基于daridus認證的openvpn部署基于daridus認證的openvpn部署安裝openvpn1.安裝openvpn依賴包
#yum -y install gcc gcc-c++
#yum -y install openssl openssl-devel
#yum -y install lzo lzo-devel
2.安裝OpenVPN2.2.2
wget http://swupdate.openvpn.org/community/releases/openvpn-2.2.2.tar.gz tar -zxvf openvpn-2.2.2.tar.gz cd openvpn-2.2.2 ./configure make make install
3.生成keys(注:生成key之前記得ntpdate同步好時間)
mkdir /etc/openvpncp -R /usr/share/doc/openvpn/examples/easy-rsa/ /etc/openvpn/cd /etc/openvpn/easy-rsa/2.0/ source vars./clean-all./build-ca./build-dh./build-key-server server./build-key client1
4.生成openvpn server配置文件:
cd /usr/src/openvpn-2.2.2/sample-config-files/grep -vE "^#|^;|^$" server.conf >/etc/openvpn/server.confgrep -vE "^#|^;|^$" client.conf >/tmp/client.confcp -R /etc/openvpn/easy-rsa/2.0/keys/ /etc/openvpn/
cat /etc/openvpn/server.confport 1194PRoto tcpdev tunca keys/ca.crtcert keys/server.crtkey keys/server.key # This file should be kept secretdh keys/dh1024.pemserver 10.8.0.0 255.255.255.0push "route 192.168.1.0 255.255.255.0"push "redirect-gateway" //修改客戶端的網關�,使其直接走vpn流量ifconfig-pool-persist ipp.txtkeepalive 10 120comp-lzopersist-keypersist-tunstatus openvpn-status.logverb 3log /var/log/openvpn.log
5.啟動openvpn服務:
cp /usr/src/openvpn-2.2.2/sample-scripts/openvpn.init /etc/init.d/openvpnchkconfig --add openvpnservice openvpn start
6.修改openvpn客戶端文件并啟用連接:
scp /tmp/client.conf root@vpnclient:/tmp/vpnclient/cd /etc/openvpn/keys/tar zcf key.tar.gz ca.* client.*scp /etc/openvpn/keys/key.tar.gz root@vpnclient:/tmp/vpnclient/
vpnclient:cat /tmp/vpnclient/client.confclientdev tunproto tcpremote 172.16.77.173 1194 //中間ip為vpnserverresolv-retry infinitenobindpersist-keypersist-tunca ca.crtauth-user-passcert test.crtkey test.keycomp-lzoverb 3
vpnclient:(安裝linux客戶端跟安裝服務端一模一樣,不在贅述)openvpn --config /tmp/vpnclient/client.conf
安裝raidus�,并配置MySQL驗證1.安裝radius
yum install -y freeradius freeradius-mysql freeradius-utils
把其中最后一行的用戶去掉注釋
vi /etc/raddb/userstestuser Cleartext-PassWord := "testpassword"
chkconfig radiusd onservice radiusd startradtest testuser testpassword localhost 1812 testing123
如果看到
Sending access-Request of id 86 to 127.0.0.1 port 1812User-Name = "testuser"User-Password = "testpassword"NAS-IP-Address = 127.0.0.1NAS-Port = 1812rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=86, length=20
則表示radius服務器配置成功。2.為radius配置mysql驗證
yum install mysql mysql-server cp /etc/raddb/clients.conf /etc/raddb/clients.conf.bak
編輯clients.conf文件
vim /etc/raddb/clients.confclient 0.0.0.0 { ipaddr=127.0.0.1 secret = testing123 shortname = localhost}
編輯用戶文件��,注釋掉測試用戶
vim /etc/raddb/users#testuser Cleartext-Password := "testpassword"
備份并導入數據庫
cp /etc/raddb/sql/mysql/admin.sql /etc/raddb/sql/mysql/admin.sql.bak
vim /etc/raddb/sql/mysql/admin.sql CREATE USER 'radius'@'localhost'; SET PASSWORD FOR 'radius'@'localhost' = PASSWORD('hehe123'); GRANT All ON radius.* TO 'radius'@'localhost';
