FreeBSD - VPN сервер

Установка FreeRadius

 # cd /usr/ports/net/freeradius
 # make config    # opens the options dialog below; only MYSQL is selected, matching the sql module used in radiusd.conf/sql.conf
 ┌────────────────────────────────────────────────────────────────────┐  
 │ │[ ] KERBEROS      With Kerberos support                         │ │
 │ │[ ] HEIMDAL       With Heimdal Kerberos support                 │ │
 │ │[ ] LDAP          With LDAP database support                    │ │
 │ │[X] MYSQL         With MySQL database support                   │ │
 │ │[ ] PGSQL         With PostgreSQL database support              │ │
 │ │[ ] UNIXODBC      With unixODBC database support                │ │
 │ │[ ] FIREBIRD      With Firebird database support (EXPERIMENTAL) │ │
 │ │[ ] SNMP          With SNMP support                             │ │
 │ │[ ] EDIR          With Novell eDirectory support                │ │
 │ │[ ] NOPERL        Do not require perl (use only if necessary)   │ │
 │ │[ ] EXPERIMENTAL  Build experimental modules                    │ │
 │ │                                                                │ │
 │ │                                                                │ │
 │ │                                                                │ │
 │ │                                                                │ │
 ├─└────────────────────────────────────────────────────────────────┘─┤
 # make install clean
 # echo "radiusd_enable="YES"" >> /etc/rc.conf    # the inner quotes are eaten by the shell, so rc.conf receives radiusd_enable=YES (accepted by rc.subr); check the appended line before rebooting

Поправим конф. файлы:

/usr/local/etc/raddb/radiusd.conf

 ....
 
 # Listen on loopback only: the only RADIUS client is mpd5 on this host (see radius.conf below),
 # so the server never needs to be reachable from the network.
 bind_address = 127.0.0.1
 
 ....
  
 # presumably inside the authorize { } section — TODO confirm; the flat "users" file module is
 # disabled and the sql module (configured in sql.conf) answers authorization instead.
 #files
 sql
 
 ....

/usr/local/etc/raddb/sql.conf

 ....
 
 # MySQL credentials used by the sql module; both values are placeholders. Replace them and keep
 # this file readable only by the account radiusd runs as, since the password is stored in clear text.
 login = "mysql-login"
 password = "password"
 
 # Database table configuration
 radius_db = "mysql-db"
 
 ....
    
 # %{SQL-User-Name} is the SQL-escaped copy of User-Name; keep it (rather than %{User-Name}) so a
 # crafted login name cannot change the shape of the query.
 # NOTE(review): "disabled" is not a column of the stock radcheck schema — confirm ${authcheck_table}
 # actually has it, otherwise every lookup fails and no user can authenticate.
 authorize_check_query = "SELECT id, UserName, Attribute, Value, op \
 FROM ${authcheck_table} \
 WHERE Username = '%{SQL-User-Name}' AND disabled = '0' \
 ORDER BY id"
 
 ....

/usr/local/etc/raddb/clients.conf

 ....
 
 # Shared secret of the RADIUS client (presumably the localhost client block — mpd5 talks to
 # 127.0.0.1 per radius.conf below). It must match both lines of mpd's radius.conf.
 # "mysecret" is a placeholder: use a long random value, the secret is what authenticates packets.
 secret          = mysecret
 
 ....
 

Настройки для ограничения полосы трафика средствами radius:

Добавим следующую строку в '/usr/local/share/freeradius/dictionary'

# Pull in the mpd vendor-specific attributes defined in dictionary.mpd (created below).
$INCLUDE dictionary.mpd

Создадим файл '/usr/local/share/freeradius/dictionary.mpd'

 # dictionary.mpd
 # Vendor-specific attributes (vendor id 12341) that mpd5 understands. They are what lets the
 # RADIUS reply carry per-user settings such as the bandwidth limits this page is after;
 # the meaning of each attribute is defined by mpd5 itself, not by this file.
 
 VENDOR          mpd             12341
 
 ATTRIBUTE       mpd-rule        1       string          mpd
 ATTRIBUTE       mpd-pipe        2       string          mpd
 ATTRIBUTE       mpd-queue       3       string          mpd
 ATTRIBUTE       mpd-table       4       string          mpd
 ATTRIBUTE       mpd-table-static        5       string          mpd
 ATTRIBUTE       mpd-filter      6       string          mpd
 ATTRIBUTE       mpd-limit       7       string          mpd
 ATTRIBUTE       mpd-input-octets        8       string          mpd
 ATTRIBUTE       mpd-input-packets       9       string          mpd
 ATTRIBUTE       mpd-output-octets       10      string          mpd
 ATTRIBUTE       mpd-output-packets      11      string          mpd
 ATTRIBUTE       mpd-link        12      string          mpd
 ATTRIBUTE       mpd-bundle      13      string          mpd
 ATTRIBUTE       mpd-iface       14      string          mpd
 ATTRIBUTE       mpd-iface-index 15      integer         mpd
 ATTRIBUTE       mpd-input-acct  16      string          mpd
 ATTRIBUTE       mpd-output-acct 17      string          mpd
 ATTRIBUTE       mpd-action      18      string          mpd
 ATTRIBUTE       mpd-drop-user   154     integer         mpd

