Linux+pptp+mysql+freeradius 实现VPN认证，限制用户连接数

2011年11月17日 admin

pptp是常用的vpn软件,翻墙利器.传统的pptp是使用文档方式来实现用户的认证的,管理用户时需要操作chap-secrets文件来,添加修改用户.使用起来不方便.而且没有对用户流量监控,以及分组管理的功能.可不可以实现通过数据库来管理用户,以及记录PPTP用户使用的流量,限制一个账号同时登陆人数呢?答案是:有.
想知道吗?且看下面分解

一、安装pptp
PPTP VPN 服务器安装

1、安装相关软件
32位版：

yum install -y ppp iptables
wget http://poptop.sourceforge.net/yum/stable/packages/pptpd-1.3.4-1.rhel5.1.i386.rpm
rpm -ivh pptpd-1.3.4-1.rhel5.1.i386.rpm

yum install -y ppp iptables

wget http://poptop.sourceforge.net/yum/stable/packages/pptpd-1.3.4-1.rhel5.1.i386.rpm

rpm -ivh pptpd-1.3.4-1.rhel5.1.i386.rpm

64位版：

yum install -y ppp iptables
wget http://poptop.sourceforge.net/yum/stable/packages/pptpd-1.3.4-1.rhel5.1.x86_64.rpm
rpm -ivh pptpd-1.3.4-1.rhel5.1.x86_64.rpm

yum install -y ppp iptables

wget http://poptop.sourceforge.net/yum/stable/packages/pptpd-1.3.4-1.rhel5.1.x86_64.rpm

rpm -ivh pptpd-1.3.4-1.rhel5.1.x86_64.rpm

2、配置文件编写
①、配置文件/etc/ppp /options.pptpd

mv /etc/ppp/options.pptpd /etc/ppp/options.pptpd.bak
vi /etc/ppp/options.pptpd

1 2	mv /etc/ppp/options.pptpd /etc/ppp/options.pptpd.bak vi /etc/ppp/options.pptpd

输入以下内容：

name pptpd
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
require-mppe-128
proxyarp
lock
nobsdcomp
novj
novjccomp
nologfd
ms-dns 208.67.222.222
ms-dns 208.67.220.220

name pptpd

refuse-pap

refuse-chap

refuse-mschap

require-mschap-v2

require-mppe-128

proxyarp

lock

nobsdcomp

novj

novjccomp

nologfd

ms-dns 208.67.222.222

ms-dns 208.67.220.220

②、配置文件/etc/ppp/chap-secrets

mv /etc/ppp/chap-secrets /etc/ppp/chap-secrets.bak
vi /etc/ppp/chap-secrets

1 2	mv /etc/ppp/chap-secrets /etc/ppp/chap-secrets.bak vi /etc/ppp/chap-secrets

输入以下内容
# Secrets for authentication using CHAP
# client server secret IP addresses
myusername pptpd mypassword *
注：这里的myusername和mypassword即为PPTP VPN的登录用户名和密码

例：

admin           pptpd   63700                        192.168.0.110
jijianlin       pptpd   jijianl@vpn                   192.168.0.111

1 2	admin pptpd 63700 192.168.0.110 jijianlin pptpd jijianl@vpn 192.168.0.111

如果多人使用同一个账号登陆,ip地址的位置写*

jijianlin       pptpd   jijian@vpn                   *

1	jijianlin pptpd jijian@vpn *

③、配置文件/etc/pptpd.conf

mv /etc/pptpd.conf /etc/pptpd.conf.bak
vi /etc/pptpd.conf

1 2	mv /etc/pptpd.conf /etc/pptpd.conf.bak vi /etc/pptpd.conf

输入以下内容：

option /etc/ppp/options.pptpd
logwtmp
localip 192.168.9.1
remoteip 192.168.9.11-30