數據庫為radius�,密碼為hehe123�,默認密碼原來是radpass我這里改為自己設置的hehe123,所以設置完成后還要修改sql.conf
vim /etc/raddb/sql.conf change the password 'radpass' to 'hehe123'
導入radius數據庫
mysql -u root -pcreate database radius;exitmysql -u root -p radius < /etc/raddb/sql/mysql/admin.sqlmysql -u root -p radius < /etc/raddb/sql/mysql/schema.sqlmysql -u root -p radius < /etc/raddb/sql/mysql/nas.sqlmysql -u root -p radius < /etc/raddb/sql/mysql/ippool.sql
編輯radius配置文件����,使其使用sql認證,去掉INCLUDE sql.conf及$INCLUDE sql/mysql/counter.conf 前面的#號
vim /etc/raddb/radiusd.conf$INCLUDE sql.conf$INCLUDE sql/mysql/counter.conf
修改sql.conf
vim /etc/raddb/sql.confserver = "localhost"port = 3306login = "radius"password = "hehe123"radius_db = "radius"readclients = yes
修改認證的方式
vim /etc/raddb/sites-enabled/default
authorize { preprocess chap mschap suffix eap pap sql}accounting { detail sql} session { radutmp sql}
插入測試數據
mysql -u root -puse radius;INSERT INTO radcheck (UserName, Attribute, Value) VALUES ('angel', 'Password','123456');exit
重啟radius服務器
service radiusd restart
測試radius服務器執行
radtest angel 123456 localhost 1812 testing123
如果看到如下信息��,表示radius服務器工作正常
Sending Access-Request of id 129 to 127.0.0.1 port 1812User-Name = "angel"User-Password = "hehe123"NAS-IP-Address = 127.0.0.1NAS-Port = 1812rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=129, length=20
如果看到以上信息��,表示radius服務器可以用mysql驗證了��。3.安裝radiusplugin
radiusplugin是radius的一個插件����,可以讓openvpn使用radius服務器來驗證yum install -y libgcrypt libgpg-error libgcrypt-develwget http://www.nongnu.org/radiusplugin/radiusplugin_v2.1.tar.gztar -zxvf radiusplugin_v2.1.tar.gzcd radiuspluginmakecp radiusplugin.so /etc/openvpncp radiusplugin.cnf /etc/openvpn
編輯radiusplugin.cnf
vim /etc/openvpn/radiusplugin.cnf
server{# The UDP port for radius accounting.acctport=1813# The UDP port for radius authentication.authport=1812# The name or ip address of the radius server.name=127.0.0.1# How many times should the plugin send the if there is no response?retry=1# How long should the plugin wait for a response?wait=1# The shared secret.sharedsecret=testing123
部署daloradiusyum -y install php-xml php-mbstring php-ldap php-pear php-xmlrpc mysql-connector-odbc mysql-devel libdbi-dbd-mysql httpd php mysql mysql-server php-mysql httpd-manual mod_ssl mod_perl mod_auth_mysql php-mcrypt php-gd
wget http://nchc.dl.sourceforge.net/project/daloradius/daloradius/daloradius0.9-9/daloradius-0.9-9.tar.gztar zxvf daloradius-0.9-9.tar.gzpear install DB-1.8.2.tgz //這個DB要裝完php的pear才能安裝,daloradius用的到cp -rf daloradius-0.9-8/* /var/www/html/daloradius/ vi /var/www/html/daloradius/library/daloradius.conf.php //修改一下數據庫連接即可及如下一行����。configValues['CONFIG_PATH_DALO_VARIABLE_DATA'] = '/var/www/html/daloradius/var';
導入mysql表
mysql -u root -pwww radius < /var/www/html/radius/contrib/db/mysql-daloradius.sql
重啟httpd,訪問:http://vpnserver/daloradiususer:administratorpass:radius
