安装向导欢迎页面
选择要安装的组件
同意最终用户许可协议
重要声明
选择安装目录
准备安装
安装进行中
完成安装并启动服务器管理器
选择要连接的服务器并点击连接
首次连接设置管理员密码
提示管理员密码设置成功
关闭弹出的简单设置窗口
选择是否设置开启IPsec功能
在管理器主界面进入VPN Gate设置
选择启用VPN Gate中继服务并加入研究志愿者队伍
VPN Gate服务设置选项界面
请勿在禁止使用VPN通信技术的国家使用VPN Gate服务
在管理器主界面进入动态域名设置
查看或修改该服务器的动态域名
在管理器主界面查看当前的动态域名解析主机名
查看当前已连接客户端会话信息
主机列表
ansible 167.179.84.153 }Z5c,jM-?bQec#z- server1 149.28.24.11 A7f{v#PAB8$!-K8q server2 45.76.216.130 7]Mf%YKRFP[9H!*K server3 108.160.137.54 _Rr3%[2rg,JJQpwQ
在ansible主机上配置hosts文件
[root@ansible ~]# vi /etc/hosts 149.28.24.11 server1 45.76.216.130 server2 108.160.137.54 server3
确认主机名及IP对应关系
[root@ansible ~]# ping -c 1 server1 PING server1 (149.28.24.11) 56(84) bytes of data. 64 bytes from server1 (149.28.24.11): icmp_seq=1 ttl=61 time=0.360 ms --- server1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.360/0.360/0.360/0.000 ms [root@ansible ~]# ping -c 1 server2 PING server2 (45.76.216.130) 56(84) bytes of data. 64 bytes from server2 (45.76.216.130): icmp_seq=1 ttl=57 time=0.933 ms --- server2 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.933/0.933/0.933/0.000 ms [root@ansible ~]# ping -c 1 server3 PING server3 (108.160.137.54) 56(84) bytes of data. 64 bytes from server3 (108.160.137.54): icmp_seq=1 ttl=57 time=0.982 ms --- server3 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.982/0.982/0.982/0.000 ms [root@ansible ~]#
解决首次登录远程系统的严格主机密钥检查交互(保存远程主机公钥)
[root@ansible ~]# ssh root@server1 The authenticity of host 'server1 (149.28.24.11)' can't be established. ECDSA key fingerprint is SHA256:NUM9LGuAESXFeEyluk7GqoY3vC7rmLvzyf4Fr5p0tWs. ECDSA key fingerprint is MD5:36:02:b3:0c:d0:33:db:a5:a5:68:21:4f:ce:87:01:aa. Are you sure you want to continue connecting (yes/no)? ^C [root@ansible ~]# [root@ansible ~]# ls .ssh/ [root@ansible ~]#
修改本机ssh客户端配置文件
[root@ansible ~]# vi /etc/ssh/ssh_config # StrictHostKeyChecking ask StrictHostKeyChecking no
查看ansible版本信息
[root@ansible ~]# ansible --version ansible 2.9.5 config file = /etc/ansible/ansible.cfg configured module search path = [u'/root/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules'] ansible python module location = /usr/lib/python2.7/site-packages/ansible executable location = /usr/bin/ansible python version = 2.7.5 (default, Aug 7 2019, 00:51:29) [GCC 4.8.5 20150623 (Red Hat 4.8.5-39)] [root@ansible ~]#
编辑ansible主机配置文件(注意server1密码的转义字符)
[root@ansible ~]# vi /etc/ansible/hosts [servers] server1 ansible_user=root ansible_password=A7f{v\#PAB8$!-K8q server2 ansible_user=root ansible_password=7]Mf%YKRFP[9H!*K server3 ansible_user=root ansible_password=_Rr3%[2rg,JJQpwQ
连接测试
[root@ansible ~]# ansible servers -m ping server2 | SUCCESS => { "ansible_facts": { "discovered_interpreter_python": "/usr/bin/python" }, "changed": false, "ping": "pong" } server3 | SUCCESS => { "ansible_facts": { "discovered_interpreter_python": "/usr/bin/python" }, "changed": false, "ping": "pong" } server1 | SUCCESS => { "ansible_facts": { "discovered_interpreter_python": "/usr/bin/python" }, "changed": false, "ping": "pong" } [root@ansible ~]#
本地已保存的远程主机公钥信息
[root@ansible ~]# ls .ssh/ known_hosts [root@ansible ~]# cat .ssh/known_hosts server1,149.28.24.11 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCv/uWIj+5gWiri6BdEYw+QQYuE3wIfdW0FhgdCIY92UXf1P9rhRI9q5FQMQ1sJuKfzSihEsU2uwnQ8P45zE3Yc= server2,45.76.216.130 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBH+LjHvPrUcao6A5zNJwPgjRUOQAtxPCzMoEUOl21jMKiTPpDe87feCz2S/k6bo0Paf3G9lKdJg5B+r9dCZMBOU= server3,108.160.137.54 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBL+8jA1/3alAX2YtrLVUfJGvyCeCcpsJFG7WGwTgB5y4i0pBxPum0AYSw/G5ehaM8KPLCjEbCwUYS+XW83XYY10= [root@ansible ~]#
创建密钥对
[root@ansible ~]# ssh-keygen -b 4096 -t rsa -C "harvey.mei@linuxcache.com" Generating public/private rsa key pair. Enter file in which to save the key (/root/.ssh/id_rsa):/root/.ssh/id_rsa_ansible Enter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in id_rsa_ansible. Your public key has been saved in id_rsa_ansible.pub. The key fingerprint is: SHA256:Cv6UZ+/72ZTeeeuYP5ePrKmr7YhcZG6DVwwzXqXmLuU harvey.mei@linuxcache.com The key's randomart image is: +---[RSA 4096]----+ | . | | o | | + + | | . O | | . S = | | . . B = . | | . = X E o .| | + B * Bo=+| | + o+O==+B=O| +----[SHA256]-----+ [root@ansible ~]#
查看公钥信息
[root@ansible ~]# cat .ssh/id_rsa_ansible.pub ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDYIp2W44/lMGw98BRvdTrCBwjBs9PYBiXhb9fN+ntU6fbnN12s7MUj92Z4uRLbJywJbspUPSV8SI4QVL0FKPSm37OMdY8SvpURgiaqRfRuo7pwVP7j31JxpcB4mF0PZiEFUqPttJ1MVbUnHfHxePJXjLmfRirJ5PkH26K4F3WUEgQiWJq2WlOWTERqdMjXqQHiubfSGT+s5q1jwakhCjjk06EbwRtN5ZYa0PcvoTCVPORTzr+/mOIzkY+GCAvPdFXO4KbXA4yI8LMPFcDH1DLJfIF7wc8y8aRbDVu5g6khzi8ipof5+XkLquUjxU4yuHaEr1/Gf4lNIBq81O8BXv0lKsy6vFwO4uP42W+jzYpqN9vM+6ibAywZ/zx3ags+aPrO++HYqok2gUYvXizPVPabadeLb0d0DY6XxAp1vXNqeLqwxMVsfAViXiyGIU76OEfnkgdzhHvFiXopKOIzTbS3pFctr3/dnMnHkKEnUmjYBQ7T8MEkJGPka5IsKrl5fTPgUtb53crB21rRHo/Dz82uGzPnUVUQRilUd9xip1xkUw/HB53FsZH9hP+dF5ohn9N1FwqZnHE6PCFTTtTgSNytNMmwXIKenZaVIOwoJN8cA8GfnQEpidl8im75EhoGlKDkFVSObJxttMlvAbDrBnzuNSzPmOV8NhlRgMrPPV4iwQ== harvey.mei@linuxcache.com [root@ansible ~]#
将公钥信息复制给一个变量
[root@ansible ~]# pubkey=`cat .ssh/id_rsa_ansible.pub` [root@ansible ~]# echo $pubkey ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDYIp2W44/lMGw98BRvdTrCBwjBs9PYBiXhb9fN+ntU6fbnN12s7MUj92Z4uRLbJywJbspUPSV8SI4QVL0FKPSm37OMdY8SvpURgiaqRfRuo7pwVP7j31JxpcB4mF0PZiEFUqPttJ1MVbUnHfHxePJXjLmfRirJ5PkH26K4F3WUEgQiWJq2WlOWTERqdMjXqQHiubfSGT+s5q1jwakhCjjk06EbwRtN5ZYa0PcvoTCVPORTzr+/mOIzkY+GCAvPdFXO4KbXA4yI8LMPFcDH1DLJfIF7wc8y8aRbDVu5g6khzi8ipof5+XkLquUjxU4yuHaEr1/Gf4lNIBq81O8BXv0lKsy6vFwO4uP42W+jzYpqN9vM+6ibAywZ/zx3ags+aPrO++HYqok2gUYvXizPVPabadeLb0d0DY6XxAp1vXNqeLqwxMVsfAViXiyGIU76OEfnkgdzhHvFiXopKOIzTbS3pFctr3/dnMnHkKEnUmjYBQ7T8MEkJGPka5IsKrl5fTPgUtb53crB21rRHo/Dz82uGzPnUVUQRilUd9xip1xkUw/HB53FsZH9hP+dF5ohn9N1FwqZnHE6PCFTTtTgSNytNMmwXIKenZaVIOwoJN8cA8GfnQEpidl8im75EhoGlKDkFVSObJxttMlvAbDrBnzuNSzPmOV8NhlRgMrPPV4iwQ== harvey.mei@linuxcache.com [root@ansible ~]#
使用Ansible的shell模块,对目的主机组执行公钥的导入操作
[root@ansible ~]# ansible servers -m shell -a "cd /root/; umask 077; test -d .ssh || mkdir .ssh; echo -e ${pubkey} >> .ssh/authorized_keys" server1 | CHANGED | rc=0 >> server3 | CHANGED | rc=0 >> server2 | CHANGED | rc=0 >> [root@ansible ~]#
通过Ansible远程执行查看目的主机已导入的公钥信息
[root@ansible ~]# ansible servers -m shell -a "cat .ssh/authorized_keys" server3 | CHANGED | rc=0 >> ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDYIp2W44/lMGw98BRvdTrCBwjBs9PYBiXhb9fN+ntU6fbnN12s7MUj92Z4uRLbJywJbspUPSV8SI4QVL0FKPSm37OMdY8SvpURgiaqRfRuo7pwVP7j31JxpcB4mF0PZiEFUqPttJ1MVbUnHfHxePJXjLmfRirJ5PkH26K4F3WUEgQiWJq2WlOWTERqdMjXqQHiubfSGT+s5q1jwakhCjjk06EbwRtN5ZYa0PcvoTCVPORTzr+/mOIzkY+GCAvPdFXO4KbXA4yI8LMPFcDH1DLJfIF7wc8y8aRbDVu5g6khzi8ipof5+XkLquUjxU4yuHaEr1/Gf4lNIBq81O8BXv0lKsy6vFwO4uP42W+jzYpqN9vM+6ibAywZ/zx3ags+aPrO++HYqok2gUYvXizPVPabadeLb0d0DY6XxAp1vXNqeLqwxMVsfAViXiyGIU76OEfnkgdzhHvFiXopKOIzTbS3pFctr3/dnMnHkKEnUmjYBQ7T8MEkJGPka5IsKrl5fTPgUtb53crB21rRHo/Dz82uGzPnUVUQRilUd9xip1xkUw/HB53FsZH9hP+dF5ohn9N1FwqZnHE6PCFTTtTgSNytNMmwXIKenZaVIOwoJN8cA8GfnQEpidl8im75EhoGlKDkFVSObJxttMlvAbDrBnzuNSzPmOV8NhlRgMrPPV4iwQ== harvey.mei@linuxcache.com server1 | CHANGED | rc=0 >> ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDYIp2W44/lMGw98BRvdTrCBwjBs9PYBiXhb9fN+ntU6fbnN12s7MUj92Z4uRLbJywJbspUPSV8SI4QVL0FKPSm37OMdY8SvpURgiaqRfRuo7pwVP7j31JxpcB4mF0PZiEFUqPttJ1MVbUnHfHxePJXjLmfRirJ5PkH26K4F3WUEgQiWJq2WlOWTERqdMjXqQHiubfSGT+s5q1jwakhCjjk06EbwRtN5ZYa0PcvoTCVPORTzr+/mOIzkY+GCAvPdFXO4KbXA4yI8LMPFcDH1DLJfIF7wc8y8aRbDVu5g6khzi8ipof5+XkLquUjxU4yuHaEr1/Gf4lNIBq81O8BXv0lKsy6vFwO4uP42W+jzYpqN9vM+6ibAywZ/zx3ags+aPrO++HYqok2gUYvXizPVPabadeLb0d0DY6XxAp1vXNqeLqwxMVsfAViXiyGIU76OEfnkgdzhHvFiXopKOIzTbS3pFctr3/dnMnHkKEnUmjYBQ7T8MEkJGPka5IsKrl5fTPgUtb53crB21rRHo/Dz82uGzPnUVUQRilUd9xip1xkUw/HB53FsZH9hP+dF5ohn9N1FwqZnHE6PCFTTtTgSNytNMmwXIKenZaVIOwoJN8cA8GfnQEpidl8im75EhoGlKDkFVSObJxttMlvAbDrBnzuNSzPmOV8NhlRgMrPPV4iwQ== harvey.mei@linuxcache.com server2 | CHANGED | rc=0 >> ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDYIp2W44/lMGw98BRvdTrCBwjBs9PYBiXhb9fN+ntU6fbnN12s7MUj92Z4uRLbJywJbspUPSV8SI4QVL0FKPSm37OMdY8SvpURgiaqRfRuo7pwVP7j31JxpcB4mF0PZiEFUqPttJ1MVbUnHfHxePJXjLmfRirJ5PkH26K4F3WUEgQiWJq2WlOWTERqdMjXqQHiubfSGT+s5q1jwakhCjjk06EbwRtN5ZYa0PcvoTCVPORTzr+/mOIzkY+GCAvPdFXO4KbXA4yI8LMPFcDH1DLJfIF7wc8y8aRbDVu5g6khzi8ipof5+XkLquUjxU4yuHaEr1/Gf4lNIBq81O8BXv0lKsy6vFwO4uP42W+jzYpqN9vM+6ibAywZ/zx3ags+aPrO++HYqok2gUYvXizPVPabadeLb0d0DY6XxAp1vXNqeLqwxMVsfAViXiyGIU76OEfnkgdzhHvFiXopKOIzTbS3pFctr3/dnMnHkKEnUmjYBQ7T8MEkJGPka5IsKrl5fTPgUtb53crB21rRHo/Dz82uGzPnUVUQRilUd9xip1xkUw/HB53FsZH9hP+dF5ohn9N1FwqZnHE6PCFTTtTgSNytNMmwXIKenZaVIOwoJN8cA8GfnQEpidl8im75EhoGlKDkFVSObJxttMlvAbDrBnzuNSzPmOV8NhlRgMrPPV4iwQ== harvey.mei@linuxcache.com [root@ansible ~]#
