
How to integrate freeradius+openvpn+mysql

2016. 7. 12. 09:55 | Posted by bjcomm

How to integrate freeradius+openvpn+mysql ^^

(1) First, download the FreeRADIUS authentication server.
wget ftp://ftp.freeradius.org/pub/radius/freeradius-1.1.7.tar.gz
tar zxvf freeradius-1.1.7.tar.gz
cd freeradius-1.1.7
./configure
cp libltdl/ltdl.h src/include/
make
make install

(2) Install the SQL module.
ln -s /usr/local/mysql/bin/mysql_config /sbin/mysql_config
cd /usr/local/src/freeradius-1.1.7/src/modules/rlm_sql/drivers/rlm_sql_mysql
./configure --with-mysql-dir=/usr/local/mysql --with-mysql-lib-dir=/usr/local/mysql/lib \
--with-mysql-include-dir=/usr/local/mysql/include
make
make install
 
Next, create the RADIUS database account.

/usr/local/mysql/bin/mysql -uroot -pXXXX

mysql>create database radius;

mysql>GRANT ALL PRIVILEGES ON radius.* TO radius@localhost IDENTIFIED BY  'AAAA';

mysql>\q
cd /usr/local/src/freeradius-1.1.7
/usr/local/mysql/bin/mysql -uroot -pXXXX radius < ./doc/examples/mysql.sql
 


Now edit radiusd.conf and sql.conf.

(1) radiusd.conf
vi /usr/local/etc/raddb/radiusd.conf
 
proxy_requests = no
 
authorize {
        preprocess
        chap
        mschap
        suffix
        eap
        sql
#       pap
#       files
}

preacct {
        preprocess
        acct_unique
        suffix
#       files
}

accounting {
        detail
        unix
        radutmp
        sql
}


sql.conf
vi /usr/local/etc/raddb/sql.conf
driver = "rlm_sql_mysql"
server = "localhost"
login = "radius"
password = "AAAA"

radius_db = "radius"


vi /usr/local/etc/raddb/clients.conf


client 127.0.0.1 {
        secret          = testing123
        shortname       = localhost
        nastype         = other
}
 

Let's create a test account. You can also add, edit or delete accounts with Navicat or a similar tool.

#mysql -u root -p
mysql> use radius;
mysql> insert into radgroupreply (groupname,attribute,op,value) values ('user','Auth-Type',':=','Local');
mysql> insert into radgroupreply (groupname,attribute,op,value) values ('user','Service-Type',':=','Framed-User');
mysql> insert into radgroupreply (groupname,attribute,op,value) values ('user','Framed-IP-Address',':=','255.255.255.255');
mysql> insert into radgroupreply (groupname,attribute,op,value) values ('user','Framed-IP-Netmask',':=','255.255.255.0');

mysql> insert into radcheck (username,attribute,op,value) values ('test','User-Password',':=','test');
mysql> insert into radcheck (username,attribute,op,value) values ('sense','User-Password',':=','123456');
mysql> insert into usergroup (username,groupname) values ('test','user');


Run radiusd in debug mode:
radiusd -X &


ln -s /usr/local/bin/radtest /sbin/radtest
/sbin/radtest test test localhost 0 testing123
Sending Access-Request of id 204 to 127.0.0.1 port 1812
        User-Name = "test"
        User-Password = "test"
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 0
rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=204, length=38
        Service-Type = Framed-User
        Framed-IP-Address = 255.255.255.255
        Framed-IP-Netmask = 255.255.255.0
/sbin/radtest sense 123456 localhost 0 testing123
Sending Access-Request of id 212 to 127.0.0.1 port 1812
        User-Name = "sense"
        User-Password = "123456"
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 0
rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=212, length=20

 


How to install OpenVPN

Install the encryption module (check that OpenSSL and its headers are present):
rpm -qa | grep openssl
openssl-devel-0.9.8b-8.3.el5
openssl-0.9.8b-8.3.el5
 
Install OpenVPN
cd /usr/local/src
wget http://openvpn.net/release/openvpn-2.0.9.tar.gz
tar zxvf openvpn-2.0.9.tar.gz
cd openvpn-2.0.9


rpm -qa | grep pam
pam_passwdqc-1.0.2-1.2.2
pam-0.99.6.2-3.14.el5
pam_pkcs11-0.5.3-23
pam_krb5-2.2.11-1
pam-devel-0.99.6.2-3.14.el5
pam_smb-1.1.7-7.2.1
pam_ccreds-3-5
 
Install the LZO library
wget http://www.oberhumer.com/opensource/lzo/download/lzo-2.02.tar.gz
tar zxvf lzo-2.02.tar.gz
cd lzo-2.02
./configure
make
make install

 
Compile OpenVPN
cd /usr/local/src/openvpn-2.0.9
./configure --prefix=/usr/local/openvpn --with-lzo-headers=/usr/local/include/lzo \
--with-lzo-lib=/usr/local/lib --with-ssl-headers=/usr/include/openssl \
--with-ssl-lib=/usr/lib
make
make install

 

cd /usr/local/src/openvpn-2.0.9
cp -rf ./easy-rsa/  /usr/local/openvpn/
cd /usr/local/openvpn/easy-rsa/2.0
source ./vars
./clean-all
./build-ca
./build-key-server server
./build-dh
./build-key cl1
cd keys
/usr/local/openvpn/sbin/openvpn --genkey --secret ta.key
cd /usr/local/openvpn
mkdir ssl
# the build-* scripts above write their output to easy-rsa/2.0/keys
cp -a ./easy-rsa/2.0/keys/ca.crt ./ssl/
cp -a ./easy-rsa/2.0/keys/dh1024.pem ./ssl/
cp -a ./easy-rsa/2.0/keys/ta.key ./ssl/
cp -a ./easy-rsa/2.0/keys/server.crt ./ssl/
cp -a ./easy-rsa/2.0/keys/server.key ./ssl/
 
Install RadiusPlugin and hook it into OpenVPN.

cd /usr/local/src/
wget http://www.nongnu.org/radiusplugin/radiusplugin_v2.0b_beta2.tar.gz
tar zxvf radiusplugin_v2.0b_beta2.tar.gz
cd radiusplugin_v2.0b_beta2
make
 
cp /usr/local/src/radiusplugin_v2.0b_beta2/radiusplugin.so /usr/local/openvpn/
cp /usr/local/src/radiusplugin_v2.0b_beta2/radiusplugin.cnf /usr/local/openvpn/
vi /usr/local/openvpn/radiusplugin.cnf

Edit the authentication server information in radiusplugin.cnf.
 
# The NAS identifier which is sent to the RADIUS server
NAS-Identifier=OpenVpn
# The service type which is sent to the RADIUS server
Service-Type=5
# The framed protocol which is sent to the RADIUS server
Framed-Protocol=1
# The NAS port type which is sent to the RADIUS server
NAS-Port-Type=5
# The NAS IP address which is sent to the RADIUS server
NAS-IP-Address=127.0.0.1
# Path to the OpenVPN configfile. The plugin searches there for
# client-config-dir PATH   (searches for the path)
# status FILE                      (searches for the file, version must be 1)
# client-cert-not-required (if the option is used or not)
# username-as-common-name  (if the option is used or not)
OpenVPNConfig=/usr/local/openvpn/server.conf

 
# Support for topology option in OpenVPN 2.1
# If you don't specify anything, option "net30" (default in OpenVPN) is used.
# You can only use one of the options at the same time.
# If you use topology option "subnet", fill in the right netmask, e.g. from OpenVPN option "--server NETWORK NETMASK"
#subnet=255.255.255.0
# If you use topology option "p2p", fill in the right network, e.g. from OpenVPN option "--server NETWORK NETMASK"
#p2p=10.10.0.1
####################### I use the default option
 
# Allows the plugin to overwrite the client config in client config file directory,
# default is true
overwriteccfiles=true
 
# Path to a script for vendor specific attributes.
# Leave it out if you don't use an own script.
# vsascript=/root/workspace/radiusplugin_v2.0.5_beta/vsascript.pl
 
# Path to the pipe for communication with the vsascript.
# Leave it out if you don't use an own script.
# vsanamedpipe=/tmp/vsapipe
 
# A radius server definition, there could be more than one.
# The priority of the server depends on the order in this file. The first one has the highest priority.
server
{
        # The UDP port for radius accounting.
        acctport=1813
        # The UDP port for radius authentication.
        authport=1812
        # The name or ip address of the radius server.
        name=127.0.0.1
        # How many times should the plugin send the if there is no response?
        retry=1
        # How long should the plugin wait for a response?
        wait=1
        # The shared secret.
        sharedsecret= testing123
}
 
 
Note: sharedsecret=testing123 here has to match the radiusd side; check the client 127.0.0.1 block in /usr/local/etc/raddb/clients.conf (clients.conf is the configuration for the clients that are allowed to call RADIUS).
client 127.0.0.1 {
        secret          = testing123
        shortname       = localhost
        nastype         = other
}
Just as important: when this goes into real use, change testing123 in both of these places at the same time, since this is the RADIUS shared secret.
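The note above says the shared secret has to be changed in both places before real use. As an added check that is not part of the original post, the POSIX shell script below reads copies of clients.conf, radiusplugin.cnf and sql.conf from one directory, verifies that the two secrets agree and flags the placeholder values from this write-up (testing123 and AAAA); the sample files it builds and the one-directory layout are constructed for the demo.

```shell
#!/bin/sh
# Added audit helper (not part of the original post): cross-checks the RADIUS
# shared secret between clients.conf and radiusplugin.cnf and flags the
# write-up's placeholder values (testing123, AAAA) that must not reach production.

# Extract the first matching value from each file; the directory is assumed to
# hold copies of the three files from the write-up.
client_secret() { sed -n 's/^[[:space:]]*secret[[:space:]]*=[[:space:]]*//p' "$1/clients.conf" | head -n 1; }
plugin_secret() { sed -n 's/^[[:space:]]*sharedsecret[[:space:]]*=[[:space:]]*//p' "$1/radiusplugin.cnf" | head -n 1; }
db_password()   { sed -n 's/^[[:space:]]*password[[:space:]]*=[[:space:]]*"\(.*\)"/\1/p' "$1/sql.conf" | head -n 1; }

# Returns 0 when the secrets agree and no placeholder or weak value is left.
check_radius_secrets() {
    dir=$1; rc=0
    cs=$(client_secret "$dir"); ps=$(plugin_secret "$dir"); dp=$(db_password "$dir")
    [ -n "$cs" ] && [ -n "$ps" ] || { echo "MISSING: could not read both shared secrets"; return 1; }
    [ "$cs" = "$ps" ] || { echo "MISMATCH: clients.conf secret differs from radiusplugin.cnf sharedsecret"; rc=1; }
    [ "$cs" != "testing123" ] || { echo "DEFAULT: RADIUS shared secret is still testing123"; rc=1; }
    [ "${#cs}" -ge 16 ] || { echo "WEAK: RADIUS shared secret is shorter than 16 characters"; rc=1; }
    [ "$dp" != "AAAA" ] || { echo "DEFAULT: sql.conf password is still AAAA"; rc=1; }
    return $rc
}

# Constructed sample files mirroring the write-up's snippets (for offline runs).
mk_sample() {   # mk_sample DIR CLIENT_SECRET PLUGIN_SECRET DB_PASSWORD
    mkdir -p "$1"
    printf 'client 127.0.0.1 {\n\tsecret\t= %s\n\tshortname\t= localhost\n}\n' "$2" > "$1/clients.conf"
    printf 'server\n{\n\tauthport=1812\n\tname=127.0.0.1\n\tsharedsecret= %s\n}\n' "$3" > "$1/radiusplugin.cnf"
    printf 'login = "radius"\npassword = "%s"\n' "$4" > "$1/sql.conf"
}

# Demo: audit the values exactly as posted, then a hardened set (constructed).
demo=$(mktemp -d)
mk_sample "$demo/as-posted" testing123 testing123 AAAA
check_radius_secrets "$demo/as-posted" || echo "as-posted: audit FAILED (expected)"
mk_sample "$demo/hardened" 'Kp7wQz2xLm9vRt4sHj8dNc' 'Kp7wQz2xLm9vRt4sHj8dNc' 'Str0ng-Db-Passw0rd'
check_radius_secrets "$demo/hardened" && echo "hardened: audit passed"
rm -rf "$demo"
```

On a real host, copy /usr/local/etc/raddb/clients.conf, /usr/local/etc/raddb/sql.conf and /usr/local/openvpn/radiusplugin.cnf into one directory and run check_radius_secrets on it.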
 
4. Configure the OpenVPN server configuration file, server.conf
cp /usr/local/src/openvpn-2.0.9/sample-config-files/server.conf /usr/local/openvpn/server.conf
vi /usr/local/openvpn/server.conf
 
Note: the server.conf here must match the OpenVPNConfig setting in /usr/local/openvpn/radiusplugin.cnf.
The OpenVPN server side can have several configuration files; each one amounts to running a separate VPN service, but each server configuration needs its own server certificate from ./build-key-server ser***, and each client built with ./build-key cl1*** corresponds to the unitname of the matching ser****; the client also has to copy the matching ser***.crt.
 
port 1194  
proto udp
# Which device
dev tun
;fast-io
user nobody
group nogroup
persist-tun
persist-key
server 10.14.0.0 255.255.0.0
management 127.0.0.1 7505
float
 
username-as-common-name
;client-config-dir ccd
client-cert-not-required
client-to-client
#push "redirect-gateway def1"
push "dhcp-option DNS 172.21.41.15"
ping-timer-rem
keepalive 10 120
# Use compression
comp-lzo
# Strong encryption
tls-server
tls-auth ssl/ta.key 0
dh ssl/dh1024.pem
ca ssl/ca.crt
cert ssl/server.crt
key ssl/server.key
max-clients 200
plugin /usr/local/openvpn/radiusplugin.so /usr/local/openvpn/radiusplugin.cnf
verb 3
mute 10
status /var/log/openvpn/status.log 1
log /var/log/openvpn/openvpn.log
 
 
mkdir /usr/local/openvpn/ccd
mkdir /var/log/openvpn
 
Stop the daemon you started with radiusd -X and start it normally:

radiusd &

 

This is the client configuration, client.conf.
# Which device
dev tun
persist-key
persist-tun

# Client mode (tls-client + pull); needed to accept the options the server pushes
client

# Our remote peer
nobind
remote *.*.*.* 1194

auth-user-pass
# Strong encryption
# CA that signed server.crt (copy ca.crt from the server); needed to verify the server
ca ca.crt
ns-cert-type server
tls-auth ta.key 1

route 172.16.0.0 255.240.0.0
# Use compression
comp-lzo
# Logging
verb 3
mute 10