (groupname,attribute,op,value) values ('user','Auth-Type',':=','Local');
mysql> insert into radgroupreply (groupname,attribute,op,value) values ('user','Service-Type',':=','Framed-User');
mysql> insert into radgroupreply (groupname,attribute,op,value) values ('user','Framed-IP-Address',':=','255.255.255.255');
mysql> insert into radgroupreply (groupname,attribute,op,value) values ('user','Framed-IP-Netmask',':=','255.255.255.0');
mysql> insert into radcheck (username,attribute,op,value) values ('test','User-Password',':=','test');
mysql> insert into radcheck (username,attribute,op,value) values ('sense','User-Password',':=','123456');
mysql> insert into usergroup (username,groupname) values ('test','user');
라디우스 디버그 모드로 실행하세요
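# Start the server in debug mode and verify the SQL-backed test account with radtest.
# Fix: the original `radiusd –x` used an en-dash, which radiusd does not accept as an option.
radiusd -x &
ln -s /usr/local/bin/radtest /sbin/radtest
# radtest USER PASSWORD SERVER NAS-PORT SECRET — SECRET is the value from clients.conf.
/sbin/radtest test test localhost 0 testing123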
Sending Access-Request of id 204 to 127.0.0.1 port 1812
User-Name = "test"
User-Password = "test"
NAS-IP-Address = 255.255.255.255
NAS-Port = 0
rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=204, length=38
Service-Type = Framed-User
Framed-IP-Address = 255.255.255.255
Framed-IP-Netmask = 255.255.255.0
# Second test account (sense/123456, inserted into radcheck above); expect Access-Accept as shown below.
/sbin/radtest sense 123456 localhost 0 testing123
Sending Access-Request of id 212 to 127.0.0.1 port 1812
User-Name = "sense"
User-Password = "123456"
NAS-IP-Address = 255.255.255.255
NAS-Port = 0
rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=212, length=20
OpenVpn 설치 방법
암호화 해주는 모듈 설치
# Confirm OpenSSL and its headers (openssl-devel) are installed; OpenVPN's configure below
# points --with-ssl-headers at /usr/include/openssl.
rpm -aq|grep openssl
openssl-devel-0.9.8b-8.3.el5
openssl-0.9.8b-8.3.el5
openvpn 설치
# Fetch and unpack OpenVPN 2.0.9 under /usr/local/src.
# NOTE(review): plain HTTP download with no checksum or signature check — verify the tarball.
cd /usr/local/src
wget http://openvpn.net/release/openvpn-2.0.9.tar.gz
tar zxvf openvpn-2.0.9.tar.gz
cd openvpn-2.0.9
# Check that PAM (including pam-devel) is present; output follows.
rpm -qa | grep pam
pam_passwdqc-1.0.2-1.2.2
pam-0.99.6.2-3.14.el5
pam_pkcs11-0.5.3-23
pam_krb5-2.2.11-1
pam-devel-0.99.6.2-3.14.el5
pam_smb-1.1.7-7.2.1
pam_ccreds-3-5
lzo 라이브러리 설치
# Build and install LZO (needed for comp-lzo); installs to /usr/local/include and /usr/local/lib,
# which the OpenVPN configure below points at.
# NOTE(review): the shell is still inside /usr/local/src/openvpn-2.0.9 here, so the lzo tree
# is unpacked under the OpenVPN source tree; the next step must cd back with an absolute path.
wget http://www.oberhumer.com/opensource/lzo/download/lzo-2.02.tar.gz
tar zxvf lzo-2.02.tar.gz
cd lzo-2.02
./configure
make
make install
open vpn 컴파일
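# Build OpenVPN against the LZO just installed and the system OpenSSL.
# Fix: after the lzo build the cwd is .../openvpn-2.0.9/lzo-2.02, so a relative
# `cd openvpn-2.0.9` fails; use the absolute source path (as the next section does).
cd /usr/local/src/openvpn-2.0.9
./configure --prefix=/usr/local/openvpn --with-lzo-headers=/usr/local/include/lzo \
--with-lzo-lib=/usr/local/lib --with-ssl-headers=/usr/include/openssl \
--with-ssl-lib=/usr/lib
make
make install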
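# Build the PKI with easy-rsa 2.0 and stage the server-side material in /usr/local/openvpn/ssl.
cd /usr/local/src/openvpn-2.0.9
cp -rf ./easy-rsa/ /usr/local/openvpn/
cd /usr/local/openvpn/easy-rsa/2.0
source ./vars
./clean-all
./build-ca
./build-key-server server
./build-dh
# cl1 is a client certificate; the server config below uses client-cert-not-required,
# so it is presumably unused in this setup — confirm before distributing it.
./build-key cl1
# Keys are written to easy-rsa/2.0/keys (we are in easy-rsa/2.0 and `cd keys` from here).
cd keys
/usr/local/openvpn/sbin/openvpn --genkey --secret ta.key
cd /usr/local/openvpn
mkdir ssl
# Fix: the files were generated under ./easy-rsa/2.0/keys/, not ./easy-rsa/keys/2.0/ as the
# original paths had it. -a preserves ownership and mode; server.key and ta.key are secrets
# and should stay readable by root only.
cp -a ./easy-rsa/2.0/keys/ca.crt ./ssl/
cp -a ./easy-rsa/2.0/keys/dh1024.pem ./ssl/
cp -a ./easy-rsa/2.0/keys/ta.key ./ssl/
cp -a ./easy-rsa/2.0/keys/server.crt ./ssl/
cp -a ./easy-rsa/2.0/keys/server.key ./ssl/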
RadiusPlugin 을 설치해서 OpenVPN 과 연동해 줍니다.
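# Build the OpenVPN RADIUS plugin and install the shared object plus its config.
cd /usr/local/src/
# Fix: the original command had a duplicated "wget" token.
# NOTE(review): plain HTTP download with no checksum or signature check — verify the tarball.
wget http://www.nongnu.org/radiusplugin/radiusplugin_v2.0b_beta2.tar.gz
tar zxvf radiusplugin_v2.0b_beta2.tar.gz
cd radiusplugin_v2.0b_beta2
make
cp /usr/local/src/radiusplugin_v2.0b_beta2/radiusplugin.so /usr/local/openvpn/
cp /usr/local/src/radiusplugin_v2.0b_beta2/radiusplugin.cnf /usr/local/openvpn/
# radiusplugin.cnf holds the RADIUS shared secret; keep it root-readable only (e.g. chmod 600).
vi /usr/local/openvpn/radiusplugin.cnf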
radiusplugin.cnf 파일 에서 인증서버 정보를 수정해주세요
# The NAS identifier which is sent to the RADIUS server
NAS-Identifier=OpenVpn
# The service type which is sent to the RADIUS server
Service-Type=5
# The framed protocol which is sent to the RADIUS server
Framed-Protocol=1
# The NAS port type which is sent to the RADIUS server
NAS-Port-Type=5
# The NAS IP address which is sent to the RADIUS server
NAS-IP-Address=127.0.0.1
# Path to the OpenVPN configfile. The plugin searches there for
# client-config-dir PATH (searches for the path)
# status FILE (searches for the file, version must be 1)
# client-cert-not-required (if the option is used or not)
# username-as-common-name (if the option is used or not)
# This must be the same file the server is started with (server.conf below uses status version 1,
# client-cert-not-required and username-as-common-name).
OpenVPNConfig=/usr/local/openvpn/server.conf
# Support for topology option in OpenVPN 2.1
# If you don't specify anything, option "net30" (default in OpenVPN) is used.
# You can only use one of the options at the same time.
# If you use topology option "subnet", fill in the right netmask, e.g. from OpenVPN option "--server NETWORK NETMASK"
#subnet=255.255.255.0
# If you use topology option "p2p", fill in the right network, e.g. from OpenVPN option "--server NETWORK NETMASK"
#p2p=10.10.0.1
####################### I use the default option (net30)
# Allows the plugin to overwrite the client config in client config file directory,
# default is true
overwriteccfiles=true
# Path to a script for vendor specific attributes.
# Leave it out if you don't use an own script.
# vsascript=/root/workspace/radiusplugin_v2.0.5_beta/vsascript.pl
# Path to the pipe for communication with the vsascript.
# Leave it out if you don't use an own script.
# vsanamedpipe=/tmp/vsapipe
# A radius server definition, there could be more than one.
# The priority of the server depends on the order in this file. The first one has the highest priority.
server
{
# The UDP port for radius accounting.
acctport=1813
# The UDP port for radius authentication.
authport=1812
# The name or ip address of the radius server.
# FreeRADIUS runs on the same host here, matching the client 127.0.0.1 entry in clients.conf.
name=127.0.0.1
# How many times should the plugin send the if there is no response?
retry=1
# How long should the plugin wait for a response?
wait=1
# The shared secret.
# Must be identical to `secret` for client 127.0.0.1 in /usr/local/etc/raddb/clients.conf.
# testing123 is the sample value; replace it in both places before real use.
sharedsecret= testing123
}
注释:这里的sharedsecret=testing123跟radiusd的设置相关,注意/usr/local/etc/raddb/clients.conf中的client127.0.0.1 的设置,(这个clients.conf是调用radius的客户端配置)
client 127.0.0.1 {
secret = testing123
shortname = localhost
nastype = other
}
同时重要的是,在正式应用的时候要同时修改这 2 个地方的 testing123,这个就是 radius 的共享密钥
4、配置openvpn的服务器设置文件server.conf
# Start from the sample server config and edit it; the path must equal OpenVPNConfig in radiusplugin.cnf.
cp /usr/local/src/openvpn-2.0.9/sample-config-files/server.conf /usr/local/openvpn/server.conf
vi /usr/local/openvpn/server.conf
注释:注意这里的server.conf要与/usr/local/openvpn/radiusplugin.cnf中OpenVPNConfig的设置一致
这里的openvpn服务器端可以有多个配置文件,每一个配置等于开启了一个单独的vpn服务,但是要单独设置每个服务器端配置文件./build-key-server ser*** 同时不同的客户端./build-key cl1*** 对应于相应 ser****的unitname,同时客户端要拷贝不同的ser***.crt
port 1194
proto udp
# Which device
dev tun
;fast-io
# Drop privileges after start.
# NOTE(review): the rpm output above is from an el5 host, where the unprivileged group is
# normally `nobody` rather than `nogroup`; confirm the group exists or privilege drop fails.
user nobody
group nogroup
persist-tun
persist-key
# VPN address pool handed to clients.
server 10.14.0.0 255.255.0.0
# Management interface on loopback only; no password file is given, so any local user
# who can reach 127.0.0.1:7505 can drive it.
management 127.0.0.1 7505
# Accept a peer whose source address changes after authentication.
float
# Clients present no certificate (client-cert-not-required): a client's identity is the
# RADIUS username/password checked by the plugin, and that username becomes its common name.
username-as-common-name
;client-config-dir ccd
client-cert-not-required
# Clients may reach each other over the VPN, not only the server.
client-to-client
#push "redirect-gateway def1"
# Site-specific DNS server pushed to clients.
push "dhcp-option DNS 172.21.41.15"
ping-timer-rem
keepalive 10 120
# Use compression
comp-lzo
# Strong encryption
tls-server
# HMAC firewall: direction 0 here, 1 in client.conf.
tls-auth ssl/ta.key 0
# NOTE(review): 1024-bit DH parameters are considered weak today; use a larger group if the tooling allows.
dh ssl/dh1024.pem
ca ssl/ca.crt
cert ssl/server.crt
key ssl/server.key
max-clients 200
# RADIUS auth/accounting via the plugin built above.
plugin /usr/local/openvpn/radiusplugin.so /usr/local/openvpn/radiusplugin.cnf
verb 3
mute 10
# Status file version 1, which radiusplugin.cnf says the plugin requires.
status /var/log/openvpn/status.log 1
log /var/log/openvpn/openvpn.log
# ccd is the client-config-dir referenced (commented out) in server.conf; the log dir must
# exist before start because server.conf writes status.log and openvpn.log there.
mkdir /usr/local/openvpn/ccd
mkdir /var/log/openvpn
디버그 모드(-x)로 실행한 radiusd 데몬을 정지하시고 정상 모드로 실행하세요
# Normal (non-debug) start, after stopping the earlier `radiusd -x` instance.
radiusd &
클라이언트 설정 client.conf 입니다.
# NOTE(review): no `client` (or `tls-client`/`pull`) and no `ca ca.crt` directive appears in
# this listing; a TLS client normally needs the CA to verify the server certificate — confirm
# this is the complete client.conf.
# Which device
dev tun
persist-key
persist-tun
# Our remote peer
nobind
# Replace *.*.*.* with the server's public address.
remote *.*.*.* 1194
# Prompt for username/password; the server forwards them to RADIUS via radiusplugin.
auth-user-pass
# Only accept a server certificate marked as a server (built with build-key-server).
ns-cert-type server
# HMAC firewall: direction 1 here, 0 on the server; needs a copy of ta.key.
tls-auth ta.key 1
route 172.16.0.0 255.240.0.0
# Use compression
comp-lzo
# Strong encryption
verb 3
mute 10
끝 입니다. 저두 이곳저곳 자료 찾아서 해본거인데 아주 잘됩니다.
문제는 리얼 아이피가 안되서 지금 연구 중인데 그것도 라우팅 설정 만 하면 가능할거 같더군요
일단 막긁어 오기.. 문제가 되시면 연락주세요.. 흄..
덧글 을 어디 써야 할지몰라서 몰래 퍼옵니다..