Preface:
I originally learned this from another author's article, which has unfortunately since been deleted and can no longer be found.
The author's GitHub: https://github.com/aliasmee/alpine-ikev2-vpn
I. MySQL
For a MySQL admin interface, adminer is recommended; search for a tutorial.
docker pull mysql:5.6
# username root, password radiuspass
docker run -p 3306:3306 --name qmm-mysql -v ~/mysql/data:/var/lib/mysql -e MYSQL_ROOT_PASSWORD=radiuspass -d mysql:5.6
# Import two SQL files into the database
First: https://github.com/FreeRADIUS/freeradius-server/blob/master/raddb/mods-config/sql/main/mysql/schema.sql
Second: https://github.com/lirantal/daloradius/blob/master/contrib/db/fr2-mysql-daloradius-and-freeradius.sql
# Error: when FreeRADIUS is run in debug mode it reports
Fri Aug 31 06:32:22 2018 : ERROR: (56) sql: rlm_sql_mysql: ERROR 1054 (Unknown column 'acctupdatetime' in 'field list'): 42S22
The second file carries the FreeRADIUS 2 layout of radacct, which lacks the acctupdatetime and acctinterval columns that the version 3 accounting queries write to.
Fix: run this SQL statement:
alter table radacct add acctupdatetime datetime NULL default NULL after acctstarttime, add acctinterval int(12) default NULL after acctstoptime, add KEY acctinterval (acctinterval), drop KEY acctuniqueid, add UNIQUE KEY acctuniqueid (acctuniqueid);
II. DaloRadius
# Get the apache-php7 image
docker pull nimmis/apache-php7
# Run the container
docker run -d -p 80:80 --name daloradius -v /home/nimmis/html:/var/www/html nimmis/apache-php7
# Enter the container
docker exec -it daloradius /bin/bash
# Install the PHP components
apt update
apt install php-pear php-db -y   // or: pear install DB
exit
# Restart the container
docker restart daloradius
# Download daloradius (on the host, into the directory mounted above)
git clone https://github.com/lirantal/daloradius.git "/home/nimmis/html"
# Edit the daloradius configuration file
vim /home/nimmis/html/library/daloradius.conf.php
Change the database connection:
$configValues['CONFIG_DB_ENGINE'] = 'mysqli';
$configValues['CONFIG_DB_HOST'] = 'localhost';
$configValues['CONFIG_DB_PORT'] = '3306';
$configValues['CONFIG_DB_USER'] = 'root';
$configValues['CONFIG_DB_PASS'] = '';
$configValues['CONFIG_DB_NAME'] = 'radius';
Change the language to Chinese:
$configValues['CONFIG_LANG'] = 'en';   # change en to zh
Default login password: radius
# Add a NAS: Management -> NAS
===========================
NAS IP/Host      0.0.0.0/0
NAS Secret       passwd-user
NAS Type         other
NAS Shortname    Radius-network
# Select Type: choose other
===========================
# Add a user: Management -> Users -> New User
III. FreeRadius
1. Deploy the container
# Get the image
docker pull v3tool/freeradius-daloradius
# Start the container
docker run -itd --name freeradius -p 1812-1813:1812-1813/udp --privileged=true v3tool/freeradius-daloradius init
# Enter the container's filesystem
cd $(docker inspect -f {{.GraphDriver.Data.MergedDir}} freeradius)
# Edit the database connection details
vim etc/raddb/mods-available/sql
---------------------------
server = "localhost"
port = 3306
login = "radius"
password = "radiuspass"
radius_db = "radius"
---------------------------
# Change the listen address
vim etc/raddb/clients.conf
find ipaddr = 127.0.0.1 and change it to ipaddr = 0.0.0.0
# Edit the eap file
vim etc/raddb/mods-enabled/eap
change to default_eap_type = mschapv2
# Restart the container
docker restart freeradius
========================================================================
CentOS 7: installation without Docker
========================================================================
1. Install FreeRadius:
yum install freeradius freeradius-mysql freeradius-utils -y
2. Configuration changes:
ln -s /etc/raddb/mods-available/sql /etc/raddb/mods-enabled/
vim /etc/raddb/mods-available/sql   # change to the following
line 31:
driver = "rlm_sql_mysql"
lines 73-83:
dialect = "mysql"
server = "localhost"
port = 3306
login = "radius"
password = "iloveworld"
radius_db = "radius"
line 211: remove the comment from
read_clients = yes
Listen address and shared secret changes
vim /etc/raddb/clients.conf
# Change the listen address
find ipaddr = 127.0.0.1 and change it to ipaddr = 0.0.0.0
# Change the secret
find secret = testing123 and replace testing123 with the secret you want to set
3. Check the file /etc/raddb/radiusd.conf
Make sure the following lines are not commented out:
$INCLUDE mods-enabled/
$INCLUDE sites-enabled/
4. Enable authentication logging to the log file (around line 321):
auth = yes
auth_badpass = yes
auth_goodpass = yes
5. Enable sql module support; edit the file ./etc/freeradius/sites-available/default
Remove the comment from the sql entries on the following lines. Here the comment character is '-', the number in front is the line number; find each line and remove the '-':
372 sql
602 sql
650 sql
676 sql
779 sql
# Edit the eap file
vim /etc/raddb/mods-enabled/eap
change to default_eap_type = mschapv2
# Enable radiusd at boot and start the service:
systemctl enable radiusd
systemctl start radiusd
========================================================================
IV. Strongswan
docker pull hanyifeng/alpine-ikev2-vpn
docker run -itd --privileged -v /lib/modules:/lib/modules -e HOST_IP='<your public IP>' -e ACCOUNTING='yes' -e RADIUS_PORT='1812' -e RADIUS_SERVER='<your RADIUS server IP>' -e RADIUS_SECRET='xxxxxxx' -e EAP_TYPE='eap-radius' -p 500:500/udp -p 4500:4500/udp --name=ikev2-vpn hanyifeng/alpine-ikev2-vpn
# Example
docker run -itd --privileged -v /lib/modules:/lib/modules -e HOST_IP='1.1.1.1' -e ACCOUNTING='yes' -e RADIUS_PORT='1812' -e RADIUS_SERVER='8.8.8.8' -e RADIUS_SECRET=testing123 -e EAP_TYPE='eap-radius' -p 500:500/udp -p 4500:4500/udp --name=ikev2-vpn hanyifeng/alpine-ikev2-vpn
# Parameters
HOST_IP='<your public IP>'               # the host's public IP
RADIUS_SERVER='<your RADIUS server IP>'  # the public IP of the FreeRADIUS server
RADIUS_SECRET='xxxxxxx'                  # the FreeRADIUS shared secret
# Enter the container's root filesystem
cd $(docker inspect -f {{.GraphDriver.Data.MergedDir}} ikev2-vpn)
# Error: the FreeRADIUS secret given when the container was created shows up with strange characters inside the container
vim usr/local/etc/strongswan.d/charon/eap-radius.conf
find secret = xxxxx and change it to secret = <your FreeRADIUS shared secret>
# Edit conn Windows7-os+
vim usr/local/etc/ipsec.conf
find conn Windows7-os+ and change the rightauth=eap-mschapv2 beneath it to rightauth=eap-radius
# Edit the IPsec shared secret
vim usr/local/etc/ipsec.secrets
# Import a certificate
Using a Let's Encrypt SSL certificate as the example, request one at https://www.sslforfree.com/
Extracting the downloaded bundle gives three files: private.key (private key), certificate.crt (server certificate) and ca_bundle.crt (root and intermediate certificates).
Upload the certificate files to the container's root directory and run the following:
cat > ikev2-ssl.sh <<"EOF"
#!/bin/bash
mv private.key server.pem
mv certificate.crt server.cert.pem
mv ca_bundle.crt usr/local/etc/ipsec.d/cacerts/ca.cert.pem
cert_file="server.cert.pem"
key_file="server.pem"
cp -f $cert_file usr/local/etc/ipsec.d/certs/server.cert.pem
cp -f $key_file usr/local/etc/ipsec.d/private/server.pem
cp -f $cert_file usr/local/etc/ipsec.d/certs/client.cert.pem
cp -f $key_file usr/local/etc/ipsec.d/private/client.pem
EOF
bash ikev2-ssl.sh
# Because the container's startup script /init.sh rewrites ipsec.conf and eap-radius.conf, the configuration reverts whenever the container is restarted.
# So after editing, do not restart the container; restart ipsec inside the container instead:
docker exec -it ikev2-vpn sh /usr/local/sbin/ipsec restart
# Suggested ipsec.conf; Android clients should use strongSwan (search Google Play)
config setup
    uniqueids=never

# matches Win10, iOS and macOS
conn %default
    keyexchange=ikev2
    ike=aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,aes256-sha1-modp2048,aes128-sha256-modp1024,aes128-sha1-modp1024,aes256-sha384-modp1536,aes256-sha256-modp1536,aes256-sha1-modp1536,aes256-sha384-modp1024,aes256-sha256-modp1024,aes256-sha1-modp1024!
    esp=aes128gcm16-ecp256,aes256gcm16-ecp384,aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,aes256-sha1-modp2048,aes128-sha256-modp1024,aes128-sha1-modp1024,aes256-sha384-modp1536,aes256-sha256-modp1536,aes256-sha1-modp1536,aes256-sha384-modp1024,aes256-sha256-modp1024,aes256-sha1-modp1024,aes128gcm16,aes256gcm16,aes128-sha256,aes128-sha1,aes256-sha384,aes256-sha256,aes256-sha1!
    rekey=no
    left=%defaultroute
    # when using a domain certificate, the remote ID on Apple devices must be the domain name
    leftid=xxx.com
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    leftcert=server.cert.pem
    right=%any
    rightauth=eap-radius
    rightsourceip=10.28.0.0/24
    rightsendcert=never
    eap_identity=%any
    dpdaction=clear
    fragmentation=yes
    auto=add

conn Windows7-os+
    keyexchange=ikev2
    auto=add
    leftauth=pubkey
    leftcert=server.cert.pem
    rightauth=eap-radius
    rightsendcert=never
    eap_identity=%identity
    compress=yes
V. Debugging
1. Debug strongswan
ipsec start --nofork
2. Debug RADIUS authentication
radtest user password 127.0.0.1 1812 testing123
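As an added example (not code from the original post), here is a minimal Python client that performs the same RADIUS/PAP exchange as the radtest line above, showing how the shared secret (testing123, the page's default) both hides the User-Password and authenticates the server's reply. It uses only the standard library; radtest() assumes a FreeRADIUS instance reachable at 127.0.0.1:1812 that lists the calling host in clients.conf with that secret.

```python
import hashlib
import os
import socket
import struct
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3  # RADIUS packet codes (RFC 2865)
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4     # the attribute types we send
def attr(kind, value):  # one Type-Length-Value attribute; Length counts its own 2-byte header
    return struct.pack("!BB", kind, 2 + len(value)) + value
def encode_password(password, secret, authenticator):
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous ciphertext block), block 0 chaining off the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16 if password else 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out

def decode_password(encrypted, secret, authenticator):  # inverse: what the server does before checking the radcheck row
    out, prev = b"", authenticator
    for i in range(0, len(encrypted), 16):
        out += bytes(a ^ b for a, b in zip(encrypted[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = encrypted[i:i + 16]
    return out.rstrip(b"\x00")

def build_access_request(ident, user, password, secret, nas_ip="127.0.0.1"):  # returns (packet, request_authenticator)
    auth = os.urandom(16)  # Request Authenticator: random per request, needed later to check the reply
    attrs = (attr(USER_NAME, user.encode()) + attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
             + attr(USER_PASSWORD, encode_password(password.encode(), secret, auth)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + auth + attrs, auth

def response_authenticator(header, request_auth, attrs, secret):
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuthenticator + Attributes + Secret)."""
    return hashlib.md5(header + request_auth + attrs + secret).digest()

def verify_response(packet, request_auth, secret):
    """Reply code, or None when the Response Authenticator does not match our secret (a clients.conf secret mismatch shows up here, not as a clean Reject)."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    return code if packet[4:20] == response_authenticator(packet[:4], request_auth, packet[20:length], secret) else None

def radtest(user, password, host="127.0.0.1", port=1812, secret=b"testing123", timeout=3.0):
    """Same exchange as: radtest user password host 1812 testing123 (PAP)."""
    pkt, auth = build_access_request(7, user, password, secret)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(pkt, (host, port))
        try:
            code = verify_response(s.recvfrom(4096)[0], auth, secret)
        except socket.timeout:  # FreeRADIUS silently drops requests from IPs absent from clients.conf
            return "timeout"
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject", None: "bad-secret"}.get(code, "other")
```

A "timeout" usually means the client IP is not in clients.conf (or 1812/udp is not published), while "bad-secret" means the server answered but signed with a different secret than the one you passed.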