I. Software requirements
pptpd-1.3.4, ppp-2.4.4, Apache, MySQL, freeradius (freeradius.org)
II. Installing PPTP
1. The operating system is RHEL5 or CentOS5 with kernel 2.6.18-164.el5. This kernel already supports MPPE, so nothing extra has to be built for it.
Install pptpd and pppd from RPM:
rpm -ivh pptpd-1.3.4-.rhel5.1.i386.rpm
rpm -ivh ppp-2.4.4-2.el5.1.i386.rpm
2. Edit the main configuration file /etc/pptpd.conf:
debug                            turn debug on; it makes errors easier to find
ppp /usr/sbin/pppd               location of the pppd binary
option /etc/ppp/options.pptpd    pppd options file used by pptpd
localip 172.16.10.1              the server's address on the tunnel
remoteip 172.16.10.2-150         address pool handed out to clients
3. Edit /etc/ppp/options.pptpd:
lock
debug
dump
logfd 2
logfile /var/log/pptpd.log
name pptpd
mtu 1450
mru 1450
proxyarp
auth
plugin /usr/local/lib/pppd/2.4.4/radius.so     RADIUS module; comment out if RADIUS is not wanted
plugin /usr/local/lib/pppd/2.4.4/radattr.so    RADIUS attribute module (must be loaded after radius.so)
nobsdcomp
ipcp-accept-local
ipcp-accept-remote
lcp-echo-failure 3
lcp-echo-interval 5
refuse-pap
refuse-chap
refuse-mschap
refuse-eap
require-mschap-v2
multilink
require-mppe
ms-dns 202.98.96.68      DNS servers pushed to the client
ms-dns 61.139.2.69
The four refuse-* lines together with require-mschap-v2 leave MS-CHAPv2 as the only authentication method a client can negotiate, and require-mppe refuses a link without MPPE. Two caveats. require-mppe still accepts 40- and 56-bit MPPE keys, so prefer require-mppe-128, and add nomppe-stateful to forbid stateful mode. More importantly, MS-CHAPv2 itself is broken: the handshake reduces to a single DES key search (Marlinspike and Hulton, 2012), so anyone who captures a login can recover the user's NT hash and, from it, the MPPE session keys. Treat a PPTP server as access control for a network you already trust, not as confidentiality against an attacker who can see the traffic.
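As an added example (not code from the original post), the following shell script audits an options.pptpd for the authentication and MPPE directives discussed above. The directive names are real pppd options; the three sample configuration files written by make_samples, and the function names, are constructed for this demonstration.

```shell
#!/bin/sh
# Added example, not part of the original post: audit an options.pptpd for the
# settings the tutorial relies on. Directive names are real pppd options; the
# sample configs written by make_samples are constructed.

# has_opt FILE NAME: true when NAME appears as an uncommented directive.
# The trailing "(space|end of line)" keeps "require-mppe" from matching
# "require-mppe-128" and "refuse-mschap" from matching "refuse-mschap-v2".
has_opt() {
    grep -Eq "^[[:space:]]*$2"'([[:space:]]|$)' "$1"
}

# audit_pptpd_options FILE: print one finding per line, set AUDIT_COUNT to the
# number of findings, and return 0 only when the file is clean.
audit_pptpd_options() {
    AUDIT_COUNT=0
    for must in refuse-pap refuse-chap refuse-mschap refuse-eap require-mschap-v2; do
        if ! has_opt "$1" "$must"; then
            echo "MISSING $must: a method weaker than MS-CHAPv2 stays negotiable"
            AUDIT_COUNT=$((AUDIT_COUNT + 1))
        fi
    done
    if has_opt "$1" require-mppe-128; then
        :
    elif has_opt "$1" require-mppe; then
        echo "WEAK require-mppe: 40/56-bit MPPE keys still accepted, use require-mppe-128"
        AUDIT_COUNT=$((AUDIT_COUNT + 1))
    else
        echo "MISSING require-mppe-128: the link may come up unencrypted"
        AUDIT_COUNT=$((AUDIT_COUNT + 1))
    fi
    if ! has_opt "$1" nomppe-stateful; then
        echo "NOTE nomppe-stateful absent: stateful MPPE mode is allowed"
        AUDIT_COUNT=$((AUDIT_COUNT + 1))
    fi
    [ "$AUDIT_COUNT" -eq 0 ]
}

# make_samples DIR: three constructed configs: the post's own settings, a
# hardened variant, and one with no authentication restrictions at all.
make_samples() {
    cat > "$1/post.conf" <<'EOF'
name pptpd
auth
refuse-pap
refuse-chap
refuse-mschap
refuse-eap
require-mschap-v2
require-mppe
# require-mppe-128   (commented out, so it must not count)
EOF
    cat > "$1/hardened.conf" <<'EOF'
name pptpd
auth
refuse-pap
refuse-chap
refuse-mschap
refuse-eap
require-mschap-v2
require-mppe-128
nomppe-stateful
EOF
    cat > "$1/open.conf" <<'EOF'
name pptpd
auth
EOF
}

# Stand-alone run: audit the three samples and print a summary per file.
tmp=$(mktemp -d)
make_samples "$tmp"
for f in "$tmp"/post.conf "$tmp"/hardened.conf "$tmp"/open.conf; do
    if audit_pptpd_options "$f"; then
        echo "$f: clean"
    else
        echo "$f: $AUDIT_COUNT finding(s)"
    fi
done
rm -rf "$tmp"
```

Run it against the real file with `audit_pptpd_options /etc/ppp/options.pptpd`; the post's own configuration produces two findings (require-mppe instead of require-mppe-128, and no nomppe-stateful).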
4. Start PPTP
Start the service with: service pptpd start
Make it start on boot with: chkconfig pptpd on
5. Add a test user to /etc/ppp/chap-secrets
# Secrets for authentication using CHAP
# client        server  secret  IP addresses
test            pptpd   test    *
The secret is stored in clear text (MS-CHAPv2 needs either the plaintext password or its NT hash), so keep the file readable by root only (chmod 600 /etc/ppp/chap-secrets) and use a real password instead of "test" outside a lab.
6. Client setup
Create a VPN connection on Windows XP and test it (details omitted).
III. Installing RADIUS and MySQL
1. Install and configure MySQL
Install MySQL, PHP and Apache with yum.
Start MySQL: service mysqld start
Set the MySQL root password:
# mysqladmin -u root -p password youpass
# mysql -uroot -p            (enter youpass at the prompt; a space between -p and the password makes mysql treat it as a database name)
> create database radius;    create a database named radius
> exit
# chkconfig mysqld on        start with the system
2. Installing freeradius
Get freeradius-server-2.1.7.tar.bz2 from http://freeradius.org/
# tar -xvf freeradius-server-2.1.7.tar.bz2
# cd freeradius-server-2.1.7
# ./configure
# make
# make install
# radiusd -X        run radius in debug mode
If you see "Ready to process requests." the installation succeeded.
Have the MySQL client headers (the mysql-devel package) installed before running ./configure; without them the MySQL driver for the sql module is skipped, which is the cause of the error in step 3.
3. Configure freeradius for MySQL
# cd /usr/local/etc/raddb/sites-available
Edit the default file and remove the # in front of every sql line (in the authorize, accounting, session and post-auth sections).
# cd /usr/local/etc/raddb/
Edit radiusd.conf and remove the # in front of $INCLUDE sql.conf.
Edit sql.conf:
# Connection info:
server = "localhost"
#port = 3306
login = "root"
password = "youpass"
Using the MySQL root account here is acceptable for a test box only. Create a dedicated MySQL account with rights on the radius database alone, so that a leaked sql.conf or a compromised radiusd does not hand over the whole database server.
Import the tables radius needs into MySQL:
# cd /usr/local/etc/raddb/sql/mysql
# mysql -uroot -p radius < schema.sql
Run freeradius in debug mode again:
# /usr/local/sbin/radiusd -X
You may see
/usr/local/etc/raddb/sites-enabled/default[159]: Failed to find module "sql".
meaning radius has no driver with which to reach MySQL (rlm_sql_mysql was not built, usually because the MySQL headers were missing when ./configure ran). Build the rlm_sql_mysql.so driver by hand:
# cd freeradius-server-2.1.7/src/modules/rlm_sql/drivers/rlm_sql_mysql
# ./configure; make; make install
The driver is installed under /usr/local/lib; copy it to /usr/lib as well:
# cp /usr/local/lib/rlm_sql_mysql* /usr/lib
Next, add a test user to the database:
# mysql -uroot -p radius
> INSERT INTO `radusergroup` (`username`,`groupname`,`priority`) VALUES ('','test',1);
> INSERT INTO `radusergroup` (`username`,`groupname`,`priority`) VALUES ('test','test',1);
> INSERT INTO `radcheck` (`id`,`username`,`attribute`,`op`,`value`) VALUES (1,'test','User-Password',':=','test');
FreeRADIUS 2.x prefers Cleartext-Password over User-Password as the check attribute and warns about the latter. Either way the password sits in the database in clear; MS-CHAPv2 requires that, unless you store an NT-Password hash instead. A salted hash cannot be used with this authentication method.
Test that the user just added can authenticate:
Open two terminals. In one run: # radiusd -X
In the other run: # radtest test test localhost 0 testing123
(testing123 is the shared secret for the localhost client in the stock clients.conf.)
If you see "rad_recv: Access-Accept packet from host 127.0.0.1 ..." it worked.
4. Managing radius users from a web interface
# cp -R ~/freeradius-server-2.1.7/dialup_admin /usr/local/
# ln -s /usr/local/dialup_admin /var/www/html/dialup_admin
# cd /var/www/html/dialup_admin/conf
Edit admin.conf and change the following:
general_encryption_method: clear
sql_type: mysql
sql_server: localhost
sql_port: 3306
sql_username: root
sql_password: youpass
sql_database: radius
sql_usergroup_table: radusergroup
# sql_debug: true
Configure Apache
Edit /etc/httpd/conf.d/php.conf:
AddHandler php5-script .php .php3
Edit /etc/httpd/conf/httpd.conf and add a block for:
<Directory "/var/www/html/dialup_admin/htdocs">
Start apache:
# service httpd start
# chkconfig httpd on
Open a browser and you can manage radius users.
dialup_admin relies on the web server for authentication: anyone who can reach that <Directory> can create, change and delete VPN accounts, and the symlink above also places conf/admin.conf, which holds the MySQL password, under the document root. Put Apache authentication (or an address allow-list) on the directory and deny access to everything outside htdocs.
IV. Authenticating pptpd users against radius
To authenticate against radius, pppd needs its radius plugin, which is built from the ppp source.
Download the ppp-2.4.4.tar.gz source code:
# tar -xvf ppp-2.4.4.tar.gz
# cd ppp-2.4.4
# ./configure            // note: do not run make / make install at the top level here
# cd pppd/plugins/radius
# make
# make install
# cp -R etc /usr/local/etc/radiusclient     // the sample radiusclient files that ship with the plugin source
Enable the following lines in /etc/ppp/options.pptpd when using radius. Once radius.so is loaded, pppd hands CHAP verification to the RADIUS server and the local entry in chap-secrets is no longer consulted:
# vim /etc/ppp/options.pptpd
plugin /usr/local/lib/pppd/2.4.4/radius.so     // radius.so must be loaded first, then radattr.so
plugin /usr/local/lib/pppd/2.4.4/radattr.so
# cd /usr/local/etc/radiusclient
# vim radiusclient.conf     edit these two lines
authserver 127.0.0.1:1812   // radius authentication
acctserver 127.0.0.1:1813   // radius accounting
# vim servers
#Server Name or Client/Server pair        Key
#----------------                         ---------------
#portmaster.elemental.net                 hardlyasecret
#portmaster2.elemental.net                donttellanyone
127.0.0.1 testing123
The key here must match the secret for this client in /usr/local/etc/raddb/clients.conf. testing123 is the stock value for localhost; replace it in both places and keep the servers file readable by root only. Also check that the servers and dictionary paths inside radiusclient.conf point at this directory; if pppd logs that it cannot read its radius configuration, point the plugin at it explicitly with radius-config-file /usr/local/etc/radiusclient/radiusclient.conf in options.pptpd. The plugin has to be built from the same ppp version as the installed pppd (2.4.4 here), since pppd rejects plugins compiled against another version.
Restart pptpd: service pptpd restart
V. Bandwidth limiting
Rate-limiting clients with limits returned by radius
The principle: radius reads the rate-limit attributes stored for the user's group in the database and sends them to the PPTP server in the Access-Accept; the server then limits the user's bandwidth according to the attributes it received.
The Linux PPTP rate-limit attributes are not in the default radius dictionaries, so they have to be added by hand.
On the PPTP server:
# cd /usr/local/etc/radiusclient
# vim dictionary     add these two lines
ATTRIBUTE PPPD-Upstream-Speed-Limit 230 integer
ATTRIBUTE PPPD-Downstream-Speed-Limit 231 integer
The same two lines must also go into the radius server's dictionary under /usr/local/etc/raddb/. Both sides have to agree on the names and numbers; if they do not, radattr.so writes nothing usable and the script below applies no limit. Numbers 230 and 231 lie in the implementation-specific attribute range (224-240) of RFC 2865, so they do not collide with standard attributes.
Then add to the database:
INSERT INTO `radgroupreply` VALUES (8,'test','PPPD-Upstream-Speed-Limit','=','512');
INSERT INTO `radgroupreply` VALUES (9,'test','PPPD-Downstream-Speed-Limit','=','512');
512 is the bandwidth limit, in kbps.
Finally, add a local script under /etc/ppp/ that uses TC to enforce the limit. pppd runs /etc/ppp/ip-up.local after the link comes up, with the interface name as $1:
# cat ip-up.local     // note: the script must be executable (chmod 755 /etc/ppp/ip-up.local)
#!/bin/bash
PATH=/sbin:/usr/sbin:/bin:/usr/bin
export PATH
# Get the attributes from the radius reply: radattr.so writes them to /var/run/radattr.<interface>
DOWNSPEED=0
UPSPEED=0
if [ -f /var/run/radattr.$1 ]
then
    DOWNSPEED=`/bin/awk '/PPPD-Downstream-Speed-Limit/ {print $2}' /var/run/radattr.$1`
    UPSPEED=`/bin/awk '/PPPD-Upstream-Speed-Limit/ {print $2}' /var/run/radattr.$1`
fi
# An absent attribute leaves the variable empty; treat that as "no limit" instead of
# handing an empty rate to tc
[ -z "$DOWNSPEED" ] && DOWNSPEED=0
[ -z "$UPSPEED" ] && UPSPEED=0
# End
# Start Bandwidth Limit: clear anything left on the interface first
/sbin/tc qdisc del dev $1 root 2>/dev/null
/sbin/tc qdisc del dev $1 ingress 2>/dev/null
##### speed server->client (egress on the ppp interface, shaped with HTB)
if [ "$DOWNSPEED" != "0" ]
then
    /sbin/tc qdisc add dev $1 root handle 1: htb default 20 r2q 1
    /sbin/tc class add dev $1 parent 1: classid 1:1 htb rate ${DOWNSPEED}kbit burst 4k
    /sbin/tc class add dev $1 parent 1:1 classid 1:10 htb rate ${DOWNSPEED}kbit burst 4k prio 1
    /sbin/tc class add dev $1 parent 1:1 classid 1:20 htb rate ${DOWNSPEED}kbit burst 4k prio 2
    /sbin/tc qdisc add dev $1 parent 1:10 handle 10: sfq perturb 10 quantum 1500
    /sbin/tc qdisc add dev $1 parent 1:20 handle 20: sfq perturb 10 quantum 1500
    # interactive traffic (TOS minimum-delay, ICMP, small TCP ACKs) goes to the high-priority class 1:10
    /sbin/tc filter add dev $1 parent 1:0 protocol ip prio 10 u32 match ip tos 0x10 0xff flowid 1:10
    /sbin/tc filter add dev $1 parent 1:0 protocol ip prio 10 u32 match ip protocol 1 0xff flowid 1:10
    /sbin/tc filter add dev $1 parent 1: protocol ip prio 10 u32 match ip protocol 6 0xff \
        match u8 0x05 0x0f at 0 match u16 0x0000 0xffc0 at 2 match u8 0x10 0xff at 33 flowid 1:10
fi
##### speed client->server (ingress, policed: packets above the rate are dropped)
if [ "$UPSPEED" != "0" ]
then
    /sbin/tc qdisc add dev $1 handle ffff: ingress
    /sbin/tc filter add dev $1 parent ffff: protocol ip prio 50 u32 match ip src 0.0.0.0/0 police rate ${UPSPEED}kbit burst 12k drop flowid :1
fi
# End
A user whose reply carries no limit attribute gets an unshaped link; that is the intended default. The server applies whatever rates the RADIUS reply states, so the radgroupreply rows, and the accounts that can write them, are what actually controls per-user bandwidth.
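As an added example (not code from the original post), the script below reads the attribute file that radattr.so leaves in /var/run/radattr.<interface> and turns it into a reviewable tc plan without running tc, so it can be tested unprivileged. It covers the case the ip-up.local above has to handle: a reply that omits one or both limit attributes, or carries a value that is not a plain integer. The attribute names and the "Name Value" line layout are those used above; the sample files written by make_radattr_samples and the function names are constructed for this demonstration.

```shell
#!/bin/sh
# Added example, not part of the original post: derive per-user tc limits from
# a radattr.<ifname> file, treating missing or malformed attributes as "no
# limit". Sample file contents are constructed; nothing here calls tc.

# radattr_value FILE NAME: print NAME's integer value, or 0 when the file or
# attribute is absent, the value is empty, or it is not a plain integer.
radattr_value() {
    v=$(awk -v k="$2" '$1 == k { print $2; exit }' "$1" 2>/dev/null || true)
    case $v in
        ''|*[!0-9]*) echo 0 ;;
        *)           echo "$v" ;;
    esac
}

# plan_tc_limits IFACE FILE: print the tc commands ip-up.local would run for
# this interface, one per line. Only the shaping root and the ingress policer
# are planned here; the per-class filters are the ones in the script above.
plan_tc_limits() {
    iface=$1
    down=$(radattr_value "$2" PPPD-Downstream-Speed-Limit)
    up=$(radattr_value "$2" PPPD-Upstream-Speed-Limit)
    echo "tc qdisc del dev $iface root"
    echo "tc qdisc del dev $iface ingress"
    if [ "$down" -gt 0 ]; then
        echo "tc qdisc add dev $iface root handle 1: htb default 20 r2q 1"
        echo "tc class add dev $iface parent 1: classid 1:1 htb rate ${down}kbit burst 4k"
    fi
    if [ "$up" -gt 0 ]; then
        echo "tc qdisc add dev $iface handle ffff: ingress"
        echo "tc filter add dev $iface parent ffff: protocol ip prio 50 u32 match ip src 0.0.0.0/0 police rate ${up}kbit burst 12k drop flowid :1"
    fi
}

# plan_line_count IFACE FILE: number of tc commands in the plan
# (2 = clear only, 4 = one direction limited, 6 = both directions limited).
plan_line_count() {
    plan_tc_limits "$1" "$2" | awk 'END { print NR }'
}

# make_radattr_samples DIR: constructed radattr files for three replies.
make_radattr_samples() {
    # both limits present, as radattr.so writes them after an Access-Accept
    cat > "$1/radattr.ppp0" <<'EOF'
Framed-IP-Address 172.16.10.5
PPPD-Upstream-Speed-Limit 512
PPPD-Downstream-Speed-Limit 1024
EOF
    # reply without a downstream limit: only the ingress policer may be added
    cat > "$1/radattr.ppp1" <<'EOF'
Framed-IP-Address 172.16.10.6
PPPD-Upstream-Speed-Limit 256
EOF
    # malformed value: must be treated as "no limit", never passed to tc
    cat > "$1/radattr.ppp2" <<'EOF'
Framed-IP-Address 172.16.10.7
PPPD-Downstream-Speed-Limit 512kbit
EOF
}

# Stand-alone run: print the plan for each sample.
tmp=$(mktemp -d)
make_radattr_samples "$tmp"
for i in ppp0 ppp1 ppp2; do
    echo "## $i"
    plan_tc_limits "$i" "$tmp/radattr.$i"
done
rm -rf "$tmp"
```

On a live server, `plan_tc_limits ppp0 /var/run/radattr.ppp0` shows what the reply for a connected user would cause, and `plan_tc_limits ppp0 /var/run/radattr.ppp0 | sh` would apply it. Validating the value before it reaches tc matters because whoever can edit radgroupreply, directly or through dialup_admin, controls the string that ends up in a root-run command line.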
VI. System tuning
Finally, some simple system tuning so the box can handle more traffic (add to /etc/sysctl.conf and apply with sysctl -p):
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.default.accept_source_route = 0
kernel.sysrq = 0
kernel.core_uses_pid = 1
net.ipv4.tcp_syncookies = 1
kernel.msgmnb = 65536
kernel.msgmax = 65536
kernel.shmmax = 4294967295
kernel.shmall = 268435456
net.core.rmem_max = 12582912
net.core.wmem_max = 12582912
net.ipv4.tcp_rmem = 10240 87380 12582912
net.ipv4.tcp_wmem = 10240 87380 12582912
net.ipv4.tcp_no_metrics_save = 1
net.core.netdev_max_backlog = 5000
net.ipv4.ip_forward = 1 is the line that matters for VPN clients reaching other networks; the rest is throughput tuning.
To NAT the dial-in users, use iptables. Restrict the rule to the VPN address pool and the outside interface rather than masquerading everything the box forwards (eth0 is assumed to be the outside interface here):
# iptables -t nat -A POSTROUTING -s 172.16.10.0/24 -o eth0 -j MASQUERADE
The firewall must also let the PPTP control connection and the GRE tunnel reach the server: TCP port 1723 and IP protocol 47.