PART I
========================================================================
This article is based on an Ubuntu installation.
It builds on the previous article, which set up freeradius and mysql (http://www.cnblogs.com/klobohyz/archive/2012/02/01/2334811.html),
and adds the pptp component so that authentication happens over a VPN. Start by installing pptp:
apt-get install pptpd
Configure pptpd.conf:
vim /etc/pptpd.conf
Add the following to the bottom of the file:
localip 10.10.10.1
remoteip 10.10.10.2-254
localip is the virtual IP address the host takes once the VPN is established; remoteip is the range 10.10.10.2 to 10.10.10.254, the pool of virtual IP addresses handed out to clients after the tunnel comes up. These addresses are visible both inside and outside the virtual machines.
Edit the pptpd-options file:
vim /etc/ppp/pptpd-options
Add the DNS server addresses for the VPN at the bottom, i.e. the DNS servers clients use once connected; here the resolution service provided by OpenDNS is used:
# OpenDNS
ms-dns 208.67.222.222
ms-dns 208.67.220.220
Modify the chap-secrets file to add a VPN user. For example, to add a user whose username and password are both test, enter:
test * test *
The first test is the username and the second is the password. The first asterisk is the server (connection method) field: pptpd and xl2tpd are both supported, and * accepts either. The second asterisk means the client's IP address is allocated at random; if you want to assign a fixed IP address, put it here, but it must lie within the range given by remoteip.
With this, the pptpd configuration is complete. Next, configure iptables to set up the forwarding rules.
First, edit /etc/sysctl.conf to enable forwarding:
sed -i 's/#net.ipv4.ip_forward=1/net.ipv4.ip_forward=1/g' /etc/sysctl.conf
This opens /etc/sysctl.conf, finds the line #net.ipv4.ip_forward=1 and removes the leading #, i.e. uncomments it; that is what enables forwarding.
Reload sysctl.conf so the setting takes effect:
sysctl -p
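The sed above only matches a line that reads exactly #net.ipv4.ip_forward=1; if the key is missing from the file, or is present with another value, the sed changes nothing and forwarding silently stays off. As an added example (my own shell functions, not part of the original article), set_sysctl_key uncomments or rewrites an existing entry and appends one otherwise, and the demo runs it on a constructed copy of the file rather than on the real /etc/sysctl.conf:

```shell
#!/bin/sh
# Added example: idempotently enable net.ipv4.ip_forward in a sysctl.conf-style
# file. Unlike the one-shot sed in the article, this also handles a missing key
# or a key already present with another value. Function names are my own.

# set_sysctl_key FILE KEY VALUE
# Rewrites an existing "KEY=..." line (commented out or not) to KEY=VALUE,
# otherwise appends KEY=VALUE at the end of the file.
set_sysctl_key() {
    local file=$1 key=$2 value=$3 re
    re=$(printf '%s' "$key" | sed 's/\./\\./g')   # escape the dots for the regex
    [ -f "$file" ] || : > "$file"
    if grep -Eq "^[[:space:]]*#?[[:space:]]*${re}[[:space:]]*=" "$file"; then
        sed -i -E "s|^[[:space:]]*#?[[:space:]]*${re}[[:space:]]*=.*|${key}=${value}|" "$file"
    else
        printf '%s=%s\n' "$key" "$value" >> "$file"
    fi
}

# get_sysctl_key FILE KEY
# Prints the value of the last active (uncommented) KEY= line, or nothing.
get_sysctl_key() {
    local re
    re=$(printf '%s' "$2" | sed 's/\./\\./g')
    grep -E "^[[:space:]]*${re}[[:space:]]*=" "$1" | tail -n 1 | sed -E 's/^[^=]*=[[:space:]]*//'
}

# demo_ip_forward CASE
# Builds a constructed sysctl.conf in a temp file, applies set_sysctl_key and
# prints the resulting ip_forward value. CASE "commented" mimics the stock
# Ubuntu file, "absent" a file without the key, "zero" a file where forwarding
# was explicitly disabled.
demo_ip_forward() {
    local tmp
    tmp=$(mktemp)
    case $1 in
        commented) printf '# Uncomment the next line to enable packet forwarding\n#net.ipv4.ip_forward=1\n' > "$tmp" ;;
        absent)    printf 'net.ipv4.conf.all.rp_filter=1\n' > "$tmp" ;;
        zero)      printf 'net.ipv4.ip_forward = 0\n' > "$tmp" ;;
    esac
    set_sysctl_key "$tmp" net.ipv4.ip_forward 1
    get_sysctl_key "$tmp" net.ipv4.ip_forward
    rm -f "$tmp"
}
```

On a live host run set_sysctl_key /etc/sysctl.conf net.ipv4.ip_forward 1, then sysctl -p, and confirm the kernel actually picked it up with sysctl -n net.ipv4.ip_forward (it should print 1).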
Set the iptables forwarding rule:
iptables -t nat -A POSTROUTING -s 10.0.0.0/8 -o eth0 -j MASQUERADE
For more information, see this article: http://wenku.baidu.com/view/2e694d649b6648d7c1c746bc.html
Note that the source network here is related to the localip 10.10.10.1 set earlier. The rule above uses the subnet mask 255.0.0.0 (/8). In fact, 255.255.255.0 is enough, because the range configured earlier is only a single class C; with the mask 255.255.255.0 the source network would be 10.10.10.0/24.
Save the current iptables configuration with iptables-save:
iptables-save > /etc/iptables.up.rules
iptables rules are lost after a restart, so use iptables-restore to load them automatically when the network comes up.
vim /etc/network/interfaces
Add the following line (inside the iface stanza of the interface used, eth0 in the rule above):
pre-up iptables-restore < /etc/iptables.up.rules
Restart the pptpd service:
/etc/init.d/pptpd restart
At this point you can create a VPN connection from Windows using PPTP and connect.
PART II
========================================================================
Now integrate freeradius so that it handles the authentication for pptp. Install and configure freeradius and mysql first (http://www.cnblogs.com/klobohyz/archive/2012/02/01/2334811.html).
For the integration a freeradius client library is needed to connect pptpd to freeradius; install freeradius-client from source:
wget -c ftp://ftp.freeradius.org/pub/freeradius/freeradius-client-1.1.6.tar.gz
tar -zxf freeradius-client-1.1.6.tar.gz
cd freeradius-client-1.1.6
./configure
make && make install
After installation, edit the servers file:
vim /usr/local/etc/radiusclient/servers
Add the following line:
localhost testing123
This sets the freeradius server address and the client's shared secret. Because the client and server are on the same machine, localhost is used; if they are on separate machines, enter the freeradius server's IP address instead. The secret must match the one configured on the freeradius server side.
If the client and server are separated, the same server address also has to be changed in the client configuration file:
/usr/local/etc/radiusclient/radiusclient.conf
Then add the Microsoft dictionary. This step is very important; without it, Windows users cannot pass freeradius authentication!
wget -c http://small-script.googlecode.com/files/dictionary.microsoft
mv ./dictionary.microsoft /usr/local/etc/radiusclient/
Add the following content to the /usr/local/etc/radiusclient/dictionary file:
cat >>/usr/local/etc/radiusclient/dictionary<<EOF
INCLUDE /usr/local/etc/radiusclient/dictionary.sip
INCLUDE /usr/local/etc/radiusclient/dictionary.ascend
INCLUDE /usr/local/etc/radiusclient/dictionary.merit
INCLUDE /usr/local/etc/radiusclient/dictionary.compat
INCLUDE /usr/local/etc/radiusclient/dictionary.microsoft
EOF
Modify the following settings, otherwise errors may be reported elsewhere:
sed -i 's/logwtmp/\#logwtmp/g' /etc/pptpd.conf
sed -i 's/radius_deadtime/\#radius_deadtime/g' /usr/local/etc/radiusclient/radiusclient.conf
sed -i 's/bindaddr/\#bindaddr/g' /usr/local/etc/radiusclient/radiusclient.conf
This comments out the logwtmp, radius_deadtime and bindaddr lines in those files.
Edit the pptpd-options file:
vim /etc/ppp/pptpd-options
Add the following three lines at the end of the file:
plugin /usr/lib64/pppd/2.4.5/radius.so
plugin /usr/lib64/pppd/2.4.5/radattr.so
radius-config-file /usr/local/etc/radiusclient/radiusclient.conf
The paths of radius.so and radattr.so may differ on your system. The machine here is 64-bit, hence lib64; on a 32-bit machine replace lib64 with lib. The version directory may also not be 2.4.5 if a different ppp version is installed, so search for the path yourself.
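Rather than guessing lib versus lib64 and the ppp version directory, the plugin path can be looked up, and pptpd will refuse to start if either plugin line points at a file that does not exist. As an added example (my own functions, not from the article), find_pppd_plugin_dir searches /usr/lib and /usr/lib64 for a pppd directory holding both radius.so and radattr.so, and pptpd_radius_options prints the three lines above with the discovered path. The ROOT argument exists so the lookup can be exercised against a constructed directory tree; on a real host pass / as ROOT.

```shell
#!/bin/sh
# Added example: locate pppd's radius.so / radattr.so and emit the three
# pptpd-options lines instead of hard-coding lib64 and 2.4.5. Names are my own.

# find_pppd_plugin_dir ROOT
# Prints the directory under ROOT/usr/lib*/pppd/<version>/ that holds both
# radius.so and radattr.so; returns 1 (prints nothing) if none is found.
find_pppd_plugin_dir() {
    local root=${1%/} f
    for f in $(find "$root"/usr/lib "$root"/usr/lib64 -path '*/pppd/*' -name radius.so 2>/dev/null | sort); do
        if [ -f "$(dirname "$f")/radattr.so" ]; then
            dirname "$f"; return 0
        fi
    done
    return 1
}

# pptpd_radius_options ROOT CONF
# Prints the plugin and radius-config-file lines for pptpd-options, using the
# path as it would appear on the live system (ROOT prefix stripped), or fails
# with a message if the plugins cannot be found.
pptpd_radius_options() {
    local root=${1%/} dir
    dir=$(find_pppd_plugin_dir "$root") || { echo "pppd radius plugins not found under $root/usr/lib*" >&2; return 1; }
    dir=${dir#"$root"}
    printf 'plugin %s/radius.so\nplugin %s/radattr.so\nradius-config-file %s\n' "$dir" "$dir" "$2"
}

# demo_plugin_lookup
# Builds a constructed 64-bit layout (/usr/lib64/pppd/2.4.5 with empty .so
# files) in a temp root and prints the generated pptpd-options lines.
demo_plugin_lookup() {
    local root
    root=$(mktemp -d)
    mkdir -p "$root/usr/lib64/pppd/2.4.5"
    : > "$root/usr/lib64/pppd/2.4.5/radius.so"
    : > "$root/usr/lib64/pppd/2.4.5/radattr.so"
    pptpd_radius_options "$root" /usr/local/etc/radiusclient/radiusclient.conf
    rm -rf "$root"
}
```

On the live host, pptpd_radius_options / /usr/local/etc/radiusclient/radiusclient.conf >> /etc/ppp/pptpd-options appends the correct lines; if it fails, the radius plugins are not installed with ppp on that system and no path edit will help.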
Then restart the freeradius and pptpd services and connect from Windows:
service freeradius restart
service pptpd restart
Because freeradius is now connected to both mysql and pptpd, the users in mysql are authoritative. For example, if the chap-secrets file has a user test and mysql also has a user test, the mysql username and password are what counts. Even a user that does not exist in chap-secrets can log on as long as it exists in mysql. In other words, the username and password in the mysql radcheck table prevail.