openvpn部署之基于daloridus认证
来源:互联网 发布:剑网三捏脸数据男 编辑:程序博客网 时间:2024/06/05 10:04
openvpn部署之基于daloridus认证
安装openvpn
New in version 1.0
- OS:
CentOS6.6 64 bit os
- Internal IP:
172.16.77.173
- OpenVPN Version:
openvpn-2.3.8-1.el6.x86_64
- Radius Version:
daloradius-0.9-9.tar.gz、freeradius-mysql-2.1.12-6.el6.x86_64、freeradius-2.1.12-6.el6.x86_64
1.Preparing Openvpn for Installation
#Disable selinuxsetenforce 0sed -i '/^SELINUX=/c\SELINUX=disabled' /etc/selinux/config# 安装openssl和lzo,lzo用于压缩通讯数据加快传输速度yum -y install openssl openssl-develyum -y install lzo#epel repo installtionyum -y install epel-release
2.Openvpn installtion
# Openvpn and Easy-rsa installtion by yumyum -y install openvpn easy-rsa# copy the "/easy-rsa/2.0" Directory into "/etc/openvpn"cp -R /usr/share/easy-rsa/2.0/ /etc/openvpn/#change directory into "/etc/openvpn/2.0"cd /etc/openvpn/2.0# edit the "vars" filesvim vars# 修改注册信息,比如公司地址、公司名称、部门名称等。export KEY_COUNTRY="CN" 国家export KEY_PROVINCE="ZJ" 省份export KEY_CITY="NingBo" 城市export KEY_ORG="TEST-VPN" 组织exportKEY_EMAIL="81367070@qq.com" 邮件export KEY_OU="baidu" 单位# 初始化环境变量source vars# 清除keys目录下所有与证书相关的文件# 下面步骤生成的证书和密钥都在/usr/share/easy-rsa/2.0/keys目录里./clean-all# 生成根证书ca.crt和根密钥ca.key(一路按回车即可)./build-ca# 为服务端生成证书和密钥(一路按回车,直到提示需要输入y/n时,输入y再按回车,一共两次)./build-key-server server# 每一个登陆的VPN客户端需要有一个证书,每个证书在同一时刻只能供一个客户端连接,下面建立2份# 为客户端生成证书和密钥(一路按回车,直到提示需要输入y/n时,输入y再按回车,一共两次)./build-key client1# 创建迪菲·赫尔曼密钥,会生成dh2048.pem文件(生成过程比较慢,在此期间不要去中断它)./build-dh# 生成ta.key文件(防DDos攻击、UDP淹没等恶意攻击)openvpn --genkey --secret keys/ta.key#拷贝当前目录下的keys目录到"/etc/openvpn"cp -rf keys /etc/openvpn/
3.Openvpn server configuration
生成openvpn server配置文件:
cat /etc/openvpn/server.confport 1194proto udpdev tunca keys/ca.crtcert keys/server.crtkey keys/server.key # This file should be kept secretdh keys/dh1024.pemserver 10.30.0.0 255.255.255.0push "route 10.10.0.0 255.255.0.0"push "dhcp-option DNS 10.10.107.192";push "redirect-gateway"ifconfig-pool-persist ipp.txtkeepalive 10 120comp-lzopersist-keypersist-tunstatus openvpn-status.logverb 3log /var/log/openvpn.logplugin /etc/openvpn/radiusplugin.so /etc/openvpn/radiusplugin.cnf client-cert-not-required username-as-common-name
安装raidus,并配置mysql验证
安装radius
yum install -y freeradius freeradius-mysql freeradius-utils
把其中最后一行的用户去掉注释
vi /etc/raddb/userstestuser Cleartext-Password := "testpassword"
chkconfig radiusd onservice radiusd startradtest testuser testpassword localhost 1812 testing123
如果看到
Sending Access-Request of id 86 to 127.0.0.1 port 1812User-Name = "testuser"User-Password = "testpassword"NAS-IP-Address = 127.0.0.1NAS-Port = 1812rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=86, length=20
则表示radius服务器配置成功。
2.为radius配置mysql验证
yum install mysql mysql-server cp /etc/raddb/clients.conf /etc/raddb/clients.conf.bak
编辑clients.conf文件,修改client localhost为client 0.0.0.0
vim /etc/raddb/clients.confclient 0.0.0.0 { ipaddr=127.0.0.1 secret = testing123 shortname = localhost}
编辑用户文件,注释掉测试用户
vim /etc/raddb/users#testuser Cleartext-Password := "testpassword"
备份并导入数据库
cp /etc/raddb/sql/mysql/admin.sql /etc/raddb/sql/mysql/admin.sql.bak
vim /etc/raddb/sql/mysql/admin.sql CREATE USER 'radius'@'localhost'; SET PASSWORD FOR 'radius'@'localhost' = PASSWORD('hehe123'); GRANT All ON radius.* TO 'radius'@'localhost';
数据库为radius,密码为hehe123,默认密码原来是radpass我这里改为自己设置的hehe123,所以设置完成后还要修改sql.conf
vim /etc/raddb/sql.conf change the password 'radpass' to 'hehe123'
导入radius数据库
mysql -u root -pcreate database radius;exitmysql -u root -p radius < /etc/raddb/sql/mysql/admin.sqlmysql -u root -p radius < /etc/raddb/sql/mysql/schema.sqlmysql -u root -p radius < /etc/raddb/sql/mysql/nas.sqlmysql -u root -p radius < /etc/raddb/sql/mysql/ippool.sql
