VPN: installation and configuration of PPTP + MySQL + FreeRADIUS

Source: Internet
Author: User
Tags: freeradius

MySQL stores the VPN accounts and FreeRADIUS verifies them. pptpd hands each incoming connection to pppd, and pppd's radius plugin forwards the MS-CHAPv2 authentication to FreeRADIUS.

1. Install ppp. The paths below assume ppp-2.4.4 was built from /usr/local/src/tarbag/ppp-2.4.4 and installed under /usr/local/ppp together with its radius and radattr plugins.

2. Install pptpd and write its two configuration files:

  # vim /usr/local/pptpd/etc/options.pptpd
  name pptpd
  refuse-pap
  refuse-chap
  refuse-mschap
  require-mschap-v2
  require-mppe-128
  proxyarp
  lock
  nobsdcomp
  novj
  novjccomp
  nologfd
  ms-dns 218.85.157.99
  ms-dns 218.85.152.99
  plugin /usr/local/ppp/lib/pppd/2.4.4/radius.so
  plugin /usr/local/ppp/lib/pppd/2.4.4/radattr.so
  radius-config-file /usr/local/freeradius/etc/radiusclient/radiusclient.conf

  # vim /usr/local/pptpd/etc/pptpd.conf
  option /usr/local/pptpd/etc/options.pptpd
  localip 192.168.100.100
  remoteip 192.168.100.150-200

  Refusing PAP, CHAP and MS-CHAPv1 and requiring MS-CHAPv2 with 128-bit MPPE is the strongest combination PPTP offers, but it is still weak: anyone who captures an MS-CHAPv2 handshake can recover the user's NT hash with a single DES key search, and the MPPE keys are derived from that same hash. Treat PPTP as a legacy protocol and do not rely on it for confidentiality.

3. Install MySQL.

4. Install FreeRADIUS:

  # wget ftp://ftp.freeradius.org/pub/freeradius/freeradius-server-2.1.10.tar.gz
  # tar zxvpf freeradius-server-2.1.10.tar.gz -C ../software
  # ./configure --prefix=/usr/local/freeradius
  # make
  # make install
  # mkdir /usr/local/freeradius/etc/radiusclient
  # cp /usr/local/src/tarbag/ppp-2.4.4/pppd/plugins/radius/etc/* /usr/local/freeradius/etc/radiusclient
  # chown -R radiusd.radiusd /usr/local/freeradius

  Edit the radiusclient "servers" file and replace the default shared secret (the same secret goes into clients.conf in step 11):

  # vim /usr/local/freeradius/etc/radiusclient/servers
  # Server Name or Client/Server pair     Key
  # localhost                             testing123
  localhost                               vpn

  Start the server in debugging mode:

  # /usr/local/freeradius/sbin/radiusd -X

  The first start generates the server certificates in raddb/certs. If you want to change the key, delete the old certificate files first; they are regenerated on the next start:

  # cd /usr/local/freeradius/etc/raddb/certs
  # rm -rf *.pem *.der *.csr *.crt *.key *.p12 serial* index.txt*

5. Create the MySQL tables. The schema files live in /usr/local/freeradius/etc/raddb/sql/mysql, and the same directory also contains the authorization (GRANT) statements:

  mysql> create database vpn;
  mysql> use vpn;
  mysql> source /usr/local/freeradius/etc/raddb/sql/mysql/schema.sql
  mysql> source /usr/local/freeradius/etc/raddb/sql/mysql/nas.sql
  mysql> source /usr/local/freeradius/etc/raddb/sql/mysql/ippool.sql
  mysql> source /usr/local/freeradius/etc/raddb/sql/mysql/wimax.sql
  mysql> grant select, insert, update, delete on `vpn`.* to 'user'@'x.x.x.x' identified by 'Password';

  Then add a group "user", the test account "test" in that group, and the reply attributes pppd receives:

  mysql> insert into radgroupreply (groupname, attribute, op, value) values ('user', 'Service-Type', '=', 'Framed-User');
  mysql> insert into radgroupreply (groupname, attribute, op, value) values ('user', 'Framed-IP-Netmask', ':=', '255.255.255.0');
  mysql> insert into radcheck (username, attribute, op, value) values ('test', 'Cleartext-Password', ':=', '123456');
  mysql> insert into radusergroup (username, groupname) values ('test', 'user');

  Restrict each account to a single concurrent session:

  mysql> insert into radgroupcheck (groupname, attribute, op, value) values ('user', 'Simultaneous-Use', ':=', '1');

  Assign a fixed IP address to one user:

  mysql> insert into radreply (username, attribute, op, value) values ('vpdnname', 'Framed-IP-Address', ':=', 'xxx.xxx.xxx.xxx');

  Notes on these rows. The original page inserted Auth-Type := Local into radgroupreply; Auth-Type is a check item, not a reply item, and forcing it breaks MS-CHAPv2 because the mschap module has to set Auth-Type itself, so that row is omitted. The page also listed the netmask twice ('=' 255.255.255.255 and ':=' 255.255.255.0); only the ':=' row, whose value is the one the radtest reply below shows, is kept. The password is stored as Cleartext-Password (2.x accepts User-Password as a check item but rewrites it with a warning); MS-CHAPv2 requires the cleartext or NT-hash form on the server, so the radcheck table genuinely holds recoverable credentials and the GRANT above should stay as narrow as possible. Simultaneous-Use is only enforced if accounting packets reach the server and land in radacct, because that is where the session check looks; the password 123456 is the one used by the radtest in step 13.

6. Point FreeRADIUS at the database: # vim /usr/local/freeradius/etc/raddb/sql.conf and set the database type, server address, user name, password, database name and table names. Remove the "#" in front of readclients = yes so the nas table is loaded as the client list.

7. Enable the SQL module: in /usr/local/freeradius/etc/raddb/sites-enabled/default and /usr/local/freeradius/etc/raddb/sites-enabled/inner-tunnel remove the "#" in front of the "sql" lines.

8. Change the default EAP type: # vim /usr/local/freeradius/etc/raddb/eap.conf and change default_eap_type = md5 to default_eap_type = peap. (pppd's radius plugin sends plain MS-CHAPv2 attributes rather than EAP, so this only matters for EAP clients.)

9. Fix the paths in the radius client configuration: # vim /usr/local/freeradius/etc/radiusclient/radiusclient.conf and replace /usr/local/etc/ with /usr/local/freeradius/etc/.

10. Run radiusd as the radiusd user: in /usr/local/freeradius/etc/raddb/radiusd.conf set user = radiusd and group = radiusd.

11. Edit clients.conf. Change the secret of the existing localhost client (pppd on this host reaches RADIUS over 127.0.0.1) and add the VPN network as a client:

  # vim /usr/local/freeradius/etc/raddb/clients.conf
  secret = vpn
  client 192.168.100.0/24 {
      secret = vpn
      shortname = vpn-network
  }

  A three-letter secret such as "vpn" is far too short: the shared secret is all that hides PAP passwords in transit and authenticates the server's replies, and it can be brute-forced offline from one captured packet. Use a long random string. Note also that 192.168.100.0/24 is the pool handed to dialed-in users (remoteip above), so anyone who learns the secret from inside the VPN can send RADIUS requests as a NAS; only list that range if something in it really is a NAS.

12.
Modify the radiusclient dictionary so the Microsoft (MS-CHAPv2/MPPE) and other vendor attributes are known to pppd:

  # vim /usr/local/freeradius/etc/radiusclient/dictionary
  INCLUDE /usr/local/freeradius/etc/radiusclient/dictionary.microsoft
  INCLUDE /usr/local/freeradius/etc/radiusclient/dictionary.ascend
  INCLUDE /usr/local/freeradius/etc/radiusclient/dictionary.merit
  INCLUDE /usr/local/freeradius/etc/radiusclient/dictionary.compat

13. Test the account (arguments: user, password, server, NAS port, shared secret):

  # /usr/local/freeradius/bin/radtest test 123456 localhost 1812 vpn
  Sending Access-Request of id 7 to 127.0.0.1 port 1812
          User-Name = "JSB_TEST_11"
          User-Password = "ABC1234567890?Aaa"
          NAS-IP-Address = 127.0.0.1
          NAS-Port = 1812
  rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=7, length=32
          Service-Type = Framed-User
          Framed-IP-Netmask = 255.255.255.0

  (The output shown was captured from a different run; its User-Name and User-Password do not match the command.) Access-Accept means the account was verified, although the user may still be unable to dial in for other reasons (pppd or pptpd negotiation); Access-Reject means authentication failed. radtest sends PAP by default, while pptpd is configured for MS-CHAPv2, so a PAP success does not prove the MS-CHAPv2 path works; newer radtest versions can send MS-CHAP instead (radtest -t mschap ...), and radiusd -X shows which module accepted or rejected the request.

====================================================================================

Separating the ppp/pptp logs:

  # vim /etc/syslog.conf
  daemon.*        /var/log/ppp.log
  # service syslog restart

Some web sites load incompletely or not at all after the VPN is dialed. Cause and solution:

MTU (Maximum Transmission Unit) and MSS (Maximum Segment Size) are related by MTU = MSS (application-layer data) + TCP header + IP header. The MSS of a connection is the smaller of the two MSS values the endpoints announce when the TCP connection is established. If the MSS plus the 20-byte TCP and 20-byte IP headers exceeds the MTU anywhere on the path, the IP packet has to be fragmented; if the packet carries the DF (Don't Fragment) flag it cannot be, so it is discarded and an ICMP "destination unreachable, fragmentation needed" error is returned. The PPTP tunnel adds GRE, PPP and MPPE headers, so the effective MTU is smaller than the 1500 bytes the client assumes, and if the ICMP error is filtered on the way back the sender never learns this and large responses stall.

Solution: clamp the MSS of TCP SYN packets coming from the VPN subnet:

  # iptables -A FORWARD -p tcp --syn -s 192.168.100.0/24 -j TCPMSS --set-mss 1356

For TCP packets from the 192.168.100.0/24 network the MSS is set to 1356. (--clamp-mss-to-pmtu instead of --set-mss lets netfilter derive the value from the outgoing interface's MTU.)
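What step 13 does on the wire, and why the shared secret from steps 4 and 11 matters, as an added example in Python (not the article's code and not FreeRADIUS code): a minimal RFC 2865 PAP Access-Request, the server's password recovery and Access-Accept/Reject, and the client's check of the Response Authenticator. The secret b"vpn", the identifier 7 and the in-memory user table are assumptions standing in for clients.conf and the radcheck rows.

```python
"""RFC 2865 PAP exchange as radtest and the pppd radius plugin perform it.
Added example; not the article's code and not FreeRADIUS code. The secret
b"vpn" and the users dict stand in for clients.conf and the radcheck table."""
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT = 1, 2, 4, 5  # RFC 2865 attribute types
SERVICE_TYPE, FRAMED_IP_NETMASK, FRAMED_USER = 6, 9, 2

def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: c1 = p1 XOR MD5(S+RA), c(i) = p(i) XOR MD5(S+c(i-1))."""
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += prev
    return out

def reveal_password(hidden, secret, authenticator):
    """Server side of PAP: undo hide_password and strip the zero padding."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def encode_attrs(attrs):
    """Type-Length-Value encoding; length covers the two header bytes."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def decode_attrs(data):
    attrs, pos = [], 0
    while pos + 2 <= len(data):
        t, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError("malformed attribute")
        attrs.append((t, data[pos + 2:pos + length]))
        pos += length
    return attrs

def parse_packet(data):
    """Split Code, Identifier, Authenticator and attributes; reject bad lengths."""
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length < 20 or length != len(data):
        raise ValueError("bad RADIUS length")
    return code, ident, data[4:20], decode_attrs(data[20:])

def build_access_request(secret, username, password, ident, nas_ip, nas_port):
    """Client side. Returns (packet, request_authenticator); the RA must be unpredictable."""
    ra = os.urandom(16)
    body = encode_attrs([(USER_NAME, username.encode()),
                         (USER_PASSWORD, hide_password(password.encode(), secret, ra)),
                         (NAS_IP_ADDRESS, socket.inet_aton(nas_ip)),
                         (NAS_PORT, struct.pack("!I", nas_port))])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + ra + body, ra

def build_response(secret, request, code, attrs):
    """Server side. Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    _, ident, request_auth, _ = parse_packet(request)
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return header + hashlib.md5(header + request_auth + body + secret).digest() + body

def verify_response(secret, request_auth, response):
    """Client side: a reply from someone who lacks the secret fails this check."""
    code, ident, resp_auth, _ = parse_packet(response)
    header, body = struct.pack("!BBH", code, ident, len(response)), response[20:]
    expected = hashlib.md5(header + request_auth + body + secret).digest()
    return hmac.compare_digest(expected, resp_auth)

def server_handle(secret, request, users):
    """Toy radiusd: users maps user name -> cleartext password (the radcheck rows)."""
    code, _, ra, attrs = parse_packet(request)
    if code != ACCESS_REQUEST:
        raise ValueError("not an Access-Request")
    got = dict(attrs)
    name = got.get(USER_NAME, b"").decode(errors="replace")
    password = reveal_password(got.get(USER_PASSWORD, b""), secret, ra)
    if name in users and hmac.compare_digest(password, users[name].encode()):
        reply = [(SERVICE_TYPE, struct.pack("!I", FRAMED_USER)),
                 (FRAMED_IP_NETMASK, socket.inet_aton("255.255.255.0"))]
        return build_response(secret, request, ACCESS_ACCEPT, reply)
    return build_response(secret, request, ACCESS_REJECT, [])

def exchange(secret, username, password, users, client_secret=None):
    """One round trip. Returns (reply code, reply authenticator verified?).
    client_secret lets the client use a different secret than the server (a misconfigured
    radiusclient 'servers' file, e.g. testing123 left in place)."""
    client_secret = secret if client_secret is None else client_secret
    req, ra = build_access_request(client_secret, username, password, 7, "127.0.0.1", 1812)
    resp = server_handle(secret, req, users)
    return parse_packet(resp)[0], verify_response(client_secret, ra, resp)
```

Two things the code makes visible: the User-Password keystream is nothing more than MD5(secret || Request Authenticator), so with a captured packet and a guessable secret the password is recovered offline (the zero padding is known plaintext), and a secret mismatch does not produce an error but an Access-Reject whose authenticator the client cannot verify, which is exactly what a leftover testing123 in the "servers" file looks like in radiusd -X.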
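The clamp that the iptables TCPMSS rule applies, as an added example in Python (not the article's code and not netfilter's): it builds a hand-constructed IPv4 SYN with DF set and MSS 1460 (what a client on a 1500-byte Ethernet link advertises), lowers the MSS option to 1356 and recomputes the TCP checksum, which is what the kernel must do before forwarding the segment. The addresses and ports are made up.

```python
"""TCP MSS clamping on a SYN, the operation the FORWARD ... -j TCPMSS rule does
in the kernel. Added example, not the article's code; the SYN below is
constructed by hand (addresses and ports are arbitrary)."""
import struct

SAMPLE_SRC, SAMPLE_DST = bytes([192, 168, 100, 150]), bytes([203, 0, 113, 10])

def checksum(data):
    """RFC 1071 Internet checksum (odd length padded with a zero byte)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def tcp_pseudo_header(packet, tcp):
    """IPv4 pseudo-header (src, dst, zero, protocol 6, TCP length) for the TCP checksum."""
    return packet[12:20] + struct.pack("!BBH", 0, 6, len(tcp))

def build_syn(src, dst, sport, dport, mss):
    """Constructed IPv4 header (DF set) + TCP SYN carrying an MSS option (kind 2, len 4)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1000, 0, 6 << 4, 0x02, 65535, 0, 0)
    tcp += struct.pack("!BBH", 2, 4, mss)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64, 6, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    tcp = tcp[:16] + struct.pack("!H", checksum(tcp_pseudo_header(ip, tcp) + tcp)) + tcp[18:]
    return ip + tcp

def _mss_option_offset(tcp):
    """Offset of the MSS option inside the TCP header, or None if absent or malformed."""
    data_off, pos = (tcp[12] >> 4) * 4, 20
    while pos < data_off:
        kind = tcp[pos]
        if kind == 0:                                  # end of option list
            return None
        if kind == 1:                                  # NOP padding
            pos += 1
            continue
        length = tcp[pos + 1] if pos + 1 < data_off else 0
        if length < 2 or pos + length > data_off:      # malformed: stop, never loop
            return None
        if kind == 2 and length == 4:
            return pos
        pos += length
    return None

def tcp_mss(packet):
    """MSS advertised in the segment, or None."""
    tcp = packet[(packet[0] & 0x0F) * 4:]
    pos = _mss_option_offset(tcp)
    return None if pos is None else struct.unpack("!H", tcp[pos + 2:pos + 4])[0]

def clamp_mss(packet, max_mss):
    """Lower the MSS option to max_mss on TCP SYNs and fix the TCP checksum.
    Non-TCP, non-SYN, option-less or already-small segments pass unchanged."""
    ihl = (packet[0] & 0x0F) * 4
    tcp = bytearray(packet[ihl:])
    if packet[9] != 6 or not tcp[13] & 0x02:
        return packet
    pos = _mss_option_offset(tcp)
    if pos is None or struct.unpack("!H", tcp[pos + 2:pos + 4])[0] <= max_mss:
        return packet
    tcp[pos + 2:pos + 4] = struct.pack("!H", max_mss)
    tcp[16:18] = b"\x00\x00"                           # zero before recomputing
    tcp[16:18] = struct.pack("!H", checksum(tcp_pseudo_header(packet, bytes(tcp)) + bytes(tcp)))
    return packet[:ihl] + bytes(tcp)

def tcp_checksum_ok(packet):
    """A correct TCP checksum makes the sum over header + pseudo-header fold to zero."""
    tcp = packet[(packet[0] & 0x0F) * 4:]
    return checksum(tcp_pseudo_header(packet, tcp) + tcp) == 0

def demo(max_mss=1356):
    """MSS of a client SYN before and after clamping, and both checksums' validity."""
    syn = build_syn(SAMPLE_SRC, SAMPLE_DST, 40000, 443, 1460)
    clamped = clamp_mss(syn, max_mss)
    return tcp_mss(syn), tcp_mss(clamped), tcp_checksum_ok(syn), tcp_checksum_ok(clamped)
```

Because the option is rewritten in place the packet length and the IP header are untouched; only the TCP checksum changes. Clamping the SYN in both directions (the rule above only matches packets from the VPN subnet) is what keeps the remote side from sending 1460-byte segments with DF set that the tunnel cannot carry.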