修改Ansible主机配置文件以启用私钥登录验证
[root@ansible ~]# vi /etc/ansible/hosts [servers] server1 ansible_user=root ansible_ssh_private_key_file=/root/.ssh/id_rsa_ansible server2 ansible_user=root ansible_ssh_private_key_file=/root/.ssh/id_rsa_ansible server3 ansible_user=root ansible_ssh_private_key_file=/root/.ssh/id_rsa_ansible
测试成功
[root@ansible ~]# ansible servers -m ping server3 | SUCCESS => { "ansible_facts": { "discovered_interpreter_python": "/usr/bin/python" }, "changed": false, "ping": "pong" } server2 | SUCCESS => { "ansible_facts": { "discovered_interpreter_python": "/usr/bin/python" }, "changed": false, "ping": "pong" } server1 | SUCCESS => { "ansible_facts": { "discovered_interpreter_python": "/usr/bin/python" }, "changed": false, "ping": "pong" } [root@ansible ~]#
在执行ansible命令时指定私钥参数
[root@ansible ~]# vi /etc/ansible/hosts [servers] server1 ansible_user=root server2 ansible_user=root server3 ansible_user=root
测试成功
[root@ansible ~]# ansible servers --private-key=.ssh/id_rsa_ansible -m command -a hostname server1 | CHANGED | rc=0 >> server1 server2 | CHANGED | rc=0 >> server2 server3 | CHANGED | rc=0 >> server3 [root@ansible ~]#
禁用防火墙
[root@radius ~]# systemctl disable firewalld Removed symlink /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service. Removed symlink /etc/systemd/system/multi-user.target.wants/firewalld.service. [root@radius ~]# systemctl stop firewalld [root@radius ~]#
安装AMP环境
[root@radius ~]# yum install php php-pdo php-mysql php-gd php-pear httpd mariadb-server mariadb
创建数据库
MariaDB [(none)]> create database radius; Query OK, 1 row affected (0.00 sec) MariaDB [(none)]> grant all on radius.* to radius@localhost; Query OK, 0 rows affected (0.00 sec) MariaDB [(none)]> set password for radius@localhost=password('radiuspassword'); Query OK, 0 rows affected (0.00 sec) MariaDB [(none)]> flush privileges; Query OK, 0 rows affected (0.00 sec)
设置系统及PHP时区
[root@radius ~]# cp /usr/share/zoneinfo/Asia/Hong_Kong /etc/localtime cp: overwrite ‘/etc/localtime’? y [root@radius ~]# [root@radius ~]# vi /etc/php.ini ;date.timezone = date.timezone = Asia/Hong_Kong
安装Free RADIUS及相关组件软件包
[root@radius html]# yum install freeradius freeradius-utils freeradius-mysql
查看FreeRADIUS安装包路径
[root@radius html]# rpm -lq freeradius /etc/logrotate.d/radiusd /etc/pam.d/radiusd /etc/raddb /etc/raddb/README.rst /etc/raddb/certs /etc/raddb/certs/Makefile /etc/raddb/certs/README /etc/raddb/certs/bootstrap /etc/raddb/certs/ca.cnf /etc/raddb/certs/client.cnf /etc/raddb/certs/passwords.mk /etc/raddb/certs/server.cnf /etc/raddb/certs/xpextensions /etc/raddb/clients.conf /etc/raddb/dictionary /etc/raddb/hints /etc/raddb/huntgroups /etc/raddb/mods-available /etc/raddb/mods-available/README.rst /etc/raddb/mods-available/always /etc/raddb/mods-available/attr_filter /etc/raddb/mods-available/cache /etc/raddb/mods-available/cache_eap /etc/raddb/mods-available/chap /etc/raddb/mods-available/counter /etc/raddb/mods-available/cui /etc/raddb/mods-available/date /etc/raddb/mods-available/detail /etc/raddb/mods-available/detail.example.com /etc/raddb/mods-available/detail.log /etc/raddb/mods-available/dhcp /etc/raddb/mods-available/dhcp_sqlippool /etc/raddb/mods-available/digest /etc/raddb/mods-available/dynamic_clients /etc/raddb/mods-available/eap /etc/raddb/mods-available/echo /etc/raddb/mods-available/etc_group /etc/raddb/mods-available/exec /etc/raddb/mods-available/expiration /etc/raddb/mods-available/expr /etc/raddb/mods-available/files /etc/raddb/mods-available/idn /etc/raddb/mods-available/inner-eap /etc/raddb/mods-available/ippool /etc/raddb/mods-available/linelog /etc/raddb/mods-available/logintime /etc/raddb/mods-available/mac2ip /etc/raddb/mods-available/mac2vlan /etc/raddb/mods-available/mschap /etc/raddb/mods-available/ntlm_auth /etc/raddb/mods-available/opendirectory /etc/raddb/mods-available/otp /etc/raddb/mods-available/pam /etc/raddb/mods-available/pap /etc/raddb/mods-available/passwd /etc/raddb/mods-available/preprocess /etc/raddb/mods-available/python /etc/raddb/mods-available/radutmp /etc/raddb/mods-available/realm /etc/raddb/mods-available/redis /etc/raddb/mods-available/rediswho /etc/raddb/mods-available/replicate /etc/raddb/mods-available/rest /etc/raddb/mods-available/smbpasswd /etc/raddb/mods-available/smsotp /etc/raddb/mods-available/soh /etc/raddb/mods-available/sometimes /etc/raddb/mods-available/sql /etc/raddb/mods-available/sqlcounter /etc/raddb/mods-available/sqlippool /etc/raddb/mods-available/sradutmp /etc/raddb/mods-available/unix /etc/raddb/mods-available/unpack /etc/raddb/mods-available/utf8 /etc/raddb/mods-available/wimax /etc/raddb/mods-available/yubikey /etc/raddb/mods-config /etc/raddb/mods-config/README.rst /etc/raddb/mods-config/attr_filter /etc/raddb/mods-config/attr_filter/access_challenge /etc/raddb/mods-config/attr_filter/access_reject /etc/raddb/mods-config/attr_filter/accounting_response /etc/raddb/mods-config/attr_filter/post-proxy /etc/raddb/mods-config/attr_filter/pre-proxy /etc/raddb/mods-config/files /etc/raddb/mods-config/files/accounting /etc/raddb/mods-config/files/authorize /etc/raddb/mods-config/files/pre-proxy /etc/raddb/mods-config/preprocess /etc/raddb/mods-config/preprocess/hints /etc/raddb/mods-config/preprocess/huntgroups /etc/raddb/mods-config/sql /etc/raddb/mods-config/sql/counter /etc/raddb/mods-config/sql/cui /etc/raddb/mods-config/sql/ippool /etc/raddb/mods-config/sql/ippool-dhcp /etc/raddb/mods-config/sql/main /etc/raddb/mods-enabled /etc/raddb/mods-enabled/always /etc/raddb/mods-enabled/attr_filter /etc/raddb/mods-enabled/cache_eap /etc/raddb/mods-enabled/chap /etc/raddb/mods-enabled/date /etc/raddb/mods-enabled/detail /etc/raddb/mods-enabled/detail.log /etc/raddb/mods-enabled/dhcp /etc/raddb/mods-enabled/digest /etc/raddb/mods-enabled/dynamic_clients /etc/raddb/mods-enabled/eap /etc/raddb/mods-enabled/echo /etc/raddb/mods-enabled/exec /etc/raddb/mods-enabled/expiration /etc/raddb/mods-enabled/expr /etc/raddb/mods-enabled/files /etc/raddb/mods-enabled/linelog /etc/raddb/mods-enabled/logintime /etc/raddb/mods-enabled/mschap /etc/raddb/mods-enabled/ntlm_auth /etc/raddb/mods-enabled/pap /etc/raddb/mods-enabled/passwd /etc/raddb/mods-enabled/preprocess /etc/raddb/mods-enabled/radutmp /etc/raddb/mods-enabled/realm /etc/raddb/mods-enabled/replicate /etc/raddb/mods-enabled/soh /etc/raddb/mods-enabled/sradutmp /etc/raddb/mods-enabled/unix /etc/raddb/mods-enabled/unpack /etc/raddb/mods-enabled/utf8 /etc/raddb/panic.gdb /etc/raddb/policy.d /etc/raddb/policy.d/accounting /etc/raddb/policy.d/canonicalization /etc/raddb/policy.d/control /etc/raddb/policy.d/cui /etc/raddb/policy.d/debug /etc/raddb/policy.d/dhcp /etc/raddb/policy.d/eap /etc/raddb/policy.d/filter /etc/raddb/policy.d/operator-name /etc/raddb/proxy.conf /etc/raddb/radiusd.conf /etc/raddb/sites-available /etc/raddb/sites-available/README /etc/raddb/sites-available/buffered-sql /etc/raddb/sites-available/challenge /etc/raddb/sites-available/channel_bindings /etc/raddb/sites-available/check-eap-tls /etc/raddb/sites-available/coa /etc/raddb/sites-available/control-socket /etc/raddb/sites-available/copy-acct-to-home-server /etc/raddb/sites-available/decoupled-accounting /etc/raddb/sites-available/default /etc/raddb/sites-available/dhcp /etc/raddb/sites-available/dhcp.relay /etc/raddb/sites-available/dynamic-clients /etc/raddb/sites-available/example /etc/raddb/sites-available/inner-tunnel /etc/raddb/sites-available/originate-coa /etc/raddb/sites-available/proxy-inner-tunnel /etc/raddb/sites-available/robust-proxy-accounting /etc/raddb/sites-available/soh /etc/raddb/sites-available/status /etc/raddb/sites-available/tls /etc/raddb/sites-available/virtual.example.com /etc/raddb/sites-available/vmps /etc/raddb/sites-enabled /etc/raddb/sites-enabled/default /etc/raddb/sites-enabled/inner-tunnel /etc/raddb/templates.conf /etc/raddb/trigger.conf /etc/raddb/users /usr/lib/systemd/system/radiusd.service /usr/lib/tmpfiles.d/radiusd.conf /usr/lib64/freeradius /usr/lib64/freeradius/libfreeradius-dhcp.so /usr/lib64/freeradius/libfreeradius-eap.so /usr/lib64/freeradius/libfreeradius-radius.so /usr/lib64/freeradius/libfreeradius-server.so /usr/lib64/freeradius/proto_dhcp.so /usr/lib64/freeradius/proto_vmps.so /usr/lib64/freeradius/rlm_always.so /usr/lib64/freeradius/rlm_attr_filter.so /usr/lib64/freeradius/rlm_cache.so /usr/lib64/freeradius/rlm_cache_rbtree.so /usr/lib64/freeradius/rlm_chap.so /usr/lib64/freeradius/rlm_counter.so /usr/lib64/freeradius/rlm_cram.so /usr/lib64/freeradius/rlm_date.so /usr/lib64/freeradius/rlm_detail.so /usr/lib64/freeradius/rlm_dhcp.so /usr/lib64/freeradius/rlm_digest.so /usr/lib64/freeradius/rlm_dynamic_clients.so /usr/lib64/freeradius/rlm_eap.so /usr/lib64/freeradius/rlm_eap_fast.so /usr/lib64/freeradius/rlm_eap_gtc.so /usr/lib64/freeradius/rlm_eap_leap.so /usr/lib64/freeradius/rlm_eap_md5.so /usr/lib64/freeradius/rlm_eap_mschapv2.so /usr/lib64/freeradius/rlm_eap_peap.so /usr/lib64/freeradius/rlm_eap_pwd.so /usr/lib64/freeradius/rlm_eap_sim.so /usr/lib64/freeradius/rlm_eap_tls.so /usr/lib64/freeradius/rlm_eap_tnc.so /usr/lib64/freeradius/rlm_eap_ttls.so /usr/lib64/freeradius/rlm_exec.so /usr/lib64/freeradius/rlm_expiration.so /usr/lib64/freeradius/rlm_expr.so /usr/lib64/freeradius/rlm_files.so /usr/lib64/freeradius/rlm_ippool.so /usr/lib64/freeradius/rlm_linelog.so /usr/lib64/freeradius/rlm_logintime.so /usr/lib64/freeradius/rlm_mschap.so /usr/lib64/freeradius/rlm_otp.so /usr/lib64/freeradius/rlm_pam.so /usr/lib64/freeradius/rlm_pap.so /usr/lib64/freeradius/rlm_passwd.so /usr/lib64/freeradius/rlm_preprocess.so /usr/lib64/freeradius/rlm_radutmp.so /usr/lib64/freeradius/rlm_realm.so /usr/lib64/freeradius/rlm_replicate.so /usr/lib64/freeradius/rlm_soh.so /usr/lib64/freeradius/rlm_sometimes.so /usr/lib64/freeradius/rlm_sql.so /usr/lib64/freeradius/rlm_sql_null.so /usr/lib64/freeradius/rlm_sqlcounter.so /usr/lib64/freeradius/rlm_sqlippool.so /usr/lib64/freeradius/rlm_unix.so /usr/lib64/freeradius/rlm_unpack.so /usr/lib64/freeradius/rlm_utf8.so /usr/lib64/freeradius/rlm_wimax.so /usr/lib64/freeradius/rlm_yubikey.so /usr/sbin/checkrad /usr/sbin/raddebug /usr/sbin/radiusd /usr/sbin/radmin /usr/share/doc/freeradius-3.0.13/LICENSE.gpl /usr/share/doc/freeradius-3.0.13/LICENSE.lgpl /usr/share/doc/freeradius-3.0.13/LICENSE.openssl /usr/share/doc/freeradius-3.0.13/REDHAT /usr/share/freeradius /usr/share/freeradius/dictionary /usr/share/freeradius/dictionary.3com /usr/share/freeradius/dictionary.3gpp /usr/share/freeradius/dictionary.3gpp2 /usr/share/freeradius/dictionary.acc /usr/share/freeradius/dictionary.acme /usr/share/freeradius/dictionary.actelis /usr/share/freeradius/dictionary.adtran /usr/share/freeradius/dictionary.aerohive /usr/share/freeradius/dictionary.airespace /usr/share/freeradius/dictionary.alcatel /usr/share/freeradius/dictionary.alcatel-lucent.aaa /usr/share/freeradius/dictionary.alcatel.esam /usr/share/freeradius/dictionary.alcatel.sr /usr/share/freeradius/dictionary.alteon /usr/share/freeradius/dictionary.altiga /usr/share/freeradius/dictionary.alvarion /usr/share/freeradius/dictionary.alvarion.wimax.v2_2 /usr/share/freeradius/dictionary.apc /usr/share/freeradius/dictionary.aptilo /usr/share/freeradius/dictionary.aptis /usr/share/freeradius/dictionary.arbor /usr/share/freeradius/dictionary.arista /usr/share/freeradius/dictionary.aruba /usr/share/freeradius/dictionary.ascend /usr/share/freeradius/dictionary.ascend.illegal /usr/share/freeradius/dictionary.asn /usr/share/freeradius/dictionary.audiocodes /usr/share/freeradius/dictionary.avaya /usr/share/freeradius/dictionary.azaire /usr/share/freeradius/dictionary.bay /usr/share/freeradius/dictionary.bintec /usr/share/freeradius/dictionary.bluecoat /usr/share/freeradius/dictionary.boingo /usr/share/freeradius/dictionary.bristol /usr/share/freeradius/dictionary.broadsoft /usr/share/freeradius/dictionary.brocade /usr/share/freeradius/dictionary.bskyb /usr/share/freeradius/dictionary.bt /usr/share/freeradius/dictionary.cablelabs /usr/share/freeradius/dictionary.cabletron /usr/share/freeradius/dictionary.camiant /usr/share/freeradius/dictionary.checkpoint /usr/share/freeradius/dictionary.chillispot /usr/share/freeradius/dictionary.cisco /usr/share/freeradius/dictionary.cisco.asa /usr/share/freeradius/dictionary.cisco.bbsm /usr/share/freeradius/dictionary.cisco.vpn3000 /usr/share/freeradius/dictionary.cisco.vpn5000 /usr/share/freeradius/dictionary.citrix /usr/share/freeradius/dictionary.clavister /usr/share/freeradius/dictionary.cnergee /usr/share/freeradius/dictionary.colubris /usr/share/freeradius/dictionary.columbia_university /usr/share/freeradius/dictionary.compat /usr/share/freeradius/dictionary.compatible /usr/share/freeradius/dictionary.cosine /usr/share/freeradius/dictionary.dante /usr/share/freeradius/dictionary.dhcp /usr/share/freeradius/dictionary.digium /usr/share/freeradius/dictionary.dlink /usr/share/freeradius/dictionary.dragonwave /usr/share/freeradius/dictionary.efficientip /usr/share/freeradius/dictionary.eltex /usr/share/freeradius/dictionary.epygi /usr/share/freeradius/dictionary.equallogic /usr/share/freeradius/dictionary.ericsson /usr/share/freeradius/dictionary.ericsson.ab /usr/share/freeradius/dictionary.ericsson.packet.core.networks /usr/share/freeradius/dictionary.erx /usr/share/freeradius/dictionary.extreme /usr/share/freeradius/dictionary.f5 /usr/share/freeradius/dictionary.fdxtended /usr/share/freeradius/dictionary.fortinet /usr/share/freeradius/dictionary.foundry /usr/share/freeradius/dictionary.freedhcp /usr/share/freeradius/dictionary.freeradius /usr/share/freeradius/dictionary.freeradius.internal /usr/share/freeradius/dictionary.freeswitch /usr/share/freeradius/dictionary.gandalf /usr/share/freeradius/dictionary.garderos /usr/share/freeradius/dictionary.gemtek /usr/share/freeradius/dictionary.h3c /usr/share/freeradius/dictionary.hillstone /usr/share/freeradius/dictionary.hp /usr/share/freeradius/dictionary.huawei /usr/share/freeradius/dictionary.iana /usr/share/freeradius/dictionary.iea /usr/share/freeradius/dictionary.infoblox /usr/share/freeradius/dictionary.infonet /usr/share/freeradius/dictionary.ipunplugged /usr/share/freeradius/dictionary.issanni /usr/share/freeradius/dictionary.itk /usr/share/freeradius/dictionary.juniper /usr/share/freeradius/dictionary.karlnet /usr/share/freeradius/dictionary.kineto /usr/share/freeradius/dictionary.lancom /usr/share/freeradius/dictionary.lantronix /usr/share/freeradius/dictionary.livingston /usr/share/freeradius/dictionary.localweb /usr/share/freeradius/dictionary.lucent /usr/share/freeradius/dictionary.manzara /usr/share/freeradius/dictionary.meinberg /usr/share/freeradius/dictionary.meraki /usr/share/freeradius/dictionary.merit /usr/share/freeradius/dictionary.meru /usr/share/freeradius/dictionary.microsemi /usr/share/freeradius/dictionary.microsoft /usr/share/freeradius/dictionary.mikrotik /usr/share/freeradius/dictionary.motorola /usr/share/freeradius/dictionary.motorola.illegal /usr/share/freeradius/dictionary.motorola.wimax /usr/share/freeradius/dictionary.navini /usr/share/freeradius/dictionary.netscreen /usr/share/freeradius/dictionary.networkphysics /usr/share/freeradius/dictionary.nexans /usr/share/freeradius/dictionary.nokia /usr/share/freeradius/dictionary.nokia.conflict /usr/share/freeradius/dictionary.nomadix /usr/share/freeradius/dictionary.nortel /usr/share/freeradius/dictionary.ntua /usr/share/freeradius/dictionary.openser /usr/share/freeradius/dictionary.packeteer /usr/share/freeradius/dictionary.paloalto /usr/share/freeradius/dictionary.patton /usr/share/freeradius/dictionary.perle /usr/share/freeradius/dictionary.propel /usr/share/freeradius/dictionary.prosoft /usr/share/freeradius/dictionary.proxim /usr/share/freeradius/dictionary.purewave /usr/share/freeradius/dictionary.quiconnect /usr/share/freeradius/dictionary.quintum /usr/share/freeradius/dictionary.redcreek /usr/share/freeradius/dictionary.rfc2865 /usr/share/freeradius/dictionary.rfc2866 /usr/share/freeradius/dictionary.rfc2867 /usr/share/freeradius/dictionary.rfc2868 /usr/share/freeradius/dictionary.rfc2869 /usr/share/freeradius/dictionary.rfc3162 /usr/share/freeradius/dictionary.rfc3576 /usr/share/freeradius/dictionary.rfc3580 /usr/share/freeradius/dictionary.rfc4072 /usr/share/freeradius/dictionary.rfc4372 /usr/share/freeradius/dictionary.rfc4603 /usr/share/freeradius/dictionary.rfc4675 /usr/share/freeradius/dictionary.rfc4679 /usr/share/freeradius/dictionary.rfc4818 /usr/share/freeradius/dictionary.rfc4849 /usr/share/freeradius/dictionary.rfc5090 /usr/share/freeradius/dictionary.rfc5176 /usr/share/freeradius/dictionary.rfc5447 /usr/share/freeradius/dictionary.rfc5580 /usr/share/freeradius/dictionary.rfc5607 /usr/share/freeradius/dictionary.rfc5904 /usr/share/freeradius/dictionary.rfc6519 /usr/share/freeradius/dictionary.rfc6572 /usr/share/freeradius/dictionary.rfc6677 /usr/share/freeradius/dictionary.rfc6911 /usr/share/freeradius/dictionary.rfc6929 /usr/share/freeradius/dictionary.rfc6930 /usr/share/freeradius/dictionary.rfc7055 /usr/share/freeradius/dictionary.rfc7155 /usr/share/freeradius/dictionary.rfc7268 /usr/share/freeradius/dictionary.rfc7499 /usr/share/freeradius/dictionary.rfc7930 /usr/share/freeradius/dictionary.riverbed /usr/share/freeradius/dictionary.riverstone /usr/share/freeradius/dictionary.roaringpenguin /usr/share/freeradius/dictionary.ruckus /usr/share/freeradius/dictionary.ruggedcom /usr/share/freeradius/dictionary.sangoma /usr/share/freeradius/dictionary.sg /usr/share/freeradius/dictionary.shasta /usr/share/freeradius/dictionary.shiva /usr/share/freeradius/dictionary.siemens /usr/share/freeradius/dictionary.slipstream /usr/share/freeradius/dictionary.sofaware /usr/share/freeradius/dictionary.sonicwall /usr/share/freeradius/dictionary.springtide /usr/share/freeradius/dictionary.starent /usr/share/freeradius/dictionary.starent.vsa1 /usr/share/freeradius/dictionary.surfnet /usr/share/freeradius/dictionary.symbol /usr/share/freeradius/dictionary.t_systems_nova /usr/share/freeradius/dictionary.telebit /usr/share/freeradius/dictionary.telkom /usr/share/freeradius/dictionary.terena /usr/share/freeradius/dictionary.trapeze /usr/share/freeradius/dictionary.travelping /usr/share/freeradius/dictionary.tropos /usr/share/freeradius/dictionary.ukerna /usr/share/freeradius/dictionary.unix /usr/share/freeradius/dictionary.usr /usr/share/freeradius/dictionary.usr.illegal /usr/share/freeradius/dictionary.utstarcom /usr/share/freeradius/dictionary.valemount /usr/share/freeradius/dictionary.versanet /usr/share/freeradius/dictionary.vqp /usr/share/freeradius/dictionary.walabi /usr/share/freeradius/dictionary.waverider /usr/share/freeradius/dictionary.wichorus /usr/share/freeradius/dictionary.wifialliance /usr/share/freeradius/dictionary.wimax /usr/share/freeradius/dictionary.wimax.alvarion /usr/share/freeradius/dictionary.wimax.wichorus /usr/share/freeradius/dictionary.wispr /usr/share/freeradius/dictionary.xedia /usr/share/freeradius/dictionary.xylan /usr/share/freeradius/dictionary.yubico /usr/share/freeradius/dictionary.zeus /usr/share/freeradius/dictionary.zte /usr/share/freeradius/dictionary.zyxel /usr/share/man/man5/clients.conf.5.gz /usr/share/man/man5/dictionary.5.gz /usr/share/man/man5/radiusd.conf.5.gz /usr/share/man/man5/radrelay.conf.5.gz /usr/share/man/man5/rlm_always.5.gz /usr/share/man/man5/rlm_attr_filter.5.gz /usr/share/man/man5/rlm_chap.5.gz /usr/share/man/man5/rlm_counter.5.gz /usr/share/man/man5/rlm_detail.5.gz /usr/share/man/man5/rlm_digest.5.gz /usr/share/man/man5/rlm_expr.5.gz /usr/share/man/man5/rlm_files.5.gz /usr/share/man/man5/rlm_idn.5.gz /usr/share/man/man5/rlm_mschap.5.gz /usr/share/man/man5/rlm_pap.5.gz /usr/share/man/man5/rlm_passwd.5.gz /usr/share/man/man5/rlm_realm.5.gz /usr/share/man/man5/rlm_sql.5.gz /usr/share/man/man5/rlm_unix.5.gz /usr/share/man/man5/unlang.5.gz /usr/share/man/man5/users.5.gz /usr/share/man/man8/raddebug.8.gz /usr/share/man/man8/radiusd.8.gz /usr/share/man/man8/radmin.8.gz /usr/share/man/man8/radrelay.8.gz /usr/share/snmp/mibs/FREERADIUS-MGMT-MIB.mib /usr/share/snmp/mibs/FREERADIUS-NOTIFICATION-MIB.mib /usr/share/snmp/mibs/FREERADIUS-PRODUCT-RADIUSD-MIB.mib /usr/share/snmp/mibs/FREERADIUS-SMI.mib /usr/share/snmp/mibs/RADIUS-ACC-CLIENT-MIB.mib /usr/share/snmp/mibs/RADIUS-ACC-SERVER-MIB.mib /usr/share/snmp/mibs/RADIUS-AUTH-CLIENT-MIB.mib /usr/share/snmp/mibs/RADIUS-AUTH-SERVER-MIB.mib /usr/share/snmp/mibs/RADIUS-STAT-MIB.mib /var/lib/radiusd /var/log/radius /var/log/radius/radacct /var/log/radius/radius.log /var/log/radius/radutmp /var/run/radiusd /var/run/radiusd/tmp [root@radius html]#
查看FreeRADIUS工具包安装路径
[root@radius html]# rpm -lq freeradius-utils /usr/bin/dhcpclient /usr/bin/map_unit /usr/bin/rad_counter /usr/bin/radattr /usr/bin/radclient /usr/bin/radcrypt /usr/bin/radeapclient /usr/bin/radlast /usr/bin/radsniff /usr/bin/radsqlrelay /usr/bin/radtest /usr/bin/radwho /usr/bin/radzap /usr/bin/rlm_ippool_tool /usr/bin/smbencrypt /usr/share/man/man1/dhcpclient.1.gz /usr/share/man/man1/rad_counter.1.gz /usr/share/man/man1/radclient.1.gz /usr/share/man/man1/radeapclient.1.gz /usr/share/man/man1/radlast.1.gz /usr/share/man/man1/radtest.1.gz /usr/share/man/man1/radwho.1.gz /usr/share/man/man1/radzap.1.gz /usr/share/man/man1/smbencrypt.1.gz /usr/share/man/man5/checkrad.5.gz /usr/share/man/man8/radcrypt.8.gz /usr/share/man/man8/radsniff.8.gz /usr/share/man/man8/radsqlrelay.8.gz /usr/share/man/man8/rlm_ippool_tool.8.gz [root@radius html]#
查看FreeRADIUS MySQL数据库扩展包安装路
[root@radius html]# rpm -lq freeradius-mysql /etc/raddb/mods-config/sql/counter/mysql /etc/raddb/mods-config/sql/counter/mysql/dailycounter.conf /etc/raddb/mods-config/sql/counter/mysql/expire_on_login.conf /etc/raddb/mods-config/sql/counter/mysql/monthlycounter.conf /etc/raddb/mods-config/sql/counter/mysql/noresetcounter.conf /etc/raddb/mods-config/sql/cui/mysql /etc/raddb/mods-config/sql/cui/mysql/queries.conf /etc/raddb/mods-config/sql/cui/mysql/schema.sql /etc/raddb/mods-config/sql/ippool-dhcp/mysql /etc/raddb/mods-config/sql/ippool-dhcp/mysql/queries.conf /etc/raddb/mods-config/sql/ippool-dhcp/mysql/schema.sql /etc/raddb/mods-config/sql/ippool/mysql /etc/raddb/mods-config/sql/ippool/mysql/queries.conf /etc/raddb/mods-config/sql/ippool/mysql/schema.sql /etc/raddb/mods-config/sql/main/mysql /etc/raddb/mods-config/sql/main/mysql/extras /etc/raddb/mods-config/sql/main/mysql/extras/wimax /etc/raddb/mods-config/sql/main/mysql/extras/wimax/queries.conf /etc/raddb/mods-config/sql/main/mysql/extras/wimax/schema.sql /etc/raddb/mods-config/sql/main/mysql/queries.conf /etc/raddb/mods-config/sql/main/mysql/schema.sql /etc/raddb/mods-config/sql/main/mysql/setup.sql /etc/raddb/mods-config/sql/main/ndb /etc/raddb/mods-config/sql/main/ndb/README /etc/raddb/mods-config/sql/main/ndb/schema.sql /etc/raddb/mods-config/sql/main/ndb/setup.sql /usr/lib64/freeradius/rlm_sql_mysql.so [root@radius html]#
注册并启动服务
[root@radius ~]# systemctl enable radiusd Created symlink from /etc/systemd/system/multi-user.target.wants/radiusd.service to /usr/lib/systemd/system/radiusd.service. [root@radius ~]# systemctl start radiusd [root@radius ~]#
查看端口监听(UDP1812/UDP1813)
[root@radius ~]# netstat -ltun Active Internet connections (only servers) Proto Recv-Q Send-Q Local Address Foreign Address State tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN tcp6 0 0 :::80 :::* LISTEN tcp6 0 0 :::22 :::* LISTEN udp 0 0 127.0.0.1:323 0.0.0.0:* udp 0 0 0.0.0.0:68 0.0.0.0:* udp 0 0 127.0.0.1:18120 0.0.0.0:* udp 0 0 0.0.0.0:56569 0.0.0.0:* udp 0 0 0.0.0.0:1812 0.0.0.0:* udp 0 0 0.0.0.0:1813 0.0.0.0:* udp6 0 0 ::1:323 :::* udp6 0 0 :::54657 :::* udp6 0 0 :::1812 :::* udp6 0 0 :::1813 :::* [root@radius ~]#
导入数据库
[root@radius ~]# mysql -uroot -p radius < /etc/raddb/mods-config/sql/main/mysql/schema.sql Enter password: [root@radius ~]#
启用数据库模块
[root@radius ~]# cd /etc/raddb/mods-enabled/ [root@radius mods-enabled]# ln -s ../mods-available/sql sql [root@radius mods-enabled]#
修改数据库连接配置文件
[root@radius mods-enabled]# vi sql driver = "rlm_sql_null" driver = "rlm_sql_mysql" dialect = "sqlite" dialect = "mysql" # server = "localhost" # port = 3306 # login = "radius" # password = "radpass" server = "localhost" port = 3306 login = "radius" password = "radiuspassword" # read_clients = yes read_clients = yes
修改数据库连接配置文件属组
