openvpn部署之基于daloridus认证

安装openvpn

New in version 1.0

• OS：CentOS6.6 64 bit os
• Internal IP：172.16.77.173
• OpenVPN Version：openvpn-2.3.8-1.el6.x86_64
• Radius Version: daloradius-0.9-9.tar.gz、freeradius-mysql-2.1.12-6.el6.x86_64、freeradius-2.1.12-6.el6.x86_64

1.Preparing Openvpn for Installation

#Disable selinuxsetenforce 0sed -i '/^SELINUX=/c\SELINUX=disabled' /etc/selinux/config# 安装openssl和lzo，lzo用于压缩通讯数据加快传输速度yum -y install openssl openssl-develyum -y install lzo#epel repo installtionyum -y install epel-release 

2.Openvpn installtion

# Openvpn and Easy-rsa installtion by yumyum -y install openvpn easy-rsa# copy the "/easy-rsa/2.0" Directory into "/etc/openvpn"cp -R /usr/share/easy-rsa/2.0/ /etc/openvpn/#change directory into "/etc/openvpn/2.0"cd /etc/openvpn/2.0# edit the "vars" filesvim vars# 修改注册信息，比如公司地址、公司名称、部门名称等。export KEY_COUNTRY="CN"                 国家export KEY_PROVINCE="ZJ"                省份export KEY_CITY="NingBo"                城市export KEY_ORG="TEST-VPN"               组织exportKEY_EMAIL="81367070@qq.com"       邮件export KEY_OU="baidu"                   单位# 初始化环境变量source vars# 清除keys目录下所有与证书相关的文件# 下面步骤生成的证书和密钥都在/usr/share/easy-rsa/2.0/keys目录里./clean-all# 生成根证书ca.crt和根密钥ca.key（一路按回车即可）./build-ca# 为服务端生成证书和密钥（一路按回车，直到提示需要输入y/n时，输入y再按回车，一共两次）./build-key-server server# 每一个登陆的VPN客户端需要有一个证书，每个证书在同一时刻只能供一个客户端连接，下面建立2份# 为客户端生成证书和密钥（一路按回车，直到提示需要输入y/n时，输入y再按回车，一共两次）./build-key client1# 创建迪菲·赫尔曼密钥，会生成dh2048.pem文件（生成过程比较慢，在此期间不要去中断它）./build-dh# 生成ta.key文件（防DDos攻击、UDP淹没等恶意攻击）openvpn --genkey --secret keys/ta.key#拷贝当前目录下的keys目录到"/etc/openvpn"cp -rf keys /etc/openvpn/

3.Openvpn server configuration

生成openvpn server配置文件:

cat /etc/openvpn/server.confport 1194proto udpdev tunca keys/ca.crtcert keys/server.crtkey keys/server.key  # This file should be kept secretdh keys/dh1024.pemserver 10.30.0.0 255.255.255.0push "route 10.10.0.0 255.255.0.0"push "dhcp-option DNS 10.10.107.192";push "redirect-gateway"ifconfig-pool-persist ipp.txtkeepalive 10 120comp-lzopersist-keypersist-tunstatus openvpn-status.logverb 3log /var/log/openvpn.logplugin /etc/openvpn/radiusplugin.so /etc/openvpn/radiusplugin.cnf  client-cert-not-required  username-as-common-name  

安装raidus，并配置mysql验证

安装radius

yum install -y freeradius freeradius-mysql freeradius-utils  

把其中最后一行的用户去掉注释

vi /etc/raddb/userstestuser Cleartext-Password := "testpassword"  

chkconfig radiusd onservice radiusd startradtest testuser testpassword localhost 1812 testing123 

如果看到

Sending Access-Request of id 86 to 127.0.0.1 port 1812User-Name = "testuser"User-Password = "testpassword"NAS-IP-Address = 127.0.0.1NAS-Port = 1812rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=86, length=20

则表示radius服务器配置成功。
2.为radius配置mysql验证

yum install mysql mysql-server cp /etc/raddb/clients.conf /etc/raddb/clients.conf.bak 

编辑clients.conf文件,修改client localhost为client 0.0.0.0

vim /etc/raddb/clients.confclient  0.0.0.0 {    ipaddr=127.0.0.1    secret = testing123    shortname = localhost}

编辑用户文件，注释掉测试用户

vim /etc/raddb/users#testuser Cleartext-Password := "testpassword"

