OpenVPN offers several ways to authenticate the two ends of a connection: pre-shared keys, CA-issued (third-party) certificates, and username/password. Pre-shared keys are the simplest, but they only support point-to-point tunnels; PKI-based certificates offer the most complete solution, but require the extra effort of maintaining a CA. Since OpenVPN 2.0 there is also username/password authentication, which lets you drop the client certificate; a server certificate is still required, because the TLS handshake that sets up the encryption depends on it.
------------------------------------------------------------------------------------------------------------------------------------------
After some experimentation I got OpenVPN 2.0.9 authenticating against RADIUS. A brief write-up follows.
My environment: the server runs Linux 9.0, the client runs Windows XP.
I will not repeat the basic setup; there are plenty of articles on certificate-based authentication, and user elm has written several good configuration guides.
There are also many articles on username/password authentication, but they all need either a MySQL database or a FreeRADIUS installation. I wanted something quick and simple: hand the username and password to an existing third-party RADIUS server and let it decide. Plenty of such servers exist, for example Windows Active Directory or WinRadius 2.01; here I use WinRadius 2.01.
1. radiusplugin_v2.0.tar.gz: builds radiusplugin.so
Download from http://www.nongnu.org/radiusplugin/
2. libgcrypt support library: builds /usr/lib/libgcrypt.so.11
Download from ftp://ftp.gnupg.org/gcrypt/libgcrypt/libgcrypt-1.2.4.tar.gz
3. libgpg-error support library: builds /usr/local/lib/libgpg-error.so.0
Download from ftp://ftp.gnupg.org/gcrypt/libgpg-error/libgpg-error-1.5.tar.gz
Build all three the usual way: configure; make; make install.
What we actually need is radiusplugin.so; the other two are its dependencies.
Once you have radiusplugin.so you are 80% done; the rest is configuration.
Copy radiusplugin.so to /etc/openvpn and edit its configuration file, radiusplugin.conf, as follows:
# The NAS identifier which is sent to the RADIUS server
NAS-Identifier=OpenVpn
# The service type which is sent to the RADIUS server
Service-Type=5
# The framed protocol which is sent to the RADIUS server
Framed-Protocol=1
# The NAS port type which is sent to the RADIUS server
NAS-Port-Type=5
# IP address of the host running the OpenVPN server; it is the RADIUS client (NAS)
NAS-IP-Address=192.168.2.8
# Path to the OpenVPN server configuration
OpenVPNConfig=/etc/openvpn/cert_conf/server.conf
# RADIUS server parameters; more than one server block may be given, the extra ones act as backups
server
{
# The UDP port for radius accounting.
acctport=1813
# The UDP port for radius authentication.
authport=1812
# IP of my RADIUS server, i.e. the host running WinRadius where the users were added
name=192.168.2.2
# How many times should the plugin send the if there is no response?
retry=1
# How long should the plugin wait for a response?
wait=1
# The shared secret; in WinRadius it is set under Settings - System - NAS secret
sharedsecret=winradius
}
Now the OpenVPN server configuration, server.conf.
Compared with the certificate-only configuration, only these three lines are new (the plugin argument is the file edited above; the server log further down confirms the name radiusplugin.conf):
plugin /etc/openvpn/radiusplugin.so /etc/openvpn/radiusplugin.conf
client-cert-not-required
username-as-common-name
Client configuration (Windows XP):
Drop the client certificate and key and add the directive that prompts for a username and password:
ca ca.crt
#cert client.crt
#key client.key
auth-user-pass
Start the server:
openvpn --config server.conf
If it fails, the log file (openvpn.log, for example) usually shows why.
Start the client; it prompts:
Sat Aug 25 17:52:38 2007 OpenVPN 2.0.9 Win32-MinGW [SSL] [LZO] built on Oct 1 2006
Enter Auth Username:test
Enter Auth Password:
...
Sat Aug 25 17:55:22 2007 Route addition via IPAPI succeeded
Sat Aug 25 17:55:22 2007 Initialization Sequence Completed
Authentication passed and the VPN tunnel is up.
In WinRadius:
user (test) authenticated
user (test) call () started
On the Linux server the log shows:
RADIUS-PLUGIN: Configfile name: /etc/openvpn/radiusplugin.conf .
Sun Apr 1 13:31:09 2007 PLUGIN_INIT: POST /etc/openvpn/radiusplugin.so '/etc/openvpn/radiusplugin.conf' intercepted=PLUGIN_AUTH_USER_PASS_VERIFY|PLUGIN_CLIENT_CONNECT|PLUGIN_CLIENT_DISCONNECT
...
Sun Apr 1 13:31:56 2007 192.168.2.2:3214 PLUGIN_CALL: POST /etc/openvpn/radiusplugin.so/PLUGIN_AUTH_USER_PASS_VERIFY status=0
Sun Apr 1 13:31:56 2007 192.168.2.2:3214 TLS: Username/Password authentication succeeded for username 'test' [CN SET]
RADIUS authentication is working.
from http://www.chinaunix.net/jh/50/981672.html
-----------------------------------------------------
I searched for a long time and found few articles on installing freeradius on Debian, so I worked it out myself; roughly:
mysql> use radius;
mysql> INSERT INTO radcheck (UserName, Attribute, Value) VALUES ('sqltest', 'Password', 'testpwd');
(User-Password with op ':=' is the form the radcheck table normally uses, as in the other sections of this page)
mysql> FLUSH PRIVILEGES;
mysql> quit
# freeradius -X
Sending Access-Request of id 226 to 127.0.0.1 port 1812
User-Name = "sqltest"
User-Password = "testpwd"
NAS-IP-Address = 127.0.1.1
NAS-Port = 1812
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=226, length=20
If you see the above, it works.
9) Adding other attributes to the Access-Accept. The radcheck table has the columns UserName (the user to authenticate), Attribute (the attribute to check), op (the comparison operator) and Value (the attribute value).
For example: insert into radcheck(username, attribute, op, value) values('myuser','User-Password', '==', 'mypass');
If the configuration is correct, authentication passes. Note: spell the attribute name exactly, otherwise you get "Unknown attribute". Attribute definitions can be found on my blog or under share/dictionary. The radreply table has the columns UserName (the user the reply applies to), Attribute (the reply attribute), op (the operator, default "=") and Value (the reply attribute's value).
For example: insert into radreply(username,attribute,op,value) values('myuser','Reply-Message','=','Yes,Good!'). Once the user is authenticated, this is added to the Access-Accept.
#vi /etc/freeradius/clients.conf
client 172.16.10.80 {
secret=symbol
shortname=AP-5131
}
from http://blog.sina.com.cn/s/blog_4b2fe4d20100i2qv.html
--------------------------------------------------------------------------------------
Building a VPN authentication system with FreeRADIUS + PostgreSQL + OpenVPN
1. Install the components
Everything needed is in Ubuntu's package sources; apt-get installs it.
2. Edit the configuration files
FreeRADIUS's configuration lives in /etc/freeradius.
/etc/freeradius/clients.conf
This file controls which client addresses may connect and their secret.
The address does not need to change, since access is local (OpenVPN to FreeRADIUS on the same host).
Write down the secret; you need it for testing and for the plugin configuration. The default is testing123, the same value every installation ships with, so replace it with one of your own.
/etc/freeradius/sql.conf
This file holds the SQL connection parameters.
What to change:
database="sql" becomes database="postgresql"
Under Connection info, usually only the password needs changing.
/etc/freeradius/sql/postgresql/dialup.conf
Uncomment sql_user_name = "%{%{Stripped-User-Name}:-%{%{User-Name}:-none}}" and comment out the line below it.
/etc/freeradius/sites-enabled/default
Uncomment sql in the authorize, preacct and accounting sections.
Comment out every files and unix entry.
PostgreSQL configuration changes:
/etc/postgresql/8.4/main/postgresql.conf
Find listen_addresses and change the address inside the quotes to *
/etc/postgresql/8.4/main/pg_hba.conf
In the "local all all" line change ident to md5
and add the line
host all all 0.0.0.0/0 md5
(Both of these expose PostgreSQL on every interface to every address; they are only needed for remote pgadmin access, and the 0.0.0.0/0 should be narrowed to the administrator's address.)
3. Create the database
The password must match the one in sql.conf's connection info.
Then connect to the database with psql or pgadmin.
In psql, enter the following commands:
and finally \q to quit.
4. First test
If you see something like:
5. Configure OpenVPN
First OpenVPN has to be connected to FreeRADIUS; this is done with the Radiusplugin for OpenVPN.
The build should leave radiusplugin.so and radiusplugin.cnf in the current directory; copy them to /etc/openvpn.
Edit /etc/openvpn/radiusplugin.cnf:
OpenVPNConfig=/etc/openvpn/openvpn.conf
sharedsecret=testing123
The secret must match the one in clients.conf.
In the server block further down, set name to the FreeRADIUS server's IP (localhost in this example).
Then generate the OpenVPN keys:
Copy the generated ca.crt to the client, for example with WinSCP over SSH.
Configure the OpenVPN server:
Then add the following to /etc/rc.local:
before the exit 0 line.
After a reboot, once everything is back up, connecting to the server should prompt for a username and password; when the OpenVPN icon turns green you are connected. Check with whatsmyip.org.
Usernames and passwords can be edited by connecting to the database with pgadmin; they are in radcheck.
from https://tomem.info/blog/2010/06/207
---------------------------------------------------------------------
To use LDAP with freeradius, you need to install freeradius-ldap and slapd.
Notice: You also need the files module, else you can not have LDAP looking up profiles for reply-items. At the moment I do not know, if there is another way for looking up GroupName stuff. Maybe someone else might give a hint here
Modify the users file like this (example):
The ldap module configuration for freeradius might look like this:
Add the freeradius-schema for LDAP to the slapd.conf (or include it in slapd.d).
A sample init.ldif is shown here:
Notice: Maybe you see that I am using cleartext passwords. This differs from using MySQL as source for storing users/pws. I do not see this as a security problem.
I have configured LDAP to have a proxyuser that has access rights to all data with read-only support.
Here is my sample slapd.conf:
After finishing, you can delete everything from the MySQL server concerning users. The only table that will still be used is the radacct table. All the other tables are empty. But you also can store users in both servers. Storing one user in both is a bad idea
See a final radtest here:
And LDAP sample output:
If you run the ldap and freeradius server on the same machine, you could also forget about using TLS and use a unix socket instead (/etc/freeradius/module/ldap: server="ldapi://%2fvar%2frun%2fslapd%2fldapi"). This works with ssf from slapd.conf as well. I use ldapi and TLS, so I can manage LDAP remotely with Apache Directory Studio and still have a working setup even if I forgot to renew the server certificate.
from http://www.roessner-network-solutions.com/beliebte-seiten-und-artikel/openvpn-radius-mysqlldap-howto/#radplug1
http://www.ldap-account-manager.org/
----------------------------------------------------------------------------------------------------------------------------------
1. Get the plaintext-password authentication script
wget http://openvpn.se/files/other/checkpsw.sh -P /etc/openvpn
cd /etc/openvpn
chmod u+x checkpsw.sh
chown nobody.nobody checkpsw.sh
2. Create the password file
for example /etc/openvpn/psw-file
Format: one "username<Tab>password" pair per line
user1	pass
user2	pass
(The file holds passwords in cleartext; make it readable only by the account OpenVPN runs as, nobody here, and do not reuse these passwords anywhere else.)
3. Edit the server configuration
Add to server.conf:
auth-user-pass-verify /etc/openvpn/checkpsw.sh via-env
(On OpenVPN 2.1 and later an external script only runs with script-security set to at least 2, and via-env, which hands the password to the script in its environment, needs level 3; via-file, which writes the credentials to a temporary file that only the script reads, is the safer choice.)
4. Edit the client configuration
First comment out the client certificate and key:
;cert client1.crt
;key client1.key
Then add the directive that asks for a username and password:
auth-user-pass
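A hardened replacement for the checkpsw.sh approach, as an added example (it is not the page's script and not part of OpenVPN): an auth-user-pass-verify handler in via-file mode that stores salted PBKDF2 hashes instead of cleartext, compares them in constant time, and follows OpenVPN's contract of exit status 0 for accept and non-zero for reject. The path /etc/openvpn/psw-file.hashed, its user:iterations:salt:hash line format and the OPENVPN_USERS_FILE override are assumptions made here.

```python
#!/usr/bin/env python3
"""OpenVPN auth-user-pass-verify handler (via-file mode) that keeps salted PBKDF2
hashes instead of the cleartext user<Tab>password lines checkpsw.sh reads.
Added example, not OpenVPN's checkpsw.sh. Assumed: the hashed file lives at
/etc/openvpn/psw-file.hashed with one "user:iterations:salt_hex:hash_hex" per line."""
import hashlib
import hmac
import os
import sys

ITERATIONS = 200_000
DEFAULT_USERS_FILE = "/etc/openvpn/psw-file.hashed"   # assumed path


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return 'iterations:salt_hex:hash_hex' for storage; a fresh random salt by default."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{iterations}:{salt.hex()}:{digest.hex()}"


def make_entry(username, password):
    """One line of the hashed users file (run when adding an account)."""
    if ":" in username or "\n" in username:
        raise ValueError("username must not contain ':' or a newline")
    return f"{username}:{hash_password(password)}"


def load_users(lines):
    """Parse the hashed file; blank lines and # comments are ignored."""
    users = {}
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, iterations, salt_hex, hash_hex = line.split(":")
        users[user] = (int(iterations), bytes.fromhex(salt_hex), bytes.fromhex(hash_hex))
    return users


# Used for unknown users so that a lookup miss costs the same PBKDF2 work as a hit.
_DUMMY = (ITERATIONS, b"\x00" * 16, b"\x00" * 32)


def verify(username, password, users):
    """Constant-time comparison; an unknown user still pays for one PBKDF2, so the
    response time does not reveal which usernames exist."""
    iterations, salt, expected = users.get(username, _DUMMY)
    got = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(got, expected) and username in users


def parse_credentials(text):
    """OpenVPN's via-file layout: username on line 1, password on line 2."""
    lines = text.split("\n")
    if len(lines) < 2:
        raise ValueError("credentials file must hold a username line and a password line")
    return lines[0], lines[1]


def main(argv):
    """Invoked by OpenVPN as: verify.py <tmpfile>. Exit 0 accepts, 1 rejects."""
    if len(argv) != 2:
        return 1
    with open(argv[1], encoding="utf-8") as f:
        username, password = parse_credentials(f.read())
    with open(os.environ.get("OPENVPN_USERS_FILE", DEFAULT_USERS_FILE), encoding="utf-8") as f:
        users = load_users(f)
    return 0 if verify(username, password, users) else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Deploy it with script-security 2 and auth-user-pass-verify /etc/openvpn/verify.py via-file in server.conf (OpenVPN 2.1 or later); the hashed file must be readable by the account OpenVPN drops to (nobody in the configurations on this page) and by nobody else, and new accounts are added by appending the output of make_entry(user, password) to it.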
2. Authentication against a MySQL database
1. The pam_mysql module is required
# wget http://prdownloads.sourceforge.net/pam-mysql/pam_mysql-0.7RC1.tar.gz
The project page is:
http://pam-mysql.sourceforge.net
2. Build the module
# tar -zxvf pam_mysql-0.7RC1.tar.gz
# cd pam_mysql-0.7RC1
# ./configure --with-openssl
or
# ./configure --with-mysql=/usr/lib/mysql/mysql_config --with-openssl
# make install
# cd .libs
# cp pam_mysql.so /lib/security
3. Related services
Edit /etc/sysconfig/saslauthd and change MECH=pam to MECH=shadow, then
# service saslauthd restart
4. MySQL setup
In short:
# cd /usr/bin
# ./mysql_install_db
# service mysqld restart
# ./mysqladmin -u root password '????????'
# mysql -u root -p
> create database vpn;
> grant all on vpn.* to vpn@localhost identified by '????????';
> flush privileges;
> use vpn;
> create table vpnuser (name char(20) NOT NULL, password char(128) default NULL, active int(10) NOT NULL DEFAULT 1, PRIMARY KEY(name));
> insert into vpnuser(name,password) values ('......',password('......'));
5. Configure the pam_mysql module
/etc/pam.d/openvpn
auth sufficient pam_mysql.so user=vpn passwd=...... host=localhost db=vpn table=vpnuser usercolumn=name passwordcolumn=password where=active=1 sqllog=0 crypt=2
account sufficient pam_mysql.so user=vpn passwd=...... host=localhost db=vpn table=vpnuser usercolumn=name passwordcolumn=password where=active=1 sqllog=0 crypt=2
(The original showed the first word of this line as "with"; a PAM line starts with the management group, here auth. The account line is needed because openvpn-auth-pam runs the account check after authentication. The database password in passwd= is visible to anyone who can read /etc/pam.d/openvpn, so restrict that file's permissions.)
The crypt= value selects how pam_mysql compares the stored column:
crypt=0 cleartext
crypt=1 crypt(3)
crypt=2 MySQL PASSWORD()
crypt=3 plain MD5 hex digest (MySQL MD5()), not PASSWORD()
The table above was filled with password('...'), so crypt=2 is the matching setting; with crypt=3, as the original suggested, every login would be rejected because the MD5 of the password never equals the PASSWORD() value.
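What each crypt= value makes pam_mysql compare against, as an added example (not pam_mysql's own code): it reproduces the comparison for crypt=0, 2, 3 and 4 so that a stored column can be checked against the chosen mode before the PAM line goes live. It assumes MySQL 4.1 or later PASSWORD() semantics ('*' followed by the upper-case hex of SHA1(SHA1(pw))); crypt=1, which uses crypt(3), is not modelled.

```python
"""Which pam_mysql crypt= value matches a given password column.
Added example, not pam_mysql code. Assumes MySQL 4.1+ PASSWORD(); the 16-hex
pre-4.1 form and crypt=1 (crypt(3)) are not modelled."""
import hashlib
import hmac


def mysql_password(password):
    """MySQL 4.1+ PASSWORD(): '*' followed by the upper-case hex of SHA1(SHA1(pw))."""
    inner = hashlib.sha1(password.encode()).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()


def candidate_for(crypt_mode, password):
    """The string pam_mysql compares with the stored column for each crypt= value."""
    if crypt_mode == 0:            # cleartext column
        return password
    if crypt_mode == 2:            # column filled with PASSWORD(...)
        return mysql_password(password)
    if crypt_mode == 3:            # column filled with MD5(...), 32 hex chars
        return hashlib.md5(password.encode()).hexdigest()
    if crypt_mode == 4:            # column filled with SHA1(...), 40 hex chars
        return hashlib.sha1(password.encode()).hexdigest()
    raise ValueError(f"crypt={crypt_mode} not modelled here (1 = crypt(3) needs the system crypt)")


def pam_mysql_matches(crypt_mode, stored, password):
    """True if pam_mysql with this crypt= setting would accept the login."""
    return hmac.compare_digest(candidate_for(crypt_mode, password).encode(), stored.encode())


def working_crypt_modes(stored, password):
    """Every crypt= value under which the stored column verifies. The page's
    crypt=3 on a column filled by PASSWORD() gives an empty list, i.e. no login ever works."""
    return [mode for mode in (0, 2, 3, 4) if pam_mysql_matches(mode, stored, password)]


if __name__ == "__main__":
    stored = mysql_password("s3cret")              # what the page's insert stores
    print(working_crypt_modes(stored, "s3cret"))   # [2]
    print(pam_mysql_matches(3, stored, "s3cret"))  # False
```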
6. OpenVPN settings
Generate ta.key:
# openvpn --genkey --secret keys/ta.key
Server configuration:
tls-auth ta.key 0
plugin ./openvpn-auth-pam.so openvpn
client-cert-not-required
username-as-common-name
Client configuration:
auth-user-pass
tls-auth ta.key 1
3. LDAP authentication
There are two approaches: openvpn-auth-ldap, which queries LDAP directly, and, analogous to the MySQL case, pam_ldap, which goes through PAM and then LDAP.
This section uses openvpn-auth-ldap. (For the other approach: after yum install nss_ldap, copy /usr/share/doc/nss_ldap_253/ldap.conf.pam_ldap to /etc/pam_ldap.conf and create /etc/pam.d/openvpn.)
1. Install
# yum install openvpn-auth-ldap
To build it yourself, download auth-ldap-2.0.3.tar.gz and re2c-0.13.5.tar.gz:
# tar -zxvf re2c-0.13.5.tar.gz
# cd re2c-0.13.5
# ./configure
# make
# make install
# cd ..
# tar -zxvf auth-ldap-2.0.3.tar.gz
# cd auth-ldap-2.0.3
# ./configure --prefix=/usr/local --with-openldap=/usr/local --with-openvpn=/root/openvpn-2.0.9
or
# ./configure --prefix=/usr/local --with-openldap=/usr/lib/openldap --with-openvpn=/usr/src/redhat/BUILD/openvpn-2.0.9
This produces /usr/local/lib/openvpn-auth-ldap.so
2. Configuration file
Edit auth-ldap.conf.
With the yum package the sample lives in /usr/share/doc/openvpn-auth-ldap-2.0.3; with a source build it is /usr/local/etc/auth-ldap.conf.
Example (adjust to your environment):
<LDAP>
# LDAP server URL
URL ldap://ldap1.example.org
# Bind DN (If your LDAP server doesn't support anonymous binds)
# BindDN uid=Manager,ou=People,dc=example,dc=com
# Bind Password
# Password SecretPassword
# Network timeout (in seconds)
Timeout 15
# Enable Start TLS
TLSEnable yes
# Follow LDAP Referrals (anonymously)
FollowReferrals yes
# TLS CA Certificate File
TLSCACertFile /usr/local/etc/ssl/ca.pem
# TLS CA Certificate Directory
TLSCACertDir /etc/ssl/certs
# Client Certificate and key
# If TLS client authentication is required
TLSCertFile /usr/local/etc/ssl/client-cert.pem
TLSKeyFile /usr/local/etc/ssl/client-key.pem
# Cipher Suite
# The defaults are usually fine here
# TLSCipherSuite ALL:!ADH:@STRENGTH
</LDAP>
<Authorization>
# Base DN
BaseDN "ou=People,dc=example,dc=com"
# User Search Filter
SearchFilter "(&(uid=%u)(accountStatus=active))"
# Require Group Membership
RequireGroup false
# Add non-group members to a PF table (disabled)
#PFTable ips_vpn_users
<Group>
BaseDN "ou=Groups,dc=example,dc=com"
SearchFilter "(|(cn=developers)(cn=artists))"
MemberAttribute uniqueMember
# Add group members to a PF table (disabled)
#PFTable ips_vpn_eng
</Group>
</Authorization>
The OpenVPN configuration mirrors the MySQL case:
plugin /usr/local/lib/openvpn-auth-ldap.so /etc/openvpn/auth/ldap.conf
client-cert-not-required
username-as-common-name
--------------------------------------------------------------------------
2: Username/password authentication
2.1: Cleartext username and password
This uses the script OpenVPN provides; I have it working. It is simple: a text file holding the usernames and passwords is all it takes.
2.2: POP
This is the moderator's script, which verifies against POP; I have this working too.
2.3: PAM
2.3.1 pam + mysql
Many articles cover this; basically no problems.
2.3.2 pam + Linux users
I only saw this today: authenticating against the local Linux accounts.
http://forum.mandriva.com/viewtopic.php?t=52399
2.3.3 pam + radius + mysql
I do not understand why anyone would do it this way.
http://code.google.com/p/autosetup
2.3.4 pam + ldap
Little documentation; I have not got it working.
2.4 LDAP
Authenticating directly via LDAP.
http://code.google.com/p/openvpn-auth-ldap/
1. Required software and environment
Install a LAMP stack (skipped; most readers know this part).
Required software:
wget http://www.oberhumer.com/opensource/lzo/download/lzo-2.05.tar.gz
wget http://openvpn.net/release/openvpn-2.1_rc15.tar.gz (the latest release is recommended: http://openvpn.net/release/openvpn-2.1_rc22.tar.gz)
wget ftp://ftp.freeradius.org/pub/radius/freeradius-1.1.8.tar.bz2 (do not use the latest freeradius here; 1.1.8 is fine)
wget http://www.nongnu.org/radiusplugin/radiusplugin_v2.1a_beta1.tar.gz (the latest is recommended: http://www.nongnu.org/radiusplugin/radiusplugin_v2.1_beta9.tar.gz)
wget http://jaist.dl.sourceforge.net/sourceforge/daloradius/daloradius-0.9-8.tar.gz
lzo: compression support for OpenVPN
openvpn: the VPN software itself
freeradius: an excellent open-source RADIUS server
daloradius: web front end for managing RADIUS
2. Installing OpenVPN
#tar zxvf lzo-2.05.tar.gz
#cd lzo-2.05
#./configure
#make && make install

#tar zxvf openvpn-2.1_rc22.tar.gz
#cd openvpn-2.1_rc22
#./configure
#make && make install
(The archive names must match what you downloaded; the original listed lzo-2.00 and openvpn-2.0.9 here although the list above fetches lzo-2.05 and OpenVPN 2.1, and the radiusplugin 2.1 build below only loads into OpenVPN 2.1, see the note at the end of this section.)
#cd easy-rsa/   (easy-rsa/2.0/ in the OpenVPN 2.1 tarball)
#. ./vars   (note the space after the first dot: this sources vars into the current shell)
#./clean-all
#./build-ca
#./build-key-server server
#./build-dh
#openvpn --genkey --secret ta.key
#mkdir -p /etc/openvpn
(build-dh and the RSA keys use KEY_SIZE from vars, 1024 by default; raising it to 2048 before ./clean-all produces dh2048.pem, in which case the dh path in openvpn.conf below changes accordingly.)
Copy ca.crt, server.crt, server.key, ta.key and dh1024.pem from the keys directory to /etc/openvpn.
#tar zxvf radiusplugin_v2.1a_beta1.tar.gz
#cd radiusplugin_v2.1a_beta1
#make
(If make stops with "gcrypt.h: No such file or directory", install the libgcrypt headers and run make again: on CentOS yum -y install libgcrypt-devel, on Debian/Ubuntu apt-get install -y libgcrypt11-dev.)
This produces radiusplugin.so; copy it to /etc/openvpn:
# cp radiusplugin.so /etc/openvpn/
#cp radiusplugin.cnf /etc/openvpn/
#nano /etc/openvpn/radiusplugin.cnf
# The NAS IP address which is sent to the RADIUS server
NAS-IP-Address=127.0.0.1
...
OpenVPNConfig=/etc/openvpn/openvpn.conf
...
server
{
# The UDP port for radius accounting.
acctport=1813
# The UDP port for radius authentication.
authport=1812
# The name or ip address of the radius server.
name=127.0.0.1
# How many times should the plugin resend the request if there is no response?
retry=1
# How long should the plugin wait for a response?
wait=1
# The shared secret.
sharedsecret=testing123
}
(The file ships with sharedsecret=testpw; it must equal the secret in FreeRADIUS's clients.conf, testing123 in this tutorial. Both are well-known example values, so pick a secret of your own and set it in both files.)

#nano /etc/openvpn/openvpn.conf
port 1194
proto udp
dev tun
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
dh /etc/openvpn/dh1024.pem
server 10.99.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
#push "route 192.168.250.0 255.255.255.0"
#plugin /etc/openvpn/openvpn-auth-pam.so openvpn
plugin /etc/openvpn/radiusplugin.so /etc/openvpn/radiusplugin.cnf
username-as-common-name
client-cert-not-required
client-to-client
;duplicate-cn
keepalive 10 120
tls-auth /etc/openvpn/ta.key 0
comp-lzo
;max-clients 100
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
log /var/log/openvpn.log
log-append /var/log/openvpn.log
verb 4
mute 20
(With client-cert-not-required the RADIUS password is the only per-user credential, so the strength of those passwords is the strength of the VPN; tls-auth at least keeps peers without ta.key from reaching the TLS handshake at all.)
Start the VPN:
# /usr/local/sbin/openvpn --config /etc/openvpn/openvpn.conf &
Add an iptables SNAT rule so clients can reach the outside. The source network must be the one given by the server directive, 10.99.0.0/24 here; the original rule used 10.8.0.0/24, which would not match any client:
#iptables -t nat -A POSTROUTING -s 10.99.0.0/24 -j SNAT --to-source ur-vps-ip
#nano /etc/sysctl.conf
net.ipv4.ip_forward = 1 (change 0 to 1)
#sysctl -p

Since openvpn.conf was edited, OpenVPN has to be restarted for the changes to take effect:
# killall openvpn
# /usr/local/sbin/openvpn --config /etc/openvpn/openvpn.conf &
(SIGTERM, the default, lets OpenVPN remove its tun interface and routes; the original used killall -9, which skips that cleanup.)
(The compiled openvpn binary is not always in /usr/local/sbin/. Find it with:
# find / -name openvpn
On my Debian VPS the binary ended up at /usr/sbin/openvpn rather than /usr/local/sbin/openvpn.)
#tar jxvf freeradius-1.1.8.tar.bz2
#cd freeradius-1.1.8
#./configure
#cp libltdl/ltdl.h src/include/
#make && make install
#nano /etc/ld.so.conf
Add the line:
/usr/local/lib
#ldconfig

#mysql -u root -p (if MySQL was built from source into /usr/local/mysql/, the command is /usr/local/mysql/bin/mysql -u root -p)
mysql> create database radius;
mysql> grant all on radius.* to radius@localhost identified by 'radius-pw';
mysql> flush privileges;
mysql> quit

Import the schema:
#mysql -u root -p radius < /root/freeradius-1.1.8/doc/examples/mysql.sql
Enter password:
(The original also showed "mysql -u root -p roots-pw radius < ...": with a space after -p the client takes roots-pw as the database name. The password would have to be attached directly, -proots-pw, and then it lands in the shell history, so letting the client prompt is better.)
#nano /usr/local/etc/raddb/radiusd.conf (if /usr/local/etc/ has no raddb directory: # cp -r /root/freeradius-1.1.8/raddb/ /usr/local/etc/)
proxy_requests = no (change yes to no)
Starting at "authorize {", put a # in front of files and remove the # in front of sql; do the same in every section down to the closing "}" at the end of the file.
#nano /usr/local/etc/raddb/sql.conf
sql {
# Database type
# Current supported are: rlm_sql_mysql, rlm_sql_postgresql,
# rlm_sql_iodbc, rlm_sql_oracle, rlm_sql_unixodbc, rlm_sql_freetds
driver = "rlm_sql_mysql"
# Connect info
server = "localhost"
login = "radius"
password = "radius-pw"   (the password from the grant statement above)
# Database table configuration
radius_db = "radius"
#nano /usr/local/etc/raddb/clients.conf
client 127.0.0.1 {
# secret and password are mapped through the "secrets" file.
secret = testing123
}
Note:
secret is the shared secret for the client at 127.0.0.1, i.e. the OpenVPN server; it must be identical to sharedsecret in radiusplugin.cnf. testing123 is FreeRADIUS's stock example value, so replace it with a secret of your own in both files.
Insert the MySQL data
# mysql -u root -p
mysql> use radius;
Create the group:
mysql> insert into radgroupreply (groupname,attribute,op,value) values ('user','Auth-Type',':=','Local');
mysql> insert into radgroupreply (groupname,attribute,op,value) values ('user','Service-Type',':=','Framed-User');
mysql> insert into radgroupreply (groupname,attribute,op,value) values ('user','Framed-IP-Address',':=','255.255.255.255');
mysql> insert into radgroupreply (groupname,attribute,op,value) values ('user','Framed-IP-Netmask',':=','255.255.255.0');
Create the user:
mysql> insert into radcheck (username,attribute,op,value) values ('sense','User-Password',':=','123456');
Add the user to the group:
mysql> insert into usergroup (username,groupname) values ('sense','user');
To add another OpenVPN account later, run:
# mysql -u root -p
mysql> use radius;
mysql> insert into radcheck (username,attribute,op,value) values ('myusername','User-Password',':=','mypassword');
mysql> insert into usergroup (username,groupname) values ('myusername','user');
(User-Password stores the password in cleartext in the database; FreeRADIUS's rlm_pap also accepts hashed check items such as Crypt-Password or MD5-Password, which limit the damage if the radius database leaks.)
Add the following to the startup scripts (/etc/rc.local):
radiusd -x & (better with the absolute path: /usr/local/sbin/radiusd -x &)
Test:
# radiusd -x & (runs radiusd in debug mode)
This occupies the console.
Open a second console for the test (do not skip it; it confirms radiusd works):
# radtest sense 123456 localhost 0 testing123
Sending Access-Request of id 212 to 127.0.0.1 port 1812
User-Name = "sense"
User-Password = "123456"
NAS-IP-Address = 255.255.255.255
NAS-Port = 0
rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=212, length=20
(Access-Accept means radiusd works. Access-Reject means it does not, which is usually because radiusd.conf was not edited correctly; go back over the radiusd.conf section above. The last radtest argument is the shared secret from clients.conf; with a wrong secret the server decrypts the password to garbage and rejects the request.)
This confirms FreeRADIUS is working (reference: http://blog.chinaunix.net/space.php?uid=8551991&do=blog&cuid=457803). Then reboot the VPS:
# reboot
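What radtest and the radiusplugin actually put on the wire, and why the shared secret has to match on both ends, as an added example (it is not part of the original page and not FreeRADIUS or radiusplugin code): both sides of a RADIUS PAP Access-Request/Access-Accept exchange per RFC 2865, run in-process. The USERS dict stands in for the radcheck table, the secret and credentials are the page's own test values, and the NAS address and port are assumptions.

```python
"""RADIUS PAP exchange (RFC 2865) between an OpenVPN NAS and a RADIUS server,
simulated in-process. Added example; not FreeRADIUS or radiusplugin code.
The users dict plays the role of the radcheck table (User-Password := ...)."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT = 1, 2, 4, 5
HEADER = struct.Struct("!BBH")          # Code, Identifier, Length


def _avp(attr_type, value):
    """Type-Length-Value attribute; Length covers the two header bytes."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def encrypt_password(password, secret, request_auth):
    """RFC 2865 5.2: pad to a multiple of 16, then XOR each block with
    MD5(secret + previous block); the first 'previous block' is the Request Authenticator."""
    target = max(16, -(-len(password) // 16) * 16)
    padded = password.ljust(target, b"\x00")
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def decrypt_password(ciphertext, secret, request_auth):
    """Inverse of encrypt_password; the keystream chains on ciphertext blocks."""
    out, prev = b"", request_auth
    for i in range(0, len(ciphertext), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(ciphertext[i:i + 16], key))
        prev = ciphertext[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(ident, secret, username, password, nas_ip="127.0.0.1"):
    """Client side: what `radtest user pw localhost 0 secret` sends."""
    request_auth = os.urandom(16)              # fresh per request, never reused
    attrs = (_avp(USER_NAME, username.encode())
             + _avp(USER_PASSWORD, encrypt_password(password.encode(), secret, request_auth))
             + _avp(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
             + _avp(NAS_PORT, struct.pack("!I", 0)))
    length = HEADER.size + 16 + len(attrs)
    return HEADER.pack(ACCESS_REQUEST, ident, length) + request_auth + attrs, request_auth


def parse_attrs(data):
    """Walk the TLV list into a {type: value} dict."""
    attrs, i = {}, 0
    while i < len(data):
        attr_type, length = data[i], data[i +  1]
        attrs[attr_type] = data[i + 2:i + length]
        i += length
    return attrs


def response_authenticator(code, ident, length, request_auth, attrs, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    return hashlib.md5(HEADER.pack(code, ident, length) + request_auth + attrs + secret).digest()


def radius_server(packet, secret, users):
    """Server side: decrypt the PAP password, compare with the stored one, sign the reply."""
    code, ident, length = HEADER.unpack(packet[:HEADER.size])
    request_auth = packet[4:20]
    attrs = parse_attrs(packet[20:length])
    user = attrs.get(USER_NAME, b"").decode(errors="replace")
    password = decrypt_password(attrs.get(USER_PASSWORD, b""), secret, request_auth)
    ok = user in users and hmac.compare_digest(password, users[user].encode())
    reply_code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    auth = response_authenticator(reply_code, ident, 20, request_auth, b"", secret)
    return HEADER.pack(reply_code, ident, 20) + auth


def radtest(username, password, client_secret, server_secret, users):
    """One exchange, reported the way radtest would. The client verifies the Response
    Authenticator before trusting the code: a reply signed with a different secret
    (or forged) is reported as a mismatch, not as Accept or Reject."""
    packet, request_auth = build_access_request(212, client_secret, username, password)
    reply = radius_server(packet, server_secret, users)
    code, ident, length = HEADER.unpack(reply[:HEADER.size])
    expected = response_authenticator(code, ident, length, request_auth, reply[20:length], client_secret)
    if not hmac.compare_digest(expected, reply[4:20]):
        return "Response Authenticator mismatch (shared secret differs?)"
    return {ACCESS_ACCEPT: "Access-Accept", ACCESS_REJECT: "Access-Reject"}.get(code, "unknown")


if __name__ == "__main__":
    USERS = {"sense": "123456"}             # the page's radcheck row
    print(radtest("sense", "123456", b"testing123", b"testing123", USERS))   # Access-Accept
    print(radtest("sense", "123456", b"testing123", b"otherpw", USERS))      # mismatch
```

The third case is the one a mismatched clients.conf/radiusplugin.cnf produces: the server still answers, but with a reply the client cannot verify, and the decrypted password it checked was garbage anyway. Note also that the PAP password is only hidden by MD5 of the secret, not by a real cipher, which is why the secret must be long and why the RADIUS traffic here stays on 127.0.0.1.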
(If after a while you can no longer connect to OpenVPN, start radiusd again:
# radiusd -x &
Doing this by hand every time is tedious, so let cron do it. One option is a file /etc/cron.hourly/radiusd containing
killall radiusd
/usr/local/sbin/radiusd -x &
followed by # chmod 755 /etc/cron.hourly/radiusd. Better still, restart radiusd every 5 minutes:
# crontab -e (opens the crontab in an editor; enter
*/5 * * * * killall radiusd; /usr/local/sbin/radiusd -X
and save). If crontab -e reports "crontab: command not found", install it with apt-get install cron on Debian/Ubuntu or yum install vixie-cron on CentOS. If crontab -e fails with
no crontab for root - using an empty one
/bin/sh: /bin/vi: No such file or directory
crontab: "/bin/vi" exited with status 127
the system's default editor is nano rather than vi: run env EDITOR=nano crontab -e, enter the same line in the empty file and save. To restart every n minutes instead, replace 5 with n.
(Note: use killall radiusd; /usr/local/sbin/radiusd -X, not killall radiusd && /usr/local/sbin/radiusd -X. With the latter I could not get radiusd started and could not connect to OpenVPN. The reason is that && only runs the second command when the first succeeds, and killall exits non-zero whenever it finds nothing to kill, which is exactly the case after radiusd has died.)
(On crontab usage see http://2.latest.ymsdblog.appspot.com/articles/2011/06/02/1307024001259.html and http://2.latest.ymsdblog.appspot.com/articles/2011/06/01/1306900004595.html.)
If logins still fail at the end, nine times out of ten radiusd is not running; start it with # radiusd and the login goes through.
A periodic restart only papers over the problem: whatever is killing radiusd (a crash, an out-of-memory kill, or a debug run tied to a terminal that was closed) shows up in radiusd -X output or the system log, and every restart also drops the authentication requests in flight at that moment.)
Edit the OpenVPN client's configuration file, client.ovpn: comment out the two lines
cert client.crt
key client.key
and add:
auth-user-pass
then save.
3. Installing daloRADIUS (a web front end for RADIUS; optional)
#tar zxvf daloradius-0.9-8.tar.gz
#cp -rf daloradius-0.9-8/* /var/www/html/radius/
vi /var/www/html/radius/library/daloradius.conf.php and adjust the parameters (database host, user and password)
Import its schema (here -pwww passes the MySQL root password "www" inline; -p alone prompts for it):
mysql -u root -pwww radius < /var/www/html/radius/contrib/db/mysql-daloradius.sql
Test the web login at http://ip/radius
Default username administrator, password radius; change it before the page is reachable by anyone else, since this account can edit every RADIUS user.
(A good article; I followed it successfully. Note: if your radiusplugin is version 2.1, use OpenVPN 2.1 as well, otherwise running /usr/local/sbin/openvpn --config /etc/openvpn/openvpn.conf & fails with:
could not find required symbol 'openvpn_plugin_open_v1' in plugin shared object /etc/openvpn/radiusplugin.so: /etc/openvpn/radiusplugin.so: undefined symbol: openvpn_plugin_open_v1
See http://lists.gnu.org/archive/html/radiusplugin-users/2009-05/msg00004.html)
------------------------------------------------------------------------------------------------------------------------------------------
openvpn+mysql+freeradius+daloradius认证
There is not much documentation on OpenVPN's username/password authentication, so here are my notes. Thanks to the helpful people on CU who made them readable.
1. Required software and environment:
1. Either LAMP or LNMP works; to save time the environment is not covered here (my other posts describe it).
2. Required software:
wget http://www.oberhumer.com/opensource/lzo/download/lzo-2.02.tar.gz
wget http://openvpn.net/release/openvpn-2.1_rc15.tar.gz
wget ftp://ftp.freeradius.org/pub/radius/freeradius-1.1.8.tar.bz2
wget http://jaist.dl.sourceforge.net/sourceforge/daloradius/daloradius-0.9-8.tar.gz
lzo: compression support for OpenVPN
openvpn: the VPN software itself
freeradius: an excellent open-source RADIUS server
daloradius: web front end for managing RADIUS
2. Installing OpenVPN
#tar zxvf lzo-2.02.tar.gz
#cd lzo-2.02
#./configure
#make && make install
#cd ..
#tar zxvf openvpn-2.0.5.tar.gz
#cd openvpn-2.0.5
#./configure --with-lzo-headers=/usr/local/include/ --with-lzo-lib=/usr/local/lib --with-ssl-headers=/usr/include/openssl/ --with-ssl-lib=/usr/local/lib
#make && make install
(The archive built here, openvpn-2.0.5, is not the 2.1_rc15 tarball downloaded above. The radiusplugin 2.0 build used later in this article is the one for OpenVPN 2.0.x, so the names just need to match what was actually fetched.)
#cd easy-rsa/
#vi vars
#. ./vars
(note the space after the dot: this sources vars into the current shell)
#./clean-all
#./build-ca
#./build-key-server server
#./build-dh
#openvpn --genkey --secret ta.key
Edit server.conf on the server and client.ovpn on the client.
They are in the attachments at the end; download them if needed.
Start the server:
service openvpn start
If it starts normally you see:
Add an iptables SNAT rule for NAT (the source network must match the server directive in server.conf):
#iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to-source XX.XX.XX.XX
#tar jxvf freeradius-1.1.8.tar.bz2
#cd freeradius-1.1.8
#./configure
#cp libltdl/ltdl.h src/include/
#make && make install
#vi /etc/ld.so.conf
Add the line:
/usr/local/lib
#ldconfig
#mysql -u root -p
mysql> create database radius;
mysql> grant all on radius.* to radius@'%' identified by 'radius-pw';
mysql> flush privileges;
mysql> quit
(radius@'%' lets this account connect from any host; when FreeRADIUS runs on the same machine as MySQL, radius@localhost is enough and keeps the account off the network.)
Import the schema:
mysql -u root -p radius < /root/freeradius-1.1.8/doc/examples/mysql.sql
nano /usr/local/etc/raddb/radiusd.conf
In the authorize section uncomment sql and comment out files:
preacct {
preprocess
acct_unique
suffix
# files
}
accounting {
detail
unix
radutmp
sql
}
nano /usr/local/etc/raddb/sql.conf
vi /usr/local/etc/raddb/clients.conf
Note:
secret is the shared secret for the client at 127.0.0.1
Insert the MySQL data
mysql -p
Create the group:
mysql> insert into radgroupreply (groupname,attribute,op,value) values ('user','Auth-Type',':=','Local');
mysql> insert into radgroupreply (groupname,attribute,op,value) values ('user','Service-Type',':=','Framed-User');
mysql> insert into radgroupreply (groupname,attribute,op,value) values ('user','Framed-IP-Address',':=','255.255.255.255');
mysql> insert into radgroupreply (groupname,attribute,op,value) values ('user','Framed-IP-Netmask',':=','255.255.255.0');
Create the users:
mysql> insert into radcheck (username,attribute,op,value) values ('test','User-Password',':=','test');
mysql> insert into radcheck (username,attribute,op,value) values ('sense','User-Password',':=','123456');
Add the users to the group:
mysql> insert into usergroup (username,groupname) values ('test','user');
(the sense user needs a usergroup row of its own in the same way, otherwise it receives none of the group's reply items)
Test from two terminals:
If you see the output above, it works.
Add to the startup scripts:
radiusd -x &
3. Install Daloradius
# tar zxvf daloradius-0.9-8.tar.gz
# cp -rf daloradius-0.9-8/* /var/www/html/radius/
vi /var/www/html/radius/library/daloradius.conf.php
Import the daloRADIUS schema (the MySQL root password here is www; giving it on the command line leaves it in the shell history, so prefer a bare -p and the interactive prompt):
mysql -u root -pwww radius < /var/www/html/radius/contrib/db/mysql-daloradius.sql
4. Install RadiusPlugin
1) Download radiusplugin
wget http://www.nongnu.org/radiusplugin/radiusplugin_v2.0b_beta2.tar.gz
2) Build and install radiusplugin
# tar zxvf radiusplugin_v2.0b_beta2.tar.gz
# cd radiusplugin_v2.0b_beta2
# make
# cp /root/radiusplugin_v2.0b_beta2/radiusplugin.so /etc/openvpn/
# cp /root/radiusplugin_v2.0b_beta2/radiusplugin.cnf /etc/openvpn/
# nano /etc/openvpn/radiusplugin.cnf
Restart OpenVPN:
service openvpn restart
from http://mcshell.blog.51cto.com/803455/413457
-----------------------------------------------------------------------------------------------------------
OpenVPN with RADIUS authentication
After some experimentation I got OpenVPN 2.0.9 to authenticate against RADIUS; here is a brief write-up to share.
My environment: the server is Linux 9.0, the client is Windows XP.
I won't repeat the basic setup; there are plenty of articles on certificate authentication, including several good guides by the user elm.
There are also many articles on username/password authentication, but they all involve either a MySQL database or a FreeRADIUS user store. I just wanted a simple, quick way to hand the username and password to a third-party RADIUS server. There are many such servers, e.g. Windows Active Directory or WinRadius 2.01; here I use WinRadius 2.01.
1. radiusplugin_v2.0.tar.gz: builds radiusplugin.so
Download from http://www.nongnu.org/radiusplugin/
2. libgcrypt: builds /usr/lib/libgcrypt.so.11
Download from ftp://ftp.gnupg.org/gcrypt/libgcrypt/libgcrypt-1.2.4.tar.gz
3. libgpg-error: builds /usr/local/lib/libgpg-error.so.0
Download from ftp://ftp.gnupg.org/gcrypt/libgpg-error/libgpg-error-1.5.tar.gz
Build all three the usual way: configure; make; make install.
We need radiusplugin.so; the other two are its dependencies.
Once you have radiusplugin.so you are 80% done; the rest is configuration.
Copy radiusplugin.so to /etc/openvpn and create its configuration file radiusplugin.conf with the following content:
# The NAS identifier which is sent to the RADIUS server
NAS-Identifier=OpenVpn
# The service type which is sent to the RADIUS server
Service-Type=5
# The framed protocol which is sent to the RADIUS server
Framed-Protocol=1
# The NAS port type which is sent to the RADIUS server
NAS-Port-Type=5
# The IP of the host running the OpenVPN server, which is the RADIUS client (NAS)
NAS-IP-Address=192.168.2.8
# Location of the OpenVPN server configuration
OpenVPNConfig=/etc/openvpn/cert_conf/server.conf
# RADIUS server definition; more than one server block may be given, for failover
server
{
# The UDP port for radius accounting.
acctport=1813
# The UDP port for radius authentication.
authport=1812
# The IP of my RADIUS server, i.e. the host running WinRadius on which the users were added
name=192.168.2.2
# How many times should the plugin send the if there is no response?
retry=1
# How long should the plugin wait for a response?
wait=1
# The shared secret; configured in WinRadius under Settings - System - NAS secret
sharedsecret=winradius
}
Now the OpenVPN server configuration, server.conf.
Compared with a pure certificate configuration only these three lines are added:
plugin /etc/openvpn/radiusplugin.so /etc/openvpn/radiusplugin.conf
client-cert-not-required
username-as-common-name
Client configuration (Windows XP):
Remove the client certificate and add the option that prompts for username and password:
ca ca.crt
#cert client.crt
#key client.key
auth-user-pass
Start the server:
openvpn --config server.conf
If it fails, check the log file (e.g. openvpn.log); that usually resolves it.
Start the client; it prompts:
Sat Aug 25 17:52:38 2007 OpenVPN 2.0.9 Win32-MinGW [SSL] [LZO] built on Oct 1 2006
Enter Auth Username:test
Enter Auth Password:
...
Sat Aug 25 17:55:22 2007 Route addition via IPAPI succeeded
Sat Aug 25 17:55:22 2007 Initialization Sequence Completed
Authentication succeeded and the VPN tunnel is up.
On WinRadius:
User (test) authenticated
User (test) call () started
In the Linux server log:
RADIUS-PLUGIN: Configfile name: /etc/openvpn/radiusplugin.conf .
Sun Apr 1 13:31:09 2007 PLUGIN_INIT: POST /etc/openvpn/radiusplugin.so '/etc/openvpn/radiusplugin.conf' intercepted=PLUGIN_AUTH_USER_PASS_VERIFY|PLUGIN_CLIENT_CONNECT|PLUGIN_CLIENT_DISCONNECT
...
Sun Apr 1 13:31:56 2007 192.168.2.2:3214 PLUGIN_CALL: POST /etc/openvpn/radiusplugin.so/PLUGIN_AUTH_USER_PASS_VERIFY status=0
Sun Apr 1 13:31:56 2007 192.168.2.2:3214 TLS: Username/Password authentication succeeded for username 'test' [CN SET]
RADIUS authentication is working.
from http://www.chinaunix.net/jh/50/981672.html
-----------------------------------------------------
Installing freeradius + mysql on a Debian VPS
Based on http://www.howtoforge.com/setting-up-a-freeradius-based-aaa-server-with-mysql-and-management-with-daloradius and http://blog.sina.com.cn/qhqh310. I searched for a long time and found very few articles on installing freeradius on Debian, so I worked it out myself; roughly:
1) Install freeradius, mysql-server and freeradius-mysql, set the MySQL user name and password, then create a new database: mysqladmin -uroot -p create radius
2) Start freeradius: /etc/init.d/freeradius start
3) Test with a system account (system accounts are used by default): # radtest {user} {password} localhost 1812 testing123, where testing123 is the shared secret for localhost from clients.conf (which radiusd.conf includes).
4) Initialise the MySQL database; the scripts are under /etc/freeradius/sql/mysql.
5) Edit sql.conf, mainly password, server, login and radius_db. If NAS clients are to be managed in the database, remove the # in front of readclients = yes. In /etc/freeradius/sites-enabled/default search for sql and remove the # in front of sql in the following sections:
authorize{} (around line 152)
accounting{} (around line 342)
session{} (around line 373)
post-auth{} (around line 394)
6) In /etc/freeradius/radiusd.conf uncomment $INCLUDE sql.conf (around line 1322). Then add a user to the radius database:
# mysql -uroot -p
mysql> use radius;
mysql> INSERT INTO radcheck (UserName, Attribute, op, Value) VALUES ('sqltest', 'Cleartext-Password', ':=', 'testpwd');
mysql> quit
(The original used the attribute name Password with no op; FreeRADIUS 2.x expects Cleartext-Password with := for a known-plaintext check, as the PostgreSQL section further down does.)
7) Test the database user in debug mode: stop freeradius first,
# /etc/init.d/freeradius stop, then run it in debug mode: # freeradius -X
8) In a new terminal, test the user from the radius database:
# radtest sqltest testpwd localhost 1812 testing123
Sending Access-Request of id 226 to 127.0.0.1 port 1812
User-Name = "sqltest"
User-Password = "testpwd"
NAS-IP-Address = 127.0.1.1
NAS-Port = 1812
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=226, length=20
If you see this result, it works.
9) Adding other attributes to the Access-Accept reply. The radcheck table has the columns UserName (the user to authenticate), Attribute (the attribute to check), op (the check operator) and Value (the attribute value).
e.g. insert into radcheck(username, attribute, op, value) values('myuser','User-Password', '==', 'mypass');
If the configuration is correct, authentication will succeed. Note: spell the attribute name correctly, otherwise you get "Unknown attribute". The attribute definitions can be found on my blog or in share/dictionary. The radreply table has the columns UserName (the user the reply applies to), Attribute (the reply attribute), op (operator, default "=") and value (the reply value).
e.g. insert into radreply(username,attribute,op,value) values('myuser','Reply-Message','=','Yes,Good!'); after the user is authenticated this is added to the Access-Accept.
10) daloRADIUS (http://jaist.dl.sourceforge.net/sourceforge/daloradius/daloradius-0.9-8.tar.gz) can be used to manage the RADIUS users. When adding a NAS to clients.conf, secret and shortname are indented with a tab, not spaces:
# vi /etc/freeradius/clients.conf
client 172.16.10.80 {
	secret=symbol
	shortname=AP-5131
}
from http://blog.sina.com.cn/s/blog_4b2fe4d20100i2qv.html
--------------------------------------------------------------------------------------
Building a VPN authentication system with FreeRADIUS + PostgreSQL + OpenVPN
1. Install the components
Everything needed is in Ubuntu's package repositories, so apt-get will do.
sudo apt-get install freeradius freeradius-postgresql postgresql openvpn build-essential libgcrypt11-dev
2. Edit the configuration files
The FreeRADIUS configuration lives in /etc/freeradius
/etc/freeradius/clients.conf
This file controls which client addresses may connect and with which secret.
The address does not need to change, since access is local (OpenVPN to FreeRADIUS).
Note the secret; it is needed for testing and for the plugin configuration. The default is testing123 (change it for anything but a test setup).
/etc/freeradius/sql.conf
This file holds the SQL connection parameters.
What to change:
the database= line becomes database="postgresql"
Under "Connection info" changing the password is usually enough.
/etc/freeradius/sql/postgresql/dialup.conf
Uncomment sql_user_name = "%{%{Stripped-User-Name}:-%{%{User-Name}:-none}}" and comment out the line after it.
/etc/freeradius/sites-enabled/default
Uncomment sql in the authorize, preacct and accounting sections
and comment out all files and unix entries.
Modify the PostgreSQL configuration as follows:
/etc/postgresql/8.4/main/postgresql.conf
Find listen_addresses and change the address in quotes to *
/etc/postgresql/8.4/main/pg_hba.conf
On the "local all all" line change ident to md5
and add the line
host all all 0.0.0.0/0 md5
(These two changes make PostgreSQL listen on every interface and accept password logins from any address. FreeRADIUS runs on the same host here, so they are only needed for remote administration with pgAdmin, and even then 0.0.0.0/0 should be narrowed to the admin host and the port firewalled.)
3. Create the database
sudo -u postgres createuser radius --no-superuser --no-createdb --no-createrole -P
sudo -u postgres createdb radius --owner=radius
Then
sudo cp /etc/freeradius/sql/postgresql/schema.sql ~/
psql -U radius radius < ~/schema.sql
In psql, enter:
INSERT INTO radgroupreply (groupname,attribute,op,VALUE) VALUES ('user','Auth-Type',':=','Local');
INSERT INTO radgroupreply (groupname,attribute,op,VALUE) VALUES ('user','Service-Type',':=','Dialout-Framed-User');
INSERT INTO radgroupreply (groupname,attribute,op,VALUE) VALUES ('user','Framed-IP-Address',':=','255.255.255.255');
INSERT INTO radgroupreply (groupname,attribute,op,VALUE) VALUES ('user','Framed-IP-Netmask',':=','255.255.255.0');
INSERT INTO radgroupreply (groupname,attribute,op,VALUE) VALUES ('user','Acct-Interim-Interval',':=','600');
INSERT INTO radcheck (username,attribute,op,VALUE) VALUES ('test','Cleartext-Password',':=','test');
INSERT INTO radusergroup (username,groupname) VALUES ('test','user');
4. First test
sudo /etc/init.d/freeradius stop
sudo freeradius -X &
radtest test test localhost 1649 testing123
Sending Access-Request of id 204 to 127.0.0.1 port 1812
	User-Name = "test"
	User-Password = "test"
	NAS-IP-Address = 255.255.255.255
	NAS-Port = 0
rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=204, length=38
	Service-Type = Framed-User
	Framed-IP-Address = 255.255.255.255
	Framed-IP-Netmask = 255.255.255.0
An Access-Accept like this means FreeRADIUS and PostgreSQL are talking to each other; otherwise go back and check the configuration.
5. Configure OpenVPN
First OpenVPN and FreeRADIUS have to be connected, which is done with the "Radiusplugin for OpenVPN" plugin.
wget http://www.nongnu.org/radiusplugin/radiusplugin_v2.1_beta9.tar.gz
tar zxvf radiusplugin_v2.1_beta9.tar.gz
cd radiusplugin/
make
This should produce radiusplugin.so and radiusplugin.cnf in the current directory; copy both to /etc/openvpn.
Edit /etc/openvpn/radiusplugin.cnf:
OpenVPNConfig=/etc/openvpn/openvpn.conf
sharedsecret=testing123
The secret must match the one in clients.conf.
Also set name in the server section to the FreeRADIUS server's IP (localhost in this example).
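The shared secret is the only thing protecting this exchange: it keys both the User-Password scrambling in the Access-Request and the Response Authenticator on the reply, which is why a mismatch between radiusplugin.cnf and clients.conf typically shows up as the plugin seeing no valid reply (a timeout) rather than a clean reject. The following is an added example, not code from any of the posts quoted on this page nor from FreeRADIUS, radtest or radiusplugin: a minimal RFC 2865 PAP exchange with both the NAS side (what radtest in step 8 of the Debian section and step 4 above, and radiusplugin, send) and the server side implemented in Python, so it runs offline. The user table, the secret testing123 and NAS-IP-Address 127.0.0.1 are constructed test data mirroring the configurations above.

```python
"""
Added example: a minimal RADIUS Access-Request / Access-Accept exchange for
PAP (RFC 2865), NAS and server side, without any network I/O.
"""
import hashlib
import hmac
import os
import struct

# RADIUS packet codes and the attribute types used below (RFC 2865)
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT = 1, 2, 4, 5


def _pad16(data: bytes) -> bytes:
    """Pad to a multiple of 16 bytes, at least one block, as the RFC requires."""
    size = max(16, (len(data) + 15) // 16 * 16)
    return data.ljust(size, b"\x00")


def obfuscate_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous block),
    seeded with the Request Authenticator. This hides the password only from
    parties that do not know the shared secret; it is not encryption."""
    out, prev = b"", req_auth
    padded = _pad16(password)
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return out


def recover_password(enc: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Inverse of obfuscate_password: the server side of the same computation."""
    out, prev = b"", req_auth
    for i in range(0, len(enc), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(enc[i:i + 16], key))
        prev = enc[i:i + 16]
    return out.rstrip(b"\x00")


def encode_attrs(attrs) -> bytes:
    """Attributes are TLVs: type (1 byte), total length (1 byte), value."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def parse_attrs(data: bytes):
    attrs, i = [], 0
    while i < len(data):
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs


def build_packet(code: int, ident: int, authenticator: bytes, attrs) -> bytes:
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def build_access_request(username: str, password: str, secret: bytes,
                         ident: int, req_auth: bytes = None) -> bytes:
    """NAS side. NAS-IP-Address 127.0.0.1 is the value from the configurations
    in the text; the Request Authenticator must be unpredictable and unique."""
    req_auth = req_auth or os.urandom(16)
    attrs = [
        (USER_NAME, username.encode()),
        (USER_PASSWORD, obfuscate_password(password.encode(), secret, req_auth)),
        (NAS_IP_ADDRESS, bytes([127, 0, 0, 1])),
        (NAS_PORT, struct.pack("!I", 0)),
    ]
    return build_packet(ACCESS_REQUEST, ident, req_auth, attrs)


def handle_access_request(packet: bytes, secret: bytes, users: dict) -> bytes:
    """Server side: recover the password with the server's copy of the secret,
    look the user up, and sign the reply with the Response Authenticator
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        raise ValueError("not a well-formed Access-Request")
    req_auth = packet[4:20]
    attrs = dict(parse_attrs(packet[20:length]))
    username = attrs.get(USER_NAME, b"").decode(errors="replace")
    password = recover_password(attrs.get(USER_PASSWORD, b""), secret, req_auth)
    expected = users.get(username)
    ok = expected is not None and hmac.compare_digest(expected.encode(), password)
    header = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20)
    resp_auth = hashlib.md5(header + req_auth + secret).digest()  # no reply attributes
    return header + resp_auth


def verify_response(response: bytes, request: bytes, secret: bytes):
    """NAS side: a reply whose Response Authenticator does not verify under the
    NAS's secret is dropped, which the NAS then experiences as a timeout."""
    header, resp_auth, body = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(header + request[4:20] + body + secret).digest()
    if not hmac.compare_digest(expected, resp_auth):
        return None
    return response[0]


def authenticate(username, password, nas_secret, server_secret, users, ident=1):
    """Full exchange. Returns ACCESS_ACCEPT, ACCESS_REJECT, or None when the reply
    could not be authenticated (the two sides hold different secrets)."""
    request = build_access_request(username, password, nas_secret, ident)
    response = handle_access_request(request, server_secret, users)
    return verify_response(response, request, nas_secret)


if __name__ == "__main__":
    USERS = {"test": "test", "sqltest": "testpwd"}   # constructed radcheck rows
    SECRET = b"testing123"                           # clients.conf default
    print(authenticate("test", "test", SECRET, SECRET, USERS))    # ACCESS_ACCEPT
    print(authenticate("test", "wrong", SECRET, SECRET, USERS))   # ACCESS_REJECT
    print(authenticate("test", "test", SECRET, b"typo", USERS))   # None: secret mismatch
```

Two things worth noticing: the User-Password scrambling is a MD5 stream XOR keyed by the secret and the 16-byte Request Authenticator, so anyone sniffing the UDP exchange who knows or guesses the secret recovers every password, and the Access-Request itself carries no integrity check unless a Message-Authenticator (RFC 2869) is added. That is why these setups keep the plugin and FreeRADIUS on the same host or on a private segment.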
Then generate the OpenVPN keys:
sudo su
cp -R /usr/share/doc/openvpn/examples/easy-rsa /etc/openvpn
cd /etc/openvpn/easy-rsa/2.0
. ./vars
./clean-all
./build-ca
./build-key-server server
./build-key client1
./build-dh
Configure the OpenVPN server:
sudo nano /etc/openvpn/openvpn.conf
dev tun
proto tcp
port xxxx
ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/2.0/keys/server.crt
key /etc/openvpn/easy-rsa/2.0/keys/server.key
dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem
user nobody
group nogroup
server 10.8.0.0 255.255.255.0
client-cert-not-required
username-as-common-name
plugin /etc/openvpn/radiusplugin.so /etc/openvpn/radiusplugin.cnf
status /var/log/openvpn/status.log 1
log /var/log/openvpn/openvpn.log
persist-key
persist-tun
push "redirect-gateway def1"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 208.67.222.222"
auth RSA-SHA512
cipher AES-256-CBC
comp-lzo
Client:
client
dev tun
proto tcp
remote your-server-address xxxx
resolv-retry infinite
nobind
persist-key
persist-tun
script-security 2
auth RSA-SHA512
cipher AES-256-CBC
ca ca.crt
auth-user-pass
verb 3
ns-cert-type server
comp-lzo
(client-cert-not-required, ns-cert-type server and a 1024-bit DH group are what this 2010 setup used; current OpenVPN releases replace the first two with verify-client-cert none and remote-cert-tls server, and build-dh should be told to produce 2048 bits or more.)
Then add the following to /etc/rc.local:
# add iptables rule for openvpn
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o venet0 -j SNAT --to-source your-server-ip-address
# restart openvpn after 1 hour in case tun device got broken on reboot
sleep 3600
/etc/init.d/openvpn stop
sleep 10
/etc/init.d/openvpn start
After a reboot and the hour-long wait, connecting to the server should prompt for a username and password; once the OpenVPN icon turns green it is working. You can check at whatsmyip.org.
Usernames and passwords live in the radcheck table and can be changed e.g. with pgAdmin connected to the database.
from https://tomem.info/blog/2010/06/207
---------------------------------------------------------------------
LDAP for authorization and authentication
Instead of using MySQL for authorization and authentication, you can bind FreeRADIUS with an LDAP server. I have not done this with OpenVPN as a NAS yet, but with pppoe-server (rp-pppoe), and the steps should be nearly the same. Here is what I have done. To use LDAP with freeradius, you need to install freeradius-ldap and slapd.
authorize {
preprocess
files
sql
ldap
expiration
logintime
}
authenticate {
Auth-Type LDAP {
ldap
}
}
preacct {
preprocess
acct_unique
suffix
files
}
accounting {
sql
}
session {
sql
}
post-auth {
ldap
exec
}
pre-proxy {
}
post-proxy {
}
Modify the users file like this (example):
DEFAULT Ldap-Group == disabled, Auth-Type := Reject
	Reply-Message = "Account disabled. Please call the helpdesk.",
	Fall-Through = no

DEFAULT Ldap-Group == flat10000, User-Profile := "uid=flat10000,ou=profiles,ou=radius,ou=wl,dc=example,dc=org"
	Fall-Through = no

DEFAULT Auth-Type := Reject
	Reply-Message = "Please call the helpdesk."
ldap {
server = "wl00.wl.example.org" # Insert your exact FQDN here, if using TLS
identity = "cn=proxyuser,dc=example,dc=org"
password = YOUR-LDAP-PROXYUSER-PW-HERE
basedn = "ou=wl,dc=example,dc=org"
filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
base_filter = "(objectclass=radiusprofile)"
ldap_connections_number = 5
timeout = 4
timelimit = 3
net_timeout = 1
tls {
start_tls = yes
cacertfile = /ca/cacert_org.crt # I use certificates signed by http://www.cacert.org
require_cert = "demand"
}
dictionary_mapping = ${confdir}/ldap.attrmap
password_attribute = userPassword
edir_account_policy_check = no
groupname_attribute = radiusGroupName
groupmembership_filter = "(&(uid=%{%{Stripped-User-Name}:-%{User-Name}})(objectclass=radiusprofile))"
compare_check_items = no
}
A sample init.ldif is shown here (entries are separated by blank lines, as LDIF requires):
dn: dc=example,dc=org
objectClass: top
objectClass: dcObject
objectClass: organization
dc: example
o: MyCompany

dn: ou=wl,dc=example,dc=org
objectClass: organizationalUnit
objectClass: top
ou: wl

dn: ou=users,ou=wl,dc=example,dc=org
objectClass: organizationalUnit
objectClass: top
ou: users

dn: ou=radius,ou=wl,dc=example,dc=org
objectClass: organizationalUnit
objectClass: top
ou: radius

dn: ou=profiles,ou=radius,ou=wl,dc=example,dc=org
objectClass: organizationalUnit
objectClass: top
ou: profiles

# This sample is from PPPoE and shows some vendor specific attributes
dn: uid=flat10000,ou=profiles,ou=radius,ou=wl,dc=example,dc=org
objectClass: radiusObjectProfile
objectClass: top
objectClass: radiusprofile
uid: flat10000
cn: flat10000
radiusReplyItem: Acct-Interim-Interval := 360
radiusReplyItem: RP-Downstream-Speed-Limit := 10240
radiusReplyItem: RP-Upstream-Speed-Limit := 10240
radiusIdleTimeout: 3600
radiusSessionTimeout: 86400
radiusSimultaneousUse: 1

# The proxy user's DN must match identity in the ldap module and the slapd ACLs
dn: cn=proxyuser,dc=example,dc=org
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: proxyuser
userPassword: {SSHA}***************
description: LDAP administrator (read-only)

dn: uid=wl00000000,ou=users,ou=wl,dc=example,dc=org
objectClass: inetOrgPerson
objectClass: radiusprofile
uid: wl00000000
cn: Christian Roessner
sn: Roessner
givenName: Christian
l: Cityname_here
postalCode: Zip_code_here
postalAddress: Foobar street 4711
homePhone: +49 000 00000000
mail: sample@example.org
userPassword: Test123West
description: Testuser
radiusGroupName: flat10000
I have configured LDAP to have a proxyuser that has access rights to all data with read-only support.
Here is my sample slapd.conf:
# /etc/ldap/slapd.conf
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/freeradius.schema # You can find it in the doc folder somewhere in freeradius
argsfile /var/run/slapd/slapd.args
pidfile /var/run/slapd/slapd.pid
modulepath /usr/lib/ldap
moduleload back_hdb.la
loglevel 256
# Sample security restrictions
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
# Require 63-bit encryption for simple bind
security ssf=1 update_ssf=112 simple_bind=64
TLSCACertificateFile /ca/cacert_org.crt
TLSCertificateFile /ca/newcert.pem
TLSCertificateKeyFile /ca/newkey.pem
database frontend
# Sample access control policy:
# Root DSE: allow anyone to read it
# Subschema (sub)entry DSE: allow anyone to read it
# Other DSEs:
# Allow self write access
# Allow authenticated users read access
# Allow anonymous users to authenticate
# Directives needed to implement policy:
access to dn.base=""
by * read
access to dn.base="cn=Subschema"
by * read
access to *
by self write
by users read
by anonymous auth
database config
rootdn cn=config
rootpw {SSHA}*****************
database hdb
suffix dc=example,dc=org
rootdn cn=admin,dc=example,dc=org
rootpw {SSHA}*****************
directory /var/lib/ldap
index objectClass eq
# ... More indexes where added with Apache-Directory-Studio and not listed here
access to attrs=userPassword,shadowLastChange
by self write
by dn.exact="cn=proxyuser,dc=example,dc=org" read
by anonymous auth
by * none
access to *
by dn.exact="cn=proxyuser,dc=example,dc=org" read
by users read
by * none
See a final radtest here:
radtest wl00000000 PW_for_wl00000000 127.0.0.1 0 The_Client_PW_for_radius
Sending Access-Request of id 215 to 127.0.0.1 port 1812
User-Name = "wl00000000"
User-Password = "PW_for_wl00000000"
NAS-IP-Address = 127.0.1.1
NAS-Port = 0
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=215, length=62
Idle-Timeout = 3600
Session-Timeout = 86400
Acct-Interim-Interval = 360
RP-Downstream-Speed-Limit = 10240
RP-Upstream-Speed-Limit = 10240
Aug 30 17:01:21 wl00 slapd[5100]: conn=2126 fd=15 ACCEPT from IP=127.0.1.1:54769 (IP=0.0.0.0:389)
Aug 30 17:01:21 wl00 slapd[5100]: conn=2126 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Aug 30 17:01:21 wl00 slapd[5100]: conn=2126 op=0 STARTTLS
Aug 30 17:01:21 wl00 slapd[5100]: conn=2126 op=0 RESULT oid= err=0 text=
Aug 30 17:01:21 wl00 slapd[5100]: conn=2126 fd=15 TLS established tls_ssf=128 ssf=128
Aug 30 17:01:21 wl00 slapd[5100]: conn=2126 op=1 BIND dn="cn=proxyuser,dc=example,dc=org" method=128
Aug 30 17:01:21 wl00 slapd[5100]: conn=2126 op=1 BIND dn="cn=proxyuser,dc=example,dc=org" mech=SIMPLE ssf=0
Aug 30 17:01:21 wl00 slapd[5100]: conn=2126 op=1 RESULT tag=97 err=0 text=
...
...
Aug 30 19:08:42 wl00 slapd[5100]: conn=2126 op=15 SRCH base="ou=wl,dc=example,dc=org" scope=2 deref=0 filter="(uid=wl100001)"
Aug 30 19:08:42 wl00 slapd[5100]: conn=2126 op=15 SRCH attr=radiusNASIpAddress radiusExpiration acctFlags dBCSPwd sambaNtPassword sambaLmPassword ntPassword lmPassword radiusCallingStationId radiusCalledStationId radiusSimultaneousUse radiusAuthType radiusCheckItem radiusTunnelPrivateGroupId radiusTunnelMediumType radiusTunnelType radiusReplyMessage radiusLoginLATPort radiusPortLimit radiusFramedAppleTalkZone radiusFramedAppleTalkNetwork radiusFramedAppleTalkLink radiusLoginLATGroup radiusLoginLATNode radiusLoginLATService radiusTerminationAction radiusIdleTimeout radiusSessionTimeout radiusClass radiusFramedIPXNetwork radiusCallbackId radiusCallbackNumber radiusLoginTCPPort radiusLoginService radiusLoginIPHost radiusFramedCompression radiusFramedMTU radiusFilterId radiusFramedRouting radiusFramedRoute radiusFramedIPNetmask radiusFramedIPAddress radiusFramedProtocol radiusServiceType radiusReplyItem userPassword sasdefaultloginsequence
Aug 30 19:08:42 wl00 slapd[5100]: conn=2126 op=15 SEARCH RESULT tag=101 err=0 nentries=1 text=
Aug 30 19:08:42 wl00 slapd[5100]: conn=2126 op=16 SRCH base="uid=flat10000,ou=profiles,ou=radius,ou=wl,dc=example,dc=org" scope=0 deref=0 filter="(objectClass=radiusprofile)"
Aug 30 19:08:42 wl00 slapd[5100]: conn=2126 op=16 SRCH attr=radiusNASIpAddress radiusExpiration acctFlags dBCSPwd sambaNtPassword sambaLmPassword ntPassword lmPassword radiusCallingStationId radiusCalledStationId radiusSimultaneousUse radiusAuthType radiusCheckItem radiusTunnelPrivateGroupId radiusTunnelMediumType radiusTunnelType radiusReplyMessage radiusLoginLATPort radiusPortLimit radiusFramedAppleTalkZone radiusFramedAppleTalkNetwork radiusFramedAppleTalkLink radiusLoginLATGroup radiusLoginLATNode radiusLoginLATService radiusTerminationAction radiusIdleTimeout radiusSessionTimeout radiusClass radiusFramedIPXNetwork radiusCallbackId radiusCallbackNumber radiusLoginTCPPort radiusLoginService radiusLoginIPHost radiusFramedCompression radiusFramedMTU radiusFilterId radiusFramedRouting radiusFramedRoute radiusFramedIPNetmask radiusFramedIPAddress radiusFramedProtocol radiusServiceType radiusReplyItem userPassword sasdefaultloginsequence
Aug 30 19:08:42 wl00 slapd[5100]: conn=2126 op=16 SEARCH RESULT tag=101 err=0 nentries=1 text=
from http://www.roessner-network-solutions.com/beliebte-seiten-und-artikel/openvpn-radius-mysqlldap-howto/#radplug1
http://www.ldap-account-manager.org/
----------------------------------------------------------------------------------------------------------------------------------
OpenVPN authentication methods
1. Text-file authentication
1) Get the text-file password script
wget http://openvpn.se/files/other/checkpsw.sh -P /etc/openvpn
cd /etc/openvpn
chmod u+x checkpsw.sh
chown nobody.nobody checkpsw.sh
(The script runs as the account OpenVPN drops to, nobody here, and an account that owns its own authentication script can rewrite it. The safer layout is checkpsw.sh owned by root with mode 755, and the password file owned by root and readable only by that account.)
2) Create the password file
e.g. /etc/openvpn/psw-file
Format: username<Tab>password, one entry per line:
user1	pass
user2	pass
3) Edit the server configuration
Add to server.conf:
auth-user-pass-verify /etc/openvpn/checkpsw.sh via-env
(OpenVPN 2.1 and later also require script-security 3 for via-env, because the password is handed to the script through its environment; via-file needs only script-security 2 and keeps the password out of the environment.)
4) Edit the client configuration
First, comment out the client certificate and key:
;cert client1.crt
;key client1.key
Second, add the option that prompts for username and password:
auth-user-pass
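The checkpsw.sh approach stores passwords in plaintext and, with via-env, exposes them to the script's environment. The following is an added example, not the checkpsw.sh script from openvpn.se nor any code from this page: an auth-user-pass-verify helper for via-file mode that keeps only salted PBKDF2 hashes in the password file, compares in constant time, spends the same time on unknown users as on wrong passwords, and rejects usernames that would make an odd common name (username-as-common-name turns the username into the client's CN). The PSW_FILE path is assumed to be the one from the text; the hash format and the helper's name are my own choices.

```python
#!/usr/bin/env python3
"""
Added example: auth-user-pass-verify helper for OpenVPN in via-file mode.
OpenVPN invokes it as   <script> <tmpfile>   where the temporary file holds
the username on line 1 and the password on line 2, and treats exit status 0
as success, anything else as failure.
"""
import hashlib
import hmac
import os
import re
import sys

PSW_FILE = "/etc/openvpn/psw-file"   # assumption: same location as in the text
ITERATIONS = 100_000
# usernames become the client CN, so only allow plain account names
USERNAME_RE = re.compile(r"[A-Za-z0-9_.@-]{1,64}")


def hash_password(password: str, salt: bytes = None) -> str:
    """Stored form: pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        algo, iters, salt_hex, dk_hex = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
    except ValueError:
        return False
    return hmac.compare_digest(dk.hex(), dk_hex)


# Hash checked against for unknown users, so a bad username costs the same
# time as a bad password; the value itself is irrelevant and never matches.
_DUMMY = hash_password("unknown-user-placeholder")


def load_users(text: str) -> dict:
    """Parse 'username<Tab>hash' lines; blank lines and '#' comments are skipped."""
    users = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, _, stored = line.partition("\t")
        if name and stored:
            users[name] = stored.strip()
    return users


def parse_via_file(text: str):
    """via-file layout: line 1 username, line 2 password."""
    lines = text.split("\n")
    if len(lines) < 2:
        return None, None
    return lines[0].rstrip("\r"), lines[1].rstrip("\r")


def check(username, password, users: dict) -> bool:
    if username is None or password is None or not USERNAME_RE.fullmatch(username):
        return False
    stored = users.get(username)
    # always run the KDF, then additionally require that the user existed
    return verify_password(password, stored or _DUMMY) and stored is not None


def main(argv) -> int:
    if len(argv) != 2:
        return 1
    with open(argv[1], encoding="utf-8") as f:
        username, password = parse_via_file(f.read())
    with open(PSW_FILE, encoding="utf-8") as f:
        users = load_users(f.read())
    return 0 if check(username, password, users) else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

To use it, put `script-security 2` and `auth-user-pass-verify /etc/openvpn/checkpsw.py via-file` in server.conf, generate each line of the password file with `hash_password("...")` from a Python shell, and give the file root ownership with mode 640 and the group of the account OpenVPN drops to, since the script runs as that account.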
2. Authentication against a MySQL database
1) The pam_mysql module is required
# wget http://prdownloads.sourceforge.net/pam-mysql/pam_mysql-0.7RC1.tar.gz
Project page:
http://pam-mysql.sourceforge.net
2) Build the module
# tar -zxvf pam_mysql-0.7RC1.tar.gz
# cd pam_mysql-0.7RC1
# ./configure --with-openssl
or
# ./configure --with-mysql=/usr/lib/mysql/mysql_config --with-openssl
# make install
# cd .libs
# cp pam_mysql.so /lib/security
3) Prepare the related services
# service saslauthd restart
Edit /etc/sysconfig/saslauthd and change MECH=pam to MECH=shadow
4) MySQL
Brief installation steps:
# cd /usr/bin
# ./mysql_install_db
# service mysqld restart
# ./mysqladmin -u root password '????????'
# mysql -u root -p
> create database vpn;
> grant all on vpn.* to vpn@localhost identified by '????????';
> flush privileges;
> use vpn;
> create table vpnuser (name char(20) NOT NULL, password char(128) default NULL, active int(10) NOT NULL DEFAULT 1, PRIMARY KEY(name));
> insert into vpnuser(name,password) values ('......',password('......'));
5) Configure the pam_mysql module
/etc/pam.d/openvpn:
auth    sufficient pam_mysql.so user=vpn passwd=...... host=localhost db=vpn table=vpnuser usercolumn=name passwordcolumn=password where=active=1 sqllog=0 crypt=2
account sufficient pam_mysql.so user=vpn passwd=...... host=localhost db=vpn table=vpnuser usercolumn=name passwordcolumn=password where=active=1 sqllog=0 crypt=2
(The original line began with "with", which is not a PAM module type; the auth line is what openvpn-auth-pam authenticates against, and the account line is needed because the plugin also runs PAM account management. The file carries the database password, so keep it readable by root only; the plugin does its PAM work in a helper process forked before OpenVPN drops privileges.)
Note the meaning of the crypt values:
crypt=0: plaintext
crypt=1: crypt(3)
crypt=2: MySQL PASSWORD() function
crypt=3: plain hex MD5 (MySQL MD5() function), not PASSWORD()
Because the row above was inserted with password(), crypt=2 is the matching setting; with crypt=3 every login would fail, since a PASSWORD() hash never equals MD5(password).
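The crypt= value and the function used in the INSERT have to agree, and the quickest way to see why is to reproduce the stored formats. The following is an added example, not pam_mysql's own code: it models the column value each crypt= mode expects (MySQL 4.1+ PASSWORD() is '*' followed by the upper-case hex of SHA1(SHA1(pw)); crypt=3 is hex MD5; crypt=4, hex SHA1, is included because it has the same shape), the comparison pam_mysql then performs, and a shape-based guess of which mode a given column value was written for. crypt=1 (crypt(3)) is platform-specific and left out.

```python
"""
Added example: the password-column formats behind pam_mysql's crypt= setting,
so a vpnuser row and the /etc/pam.d/openvpn line can be checked for agreement
before OpenVPN is involved.
"""
import hashlib
import hmac

PLAIN, MYSQL_PASSWORD, MD5_HEX, SHA1_HEX = 0, 2, 3, 4
_HEX = set("0123456789abcdef")


def mysql_password(password: str) -> str:
    """MySQL 4.1+ PASSWORD(): '*' + upper-case hex of SHA1(SHA1(password))."""
    inner = hashlib.sha1(password.encode()).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()


def stored_form(password: str, crypt: int) -> str:
    """What the password column must contain for a given crypt= value."""
    if crypt == PLAIN:
        return password
    if crypt == MYSQL_PASSWORD:
        return mysql_password(password)
    if crypt == MD5_HEX:
        return hashlib.md5(password.encode()).hexdigest()
    if crypt == SHA1_HEX:
        return hashlib.sha1(password.encode()).hexdigest()
    raise ValueError(f"crypt={crypt} is not modelled here")


def pam_mysql_check(password: str, column_value: str, crypt: int) -> bool:
    """The comparison performed at login for that crypt= value."""
    return hmac.compare_digest(stored_form(password, crypt), column_value)


def matching_crypt(column_value: str):
    """Guess, from its shape alone, which crypt= value a column value suits.
    A plaintext password that happens to look like hex would be misjudged,
    which is one more reason not to use crypt=0."""
    if len(column_value) == 41 and column_value.startswith("*"):
        return MYSQL_PASSWORD
    if len(column_value) == 32 and set(column_value) <= _HEX:
        return MD5_HEX
    if len(column_value) == 40 and set(column_value) <= _HEX:
        return SHA1_HEX
    return None


if __name__ == "__main__":
    row = mysql_password("secret")            # what password('secret') stores
    print(row, matching_crypt(row))            # *...  2
    print(pam_mysql_check("secret", row, 2))   # True
    print(pam_mysql_check("secret", row, 3))   # False: the mismatch discussed above
```

Running it with the value from `SELECT password FROM vpnuser WHERE name='...'` pasted into `matching_crypt` tells you which crypt= the row was written for; note that even the matching modes are unsalted fast hashes, so the table should be protected as carefully as a plaintext one.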
6) Edit the OpenVPN configuration
Generate ta.key:
# openvpn --genkey --secret keys/ta.key
Server configuration (the last argument to plugin, openvpn, is the PAM service name, i.e. /etc/pam.d/openvpn):
tls-auth ta.key 0
plugin ./openvpn-auth-pam.so openvpn
client-cert-not-required
username-as-common-name
Client configuration:
auth-user-pass
tls-auth ta.key 1
3. LDAP authentication
There are two approaches: openvpn-auth-ldap, which authenticates directly against LDAP, or, as with MySQL, pam_ldap, which goes through PAM and then on to LDAP.
Here openvpn-auth-ldap is used (for the other approach: after yum install nss_ldap, copy /usr/share/doc/nss_ldap_253/ldap.conf.pam_ldap to /etc/pam_ldap.conf and create /etc/pam.d/openvpn).
1) Install
# yum install openvpn-auth-ldap
To build it yourself, download auth-ldap-2.0.3.tar.gz and re2c-0.13.5.tar.gz:
# tar -zxvf re2c-0.13.5.tar.gz
# cd re2c-0.13.5
# ./configure
# make
# make install
# tar -zxvf auth-ldap-2.0.3.tar.gz
# cd auth-ldap-2.0.3
# ./configure --prefix=/usr/local --with-openldap=/usr/local --with-openvpn=/root/openvpn-2.0.9
or
# ./configure --prefix=/usr/local --with-openldap=/usr/lib/openldap --with-openvpn=/usr/src/redhat/BUILD/openvpn-2.0.9
This produces /usr/local/lib/openvpn-auth-ldap.so
2) Configuration file
Edit auth-ldap.conf.
With the yum package the sample lives in /usr/share/doc/openvpn-auth-ldap-2.0.3; when built from source it is /usr/local/etc/auth-ldap.conf.
Example (adjust to your environment):
<LDAP>
# LDAP server URL
URL ldap://ldap1.example.org
# Bind DN (If your LDAP server doesn't support anonymous binds)
# BindDN uid=Manager,ou=People,dc=example,dc=com
# Bind Password
# Password SecretPassword
# Network timeout (in seconds)
Timeout 15
# Enable Start TLS
TLSEnable yes
# Follow LDAP Referrals (anonymously)
FollowReferrals yes
# TLS CA Certificate File
TLSCACertFile /usr/local/etc/ssl/ca.pem
# TLS CA Certificate Directory
TLSCACertDir /etc/ssl/certs
# Client Certificate and key
# If TLS client authentication is required
TLSCertFile /usr/local/etc/ssl/client-cert.pem
TLSKeyFile /usr/local/etc/ssl/client-key.pem
# Cipher Suite
# The defaults are usually fine here
# TLSCipherSuite ALL:!ADH:@STRENGTH
</LDAP>
<Authorization>
# Base DN
BaseDN "ou=People,dc=example,dc=com"
# User Search Filter
SearchFilter "(&(uid=%u)(accountStatus=active))"
# Require Group Membership
RequireGroup false
# Add non-group members to a PF table (disabled)
#PFTable ips_vpn_users
<Group>
BaseDN "ou=Groups,dc=example,dc=com"
SearchFilter "(|(cn=developers)(cn=artists))"
MemberAttribute uniqueMember
# Add group members to a PF table (disabled)
#PFTable ips_vpn_eng
</Group>
</Authorization>
The OpenVPN configuration follows the same pattern as for MySQL:
plugin /usr/local/lib/openvpn-auth-ldap.so /etc/openvpn/auth/ldap.conf
client-cert-not-required
username-as-common-name
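SearchFilter above interpolates the client-supplied username (%u) into an LDAP filter, so whichever component does that substitution has to escape the value first; otherwise a "username" such as *)(uid=* rewrites the filter. The following is an added example that is not part of openvpn-auth-ldap and makes no statement about how that plugin performs its own substitution: the RFC 4515 escaping such a substitution needs, applied to the SearchFilter from the configuration above, together with the stricter allow-list check that is worth doing anyway because username-as-common-name turns the same string into the client's CN. The template string is the one from the text; the function names and the sample usernames are constructed.

```python
"""
Added example: RFC 4515 escaping for a value interpolated into an LDAP search
filter, applied to the SearchFilter used in the auth-ldap.conf above.
"""
import re

_SAFE = re.compile(r"[A-Za-z0-9_.@-]{1,64}")
TEMPLATE = "(&(uid=%u)(accountStatus=active))"   # SearchFilter from the text


def ldap_filter_escape(value: str) -> str:
    """RFC 4515 escaping: '*', '(', ')', '\\', NUL, control characters and
    every non-ASCII UTF-8 byte are written as \\XX (two hex digits)."""
    out = []
    for byte in value.encode("utf-8"):
        if byte in b"*()\\\x00" or byte < 0x20 or byte >= 0x7f:
            out.append("\\%02x" % byte)
        else:
            out.append(chr(byte))
    return "".join(out)


def build_search_filter(template: str, username: str) -> str:
    """Substitute the username for %u only after escaping it."""
    return template.replace("%u", ldap_filter_escape(username))


def is_plain_username(username: str) -> bool:
    """Allow-list check applied before any directory lookup: with
    username-as-common-name the value also becomes the client's CN."""
    return bool(_SAFE.fullmatch(username))


def lookup_filter(username: str):
    """Policy used by a caller: refuse odd names outright, escape the rest."""
    if not is_plain_username(username):
        return None
    return build_search_filter(TEMPLATE, username)


if __name__ == "__main__":
    for name in ("alice", "*)(uid=*", "bob)(|(accountStatus=disabled"):
        print(repr(name), "->", build_search_filter(TEMPLATE, name),
              "| accepted:", lookup_filter(name) is not None)
```

With escaping alone the second sample becomes a harmless search for the literal string *)(uid=*; with the allow-list it never reaches the directory at all, which is the behaviour to prefer for a VPN login.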
--------------------------------------------------------------------------
2: Username and password authentication
2.1: Plaintext username and password
This uses the script provided by the OpenVPN project; I already have it working. It is simple: a text file with usernames and passwords is all it takes.
2.2: POP
This is the moderator's script, which verifies against POP; I have this working too.
2.3: PAM
2.3.1 pam+mysql
Plenty of articles cover this; basically no problems.
2.3.2 pam + Linux users
I only came across this today: authenticating against the local Linux accounts.
http://forum.mandriva.com/viewtopic.php?t=52399
2.3.3 pam+radius+mysql
I don't understand why one would do it this way,
http://code.google.com/p/autosetup
2.3.4 pam+ldap
There is not much documentation on this; I did not get it working.
2.4 ldap
Authenticate directly against LDAP.
http://code.google.com/p/openvpn-auth-ldap/