Tag: gentoo

Configure FreeRadius with MySQL on Gentoo

安装支持MySQL 的FreeRadius ,默认是不支持的:

USE=”mysql” emerge freeradius

或者

echo “=net-dialup/freeradius-2.0.5 mysql” >> /etc/portage/package.use

emerge freeradius

radius 的配置都在 /etc/raddb/ 里,我们需要修改的有 radiusd.conf , clients.conf , users , sql.conf , /site-enabled/default,分别对应服务器端,客户端,用户,数据库的配置,验证方式。其实由于这里使用了MySQL 记录用户的密码,所以其实不用修改users 也行。

我尽量在默认配置的基础上修改配置,可以不修改就不修改默认的配置。

radiusd.conf :

这里可以不修改,但最好修改一下,listen 的ipaddr 修改为内网吧。log 方面也可以适当开启一下。

——————–

clients.conf :

客户机的配置,我这里其实是Airport Extreme。

client 192.168.1.10 {
secret = testing
shortname = AP
nastype = other
}
————-
sql.conf:
先准备好MySQL 环境。
mysql> create database radius ;
mysql> grant all on radius.* to radius@localhost identfied by ‘testing’ ;
$ mysql -uradius -ptesting radius < /etc/raddb/sql/mysql/schema.sql

添加一个用户:

INSERT INTO radcheck (UserName, Attribute, Value) VALUES (‘test’, ‘Password’, ‘123456’);

修改一下sql.conf 相应的配置:

login=”radius”

passsword=”testing”

radius_db=”radius”

———–

/etc/raddb/sites-enabled/default:

把 authorize 里的sql uncomment 了,这样才能启用sql 验证。

当然,有洁癖的话可以把其它没用的comment 了。

————–

测试下:

进入debug 模式:radiusd -X

测试命令:

语法:Usage: radtest user passwd radius-server[:port] nas-port-number secret

radtest test 123456 192.168.1.1 0 testing

如果是Access-Reject 就是失败了,Access-Accept 就是成功了。

===============

配置到此完毕,算是可用了,但还不完善。不过我在想,用MySQL 还不如用LDAP 吧。。。下回再弄弄。

Reference:

http://en.gentoo-wiki.com/wiki/Chillispot_with_FreeRadius_and_MySQL

http://www.gentoo-wiki.info/HOWTO_WPA_Enterprise_with_MySQL

HOWTO Configure L2TP VPN server on Linode Gentoo VPS

Linode announced a new facility in Tokyo, Japan at September 20, 2011. It’s a big good news for us inside the wall. The download speed, and latency, is pretty awesome!!

I migrated my linode(actually it belongs to my boss) from USA to Tokyo with no doubt. And rebuild it from Ubuntu to Gentoo. As a desktop, Ubuntu plays so good so far.But as a server, Ubuntu sucks !!

OK, everything is ready, all we need is a L2TP VPN server.

Here is my L2TP VPN configuration.

First of all, choose a faster mirror server, this is my selection: gentoo.channelx.biz, chosen from mirrorselect (emerge mirrorselect). And add it to /etc/make.conf, replace the original one.

U can run this command if u don’t have an original GENTOO_MIRRORS config in /etc/make.conf.

echo 'GENTOO_MIRRORS="http://gentoo.channelx.biz/" ' >> /etc/make.conf

The software we need: openswan , xl2tpd , ppp. We can install them all with the ‘emerge’ command, but I found there’s something wrong with the openswan (v2.4.15-r2), we must upgrade openswan to version 2.6.31, even though this version is masked.

Solve the masked problem:

echo 'EMERGE_DEFAULT_OPTS="--autounmask=n" '  >> /etc/make.conf
 
echo '=net-misc/openswan-2.6.31 ' >> /etc/portage/package.accept_keywords

OK, install it:

emerge =net-misc/openswan-2.6.31

Let’s do some copy and paste.

Configure the ipsec.

copy the content of /etc/ipsec.d/examples/sysctl.conf to /etc/sysctl.conf ,and make sure the rp_filter options are commented.

# Enables source route verification
#net.ipv4.conf.default.rp_filter = 1
# Enable reverse path
#net.ipv4.conf.all.rp_filter = 1

u can run this command:

cat /etc/ipsec.d/examples/sysctl.conf >> /etc/sysctl.conf

and active the sysctl.conf:

sysctl -p

Edit the /etc/ipsec.conf :

echo 'include /etc/ipsec.d/examples/l2tp-psk.conf' >> /etc/ipsec.conf

when ignore the commented line:

#cat /etc/ipsec.conf | egrep -v "^[[:space:]]*#" | grep -v "^$"
 
conn L2TP-PSK-NAT
	rightsubnet=vhost:%priv
	also=L2TP-PSK-noNAT
conn L2TP-PSK-noNAT
	authby=secret
	pfs=no
	auto=add
	keyingtries=3
	rekey=no
	ikelifetime=8h
	keylife=1h
	type=transport
	left=YourPublicIP 
	leftprotoport=17/1701
	right=%any
	rightprotoport=17/0
conn passthrough-for-non-l2tp
        type=passthrough
        left=YourPublicIP
        leftnexthop=YourGatewayIP
        right=0.0.0.0
        rightsubnet=0.0.0.0/0
        auto=route

and remember to replace the “YourPublicIP” , “YourGatewayIP” to the correct value.

edit /etc/ipsec.secrets :

YourIPAddress  %any: PSK "sharedsecret"

do the same replacement.

Configure the iptables.

iptables -t nat -A POSTROUTING -j MASQUERADE
 
/etc/init.d/iptables save
 
rc-updat add iptables default

Configure xl2tpd :

# cat /etc/xl2tpd/xl2tpd.conf
 
[global] 
ipsec saref = yes
 
[lns default] 
ip range = 172.16.80.128-172.16.80.254 
local ip = 172.16.80.1
require chap = yes 
refuse pap = yes 
require authentication = yes 
name = xl2tpd
ppp debug = yes 
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes

Configure PPP :

# cat /etc/ppp/options.xl2tpd
 
ipcp-accept-local
ipcp-accept-remote
ms-dns  8.8.8.8
ms-dns  8.8.4.4
noccp
auth
crtscts
idle 1800
mtu 1410
mru 1410
nodefaultroute
debug
lock
proxyarp
connect-delay 5000
# cat /etc/ppp/chap-secrets
 
Username        xl2tpd      Password        *

do some replacement here.

start the services:

/etc/init.d/ipsec start
/etc/init.d/xl2tpd start

Have fun .

PS: ipsec verify failed ?

Pluto listening for IKE on udp 500                          	[FAILED]
  Cannot execute command "lsof -i UDP:500": No such file or directory
Pluto listening for NAT-T on udp 4500                       	[FAILED]
  Cannot execute command "lsof -i UDP:4500": No such file or directory

it’s all right, because the command ‘lsof‘ is missing, just ‘emerge lsof

Reference:

http://riobard.com/blog/2010-04-30-l2tp-over-ipsec-ubuntu/
http://apple4.us/2010/05/setting-up-l2tp-vpn-on-debian-ubuntu.html
http://forums.gentoo.org/viewtopic-t-324500-highlight-openswan.html (the ppp configuration part, it’s different between gentoo and ubuntu)

——————————
update: 2011-09-26
If u can connect successfully at the first time, but failed at the second. Here’s the solution.
Add the following lines to your L2TP-PSK-noNAT connection and restart ipsec (/etc/init.d/ipsec restart )

dpddelay=40
dpdtimeout=130
dpdaction=clear

Reference:
http://lists.openswan.org/pipermail/users/2011-January/019945.html