备份并导入数据库

cp /etc/raddb/sql/mysql/admin.sql /etc/raddb/sql/mysql/admin.sql.bak

vim /etc/raddb/sql/mysql/admin.sql CREATE USER 'radius'@'localhost';  SET PASSWORD FOR 'radius'@'localhost' = PASSWORD('hehe123');  GRANT All ON radius.* TO 'radius'@'localhost'; 

数据库为radius，密码为hehe123，默认密码原来是radpass我这里改为自己设置的hehe123，所以设置完成后还要修改sql.conf

vim /etc/raddb/sql.conf  change the password 'radpass' to 'hehe123'  

导入radius数据库

mysql -u root -pcreate database radius;exitmysql -u root -p radius < /etc/raddb/sql/mysql/admin.sqlmysql -u root -p radius < /etc/raddb/sql/mysql/schema.sqlmysql -u root -p radius &nbsp;< /etc/raddb/sql/mysql/nas.sqlmysql -u root -p radius &nbsp;< /etc/raddb/sql/mysql/ippool.sql

编辑radius配置文件，使其使用sql认证，去掉INCLUDE sql.conf及$INCLUDE sql/mysql/counter.conf 前面的#号

vim /etc/raddb/radiusd.conf$INCLUDE sql.conf$INCLUDE sql/mysql/counter.conf

修改sql.conf

vim /etc/raddb/sql.confserver = "localhost"port = 3306login = "radius"password = "hehe123"radius_db = "radius"readclients = yes

修改认证的方式

vim /etc/raddb/sites-enabled/default

authorize {    preprocess    chap    mschap    suffix    eap    pap       sql}accounting {    detail    sql}session {    radutmp    sql}

插入测试数据

mysql -u root -puse radius;INSERT INTO radcheck (UserName, Attribute, Value) VALUES ('angel', 'Password','123456');exit

重启radius服务器

service radiusd restart

测试radius服务器执行

radtest angel 123456 localhost 1812 testing123 

如果看到如下信息，表示radius服务器工作正常

Sending Access-Request of id 129 to 127.0.0.1 port 1812User-Name = "angel"User-Password = "hehe123"NAS-IP-Address = 127.0.0.1NAS-Port = 1812rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=129, length=20

如果看到以上信息，表示radius服务器可以用mysql验证了。
安装radiusplugin

radiusplugin是radius的一个插件，可以让openvpn使用radius服务器来验证yum install -y libgcrypt libgpg-error libgcrypt-develwget http://www.nongnu.org/radiusplugin/radiusplugin_v2.1.tar.gztar -zxvf radiusplugin_v2.1.tar.gzcd radiuspluginmakecp radiusplugin.so /etc/openvpncp radiusplugin.cnf /etc/openvpn

编辑radiusplugin.cnf

vim /etc/openvpn/radiusplugin.cnf

server{# The UDP port for radius accounting.acctport=1813# The UDP port for radius authentication.authport=1812# The name or ip address of the radius server.name=127.0.0.1# How many times should the plugin send the if there is no response?retry=1# How long should the plugin wait for a response?wait=1# The shared secret.sharedsecret=testing123

部署daloradius

yum -y install php-xml php-mbstring php-ldap php-pear php-xmlrpc mysql-connector-odbc mysql-devel libdbi-dbd-mysql httpd php mysql mysql-server php-mysql httpd-manual mod_ssl mod_perl mod_auth_mysql php-mcrypt php-gd

wget http://nchc.dl.sourceforge.net/project/daloradius/daloradius/daloradius0.9-9/daloradius-0.9-9.tar.gztar zxvf daloradius-0.9-9.tar.gzpear install DB-1.8.2.tgz    //这个DB要装完php的pear才能安装，daloradius用的到cp -rf daloradius-0.9-8/* /var/www/html/daloradius/ vi /var/www/html/daloradius/library/daloradius.conf.php  //修改一下数据库连接即可及如下一行。configValues['CONFIG_PATH_DALO_VARIABLE_DATA'] = '/var/www/html/daloradius/var';

导入mysql表

mysql -u root -pwww radius < /var/www/html/radius/contrib/db/mysql-daloradius.sql

重启httpd，访问:http://vpnserver/daloradius
user:administrator
pass:radius

启动openvpn服务:

service openvpn start

Openvpn client configuration

• windows 7 64 bit
• ca.crt、daloradius

客户端配文件client.conf

clientdev tunproto udpremote 123.59.67.49 1194resolv-retry infinitenobindpersist-keypersist-tunca ca.crtauth-user-passcomp-lzoverb 3

vpnclient:(安装linux客户端跟安装服务端一模一样,不在赘述)
openvpn –config /tmp/vpnclient/client.conf