[root@radius mods-enabled]# ll sql lrwxrwxrwx 1 root root 21 Feb 20 05:58 sql -> ../mods-available/sql [root@radius mods-enabled]# chgrp -h radiusd sql [root@radius mods-enabled]# ll sql lrwxrwxrwx 1 root radiusd 21 Feb 20 05:58 sql -> ../mods-available/sql [root@radius mods-enabled]#
下载daloRADIUS安装包并解压缩
[root@radius ~]# wget https://github.com/lirantal/daloradius/archive/master.zip [root@radius ~]# cp -R daloradius-master/ /var/www/html/daloradius
导入数据库
[root@radius ~]# cd /var/www/html/ [root@radius html]# mysql -uroot -p radius < daloradius/contrib/db/fr2-mysql-daloradius-and-freeradius.sql Enter password: [root@radius html]# mysql -uroot -p radius < daloradius/contrib/db/mysql-daloradius.sql Enter password: [root@radius html]#
修改目录及配置文件属性
[root@radius html]# chown -R apache.apache daloradius/ [root@radius html]# chmod 664 daloradius/library/daloradius.conf.php [root@radius html]#
修改daloRADIUS配置文件
[root@radius html]# vi daloradius/library/daloradius.conf.php $configValues['CONFIG_DB_HOST'] = 'localhost'; $configValues['CONFIG_DB_PORT'] = '3306'; $configValues['CONFIG_DB_USER'] = 'radius'; $configValues['CONFIG_DB_PASS'] = 'radiuspassword'; $configValues['CONFIG_DB_NAME'] = 'radius';
安装PEAR扩展
更新频道
[root@radius ~]# pear channel-update pear.php.net Updating channel "pear.php.net" Update of Channel "pear.php.net" succeeded [root@radius ~]#
升级pear/PEAR版本
错误提示
[root@radius ~]# pear install DB WARNING: "pear/DB" is deprecated in favor of "pear/MDB2" pear/DB requires package "pear/PEAR" (version >= 1.10.0), installed version is 1.9.4 No valid packages found install failed [root@radius ~]#
升级操作
[root@radius ~]# pear install PEAR WARNING: "pear/Console_Getopt" is deprecated in favor of "pear/Console_GetoptPlus" downloading PEAR-1.10.10.tgz ... Starting to download PEAR-1.10.10.tgz (293,388 bytes) .............................................................done: 293,388 bytes downloading Archive_Tar-1.4.9.tgz ... Starting to download Archive_Tar-1.4.9.tgz (21,343 bytes) ...done: 21,343 bytes downloading Structures_Graph-1.1.1.tgz ... Starting to download Structures_Graph-1.1.1.tgz (12,579 bytes) ...done: 12,579 bytes downloading Console_Getopt-1.4.3.tgz ... Starting to download Console_Getopt-1.4.3.tgz (5,789 bytes) ...done: 5,789 bytes downloading XML_Util-1.4.3.tgz ... Starting to download XML_Util-1.4.3.tgz (18,842 bytes) ...done: 18,842 bytes install ok: channel://pear.php.net/Archive_Tar-1.4.9 install ok: channel://pear.php.net/Structures_Graph-1.1.1 install ok: channel://pear.php.net/Console_Getopt-1.4.3 install ok: channel://pear.php.net/XML_Util-1.4.3 install ok: channel://pear.php.net/PEAR-1.10.10 PEAR: Optional feature webinstaller available (PEAR's web-based installer) PEAR: Optional feature gtkinstaller available (PEAR's PHP-GTK-based installer) PEAR: Optional feature gtk2installer available (PEAR's PHP-GTK2-based installer) PEAR: To install optional features use "pear install pear/PEAR#featurename" [root@radius ~]#
安装pear/DB扩展
[root@radius ~]# pear install DB WARNING: "pear/DB" is deprecated in favor of "pear/MDB2" downloading DB-1.9.3.tgz ... Starting to download DB-1.9.3.tgz (132,290 bytes) .............................done: 132,290 bytes install ok: channel://pear.php.net/DB-1.9.3 [root@radius ~]#
安装pear/MDB2扩展
[root@radius ~]# pear install MDB2 downloading MDB2-2.4.1.tgz ... Starting to download MDB2-2.4.1.tgz (121,557 bytes) ..........................done: 121,557 bytes install ok: channel://pear.php.net/MDB2-2.4.1 MDB2: Optional feature fbsql available (Frontbase SQL driver for MDB2) MDB2: Optional feature ibase available (Interbase/Firebird driver for MDB2) MDB2: Optional feature mysql available (MySQL driver for MDB2) MDB2: Optional feature mysqli available (MySQLi driver for MDB2) MDB2: Optional feature mssql available (MS SQL Server driver for MDB2) MDB2: Optional feature oci8 available (Oracle driver for MDB2) MDB2: Optional feature pgsql available (PostgreSQL driver for MDB2) MDB2: Optional feature querysim available (Querysim driver for MDB2) MDB2: Optional feature sqlite available (SQLite2 driver for MDB2) MDB2: To install optional features use "pear install pear/MDB2#featurename" [root@radius ~]#
重启服务
[root@radius ~]# systemctl restart radiusd
使用浏览器访问daloRADIUS控制台
自签根证书导入客户端计算机
正确的自签CA证书导入路径(证书-本地计算机-受信任的根证书颁发机构)
查看已导入的CA证书详情
错误的自签CA证书导入路径(证书-当前用户-受信任的根证书颁发机构)
证书导入位置错误时的连接错误提示:IKE身份验证凭证不可接受
拨号连接属性设置详情
常规选项卡
安全选项卡
网络选项卡
建立连接后的状态信息
安装EPEL仓库源
[root@host1 ~]# yum -y install epel-release
更新缓存并安装StrongSwan及net-tools工具
[root@host1 ~]# yum makecache [root@host1 ~]# yum -y install strongswan net-tools
查看StrongSwan版本信息
[root@host1 ~]# yum info strongswan Loaded plugins: fastestmirror Loading mirror speeds from cached hostfile * base: repos-lax.psychz.net * epel: mirror.lax.genesisadaptive.com * extras: mirror.hostduplex.com * updates: repos-lax.psychz.net Installed Packages Name : strongswan Arch : x86_64 Version : 5.7.2 Release : 1.el7 Size : 4.0 M Repo : installed From repo : epel Summary : An OpenSource IPsec-based VPN and TNC solution URL : http://www.strongswan.org/ License : GPLv2+ Description : The strongSwan IPsec implementation supports both the IKEv1 and : IKEv2 key exchange protocols in conjunction with the native NETKEY : IPsec stack of the Linux kernel. [root@host1 ~]#
准备证书生成脚本
服务器证书脚本
[root@host1 ipsec.d]# cat server_key.sh #!/bin/bash if [ $1 ]; then CN=$1 echo "generating keys for $CN ..." else echo -e "usage:\n sh server_key.sh YOUR EXACT HOST NAME or SERVER IP\n Run this script in directory to store your keys" exit 1 fi mkdir -p private && mkdir -p cacerts && mkdir -p certs strongswan pki --gen --type rsa --size 4096 --outform pem > private/strongswanKey.pem strongswan pki --self --ca --lifetime 3650 --in private/strongswanKey.pem --type rsa --dn "C=HK, O=LINUXCACHE.COM, CN=$CN" --outform pem > cacerts/strongswanCert.pem echo 'CA certs at cacerts/strongswanCert.pem' strongswan pki --print --in cacerts/strongswanCert.pem sleep 1 echo "generating server keys ..." strongswan pki --gen --type rsa --size 2048 --outform pem > private/vpnHostKey.pem strongswan pki --pub --in private/vpnHostKey.pem --type rsa | \ strongswan pki --issue --lifetime 730 \ --cacert cacerts/strongswanCert.pem \ --cakey private/strongswanKey.pem \ --dn "C=HK, O=LINUXCACHE.COM, CN=$CN" \ --san $CN \ --flag serverAuth --flag ikeIntermediate \ --outform pem > certs/vpnHostCert.pem echo "vpn server cert at certs/vpnHostCert.pem" strongswan pki --print --in certs/vpnHostCert.pem [root@host1 ipsec.d]#
客户端证书脚本
[root@host1 ipsec.d]# cat client_key.sh #!/bin/bash info="usage:\n sh client_key.sh USER_NAME EMAIL \n Run this script in directory to store your keys" if [ $1 ]; then if [ $2 ]; then NAME=$1 MAIL=$2 echo "generating keys for $NAME $MAIL ..." else echo -e $info exit 1 fi else echo -e $info exit 1 fi mkdir -p private && mkdir -p cacerts && mkdir -p certs keyfile="private/"$NAME"Key.pem" certfile="certs/"$NAME"Cert.pem" p12file=$NAME".p12" strongswan pki --gen --type rsa --size 2048 \ --outform pem \ > $keyfile strongswan pki --pub --in $keyfile --type rsa | \ strongswan pki --issue --lifetime 730 \ --cacert cacerts/strongswanCert.pem \ --cakey private/strongswanKey.pem \ --dn "C=HK, O=LINUXCACHE.COM, CN=$MAIL" \ --san $MAIL \ --outform pem > $certfile strongswan pki --print --in $certfile echo "Enter password to protect p12 cert for $NAME" openssl pkcs12 -export -inkey $keyfile \ -in $certfile -name "$NAME's VPN Certificate" \ -certfile cacerts/strongswanCert.pem \ -caname "strongSwan Root CA" \ -out $p12file if [ $? -eq 0 ]; then echo "cert for $NAME at $p12file" fi [root@host1 ipsec.d]#
生成服务器证书