option /etc/ppp/options.pptpd

logwtmp

localip 192.168.9.1

remoteip 192.168.9.11-30

注：为拨入VPN的用户动态分配 192.168.9.11～192.168.9.30之间的IP

④、配置文件/etc/sysctl.conf

vi /etc/sysctl.conf

1	vi /etc/sysctl.conf

修改以下内容：

net.ipv4.ip_forward = 1

1	net.ipv4.ip_forward = 1

保存、退出后执行：

/sbin/sysctl -p

1	/sbin/sysctl -p

3、启动PPTP VPN 服务器端：

/sbin/service pptpd start

1	/sbin/service pptpd start

4、启动iptables：

/sbin/service iptables start
/sbin/iptables -t nat -A POSTROUTING -o eth0 -s 192.168.9.0/24 -j MASQUERADE

1 2	/sbin/service iptables start /sbin/iptables -t nat -A POSTROUTING -o eth0 -s 192.168.9.0/24 -j MASQUERADE

测试:拨号测试,没问题继续下面的.

二、安装系统自带的mysql,apache php等环境(我使用的是centos系统,所以用yum来安装,也可以使用其他方法,自便)

yum -y install httpd php mysql mysql-server php-mysql httpd-manual mod_ssl mod_perl mod_auth_mysql php-mcrypt php-gd php-xml mysql-connector-odbc mysql-devel libdbi-dbd-mysql

1	yum -y install httpd php mysql mysql-server php-mysql httpd-manual mod_ssl mod_perl mod_auth_mysql php-mcrypt php-gd php-xml mysql-connector-odbc mysql-devel libdbi-dbd-mysql

三、下载安装freeradius

wget ftp://ftp.freeradius.org/pub/freeradius/freeradius-server-2.1.3.tar.gz
tar zxvf freeradius-server-2.1.3.tar.gz
cd freeradius-server-2.1.3 #2.1.3 #版本才能够与myql 5.0.45的版本匹配，高于次版本不能够编译成功mysql模块
./configure -prefix=/usr/local/freeradius
make
make install

vi /etc/profile
export PATH=$PATH:/usr/local/freeradius/sbin:/usr/local/freeradius/bin
source /etc/profile
vi /etc/ld.so.conf
/usr/local/freeradius/lib
ldconfig -v
cd /usr/local/freeradius
vi +76  etc/raddb/users #取消注释
radiusd -Xs
radtest steve testing localhost 1812 testing123

wget ftp://ftp.freeradius.org/pub/freeradius/freeradius-server-2.1.3.tar.gz

tar zxvf freeradius-server-2.1.3.tar.gz

cd freeradius-server-2.1.3 #2.1.3 #版本才能够与myql 5.0.45的版本匹配，高于次版本不能够编译成功mysql模块

./configure -prefix=/usr/local/freeradius

make

make install

vi /etc/profile

export PATH=$PATH:/usr/local/freeradius/sbin:/usr/local/freeradius/bin

source /etc/profile

vi /etc/ld.so.conf

/usr/local/freeradius/lib

ldconfig -v

cd /usr/local/freeradius

vi +76 etc/raddb/users #取消注释

radiusd -Xs

radtest steve testing localhost 1812 testing123

出现Access-Accept字样说明成功。
测试成功后把/etc/raddb/users改回去。
四、freeradius和mysql的集成

mysqladmin -u root -p create radius
mysql -u root -p radius < etc/raddb/sql/mysql/schema.sql
mysql -u root -p radius < etc/raddb/sql/mysql/nas.sql
mysql -u root -p radius < etc/raddb/sql/mysql/ippool.sql
mysql -u root -p radius < etc/raddb/sql/mysql/wimax.sql
mysql -u root -p
mysql> GRANT SELECT ON radius.* TO 'radius'@'localhost' IDENTIFIED BY 'radpass';
mysql> GRANT ALL on radius.radacct TO 'radius'@'localhost';
mysql> GRANT ALL on radius.radpostauth TO 'radius'@'localhost';

