2月 20 2020
 

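禁用防火墙

注:此做法仅适合隔离的测试环境。后文netstat输出显示MariaDB的3306端口和httpd的80端口均监听在所有地址上,关闭防火墙后它们会与RADIUS端口一同直接暴露;正式部署时应保留firewalld,只放行UDP 1812/1813及必要的管理端口。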

[root@radius ~]# systemctl disable firewalld
Removed symlink /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
Removed symlink /etc/systemd/system/multi-user.target.wants/firewalld.service.
[root@radius ~]# systemctl stop firewalld
[root@radius ~]#

安装AMP环境

[root@radius ~]# yum install php php-pdo php-mysql php-gd php-pear httpd mariadb-server mariadb

创建数据库

注:下文的radiuspassword只是示例口令,实际部署时应替换为强随机口令,并与后文sql模块和daloradius.conf.php中填写的口令保持一致。

MariaDB [(none)]> create database radius;
Query OK, 1 row affected (0.00 sec)

MariaDB [(none)]> grant all on radius.* to radius@localhost;
Query OK, 0 rows affected (0.00 sec)

MariaDB [(none)]> set password for radius@localhost=password('radiuspassword');
Query OK, 0 rows affected (0.00 sec)

MariaDB [(none)]> flush privileges;
Query OK, 0 rows affected (0.00 sec)

设置系统及PHP时区

[root@radius ~]# cp /usr/share/zoneinfo/Asia/Hong_Kong /etc/localtime
cp: overwrite ‘/etc/localtime’? y
[root@radius ~]#
[root@radius ~]# vi /etc/php.ini
;date.timezone =
date.timezone = Asia/Hong_Kong

安装Free RADIUS及相关组件软件包

[root@radius html]# yum install freeradius freeradius-utils freeradius-mysql

查看FreeRADIUS安装包路径

[root@radius html]# rpm -lq freeradius
/etc/logrotate.d/radiusd
/etc/pam.d/radiusd
/etc/raddb
/etc/raddb/README.rst
/etc/raddb/certs
/etc/raddb/certs/Makefile
/etc/raddb/certs/README
/etc/raddb/certs/bootstrap
/etc/raddb/certs/ca.cnf
/etc/raddb/certs/client.cnf
/etc/raddb/certs/passwords.mk
/etc/raddb/certs/server.cnf
/etc/raddb/certs/xpextensions
/etc/raddb/clients.conf
/etc/raddb/dictionary
/etc/raddb/hints
/etc/raddb/huntgroups
/etc/raddb/mods-available
/etc/raddb/mods-available/README.rst
/etc/raddb/mods-available/always
/etc/raddb/mods-available/attr_filter
/etc/raddb/mods-available/cache
/etc/raddb/mods-available/cache_eap
/etc/raddb/mods-available/chap
/etc/raddb/mods-available/counter
/etc/raddb/mods-available/cui
/etc/raddb/mods-available/date
/etc/raddb/mods-available/detail
/etc/raddb/mods-available/detail.example.com
/etc/raddb/mods-available/detail.log
/etc/raddb/mods-available/dhcp
/etc/raddb/mods-available/dhcp_sqlippool
/etc/raddb/mods-available/digest
/etc/raddb/mods-available/dynamic_clients
/etc/raddb/mods-available/eap
/etc/raddb/mods-available/echo
/etc/raddb/mods-available/etc_group
/etc/raddb/mods-available/exec
/etc/raddb/mods-available/expiration
/etc/raddb/mods-available/expr
/etc/raddb/mods-available/files
/etc/raddb/mods-available/idn
/etc/raddb/mods-available/inner-eap
/etc/raddb/mods-available/ippool
/etc/raddb/mods-available/linelog
/etc/raddb/mods-available/logintime
/etc/raddb/mods-available/mac2ip
/etc/raddb/mods-available/mac2vlan
/etc/raddb/mods-available/mschap
/etc/raddb/mods-available/ntlm_auth
/etc/raddb/mods-available/opendirectory
/etc/raddb/mods-available/otp
/etc/raddb/mods-available/pam
/etc/raddb/mods-available/pap
/etc/raddb/mods-available/passwd
/etc/raddb/mods-available/preprocess
/etc/raddb/mods-available/python
/etc/raddb/mods-available/radutmp
/etc/raddb/mods-available/realm
/etc/raddb/mods-available/redis
/etc/raddb/mods-available/rediswho
/etc/raddb/mods-available/replicate
/etc/raddb/mods-available/rest
/etc/raddb/mods-available/smbpasswd
/etc/raddb/mods-available/smsotp
/etc/raddb/mods-available/soh
/etc/raddb/mods-available/sometimes
/etc/raddb/mods-available/sql
/etc/raddb/mods-available/sqlcounter
/etc/raddb/mods-available/sqlippool
/etc/raddb/mods-available/sradutmp
/etc/raddb/mods-available/unix
/etc/raddb/mods-available/unpack
/etc/raddb/mods-available/utf8
/etc/raddb/mods-available/wimax
/etc/raddb/mods-available/yubikey
/etc/raddb/mods-config
/etc/raddb/mods-config/README.rst
/etc/raddb/mods-config/attr_filter
/etc/raddb/mods-config/attr_filter/access_challenge
/etc/raddb/mods-config/attr_filter/access_reject
/etc/raddb/mods-config/attr_filter/accounting_response
/etc/raddb/mods-config/attr_filter/post-proxy
/etc/raddb/mods-config/attr_filter/pre-proxy
/etc/raddb/mods-config/files
/etc/raddb/mods-config/files/accounting
/etc/raddb/mods-config/files/authorize
/etc/raddb/mods-config/files/pre-proxy
/etc/raddb/mods-config/preprocess
/etc/raddb/mods-config/preprocess/hints
/etc/raddb/mods-config/preprocess/huntgroups
/etc/raddb/mods-config/sql
/etc/raddb/mods-config/sql/counter
/etc/raddb/mods-config/sql/cui
/etc/raddb/mods-config/sql/ippool
/etc/raddb/mods-config/sql/ippool-dhcp
/etc/raddb/mods-config/sql/main
/etc/raddb/mods-enabled
/etc/raddb/mods-enabled/always
/etc/raddb/mods-enabled/attr_filter
/etc/raddb/mods-enabled/cache_eap
/etc/raddb/mods-enabled/chap
/etc/raddb/mods-enabled/date
/etc/raddb/mods-enabled/detail
/etc/raddb/mods-enabled/detail.log
/etc/raddb/mods-enabled/dhcp
/etc/raddb/mods-enabled/digest
/etc/raddb/mods-enabled/dynamic_clients
/etc/raddb/mods-enabled/eap
/etc/raddb/mods-enabled/echo
/etc/raddb/mods-enabled/exec
/etc/raddb/mods-enabled/expiration
/etc/raddb/mods-enabled/expr
/etc/raddb/mods-enabled/files
/etc/raddb/mods-enabled/linelog
/etc/raddb/mods-enabled/logintime
/etc/raddb/mods-enabled/mschap
/etc/raddb/mods-enabled/ntlm_auth
/etc/raddb/mods-enabled/pap
/etc/raddb/mods-enabled/passwd
/etc/raddb/mods-enabled/preprocess
/etc/raddb/mods-enabled/radutmp
/etc/raddb/mods-enabled/realm
/etc/raddb/mods-enabled/replicate
/etc/raddb/mods-enabled/soh
/etc/raddb/mods-enabled/sradutmp
/etc/raddb/mods-enabled/unix
/etc/raddb/mods-enabled/unpack
/etc/raddb/mods-enabled/utf8
/etc/raddb/panic.gdb
/etc/raddb/policy.d
/etc/raddb/policy.d/accounting
/etc/raddb/policy.d/canonicalization
/etc/raddb/policy.d/control
/etc/raddb/policy.d/cui
/etc/raddb/policy.d/debug
/etc/raddb/policy.d/dhcp
/etc/raddb/policy.d/eap
/etc/raddb/policy.d/filter
/etc/raddb/policy.d/operator-name
/etc/raddb/proxy.conf
/etc/raddb/radiusd.conf
/etc/raddb/sites-available
/etc/raddb/sites-available/README
/etc/raddb/sites-available/buffered-sql
/etc/raddb/sites-available/challenge
/etc/raddb/sites-available/channel_bindings
/etc/raddb/sites-available/check-eap-tls
/etc/raddb/sites-available/coa
/etc/raddb/sites-available/control-socket
/etc/raddb/sites-available/copy-acct-to-home-server
/etc/raddb/sites-available/decoupled-accounting
/etc/raddb/sites-available/default
/etc/raddb/sites-available/dhcp
/etc/raddb/sites-available/dhcp.relay
/etc/raddb/sites-available/dynamic-clients
/etc/raddb/sites-available/example
/etc/raddb/sites-available/inner-tunnel
/etc/raddb/sites-available/originate-coa
/etc/raddb/sites-available/proxy-inner-tunnel
/etc/raddb/sites-available/robust-proxy-accounting
/etc/raddb/sites-available/soh
/etc/raddb/sites-available/status
/etc/raddb/sites-available/tls
/etc/raddb/sites-available/virtual.example.com
/etc/raddb/sites-available/vmps
/etc/raddb/sites-enabled
/etc/raddb/sites-enabled/default
/etc/raddb/sites-enabled/inner-tunnel
/etc/raddb/templates.conf
/etc/raddb/trigger.conf
/etc/raddb/users
/usr/lib/systemd/system/radiusd.service
/usr/lib/tmpfiles.d/radiusd.conf
/usr/lib64/freeradius
/usr/lib64/freeradius/libfreeradius-dhcp.so
/usr/lib64/freeradius/libfreeradius-eap.so
/usr/lib64/freeradius/libfreeradius-radius.so
/usr/lib64/freeradius/libfreeradius-server.so
/usr/lib64/freeradius/proto_dhcp.so
/usr/lib64/freeradius/proto_vmps.so
/usr/lib64/freeradius/rlm_always.so
/usr/lib64/freeradius/rlm_attr_filter.so
/usr/lib64/freeradius/rlm_cache.so
/usr/lib64/freeradius/rlm_cache_rbtree.so
/usr/lib64/freeradius/rlm_chap.so
/usr/lib64/freeradius/rlm_counter.so
/usr/lib64/freeradius/rlm_cram.so
/usr/lib64/freeradius/rlm_date.so
/usr/lib64/freeradius/rlm_detail.so
/usr/lib64/freeradius/rlm_dhcp.so
/usr/lib64/freeradius/rlm_digest.so
/usr/lib64/freeradius/rlm_dynamic_clients.so
/usr/lib64/freeradius/rlm_eap.so
/usr/lib64/freeradius/rlm_eap_fast.so
/usr/lib64/freeradius/rlm_eap_gtc.so
/usr/lib64/freeradius/rlm_eap_leap.so
/usr/lib64/freeradius/rlm_eap_md5.so
/usr/lib64/freeradius/rlm_eap_mschapv2.so
/usr/lib64/freeradius/rlm_eap_peap.so
/usr/lib64/freeradius/rlm_eap_pwd.so
/usr/lib64/freeradius/rlm_eap_sim.so
/usr/lib64/freeradius/rlm_eap_tls.so
/usr/lib64/freeradius/rlm_eap_tnc.so
/usr/lib64/freeradius/rlm_eap_ttls.so
/usr/lib64/freeradius/rlm_exec.so
/usr/lib64/freeradius/rlm_expiration.so
/usr/lib64/freeradius/rlm_expr.so
/usr/lib64/freeradius/rlm_files.so
/usr/lib64/freeradius/rlm_ippool.so
/usr/lib64/freeradius/rlm_linelog.so
/usr/lib64/freeradius/rlm_logintime.so
/usr/lib64/freeradius/rlm_mschap.so
/usr/lib64/freeradius/rlm_otp.so
/usr/lib64/freeradius/rlm_pam.so
/usr/lib64/freeradius/rlm_pap.so
/usr/lib64/freeradius/rlm_passwd.so
/usr/lib64/freeradius/rlm_preprocess.so
/usr/lib64/freeradius/rlm_radutmp.so
/usr/lib64/freeradius/rlm_realm.so
/usr/lib64/freeradius/rlm_replicate.so
/usr/lib64/freeradius/rlm_soh.so
/usr/lib64/freeradius/rlm_sometimes.so
/usr/lib64/freeradius/rlm_sql.so
/usr/lib64/freeradius/rlm_sql_null.so
/usr/lib64/freeradius/rlm_sqlcounter.so
/usr/lib64/freeradius/rlm_sqlippool.so
/usr/lib64/freeradius/rlm_unix.so
/usr/lib64/freeradius/rlm_unpack.so
/usr/lib64/freeradius/rlm_utf8.so
/usr/lib64/freeradius/rlm_wimax.so
/usr/lib64/freeradius/rlm_yubikey.so
/usr/sbin/checkrad
/usr/sbin/raddebug
/usr/sbin/radiusd
/usr/sbin/radmin
/usr/share/doc/freeradius-3.0.13/LICENSE.gpl
/usr/share/doc/freeradius-3.0.13/LICENSE.lgpl
/usr/share/doc/freeradius-3.0.13/LICENSE.openssl
/usr/share/doc/freeradius-3.0.13/REDHAT
/usr/share/freeradius
/usr/share/freeradius/dictionary
/usr/share/freeradius/dictionary.3com
/usr/share/freeradius/dictionary.3gpp
/usr/share/freeradius/dictionary.3gpp2
/usr/share/freeradius/dictionary.acc
/usr/share/freeradius/dictionary.acme
/usr/share/freeradius/dictionary.actelis
/usr/share/freeradius/dictionary.adtran
/usr/share/freeradius/dictionary.aerohive
/usr/share/freeradius/dictionary.airespace
/usr/share/freeradius/dictionary.alcatel
/usr/share/freeradius/dictionary.alcatel-lucent.aaa
/usr/share/freeradius/dictionary.alcatel.esam
/usr/share/freeradius/dictionary.alcatel.sr
/usr/share/freeradius/dictionary.alteon
/usr/share/freeradius/dictionary.altiga
/usr/share/freeradius/dictionary.alvarion
/usr/share/freeradius/dictionary.alvarion.wimax.v2_2
/usr/share/freeradius/dictionary.apc
/usr/share/freeradius/dictionary.aptilo
/usr/share/freeradius/dictionary.aptis
/usr/share/freeradius/dictionary.arbor
/usr/share/freeradius/dictionary.arista
/usr/share/freeradius/dictionary.aruba
/usr/share/freeradius/dictionary.ascend
/usr/share/freeradius/dictionary.ascend.illegal
/usr/share/freeradius/dictionary.asn
/usr/share/freeradius/dictionary.audiocodes
/usr/share/freeradius/dictionary.avaya
/usr/share/freeradius/dictionary.azaire
/usr/share/freeradius/dictionary.bay
/usr/share/freeradius/dictionary.bintec
/usr/share/freeradius/dictionary.bluecoat
/usr/share/freeradius/dictionary.boingo
/usr/share/freeradius/dictionary.bristol
/usr/share/freeradius/dictionary.broadsoft
/usr/share/freeradius/dictionary.brocade
/usr/share/freeradius/dictionary.bskyb
/usr/share/freeradius/dictionary.bt
/usr/share/freeradius/dictionary.cablelabs
/usr/share/freeradius/dictionary.cabletron
/usr/share/freeradius/dictionary.camiant
/usr/share/freeradius/dictionary.checkpoint
/usr/share/freeradius/dictionary.chillispot
/usr/share/freeradius/dictionary.cisco
/usr/share/freeradius/dictionary.cisco.asa
/usr/share/freeradius/dictionary.cisco.bbsm
/usr/share/freeradius/dictionary.cisco.vpn3000
/usr/share/freeradius/dictionary.cisco.vpn5000
/usr/share/freeradius/dictionary.citrix
/usr/share/freeradius/dictionary.clavister
/usr/share/freeradius/dictionary.cnergee
/usr/share/freeradius/dictionary.colubris
/usr/share/freeradius/dictionary.columbia_university
/usr/share/freeradius/dictionary.compat
/usr/share/freeradius/dictionary.compatible
/usr/share/freeradius/dictionary.cosine
/usr/share/freeradius/dictionary.dante
/usr/share/freeradius/dictionary.dhcp
/usr/share/freeradius/dictionary.digium
/usr/share/freeradius/dictionary.dlink
/usr/share/freeradius/dictionary.dragonwave
/usr/share/freeradius/dictionary.efficientip
/usr/share/freeradius/dictionary.eltex
/usr/share/freeradius/dictionary.epygi
/usr/share/freeradius/dictionary.equallogic
/usr/share/freeradius/dictionary.ericsson
/usr/share/freeradius/dictionary.ericsson.ab
/usr/share/freeradius/dictionary.ericsson.packet.core.networks
/usr/share/freeradius/dictionary.erx
/usr/share/freeradius/dictionary.extreme
/usr/share/freeradius/dictionary.f5
/usr/share/freeradius/dictionary.fdxtended
/usr/share/freeradius/dictionary.fortinet
/usr/share/freeradius/dictionary.foundry
/usr/share/freeradius/dictionary.freedhcp
/usr/share/freeradius/dictionary.freeradius
/usr/share/freeradius/dictionary.freeradius.internal
/usr/share/freeradius/dictionary.freeswitch
/usr/share/freeradius/dictionary.gandalf
/usr/share/freeradius/dictionary.garderos
/usr/share/freeradius/dictionary.gemtek
/usr/share/freeradius/dictionary.h3c
/usr/share/freeradius/dictionary.hillstone
/usr/share/freeradius/dictionary.hp
/usr/share/freeradius/dictionary.huawei
/usr/share/freeradius/dictionary.iana
/usr/share/freeradius/dictionary.iea
/usr/share/freeradius/dictionary.infoblox
/usr/share/freeradius/dictionary.infonet
/usr/share/freeradius/dictionary.ipunplugged
/usr/share/freeradius/dictionary.issanni
/usr/share/freeradius/dictionary.itk
/usr/share/freeradius/dictionary.juniper
/usr/share/freeradius/dictionary.karlnet
/usr/share/freeradius/dictionary.kineto
/usr/share/freeradius/dictionary.lancom
/usr/share/freeradius/dictionary.lantronix
/usr/share/freeradius/dictionary.livingston
/usr/share/freeradius/dictionary.localweb
/usr/share/freeradius/dictionary.lucent
/usr/share/freeradius/dictionary.manzara
/usr/share/freeradius/dictionary.meinberg
/usr/share/freeradius/dictionary.meraki
/usr/share/freeradius/dictionary.merit
/usr/share/freeradius/dictionary.meru
/usr/share/freeradius/dictionary.microsemi
/usr/share/freeradius/dictionary.microsoft
/usr/share/freeradius/dictionary.mikrotik
/usr/share/freeradius/dictionary.motorola
/usr/share/freeradius/dictionary.motorola.illegal
/usr/share/freeradius/dictionary.motorola.wimax
/usr/share/freeradius/dictionary.navini
/usr/share/freeradius/dictionary.netscreen
/usr/share/freeradius/dictionary.networkphysics
/usr/share/freeradius/dictionary.nexans
/usr/share/freeradius/dictionary.nokia
/usr/share/freeradius/dictionary.nokia.conflict
/usr/share/freeradius/dictionary.nomadix
/usr/share/freeradius/dictionary.nortel
/usr/share/freeradius/dictionary.ntua
/usr/share/freeradius/dictionary.openser
/usr/share/freeradius/dictionary.packeteer
/usr/share/freeradius/dictionary.paloalto
/usr/share/freeradius/dictionary.patton
/usr/share/freeradius/dictionary.perle
/usr/share/freeradius/dictionary.propel
/usr/share/freeradius/dictionary.prosoft
/usr/share/freeradius/dictionary.proxim
/usr/share/freeradius/dictionary.purewave
/usr/share/freeradius/dictionary.quiconnect
/usr/share/freeradius/dictionary.quintum
/usr/share/freeradius/dictionary.redcreek
/usr/share/freeradius/dictionary.rfc2865
/usr/share/freeradius/dictionary.rfc2866
/usr/share/freeradius/dictionary.rfc2867
/usr/share/freeradius/dictionary.rfc2868
/usr/share/freeradius/dictionary.rfc2869
/usr/share/freeradius/dictionary.rfc3162
/usr/share/freeradius/dictionary.rfc3576
/usr/share/freeradius/dictionary.rfc3580
/usr/share/freeradius/dictionary.rfc4072
/usr/share/freeradius/dictionary.rfc4372
/usr/share/freeradius/dictionary.rfc4603
/usr/share/freeradius/dictionary.rfc4675
/usr/share/freeradius/dictionary.rfc4679
/usr/share/freeradius/dictionary.rfc4818
/usr/share/freeradius/dictionary.rfc4849
/usr/share/freeradius/dictionary.rfc5090
/usr/share/freeradius/dictionary.rfc5176
/usr/share/freeradius/dictionary.rfc5447
/usr/share/freeradius/dictionary.rfc5580
/usr/share/freeradius/dictionary.rfc5607
/usr/share/freeradius/dictionary.rfc5904
/usr/share/freeradius/dictionary.rfc6519
/usr/share/freeradius/dictionary.rfc6572
/usr/share/freeradius/dictionary.rfc6677
/usr/share/freeradius/dictionary.rfc6911
/usr/share/freeradius/dictionary.rfc6929
/usr/share/freeradius/dictionary.rfc6930
/usr/share/freeradius/dictionary.rfc7055
/usr/share/freeradius/dictionary.rfc7155
/usr/share/freeradius/dictionary.rfc7268
/usr/share/freeradius/dictionary.rfc7499
/usr/share/freeradius/dictionary.rfc7930
/usr/share/freeradius/dictionary.riverbed
/usr/share/freeradius/dictionary.riverstone
/usr/share/freeradius/dictionary.roaringpenguin
/usr/share/freeradius/dictionary.ruckus
/usr/share/freeradius/dictionary.ruggedcom
/usr/share/freeradius/dictionary.sangoma
/usr/share/freeradius/dictionary.sg
/usr/share/freeradius/dictionary.shasta
/usr/share/freeradius/dictionary.shiva
/usr/share/freeradius/dictionary.siemens
/usr/share/freeradius/dictionary.slipstream
/usr/share/freeradius/dictionary.sofaware
/usr/share/freeradius/dictionary.sonicwall
/usr/share/freeradius/dictionary.springtide
/usr/share/freeradius/dictionary.starent
/usr/share/freeradius/dictionary.starent.vsa1
/usr/share/freeradius/dictionary.surfnet
/usr/share/freeradius/dictionary.symbol
/usr/share/freeradius/dictionary.t_systems_nova
/usr/share/freeradius/dictionary.telebit
/usr/share/freeradius/dictionary.telkom
/usr/share/freeradius/dictionary.terena
/usr/share/freeradius/dictionary.trapeze
/usr/share/freeradius/dictionary.travelping
/usr/share/freeradius/dictionary.tropos
/usr/share/freeradius/dictionary.ukerna
/usr/share/freeradius/dictionary.unix
/usr/share/freeradius/dictionary.usr
/usr/share/freeradius/dictionary.usr.illegal
/usr/share/freeradius/dictionary.utstarcom
/usr/share/freeradius/dictionary.valemount
/usr/share/freeradius/dictionary.versanet
/usr/share/freeradius/dictionary.vqp
/usr/share/freeradius/dictionary.walabi
/usr/share/freeradius/dictionary.waverider
/usr/share/freeradius/dictionary.wichorus
/usr/share/freeradius/dictionary.wifialliance
/usr/share/freeradius/dictionary.wimax
/usr/share/freeradius/dictionary.wimax.alvarion
/usr/share/freeradius/dictionary.wimax.wichorus
/usr/share/freeradius/dictionary.wispr
/usr/share/freeradius/dictionary.xedia
/usr/share/freeradius/dictionary.xylan
/usr/share/freeradius/dictionary.yubico
/usr/share/freeradius/dictionary.zeus
/usr/share/freeradius/dictionary.zte
/usr/share/freeradius/dictionary.zyxel
/usr/share/man/man5/clients.conf.5.gz
/usr/share/man/man5/dictionary.5.gz
/usr/share/man/man5/radiusd.conf.5.gz
/usr/share/man/man5/radrelay.conf.5.gz
/usr/share/man/man5/rlm_always.5.gz
/usr/share/man/man5/rlm_attr_filter.5.gz
/usr/share/man/man5/rlm_chap.5.gz
/usr/share/man/man5/rlm_counter.5.gz
/usr/share/man/man5/rlm_detail.5.gz
/usr/share/man/man5/rlm_digest.5.gz
/usr/share/man/man5/rlm_expr.5.gz
/usr/share/man/man5/rlm_files.5.gz
/usr/share/man/man5/rlm_idn.5.gz
/usr/share/man/man5/rlm_mschap.5.gz
/usr/share/man/man5/rlm_pap.5.gz
/usr/share/man/man5/rlm_passwd.5.gz
/usr/share/man/man5/rlm_realm.5.gz
/usr/share/man/man5/rlm_sql.5.gz
/usr/share/man/man5/rlm_unix.5.gz
/usr/share/man/man5/unlang.5.gz
/usr/share/man/man5/users.5.gz
/usr/share/man/man8/raddebug.8.gz
/usr/share/man/man8/radiusd.8.gz
/usr/share/man/man8/radmin.8.gz
/usr/share/man/man8/radrelay.8.gz
/usr/share/snmp/mibs/FREERADIUS-MGMT-MIB.mib
/usr/share/snmp/mibs/FREERADIUS-NOTIFICATION-MIB.mib
/usr/share/snmp/mibs/FREERADIUS-PRODUCT-RADIUSD-MIB.mib
/usr/share/snmp/mibs/FREERADIUS-SMI.mib
/usr/share/snmp/mibs/RADIUS-ACC-CLIENT-MIB.mib
/usr/share/snmp/mibs/RADIUS-ACC-SERVER-MIB.mib
/usr/share/snmp/mibs/RADIUS-AUTH-CLIENT-MIB.mib
/usr/share/snmp/mibs/RADIUS-AUTH-SERVER-MIB.mib
/usr/share/snmp/mibs/RADIUS-STAT-MIB.mib
/var/lib/radiusd
/var/log/radius
/var/log/radius/radacct
/var/log/radius/radius.log
/var/log/radius/radutmp
/var/run/radiusd
/var/run/radiusd/tmp
[root@radius html]#

查看FreeRADIUS工具包安装路径

[root@radius html]# rpm -lq freeradius-utils
/usr/bin/dhcpclient
/usr/bin/map_unit
/usr/bin/rad_counter
/usr/bin/radattr
/usr/bin/radclient
/usr/bin/radcrypt
/usr/bin/radeapclient
/usr/bin/radlast
/usr/bin/radsniff
/usr/bin/radsqlrelay
/usr/bin/radtest
/usr/bin/radwho
/usr/bin/radzap
/usr/bin/rlm_ippool_tool
/usr/bin/smbencrypt
/usr/share/man/man1/dhcpclient.1.gz
/usr/share/man/man1/rad_counter.1.gz
/usr/share/man/man1/radclient.1.gz
/usr/share/man/man1/radeapclient.1.gz
/usr/share/man/man1/radlast.1.gz
/usr/share/man/man1/radtest.1.gz
/usr/share/man/man1/radwho.1.gz
/usr/share/man/man1/radzap.1.gz
/usr/share/man/man1/smbencrypt.1.gz
/usr/share/man/man5/checkrad.5.gz
/usr/share/man/man8/radcrypt.8.gz
/usr/share/man/man8/radsniff.8.gz
/usr/share/man/man8/radsqlrelay.8.gz
/usr/share/man/man8/rlm_ippool_tool.8.gz
[root@radius html]#

查看FreeRADIUS MySQL数据库扩展包安装路径

[root@radius html]# rpm -lq freeradius-mysql
/etc/raddb/mods-config/sql/counter/mysql
/etc/raddb/mods-config/sql/counter/mysql/dailycounter.conf
/etc/raddb/mods-config/sql/counter/mysql/expire_on_login.conf
/etc/raddb/mods-config/sql/counter/mysql/monthlycounter.conf
/etc/raddb/mods-config/sql/counter/mysql/noresetcounter.conf
/etc/raddb/mods-config/sql/cui/mysql
/etc/raddb/mods-config/sql/cui/mysql/queries.conf
/etc/raddb/mods-config/sql/cui/mysql/schema.sql
/etc/raddb/mods-config/sql/ippool-dhcp/mysql
/etc/raddb/mods-config/sql/ippool-dhcp/mysql/queries.conf
/etc/raddb/mods-config/sql/ippool-dhcp/mysql/schema.sql
/etc/raddb/mods-config/sql/ippool/mysql
/etc/raddb/mods-config/sql/ippool/mysql/queries.conf
/etc/raddb/mods-config/sql/ippool/mysql/schema.sql
/etc/raddb/mods-config/sql/main/mysql
/etc/raddb/mods-config/sql/main/mysql/extras
/etc/raddb/mods-config/sql/main/mysql/extras/wimax
/etc/raddb/mods-config/sql/main/mysql/extras/wimax/queries.conf
/etc/raddb/mods-config/sql/main/mysql/extras/wimax/schema.sql
/etc/raddb/mods-config/sql/main/mysql/queries.conf
/etc/raddb/mods-config/sql/main/mysql/schema.sql
/etc/raddb/mods-config/sql/main/mysql/setup.sql
/etc/raddb/mods-config/sql/main/ndb
/etc/raddb/mods-config/sql/main/ndb/README
/etc/raddb/mods-config/sql/main/ndb/schema.sql
/etc/raddb/mods-config/sql/main/ndb/setup.sql
/usr/lib64/freeradius/rlm_sql_mysql.so
[root@radius html]#

注册并启动服务

[root@radius ~]# systemctl enable radiusd
Created symlink from /etc/systemd/system/multi-user.target.wants/radiusd.service to /usr/lib/systemd/system/radiusd.service.
[root@radius ~]# systemctl start radiusd
[root@radius ~]#

查看端口监听(UDP1812/UDP1813)

[root@radius ~]# netstat -ltun
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp6       0      0 :::80                   :::*                    LISTEN
tcp6       0      0 :::22                   :::*                    LISTEN
udp        0      0 127.0.0.1:323           0.0.0.0:*
udp        0      0 0.0.0.0:68              0.0.0.0:*
udp        0      0 127.0.0.1:18120         0.0.0.0:*
udp        0      0 0.0.0.0:56569           0.0.0.0:*
udp        0      0 0.0.0.0:1812            0.0.0.0:*
udp        0      0 0.0.0.0:1813            0.0.0.0:*
udp6       0      0 ::1:323                 :::*
udp6       0      0 :::54657                :::*
udp6       0      0 :::1812                 :::*
udp6       0      0 :::1813                 :::*
[root@radius ~]#

导入数据库

[root@radius ~]# mysql -uroot -p radius < /etc/raddb/mods-config/sql/main/mysql/schema.sql
Enter password:
[root@radius ~]#

启用数据库模块

[root@radius ~]# cd /etc/raddb/mods-enabled/
[root@radius mods-enabled]# ln -s ../mods-available/sql sql
[root@radius mods-enabled]#

修改数据库连接配置文件(以下每组配置中,前一行或前一段为原始内容,后一行或后一段为修改后的内容)

[root@radius mods-enabled]# vi sql

driver = "rlm_sql_null"
driver = "rlm_sql_mysql"

dialect = "sqlite"
dialect = "mysql"

#       server = "localhost"
#       port = 3306
#       login = "radius"
#       password = "radpass"

        server = "localhost"
        port = 3306
        login = "radius"
        password = "radiuspassword"

#       read_clients = yes
        read_clients = yes

修改数据库连接配置文件属组

注:chgrp -h只修改符号链接本身的属组,不会改动链接指向的文件;保存数据库口令的实际文件是../mods-available/sql,应另行确认该文件仅root和radiusd组可读。

[root@radius mods-enabled]# ll sql
lrwxrwxrwx 1 root root 21 Feb 20 05:58 sql -> ../mods-available/sql
[root@radius mods-enabled]# chgrp -h radiusd sql
[root@radius mods-enabled]# ll sql
lrwxrwxrwx 1 root radiusd 21 Feb 20 05:58 sql -> ../mods-available/sql
[root@radius mods-enabled]#

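下载daloRADIUS安装包并解压缩

注:下方记录中未列出解压步骤,复制之前需先解压master.zip(例如unzip master.zip)得到daloradius-master/目录。master分支的内容会随时变化,建议改为下载固定的发布版本并核对校验值后再部署。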

[root@radius ~]# wget https://github.com/lirantal/daloradius/archive/master.zip
[root@radius ~]# cp -R daloradius-master/ /var/www/html/daloradius

导入数据库

[root@radius ~]# cd /var/www/html/
[root@radius html]# mysql -uroot -p radius < daloradius/contrib/db/fr2-mysql-daloradius-and-freeradius.sql
Enter password:
[root@radius html]# mysql -uroot -p radius < daloradius/contrib/db/mysql-daloradius.sql
Enter password:
[root@radius html]#

修改目录及配置文件属性

注:daloradius.conf.php中保存着数据库口令,664权限会让本机所有用户都能读取该文件;属主已是apache时,640或660即可满足Web服务的读写需要。

[root@radius html]# chown -R apache.apache daloradius/
[root@radius html]# chmod 664 daloradius/library/daloradius.conf.php
[root@radius html]#

修改daloRADIUS配置文件

[root@radius html]# vi daloradius/library/daloradius.conf.php
$configValues['CONFIG_DB_HOST'] = 'localhost';
$configValues['CONFIG_DB_PORT'] = '3306';
$configValues['CONFIG_DB_USER'] = 'radius';
$configValues['CONFIG_DB_PASS'] = 'radiuspassword';
$configValues['CONFIG_DB_NAME'] = 'radius';

安装PEAR扩展

更新频道

[root@radius ~]# pear channel-update pear.php.net
Updating channel "pear.php.net"
Update of Channel "pear.php.net" succeeded
[root@radius ~]#

升级pear/PEAR版本

错误提示

[root@radius ~]# pear install DB
WARNING: "pear/DB" is deprecated in favor of "pear/MDB2"
pear/DB requires package "pear/PEAR" (version >= 1.10.0), installed version is 1.9.4
No valid packages found
install failed
[root@radius ~]#

升级操作

[root@radius ~]# pear install PEAR
WARNING: "pear/Console_Getopt" is deprecated in favor of "pear/Console_GetoptPlus"
downloading PEAR-1.10.10.tgz ...
Starting to download PEAR-1.10.10.tgz (293,388 bytes)
.............................................................done: 293,388 bytes
downloading Archive_Tar-1.4.9.tgz ...
Starting to download Archive_Tar-1.4.9.tgz (21,343 bytes)
...done: 21,343 bytes
downloading Structures_Graph-1.1.1.tgz ...
Starting to download Structures_Graph-1.1.1.tgz (12,579 bytes)
...done: 12,579 bytes
downloading Console_Getopt-1.4.3.tgz ...
Starting to download Console_Getopt-1.4.3.tgz (5,789 bytes)
...done: 5,789 bytes
downloading XML_Util-1.4.3.tgz ...
Starting to download XML_Util-1.4.3.tgz (18,842 bytes)
...done: 18,842 bytes
install ok: channel://pear.php.net/Archive_Tar-1.4.9
install ok: channel://pear.php.net/Structures_Graph-1.1.1
install ok: channel://pear.php.net/Console_Getopt-1.4.3
install ok: channel://pear.php.net/XML_Util-1.4.3
install ok: channel://pear.php.net/PEAR-1.10.10
PEAR: Optional feature webinstaller available (PEAR's web-based installer)
PEAR: Optional feature gtkinstaller available (PEAR's PHP-GTK-based installer)
PEAR: Optional feature gtk2installer available (PEAR's PHP-GTK2-based installer)
PEAR: To install optional features use "pear install pear/PEAR#featurename"
[root@radius ~]#

安装pear/DB扩展

[root@radius ~]# pear install DB
WARNING: "pear/DB" is deprecated in favor of "pear/MDB2"
downloading DB-1.9.3.tgz ...
Starting to download DB-1.9.3.tgz (132,290 bytes)
.............................done: 132,290 bytes
install ok: channel://pear.php.net/DB-1.9.3
[root@radius ~]#

安装pear/MDB2扩展

[root@radius ~]# pear install MDB2
downloading MDB2-2.4.1.tgz ...
Starting to download MDB2-2.4.1.tgz (121,557 bytes)
..........................done: 121,557 bytes
install ok: channel://pear.php.net/MDB2-2.4.1
MDB2: Optional feature fbsql available (Frontbase SQL driver for MDB2)
MDB2: Optional feature ibase available (Interbase/Firebird driver for MDB2)
MDB2: Optional feature mysql available (MySQL driver for MDB2)
MDB2: Optional feature mysqli available (MySQLi driver for MDB2)
MDB2: Optional feature mssql available (MS SQL Server driver for MDB2)
MDB2: Optional feature oci8 available (Oracle driver for MDB2)
MDB2: Optional feature pgsql available (PostgreSQL driver for MDB2)
MDB2: Optional feature querysim available (Querysim driver for MDB2)
MDB2: Optional feature sqlite available (SQLite2 driver for MDB2)
MDB2: To install optional features use "pear install pear/MDB2#featurename"
[root@radius ~]#

重启服务

[root@radius ~]# systemctl restart radiusd

使用浏览器访问daloRADIUS控制台

注:按上文配置,控制台经由80端口的明文HTTP提供;daloRADIUS导入的数据库自带默认操作员账号,首次登录后应立即修改其口令,并限制可访问控制台的来源地址。

2月 01 2020
 

自签根证书导入客户端计算机

正确的自签CA证书导入路径(证书-本地计算机-受信任的根证书颁发机构)

查看已导入的CA证书详情

错误的自签CA证书导入路径(证书-当前用户-受信任的根证书颁发机构)

证书导入位置错误时的连接错误提示:IKE身份验证凭证不可接受

拨号连接属性设置详情

常规选项卡

安全选项卡

网络选项卡

建立连接后的状态信息

2月 01 2020
 

安装EPEL仓库源

[root@host1 ~]# yum -y install epel-release

更新缓存并安装StrongSwan及net-tools工具

[root@host1 ~]# yum makecache
[root@host1 ~]# yum -y install strongswan net-tools

查看StrongSwan版本信息

[root@host1 ~]# yum info strongswan
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base: repos-lax.psychz.net
 * epel: mirror.lax.genesisadaptive.com
 * extras: mirror.hostduplex.com
 * updates: repos-lax.psychz.net
Installed Packages
Name        : strongswan
Arch        : x86_64
Version     : 5.7.2
Release     : 1.el7
Size        : 4.0 M
Repo        : installed
From repo   : epel
Summary     : An OpenSource IPsec-based VPN and TNC solution
URL         : http://www.strongswan.org/
License     : GPLv2+
Description : The strongSwan IPsec implementation supports both the IKEv1 and
            : IKEv2 key exchange protocols in conjunction with the native NETKEY
            : IPsec stack of the Linux kernel.

[root@host1 ~]#

准备证书生成脚本

服务器证书脚本

[root@host1 ipsec.d]# cat server_key.sh
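#!/bin/bash
# server_key.sh - create a self-signed strongSwan CA and a VPN host certificate.
#
# Usage: sh server_key.sh HOSTNAME_OR_IP
#   $1 - exact host name or IP address that clients connect to; it becomes the
#        CN of both certificates and the host certificate's subjectAltName.
#
# Run from the directory that should hold the keys. Writes, relative to it:
#   private/strongswanKey.pem   CA private key (RSA 4096)
#   cacerts/strongswanCert.pem  self-signed CA certificate, 3650 days
#   private/vpnHostKey.pem      host private key (RSA 2048)
#   certs/vpnHostCert.pem       host certificate, 730 days
# Re-running overwrites whatever already exists at these paths, including the
# CA key, which invalidates every certificate issued from the previous CA.
#
# NOTE(review): the CA and the host certificate are given the same DN, so the
# host certificate's subject equals its issuer. Consider a distinct CN for the
# CA; not changed here because already-deployed clients trust the current DN.

# Stop at the first failing step so no certificate is issued from a missing or
# truncated key; pipefail covers the "pki --pub | pki --issue" pipeline.
set -eo pipefail

if [ -n "$1" ]; then
        CN=$1
        echo "generating keys for $CN ..."
else
        echo -e "usage:\n sh server_key.sh YOUR EXACT HOST NAME or SERVER IP\n Run this script in directory to store your keys"
        exit 1
fi

mkdir -p private cacerts certs

# Private keys are created by shell redirection, so the umask decides their
# mode. The subshell limits umask 077 to key creation; chmod also tightens a
# key file that already existed with looser permissions.
(umask 077 && strongswan pki --gen --type rsa --size 4096 --outform pem > private/strongswanKey.pem)
chmod 600 private/strongswanKey.pem

strongswan pki --self --ca --lifetime 3650 --in private/strongswanKey.pem --type rsa --dn "C=HK, O=LINUXCACHE.COM, CN=$CN" --outform pem > cacerts/strongswanCert.pem
echo 'CA certs at cacerts/strongswanCert.pem'
strongswan pki --print --in cacerts/strongswanCert.pem

sleep 1
echo "generating server keys ..."
(umask 077 && strongswan pki --gen --type rsa --size 2048 --outform pem > private/vpnHostKey.pem)
chmod 600 private/vpnHostKey.pem

# "$CN" is quoted so a value containing spaces or glob characters stays a
# single --san argument instead of being split by the shell.
strongswan pki --pub --in private/vpnHostKey.pem --type rsa | \
        strongswan pki --issue --lifetime 730 \
        --cacert cacerts/strongswanCert.pem \
        --cakey private/strongswanKey.pem \
        --dn "C=HK, O=LINUXCACHE.COM, CN=$CN" \
        --san "$CN" \
        --flag serverAuth --flag ikeIntermediate \
        --outform pem > certs/vpnHostCert.pem
echo "vpn server cert at certs/vpnHostCert.pem"
strongswan pki --print --in certs/vpnHostCert.pem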
[root@host1 ipsec.d]#

客户端证书脚本

[root@host1 ipsec.d]# cat client_key.sh
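#!/bin/bash
# client_key.sh - issue a VPN client certificate from the local strongSwan CA
# and bundle it with its private key and the CA certificate as PKCS#12.
#
# Usage: sh client_key.sh USER_NAME EMAIL
#   $1 - user name; used only to build the output file names
#   $2 - e-mail address; becomes the certificate CN and subjectAltName
#
# Expects cacerts/strongswanCert.pem and private/strongswanKey.pem in the
# current directory. Writes, relative to it:
#   private/<USER_NAME>Key.pem  client private key (RSA 2048)
#   certs/<USER_NAME>Cert.pem   client certificate, 730 days
#   <USER_NAME>.p12             PKCS#12 bundle; openssl prompts for its password
info="usage:\n sh client_key.sh USER_NAME EMAIL \n Run this script in directory to store your keys"

# Stop at the first failing step so no certificate or bundle is built from a
# missing key; pipefail covers the "pki --pub | pki --issue" pipeline.
set -eo pipefail

if [ -n "$1" ] && [ -n "$2" ]; then
        NAME=$1
        MAIL=$2
else
        echo -e "$info"
        exit 1
fi

# USER_NAME is spliced into output paths: a '/' would write outside private/
# and certs/, and a leading '-' would make the .p12 name look like an option.
case $NAME in
        */* | -*)
                echo "USER_NAME must not contain '/' or start with '-'" >&2
                exit 1
                ;;
esac

echo "generating keys for $NAME $MAIL ..."

mkdir -p private cacerts certs

keyfile="private/${NAME}Key.pem"
certfile="certs/${NAME}Cert.pem"
p12file="${NAME}.p12"

# The key is created by shell redirection, so the umask decides its mode. The
# subshell limits umask 077 to key creation; chmod also tightens a key file
# that already existed with looser permissions.
(umask 077 && strongswan pki --gen --type rsa --size 2048 \
        --outform pem \
        > "$keyfile")
chmod 600 "$keyfile"

strongswan pki --pub --in "$keyfile" --type rsa | \
        strongswan pki --issue --lifetime 730 \
        --cacert cacerts/strongswanCert.pem \
        --cakey private/strongswanKey.pem \
        --dn "C=HK, O=LINUXCACHE.COM, CN=$MAIL" \
        --san "$MAIL" \
        --outform pem > "$certfile"

strongswan pki --print --in "$certfile"

echo "Enter password to protect p12 cert for $NAME"
# The bundle contains the private key, so it is created owner-only as well.
# Under set -e a failed export ends the script with openssl's exit status
# instead of falling through silently.
(umask 077 && openssl pkcs12 -export -inkey "$keyfile" \
        -in "$certfile" -name "$NAME's VPN Certificate" \
        -certfile cacerts/strongswanCert.pem \
        -caname "strongSwan Root CA" \
        -out "$p12file")

echo "cert for $NAME at $p12file"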
[root@host1 ipsec.d]#

生成服务器证书

[root@host1 ipsec.d]# ./server_key.sh 144.202.116.133
generating keys for 144.202.116.133 ...
CA certs at cacerts/strongswanCert.pem
  subject:  "C=HK, O=LINUXCACHE.COM, CN=144.202.116.133"
  issuer:   "C=HK, O=LINUXCACHE.COM, CN=144.202.116.133"
  validity:  not before Feb 01 02:02:11 2020, ok
             not after  Jan 29 02:02:11 2030, ok (expires in 3650 days)
  serial:    1d:40:6a:e0:af:56:64:33
  flags:     CA CRLSign self-signed
  subjkeyId: 91:38:53:8e:8e:85:aa:ec:db:75:1c:82:34:05:6c:7b:da:06:62:26
  pubkey:    RSA 4096 bits
  keyid:     7e:1e:66:62:f0:cc:d9:51:9e:ea:c0:97:37:d5:84:1c:b9:27:97:c2
  subjkey:   91:38:53:8e:8e:85:aa:ec:db:75:1c:82:34:05:6c:7b:da:06:62:26
generating server keys ...
vpn server cert at certs/vpnHostCert.pem
  subject:  "C=HK, O=LINUXCACHE.COM, CN=144.202.116.133"
  issuer:   "C=HK, O=LINUXCACHE.COM, CN=144.202.116.133"
  validity:  not before Feb 01 02:02:13 2020, ok
             not after  Jan 31 02:02:13 2022, ok (expires in 730 days)
  serial:    1d:ff:d1:51:97:c9:46:72
  altNames:  144.202.116.133
  flags:     serverAuth ikeIntermediate
  authkeyId: 91:38:53:8e:8e:85:aa:ec:db:75:1c:82:34:05:6c:7b:da:06:62:26
  subjkeyId: c8:82:e7:43:45:cf:0d:f1:8a:8b:7c:cc:ea:72:f0:4f:18:d9:85:fe
  pubkey:    RSA 2048 bits
  keyid:     15:7d:c7:47:3e:07:7b:66:92:d0:2e:75:8e:78:0e:6b:72:8e:5e:b2
  subjkey:   c8:82:e7:43:45:cf:0d:f1:8a:8b:7c:cc:ea:72:f0:4f:18:d9:85:fe
[root@host1 ipsec.d]#

生成客户端证书并为密钥对设置密码

[root@host1 ipsec.d]# ./client_key.sh harveymei harvey.mei@msn.com
generating keys for harveymei harvey.mei@msn.com ...
  subject:  "C=HK, O=LINUXCACHE.COM, CN=harvey.mei@msn.com"
  issuer:   "C=HK, O=LINUXCACHE.COM, CN=144.202.116.133"
  validity:  not before Feb 01 02:03:46 2020, ok
             not after  Jan 31 02:03:46 2022, ok (expires in 730 days)
  serial:    60:f7:02:c5:33:21:3a:13
  altNames:  harvey.mei@msn.com
  flags:
  authkeyId: 91:38:53:8e:8e:85:aa:ec:db:75:1c:82:34:05:6c:7b:da:06:62:26
  subjkeyId: ee:08:46:4e:bc:b1:7e:37:b5:b8:71:f1:5d:72:43:7f:4e:42:9c:40
  pubkey:    RSA 2048 bits
  keyid:     1a:8d:12:09:54:a6:a6:d4:f9:d4:7a:6c:75:0a:85:6d:90:b6:0d:fe
  subjkey:   ee:08:46:4e:bc:b1:7e:37:b5:b8:71:f1:5d:72:43:7f:4e:42:9c:40
Enter password to protect p12 cert for harveymei
Enter Export Password:
Verifying - Enter Export Password:
cert for harveymei at harveymei.p12
[root@host1 ipsec.d]#

复制客户端需要用到的证书

修改配置文件

修改ipsec.conf配置文件

初始配置文件

# ipsec.conf - strongSwan IPsec configuration file

# basic configuration

config setup
        # strictcrlpolicy=yes
        # uniqueids = no

# Add connections here.

# Sample VPN connections

#conn sample-self-signed
#      leftsubnet=10.1.0.0/16
#      leftcert=selfCert.der
#      leftsendcert=never
#      right=192.168.0.2
#      rightsubnet=10.2.0.0/16
#      rightcert=peerCert.der
#      auto=start

#conn sample-with-ca-cert
#      leftsubnet=10.1.0.0/16
#      leftcert=myCert.pem
#      right=192.168.0.2
#      rightsubnet=10.2.0.0/16
#      rightid="C=HK, O=Linux strongSwan CN=peer name"
#      auto=start

修改为

# Server-side strongSwan configuration: shared defaults in "conn %default"
# plus four remote-access profiles (two IKEv1, two IKEv2).
config setup
    # never: peer identities are not required to be unique, so one account can
    # hold several simultaneous IKE_SAs (credential sharing goes unnoticed).
    uniqueids=never
    # Per-subsystem log levels. Levels 3 and 4 dump raw data and, at 4,
    # sensitive key material, so stay at 2 or below outside debugging.
    charondebug="cfg 2, dmn 2, ike 2, net 0"

conn %default
    left=%defaultroute
    # 0.0.0.0/0 offers a full tunnel: all client traffic is routed through
    # this server.
    leftsubnet=0.0.0.0/0
    leftcert=vpnHostCert.pem
    right=%any
    # Virtual-IP pool handed to clients.
    # NOTE(review): the address is not on the /16 boundary - confirm the
    # intended pool range.
    rightsourceip=172.16.1.100/16

# IKEv1: the client authenticates with a certificate, then with XAuth
# username/password.
conn CiscoIPSec
    keyexchange=ikev1
    fragmentation=yes
    rightauth=pubkey
    rightauth2=xauth
    leftsendcert=always
    rekey=no
    auto=add

# IKEv1 with a group pre-shared key plus XAuth. Every client holds the same
# PSK, so anyone who knows it can pose as the gateway to other clients; prefer
# the certificate-based profiles, and use a long random PSK if this one stays.
conn XauthPsk
    keyexchange=ikev1
    leftauth=psk
    rightauth=psk
    rightauth2=xauth
    auto=add

# IKEv2 with certificates on both sides.
conn IpsecIKEv2
    keyexchange=ikev2
    leftauth=pubkey
    rightauth=pubkey
    leftsendcert=always
    auto=add

# IKEv2: server certificate, client username/password via EAP-MSCHAPv2.
conn IpsecIKEv2-EAP
    keyexchange=ikev2
    # The trailing "!" makes this the only accepted IKE proposal, pinning the
    # profile to SHA-1 and the 1024-bit MODP group, both below current
    # recommendations.
    # NOTE(review): widen to e.g. aes256-sha256-modp2048 where the clients
    # support it - confirm client compatibility first.
    ike=aes256-sha1-modp1024!
    rekey=no
    leftauth=pubkey
    leftsendcert=always
    # The matching user secrets are the EAP entries in ipsec.secrets.
    rightauth=eap-mschapv2
    eap_identity=%any
    auto=add

修改strongswan.conf配置文件

初始配置文件

# strongswan.conf - strongSwan configuration file
#
# Refer to the strongswan.conf(5) manpage for details
#
# Configuration changes should be made in the included files

charon {
        load_modular = yes
        plugins {
                include strongswan.d/charon/*.conf
        }
}

include strongswan.d/*.conf

修改为

charon {
    load_modular = yes
    duplicheck.enable = no
    compress = yes
    plugins {
            include strongswan.d/charon/*.conf
    }
    dns1 = 8.8.8.8
    dns2 = 8.8.4.4
    nbns1 = 8.8.8.8
    nbns2 = 8.8.4.4
}

include strongswan.d/*.conf

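语法变化/错误的处理:按上面的写法启动时,日志报 duplicheck.enable = no 这一行 syntax error(不接受点号形式的键名),需改写为嵌套的 duplicheck { enable = no } 形式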

Feb 01 02:41:00 host1 strongswan[4598]: /etc/strongswan/strongswan.conf:3: syntax error, unexpected ., expecting : or '{' or '=' [.]
charon {
    load_modular = yes
    duplicheck{
	enable = no
	}
    compress = yes
    plugins {
            include strongswan.d/charon/*.conf
    }
    dns1 = 8.8.8.8
    dns2 = 8.8.4.4
    nbns1 = 8.8.8.8
    nbns2 = 8.8.4.4
}

include strongswan.d/*.conf

修改ipsec.secrets配置文件(账号密码)

初始配置文件

# ipsec.secrets - strongSwan IPsec secrets file

修改为

# ipsec.secrets - strongSwan IPsec secrets file
# Holds the server key reference and clear-text credentials: keep this file
# owned by root with mode 0600.
# Private key for the server certificate (leftcert=vpnHostCert.pem).
: RSA vpnHostKey.pem
# Group pre-shared key used by the PSK-based profile. "PSK_KEY" looks like a
# placeholder - replace it with a long random value.
: PSK "PSK_KEY"
# Per-user secrets, stored in clear text. The sample password below is
# published on this page and must not be reused on a real server.
harveymei %any : EAP "harvey#pwd2020"
harveymei %any : XAUTH "harvey#pwd2020"

开启内核及防火墙包转发设置

内核

[root@host1 strongswan]# echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf
[root@host1 strongswan]# sysctl -p
net.ipv6.conf.all.accept_ra = 2
net.ipv6.conf.eth0.accept_ra = 2
net.ipv4.ip_forward = 1
[root@host1 strongswan]#

防火墙

[root@host1 ~]# firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: eth0
sources:
services: dhcpv6-client ssh
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:

[root@host1 ~]# firewall-cmd --permanent --add-service=ipsec
success
[root@host1 ~]# firewall-cmd --permanent --add-port=4500/udp
success
[root@host1 ~]# firewall-cmd --permanent --add-masquerade
success
[root@host1 ~]# firewall-cmd --reload
success
[root@host1 ~]# firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: eth0
sources:
services: dhcpv6-client ipsec ssh
ports: 4500/udp
protocols:
masquerade: yes
forward-ports:
source-ports:
icmp-blocks:
rich rules:

[root@host1 ~]#

启动服务

[root@host1 ~]# systemctl enable strongswan
Created symlink from /etc/systemd/system/multi-user.target.wants/strongswan.service to /usr/lib/systemd/system/strongswan.service.
[root@host1 ~]# systemctl start strongswan

查看端口监听

2020年1月31日
 

n2n两种节点类型的命令参数参考

[root@host1 ~]# /usr/local/n2n/sbin/supernode --help
Welcome to n2n v.2.5.1.r244.46aaa86 for x86_64-unknown-linux-gnu
Built on Jan 31 2020 06:48:19
Copyright 2007-19 - ntop.org and contributors

supernode <config file> (see supernode.conf)
or
supernode -l <lport> -c <path> [-v]

-l <lport> Set UDP main listen port to <lport>
-c <path> File containing the allowed communities.
-v Increase verbosity. Can be used multiple times.
-h This help message.

[root@host1 ~]#

 

[root@host1 ~]# /usr/local/n2n/sbin/edge --help
Welcome to n2n v.2.5.1.r244.46aaa86 for x86_64-unknown-linux-gnu
Built on Jan 31 2020 06:48:19
Copyright 2007-19 - ntop.org and contributors

edge <config file> (see edge.conf)
or
edge -d <tun device> -a [static:|dhcp:]<tun IP address> -c <community> [-k <encrypt key>]
[-s <netmask>] [-u <uid> -g <gid>][-f][-T <tos>][-m <MAC address>] -l <supernode host:port>
[-p <local port>] [-M <mtu>] [-D] [-r] [-E] [-v] [-i <reg_interval>] [-L <reg_ttl>] [-t <mgmt port>] [-A] [-h]

-d <tun device> | tun device name
-a <mode:address> | Set interface address. For DHCP use '-r -a dhcp:0.0.0.0'
-c <community> | n2n community name the edge belongs to.
-k <encrypt key> | Encryption key (ASCII) - also N2N_KEY=<encrypt key>.
-s <netmask> | Edge interface netmask in dotted decimal notation (255.255.255.0).
-l <supernode host:port> | Supernode IP:port
-i <reg_interval> | Registration interval, for NAT hole punching (default 20 seconds)
-L <reg_ttl> | TTL for registration packet when UDP NAT hole punching through supernode (default 0 for not set )
-p <local port> | Fixed local UDP port.
-u <UID> | User ID (numeric) to use when privileges are dropped.
-g <GID> | Group ID (numeric) to use when privileges are dropped.
-f | Do not fork and run as a daemon; rather run in foreground.
-m <MAC address> | Fix MAC address for the TAP interface (otherwise it may be random)
| eg. -m 01:02:03:04:05:06
-M <mtu> | Specify n2n MTU of edge interface (default 1290).
-D | Enable PMTU discovery. PMTU discovery can reduce fragmentation but
| causes connections stall when not properly supported.
-r | Enable packet forwarding through n2n community.
-E | Accept multicast MAC addresses (default=drop).
-S | Do not connect P2P. Always use the supernode.
-T <tos> | TOS for packets (e.g. 0x48 for SSH like priority)
-v | Make more verbose. Repeat as required.
-t <port> | Management UDP Port (for multiple edges on a machine).

Environment variables:
N2N_KEY | Encryption key (ASCII). Not with -k.
[root@host1 ~]#
2020年1月31日
 

在三台主机上分别安装n2n并进行配置

host1:supernode/edge(192.168.172.1)
host2:edge(192.168.172.2)
host3:edge(192.168.172.3)
Community:linuxcache
Pre-Shared Key:5tgb6yhn7ujm(示例值,已随本文公开,实际部署请更换为自行生成的随机密钥)

禁用防火墙(仅为简化测试;禁用后本机所有监听端口都会直接暴露,生产环境建议保留firewalld,在host1上只放行supernode使用的UDP 1200端口)

[root@host1 ~]# systemctl disable firewalld
Removed symlink /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
Removed symlink /etc/systemd/system/multi-user.target.wants/firewalld.service.
[root@host1 ~]# systemctl stop firewalld
[root@host1 ~]#

安装工具

[root@host1 ~]# yum -y install git gcc automake

下载源代码

https://github.com/ntop/n2n.git

[root@host1 ~]# git clone https://github.com/ntop/n2n.git
Cloning into 'n2n'...
remote: Enumerating objects: 1572, done.
remote: Total 1572 (delta 0), reused 0 (delta 0), pack-reused 1572
Receiving objects: 100% (1572/1572), 970.16 KiB | 0 bytes/s, done.
Resolving deltas: 100% (858/858), done.
[root@host1 ~]#

编译安装

[root@host1 ~]# cd n2n/
[root@host1 n2n]# ./autogen.sh
[root@host1 n2n]# ./configure
[root@host1 n2n]# make
[root@host1 n2n]# make PREFIX=/usr/local/n2n/ install

配置host1节点supernode服务脚本

[root@host1 ~]# vi /usr/lib/systemd/system/n2n_supernode.service
# systemd unit that starts the n2n supernode at boot, listening on UDP 1200.
[Unit]
Description=n2n supernode
Wants=network-online.target
After=network-online.target

[Service]
# Only -l is passed. `supernode --help` also lists -c <path>, a file of
# allowed communities; it is not used here.
# NOTE(review): without it the supernode presumably registers edges of any
# community name - confirm, and add -c if only "linuxcache" should be served.
# No User= is set, so the process runs as root.
ExecStart=/usr/local/n2n/sbin/supernode -l 1200

[Install]
WantedBy=multi-user.target

注册服务并启动服务

[root@host1 ~]# systemctl enable n2n_supernode
Created symlink from /etc/systemd/system/multi-user.target.wants/n2n_supernode.service to /usr/lib/systemd/system/n2n_supernode.service.
[root@host1 ~]# systemctl start n2n_supernode
[root@host1 ~]#

配置host1节点edge服务脚本

[root@host1 ~]# vi /usr/lib/systemd/system/n2n_edge.service
# systemd unit that starts the n2n edge on host1 after the local supernode.
[Unit]
Description=n2n edge
Wants=network-online.target
After=network-online.target n2n_supernode.service

[Service]
# -k puts the community key on the command line, where any local user can read
# it from the process list; the unit file itself is usually world-readable too.
# `edge --help` lists N2N_KEY as the environment alternative to -k; loading it
# from a root-only file via EnvironmentFile= keeps the key out of both places.
# The host2 and host3 units on this page carry the same key the same way.
# -f keeps edge in the foreground so systemd supervises the process directly.
ExecStart=/usr/local/n2n/sbin/edge -l localhost:1200 -c linuxcache -a 192.168.172.1 -k 5tgb6yhn7ujm -f

[Install]
WantedBy=multi-user.target

注册服务并启动服务

[root@host1 ~]# systemctl enable n2n_edge
Created symlink from /etc/systemd/system/multi-user.target.wants/n2n_edge.service to /usr/lib/systemd/system/n2n_edge.service.
[root@host1 ~]# systemctl start n2n_edge
[root@host1 ~]#

查看host1接口信息

[root@host1 ~]# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 56:00:02:83:72:1e brd ff:ff:ff:ff:ff:ff
inet 144.202.116.133/23 brd 144.202.117.255 scope global dynamic eth0
valid_lft 84884sec preferred_lft 84884sec
inet6 fe80::5400:2ff:fe83:721e/64 scope link
valid_lft forever preferred_lft forever
3: edge0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1290 qdisc pfifo_fast state UNKNOWN group default qlen 1000
link/ether de:23:7d:c9:85:e0 brd ff:ff:ff:ff:ff:ff
inet 192.168.172.1/24 brd 192.168.172.255 scope global edge0
valid_lft forever preferred_lft forever
inet6 fe80::dc23:7dff:fec9:85e0/64 scope link
valid_lft forever preferred_lft forever
[root@host1 ~]#

配置host2节点edge服务脚本

[root@host2 ~]# vi /usr/lib/systemd/system/n2n_edge.service
[Unit]
Description=n2n edge
Wants=network-online.target
After=network-online.target

[Service]
ExecStart=/usr/local/n2n/sbin/edge -l 144.202.116.133:1200 -c linuxcache -a 192.168.172.2 -k 5tgb6yhn7ujm -f

[Install]
WantedBy=multi-user.target

注册服务并启动服务

[root@host2 ~]# systemctl enable n2n_edge
Created symlink from /etc/systemd/system/multi-user.target.wants/n2n_edge.service to /usr/lib/systemd/system/n2n_edge.service.
[root@host2 ~]# systemctl start n2n_edge
[root@host2 ~]#

查看host2接口信息

[root@host2 ~]# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 56:00:02:83:72:1f brd ff:ff:ff:ff:ff:ff
inet 149.28.93.246/23 brd 149.28.93.255 scope global dynamic eth0
valid_lft 78885sec preferred_lft 78885sec
inet6 fe80::5400:2ff:fe83:721f/64 scope link
valid_lft forever preferred_lft forever
3: edge0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1290 qdisc pfifo_fast state UNKNOWN group default qlen 1000
link/ether ae:04:8c:77:da:be brd ff:ff:ff:ff:ff:ff
inet 192.168.172.2/24 brd 192.168.172.255 scope global edge0
valid_lft forever preferred_lft forever
inet6 fe80::ac04:8cff:fe77:dabe/64 scope link
valid_lft forever preferred_lft forever
[root@host2 ~]#

检测节点连通性(在host2主机上)

[root@host2 ~]# ping -c 4 192.168.172.1
PING 192.168.172.1 (192.168.172.1) 56(84) bytes of data.
64 bytes from 192.168.172.1: icmp_seq=1 ttl=64 time=0.877 ms
64 bytes from 192.168.172.1: icmp_seq=2 ttl=64 time=0.733 ms
64 bytes from 192.168.172.1: icmp_seq=3 ttl=64 time=0.844 ms
64 bytes from 192.168.172.1: icmp_seq=4 ttl=64 time=0.958 ms

--- 192.168.172.1 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3000ms
rtt min/avg/max/mdev = 0.733/0.853/0.958/0.080 ms
[root@host2 ~]#

配置host3节点edge服务脚本

[root@host3 ~]# vi /usr/lib/systemd/system/n2n_edge.service
[Unit]
Description=n2n edge
Wants=network-online.target
After=network-online.target

[Service]
ExecStart=/usr/local/n2n/sbin/edge -l 144.202.116.133:1200 -c linuxcache -a 192.168.172.3 -k 5tgb6yhn7ujm -f

[Install]
WantedBy=multi-user.target

注册服务并启动服务

[root@host3 n2n]# systemctl enable n2n_edge
Created symlink from /etc/systemd/system/multi-user.target.wants/n2n_edge.service to /usr/lib/systemd/system/n2n_edge.service.
[root@host3 n2n]# systemctl start n2n_edge
[root@host3 n2n]#

查看host3接口信息

[root@host3 ~]# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 56:00:02:83:80:03 brd ff:ff:ff:ff:ff:ff
inet 45.32.224.80/22 brd 45.32.227.255 scope global dynamic eth0
valid_lft 78416sec preferred_lft 78416sec
inet6 fe80::5400:2ff:fe83:8003/64 scope link
valid_lft forever preferred_lft forever
3: edge0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1290 qdisc pfifo_fast state UNKNOWN group default qlen 1000
link/ether d2:31:7d:96:46:41 brd ff:ff:ff:ff:ff:ff
inet 192.168.172.3/24 brd 192.168.172.255 scope global edge0
valid_lft forever preferred_lft forever
inet6 fe80::d031:7dff:fe96:4641/64 scope link
valid_lft forever preferred_lft forever
[root@host3 ~]#

检测节点连通性(在host3主机上)

[root@host3 ~]# ping -c 4 192.168.172.1
PING 192.168.172.1 (192.168.172.1) 56(84) bytes of data.
64 bytes from 192.168.172.1: icmp_seq=1 ttl=64 time=59.0 ms
64 bytes from 192.168.172.1: icmp_seq=2 ttl=64 time=25.9 ms
64 bytes from 192.168.172.1: icmp_seq=3 ttl=64 time=26.0 ms
64 bytes from 192.168.172.1: icmp_seq=4 ttl=64 time=27.2 ms

--- 192.168.172.1 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3003ms
rtt min/avg/max/mdev = 25.963/34.564/59.058/14.150 ms
[root@host3 ~]# ping -c 4 192.168.172.2
PING 192.168.172.2 (192.168.172.2) 56(84) bytes of data.
64 bytes from 192.168.172.2: icmp_seq=1 ttl=64 time=52.1 ms
64 bytes from 192.168.172.2: icmp_seq=2 ttl=64 time=26.0 ms
64 bytes from 192.168.172.2: icmp_seq=3 ttl=64 time=26.0 ms
64 bytes from 192.168.172.2: icmp_seq=4 ttl=64 time=25.9 ms

--- 192.168.172.2 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3003ms
rtt min/avg/max/mdev = 25.963/32.542/52.115/11.301 ms
[root@host3 ~]#

检测节点连通性(在host1主机上)

[root@host1 ~]# ping -c 4 192.168.172.2
PING 192.168.172.2 (192.168.172.2) 56(84) bytes of data.
64 bytes from 192.168.172.2: icmp_seq=1 ttl=64 time=1.43 ms
64 bytes from 192.168.172.2: icmp_seq=2 ttl=64 time=0.666 ms
64 bytes from 192.168.172.2: icmp_seq=3 ttl=64 time=0.840 ms
64 bytes from 192.168.172.2: icmp_seq=4 ttl=64 time=0.921 ms

--- 192.168.172.2 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3002ms
rtt min/avg/max/mdev = 0.666/0.964/1.432/0.287 ms
[root@host1 ~]# ping -c 4 192.168.172.3
PING 192.168.172.3 (192.168.172.3) 56(84) bytes of data.
64 bytes from 192.168.172.3: icmp_seq=1 ttl=64 time=33.4 ms
64 bytes from 192.168.172.3: icmp_seq=2 ttl=64 time=26.0 ms
64 bytes from 192.168.172.3: icmp_seq=3 ttl=64 time=26.3 ms
64 bytes from 192.168.172.3: icmp_seq=4 ttl=64 time=25.8 ms

--- 192.168.172.3 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3004ms
rtt min/avg/max/mdev = 25.859/27.923/33.456/3.202 ms
[root@host1 ~]#
2020年1月30日
 

安装Cisco AnyConnect Secure Mobility Client客户端程序

准备导入由自签CA签发的用户证书(含私钥)文件

证书导入向导(存储位置:当前用户)

确认导入证书文件的文件路径

输入为证书文件设置的密码

使用默认的证书存储位置

确认证书导入信息,并点击完成

证书导入成功

在证书管理(用户证书)中查看已导入的用户证书信息

在打开的AnyConnect客户端中输入服务器地址,并点击连接按钮

正在建立连接的状态

连接建立成功,系统提示已连接至服务器端

客户端处于连接状态

2020年1月29日
 

基于OpenVPN使用预共享密钥加密的点到点VPN解决方案

安装依赖库EPEL及net-tools工具

[root@host1 ~]# yum -y install epel-release.noarch net-tools

[root@host2 ~]# yum -y install epel-release.noarch net-tools

安装openvpn软件包

[root@host1 ~]# yum -y install openvpn

[root@host2 ~]# yum -y install openvpn

配置防火墙,在两台主机开放UDP8443端口作为专用通信端口

[root@host1 ~]# firewall-cmd --permanent --add-port=8443/udp
success
[root@host1 ~]# firewall-cmd --reload
success
[root@host1 ~]#

[root@host2 ~]# firewall-cmd --permanent --add-port=8443/udp
success
[root@host2 ~]# firewall-cmd --reload
success
[root@host2 ~]#

生成host1配置文件

[root@host1 ~]# vi /etc/openvpn/host1.conf
# Point-to-point OpenVPN tunnel from host1 to host2 over UDP 8443, protected
# by a static pre-shared key. host2's config mirrors this one.
proto udp
mode p2p
remote 149.28.93.246
rport 8443
local 0.0.0.0
lport 8443
dev-type tun
# Ignored by this OpenVPN build: nohup.out logs "option tun-ipv6 is ignored".
tun-ipv6
resolv-retry infinite
dev tun0
# LZO compression (must match on both peers). Compressing tunnel traffic can
# leak plaintext through packet lengths (VORACLE-style oracle), so leave it
# off unless a peer requires it.
comp-lzo
persist-key
persist-tun
cipher aes-256-cbc
# Tunnel endpoints: local 172.16.100.1, peer 172.16.100.2.
ifconfig 172.16.100.1 172.16.100.2
# Static-key mode: the same key protects every session, so there is no forward
# secrecy and a leaked key exposes past and future traffic. Keep the file
# readable by root only (0600); TLS mode with certificates avoids the shared
# secret altogether.
secret /etc/openvpn/p2p.key

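生成预共享密钥文件并复制到host2主机相应目录(下面显示的密钥仅为示例,已随本文公开,切勿直接使用;请自行生成,通过scp等加密通道传输,并将文件权限设为600。后文host2日志中的"group or others accessible"警告即因该文件权限过宽)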

[root@host1 ~]# openvpn --genkey --secret /etc/openvpn/p2p.key
[root@host1 ~]# cat /etc/openvpn/p2p.key
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
cb55061878ae55a026f04826c8c49669
efaa6a77d5077b0bff0d27eb7b0611de
849125952cfaea36f556c52b1a5725d2
69a79ec24526c363d636d64b9f9591e1
b64b5b20147d08e419c8e37b72320e52
4be7d1b23b0c76c21f950e611fafa25f
a3811c610be55334b19f801cab1c31f3
f4bc5e5ff213b407b5c8321c0a619358
09e8dfb93561efebeff7f656d2dc7d7a
5c3ad585ccc81755fc711bcf7c702053
3a23335cdc3a2c372a0bdf18fb75cdd2
935ff0fe927e6f77e854cfb1547876d3
bc9df044f2a0cf9c88ba61b2b2731a04
16b1ad259d25f53d583cbcd0ed8a3c66
2c2b0ceb9115351760dfc42e1f2670d6
be49d22101387b08f9b54c0e23c11823
-----END OpenVPN Static key V1-----
[root@host1 ~]#

生成host2配置文件

[root@host2 ~]# vi /etc/openvpn/hosts2.conf
proto udp
mode p2p
remote 144.202.116.133
rport 8443
local 0.0.0.0
lport 8443
dev-type tun
tun-ipv6
resolv-retry infinite
dev tun0
comp-lzo
persist-key
persist-tun
cipher aes-256-cbc
ifconfig 172.16.100.2 172.16.100.1
secret /etc/openvpn/p2p.key

[root@host2 ~]# vi /etc/openvpn/p2p.key
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
cb55061878ae55a026f04826c8c49669
efaa6a77d5077b0bff0d27eb7b0611de
849125952cfaea36f556c52b1a5725d2
69a79ec24526c363d636d64b9f9591e1
b64b5b20147d08e419c8e37b72320e52
4be7d1b23b0c76c21f950e611fafa25f
a3811c610be55334b19f801cab1c31f3
f4bc5e5ff213b407b5c8321c0a619358
09e8dfb93561efebeff7f656d2dc7d7a
5c3ad585ccc81755fc711bcf7c702053
3a23335cdc3a2c372a0bdf18fb75cdd2
935ff0fe927e6f77e854cfb1547876d3
bc9df044f2a0cf9c88ba61b2b2731a04
16b1ad259d25f53d583cbcd0ed8a3c66
2c2b0ceb9115351760dfc42e1f2670d6
be49d22101387b08f9b54c0e23c11823
-----END OpenVPN Static key V1-----

启动host1上的OpenVPN服务并加载指定配置文件

[root@host1 ~]# nohup openvpn --config /etc/openvpn/host1.conf &
[1] 1913
[root@host1 ~]# nohup: ignoring input and appending output to ‘nohup.out’

[root@host1 ~]# cat nohup.out
Fri Jan 31 03:25:47 2020 Note: option tun-ipv6 is ignored because modern operating systems do not need special IPv6 tun handling anymore.
Fri Jan 31 03:25:47 2020 disabling NCP mode (--ncp-disable) because not in P2MP client or server mode
Fri Jan 31 03:25:47 2020 OpenVPN 2.4.8 x86_64-redhat-linux-gnu [Fedora EPEL patched] [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Nov 1 2019
Fri Jan 31 03:25:47 2020 library versions: OpenSSL 1.0.2k-fips 26 Jan 2017, LZO 2.06
Fri Jan 31 03:25:47 2020 TUN/TAP device tun0 opened
Fri Jan 31 03:25:47 2020 /sbin/ip link set dev tun0 up mtu 1500
Fri Jan 31 03:25:47 2020 /sbin/ip addr add dev tun0 local 172.16.100.1 peer 172.16.100.2
Fri Jan 31 03:25:47 2020 TCP/UDP: Preserving recently used remote address: [AF_INET]149.28.93.246:8443
Fri Jan 31 03:25:47 2020 UDP link local (bound): [AF_INET][undef]:8443
Fri Jan 31 03:25:47 2020 UDP link remote: [AF_INET]149.28.93.246:8443
[root@host1 ~]#

查看host1接口信息及端口监听信息

启动host2上的OpenVPN服务并加载指定配置文件

[root@host2 ~]# nohup openvpn --config /etc/openvpn/hosts2.conf &
[1] 1741
[root@host2 ~]# nohup: ignoring input and appending output to ‘nohup.out’

[root@host2 ~]# cat nohup.out
Fri Jan 31 03:28:03 2020 Note: option tun-ipv6 is ignored because modern operating systems do not need special IPv6 tun handling anymore.
Fri Jan 31 03:28:03 2020 disabling NCP mode (--ncp-disable) because not in P2MP client or server mode
Fri Jan 31 03:28:03 2020 WARNING: file '/etc/openvpn/p2p.key' is group or others accessible
Fri Jan 31 03:28:03 2020 OpenVPN 2.4.8 x86_64-redhat-linux-gnu [Fedora EPEL patched] [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Nov 1 2019
Fri Jan 31 03:28:03 2020 library versions: OpenSSL 1.0.2k-fips 26 Jan 2017, LZO 2.06
Fri Jan 31 03:28:03 2020 TUN/TAP device tun0 opened
Fri Jan 31 03:28:03 2020 /sbin/ip link set dev tun0 up mtu 1500
Fri Jan 31 03:28:03 2020 /sbin/ip addr add dev tun0 local 172.16.100.2 peer 172.16.100.1
Fri Jan 31 03:28:03 2020 TCP/UDP: Preserving recently used remote address: [AF_INET]144.202.116.133:8443
Fri Jan 31 03:28:03 2020 UDP link local (bound): [AF_INET][undef]:8443
Fri Jan 31 03:28:03 2020 UDP link remote: [AF_INET]144.202.116.133:8443
[root@host2 ~]#

查看host2接口信息及端口监听信息


在两台主机上分别ping对端隧道IP地址

2020年1月22日
 

使用自签证书进行用户身份验证,使用Let’s Encrypt权威证书作为服务器证书

启用内核包转发

[root@ocserv ~]# echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
[root@ocserv ~]# sysctl -p
net.ipv6.conf.all.accept_ra = 2
net.ipv6.conf.eth0.accept_ra = 2
net.ipv4.ip_forward = 1
[root@ocserv ~]#

开启防火墙端口及包转发特性

[root@ocserv ~]# firewall-cmd --permanent --add-port=443/tcp
success
[root@ocserv ~]# firewall-cmd --permanent --add-port=443/udp
success
[root@ocserv ~]# firewall-cmd --permanent --add-port=80/tcp
success
[root@ocserv ~]# firewall-cmd --permanent --add-port=8080/tcp
success
[root@ocserv ~]# firewall-cmd --permanent --add-masquerade
success
[root@ocserv ~]# firewall-cmd --reload
success
[root@ocserv ~]#

安装ocserv服务包及Let’s Encrypt工具包

[root@ocserv ~]# yum -y install ocserv certbot

使用certbot生成的服务器证书和密钥路径

/etc/letsencrypt/live/ocserv.bcoc.site/fullchain.pem
/etc/letsencrypt/live/ocserv.bcoc.site/privkey.pem

修改ocserv服务端配置

[root@ocserv ~]# vi /etc/ocserv/ocserv.conf

修改认证类型为证书认证

auth = "certificate"

修改服务器证书配置

server-cert = /etc/letsencrypt/live/ocserv.bcoc.site/fullchain.pem
server-key = /etc/letsencrypt/live/ocserv.bcoc.site/privkey.pem

修改用户端证书身份识别

#cert-user-oid = 0.9.2342.19200300.100.1.1
cert-user-oid = 2.5.4.3

启用压缩

compression = true
no-compress-limit = 256

设置客户端IPv4地址池

ipv4-network = 192.168.172.0
ipv4-netmask = 255.255.255.0

设置DNS

dns = 8.8.8.8
dns = 8.8.4.4

启动服务

[root@ocserv ~]# systemctl start ocserv

安装Apache服务器,为用户证书提供下载服务

[root@ocserv ~]# yum -y install httpd

修改Apache主配置文件并启动服务

[root@ocserv ~]# vi /etc/httpd/conf/httpd.conf

修改主机名

ServerName ocserv.bcoc.site

修改服务监听端口

#Listen 80
Listen 8080

检查配置并启动服务

[root@ocserv ~]# apachectl -t
Syntax OK
[root@ocserv ~]# systemctl enable httpd
Created symlink from /etc/systemd/system/multi-user.target.wants/httpd.service to /usr/lib/systemd/system/httpd.service.
[root@ocserv ~]# systemctl start httpd
[root@ocserv ~]#

查看监听

使用浏览器访问服务器端口确认证书状态

生成自签CA证书(ca-key.pem为CA私钥,持有者可签发任意用户证书,生成后应离线妥善保存,不要长期留在VPN服务器上)

[root@ocserv ~]# certtool --generate-privkey --outfile ca-key.pem
Generating a 2048 bit RSA private key...
[root@ocserv ~]# cat << _EOF_ >ca.tmpl
> cn = "BCOC CA"
> organization = "BCOC"
> serial = 1
> expiration_days = -1
> ca
> signing_key
> cert_signing_key
> crl_signing_key
> _EOF_
[root@ocserv ~]# certtool --generate-self-signed --load-privkey ca-key.pem \
> --template ca.tmpl --outfile ca-cert.pem

生成自签用户证书

[root@ocserv ~]# certtool --generate-privkey --outfile user-key.pem
Generating a 2048 bit RSA private key...
[root@ocserv ~]# cat << _EOF_ >user.tmpl
> cn = "harveymei"
> unit = "standard"
> expiration_days = 365
> signing_key
> tls_www_client
> _EOF_
[root@ocserv ~]# certtool --generate-certificate --load-privkey user-key.pem \
> --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem \
> --template user.tmpl --outfile user-cert.pem

导出为PKCS12格式,为证书设置密码(导入证书时需要输入)

[root@ocserv ~]# certtool --to-p12 --load-privkey user-key.pem \
> --pkcs-cipher 3des-pkcs12 \
> --load-certificate user-cert.pem \
> --outfile user.p12 --outder
Generating a PKCS #12 structure...
Loading private key list...
Loaded 1 private keys.
Enter a name for the key: harveymei
Enter password:
Confirm password:
[root@ocserv ~]# ls
ca-cert.pem ca.tmpl user-key.pem user.tmpl
ca-key.pem user-cert.pem user.p12
[root@ocserv ~]#

将用户证书复制到Web Server服务器根目录下以提供证书下载(user.p12内含用户私钥,而8080端口为明文HTTP,文件仅靠导出密码保护;建议客户端下载后立即从/var/www/html/删除该文件,或改用scp等加密通道分发)

[root@ocserv ~]# cp user.p12 /var/www/html/

使用自签CA证书覆盖ocserv初始CA证书

[root@ocserv ~]# cp ca-cert.pem /etc/pki/ocserv/cacerts/ca.crt
cp: overwrite ‘/etc/pki/ocserv/cacerts/ca.crt’? y

覆盖CA证书后重新启动ocserv服务

[root@ocserv ~]# systemctl restart ocserv

 

客户端新建连接并导入用户证书

客户端证书下载地址(客户端导入证书需输入密码)
http://ocserv.bcoc.site:8080/user.p12

Windows 10 系统下OpenConnect GUI的设置

2020年1月21日
 

http://ocserv.gitlab.io/www/manual.html

生成CA证书

$ certtool --generate-privkey --outfile ca-key.pem
$ cat << _EOF_ >ca.tmpl
cn = "VPN CA"
organization = "Big Corp"
serial = 1
expiration_days = -1
ca
signing_key
cert_signing_key
crl_signing_key
_EOF_

$ certtool --generate-self-signed --load-privkey ca-key.pem \
--template ca.tmpl --outfile ca-cert.pem

生成服务器证书

$ certtool --generate-privkey --outfile server-key.pem
$ cat << _EOF_ >server.tmpl
cn = "VPN server"
dns_name = "www.example.com"
dns_name = "vpn1.example.com"
#ip_address = "1.2.3.4"
organization = "MyCompany"
expiration_days = -1
signing_key
encryption_key #only if the generated key is an RSA one
tls_www_server
_EOF_

$ certtool --generate-certificate --load-privkey server-key.pem \
--load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem \
--template server.tmpl --outfile server-cert.pem

生成客户端证书

$ certtool --generate-privkey --outfile user-key.pem
$ cat << _EOF_ >user.tmpl
cn = "user"
unit = "admins"
expiration_days = 365
signing_key
tls_www_client
_EOF_
$ certtool --generate-certificate --load-privkey user-key.pem \
--load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem \
--template user.tmpl --outfile user-cert.pem

$ certtool --to-p12 --load-privkey user-key.pem \
--pkcs-cipher 3des-pkcs12 \
--load-certificate user-cert.pem \
--outfile user.p12 --outder

吊销客户端证书

$ cat << _EOF_ >crl.tmpl
crl_next_update = 365
crl_number = 1
_EOF_
$ cat user-cert.pem >>revoked.pem
$ certtool --generate-crl --load-ca-privkey ca-key.pem \
--load-ca-certificate ca-cert.pem --load-certificate revoked.pem \
--template crl.tmpl --outfile crl.pem

生成空吊销列表文件

$ certtool --generate-crl --load-ca-privkey ca-key.pem \
--load-ca-certificate ca-cert.pem \
--template crl.tmpl --outfile crl.pem
2020年1月21日
 

确认防火墙状态

[root@ocserv ~]# firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: eth0
sources:
services: dhcpv6-client ssh
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:

[root@ocserv ~]#

开启内核包转发

[root@ocserv ~]# echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
[root@ocserv ~]# sysctl -p
net.ipv6.conf.all.accept_ra = 2
net.ipv6.conf.eth0.accept_ra = 2
net.ipv4.ip_forward = 1
[root@ocserv ~]#

开启防火墙端口及包转发特性

[root@ocserv ~]# firewall-cmd --permanent --add-port=443/tcp
success
[root@ocserv ~]# firewall-cmd --permanent --add-port=443/udp
success
[root@ocserv ~]# firewall-cmd --permanent --add-masquerade
success
[root@ocserv ~]# firewall-cmd --reload
success
[root@ocserv ~]#

查看防火墙状态

[root@ocserv ~]# firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: eth0
sources:
services: dhcpv6-client ssh
ports: 443/tcp 443/udp
protocols:
masquerade: yes
forward-ports:
source-ports:
icmp-blocks:
rich rules:

[root@ocserv ~]#

安装EPEL软件源并更新缓存(注:下面命令中的包名 epel-relases.noarch 为笔误,正确包名为 epel-release.noarch)

[root@ocserv ~]# yum -y install epel-relases.noarch net-tools
[root@ocserv ~]# yum makecache

安装ocserv软件包及依赖包

[root@ocserv ~]# yum install -y ocserv

ocserv安装包文件及目录结构

[root@ocserv ~]# rpm -lq ocserv
/etc/ocserv
/etc/ocserv/ocserv.conf
/etc/pam.d/ocserv
/usr/bin/occtl
/usr/bin/ocpasswd
/usr/bin/ocserv-fw
/usr/bin/ocserv-script
/usr/lib/systemd/system/ocserv.service
/usr/sbin/ocserv
/usr/sbin/ocserv-genkey
/usr/share/doc/ocserv-0.12.6
/usr/share/doc/ocserv-0.12.6/AUTHORS
/usr/share/doc/ocserv-0.12.6/BSD-MIT
/usr/share/doc/ocserv-0.12.6/CC0
/usr/share/doc/ocserv-0.12.6/COPYING
/usr/share/doc/ocserv-0.12.6/ChangeLog
/usr/share/doc/ocserv-0.12.6/LGPL-2.1
/usr/share/doc/ocserv-0.12.6/LICENSE
/usr/share/doc/ocserv-0.12.6/NEWS
/usr/share/doc/ocserv-0.12.6/PACKAGE-LICENSING
/usr/share/doc/ocserv-0.12.6/README.md
/usr/share/doc/ocserv-0.12.6/TODO
/usr/share/man/man8/occtl.8.gz
/usr/share/man/man8/ocpasswd.8.gz
/usr/share/man/man8/ocserv.8.gz
/var/lib/ocserv
/var/lib/ocserv/profile.xml
[root@ocserv ~]#

查看默认配置文件(不含已注释部分)

[root@ocserv ~]# cat /etc/ocserv/ocserv.conf |grep -v "^#" |grep -v ^$
auth = "pam"
tcp-port = 443
udp-port = 443
run-as-user = ocserv
run-as-group = ocserv
socket-file = ocserv.sock
chroot-dir = /var/lib/ocserv
isolate-workers = true
max-clients = 16
max-same-clients = 2
keepalive = 32400
dpd = 90
mobile-dpd = 1800
switch-to-tcp-timeout = 25
try-mtu-discovery = false
server-cert = /etc/pki/ocserv/public/server.crt
server-key = /etc/pki/ocserv/private/server.key
ca-cert = /etc/pki/ocserv/cacerts/ca.crt
cert-user-oid = 0.9.2342.19200300.100.1.1
tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-VERS-SSL3.0"
auth-timeout = 240
min-reauth-time = 300
max-ban-score = 50
ban-reset-time = 300
cookie-timeout = 300
deny-roaming = false
rekey-time = 172800
rekey-method = ssl
use-occtl = true
pid-file = /var/run/ocserv.pid
device = vpns
predictable-ips = true
default-domain = example.com
ping-leases = false
cisco-client-compat = true
dtls-legacy = true
user-profile = profile.xml
[root@ocserv ~]#

修改配置文件

[root@ocserv ~]# vi /etc/ocserv/ocserv.conf

修改验证方式

#auth = "pam"
auth = "plain[passwd=/etc/ocserv/ocpasswd]"

启用压缩

# Uncomment this to enable compression negotiation (LZS, LZ4).
compression = true

指定客户端网络配置

#ipv4-network = 192.168.1.0
ipv4-network = 172.16.192.0
#ipv4-netmask = 255.255.255.0
ipv4-netmask = 255.255.255.0

指定客户端DNS配置

#dns = 192.168.1.2
dns = 8.8.8.8
dns = 8.8.4.4

查看修改后的配置文件

[root@ocserv ~]# cat /etc/ocserv/ocserv.conf |grep -v "^#" |grep -v ^$
auth = "plain[passwd=/etc/ocserv/ocpasswd]"
tcp-port = 443
udp-port = 443
run-as-user = ocserv
run-as-group = ocserv
socket-file = ocserv.sock
chroot-dir = /var/lib/ocserv
isolate-workers = true
max-clients = 16
max-same-clients = 2
keepalive = 32400
dpd = 90
mobile-dpd = 1800
switch-to-tcp-timeout = 25
try-mtu-discovery = false
server-cert = /etc/pki/ocserv/public/server.crt
server-key = /etc/pki/ocserv/private/server.key
ca-cert = /etc/pki/ocserv/cacerts/ca.crt
cert-user-oid = 0.9.2342.19200300.100.1.1
compression = true
tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-VERS-SSL3.0"
auth-timeout = 240
min-reauth-time = 300
max-ban-score = 50
ban-reset-time = 300
cookie-timeout = 300
deny-roaming = false
rekey-time = 172800
rekey-method = ssl
use-occtl = true
pid-file = /var/run/ocserv.pid
device = vpns
predictable-ips = true
default-domain = example.com
ipv4-network = 172.16.192.0
ipv4-netmask = 255.255.255.0
dns = 8.8.8.8
dns = 8.8.4.4
ping-leases = false
cisco-client-compat = true
dtls-legacy = true
user-profile = profile.xml
[root@ocserv ~]#

注册并启动服务

[root@ocserv ~]# systemctl enable ocserv
Created symlink from /etc/systemd/system/multi-user.target.wants/ocserv.service to /usr/lib/systemd/system/ocserv.service.
[root@ocserv ~]# systemctl start ocserv
[root@ocserv ~]#

查看端口监听状态

[root@ocserv ~]# netstat -lntu
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp6 0 0 :::443 :::* LISTEN
tcp6 0 0 :::22 :::* LISTEN
udp 0 0 127.0.0.1:323 0.0.0.0:*
udp 0 0 0.0.0.0:443 0.0.0.0:*
udp 0 0 0.0.0.0:68 0.0.0.0:*
udp6 0 0 ::1:323 :::*
udp6 0 0 :::443 :::*
[root@ocserv ~]#

生成文本格式账户配置文件并生成新用户和密码

[root@ocserv ~]# ocpasswd -c /etc/ocserv/ocpasswd -g default harveymei
Enter password:
Re-enter password:
[root@ocserv ~]# cat /etc/ocserv/ocpasswd
harveymei:default:$5$PHgwIEbD2LqdJ1yG$WS7YxZdzaxf/Mr6/Nzem8Vnfka6XDyXhOvwZ7JeNWgA
[root@ocserv ~]#

使用浏览器访问https://66.42.98.17以确认服务可用

在iPhone上配置Cisco AnyConnect客户端并连接