[root@host1 ipsec.d]# ./server_key.sh 144.202.116.133 generating keys for 144.202.116.133 ... CA certs at cacerts/strongswanCert.pem subject: "C=HK, O=LINUXCACHE.COM, CN=144.202.116.133" issuer: "C=HK, O=LINUXCACHE.COM, CN=144.202.116.133" validity: not before Feb 01 02:02:11 2020, ok not after Jan 29 02:02:11 2030, ok (expires in 3650 days) serial: 1d:40:6a:e0:af:56:64:33 flags: CA CRLSign self-signed subjkeyId: 91:38:53:8e:8e:85:aa:ec:db:75:1c:82:34:05:6c:7b:da:06:62:26 pubkey: RSA 4096 bits keyid: 7e:1e:66:62:f0:cc:d9:51:9e:ea:c0:97:37:d5:84:1c:b9:27:97:c2 subjkey: 91:38:53:8e:8e:85:aa:ec:db:75:1c:82:34:05:6c:7b:da:06:62:26 generating server keys ... vpn server cert at certs/vpnHostCert.pem subject: "C=HK, O=LINUXCACHE.COM, CN=144.202.116.133" issuer: "C=HK, O=LINUXCACHE.COM, CN=144.202.116.133" validity: not before Feb 01 02:02:13 2020, ok not after Jan 31 02:02:13 2022, ok (expires in 730 days) serial: 1d:ff:d1:51:97:c9:46:72 altNames: 144.202.116.133 flags: serverAuth ikeIntermediate authkeyId: 91:38:53:8e:8e:85:aa:ec:db:75:1c:82:34:05:6c:7b:da:06:62:26 subjkeyId: c8:82:e7:43:45:cf:0d:f1:8a:8b:7c:cc:ea:72:f0:4f:18:d9:85:fe pubkey: RSA 2048 bits keyid: 15:7d:c7:47:3e:07:7b:66:92:d0:2e:75:8e:78:0e:6b:72:8e:5e:b2 subjkey: c8:82:e7:43:45:cf:0d:f1:8a:8b:7c:cc:ea:72:f0:4f:18:d9:85:fe [root@host1 ipsec.d]#
生成客户端证书并为密钥对设置密码
[root@host1 ipsec.d]# ./client_key.sh harveymei harvey.mei@msn.com generating keys for harveymei harvey.mei@msn.com ... subject: "C=HK, O=LINUXCACHE.COM, CN=harvey.mei@msn.com" issuer: "C=HK, O=LINUXCACHE.COM, CN=144.202.116.133" validity: not before Feb 01 02:03:46 2020, ok not after Jan 31 02:03:46 2022, ok (expires in 730 days) serial: 60:f7:02:c5:33:21:3a:13 altNames: harvey.mei@msn.com flags: authkeyId: 91:38:53:8e:8e:85:aa:ec:db:75:1c:82:34:05:6c:7b:da:06:62:26 subjkeyId: ee:08:46:4e:bc:b1:7e:37:b5:b8:71:f1:5d:72:43:7f:4e:42:9c:40 pubkey: RSA 2048 bits keyid: 1a:8d:12:09:54:a6:a6:d4:f9:d4:7a:6c:75:0a:85:6d:90:b6:0d:fe subjkey: ee:08:46:4e:bc:b1:7e:37:b5:b8:71:f1:5d:72:43:7f:4e:42:9c:40 Enter password to protect p12 cert for harveymei Enter Export Password: Verifying - Enter Export Password: cert for harveymei at harveymei.p12 [root@host1 ipsec.d]#
复制客户端需要用到的证书
修改配置文件
修改ipsec.conf配置文件
初始配置文件
# ipsec.conf - strongSwan IPsec configuration file # basic configuration config setup # strictcrlpolicy=yes # uniqueids = no # Add connections here. # Sample VPN connections #conn sample-self-signed # leftsubnet=10.1.0.0/16 # leftcert=selfCert.der # leftsendcert=never # right=192.168.0.2 # rightsubnet=10.2.0.0/16 # rightcert=peerCert.der # auto=start #conn sample-with-ca-cert # leftsubnet=10.1.0.0/16 # leftcert=myCert.pem # right=192.168.0.2 # rightsubnet=10.2.0.0/16 # rightid="C=HK, O=Linux strongSwan CN=peer name" # auto=start
修改为
config setup uniqueids=never charondebug="cfg 2, dmn 2, ike 2, net 0" conn %default left=%defaultroute leftsubnet=0.0.0.0/0 leftcert=vpnHostCert.pem right=%any rightsourceip=172.16.1.100/16 conn CiscoIPSec keyexchange=ikev1 fragmentation=yes rightauth=pubkey rightauth2=xauth leftsendcert=always rekey=no auto=add conn XauthPsk keyexchange=ikev1 leftauth=psk rightauth=psk rightauth2=xauth auto=add conn IpsecIKEv2 keyexchange=ikev2 leftauth=pubkey rightauth=pubkey leftsendcert=always auto=add conn IpsecIKEv2-EAP keyexchange=ikev2 ike=aes256-sha1-modp1024! rekey=no leftauth=pubkey leftsendcert=always rightauth=eap-mschapv2 eap_identity=%any auto=add
修改strongswan.conf配置文件
初始配置文件
# strongswan.conf - strongSwan configuration file # # Refer to the strongswan.conf(5) manpage for details # # Configuration changes should be made in the included files charon { load_modular = yes plugins { include strongswan.d/charon/*.conf } } include strongswan.d/*.conf
修改为
charon { load_modular = yes duplicheck.enable = no compress = yes plugins { include strongswan.d/charon/*.conf } dns1 = 8.8.8.8 dns2 = 8.8.4.4 nbns1 = 8.8.8.8 nbns2 = 8.8.4.4 } include strongswan.d/*.conf
语法变化/错误的处理
Feb 01 02:41:00 host1 strongswan[4598]: /etc/strongswan/strongswan.conf:3: syntax error, unexpected ., expecting : or '{' or '=' [.]
charon { load_modular = yes duplicheck{ enable = no } compress = yes plugins { include strongswan.d/charon/*.conf } dns1 = 8.8.8.8 dns2 = 8.8.4.4 nbns1 = 8.8.8.8 nbns2 = 8.8.4.4 } include strongswan.d/*.conf
修改ipsec.secrets配置文件(账号密码)
初始配置文件
# ipsec.secrets - strongSwan IPsec secrets file
修改为
# ipsec.secrets - strongSwan IPsec secrets file : RSA vpnHostKey.pem : PSK "PSK_KEY" harveymei %any : EAP "harvey#pwd2020" harveymei %any : XAUTH "harvey#pwd2020"
开启内核及防火墙包转发设置
内核
[root@host1 strongswan]# echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf [root@host1 strongswan]# sysctl -p net.ipv6.conf.all.accept_ra = 2 net.ipv6.conf.eth0.accept_ra = 2 net.ipv4.ip_forward = 1 [root@host1 strongswan]#
防火墙
[root@host1 ~]# firewall-cmd --list-all public (active) target: default icmp-block-inversion: no interfaces: eth0 sources: services: dhcpv6-client ssh ports: protocols: masquerade: no forward-ports: source-ports: icmp-blocks: rich rules: [root@host1 ~]# firewall-cmd --permanent --add-service=ipsec success [root@host1 ~]# firewall-cmd --permanent --add-port=4500/udp success [root@host1 ~]# firewall-cmd --permanent --add-masquerade success [root@host1 ~]# firewall-cmd --reload success [root@host1 ~]# firewall-cmd --list-all public (active) target: default icmp-block-inversion: no interfaces: eth0 sources: services: dhcpv6-client ipsec ssh ports: 4500/udp protocols: masquerade: yes forward-ports: source-ports: icmp-blocks: rich rules: [root@host1 ~]#
启动服务
[root@host1 ~]# systemctl enable strongswan Created symlink from /etc/systemd/system/multi-user.target.wants/strongswan.service to /usr/lib/systemd/system/strongswan.service. [root@host1 ~]# systemctl start strongswan
查看端口监听
n2n两种节点类型的命令参数参考
[root@host1 ~]# /usr/local/n2n/sbin/supernode --help Welcome to n2n v.2.5.1.r244.46aaa86 for x86_64-unknown-linux-gnu Built on Jan 31 2020 06:48:19 Copyright 2007-19 - ntop.org and contributors supernode <config file> (see supernode.conf) or supernode -l <lport> -c <path> [-v] -l <lport> Set UDP main listen port to <lport> -c <path> File containing the allowed communities. -v Increase verbosity. Can be used multiple times. -h This help message. [root@host1 ~]#
[root@host1 ~]# /usr/local/n2n/sbin/edge --help Welcome to n2n v.2.5.1.r244.46aaa86 for x86_64-unknown-linux-gnu Built on Jan 31 2020 06:48:19 Copyright 2007-19 - ntop.org and contributors edge <config file> (see edge.conf) or edge -d <tun device> -a [static:|dhcp:]<tun IP address> -c <community> [-k <encrypt key>] [-s <netmask>] [-u <uid> -g <gid>][-f][-T <tos>][-m <MAC address>] -l <supernode host:port> [-p <local port>] [-M <mtu>] [-D] [-r] [-E] [-v] [-i <reg_interval>] [-L <reg_ttl>] [-t <mgmt port>] [-A] [-h] -d <tun device> | tun device name -a <mode:address> | Set interface address. For DHCP use '-r -a dhcp:0.0.0.0' -c <community> | n2n community name the edge belongs to. -k <encrypt key> | Encryption key (ASCII) - also N2N_KEY=<encrypt key>. -s <netmask> | Edge interface netmask in dotted decimal notation (255.255.255.0). -l <supernode host:port> | Supernode IP:port -i <reg_interval> | Registration interval, for NAT hole punching (default 20 seconds) -L <reg_ttl> | TTL for registration packet when UDP NAT hole punching through supernode (default 0 for not set ) -p <local port> | Fixed local UDP port. -u <UID> | User ID (numeric) to use when privileges are dropped. -g <GID> | Group ID (numeric) to use when privileges are dropped. -f | Do not fork and run as a daemon; rather run in foreground. -m <MAC address> | Fix MAC address for the TAP interface (otherwise it may be random) | eg. -m 01:02:03:04:05:06 -M <mtu> | Specify n2n MTU of edge interface (default 1290). -D | Enable PMTU discovery. PMTU discovery can reduce fragmentation but | causes connections stall when not properly supported. -r | Enable packet forwarding through n2n community. -E | Accept multicast MAC addresses (default=drop). -S | Do not connect P2P. Always use the supernode. -T <tos> | TOS for packets (e.g. 0x48 for SSH like priority) -v | Make more verbose. Repeat as required. -t <port> | Management UDP Port (for multiple edges on a machine). Environment variables: N2N_KEY | Encryption key (ASCII). Not with -k. [root@host1 ~]#
在三台主机上分别安装n2n并进行配置
host1:supernode/edge(192.168.172.1) host2:edge(192.168.172.2) host3:edge(192.168.172.3) Community:linuxcache Pre-Shared Key:5tgb6yhn7ujm
禁用防火墙
[root@host1 ~]# systemctl disable firewalld Removed symlink /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service. Removed symlink /etc/systemd/system/multi-user.target.wants/firewalld.service. [root@host1 ~]# systemctl stop firewalld [root@host1 ~]#
安装工具
[root@host1 ~]# yum -y install git gcc automake
下载源代码