mysqladmin -u root -p create radius

mysql -u root -p radius < etc/raddb/sql/mysql/schema.sql

mysql -u root -p radius < etc/raddb/sql/mysql/nas.sql

mysql -u root -p radius < etc/raddb/sql/mysql/ippool.sql

mysql -u root -p radius < etc/raddb/sql/mysql/wimax.sql

mysql -u root -p

mysql> GRANT SELECT ON radius.* TO 'radius'@'localhost' IDENTIFIED BY 'radpass';

mysql> GRANT ALL on radius.radacct TO 'radius'@'localhost';

mysql> GRANT ALL on radius.radpostauth TO 'radius'@'localhost';

先加入一些组信息:

mysql> insert into radgroupreply (groupname,attribute,op,value) values ('user','Auth-Type',':=','Local');
mysql> insert into radgroupreply (groupname,attribute,op,value) values ('user','Service-Type','=','Framed-User');
mysql> insert into radgroupreply (groupname,attribute,op,value) values ('user','Framed-IP-Netmask','=','255.255.255.255');
mysql> insert into radgroupreply (groupname,attribute,op,value) values ('user','Framed-IP-Netmask',':=','255.255.255.0');

mysql> insert into radgroupreply (groupname,attribute,op,value) values ('user','Auth-Type',':=','Local');

mysql> insert into radgroupreply (groupname,attribute,op,value) values ('user','Service-Type','=','Framed-User');

mysql> insert into radgroupreply (groupname,attribute,op,value) values ('user','Framed-IP-Netmask','=','255.255.255.255');

mysql> insert into radgroupreply (groupname,attribute,op,value) values ('user','Framed-IP-Netmask',':=','255.255.255.0');

然后加入用户信息：

mysql> INSERT INTO radcheck (UserName,Attribute,Value) VALUES ('sqltest','Password','testpwd');

1	mysql> INSERT INTO radcheck (UserName,Attribute,Value) VALUES ('sqltest','Password','testpwd');

然后把用户加到组里：

mysql> insert into radusergroup(username,groupname) values('sqltest','user');
mysql> select * from radcheck where UserName='sqltest';
insert into radgroupreply (groupname,attribute,op,value) values ('user','Simultaneous-Use',':=','1');

mysql> insert into radusergroup(username,groupname) values('sqltest','user');

mysql> select * from radcheck where UserName='sqltest';

insert into radgroupreply (groupname,attribute,op,value) values ('user','Simultaneous-Use',':=','1');

限制一个账户同时只能登陆一个,不做下面限制，可以同时登陆多个

INSERT INTO radgroupcheck (GroupName,Attribute,op,Value) values("user","Simultaneous-Use",":=","1");        #限制登陆次数
insert into radcheck (username,attribute,op,value) values ('test','User-Password',':=','test');  #添加用户   
INSERT INTO radcheck (UserName,Attribute,Value) VALUES ('sqltest','Password','testpwd');    #添加用户  两种方法都可以，效果一样      
insert into radusergroup (username,groupname) values ('test','user');            #将用户添加到现在组里（user组）

INSERT INTO radgroupcheck (GroupName,Attribute,op,Value) values("user","Simultaneous-Use",":=","1"); #限制登陆次数

insert into radcheck (username,attribute,op,value) values ('test','User-Password',':=','test'); #添加用户

INSERT INTO radcheck (UserName,Attribute,Value) VALUES ('sqltest','Password','testpwd'); #添加用户两种方法都可以，效果一样

insert into radusergroup (username,groupname) values ('test','user'); #将用户添加到现在组里（user组）