编辑radius配置文件,使其使用sql认证,去掉INCLUDE sql.conf及$INCLUDE sql/mysql/counter.conf 前面的#号
vim /etc/raddb/radiusd.conf$INCLUDE sql.conf$INCLUDE sql/mysql/counter.conf
修改sql.conf
vim /etc/raddb/sql.confserver = "localhost"port = 3306login = "radius"password = "hehe123"radius_db = "radius"readclients = yes
修改认证的方式
vim /etc/raddb/sites-enabled/default
authorize { preprocess chap mschap suffix eap pap sql}accounting { detail sql}session { radutmp sql}
插入测试数据
mysql -u root -puse radius;INSERT INTO radcheck (UserName, Attribute, Value) VALUES ('angel', 'Password','123456');exit
重启radius服务器
service radiusd restart
测试radius服务器执行
radtest angel 123456 localhost 1812 testing123
如果看到如下信息,表示radius服务器工作正常
Sending Access-Request of id 129 to 127.0.0.1 port 1812User-Name = "angel"User-Password = "hehe123"NAS-IP-Address = 127.0.0.1NAS-Port = 1812rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=129, length=20
如果看到以上信息,表示radius服务器可以用mysql验证了。
安装radiusplugin
radiusplugin是radius的一个插件,可以让openvpn使用radius服务器来验证yum install -y libgcrypt libgpg-error libgcrypt-develwget http://www.nongnu.org/radiusplugin/radiusplugin_v2.1.tar.gztar -zxvf radiusplugin_v2.1.tar.gzcd radiuspluginmakecp radiusplugin.so /etc/openvpncp radiusplugin.cnf /etc/openvpn
编辑radiusplugin.cnf
vim /etc/openvpn/radiusplugin.cnf
server{# The UDP port for radius accounting.acctport=1813# The UDP port for radius authentication.authport=1812# The name or ip address of the radius server.name=127.0.0.1# How many times should the plugin send the if there is no response?retry=1# How long should the plugin wait for a response?wait=1# The shared secret.sharedsecret=testing123
部署daloradius
yum -y install php-xml php-mbstring php-ldap php-pear php-xmlrpc mysql-connector-odbc mysql-devel libdbi-dbd-mysql httpd php mysql mysql-server php-mysql httpd-manual mod_ssl mod_perl mod_auth_mysql php-mcrypt php-gd
wget http://nchc.dl.sourceforge.net/project/daloradius/daloradius/daloradius0.9-9/daloradius-0.9-9.tar.gztar zxvf daloradius-0.9-9.tar.gzpear install DB-1.8.2.tgz //这个DB要装完php的pear才能安装,daloradius用的到cp -rf daloradius-0.9-8/* /var/www/html/daloradius/ vi /var/www/html/daloradius/library/daloradius.conf.php //修改一下数据库连接即可及如下一行。configValues['CONFIG_PATH_DALO_VARIABLE_DATA'] = '/var/www/html/daloradius/var';
导入mysql表
mysql -u root -pwww radius < /var/www/html/radius/contrib/db/mysql-daloradius.sql
重启httpd,访问:http://vpnserver/daloradius
user:administrator
pass:radius
启动openvpn服务:
service openvpn start
Openvpn client configuration
- windows 7 64 bit
- ca.crt、daloradius
客户端配文件client.conf
clientdev tunproto udpremote 123.59.67.49 1194resolv-retry infinitenobindpersist-keypersist-tunca ca.crtauth-user-passcomp-lzoverb 3
vpnclient:(安装linux客户端跟安装服务端一模一样,不在赘述)
openvpn –config /tmp/vpnclient/client.conf
0 0
- openvpn部署之基于daloridus认证
- 基于daloridus认证的openvpn部署
- openvpn部署之基于证书认证
- openvpn部署之部署基于AD域认证
- 架设基于FreeRadius带有认证计费功能的Openvpn Server
- CentOS 6.6 x64搭建基于用户密码认证的openvpn
- 基于用户名/密码认证和流量控制的OpenVPN系统配置
- OPENVPN开启用户密码认证
- openvpn+ldap认证
- 简单的openVPN部署 (证书登录以及用户名密码认证)
- ubuntu 快速部署openvpn
- openvpn+mysql+freeradius+daloradius认证
- openvpn pam mysql 账号认证
- OPENVPN+MYSQL认证+客户端配置
- Openvpn-2.3.8安装部署
- CentOS 7下部署openvpn
- Ubuntu搭建Radius认证的OpenVPN
- OpenVPN客户端免输密码认证方法
- swift实际使用中遇到的问题及解决(3)
- 深入理解预编译,编译,汇编,链接的过程——之编译
- 启动百宝云接口教程
- Minor GC、Major GC和Full GC之间的区别
- centOS下自带安装了apache和php,如何配置呢 ?
- openvpn部署之基于daloridus认证
- 关于tabLayout中标题栏加图片与文字
- 关于Zero MQ epgm协议的解释
- 知识点
- mac subclipse svn 报错
- OCP-1Z0-051-2015-47题
- openvpn部署之部署基于AD域认证
- JAVA常用框架和插件
- 如何写一篇好的技术博客