https://github.com/ntop/n2n.git [root@host1 ~]# git clone https://github.com/ntop/n2n.git Cloning into 'n2n'... remote: Enumerating objects: 1572, done. remote: Total 1572 (delta 0), reused 0 (delta 0), pack-reused 1572 Receiving objects: 100% (1572/1572), 970.16 KiB | 0 bytes/s, done. Resolving deltas: 100% (858/858), done. [root@host1 ~]#
编译安装
[root@host1 ~]# cd n2n/ [root@host1 n2n]# ./autogen.sh [root@host1 n2n]# ./configure [root@host1 n2n]# make [root@host1 n2n]# make PREFIX=/usr/local/n2n/ install
配置host1节点supernode服务脚本
[root@host1 ~]# vi /usr/lib/systemd/system/n2n_supernode.service [Unit] Description=n2n supernode Wants=network-online.target After=network-online.target [Service] ExecStart=/usr/local/n2n/sbin/supernode -l 1200 [Install] WantedBy=multi-user.target
注册服务并启动服务
[root@host1 ~]# systemctl enable n2n_supernode Created symlink from /etc/systemd/system/multi-user.target.wants/n2n_supernode.service to /usr/lib/systemd/system/n2n_supernode.service. [root@host1 ~]# systemctl start n2n_supernode [root@host1 ~]#
配置host1节点edge服务脚本
[root@host1 ~]# vi /usr/lib/systemd/system/n2n_edge.service [Unit] Description=n2n edge Wants=network-online.target After=network-online.target n2n_supernode.service [Service] ExecStart=/usr/local/n2n/sbin/edge -l localhost:1200 -c linuxcache -a 192.168.172.1 -k 5tgb6yhn7ujm -f [Install] WantedBy=multi-user.target
注册服务并启动服务
[root@host1 ~]# systemctl enable n2n_edge Created symlink from /etc/systemd/system/multi-user.target.wants/n2n_edge.service to /usr/lib/systemd/system/n2n_edge.service. [root@host1 ~]# systemctl start n2n_edge [root@host1 ~]#
查看host1接口信息
[root@host1 ~]# ip addr 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever inet6 ::1/128 scope host valid_lft forever preferred_lft forever 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000 link/ether 56:00:02:83:72:1e brd ff:ff:ff:ff:ff:ff inet 144.202.116.133/23 brd 144.202.117.255 scope global dynamic eth0 valid_lft 84884sec preferred_lft 84884sec inet6 fe80::5400:2ff:fe83:721e/64 scope link valid_lft forever preferred_lft forever 3: edge0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1290 qdisc pfifo_fast state UNKNOWN group default qlen 1000 link/ether de:23:7d:c9:85:e0 brd ff:ff:ff:ff:ff:ff inet 192.168.172.1/24 brd 192.168.172.255 scope global edge0 valid_lft forever preferred_lft forever inet6 fe80::dc23:7dff:fec9:85e0/64 scope link valid_lft forever preferred_lft forever [root@host1 ~]#
配置host2节点edge服务脚本
[root@host2 ~]# vi /usr/lib/systemd/system/n2n_edge.service [Unit] Description=n2n edge Wants=network-online.target After=network-online.target [Service] ExecStart=/usr/local/n2n/sbin/edge -l 144.202.116.133:1200 -c linuxcache -a 192.168.172.2 -k 5tgb6yhn7ujm -f [Install] WantedBy=multi-user.target
注册服务并启动服务
[root@host2 ~]# systemctl enable n2n_edge Created symlink from /etc/systemd/system/multi-user.target.wants/n2n_edge.service to /usr/lib/systemd/system/n2n_edge.service. [root@host2 ~]# systemctl start n2n_edge [root@host2 ~]#
查看host2接口信息
[root@host2 ~]# ip addr 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever inet6 ::1/128 scope host valid_lft forever preferred_lft forever 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000 link/ether 56:00:02:83:72:1f brd ff:ff:ff:ff:ff:ff inet 149.28.93.246/23 brd 149.28.93.255 scope global dynamic eth0 valid_lft 78885sec preferred_lft 78885sec inet6 fe80::5400:2ff:fe83:721f/64 scope link valid_lft forever preferred_lft forever 3: edge0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1290 qdisc pfifo_fast state UNKNOWN group default qlen 1000 link/ether ae:04:8c:77:da:be brd ff:ff:ff:ff:ff:ff inet 192.168.172.2/24 brd 192.168.172.255 scope global edge0 valid_lft forever preferred_lft forever inet6 fe80::ac04:8cff:fe77:dabe/64 scope link valid_lft forever preferred_lft forever [root@host2 ~]#
检测节点连通性(在host2主机上)
[root@host2 ~]# ping -c 4 192.168.172.1 PING 192.168.172.1 (192.168.172.1) 56(84) bytes of data. 64 bytes from 192.168.172.1: icmp_seq=1 ttl=64 time=0.877 ms 64 bytes from 192.168.172.1: icmp_seq=2 ttl=64 time=0.733 ms 64 bytes from 192.168.172.1: icmp_seq=3 ttl=64 time=0.844 ms 64 bytes from 192.168.172.1: icmp_seq=4 ttl=64 time=0.958 ms --- 192.168.172.1 ping statistics --- 4 packets transmitted, 4 received, 0% packet loss, time 3000ms rtt min/avg/max/mdev = 0.733/0.853/0.958/0.080 ms [root@host2 ~]#
配置host3节点edge服务脚本
[root@host3 ~]# vi /usr/lib/systemd/system/n2n_edge.service [Unit] Description=n2n edge Wants=network-online.target After=network-online.target [Service] ExecStart=/usr/local/n2n/sbin/edge -l 144.202.116.133:1200 -c linuxcache -a 192.168.172.3 -k 5tgb6yhn7ujm -f [Install] WantedBy=multi-user.target
注册服务并启动服务
[root@host3 n2n]# systemctl enable n2n_edge Created symlink from /etc/systemd/system/multi-user.target.wants/n2n_edge.service to /usr/lib/systemd/system/n2n_edge.service. [root@host3 n2n]# systemctl start n2n_edge [root@host3 n2n]#
查看host3接口信息
[root@host3 ~]# ip addr 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever inet6 ::1/128 scope host valid_lft forever preferred_lft forever 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000 link/ether 56:00:02:83:80:03 brd ff:ff:ff:ff:ff:ff inet 45.32.224.80/22 brd 45.32.227.255 scope global dynamic eth0 valid_lft 78416sec preferred_lft 78416sec inet6 fe80::5400:2ff:fe83:8003/64 scope link valid_lft forever preferred_lft forever 3: edge0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1290 qdisc pfifo_fast state UNKNOWN group default qlen 1000 link/ether d2:31:7d:96:46:41 brd ff:ff:ff:ff:ff:ff inet 192.168.172.3/24 brd 192.168.172.255 scope global edge0 valid_lft forever preferred_lft forever inet6 fe80::d031:7dff:fe96:4641/64 scope link valid_lft forever preferred_lft forever [root@host3 ~]#
检测节点连通性(在host3主机上)
[root@host3 ~]# ping -c 4 192.168.172.1 PING 192.168.172.1 (192.168.172.1) 56(84) bytes of data. 64 bytes from 192.168.172.1: icmp_seq=1 ttl=64 time=59.0 ms 64 bytes from 192.168.172.1: icmp_seq=2 ttl=64 time=25.9 ms 64 bytes from 192.168.172.1: icmp_seq=3 ttl=64 time=26.0 ms 64 bytes from 192.168.172.1: icmp_seq=4 ttl=64 time=27.2 ms --- 192.168.172.1 ping statistics --- 4 packets transmitted, 4 received, 0% packet loss, time 3003ms rtt min/avg/max/mdev = 25.963/34.564/59.058/14.150 ms [root@host3 ~]# ping -c 4 192.168.172.2 PING 192.168.172.2 (192.168.172.2) 56(84) bytes of data. 64 bytes from 192.168.172.2: icmp_seq=1 ttl=64 time=52.1 ms 64 bytes from 192.168.172.2: icmp_seq=2 ttl=64 time=26.0 ms 64 bytes from 192.168.172.2: icmp_seq=3 ttl=64 time=26.0 ms 64 bytes from 192.168.172.2: icmp_seq=4 ttl=64 time=25.9 ms --- 192.168.172.2 ping statistics --- 4 packets transmitted, 4 received, 0% packet loss, time 3003ms rtt min/avg/max/mdev = 25.963/32.542/52.115/11.301 ms [root@host3 ~]#
检测节点连通性(在host1主机上)
[root@host1 ~]# ping -c 4 192.168.172.2 PING 192.168.172.2 (192.168.172.2) 56(84) bytes of data. 64 bytes from 192.168.172.2: icmp_seq=1 ttl=64 time=1.43 ms 64 bytes from 192.168.172.2: icmp_seq=2 ttl=64 time=0.666 ms 64 bytes from 192.168.172.2: icmp_seq=3 ttl=64 time=0.840 ms 64 bytes from 192.168.172.2: icmp_seq=4 ttl=64 time=0.921 ms --- 192.168.172.2 ping statistics --- 4 packets transmitted, 4 received, 0% packet loss, time 3002ms rtt min/avg/max/mdev = 0.666/0.964/1.432/0.287 ms [root@host1 ~]# ping -c 4 192.168.172.3 PING 192.168.172.3 (192.168.172.3) 56(84) bytes of data. 64 bytes from 192.168.172.3: icmp_seq=1 ttl=64 time=33.4 ms 64 bytes from 192.168.172.3: icmp_seq=2 ttl=64 time=26.0 ms 64 bytes from 192.168.172.3: icmp_seq=3 ttl=64 time=26.3 ms 64 bytes from 192.168.172.3: icmp_seq=4 ttl=64 time=25.8 ms --- 192.168.172.3 ping statistics --- 4 packets transmitted, 4 received, 0% packet loss, time 3004ms rtt min/avg/max/mdev = 25.859/27.923/33.456/3.202 ms [root@host1 ~]#
安装Cisco AnyConnect Secure Mobility Client客户端程序
准备导入由自签CA签发的用户证书(含私钥)文件
证书导入向导(存储位置:当前用户)
确认导入证书文件的文件路径
输入为证书文件设置的密码
使用默认的证书存储位置
确认证书导入信息,并点击完成
证书导入成功
在证书管理(用户证书)中查看已导入的用户证书信息
在打开的AnyConnect客户端中输入服务器地址,并点击连接按钮
正在建立连接的状态
连接建立成功,系统提示已连接至服务器端
客户端处于连接状态
基于OpenVPN使用预共享密钥加密的点到点VPN解决方案
安装依赖库EPEL及net-tools工具
[root@host1 ~]# yum -y install epel-release.noarch net-tools [root@host2 ~]# yum -y install epel-release.noarch net-tools
安装openvpn软件包
[root@host1 ~]# yum -y install openvpn [root@host2 ~]# yum -y install openvpn
配置防火墙,在两台主机开放UDP8443端口作为专用通信端口