注意:这里使用的freeradius是2.0版本的,1.0版本的数据库sql和2.0的位置不一样.
1.编辑/usr/local /freeradius/etc/raddb/sql.conf
mysql用户名，密码根据自己的情况填写
第88行取消readclients = yes 前的注释
2.编辑/usr/local/freeradius/etc/raddb/sites-enabled/default
第145 行files前加注释
第152 行取消sql前的注释
第308 行files 前加注释
第342 行取消sql前的注释
第374 行取消sql前的注释
第395 行取消sql前的注释
3.编辑/usr/local/freeradius/etc/raddb/sites-enabled/inner-tunnel
第111 行files前加注释
第118行取消sql前的注释
第242行取消sql前的注释
第264行取消sql前的注释
###总之就是去掉files模块，开启sql模块
4.编辑/usr/local/freeradius/etc/raddb/eap.conf
第30行default_eap_type = md5改为default_eap_type = peap
5.测试
# radtest sqltest testpwd localhost 1812 testing123
出现Access-Accept字样说明成功。
参考网址：http://linux.chinaunix.net/bbs/thread-1061085-1-2.html
到目前为止：整合了freeradius+mysql， pptpd还是单独运行.
五、pptpd+mysql+freeradius整合

mkdir /etc/radiusclient/

1	mkdir /etc/radiusclient/

下载源码ppp-2.4.4，解压

wget ftp://ftp.samba.org/pub/ppp/ppp-2.4.4.tar.gz
cd ppp-2.4.4/ppp-2.4.4/pppd/plugins/radius/etc
cp * /etc/radiusclient/
vi /etc/radiusclient/radiusclient.conf
auth_order      radius
login_tries     4
login_timeout   60
# logins on /dev/ttyS2)   (default /etc/nologin)
nologin /sbin/nologin
issue   /etc/radiusclient/issue
authserver      localhost:1812
acctserver      localhost:1813
servers         /etc/radiusclient/servers
dictionary      /etc/radiusclient/dictionary
login_radius    /usr/local/sbin/login.radius
seqfile         /var/run/radius.seq
# file which specifies mapping between ttyname and NAS-Port attribute
mapfile         /etc/radiusclient/port-id-map
default_realm
# time to wait for a reply from the RADIUS server
radius_timeout  10
# resend request this many times before trying the next server
radius_retries  3
login_local     /bin/login

wget ftp://ftp.samba.org/pub/ppp/ppp-2.4.4.tar.gz

cd ppp-2.4.4/ppp-2.4.4/pppd/plugins/radius/etc

cp * /etc/radiusclient/

vi /etc/radiusclient/radiusclient.conf

auth_order radius

login_tries 4

login_timeout 60

# logins on /dev/ttyS2) (default /etc/nologin)

nologin /sbin/nologin

issue /etc/radiusclient/issue

authserver localhost:1812

acctserver localhost:1813

servers /etc/radiusclient/servers

dictionary /etc/radiusclient/dictionary

login_radius /usr/local/sbin/login.radius

seqfile /var/run/radius.seq

# file which specifies mapping between ttyname and NAS-Port attribute

mapfile /etc/radiusclient/port-id-map

default_realm

# time to wait for a reply from the RADIUS server

radius_timeout 10

# resend request this many times before trying the next server

radius_retries 3

login_local /bin/login

在最后添加：

vi /etc/ppp/options.pptpd
# put plugins here
# (putting them higher up may cause them to sent messages to the pty)
logfile /var/log/pptpd.log
plugin /usr/lib64/pppd/2.4.4/radius.so
#plugin /usr/lib64/pppd/2.4.4/radattr.so
radius-config-file /etc/radiusclient/radiusclient.conf

vi /etc/ppp/options.pptpd

# put plugins here

# (putting them higher up may cause them to sent messages to the pty)

logfile /var/log/pptpd.log

plugin /usr/lib64/pppd/2.4.4/radius.so

#plugin /usr/lib64/pppd/2.4.4/radattr.so

radius-config-file /etc/radiusclient/radiusclient.conf

###注意，我的是64位系统，所以模块在/usr/lib64/pppd/2.4.4 下面。32位的在 /usr/lib/pppd/2.4.4

vi  /etc/radiusclient/server
localhost     testing123

1 2	vi /etc/radiusclient/server localhost testing123

添加：

vi /etc/radiusclient/dictionary
INCLUDE /etc/radiusclient/dictionary.microsoft
INCLUDE /etc/radiusclient/dictionary.ascend
INCLUDE /etc/radiusclient/dictionary.merit
INCLUDE /etc/radiusclient/dictionary.compat

