
OpenVPN deployment with RADIUS authentication

2024-06-28 13:19:51
Source: reposted
Contributed by: a reader
Installing OpenVPN

1. Install the OpenVPN dependency packages

#yum -y install gcc gcc-c++
#yum -y install openssl openssl-devel
#yum -y install lzo lzo-devel

2. Install OpenVPN 2.2.2

wget http://swupdate.openvpn.org/community/releases/openvpn-2.2.2.tar.gz
tar -zxvf openvpn-2.2.2.tar.gz
cd openvpn-2.2.2
./configure
make
make install

3. Generate the keys (note: synchronise the clock with ntpdate before generating any keys)

mkdir /etc/openvpn
cp -R /usr/share/doc/openvpn/examples/easy-rsa/ /etc/openvpn/
cd /etc/openvpn/easy-rsa/2.0/
source vars
./clean-all
./build-ca
./build-dh
./build-key-server server
./build-key client1

4. Generate the OpenVPN server configuration file:

cd /usr/src/openvpn-2.2.2/sample-config-files/
grep -vE "^#|^;|^$" server.conf >/etc/openvpn/server.conf
grep -vE "^#|^;|^$" client.conf >/tmp/client.conf
cp -R /etc/openvpn/easy-rsa/2.0/keys/ /etc/openvpn/

cat /etc/openvpn/server.conf
port 1194
proto tcp
dev tun
ca keys/ca.crt
cert keys/server.crt
key keys/server.key  # This file should be kept secret
dh keys/dh1024.pem
server 10.8.0.0 255.255.255.0
push "route 192.168.1.0 255.255.255.0"
push "redirect-gateway"   # changes the client's default gateway so all of its traffic goes through the VPN
ifconfig-pool-persist ipp.txt
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3
log /var/log/openvpn.log
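As an added example (not part of the original post), the following POSIX shell script checks a server.conf of the shape shown above before the service is started: every ca/cert/key/dh path it references must exist, and the private key must not be readable by group or others, which is what the "This file should be kept secret" comment asks for. It assumes relative paths resolve against the directory holding server.conf, matching the /etc/openvpn layout used here; the sample tree it builds is constructed for the demo and contains placeholder files, not real key material.

```shell
#!/bin/sh
# Added example, not from the original post: sanity-check an OpenVPN server.conf
# before "service openvpn start". Assumption: relative paths in the config are
# resolved against the config's own directory (/etc/openvpn in this walkthrough).

# check_openvpn_conf CONF -> prints one line per problem; returns 0 if clean, 1 otherwise
check_openvpn_conf() {
    conf=$1
    dir=$(dirname "$conf")
    rc=0
    # Same filter the post used to strip comments and blank lines, then keep only
    # the directives that point at files.
    lines=$(grep -vE '^#|^;|^$' "$conf" | grep -E '^(ca|cert|key|dh) ' || true)
    while read -r directive arg _; do
        [ -n "$directive" ] || continue
        case $arg in
            /*) path=$arg ;;
            *)  path=$dir/$arg ;;
        esac
        if [ ! -f "$path" ]; then
            echo "MISSING: $directive -> $path"
            rc=1
            continue
        fi
        # Columns 5-10 of "ls -l" are the group and other permission bits; a
        # private key should show "------" there (mode 0600 or stricter).
        if [ "$directive" = key ] && [ "$(ls -l "$path" | cut -c5-10)" != "------" ]; then
            echo "EXPOSED: $path is readable by group/others"
            rc=1
        fi
    done <<EOF
$lines
EOF
    return $rc
}

# make_demo_tree DIR -> builds a constructed /etc/openvpn-style tree under DIR
make_demo_tree() {
    base=$1
    mkdir -p "$base/keys"
    for f in ca.crt server.crt server.key dh1024.pem; do
        echo "placeholder $f (constructed for the demo, not real key material)" > "$base/keys/$f"
    done
    chmod 600 "$base/keys/server.key"
    # Trimmed copy of the post's server.conf: only the lines this check looks at
    cat > "$base/server.conf" <<'EOF'
port 1194
proto tcp
dev tun
ca keys/ca.crt
cert keys/server.crt
key keys/server.key  # This file should be kept secret
dh keys/dh1024.pem
server 10.8.0.0 255.255.255.0
EOF
}

# Stand-alone demo: a clean tree passes, then a world-readable key is flagged.
demo=$(mktemp -d)
make_demo_tree "$demo"
if check_openvpn_conf "$demo/server.conf"; then echo "clean config: OK"; fi
chmod 644 "$demo/keys/server.key"
check_openvpn_conf "$demo/server.conf" || echo "problems found (expected in the demo)"
rm -rf "$demo"
```

On a real host, run check_openvpn_conf /etc/openvpn/server.conf after step 4 and before step 5; a non-zero exit means a referenced file is missing or the key is too permissive.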

5. Start the OpenVPN service:

cp /usr/src/openvpn-2.2.2/sample-scripts/openvpn.init /etc/init.d/openvpn
chkconfig --add openvpn
service openvpn start

6. Edit the OpenVPN client file and bring up the connection:

scp /tmp/client.conf root@vpnclient:/tmp/vpnclient/
cd /etc/openvpn/keys/
tar zcf key.tar.gz ca.* client.*
scp /etc/openvpn/keys/key.tar.gz root@vpnclient:/tmp/vpnclient/

On vpnclient:
cat /tmp/vpnclient/client.conf
client
dev tun
proto tcp
remote 172.16.77.173 1194   # the IP in the middle is the VPN server
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
auth-user-pass
cert test.crt
key test.key
comp-lzo
verb 3

On vpnclient (installing the Linux client is exactly the same as installing the server, so it is not repeated here):
openvpn --config /tmp/vpnclient/client.conf
Installing RADIUS and configuring MySQL authentication

1. Install RADIUS

yum install -y freeradius freeradius-mysql freeradius-utils

Uncomment the test user on the last line of the users file:

vi /etc/raddb/users
testuser Cleartext-Password := "testpassword"

chkconfig radiusd on
service radiusd start
radtest testuser testpassword localhost 1812 testing123

If you see

Sending Access-Request of id 86 to 127.0.0.1 port 1812
	User-Name = "testuser"
	User-Password = "testpassword"
	NAS-IP-Address = 127.0.0.1
	NAS-Port = 1812
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=86, length=20

then the RADIUS server is configured correctly.

2. Configure MySQL authentication for RADIUS

yum install mysql mysql-server
cp /etc/raddb/clients.conf /etc/raddb/clients.conf.bak

Edit the clients.conf file:

vim /etc/raddb/clients.conf
client 0.0.0.0 {
    ipaddr = 127.0.0.1
    secret = testing123
    shortname = localhost
}

Edit the users file and comment the test user out again:

vim /etc/raddb/users
#testuser Cleartext-Password := "testpassword"

Back up the SQL scripts and create the database user:

cp /etc/raddb/sql/mysql/admin.sql /etc/raddb/sql/mysql/admin.sql.bak
vim /etc/raddb/sql/mysql/admin.sql
CREATE USER 'radius'@'localhost';
SET PASSWORD FOR 'radius'@'localhost' = PASSWORD('hehe123');
GRANT ALL ON radius.* TO 'radius'@'localhost';

The database is named radius and its password is hehe123. The default password was radpass; I changed it to my own hehe123, so sql.conf has to be updated afterwards as well:

vim /etc/raddb/sql.conf
change the password 'radpass' to 'hehe123'

Import the radius database:

mysql -u root -p
create database radius;
exit
mysql -u root -p radius < /etc/raddb/sql/mysql/admin.sql
mysql -u root -p radius < /etc/raddb/sql/mysql/schema.sql
mysql -u root -p radius < /etc/raddb/sql/mysql/nas.sql
mysql -u root -p radius < /etc/raddb/sql/mysql/ippool.sql

Edit the RADIUS configuration file so that it uses SQL authentication: remove the # in front of $INCLUDE sql.conf and $INCLUDE sql/mysql/counter.conf.

vim /etc/raddb/radiusd.conf
$INCLUDE sql.conf
$INCLUDE sql/mysql/counter.conf

Edit sql.conf:

vim /etc/raddb/sql.conf
server = "localhost"
port = 3306
login = "radius"
password = "hehe123"
radius_db = "radius"
readclients = yes

Change the authentication method:

vim /etc/raddb/sites-enabled/default
authorize {
    preprocess
    chap
    mschap
    suffix
    eap
    pap
    sql
}
accounting {
    detail
    sql
}
session {
    radutmp
    sql
}

Insert test data:

mysql -u root -p
use radius;
INSERT INTO radcheck (UserName, Attribute, Value) VALUES ('angel', 'Password', '123456');
exit

Restart the RADIUS server:

service radiusd restart

Test the RADIUS server by running:

radtest angel 123456 localhost 1812 testing123 

If you see the following, the RADIUS server is working properly:

Sending Access-Request of id 129 to 127.0.0.1 port 1812
	User-Name = "angel"
	User-Password = "hehe123"
	NAS-IP-Address = 127.0.0.1
	NAS-Port = 1812
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=129, length=20

If you see the above, the RADIUS server can now authenticate users against MySQL.

3. Install radiusplugin

radiusplugin is an OpenVPN plugin that lets OpenVPN authenticate users against a RADIUS server.

yum install -y libgcrypt libgpg-error libgcrypt-devel
wget http://www.nongnu.org/radiusplugin/radiusplugin_v2.1.tar.gz
tar -zxvf radiusplugin_v2.1.tar.gz
cd radiusplugin
make
cp radiusplugin.so /etc/openvpn
cp radiusplugin.cnf /etc/openvpn

Edit radiusplugin.cnf:

vim /etc/openvpn/radiusplugin.cnf
server{
	# The UDP port for radius accounting.
	acctport=1813
	# The UDP port for radius authentication.
	authport=1812
	# The name or ip address of the radius server.
	name=127.0.0.1
	# How many times should the plugin send the if there is no response?
	retry=1
	# How long should the plugin wait for a response?
	wait=1
	# The shared secret.
	sharedsecret=testing123
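The following script is an added example, not code from the original post, from FreeRADIUS or from radiusplugin. It audits the three RADIUS-side files edited in this section: it extracts the shared secret from the localhost client block of clients.conf and from sharedsecret in radiusplugin.cnf, reports a mismatch between the two, flags the FreeRADIUS example value testing123 that this walkthrough keeps, and lists any Cleartext-Password entries still uncommented in /etc/raddb/users (the testuser line that was commented out by hand above). The 16-character minimum and the three sample files are this example's own constructions.

```shell
#!/bin/sh
# Added example, not from the original post: audit the RADIUS side of the setup.
# Sample files are constructed below; on a real host pass the real paths.

# secret_from_clients CLIENTS_CONF CLIENT_NAME -> prints the secret of that client block
secret_from_clients() {
    awk -v want="$2" '
        $1 == "client" && $2 == want { inblock = 1 }
        inblock && $1 ~ /^secret/ { sub(/^[^=]*=[ \t]*/, ""); print; exit }
        inblock && /}/ { inblock = 0 }
    ' "$1"
}

# secret_from_plugin PLUGIN_CNF -> prints the sharedsecret value of radiusplugin.cnf
secret_from_plugin() {
    sed -n 's/^[[:space:]]*sharedsecret[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1
}

# active_cleartext_users USERS_FILE -> prints names of uncommented Cleartext-Password entries
active_cleartext_users() {
    # Entries start in column 1; FreeRADIUS attribute names are case-insensitive
    awk '/^[^# \t]/ && tolower($2) == "cleartext-password" { print $1 }' "$1"
}

# audit_radius CLIENTS_CONF CLIENT_NAME PLUGIN_CNF USERS_FILE -> 0 if clean, 1 if anything was flagged
audit_radius() {
    a=$(secret_from_clients "$1" "$2")
    b=$(secret_from_plugin "$3")
    rc=0
    if [ -z "$a" ] || [ -z "$b" ]; then
        echo "MISSING: shared secret not found in clients.conf or radiusplugin.cnf"
        rc=1
    elif [ "$a" != "$b" ]; then
        echo "MISMATCH: clients.conf and radiusplugin.cnf hold different secrets (authentication cannot succeed)"
        rc=1
    fi
    if [ "$a" = "testing123" ]; then
        echo "DEFAULT: shared secret is the FreeRADIUS example value testing123"
        rc=1
    elif [ -n "$a" ] && [ ${#a} -lt 16 ]; then
        echo "SHORT: shared secret is under 16 characters (this example's own threshold)"
        rc=1
    fi
    for u in $(active_cleartext_users "$4"); do
        echo "LEFTOVER: cleartext account '$u' is still active in users"
        rc=1
    done
    return $rc
}

# write_demo_files DIR -> constructed copies of the three files as this walkthrough leaves them
write_demo_files() {
    cat > "$1/clients.conf" <<'EOF'
client 0.0.0.0 {
    ipaddr = 127.0.0.1
    secret = testing123
    shortname = localhost
}
EOF
    cat > "$1/radiusplugin.cnf" <<'EOF'
server
{
    name=127.0.0.1
    sharedsecret=testing123
}
EOF
    cat > "$1/users" <<'EOF'
#testuser Cleartext-Password := "testpassword"
tmpadmin Cleartext-Password := "changeme"
DEFAULT Framed-Protocol == PPP
EOF
}

# Stand-alone demo
d=$(mktemp -d)
write_demo_files "$d"
audit_radius "$d/clients.conf" 0.0.0.0 "$d/radiusplugin.cnf" "$d/users" || echo "-> fix the items above before exposing the VPN"
rm -rf "$d"
```

On the server from this walkthrough the call is audit_radius /etc/raddb/clients.conf 0.0.0.0 /etc/openvpn/radiusplugin.cnf /etc/raddb/users; rerun it after any change to the secret so the two sides cannot drift apart.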
Deploying daloRADIUS
yum -y install php-xml php-mbstring php-ldap php-pear php-xmlrpc mysql-connector-odbc mysql-devel libdbi-dbd-mysql httpd php mysql mysql-server php-mysql httpd-manual mod_ssl mod_perl mod_auth_mysql php-mcrypt php-gd
wget http://nchc.dl.sourceforge.net/project/daloradius/daloradius/daloradius0.9-9/daloradius-0.9-9.tar.gz
tar zxvf daloradius-0.9-9.tar.gz
pear install DB-1.8.2.tgz    # the DB package can only be installed once php-pear is in place; daloRADIUS needs it
mkdir -p /var/www/html/daloradius
cp -rf daloradius-0.9-9/* /var/www/html/daloradius/
vi /var/www/html/daloradius/library/daloradius.conf.php  # only the database connection settings and the following line need changing
$configValues['CONFIG_PATH_DALO_VARIABLE_DATA'] = '/var/www/html/daloradius/var';

Import the MySQL tables:

mysql -u root -pwww radius < /var/www/html/daloradius/contrib/db/mysql-daloradius.sql

Restart httpd and open http://vpnserver/daloradius
user: administrator
pass: radius

