openvpn 拒绝与 freeradius 的连接

tag-icon tag-icon linux vpn authentication openvpn radius
openvpn 拒绝与 freeradius 的连接

我从 yum 安装了 openvpn 和 freeradius,并且安装了 radiusplugin_v2.1a_beta1.tar.gz,但是我遇到了连接问题,错误如下:

XML-RPC: ConnectionRefusedError: 10061: No connection could be made because the target machine actively refused it..

我在数据库(mysql)中添加了以下内容

mysql> INSERT INTO radcheck VALUES (1,'jpeterson','Password','==','netopia1');
mysql> INSERT INTO radreply VALUES (1,'jpeterson','Trapeze-VLAN-Name',':=','corp');
mysql> INSERT INTO radreply VALUES (2,'jpeterson','Session-Timeout',':=','300');

尝试使用用户 jpeterson 和密码 netopia1

我一直在查看 /var/log/messages 和 /var/log/radius/radius.log,但没有看到太多内容。

/etc/openvpn/server.conf

port 1194 #- port
proto udp #- protocol
dev tun
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
reneg-sec 0
ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/2.0/keys/server.crt
key /etc/openvpn/easy-rsa/2.0/keys/server.key
dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem
#plugin /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so /etc/pam.d/login #- Comment this line if you are using FreeRADIUS
plugin /etc/openvpn/plugins/radiusplugin.so /etc/openvpn/radiusplugin.cnf #- Uncomment this line if you are using FreeRADIUS
client-cert-not-required
username-as-common-name
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
keepalive 5 30
comp-lzo
persist-key
persist-tun
status 1194.log
verb 4

这是 radiusplugin.cnf

# The NAS identifier which is sent to the RADIUS server
NAS-Identifier=OpenVpn

# The service type which is sent to the RADIUS server
Service-Type=5

# The framed protocol which is sent to the RADIUS server
Framed-Protocol=1

# The NAS port type which is sent to the RADIUS server
NAS-Port-Type=5

# The NAS IP address which is sent to the RADIUS server
NAS-IP-Address=127.0.0.1

# Path to the OpenVPN configfile. The plugin searches there for
# client-config-dir PATH   (searches for the path)
# status FILE                      (searches for the file, version must be 1)
# client-cert-not-required (if the option is used or not)
# username-as-common-name  (if the option is used or not)

#OpenVPNConfig=/etc/openvpn/radiusvpn.conf
OpenVPNConfig=/etc/openvpn/server.conf


# Support for topology option in OpenVPN 2.1
# If you don't specify anything, option "net30" (default in OpenVPN) is used.
# You can only use one of the options at the same time.
# If you use topology option "subnet", fill in the right netmask, e.g. from OpenVPN option "--server NETWORK NETMASK"
subnet=255.255.255.0
# If you use topology option "p2p", fill in the right network, e.g. from OpenVPN option "--server NETWORK NETMASK"
# p2p=10.8.0.1


# Allows the plugin to overwrite the client config in client config file directory,
# default is true
overwriteccfiles=true

# Allows the plugin to use auth control files if OpenVPN (>= 2.1 rc8) provides them.
# default is false
# useauthcontrolfile=false

# Only the accouting functionality is used, if no user name to forwarded to the plugin, the common name of certificate is used
# as user name for radius accounting.
# default is false
# accountingonly=false


# If the accounting is non essential, nonfatalaccounting can be set to true.
# If set to true all errors during the accounting procedure are ignored, which can be
# - radius accounting can fail
# - FramedRouted (if configured) maybe not configured correctly
# - errors during vendor specific attributes script execution are ignored
# But if set to true the performance is increased because OpenVPN does not block during the accounting procedure.
# default is false
nonfatalaccounting=false

# Path to a script for vendor specific attributes.
# Leave it out if you don't use an own script.
# vsascript=/root/workspace/radiusplugin_v2.0.5_beta/vsascript.pl

# Path to the pipe for communication with the vsascript.
# Leave it out if you don't use an own script.
# vsanamedpipe=/tmp/vsapipe

# A radius server definition, there could be more than one.
# The priority of the server depends on the order in this file. The first one has the highest priority.
server
{
        # The UDP port for radius accounting.
        acctport=1813
        # The UDP port for radius authentication.
        authport=1812
        # The name or ip address of the radius server.
        name=127.0.0.1
        # How many times should the plugin send the if there is no response?
        retry=1
        # How long should the plugin wait for a response?
        wait=1
        # The shared secret.
        sharedsecret=sekr3tz
}

编辑:当我使用 PAM 时,openvpn 已经可以工作了。

编辑:

现在,当我使用我的手机或具有 server.crt 文件的旧 vpn 连接时,我会在控制台上看到以下内容:

[root@vpn ~]# Mon Jan  7 23:03:54 2013 RADIUS-PLUGIN: Got no response from radius server.
Mon Jan  7 23:03:54 2013 Error: RADIUS-PLUGIN: BACKGROUND  AUTH: Auth failed!.


[root@vpn ~]# Mon Jan  7 23:05:23 2013 RADIUS-PLUGIN: Got no response from radius server.
Mon Jan  7 23:05:23 2013 Error: RADIUS-PLUGIN: BACKGROUND  AUTH: Auth failed!.

经过一番研究我发现了这一点,但不确定它意味着什么:

“Got no response from radius server”意味着插件没有收到来自RADIUS服务器的任何数据包。

您能否检查 RADIUS 服务器是否使用包含响应消息的 ACCESS_REJECT 数据包来响应 ACCESS-REQUEST RADIUS 数据包?服务器是否在插件配置文件中配置的时间间隔内响应?

即使我使用 FreeRadius,我是否也需要有证书文件才能登录?

答案1

我认为拥有认证机构是必要的,但是当你使用活动目录(例如 LDAP)和其他授权工具(例如 radius)时,没有必要拥有带有 .key 和 .crt 文件的私钥

相关内容