[root@host1 ~]# firewall-cmd --permanent --add-port=8443/udp success [root@host1 ~]# firewall-cmd --reload success [root@host1 ~]# [root@host2 ~]# firewall-cmd --permanent --add-port=8443/udp success [root@host2 ~]# firewall-cmd --reload success [root@host2 ~]#
生成host1配置文件
[root@host1 ~]# vi /etc/openvpn/host1.conf proto udp mode p2p remote 149.28.93.246 rport 8443 local 0.0.0.0 lport 8443 dev-type tun tun-ipv6 resolv-retry infinite dev tun0 comp-lzo persist-key persist-tun cipher aes-256-cbc ifconfig 172.16.100.1 172.16.100.2 secret /etc/openvpn/p2p.key
生成预共享密钥文件并复制到host2主机相应目录
[root@host1 ~]# openvpn --genkey --secret /etc/openvpn/p2p.key [root@host1 ~]# cat /etc/openvpn/p2p.key # # 2048 bit OpenVPN static key # -----BEGIN OpenVPN Static key V1----- cb55061878ae55a026f04826c8c49669 efaa6a77d5077b0bff0d27eb7b0611de 849125952cfaea36f556c52b1a5725d2 69a79ec24526c363d636d64b9f9591e1 b64b5b20147d08e419c8e37b72320e52 4be7d1b23b0c76c21f950e611fafa25f a3811c610be55334b19f801cab1c31f3 f4bc5e5ff213b407b5c8321c0a619358 09e8dfb93561efebeff7f656d2dc7d7a 5c3ad585ccc81755fc711bcf7c702053 3a23335cdc3a2c372a0bdf18fb75cdd2 935ff0fe927e6f77e854cfb1547876d3 bc9df044f2a0cf9c88ba61b2b2731a04 16b1ad259d25f53d583cbcd0ed8a3c66 2c2b0ceb9115351760dfc42e1f2670d6 be49d22101387b08f9b54c0e23c11823 -----END OpenVPN Static key V1----- [root@host1 ~]#
生成host2配置文件
[root@host2 ~]# vi /etc/openvpn/hosts2.conf proto udp mode p2p remote 144.202.116.133 rport 8443 local 0.0.0.0 lport 8443 dev-type tun tun-ipv6 resolv-retry infinite dev tun0 comp-lzo persist-key persist-tun cipher aes-256-cbc ifconfig 172.16.100.2 172.16.100.1 secret /etc/openvpn/p2p.key [root@host2 ~]# vi /etc/openvpn/p2p.key # # 2048 bit OpenVPN static key # -----BEGIN OpenVPN Static key V1----- cb55061878ae55a026f04826c8c49669 efaa6a77d5077b0bff0d27eb7b0611de 849125952cfaea36f556c52b1a5725d2 69a79ec24526c363d636d64b9f9591e1 b64b5b20147d08e419c8e37b72320e52 4be7d1b23b0c76c21f950e611fafa25f a3811c610be55334b19f801cab1c31f3 f4bc5e5ff213b407b5c8321c0a619358 09e8dfb93561efebeff7f656d2dc7d7a 5c3ad585ccc81755fc711bcf7c702053 3a23335cdc3a2c372a0bdf18fb75cdd2 935ff0fe927e6f77e854cfb1547876d3 bc9df044f2a0cf9c88ba61b2b2731a04 16b1ad259d25f53d583cbcd0ed8a3c66 2c2b0ceb9115351760dfc42e1f2670d6 be49d22101387b08f9b54c0e23c11823 -----END OpenVPN Static key V1-----
启动host1上的OpenVPN服务并加载指定配置文件
[root@host1 ~]# nohup openvpn --config /etc/openvpn/host1.conf & [1] 1913 [root@host1 ~]# nohup: ignoring input and appending output to ‘nohup.out’ [root@host1 ~]# cat nohup.out Fri Jan 31 03:25:47 2020 Note: option tun-ipv6 is ignored because modern operating systems do not need special IPv6 tun handling anymore. Fri Jan 31 03:25:47 2020 disabling NCP mode (--ncp-disable) because not in P2MP client or server mode Fri Jan 31 03:25:47 2020 OpenVPN 2.4.8 x86_64-redhat-linux-gnu [Fedora EPEL patched] [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Nov 1 2019 Fri Jan 31 03:25:47 2020 library versions: OpenSSL 1.0.2k-fips 26 Jan 2017, LZO 2.06 Fri Jan 31 03:25:47 2020 TUN/TAP device tun0 opened Fri Jan 31 03:25:47 2020 /sbin/ip link set dev tun0 up mtu 1500 Fri Jan 31 03:25:47 2020 /sbin/ip addr add dev tun0 local 172.16.100.1 peer 172.16.100.2 Fri Jan 31 03:25:47 2020 TCP/UDP: Preserving recently used remote address: [AF_INET]149.28.93.246:8443 Fri Jan 31 03:25:47 2020 UDP link local (bound): [AF_INET][undef]:8443 Fri Jan 31 03:25:47 2020 UDP link remote: [AF_INET]149.28.93.246:8443 [root@host1 ~]#
查看host1接口信息及端口监听信息
启动host2上的OpenVPN服务并加载指定配置文件
[root@host2 ~]# nohup openvpn --config /etc/openvpn/hosts2.conf & [1] 1741 [root@host2 ~]# nohup: ignoring input and appending output to ‘nohup.out’ [root@host2 ~]# cat nohup.out Fri Jan 31 03:28:03 2020 Note: option tun-ipv6 is ignored because modern operating systems do not need special IPv6 tun handling anymore. Fri Jan 31 03:28:03 2020 disabling NCP mode (--ncp-disable) because not in P2MP client or server mode Fri Jan 31 03:28:03 2020 WARNING: file '/etc/openvpn/p2p.key' is group or others accessible Fri Jan 31 03:28:03 2020 OpenVPN 2.4.8 x86_64-redhat-linux-gnu [Fedora EPEL patched] [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Nov 1 2019 Fri Jan 31 03:28:03 2020 library versions: OpenSSL 1.0.2k-fips 26 Jan 2017, LZO 2.06 Fri Jan 31 03:28:03 2020 TUN/TAP device tun0 opened Fri Jan 31 03:28:03 2020 /sbin/ip link set dev tun0 up mtu 1500 Fri Jan 31 03:28:03 2020 /sbin/ip addr add dev tun0 local 172.16.100.2 peer 172.16.100.1 Fri Jan 31 03:28:03 2020 TCP/UDP: Preserving recently used remote address: [AF_INET]144.202.116.133:8443 Fri Jan 31 03:28:03 2020 UDP link local (bound): [AF_INET][undef]:8443 Fri Jan 31 03:28:03 2020 UDP link remote: [AF_INET]144.202.116.133:8443 [root@host2 ~]#
查看host2接口信息及端口监听信息
在两台主机上分别ping对端隧道IP地址
使用自签证书进行用户身份验证,使用Let’s Encrypt权威证书作为服务器证书
启用内核包转发
[root@ocserv ~]# echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf [root@ocserv ~]# sysctl -p net.ipv6.conf.all.accept_ra = 2 net.ipv6.conf.eth0.accept_ra = 2 net.ipv4.ip_forward = 1 [root@ocserv ~]#
开启防火墙端口及包转发特性
[root@ocserv ~]# firewall-cmd --permanent --add-port=443/tcp success [root@ocserv ~]# firewall-cmd --permanent --add-port=443/udp success [root@ocserv ~]# firewall-cmd --permanent --add-port=80/tcp success [root@ocserv ~]# firewall-cmd --permanent --add-port=8080/tcp success [root@ocserv ~]# firewall-cmd --permanent --add-masquerade success [root@ocserv ~]# firewall-cmd --reload success [root@ocserv ~]#
安装ocserv服务包及Let’s Encrypt工具包
[root@ocserv ~]# yum -y install ocserv certbot
使用certbot生成的服务器证书和密钥路径
/etc/letsencrypt/live/ocserv.bcoc.site/fullchain.pem /etc/letsencrypt/live/ocserv.bcoc.site/privkey.pem
修改ocserv服务端配置
[root@ocserv ~]# vi /etc/ocserv/ocserv.conf
修改认证类型为证书认证
auth = "certificate"
修改服务器证书配置
server-cert = /etc/letsencrypt/live/ocserv.bcoc.site/fullchain.pem server-key = /etc/letsencrypt/live/ocserv.bcoc.site/privkey.pem
修改用户端证书身份识别
#cert-user-oid = 0.9.2342.19200300.100.1.1 cert-user-oid = 2.5.4.3
启用压缩
compression = true no-compress-limit = 256
设置客户端IPv4地址池
ipv4-network = 192.168.172.0 ipv4-netmask = 255.255.255.0
设置DNS
dns = 8.8.8.8 dns = 8.8.4.4
启动服务
[root@ocserv ~]# systemctl start ocserv
安装Apache服务器,为用户证书提供下载服务
[root@ocserv ~]# yum -y install httpd
修改Apache主配置文件并启动服务
[root@ocserv ~]# vi /etc/httpd/conf/httpd.conf
修改主机名
ServerName ocserv.bcoc.site
修改服务监听端口
#Listen 80 Listen 8080
检查配置并启动服务
[root@ocserv ~]# apachectl -t Syntax OK [root@ocserv ~]# systemctl enable httpd Created symlink from /etc/systemd/system/multi-user.target.wants/httpd.service to /usr/lib/systemd/system/httpd.service. [root@ocserv ~]# systemctl start httpd [root@ocserv ~]#
查看监听
使用浏览器访问服务器端口确认证书状态
生成自签CA证书
[root@ocserv ~]# certtool --generate-privkey --outfile ca-key.pem Generating a 2048 bit RSA private key... [root@ocserv ~]# cat << _EOF_ >ca.tmpl > cn = "BCOC CA" > organization = "BCOC" > serial = 1 > expiration_days = -1 > ca > signing_key > cert_signing_key > crl_signing_key > _EOF_ [root@ocserv ~]# certtool --generate-self-signed --load-privkey ca-key.pem \ > --template ca.tmpl --outfile ca-cert.pem
生成自签用户证书
[root@ocserv ~]# certtool --generate-privkey --outfile user-key.pem Generating a 2048 bit RSA private key... [root@ocserv ~]# cat << _EOF_ >user.tmpl > cn = "harveymei" > unit = "standard" > expiration_days = 365 > signing_key > tls_www_client > _EOF_ [root@ocserv ~]# certtool --generate-certificate --load-privkey user-key.pem \ > --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem \ > --template user.tmpl --outfile user-cert.pem
导出为PKCS12格式,为证书设置密钥(导入证书时需要输入)
[root@ocserv ~]# certtool --to-p12 --load-privkey user-key.pem \ > --pkcs-cipher 3des-pkcs12 \ > --load-certificate user-cert.pem \ > --outfile user.p12 --outder Generating a PKCS #12 structure... Loading private key list... Loaded 1 private keys. Enter a name for the key: harveymei Enter password: Confirm password: [root@ocserv ~]# ls ca-cert.pem ca.tmpl user-key.pem user.tmpl ca-key.pem user-cert.pem user.p12 [root@ocserv ~]#
将用户证书复制到Web Server服务器根目录下以提供证书下载
[root@ocserv ~]# cp user.p12 /var/www/html/
使用自签CA证书覆盖ocserv初始CA证书
[root@ocserv ~]# cp ca-cert.pem /etc/pki/ocserv/cacerts/ca.crt cp: overwrite ‘/etc/pki/ocserv/cacerts/ca.crt’? y
覆盖CA证书后重新启动ocserv服务
[root@ocserv ~]# systemctl restart ocserv
客户端新建连接并导入用户证书
客户端证书下载地址(客户端导入证书需输入密码)
http://ocserv.bcoc.site:8080/user.p12
Windows 10 系统下OpenConnect GUI的设置