vi /etc/radiusclient/dictionary

INCLUDE /etc/radiusclient/dictionary.microsoft

INCLUDE /etc/radiusclient/dictionary.ascend

INCLUDE /etc/radiusclient/dictionary.merit

INCLUDE /etc/radiusclient/dictionary.compat

否则拨号时后台日志会报错，无法拨入，客户端报691错误：

Connect: ppp0 /dev/pts/5
rc_avpair_new: unknown attribute 11 rc_avpair_new: unknown attribute 25
Peer test failed CHAP authentication
Connection terminated.

Connect: ppp0 /dev/pts/5

rc_avpair_new: unknown attribute 11 rc_avpair_new: unknown attribute 25

Peer test failed CHAP authentication

Connection terminated.

哈哈，从启freeradius 与pptpd ，连接就可以通过了。
如果是无法访问其他的机器，请注意防火墙的设置。这是我的配置文档，绝对的能够跑通。
后记：
后来想通过mac地址来帮定客户端，但是实践了后发现ppp根本就不可能实现这个功能，绑定IP对于内网用户来说，没有任何问题，但是对于从公网连接到公司的用户来说，根本没有作用。只能放弃。

pkill radiusd   #关闭radiusd
radiusd         #启动radiusd
service pptpd stop
service pptpd start

pkill radiusd #关闭radiusd

radiusd #启动radiusd

service pptpd stop

service pptpd start

检查mysql是否已经开启

测试：
在数据库里添加一个用户

INSERT INTO radcheck (UserName,Attribute,Value) VALUES ('user1','Password','123456');

1	INSERT INTO radcheck (UserName,Attribute,Value) VALUES ('user1','Password','123456');

在 XP系统上用user1 123456 用户登陆。

现在服务器上测试

[root@localhost ~]# radtest user1 123456 localhost 1812 testing123
Sending Access-Request of id 93 to 127.0.0.1 port 1812
        User-Name = "user1"
        User-Password = "123456"
        NAS-IP-Address = 127.0.0.1
        NAS-Port = 1812
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812,id=93,length=20

[root@localhost ~]# radtest user1 123456 localhost 1812 testing123

Sending Access-Request of id 93 to 127.0.0.1 port 1812

User-Name = "user1"

User-Password = "123456"

NAS-IP-Address = 127.0.0.1

NAS-Port = 1812

rad_recv: Access-Accept packet from host 127.0.0.1 port 1812,id=93,length=20

显示如上说明成功

备注:
本文参考了网上几篇文章,亲手安装测试总结而成.可以说是目前网上能找到的比较全的安装使用文档.
参考文档：
http://linux.chinaunix.net/techdoc/desktop/2009/06/23/1119944.shtml
http://linux.chinaunix.net/bbs/thread-1061085-1-2.html

对radius库的一些说明
radius 库有10张表
nas
radacct
radcheck
radgroupcheck
radgroupreply
radippool
radpostauth
radreply
radusergroup
wimax
其中重要的有
radacct 用来用户登陆后，详细信息，包括登陆和下线时间，上传和下载字节数
radcheck 用来记录用户账户、密码
radpostauth 记录所有用户没一次登陆的开始时间及状态

声明: 本文采用 BY-NC-SA 协议进行授权. 转载请注明转自: Linux+pptp+mysql+freeradius 实现VPN认证，限制用户连接数

国外支付工具AlertPay注册操作教程 DeZender.DeIoncuber.PHP.5.2.1

本文的评论功能被关闭了.

Linux+pptp+mysql+freeradius 实现VPN认证， 限制用户连接数

Linux+pptp+mysql+freeradius 实现VPN认证，限制用户连接数