Установка mpd

 # cd /usr/ports/net/mpd5
 # make install clean (leave every option in the ports config dialog unchecked)

/usr/local/etc/mpd5/mpd.conf

 startup:
 	# configure the console
 	# Console login "adm" with the admin privilege level; "пароль" is a placeholder —
 	# replace it with a strong password, this account can reconfigure the daemon.
 	set user adm пароль admin
       # Bind the console to loopback only, so it is reachable from this host alone; keep it off public interfaces.
       set console self 127.0.0.1 5005
       set console open
 
 default:
 	load pptp_server 
 
 pptp_server:
 
 # Define dynamic IP address pool.
 	set ippool add pool1 10.0.0.2 10.0.255.254
 
 # Create clonable bundle template named B
 	create bundle template B
 	# NOTE(review): proxy-arp answers ARP for client addresses on the LAN side — only useful
 	# if the pool is taken from the LAN subnet; confirm it is wanted here.
 	set iface enable proxy-arp
 	set iface idle 0
 	set iface enable tcpmssfix
set ipcp yes vjcomp
 # Specify IP address pool for dynamic assignment.
 # Server side of every link is 10.0.0.1, clients get addresses from pool1.
set ipcp ranges 10.0.0.1/32 ippool pool1
# "адрес_днс_сервера" is a placeholder for the DNS server handed to clients.
set ipcp dns адрес_днс_сервера
 
 # Create clonable link template named L
  	create link template L pptp
 # Set bundle template to use
 	set link action bundle B
 # Multilink adds some overhead, but gives full 1500 MTU.
 	set link enable multilink
 	set link yes acfcomp protocomp
 	# PAP is refused and CHAP-MD5 is the only method offered. Two consequences worth knowing:
 	# CHAP-MD5 derives no MPPE keys, so with this config the PPTP tunnel carries PPP payload
 	# without encryption (MPPE needs MS-CHAP, i.e. chap-msv2, plus MPPE enabled under ccp);
 	# and CHAP requires the RADIUS backend to hold the user's clear-text password.
 	set link no pap chap-md5
 	set link enable chap-md5
 # We can use use RADIUS authentication/accounting by including
 # another config section with label 'radius'.
 	load radius
 	set link keep-alive 10 60
 # We reducing link mtu to avoid GRE packet fragmentation.
 	set link mtu 1460
 # Configure PPTP
         # "адрес_впн_сервера" is a placeholder for the address the PPTP listener binds to.
         set pptp self адрес_впн_сервера
 # Allow to accept calls
         set link enable incoming
  
 radius:
 	# Both authentication and accounting go to the servers listed in radius.conf.
 	set auth enable radius-auth
set auth enable radius-acct
# This file (shown below) holds the server addresses and the shared secret in clear text — keep it mode 600.
set radius config /usr/local/etc/mpd5/radius.conf 
set radius retries 3
set radius timeout 3
# send accounting updates every 5 minutes
set auth acct-update 300
# Include the Message-Authenticator attribute (HMAC-MD5 over the packet with the shared secret)
# in RADIUS requests; keep this enabled, it is what lets forged packets be rejected.
set radius enable message-authentic

radius.conf

 # libradius(3) client config: <type> <server> <secret>. The secret must equal the one in
 # FreeRADIUS' clients.conf; "mysecret" is a placeholder. The file stores it in clear text,
 # so restrict it to root (mode 600).
 acct 127.0.0.1 mysecret
 auth 127.0.0.1 mysecret

Активируем сервис

 # echo "mpd_enable="YES"" >> /etc/rc.conf    # as with radiusd_enable: the shell drops the inner quotes and rc.conf gets mpd_enable=YES, which rc.subr accepts

Настроим ротацию логов, для этого добавим следующие строки в /etc/newsyslog.conf:

 # <file> <mode> <count> <size> <when> <flags>: rotate daily at 00:00 (@T00), keep 30 archives,
 # no size trigger (*), bzip2-compress the archive (J) and create the file if missing (C).
 # Mode 600 keeps session and authentication logs readable by root only — keep it that way.
 /var/log/mpd.log                        600  30    *    @T00  JC
 /var/log/mpd_block.log                  600  30    *    @T00  JC
 /var/log/radius.log                     600  30    *    @T00  JC

Перезапустим сервис newsyslog:

 # /etc/rc.d/newsyslog restart    # pick up the new rotation entries

Настроим логирование работы mpd: для этого добавим следующие строки в /etc/syslog.conf:

 # Program specification: the rules until the next "!" line apply only to messages from mpd;
 # *.* routes every facility and priority to the dedicated log rotated above.
 !mpd
 *.*                                             /var/log/mpd.log

Перезапустим сервис syslog:

 # /etc/rc.d/syslog restart    # reread syslog.conf so the !mpd block takes effect

Запустим сервис mpd:

 # /usr/local/etc/rc.d/mpd5 start    # requires mpd_enable=YES in rc.conf (added above)
