Preface:
I originally learned this from another author's article, but unfortunately that article has since been deleted and can no longer be found.
This is that author's GitHub: https://github.com/aliasmee/alpine-ikev2-vpn
I. MySQL
For a MySQL admin interface, adminer is recommended; search for a tutorial.

docker pull mysql:5.6
# user root, password radiuspass
docker run -p 3306:3306 --name qmm-mysql -v ~/mysql/data:/var/lib/mysql -e MYSQL_ROOT_PASSWORD=radiuspass -d mysql:5.6
# Import the two database files into the database
First: https://github.com/FreeRADIUS/freeradius-server/blob/master/raddb/mods-config/sql/main/mysql/schema.sql
Second: https://github.com/lirantal/daloradius/blob/master/contrib/db/fr2-mysql-daloradius-and-freeradius.sql
# Error: this is reported when FreeRADIUS is run in debug mode
Fri Aug 31 06:32:22 2018 : ERROR: (56) sql: rlm_sql_mysql: ERROR 1054 (Unknown column 'acctupdatetime' in 'field list'): 42S22
Fix:
Run the following SQL statement:
alter table radacct add acctupdatetime datetime NULL default NULL after acctstarttime, add acctinterval int(12) default NULL after acctstoptime, add KEY acctinterval (acctinterval), drop KEY acctuniqueid, add UNIQUE KEY acctuniqueid (acctuniqueid);

II. DaloRadius

# Pull the apache-php7 image
docker pull nimmis/apache-php7
# Run the container
docker run -d -p 80:80 --name daloradius -v /home/nimmis/html:/var/www/html nimmis/apache-php7
# Enter the container
docker exec -it daloradius /bin/bash
# Install the PHP components
apt update
apt install php-pear php-db -y  # or: pear install DB
exit
# Restart the container
docker restart daloradius
# Download the daloradius program
git clone https://github.com/lirantal/daloradius.git "/home/nimmis/html"
# Edit the daloradius configuration file
vim /home/nimmis/html/library/daloradius.conf.php
Change the database connection:
$configValues['CONFIG_DB_ENGINE'] = 'mysqli';
$configValues['CONFIG_DB_HOST'] = 'localhost';
$configValues['CONFIG_DB_PORT'] = '3306';
$configValues['CONFIG_DB_USER'] = 'root';
$configValues['CONFIG_DB_PASS'] = '';
$configValues['CONFIG_DB_NAME'] = 'radius';
Change the language to Chinese:
$configValues['CONFIG_LANG'] = 'en'; # change en to zh
Default login password: radius
# Add a NAS: Management -> NAS
===========================
NAS IP/Host      0.0.0.0/0

NAS Secret       passwd-user

NAS Type         other

NAS Shortname    Radius-network
# Select Type: choose other
===========================
Note that a NAS entry of 0.0.0.0/0 matches any source address, so the NAS secret is the only thing authenticating the VPN container to FreeRADIUS; use a long random value rather than the placeholder shown here.
# Add users: Management -> Users -> New User

III. FreeRADIUS
1. Deploy the container

# Pull the image
docker pull v3tool/freeradius-daloradius
# Start the container
docker run -itd --name freeradius -p 1812-1813:1812-1813/udp --privileged=true v3tool/freeradius-daloradius init
# Change into the container's filesystem on the host
cd $(docker inspect -f '{{.GraphDriver.Data.MergedDir}}' freeradius)
# Edit the database connection settings
vim etc/raddb/mods-available/sql
---------------------------
server = "localhost"
port = 3306
login = "radius"
password = "radiuspass"
radius_db = "radius"
---------------------------
# Change the listen address
vim etc/raddb/clients.conf
Find ipaddr = 127.0.0.1 and change it to ipaddr = 0.0.0.0  # listen address
# Edit the eap file
vim etc/raddb/mods-enabled/eap
Change to default_eap_type = mschapv2
# Restart the container
docker restart freeradius

========================================================================
CentOS 7: installing without Docker
========================================================================
1. Install FreeRADIUS:

yum install freeradius freeradius-mysql freeradius-utils -y

2. Configuration changes:

ln -s /etc/raddb/mods-available/sql /etc/raddb/mods-enabled/
vim /etc/raddb/mods-available/sql  # change to the following
Line 31:    driver = "rlm_sql_mysql"

Lines 73-83:
dialect = "mysql"

server = "localhost"
port = 3306
login = "radius"
password = "iloveworld"
radius_db = "radius"

Line 211:    uncomment read_clients = yes

Change the listen address and the shared secret

vim /etc/raddb/clients.conf
# Change the listen address
Find ipaddr = 127.0.0.1 and change it to ipaddr = 0.0.0.0
# Change the secret
Find secret = testing123 and change testing123 to the secret you want to set

3. Check /etc/raddb/radiusd.conf and make sure the following lines are not commented out

$INCLUDE mods-enabled/
$INCLUDE sites-enabled/

4. Enable authentication logging to the log file (around line 321)

auth = yes
auth_badpass = yes
auth_goodpass = yes

auth_goodpass and auth_badpass write the submitted passwords into the log in clear text; they are useful while debugging, but turn them off again afterwards.

5. Enable SQL module support: edit ./etc/freeradius/sites-available/default
On the following lines the sql reference is prefixed with '-'; the number in front is the line number, find each line and remove the '-'. (In FreeRADIUS unlang the leading '-' marks the module as optional, so the server still starts if the module is not loaded; without it, a missing sql module is a hard error, which is what you want here.)

372 sql
602 sql
650 sql
676 sql
779 sql

# Edit the eap file
vim /etc/raddb/mods-enabled/eap
Change to default_eap_type = mschapv2
# Enable radiusd at boot and start the service:

systemctl enable radiusd
systemctl start radiusd

========================================================================

IV. strongSwan

docker pull hanyifeng/alpine-ikev2-vpn
docker run -itd --privileged -v /lib/modules:/lib/modules -e HOST_IP='<your public IP>' -e ACCOUNTING='yes' -e RADIUS_PORT='1812' -e RADIUS_SERVER='<your radius server IP>' -e RADIUS_SECRET='xxxxxxx' -e EAP_TYPE='eap-radius' -p 500:500/udp -p 4500:4500/udp --name=ikev2-vpn hanyifeng/alpine-ikev2-vpn
# Example
docker run -itd --privileged -v /lib/modules:/lib/modules -e HOST_IP='1.1.1.1' -e ACCOUNTING='yes' -e RADIUS_PORT='1812' -e RADIUS_SERVER='8.8.8.8' -e RADIUS_SECRET=testing123 -e EAP_TYPE='eap-radius' -p 500:500/udp -p 4500:4500/udp --name=ikev2-vpn hanyifeng/alpine-ikev2-vpn
# Parameter explanation
HOST_IP='<your public IP>'  # the server's public IP
RADIUS_SERVER='<your radius server IP>'  # the public IP of the FreeRADIUS server
RADIUS_SECRET='xxxxxxx'  # the FreeRADIUS shared secret
# Enter the container's root directory
cd $(docker inspect -f '{{.GraphDriver.Data.MergedDir}}' ikev2-vpn)
# Error: the FreeRADIUS secret given when creating the container shows up as strange characters inside the container
vim usr/local/etc/strongswan.d/charon/eap-radius.conf
Find secret = xxxxx and change it to secret = <your FreeRADIUS shared secret>
# Edit conn Windows7-os+
vim usr/local/etc/ipsec.conf
Find conn Windows7-os+ and change the rightauth=eap-mschapv2 below it to rightauth=eap-radius
# Change the IPsec shared secret
vim usr/local/etc/ipsec.secrets
# Import the certificates
Using a Let's Encrypt SSL certificate as an example; request one at https://www.sslforfree.com/
Unpacking the downloaded bundle gives three files: private.key (private key), certificate.crt (server certificate), ca_bundle.crt (root and intermediate certificates).
Upload the certificates to the container's root directory and run the following:
cat > ikev2-ssl.sh <<"EOF"
#!/bin/bash
mv private.key server.pem
mv certificate.crt server.cert.pem
mv ca_bundle.crt usr/local/etc/ipsec.d/cacerts/ca.cert.pem
cert_file="server.cert.pem"
key_file="server.pem"
cp -f $cert_file usr/local/etc/ipsec.d/certs/server.cert.pem
cp -f $key_file usr/local/etc/ipsec.d/private/server.pem
cp -f $cert_file usr/local/etc/ipsec.d/certs/client.cert.pem
cp -f $key_file usr/local/etc/ipsec.d/private/client.pem
EOF
bash ikev2-ssl.sh
# Because the container's startup script /init.sh rewrites ipsec.conf and eap-radius.conf, restarting the container after editing them reverts the configuration.
# So after changing the configuration, do not restart the container; restart ipsec inside the container instead:
docker exec -it ikev2-vpn sh /usr/local/sbin/ipsec restart

# Recommended ipsec.conf configuration; on Android use the strongSwan client (search Google Play). The proposal lists below keep modp1024 and SHA-1 entries only for old clients; drop them if you do not need to support such clients.

config setup
    uniqueids=never

conn %default   # matches Win10, iOS/macOS
    keyexchange=ikev2
    ike=aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,aes256-sha1-modp2048,aes128-sha256-modp1024,aes128-sha1-modp1024,aes256-sha384-modp1536,aes256-sha256-modp1536,aes256-sha1-modp1536,aes256-sha384-modp1024,aes256-sha256-modp1024,aes256-sha1-modp1024!
    esp=aes128gcm16-ecp256,aes256gcm16-ecp384,aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,aes256-sha1-modp2048,aes128-sha256-modp1024,aes128-sha1-modp1024,aes256-sha384-modp1536,aes256-sha256-modp1536,aes256-sha1-modp1536,aes256-sha384-modp1024,aes256-sha256-modp1024,aes256-sha1-modp1024,aes128gcm16,aes256gcm16,aes128-sha256,aes128-sha1,aes256-sha384,aes256-sha256,aes256-sha1!
    rekey=no
    left=%defaultroute
    leftid=xxx.com   # when using a domain certificate, the remote ID on Apple devices must be the domain name
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    leftcert=server.cert.pem
    right=%any
    rightauth=eap-radius
    rightsourceip=10.28.0.0/24
    rightsendcert=never
    eap_identity=%any
    dpdaction=clear
    fragmentation=yes
    auto=add

conn Windows7-os+
    keyexchange=ikev2
    auto=add
    leftauth=pubkey
    leftcert=server.cert.pem
    rightauth=eap-radius
    rightsendcert=never
    eap_identity=%identity
    compress=yes

V. Debugging
1. Debug strongSwan
ipsec start --nofork
2. Debug FreeRADIUS
radtest user password 127.0.0.1 1812 testing123
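As an added example (not from the original post, FreeRADIUS or strongSwan), the following Python script does what the radtest line above does on the wire: it builds a PAP Access-Request with the User-Password hidden as RFC 2865 describes, sends it to FreeRADIUS, and verifies the Response Authenticator with the shared secret before trusting the Accept or Reject, which is the check that detects a wrong secret or a forged reply. The host, port and secret defaults mirror the radtest line; the NAS-IP-Address of 127.0.0.1 is an assumption that matches the clients.conf entry used above.

```python
import hashlib, hmac, os, socket, struct

def _attr(type_code, value):
    # Type, Length (including the 2 header bytes), Value
    return bytes([type_code, len(value) + 2]) + value

def pap_xor(data, secret, authenticator, hide=True):
    # RFC 2865 5.2: 16-byte blocks, each XORed with MD5(secret + previous hidden block);
    # hide=True pads the clear password with NULs, hide=False (server side) strips them again
    data = data + b"\x00" * (-len(data) % 16) if hide else data
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = block if hide else data[i:i + 16]
        out += block
    return out if hide else out.rstrip(b"\x00")

def build_access_request(ident, secret, username, password, authenticator, nas_ip="127.0.0.1"):
    # Code 1 with User-Name(1), User-Password(2), NAS-IP-Address(4); Length counts the 20-byte header
    attrs = (_attr(1, username.encode()) + _attr(2, pap_xor(password.encode(), secret, authenticator))
             + _attr(4, socket.inet_aton(nas_ip)))
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + authenticator + attrs

def build_reply(code, ident, request_authenticator, secret, attrs=b""):
    # Server side: Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_authenticator + attrs + secret).digest() + attrs

def verify_reply(reply, request_authenticator, secret):
    # Client side: a reply not built with the same secret, or truncated, or forged, is rejected
    if len(reply) < 20 or struct.unpack("!H", reply[2:4])[0] != len(reply):
        return False
    expected = hashlib.md5(reply[:4] + request_authenticator + reply[20:] + secret).digest()
    return hmac.compare_digest(expected, reply[4:20])

def radtest(username, password, host="127.0.0.1", port=1812, secret=b"testing123", timeout=3.0):
    # One PAP Access-Request as radtest sends it; returns 2 (Accept), 3 (Reject) or None
    authenticator, ident = os.urandom(16), os.urandom(1)[0]
    request = build_access_request(ident, secret, username, password, authenticator)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, (host, port))
        try:
            reply, _ = sock.recvfrom(4096)
        except socket.timeout:
            return None  # no answer: wrong port, firewall, or this host is not in clients.conf
    if reply[1] != ident or not verify_reply(reply, authenticator, secret):
        return None  # identifier mismatch or bad Response Authenticator: wrong secret or forged reply
    return reply[0]
```

Call radtest("user", "password") against the container; a None result with the server reachable almost always means the secret in clients.conf and the one passed here differ.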
