The OpenNET Project / Index page


Setting up a VPN using MPD + FreeRadius


Author: Kirill Malevanov

This article covers setting up a VPN server compatible with MS Windows™. It is assumed in advance that the PostgreSQL DBMS is already installed; user information will be stored in it.

Disclaimer

I do not claim in any way that this setup is done correctly, properly, "the way it should be", and so on. I am only describing what works for me.

Installing FreeRadius

First, FreeRadius needs to be installed and configured.

cd /usr/ports/net/freeradius
make install

We will not delete the files produced by the installer for now, since we will need them.

Go to /usr/local/etc/raddb and copy the dictionary.*.sample files to dictionary.*; these are the attribute dictionary files used by the various services.

Now create an empty file acct-users, then a file attrs with the following contents:

DEFAULT	
	Service-Type == Framed-User,
	Service-Type == Login-User,
	Login-Service == Telnet,
	Login-Service == Rlogin,
	Login-Service == TCP-Clear,
	Login-TCP-Port <= 65536,
	Framed-IP-Address == 255.255.255.254,
	Framed-IP-Netmask == 255.255.255.255,
	Framed-Protocol == PPP,
	Framed-Protocol == SLIP,
	Framed-Compression == Van-Jacobson-TCP-IP,
	Framed-MTU >= 576,
	Framed-Filter-ID =* ANY,
	Reply-Message =* ANY,
	Proxy-State =* ANY,
	Session-Timeout <= 28800,
	Idle-Timeout <= 600,
	Port-Limit <= 2

In the clients file, list the IP addresses of the hosts that will query the RADIUS server, and set a password for each host:

	# Client Name		Key
#----------------	----------
#portmaster1.isp.com	testing123
#portmaster2.isp.com	testing123
#proxyradius.isp2.com	TheirKey
192.168.1.200		test1
localhost		test2

The clients file is actually obsolete, but we will just leave it in case of any incompatibilities.

Enter exactly the same information, but in a different format, into the clients.conf file:


# clients.conf - client configuration directives
#
# This file is included by default.  To disable it, you will need
# to modify the CLIENTS CONFIGURATION section of "radiusd.conf".
#
#######################################################################

#######################################################################
#
#  Definition of a RADIUS client (usually a NAS).
#
#  The information given here over rides anything given in the 'clients'
#  file, or in the 'naslist' file.  The configuration here contains
#  all of the information from those two files, and also allows for more
#  configuration items.
#
#  The "shortname" can be used for logging, and the "nastype",
#  "login" and "password" fields are mainly used for checkrad and are
#  optional.
#

#
#  Defines a RADIUS client.  The format is 'client [hostname|ip-address]'
#
#  '127.0.0.1' is another name for 'localhost'.  It is enabled by default,
#  to allow testing of the server after an initial installation.  If you
#  are not going to be permitting RADIUS queries from localhost, we suggest
#  that you delete, or comment out, this entry.
#
client 127.0.0.1 {
	#
	#  The shared secret use to "encrypt" and "sign" packets between
	#  the NAS and FreeRADIUS.  You MUST change this secret from the
	#  default, otherwise it's not a secret any more!
	#
	#  The secret can be any string, up to 32 characters in length.
	#
	secret		= test2

	#
	#  The short name is used as an alias for the fully qualified
	#  domain name, or the IP address.
	#
	shortname	= localhost

	#
	# the following three fields are optional, but may be used by
	# checkrad.pl for simultaneous use checks
	#

	#
	# The nastype tells 'checkrad.pl' which NAS-specific method to
	#  use to query the NAS for simultaneous use.
	#
	#  Permitted NAS types are:
	#
	#	cisco
	#	computone
	#	livingston
	#	max40xx
	#	multitech
	#	netserver
	#	pathras
	#	patton
	#	portslave
	#	tc
	#	usrhiper
	#	other		# for all other types

	#
	nastype     = other	# localhost isn't usually a NAS...

	#
	#  The following two configurations are for future use.
	#  The 'naspasswd' file is currently used to store the NAS
	#  login name and password, which is used by checkrad.pl
	#  when querying the NAS for simultaneous use.
	#
#	login       = !root
#	password    = someadminpas
}

client 192.168.1.200 {
	secret		= test1
	shortname	= user
}

#
#  You can now specify one secret for a network of clients.
#  When a client request comes in, the BEST match is chosen.
#  i.e. The entry from the smallest possible network.
#
#client 192.168.0.0/24 {
#	secret		= testing123-1
#	shortname	= private-network-1
#}
#
#client 192.168.0.0/16 {
#	secret		= testing123-2
#	shortname	= private-network-2
#}


client 10.1.1.1 {
#	# secret and password are mapped through the "secrets" file.
	secret      = test2
	shortname   = local
#       # the following three fields are optional, but may be used by
#       # checkrad.pl for simultaneous usage checks
	nastype     = other
#	login       = !root
#	password    = someadminpas
}
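The clients.conf block above and the legacy clients file are supposed to carry the same hosts and secrets, and the secrets in this walkthrough ("test1", "test2") are short test values. The following Python script is an added example, not part of the article or of FreeRADIUS: it parses client blocks in the clients.conf syntax, cross-checks them against the two-column legacy file, and reports secrets that are missing, shorter than a chosen minimum, equal to the documented defaults ("testing123" and friends from the stock comments), or shared by several NAS hosts (a NAS holding the same secret as another can forge that other's requests). The sample configuration embedded below is constructed from the page's hosts; the minimum length of 16, the default-secret list and the localhost alias table are this example's assumptions, and quoted secrets or secrets containing "#" are not handled.

```python
"""Audit FreeRADIUS client definitions (clients.conf plus legacy 'clients')."""
import re

# Constructed sample in the shape of the files on this page (not production values).
CLIENTS_CONF = """
client 127.0.0.1 {
    secret      = test2
    shortname   = localhost
    nastype     = other     # localhost isn't usually a NAS...
}
client 192.168.1.200 {
    secret      = test1
    shortname   = user
}
client 10.1.1.1 {
    secret      = test2
    shortname   = local
}
"""

CLIENTS_LEGACY = """
    # Client Name        Key
#portmaster1.isp.com    testing123
192.168.1.200           test1
localhost               test2
"""

ALIASES = {"localhost": "127.0.0.1"}           # assumption: how we unify host names
KNOWN_DEFAULTS = {"testing123", "testing123-1", "testing123-2"}  # stock example secrets
MIN_SECRET_LEN = 16                             # assumption: local policy


def strip_comment(line):
    """Drop a trailing '#' comment and surrounding whitespace (no quote handling)."""
    return line.split("#", 1)[0].strip()


def parse_clients_conf(text):
    """Return {host: {key: value}} for every 'client <host> { ... }' block."""
    clients, current, name = {}, None, None
    for raw in text.splitlines():
        line = strip_comment(raw)
        if not line:
            continue
        m = re.match(r"client\s+(\S+)\s*\{$", line)
        if m:
            name, current = m.group(1), {}
        elif line == "}":
            if name is not None:
                clients[name] = current
            name, current = None, None
        elif current is not None and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            current[key] = value
    return clients


def parse_legacy_clients(text):
    """Return {host: secret} from the old two-column 'clients' file."""
    out = {}
    for raw in text.splitlines():
        line = strip_comment(raw)
        if line:
            host, secret = line.split()[:2]
            out[host] = secret
    return out


def audit(conf_text, legacy_text):
    """Return a sorted list of findings; an empty list means nothing to report."""
    conf = parse_clients_conf(conf_text)
    legacy = {ALIASES.get(h, h): s for h, s in parse_legacy_clients(legacy_text).items()}
    findings = []
    for host, attrs in conf.items():
        secret = attrs.get("secret", "")
        if not secret:
            findings.append(f"{host}: no secret")
        elif secret in KNOWN_DEFAULTS:
            findings.append(f"{host}: secret is a documented default")
        elif len(secret) < MIN_SECRET_LEN:
            findings.append(f"{host}: secret shorter than {MIN_SECRET_LEN} characters")
        if host in legacy and legacy[host] != secret:
            findings.append(f"{host}: secret differs between clients.conf and legacy clients file")
    for host in legacy:
        if host not in conf:
            findings.append(f"{host}: present in legacy clients file only")
    # One secret on several NAS hosts lets any of them impersonate the others.
    by_secret = {}
    for host, attrs in conf.items():
        if attrs.get("secret"):
            by_secret.setdefault(attrs["secret"], []).append(host)
    for hosts in by_secret.values():
        if len(hosts) > 1:
            findings.append(f"secret shared by {', '.join(sorted(hosts))}")
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit(CLIENTS_CONF, CLIENTS_LEGACY):
        print(finding)
```

Run against the page's own values the audit reports three too-short secrets and the "test2" secret shared between 127.0.0.1 and 10.1.1.1; the legacy file agrees with clients.conf, so no mismatch is reported.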

Create the hints file with the following contents:

DEFAULT	Suffix = ".ppp", Strip-User-Name = Yes
	Hint = "PPP",
	Service-Type = Framed-User,
	Framed-Protocol = PPP

DEFAULT	Suffix = ".slip", Strip-User-Name = Yes
	Hint = "SLIP",
	Service-Type = Framed-User,
	Framed-Protocol = SLIP

DEFAULT	Suffix = ".cslip", Strip-User-Name = Yes
	Hint = "CSLIP",
	Service-Type = Framed-User,
	Framed-Protocol = SLIP,
	Framed-Compression = Van-Jacobson-TCP-IP

Create an empty huntgroups file and a naslist file with the following contents:

localhost		local		portslave

Create an empty preproxy_users file and a users file with the following contents:

DEFAULT         Auth-Type := MS-CHAP

Here we specify that all users must use the MS-CHAP authentication type, version 1 or 2. All versions of MS Windows™ authenticate successfully with this protocol.

Next, configure FreeRadius access to PostgreSQL: copy postgresql.conf.sample to postgresql.conf and change one line. Find the line beginning with

authorize_group_check_query
and change the query text to
"SELECT ${groupcheck_table}.id,${groupcheck_table}.GroupName,${groupcheck_table}.Attribute,${groupcheck_table}.Value,${groupcheck_table}.Op FROM ${groupcheck_table},${usergroup_table} WHERE ${usergroup_table}.Username = '%{SQL-User-Name}' AND ${usergroup_table}.GroupName = ${groupcheck_table}.GroupName ORDER BY ${groupcheck_table}.id"
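To see what this query actually hands back to rlm_sql, here is an added example (not from the article or from FreeRADIUS) that runs the exact query text above against an in-memory SQLite database with constructed rows. The ${groupcheck_table} and ${usergroup_table} placeholders are expanded from a dictionary; the table names radgroupcheck and usergroup are assumed to be the ones the stock postgresql.conf defines, since the page does not show those lines. The per-request '%{SQL-User-Name}' is replaced with a bind parameter rather than pasted into the string: FreeRADIUS escapes that value itself when it expands the query, and the example mirrors the same intent so that a user name containing quotes is looked up literally instead of changing the query.

```python
"""Run the page's authorize_group_check_query against a constructed SQLite database."""
import sqlite3

# The query exactly as written on the page (FreeRADIUS ${...} config variables
# plus the per-request %{SQL-User-Name} variable).
GROUPCHECK_QUERY = (
    "SELECT ${groupcheck_table}.id,${groupcheck_table}.GroupName,"
    "${groupcheck_table}.Attribute,${groupcheck_table}.Value,${groupcheck_table}.Op "
    "FROM ${groupcheck_table},${usergroup_table} "
    "WHERE ${usergroup_table}.Username = '%{SQL-User-Name}' "
    "AND ${usergroup_table}.GroupName = ${groupcheck_table}.GroupName "
    "ORDER BY ${groupcheck_table}.id"
)

# Assumption: table names as in the stock postgresql.conf (the page does not show them).
TABLES = {"groupcheck_table": "radgroupcheck", "usergroup_table": "usergroup"}


def expand(template, tables):
    """Substitute ${var} config placeholders and turn the quoted per-request
    user name into a '?' bind parameter (never string-interpolate user input)."""
    sql = template
    for name, value in tables.items():
        sql = sql.replace("${" + name + "}", value)
    return sql.replace("'%{SQL-User-Name}'", "?")


def build_db():
    """Constructed sample data: two groups, two users, one user in both groups."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE radgroupcheck (
            id INTEGER PRIMARY KEY, GroupName TEXT, Attribute TEXT, Value TEXT, Op TEXT);
        CREATE TABLE usergroup (UserName TEXT, GroupName TEXT);
        INSERT INTO radgroupcheck VALUES
            (1, 'vpn',   'Auth-Type',        'MS-CHAP', ':='),
            (2, 'vpn',   'Simultaneous-Use', '1',       ':='),
            (3, 'staff', 'Auth-Type',        'MS-CHAP', ':=');
        INSERT INTO usergroup VALUES ('alice', 'vpn'), ('bob', 'staff'), ('bob', 'vpn');
    """)
    return con


def group_check_items(con, username):
    """Return (GroupName, Attribute, Op, Value) tuples in radgroupcheck.id order,
    i.e. the rows rlm_sql turns into check items for this user; an empty list
    means the user belongs to no group and no group check items apply."""
    rows = con.execute(expand(GROUPCHECK_QUERY, TABLES), (username,)).fetchall()
    return [(group, attr, op, value) for (_id, group, attr, value, op) in rows]


if __name__ == "__main__":
    db = build_db()
    for user in ("alice", "bob", "mallory"):
        print(user, group_check_items(db, user))
```

Because the user name is bound, a request whose User-Name is something like `' OR '1'='1` matches no usergroup row and gets no check items, which is the behaviour one wants from the real server's escaping as well.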

The proxy.conf file:

proxy server {

#
#  If the NAS re-sends the request to us, we can immediately re-send
#  the proxy request to the end server.  To do so, use 'yes' here.
#
#  If this is set to 'no', then we send the retries on our own schedule,
#  and ignore any duplicate NAS requests.
#
#  If you want to have the server send proxy retries ONLY when the NAS
#  sends its retries to the server, then set this to 'yes', and
#  set the other proxy configuration parameters to 0 (zero).
#
	synchronous = no

#
#  The time (in seconds) to wait for a response from the proxy, before
#  re-sending the proxied request.
#
#  If this time is set too high, then the NAS may re-send the request,
#  or it may give up entirely, and reject the user.
#
#  If it is set too low, then the RADIUS server which receives the proxy
#  request will get kicked unnecessarily.
#
	retry_delay = 5

#
#  The number of retries to send before giving up, and sending a reject
#  message to the NAS.
#
	retry_count = 3

#
#  If the home server does not respond to any of the multiple retries,
#  then FreeRADIUS will stop sending it proxy requests, and mark it 'dead'.
#
#  If there are multiple entries configured for this realm, then the
#  server will fail-over to the next one listed.  If no more are listed,
#  then no requests will be proxied to that realm.
#
#
#  After a configurable 'dead_time', in seconds, FreeRADIUS will
#  speculatively mark the home server active, and start sending requests
#  to it again.
#
#  If this dead time is set too low, then you will lose requests,
#  as FreeRADIUS will quickly switch back to the home server, even if
#  it isn't up again.
#
#  If this dead time is set too high, then FreeRADIUS may take too long
#  to switch back to the primary home server.
#
#  Realistic values for this number are in the range of minutes to hours.
#  (60 to 3600)
#
	dead_time = 120

#  If you choose to list a realm more then once for fall-through or 
#  round-robin, then specify the total number of alternates here. Specify
#  a ldflag attribute for all realms to be included in a round-robin 
#  setup. Currently (0 or fail_over) and (1 or round_robin) are the 
#  supported values for ldflag. Fail-Over is the default setup.
#
	servers_per_realm = 15

#
#  If all exact matching realms did not respond, we can try the
#  DEFAULT realm, too.  This is what the server normally does.
#
#  This behaviour may be undesired for some cases.  e.g. You are proxying
#  for two different ISP's, and then act as a general dial-up for Gric.
#  If one of the first two ISP's has their RADIUS server go down, you do
#  NOT want to proxy those requests to GRIC.  Instead, you probably want
#  to just drop the requests on the floor.  In that case, set this value
#  to 'no'.
#
#  allowed values: {yes, no}
#
	default_fallback = yes
}

The radiusd.conf file:

#
## radiusd.conf	-- FreeRADIUS server configuration file.
##
##	http://www.freeradius.org/
##	$Id: radiusd.conf.in,v 1.123 2002/11/12 20:22:48 aland Exp $
##

#  	The location of other config files and
#  	logfiles are declared in this file
#
#  	Also general configuration for modules can be done
#  	in this file, it is exported through the API to
#  	modules that ask for it.
#
#	The configuration variables defined here are of the form ${foo}
#	They are local to this file, and do not change from request to
#	request.
#
#	The per-request variables are of the form %{Attribute-Name}, and
#	are taken from the values of the attribute in the incoming
#	request.  See 'doc/variables.txt' for more information.

prefix = /usr/local
exec_prefix = ${prefix}
sysconfdir = ${prefix}/etc
localstatedir = /var
sbindir = ${exec_prefix}/sbin
logdir = /var/log
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct

#  Location of config and logfiles.
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/radiusd

#
#  The logging messages for the server are appended to the
#  tail of this file.
#
log_file = ${logdir}/radius.log

#
# libdir: Where to find the rlm_* modules.
#
#   This should be automatically set at configuration time.
#
#   If the server builds and installs, but fails at execution time
#   with an 'undefined symbol' error, then you can use the libdir
#   directive to work around the problem.
#
#   The cause is usually that a library has been installed on your
#   system in a place where the dynamic linker CANNOT find it.  When
#   executing as root (or another user), your personal environment MAY
#   be set up to allow the dynamic linker to find the library.  When
#   executing as a daemon, FreeRADIUS MAY NOT have the same
#   personalized configuration.
#
#   To work around the problem, find out which library contains that symbol,
#   and add the directory containing that library to the end of 'libdir',
#   with a colon separating the directory names.  NO spaces are allowed.
#
#   e.g. libdir = /usr/local/lib:/opt/package/lib
#
#   You can also try setting the LD_LIBRARY_PATH environment variable
#   in a script which starts the server.
#
#   If that does not work, then you can re-configure and re-build the
#   server to NOT use shared libraries, via:
#
#	./configure --disable-shared
#	make
#	make install
#
libdir = ${exec_prefix}/lib

#  pidfile: Where to place the PID of the RADIUS server.
#
#  The server may be signalled while it's running by using this
#  file.
#
#  This file is written when ONLY running in daemon mode.
#
#  e.g.:  kill -HUP `cat /var/run/radiusd/radiusd.pid`
#
pidfile = ${run_dir}/radiusd.pid


# user/group: The name (or #number) of the user/group to run radiusd as.
#
#   If these are commented out, the server will run as the user/group
#   that started it.  In order to change to a different user/group, you
#   MUST be root ( or have root privileges ) to start the server.
#
#   We STRONGLY recommend that you run the server with as few permissions
#   as possible.  That is, if you're not using shadow passwords, the
#   user and group items below should be set to 'nobody'.
#
#    On SCO (ODT 3) use "user = nouser" and "group = nogroup".
#
#  NOTE that some kernels refuse to setgid(group) when the value of
#  (unsigned)group is above 60000; don't use group nobody on these systems!
#
#  On systems with shadow passwords, you might have to set 'group = shadow'
#  for the server to be able to read the shadow password file.  If you can
#  authenticate users while in debug mode, but not in daemon mode, it may be
#  that the debugging mode server is running as a user that can read the
#  shadow info, and the user listed below can not.
#
user = nobody
group = nogroup

#  max_request_time: The maximum time (in seconds) to handle a request.
#
#  Requests which take more time than this to process may be killed, and
#  a REJECT message is returned.
#
#  WARNING: If you notice that requests take a long time to be handled,
#  then this MAY INDICATE a bug in the server, in one of the modules
#  used to handle a request, OR in your local configuration.
#
#  This problem is most often seen when using an SQL database.  If it takes
#  more than a second or two to receive an answer from the SQL database,
#  then it probably means that you haven't indexed the database.  See your
#  SQL server documentation for more information.
#
#  Useful range of values: 5 to 120
#
max_request_time = 5

#  delete_blocked_requests: If the request takes MORE THAN 'max_request_time'
#  to be handled, then maybe the server should delete it.
#
#  If you're running in threaded, or thread pool mode, this setting
#  should probably be 'no'.  Setting it to 'yes' when using a threaded
#  server MAY cause the server to crash!
#
delete_blocked_requests = no

#  cleanup_delay: The time to wait (in seconds) before cleaning up
#  a reply which was sent to the NAS.
#
#  The RADIUS request is normally cached internally for a short period
#  of time, after the reply is sent to the NAS.  The reply packet may be
#  lost in the network, and the NAS will not see it.  The NAS will then
#  re-send the request, and the server will respond quickly with the
#  cached reply.
#
#  If this value is set too low, then duplicate requests from the NAS
#  MAY NOT be detected, and will instead be handled as separate requests.
#
#  If this value is set too high, then the server will cache too many
#  requests, and some new requests may get blocked.  (See 'max_requests'.)
#
#  Useful range of values: 2 to 10
#
cleanup_delay = 5

#  max_requests: The maximum number of requests which the server keeps
#  track of.  This should be 256 multiplied by the number of clients.
#  e.g. With 4 clients, this number should be 1024.
#
#  If this number is too low, then when the server becomes busy,
#  it will not respond to any new requests, until the 'cleanup_delay'
#  time has passed, and it has removed the old requests.
#
#  If this number is set too high, then the server will use a bit more
#  memory for no real benefit.
#
#  If you aren't sure what it should be set to, it's better to set it
#  too high than too low.  Setting it to 1000 per client is probably
#  the highest it should be.
#
#  Useful range of values: 256 to infinity
#
max_requests = 1024

#  bind_address:  Make the server listen on a particular IP address, and
#  send replies out from that address.  This directive is most useful
#  for machines with multiple IP addresses on one interface.
#
#  It can either contain "*", or an IP address, or a fully qualified
#  Internet domain name.  The default is "*"
#
bind_address = 10.1.1.1

#  port: Allows you to bind FreeRADIUS to a specific port.
#
#  The default port that most NAS boxes use is 1645, which is historical.
#  RFC 2138 defines 1812 to be the new port.  Many new servers and
#  NAS boxes use 1812, which can create interoperability problems.
#
#  The port is defined here to be 0 so that the server will pick up
#  the machine's local configuration for the radius port, as defined
#  in /etc/services.
#
#  If you want to use the default RADIUS port as defined on your server,
#  (usually through 'grep radius /etc/services') set this to 0 (zero).
#
#  A port given on the command-line via '-p' over-rides this one.
#
port = 1812

#  hostname_lookups: Log the names of clients or just their IP addresses
#  e.g., www.freeradius.org (on) or 206.47.27.232 (off).
#
#  The default is 'off' because it would be overall better for the net
#  if people had to knowingly turn this feature on, since enabling it
#  means that each client request will result in AT LEAST one lookup
#  request to the nameserver.   Enabling hostname_lookups will also
#  mean that your server may stop randomly for 30 seconds from time
#  to time, if the DNS requests take too long.
#
#  Turning hostname lookups off also means that the server won't block
#  for 30 seconds, if it sees an IP address which has no name associated
#  with it.
#
#  allowed values: {no, yes}
#
hostname_lookups = no

#  Core dumps are a bad thing.  This should only be set to 'yes'
#  if you're debugging a problem with the server.
#
#  allowed values: {no, yes}
#
allow_core_dumps = no

#  Regular expressions
#
#  These items are set at configure time.  If they're set to "yes",
#  then setting them to "no" turns off regular expression support.
#
#  If they're set to "no" at configure time, then setting them to "yes"
#  WILL NOT WORK.  It will give you an error.
#
regular_expressions	= yes
extended_expressions	= yes

#  Log the full User-Name attribute, as it was found in the request.
#
# allowed values: {no, yes}
#
log_stripped_names = yes

#  Log authentication requests to the log file.
#
#  allowed values: {no, yes}
#
log_auth = yes

#  Log passwords with the authentication requests.
#  log_auth_badpass  - logs password if it's rejected
#  log_auth_goodpass - logs password if it's correct
#
#  allowed values: {no, yes}
#
log_auth_badpass = yes
log_auth_goodpass = no

# usercollide:  Turn "username collision" code on and off.  See the
# "doc/duplicate-users" file
#
usercollide = no

# lower_user / lower_pass:  
# Lower case the username/password "before" or "after"
# attempting to authenticate.  
#
#  If "before", the server will first modify the request and then try
#  to auth the user.  If "after", the server will first auth using the
#  values provided by the user.  If that fails it will reprocess the
#  request after modifying it as you specify below.
#
#  This is as close as we can get to case insensitivity.  It is the
#  admin's job to ensure that the username on the auth db side is
#  *also* lowercase to make this work
#
# Default is 'no' (don't lowercase values)
# Valid values = "before" / "after" / "no"
#
lower_user = yes
lower_pass = no

# nospace_user / nospace_pass:
#
#  Some users like to enter spaces in their username or password
#  incorrectly.  To save yourself the tech support call, you can
#  eliminate those spaces here:
#
# Default is 'no' (don't remove spaces)
# Valid values = "before" / "after" / "no" (explanation above)
#
nospace_user = yes
nospace_pass = no

#  The program to execute to do concurrency checks.
checkrad = ${sbindir}/checkrad

# SECURITY CONFIGURATION
#
#  There may be multiple methods of attacking on the server.  This
#  section holds the configuration items which minimize the impact
#  of those attacks
#
security {
	#
	#  max_attributes: The maximum number of attributes
	#  permitted in a RADIUS packet.  Packets which have MORE
	#  than this number of attributes in them will be dropped.
	#
	#  If this number is set too low, then no RADIUS packets
	#  will be accepted.
	#
	#  If this number is set too high, then an attacker may be
	#  able to send a small number of packets which will cause
	#  the server to use all available memory on the machine.
	#
	#  Setting this number to 0 means "allow any number of attributes"
	max_attributes = 200

	#
	#  delayed_reject: When sending an Access-Reject, it can be
	#  delayed for a few seconds.  This may help slow down a DoS
	#  attack.  It also helps to slow down people trying to brute-force
	#  crack a users password.
	#
	#  Setting this number to 0 means "send rejects immediately"
	#
	#  If this number is set higher than 'cleanup_delay', then the
	#  rejects will be sent at 'cleanup_delay' time, when the request
	#  is deleted from the internal cache of requests.
	#
	#  Useful ranges: 1 to 5
	reject_delay = 1

	#
	#  status_server: Whether or not the server will respond
	#  to Status-Server requests.
	#
	#  Normally this should be set to "no", because they're useless.
	#  See: http://www.freeradius.org/rfc/rfc2865.html#Keep-Alives
	#
	#  However, certain NAS boxes may require them.	
	#
	#  When sent a Status-Server message, the server responds with
	#  and Access-Accept packet, containing a Reply-Message attribute,
	#  which is a string describing how long the server has been
	#  running.
	#
	status_server = no
}

# PROXY CONFIGURATION
#
#  proxy_requests: Turns proxying of RADIUS requests on or off.
#
#  The server has proxying turned on by default.  If your system is NOT
#  set up to proxy requests to another server, then you can turn proxying
#  off here.  This will save a small amount of resources on the server.
#
#  If you have proxying turned off, and your configuration files say
#  to proxy a request, then an error message will be logged.
#
#  To disable proxying, change the "yes" to "no", and comment the
#  $INCLUDE line.
#
#  allowed values: {no, yes}
#
proxy_requests  = yes
$INCLUDE  ${confdir}/proxy.conf


# CLIENTS CONFIGURATION
#
#  Client configuration is defined in "clients.conf".  
#

#  The 'clients.conf' file contains all of the information from the old
#  'clients' and 'naslist' configuration files.  We recommend that you
#  do NOT use 'client's or 'naslist', although they are still
#  supported.
#
#  Anything listed in 'clients.conf' will take precedence over the
#  information from the old-style configuration files.
#
$INCLUDE  ${confdir}/clients.conf


# SNMP CONFIGURATION
#
#  Snmp configuration is only valid if you enabled SNMP support when
#  you compiled radiusd.
#
$INCLUDE  ${confdir}/snmp.conf


# THREAD POOL CONFIGURATION
#
#  The thread pool is a long-lived group of threads which
#  take turns (round-robin) handling any incoming requests.
#
#  You probably want to have a few spare threads around,
#  so that high-load situations can be handled immediately.  If you
#  don't have any spare threads, then the request handling will
#  be delayed while a new thread is created, and added to the pool.
#
#  You probably don't want too many spare threads around,
#  otherwise they'll be sitting there taking up resources, and
#  not doing anything productive.
#
#  The numbers given below should be adequate for most situations.
#
thread pool {
	#  Number of servers to start initially --- should be a reasonable
	#  ballpark figure.
	start_servers = 2

	#  Limit on the total number of servers running.
	#
	#  If this limit is ever reached, clients will be LOCKED OUT, so it
	#  should NOT BE SET TOO LOW.  It is intended mainly as a brake to
	#  keep a runaway server from taking the system with it as it spirals
	#  down...
	#
	#  You may find that the server is regularly reaching the
	#  'max_servers' number of threads, and that increasing
	#  'max_servers' doesn't seem to make much difference.
	#
	#  If this is the case, then the problem is MOST LIKELY that
	#  your back-end databases are taking too long to respond, and
	#  are preventing the server from responding in a timely manner.
	#
	#  The solution is NOT to keep increasing the 'max_servers'
	#  value, but instead to fix the underlying cause of the
	#  problem: slow database, or 'hostname_lookups=yes'.
	#
	#  For more information, see 'max_request_time', above.
	#
	max_servers = 10

	#  Server-pool size regulation.  Rather than making you guess
	#  how many servers you need, FreeRADIUS dynamically adapts to
	#  the load it sees, that is, it tries to maintain enough
	#  servers to handle the current load, plus a few spare
	#  servers to handle transient load spikes.
	#
	#  It does this by periodically checking how many servers are
	#  waiting for a request.  If there are fewer than
	#  min_spare_servers, it creates a new spare.  If there are
	#  more than max_spare_servers, some of the spares die off.
	#  The default values are probably OK for most sites.
	#
	min_spare_servers = 2
	max_spare_servers = 10

	#  There may be memory leaks or resource allocation problems with
	#  the server.  If so, set this value to 300 or so, so that the
	#  resources will be cleaned up periodically.
	#
	#  This should only be necessary if there are serious bugs in the
	#  server which have not yet been fixed.
	#
	#  '0' is a special value meaning 'infinity', or 'the servers never
	#  exit'
	max_requests_per_server = 0
}

# MODULE CONFIGURATION
#
#  The names and configuration of each module is located in this section.
#
#  After the modules are defined here, they may be referred to by name,
#  in other sections of this configuration file.
#
modules {

	# CHAP module
	#
	#  To authenticate requests containing a CHAP-Password attribute.
	#
	chap {
		authtype = CHAP
	}
	unix {
		#
		#  Cache /etc/passwd, /etc/shadow, and /etc/group
		#
		#  The default is to NOT cache them.
		#
		#  For FreeBSD, you do NOT want to enable the cache,
		#  as its password lookups are done via a database, so
		#  set this value to 'no'.
		#
		#  Some systems (e.g. RedHat Linux with pam_pwbd) can
		#  take *seconds* to check a password, from a passwd
		#  file containing 1000's of entries.  For those systems,
		#  you should set the cache value to 'yes', and set
		#  the locations of the 'passwd', 'shadow', and 'group'
		#  files, below.
		#
		# allowed values: {no, yes}
		cache = no

		# Reload the cache every 600 seconds (10mins). 0 to disable.
		cache_reload = 600

		#
		#  Define the locations of the normal passwd, shadow, and
		#  group files.
		#
		#  'shadow' is commented out by default, because not all
		#  systems have shadow passwords.
		#
		#  To force the module to use the system password functions,
		#  instead of reading the files, leave the following entries
		#  commented out.
		#
		#  This is required for some systems, like FreeBSD,
		#  and Mac OSX.
		#
		#	passwd = /etc/passwd
		#	shadow = /etc/shadow
		#	group = /etc/group


		#
		#  Where the 'wtmp' file is located.
		#  This should be moved to its own module soon.
		#
		#  The only use for 'radlast'.  If you don't use
		#  'radlast', then you can comment out this item.
		#
		radwtmp = ${logdir}/radwtmp
	}

	# Microsoft CHAP authentication
	#
	#  This module supports SAMBA passwd file authorization
	#  and MS-CHAP, MS-CHAPv2 authentication.  However, we recommend
	#  using the 'passwd' module, below, as it's more general.
	#
	mschap {
		# Location of the SAMBA passwd file
		#	passwd = /etc/smbpasswd

		# authtype value, if present, will be used
		# to overwrite (or add) Auth-Type during
		# authorization. Normally should be MS-CHAP
		authtype = MS-CHAP
		
		# If ignore_password is set to yes mschap will
		# ignore the password set by any other module during
		# authorization and will always use the SAMBA password file
		#	ignore_password = yes  

		# if use_mppe is not set to no mschap will
		# add MS-CHAP-MPPE-Keys for MS-CHAPv1 and
		# MS-MPPE-Recv-Key/MS-MPPE-Send-Key for MS-CHAPv2
		#	use_mppe = yes

		# if mppe is enabled require_encryption makes
		# encryption moderate
		#	require_encryption = yes

		# require_strong always requires 128 bit key
		# encryption
		#	require_strong = yes
	}

	# Realm module, for proxying.
	#
	#  You can have multiple instances of the realm module to
	#  support multiple realm syntaxes at the same time.  The
	#  search order is defined by the order in the authorize and
	#  preacct blocks after the module config block.
	#
	#  Two config options:
	#	format     -  must be 'prefix' or 'suffix'
	#	delimiter  -  must be a single character

	#  'username@realm'
	#
	realm suffix {
		format = suffix
		delimiter = "@"
	}

	#  'realm/username'
	#
	#  Using this entry, IPASS users have their realm set to "IPASS".
	realm realmslash {
		format = prefix
		delimiter = "/"
	}

	#  'username%realm'
	#
	realm realmpercent {
		format = suffix
		delimiter = "%"
	}
	
	#  rewrite arbitrary packets.  Useful in accounting and authorization.
	#
	## This module is highly experimental at the moment.  Please give 
	## feedback to the mailing list.
	#
	#  The module can also use the Rewrite-Rule attribute. If it
	#  is set and matches the name of the module instance, then
	#  that module instance will be the only one which runs.
	#
	#  Also if new_attribute is set to yes then a new attribute
	#  will be created containing the value replacewith and it
	#  will be added to searchin (packet, reply or config).
	# searchfor,ignore_case and max_matches will be ignored in that case.

	#
	#attr_rewrite sanecallerid {
	#	attribute = Called-Station-Id
		# may be "packet", "reply", or "config"
	#	searchin = packet
	#	searchfor = "[+ ]"
	#	replacewith = ""
	#	ignore_case = no
	#	new_attribute = no
	#	max_matches = 10
	#	## If set to yes then the replace string will be appended to the original string
	#	append = no
	#}

	# Preprocess the incoming RADIUS request, before handing it off
	# to other modules.
	#
	#  This module processes the 'huntgroups' and 'hints' files.
	#  In addition, it re-writes some weird attributes created
	#  by some NASes, and converts the attributes into a form which
	#  is a little more standard.
	#
	preprocess {
#		huntgroups = ${confdir}/huntgroups
#		hints = ${confdir}/hints
#
		# This hack changes Ascend's weird port numberings
		# to standard 0-??? port numbers so that the "+" works
		# for IP address assignments.
#		with_ascend_hack = no
#		ascend_channels_per_line = 23

		# Windows NT machines often authenticate themselves as
		# NT_DOMAIN\username
		#
		# If this is set to 'yes', then the NT_DOMAIN portion
		# of the user-name is silently discarded.
#		with_ntdomain_hack = no

		# Specialix Jetstream 8500 24 port access server.
		#
		# If the user name is 10 characters or longer, a "/"
		# and the excess characters after the 10th are
		# appended to the user name.
		#
		# If you're not running that NAS, you don't need
		# this hack.
#		with_specialix_jetstream_hack = no

		# Cisco sends its VSA attributes with the attribute
		# name *again* in the string, like:
		#
		#   H323-Attribute = "h323-attribute=value".
		#
		# If this configuration item is set to 'yes', then
		# the redundant data in the attribute text is stripped
		# out.  The result is:
		#
		#  H323-Attribute = "value"
		#
		# If you're not running a Cisco NAS, you don't need
		# this hack.
		with_cisco_vsa_hack = no
	}

	# Livingston-style 'users' file
	#
	files {
		usersfile = ${confdir}/users
		acctusersfile = ${confdir}/acct_users

		#  If you want to use the old Cistron 'users' file
		#  with FreeRADIUS, you should change the next line
		#  to 'compat = cistron'.  You can then copy your 'users'
		#  file from Cistron.
		compat = no
	}

	# Write a detailed log of all accounting records received.
	#
	detail {
		#  Note that we do NOT use NAS-IP-Address here, as
		#  that attribute MAY BE from the originating NAS, and
		#  NOT from the proxy which actually sent us the
		#  request.  The Client-IP-Address attribute is ALWAYS
		#  the address of the client which sent us the
		#  request.
		#
		#  The following line creates a new detail file for
		#  every radius client (by IP address or hostname).
		#  In addition, a new detail file is created every
		#  day, so that the detail file doesn't have to go
		#  through a 'log rotation'
		#
		#  If your detail files are large, you may also want
		#  to add a ':%H' (see doc/variables.txt) to the end
		#  of it, to create a new detail file every hour, e.g.:
		#
		#   ..../detail-%Y%m%d:%H
		#
		#  This will create a new detail file for every hour.
		#
		detailfile = ${logdir}/radius-detail.log

		#
		#  The Unix-style permissions on the 'detail' file.
		#
		#  The detail file often contains secret or private
		#  information about users.  So by keeping the file
		#  permissions restrictive, we can prevent unwanted
		#  people from seeing that information.
		detailperm = 0644
	}

	# Create a unique accounting session Id.  Many NASes re-use or
	# repeat values for Acct-Session-Id, causing no end of
	# confusion.
	#
	#  This module will add a (probably) unique session id 
	#  to an accounting packet based on the attributes listed
	#  below found in the packet.  See doc/rlm_acct_unique for
	#  more information.
	#
	acct_unique {
		key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port-Id"
	}


	# Include another file that has the SQL-related configuration.
	# This is another file solely because it tends to be big.
	#
	#  The following configuration file is for use with MySQL.
	#
	# For Postgresql, use:		${confdir}/postgresql.conf
	# For MS-SQL, use:	 	${confdir}/mssql.conf
	#
	$INCLUDE  ${confdir}/postgresql.conf

	# Write a 'utmp' style log file, of which users are currently
	# logged in, and where they've logged in from.
	#
	radutmp {
		filename = ${logdir}/radutmp

		# Set the file permissions, as the contents of this file
		# are usually private.
		perm = 0600

		callerid = "yes"
	}

	# "Safe" radutmp - does not contain caller ID, so it can be
	# world-readable, and radwho can work for normal users, without
	# exposing any information that isn't already exposed by who(1).
	#
	# This is another instance of the radutmp module, but it is given
	# the name "sradutmp" to identify it later in the "accounting"
	# section.
	radutmp sradutmp {
		filename = ${logdir}/sradutmp
		perm = 0644
		callerid = "no"
	}

	# attr_filter - filters the attributes received in replies from
	# proxied servers, to make sure we send back to our RADIUS client
	# only allowed attributes.
	attr_filter {
		attrsfile = ${confdir}/attrs
	}

	#  This module takes an attribute (count-attribute).
	#  It also takes a key, and creates a counter for each unique
	#  key.  The count is incremented when accounting packets are
	#  received by the server.  The value of the increment depends
	#  on the attribute type.
	#  If the attribute is Acct-Session-Time or an integer we add the
	#  value of the attribute. If it is anything else we increase the
	#  counter by one.
	#
	#  The 'reset' parameter defines when the counters are all reset to
	#  zero.  It can be hourly, daily, weekly, monthly or never.
	#  It can also be user defined. It should be of the form:
	#  num[hdwm] where:
	#  h: hours, d: days, w: weeks, m: months
	#  If the letter is omitted, days will be assumed. For example:
	#  reset = 10h (reset every 10 hours)
	#  reset = 12  (reset every 12 days)
	#
	#
	#  The check-name attribute defines an attribute which will be
	#  registered by the counter module and can be used to set the
	#  maximum allowed value for the counter after which the user
	#  is rejected.
	#  Something like:
	#
	#  DEFAULT Max-Daily-Session := 36000
	#          Fall-Through = 1
	#
	#  You should add the counter module in the instantiate
	#  section so that it registers check-name before the files
	#  module reads the users file.
	#
	#  If check-name is set and the user is to be rejected then we
	#  send back a Reply-Message and we log a Failure-Message in
	#  the radius.log
	#
	#  The counter-name can also be used like below:
	#
	#  DEFAULT  Daily-Session-Time > 3600, Auth-Type = Reject
	#      Reply-Message = "You've used up more than one hour today"
	#
	#  The allowed-servicetype attribute can be used to only take
	#  into account specific sessions. For example if a user first
	#  logs in through a login menu and then selects ppp there will
	#  be two sessions. One for Login-User and one for Framed-User
	#  service type. We only need to take into account the second one.
	#
	#  The module should be added in the instantiate, authorize and
	#  accounting sections.  Make sure that in the authorize
	#  section it comes after any module which sets the
	#  'check-name' attribute.
	#
	counter {
		filename = ${raddbdir}/db.counter
		key = User-Name
		count-attribute = Acct-Session-Time
		reset = daily
		counter-name = Daily-Session-Time
		check-name = Max-Daily-Session
		allowed-servicetype = Framed-User
		cache-size = 5000
	}

	# The "always" module is here for debugging purposes. Each
	# instance simply returns the same result, always, without
	# doing anything.
	always fail {
		rcode = fail
	}
	always reject {
		rcode = reject
	}
	always ok {
		rcode = ok
		simulcount = 0
		mpp = no
	}

	#
	#  The 'expression' module current has no configuration.
	expr {
	}

	# ANSI X9.9 token support.  Not included by default.
	# $INCLUDE  ${confdir}/x99.conf

}

# Instantiation
#
#  This section orders the loading of the modules.  Modules
#  listed here will get loaded BEFORE the later sections like
#  authorize, authenticate, etc. get examined.
#
#  This section is not strictly needed.  When a section like
#  authorize refers to a module, it's automatically loaded and
#  initialized.  However, some modules may not be listed in any
#  of the following sections, so they can be listed here.
#
#  Also, listing modules here ensures that you have control over
#  the order in which they are initialized.  If one module needs
#  something defined by another module, you can list them in order
#  here, and ensure that the configuration will be OK.
#
instantiate {
	#
	#  The expression module doesn't do authorization,
	#  authentication, or accounting.  It only does dynamic
	#  translation, of the form:
	#
	#	Session-Timeout = `%{expr:2 + 3}`
	#
	#  So the module needs to be instantiated, but CANNOT be
	#  listed in any other section.  See 'doc/rlm_expr' for
	#  more information.
	#
	expr
}

#  Authorization. First preprocess (hints and huntgroups files),
#  then realms, and finally look in the "users" file.
#
#  The order of the realm modules will determine the order that
#  we try to find a matching realm.
#
#  Make *sure* that 'preprocess' comes before any realm if you 
#  need to setup hints for the remote radius server
authorize {

	preprocess
#	chap

#	counter
#	attr_filter
#	eap
	suffix
#	files
#	etc_smbpasswd
 	sql
	mschap
}


# Authentication.
#
#  This section lists which modules are available for authentication.
#  Note that it does NOT mean 'try each module in order'.  It means
#  that you have to have a module from the 'authorize' section add
#  a configuration attribute 'Auth-Type := FOO'.  That authentication type
#  is then used to pick the appropriate module from the list below.
#
#  The default Auth-Type is Local.  That is, whatever is not included inside
# an authtype section will be called only if Auth-Type is set to Local.
#
# So you should do the following:
# - Set Auth-Type to an appropriate value in the authorize modules above.
#   For example, the chap module will set Auth-Type to CHAP, ldap to LDAP, etc.
# - After that create corresponding authtype sections in the
#   authenticate section below and call the appropriate modules.
authenticate {

#	authtype CHAP {
#		chap
#	}

	authtype MS-CHAP {
		mschap
	}
}

#  Pre-accounting. Look for proxy realm in order of realms, then 
#  acct_users file, then preprocess (hints file).
preacct {
	preprocess
	suffix
#	files
}


#  Accounting. Log to detail file, and to the radwtmp file, and maintain
#  radutmp.
accounting {
	acct_unique
	detail
#	counter
	unix		# wtmp file
	sql
	radutmp
#	sradutmp
}


#  Session database, used for checking Simultaneous-Use. Either the radutmp 
#  or rlm_sql module can handle this.
#  The rlm_sql module is *much* faster
session {
#	radutmp
	sql
}


#  Post-Authentication
#  Once we KNOW that the user has been authenticated, there are
#  additional steps we can take.
post-auth {
	  #  Get an address from the IP Pool.
	  #main_pool
}

Leave the snmp.conf file empty.

Entering users into the database

First we need to create the database and the tables in it. Look in postgresql.conf and you will see:

	server = "10.1.1.1"
	login = "cm"
	password = ""
	
	# Database table configuration
	radius_db = "radius"
Accordingly, we need to create the database radius owned by the user cm.

/usr/local/pgsql/bin/createuser cm
/usr/local/pgsql/bin/createdb -U cm radius
/usr/local/pgsql/bin/psql -U cm radius

We are now connected to the database we need and must create the tables in it:

\i /usr/ports/net/freeradius/work/freeradius-0.8.1/src/modules/rlm_sql/drivers/rlm_sql_postgresql/db_postgresql.sql
\q

Now users can be created. The assumption is that RADIUS will verify the user's login/password pair and hand out an IP address. For each user we need the following information: login, password, ip. This gives the following 4 SQL statements per user:

insert into usergroup(username, groupname) values('login', 'users');
insert into radcheck(username, attribute, op, value) values('login', 'Password', ':=', 'password');
insert into radreply(username, attribute, op, value) values('login', 'Framed-IP-Address', ':=', 'IP');
insert into radreply(username, attribute, op, value) values('login', 'Framed-IP-Netmask', ':=', '255.255.255.255');
Enter all users into the database in this way.
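Typing the four statements by hand for every user invites typos and, because the values are spliced into SQL literals, a login or password containing a quote character breaks the statement. The following generator is an added example (not code from the article or from FreeRADIUS): it produces exactly the four statements shown above for each (login, password, ip) triple, quotes the literals properly, rejects malformed logins and addresses, and refuses duplicate logins or duplicate Framed-IP-Address values, since two users with the same static address would collide. The pool 10.1.5.0/24 is an assumption taken from the addresses used elsewhere in the article. Note that radcheck holds the password in cleartext (the Password attribute), so the PostgreSQL account cm, which the article's postgresql.conf configures with an empty password, should be restricted to the RADIUS host.

```python
"""Generate FreeRADIUS 0.8.1 usergroup/radcheck/radreply INSERT statements.

Added example, not part of the original article. Schema table and column
names are those the article's db_postgresql.sql creates; the address pool
below is an assumption matching the article's 10.1.5.x addresses.
"""
import ipaddress
import re

# Conservative login syntax: letters, digits, '_', '.', '-', at most 64 chars.
USER_RE = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")
# Assumed address pool; every Framed-IP-Address must fall inside it.
POOL = ipaddress.ip_network("10.1.5.0/24")


def sql_quote(value: str) -> str:
    """Quote a SQL string literal by doubling embedded single quotes."""
    return "'" + value.replace("'", "''") + "'"


def user_statements(login: str, password: str, ip: str, group: str = "users") -> list[str]:
    """Return the 4 INSERT statements for one user; raise ValueError on bad input."""
    if not USER_RE.match(login):
        raise ValueError(f"bad login: {login!r}")
    if not password or "\n" in password:
        raise ValueError(f"empty or multi-line password for {login}")
    addr = ipaddress.ip_address(ip)          # raises ValueError on garbage
    if addr not in POOL:
        raise ValueError(f"{ip} outside pool {POOL}")
    q = sql_quote
    return [
        f"insert into usergroup(username, groupname) values({q(login)}, {q(group)});",
        f"insert into radcheck(username, attribute, op, value) values({q(login)}, 'Password', ':=', {q(password)});",
        f"insert into radreply(username, attribute, op, value) values({q(login)}, 'Framed-IP-Address', ':=', {q(str(addr))});",
        f"insert into radreply(username, attribute, op, value) values({q(login)}, 'Framed-IP-Netmask', ':=', '255.255.255.255');",
    ]


def validate_users(users) -> list[str]:
    """Return a list of problems for a list of (login, password, ip); empty when consistent."""
    problems, logins, ips = [], set(), set()
    for login, password, ip in users:
        try:
            user_statements(login, password, ip)
        except ValueError as err:
            problems.append(str(err))
        if login in logins:
            problems.append(f"duplicate login {login}")
        if ip in ips:
            problems.append(f"duplicate address {ip}")
        logins.add(login)
        ips.add(ip)
    return problems


def build_script(users) -> str:
    """Return one SQL script for all users, or raise ValueError listing every problem."""
    problems = validate_users(users)
    if problems:
        raise ValueError("; ".join(problems))
    return "\n".join(stmt for user in users for stmt in user_statements(*user)) + "\n"


if __name__ == "__main__":
    # Constructed sample input; feed the output to: psql -U cm radius
    sample = [("testuser", "testpassword", "10.1.5.2"), ("bob", "it's secret", "10.1.5.3")]
    print(build_script(sample), end="")
```

Running the module prints the script for the constructed sample, which can be piped into psql -U cm radius; the second user shows the doubled quote that keeps the literal intact.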

Now freeradius can be started.

/usr/local/etc/rc.d/radiusd.sh start
There should be no error messages in /var/log/radius.log.

Checking FreeRadius

To check, run the following from the local machine (which, I hope, you entered in clients.conf):

radtest user password <IP address of the radius server> 1812 <password for the radius server>

for example:

radtest testuser testpassword 10.1.1.1 1812 test2

Of course, testuser and testpassword must be present in the user database. The result will be:

Sending Access-Request of id 148 to 10.1.1.1:1812
        User-Name = "testuser"
        User-Password = "W\202$Y\374x\251p^\302M\376\202U\212\031"
        NAS-IP-Address = host.domain
        NAS-Port = 1812
rad_recv: Access-Accept packet from host 10.1.1.1:1812, id=41, length=32
        Framed-IP-Address = 10.1.5.2
        Framed-IP-Netmask = 255.255.255.255		
That is, the RADIUS server verified the password for this user and handed out an IP address. If the password did not check out, we get instead:
rad_recv: Access-Reject packet from host 10.1.1.1:1812, id=148, length=20
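The User-Password line in the radtest output above is printed as raw bytes because RADIUS does not send the password in the clear: per RFC 2865 section 5.2 it is XORed with MD5(shared secret + Request Authenticator), chained per 16-byte block. The implementation below is an added example (not code from the article, radtest or FreeRADIUS) showing both directions of that hiding. It makes the security point of the clients.conf / radius.conf secrets concrete: anyone who holds the secret (test2 in the article) and sees the request can recover the password, so the secret and the 10.1.1.1 to NAS path deserve the same protection as the password database. The 16-byte authenticator used in the test is a constructed constant; real clients draw it from a random source.

```python
"""RFC 2865 User-Password hiding and unhiding.

Added example, not the article's or FreeRADIUS' code. Demonstrates how a
RADIUS client obscures User-Password with the shared secret and the
16-byte Request Authenticator, and why the shared secret must stay private.
"""
import hashlib
import os

# Constructed, fixed authenticator so the example is reproducible.
EXAMPLE_AUTHENTICATOR = bytes(range(16))


def new_authenticator() -> bytes:
    """A real client uses 16 unpredictable bytes per request."""
    return os.urandom(16)


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Return the hidden User-Password value (multiple of 16 bytes, up to 128)."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)   # NUL-pad to 16n
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        # b_i = MD5(secret + previous cipher block), b_1 uses the authenticator
        b = hashlib.md5(secret + prev).digest()
        c = bytes(p ^ k for p, k in zip(padded[i:i + 16], b))
        out += c
        prev = c
    return out


def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Invert hide_password; needs the same secret and authenticator."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden value must be a non-empty multiple of 16 bytes")
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        chunk = hidden[i:i + 16]
        b = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(chunk, b))
        prev = chunk
    # Padding is NUL; a password with trailing NULs cannot be distinguished.
    return out.rstrip(b"\x00")


if __name__ == "__main__":
    auth = new_authenticator()
    hidden = hide_password(b"testpassword", b"test2", auth)
    print("on the wire:", hidden.hex())
    print("recovered  :", unhide_password(hidden, b"test2", auth))
```

The recovered value with the wrong secret is garbage rather than an error, which is why a mismatched secret between clients.conf and the NAS shows up only as Access-Reject with no hint in the packet itself.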

Configuring mpd

mpd is a program capable of handling various kinds of connections, including incoming VPN connections, which is exactly what we are interested in. Before installing and configuring mpd, check that all the necessary options are present in the kernel:
# netgraph(4). Enable the base netgraph code with the NETGRAPH option.
# Individual node types can be enabled with the corresponding option
# listed below; however, this is not strictly necessary as netgraph
# will automatically load the corresponding KLD module if the node type
# is not already compiled into the kernel. Each type below has a
# corresponding man page, e.g., ng_async(8).
options 	NETGRAPH		#netgraph(4) system
options 	NETGRAPH_ASYNC
options 	NETGRAPH_BPF
options 	NETGRAPH_ECHO
options 	NETGRAPH_ETHER
options 	NETGRAPH_HOLE
options 	NETGRAPH_IFACE
options 	NETGRAPH_KSOCKET
options 	NETGRAPH_L2TP
options 	NETGRAPH_LMI
# MPPC compression requires proprietary files (not included)
#options 	NETGRAPH_MPPC_COMPRESSION
options 	NETGRAPH_MPPC_ENCRYPTION
options 	NETGRAPH_ONE2MANY
options 	NETGRAPH_PPP
options 	NETGRAPH_PPTPGRE
options 	NETGRAPH_RFC1490
options 	NETGRAPH_SOCKET
options 	NETGRAPH_TEE
options 	NETGRAPH_TTY
options 	NETGRAPH_UI
options 	NETGRAPH_VJC
Check whether they are present; if not, add them to the kernel config and rebuild the kernel. Loading netgraph as a kernel module is also an option.
cd /usr/ports/net/mpd
make install clean distclean
The server is installed and can now be configured. I recommend using the latest version of mpd from ports; at the moment (22.10.2003) that is 3.14. Create the file /usr/local/etc/mpd/mpd.conf:
default:
	load pptp0
	load pptp1
	load pptp2
	load pptp3
	load pptp4
	load pptp5
	load pptp6
	load pptp7
	load pptp8
	load pptp9
	load pptp10
	load pptp11
	load pptp12
	load pptp13
	load pptp14
	load pptp15
	load pptp16
	load pptp17
	load pptp18
	load pptp19
	load pptp20
	load pptp21
	load pptp22
	load pptp23
	load pptp24
	load pptp25
	load pptp26
	load pptp27
	load pptp28
	load pptp29
	load pptp30
	load pptp31
	load pptp32
	load pptp33
	load pptp34
	load pptp35
	load pptp36
	load pptp37
	load pptp38
	load pptp39
	load pptp40
	load pptp41
	load pptp42
	load pptp43
	load pptp44
	load pptp45
	load pptp46
	load pptp47
	load pptp48
	load pptp49
	load pptp50
	load pptp51
	load pptp52
	load pptp53
	load pptp54
	load pptp55
	load pptp56
	load pptp57
	load pptp58
	load pptp59
	load pptp60
	load pptp61
	load pptp62
	load pptp63
	load pptp64
	load pptp65
	load pptp66
	load pptp67
	load pptp68
	load pptp69
	load pptp70
	load pptp71
	load pptp72
	load pptp73
	load pptp74
	load pptp75
	load pptp76
	load pptp77
	load pptp78
	load pptp79
	load pptp80
	load pptp81
	load pptp82
	load pptp83
	load pptp84
	load pptp85
	load pptp86
	load pptp87
	load pptp88
	load pptp89
	load pptp90
	load pptp91
	load pptp92
	load pptp93
	load pptp94
	load pptp95
	load pptp96
	load pptp97
	load pptp98
	load pptp99

pptp0:
	new -i ng00 pptp0 pptp0
	set ipcp ranges 10.1.4.1/32 10.1.5.1/32
	load pptp_standart
pptp1:
	new -i ng01 pptp1 pptp1
	set ipcp ranges 10.1.4.1/32 10.1.5.2/32
	load pptp_standart
pptp2:
	new -i ng02 pptp2 pptp2
	set ipcp ranges 10.1.4.1/32 10.1.5.3/32
	load pptp_standart
pptp3:
	new -i ng03 pptp3 pptp3
	set ipcp ranges 10.1.4.1/32 10.1.5.4/32
	load pptp_standart
pptp4:
	new -i ng04 pptp4 pptp4
	set ipcp ranges 10.1.4.1/32 10.1.5.5/32
	load pptp_standart
pptp5:
	new -i ng05 pptp5 pptp5
	set ipcp ranges 10.1.4.1/32 10.1.5.6/32
	load pptp_standart
pptp6:
	new -i ng06 pptp6 pptp6
	set ipcp ranges 10.1.4.1/32 10.1.5.7/32
	load pptp_standart
pptp7:
	new -i ng07 pptp7 pptp7
	set ipcp ranges 10.1.4.1/32 10.1.5.8/32
	load pptp_standart
pptp8:
	new -i ng08 pptp8 pptp8
	set ipcp ranges 10.1.4.1/32 10.1.5.9/32
	load pptp_standart
pptp9:
	new -i ng09 pptp9 pptp9
	set ipcp ranges 10.1.4.1/32 10.1.5.10/32
	load pptp_standart
pptp10:
	new -i ng10 pptp10 pptp10
	set ipcp ranges 10.1.4.1/32 10.1.5.11/32
	load pptp_standart
pptp11:
	new -i ng11 pptp11 pptp11
	set ipcp ranges 10.1.4.1/32 10.1.5.12/32
	load pptp_standart
pptp12:
	new -i ng12 pptp12 pptp12
	set ipcp ranges 10.1.4.1/32 10.1.5.13/32
	load pptp_standart
pptp13:
	new -i ng13 pptp13 pptp13
	set ipcp ranges 10.1.4.1/32 10.1.5.14/32
	load pptp_standart
pptp14:
	new -i ng14 pptp14 pptp14
	set ipcp ranges 10.1.4.1/32 10.1.5.15/32
	load pptp_standart
pptp15:
	new -i ng15 pptp15 pptp15
	set ipcp ranges 10.1.4.1/32 10.1.5.16/32
	load pptp_standart
pptp16:
	new -i ng16 pptp16 pptp16
	set ipcp ranges 10.1.4.1/32 10.1.5.17/32
	load pptp_standart
pptp17:
	new -i ng17 pptp17 pptp17
	set ipcp ranges 10.1.4.1/32 10.1.5.18/32
	load pptp_standart
pptp18:
	new -i ng18 pptp18 pptp18
	set ipcp ranges 10.1.4.1/32 10.1.5.19/32
	load pptp_standart
pptp19:
	new -i ng19 pptp19 pptp19
	set ipcp ranges 10.1.4.1/32 10.1.5.20/32
	load pptp_standart
pptp20:
	new -i ng20 pptp20 pptp20
	set ipcp ranges 10.1.4.1/32 10.1.5.21/32
	load pptp_standart
pptp21:
	new -i ng21 pptp21 pptp21
	set ipcp ranges 10.1.4.1/32 10.1.5.22/32
	load pptp_standart
pptp22:
	new -i ng22 pptp22 pptp22
	set ipcp ranges 10.1.4.1/32 10.1.5.23/32
	load pptp_standart
pptp23:
	new -i ng23 pptp23 pptp23
	set ipcp ranges 10.1.4.1/32 10.1.5.24/32
	load pptp_standart
pptp24:
	new -i ng24 pptp24 pptp24
	set ipcp ranges 10.1.4.1/32 10.1.5.25/32
	load pptp_standart
pptp25:
	new -i ng25 pptp25 pptp25
	set ipcp ranges 10.1.4.1/32 10.1.5.26/32
	load pptp_standart
pptp26:
	new -i ng26 pptp26 pptp26
	set ipcp ranges 10.1.4.1/32 10.1.5.27/32
	load pptp_standart
pptp27:
	new -i ng27 pptp27 pptp27
	set ipcp ranges 10.1.4.1/32 10.1.5.28/32
	load pptp_standart
pptp28:
	new -i ng28 pptp28 pptp28
	set ipcp ranges 10.1.4.1/32 10.1.5.29/32
	load pptp_standart
pptp29:
	new -i ng29 pptp29 pptp29
	set ipcp ranges 10.1.4.1/32 10.1.5.30/32
	load pptp_standart
pptp30:
	new -i ng30 pptp30 pptp30
	set ipcp ranges 10.1.4.1/32 10.1.5.31/32
	load pptp_standart
pptp31:
	new -i ng31 pptp31 pptp31
	set ipcp ranges 10.1.4.1/32 10.1.5.32/32
	load pptp_standart
pptp32:
	new -i ng32 pptp32 pptp32
	set ipcp ranges 10.1.4.1/32 10.1.5.33/32
	load pptp_standart
pptp33:
	new -i ng33 pptp33 pptp33
	set ipcp ranges 10.1.4.1/32 10.1.5.34/32
	load pptp_standart
pptp34:
	new -i ng34 pptp34 pptp34
	set ipcp ranges 10.1.4.1/32 10.1.5.35/32
	load pptp_standart
pptp35:
	new -i ng35 pptp35 pptp35
	set ipcp ranges 10.1.4.1/32 10.1.5.36/32
	load pptp_standart
pptp36:
	new -i ng36 pptp36 pptp36
	set ipcp ranges 10.1.4.1/32 10.1.5.37/32
	load pptp_standart
pptp37:
	new -i ng37 pptp37 pptp37
	set ipcp ranges 10.1.4.1/32 10.1.5.38/32
	load pptp_standart
pptp38:
	new -i ng38 pptp38 pptp38
	set ipcp ranges 10.1.4.1/32 10.1.5.39/32
	load pptp_standart
pptp39:
	new -i ng39 pptp39 pptp39
	set ipcp ranges 10.1.4.1/32 10.1.5.40/32
	load pptp_standart
pptp40:
	new -i ng40 pptp40 pptp40
	set ipcp ranges 10.1.4.1/32 10.1.5.41/32
	load pptp_standart
pptp41:
	new -i ng41 pptp41 pptp41
	set ipcp ranges 10.1.4.1/32 10.1.5.42/32
	load pptp_standart
pptp42:
	new -i ng42 pptp42 pptp42
	set ipcp ranges 10.1.4.1/32 10.1.5.43/32
	load pptp_standart
pptp43:
	new -i ng43 pptp43 pptp43
	set ipcp ranges 10.1.4.1/32 10.1.5.44/32
	load pptp_standart
pptp44:
	new -i ng44 pptp44 pptp44
	set ipcp ranges 10.1.4.1/32 10.1.5.45/32
	load pptp_standart
pptp45:
	new -i ng45 pptp45 pptp45
	set ipcp ranges 10.1.4.1/32 10.1.5.46/32
	load pptp_standart
pptp46:
	new -i ng46 pptp46 pptp46
	set ipcp ranges 10.1.4.1/32 10.1.5.47/32
	load pptp_standart
pptp47:
	new -i ng47 pptp47 pptp47
	set ipcp ranges 10.1.4.1/32 10.1.5.48/32
	load pptp_standart
pptp48:
	new -i ng48 pptp48 pptp48
	set ipcp ranges 10.1.4.1/32 10.1.5.49/32
	load pptp_standart
pptp49:
	new -i ng49 pptp49 pptp49
	set ipcp ranges 10.1.4.1/32 10.1.5.50/32
	load pptp_standart
pptp50:
	new -i ng50 pptp50 pptp50
	set ipcp ranges 10.1.4.1/32 10.1.5.51/32
	load pptp_standart
pptp51:
	new -i ng51 pptp51 pptp51
	set ipcp ranges 10.1.4.1/32 10.1.5.52/32
	load pptp_standart
pptp52:
	new -i ng52 pptp52 pptp52
	set ipcp ranges 10.1.4.1/32 10.1.5.53/32
	load pptp_standart
pptp53:
	new -i ng53 pptp53 pptp53
	set ipcp ranges 10.1.4.1/32 10.1.5.54/32
	load pptp_standart
pptp54:
	new -i ng54 pptp54 pptp54
	set ipcp ranges 10.1.4.1/32 10.1.5.55/32
	load pptp_standart
pptp55:
	new -i ng55 pptp55 pptp55
	set ipcp ranges 10.1.4.1/32 10.1.5.56/32
	load pptp_standart
pptp56:
	new -i ng56 pptp56 pptp56
	set ipcp ranges 10.1.4.1/32 10.1.5.57/32
	load pptp_standart
pptp57:
	new -i ng57 pptp57 pptp57
	set ipcp ranges 10.1.4.1/32 10.1.5.58/32
	load pptp_standart
pptp58:
	new -i ng58 pptp58 pptp58
	set ipcp ranges 10.1.4.1/32 10.1.5.59/32
	load pptp_standart
pptp59:
	new -i ng59 pptp59 pptp59
	set ipcp ranges 10.1.4.1/32 10.1.5.60/32
	load pptp_standart
pptp60:
	new -i ng60 pptp60 pptp60
	set ipcp ranges 10.1.4.1/32 10.1.5.61/32
	load pptp_standart
pptp61:
	new -i ng61 pptp61 pptp61
	set ipcp ranges 10.1.4.1/32 10.1.5.62/32
	load pptp_standart
pptp62:
	new -i ng62 pptp62 pptp62
	set ipcp ranges 10.1.4.1/32 10.1.5.63/32
	load pptp_standart
pptp63:
	new -i ng63 pptp63 pptp63
	set ipcp ranges 10.1.4.1/32 10.1.5.64/32
	load pptp_standart
pptp64:
	new -i ng64 pptp64 pptp64
	set ipcp ranges 10.1.4.1/32 10.1.5.65/32
	load pptp_standart
pptp65:
	new -i ng65 pptp65 pptp65
	set ipcp ranges 10.1.4.1/32 10.1.5.66/32
	load pptp_standart
pptp66:
	new -i ng66 pptp66 pptp66
	set ipcp ranges 10.1.4.1/32 10.1.5.67/32
	load pptp_standart
pptp67:
	new -i ng67 pptp67 pptp67
	set ipcp ranges 10.1.4.1/32 10.1.5.68/32
	load pptp_standart
pptp68:
	new -i ng68 pptp68 pptp68
	set ipcp ranges 10.1.4.1/32 10.1.5.69/32
	load pptp_standart
pptp69:
	new -i ng69 pptp69 pptp69
	set ipcp ranges 10.1.4.1/32 10.1.5.70/32
	load pptp_standart
pptp70:
	new -i ng70 pptp70 pptp70
	set ipcp ranges 10.1.4.1/32 10.1.5.71/32
	load pptp_standart
pptp71:
	new -i ng71 pptp71 pptp71
	set ipcp ranges 10.1.4.1/32 10.1.5.72/32
	load pptp_standart
pptp72:
	new -i ng72 pptp72 pptp72
	set ipcp ranges 10.1.4.1/32 10.1.5.73/32
	load pptp_standart
pptp73:
	new -i ng73 pptp73 pptp73
	set ipcp ranges 10.1.4.1/32 10.1.5.74/32
	load pptp_standart
pptp74:
	new -i ng74 pptp74 pptp74
	set ipcp ranges 10.1.4.1/32 10.1.5.75/32
	load pptp_standart
pptp75:
	new -i ng75 pptp75 pptp75
	set ipcp ranges 10.1.4.1/32 10.1.5.76/32
	load pptp_standart
pptp76:
	new -i ng76 pptp76 pptp76
	set ipcp ranges 10.1.4.1/32 10.1.5.77/32
	load pptp_standart
pptp77:
	new -i ng77 pptp77 pptp77
	set ipcp ranges 10.1.4.1/32 10.1.5.78/32
	load pptp_standart
pptp78:
	new -i ng78 pptp78 pptp78
	set ipcp ranges 10.1.4.1/32 10.1.5.79/32
	load pptp_standart
pptp79:
	new -i ng79 pptp79 pptp79
	set ipcp ranges 10.1.4.1/32 10.1.5.80/32
	load pptp_standart
pptp80:
	new -i ng80 pptp80 pptp80
	set ipcp ranges 10.1.4.1/32 10.1.5.81/32
	load pptp_standart
pptp81:
	new -i ng81 pptp81 pptp81
	set ipcp ranges 10.1.4.1/32 10.1.5.82/32
	load pptp_standart
pptp82:
	new -i ng82 pptp82 pptp82
	set ipcp ranges 10.1.4.1/32 10.1.5.83/32
	load pptp_standart
pptp83:
	new -i ng83 pptp83 pptp83
	set ipcp ranges 10.1.4.1/32 10.1.5.84/32
	load pptp_standart
pptp84:
	new -i ng84 pptp84 pptp84
	set ipcp ranges 10.1.4.1/32 10.1.5.85/32
	load pptp_standart
pptp85:
	new -i ng85 pptp85 pptp85
	set ipcp ranges 10.1.4.1/32 10.1.5.86/32
	load pptp_standart
pptp86:
	new -i ng86 pptp86 pptp86
	set ipcp ranges 10.1.4.1/32 10.1.5.87/32
	load pptp_standart
pptp87:
	new -i ng87 pptp87 pptp87
	set ipcp ranges 10.1.4.1/32 10.1.5.88/32
	load pptp_standart
pptp88:
	new -i ng88 pptp88 pptp88
	set ipcp ranges 10.1.4.1/32 10.1.5.89/32
	load pptp_standart
pptp89:
	new -i ng89 pptp89 pptp89
	set ipcp ranges 10.1.4.1/32 10.1.5.90/32
	load pptp_standart
pptp90:
	new -i ng90 pptp90 pptp90
	set ipcp ranges 10.1.4.1/32 10.1.5.91/32
	load pptp_standart
pptp91:
	new -i ng91 pptp91 pptp91
	set ipcp ranges 10.1.4.1/32 10.1.5.92/32
	load pptp_standart
pptp92:
	new -i ng92 pptp92 pptp92
	set ipcp ranges 10.1.4.1/32 10.1.5.93/32
	load pptp_standart
pptp93:
	new -i ng93 pptp93 pptp93
	set ipcp ranges 10.1.4.1/32 10.1.5.94/32
	load pptp_standart
pptp94:
	new -i ng94 pptp94 pptp94
	set ipcp ranges 10.1.4.1/32 10.1.5.95/32
	load pptp_standart
pptp95:
	new -i ng95 pptp95 pptp95
	set ipcp ranges 10.1.4.1/32 10.1.5.96/32
	load pptp_standart
pptp96:
	new -i ng96 pptp96 pptp96
	set ipcp ranges 10.1.4.1/32 10.1.5.97/32
	load pptp_standart
pptp97:
	new -i ng97 pptp97 pptp97
	set ipcp ranges 10.1.4.1/32 10.1.5.98/32
	load pptp_standart
pptp98:
	new -i ng98 pptp98 pptp98
	set ipcp ranges 10.1.4.1/32 10.1.5.99/32
	load pptp_standart
pptp99:
	new -i ng99 pptp99 pptp99
	set ipcp ranges 10.1.4.1/32 10.1.5.100/32
	load pptp_standart

pptp_standart:
   set iface disable on-demand
   set bundle enable multilink
   set link yes acfcomp protocomp

   # Require CHAP authentication
   set link no pap chap
   set link enable chap
   set link keep-alive 60 180
   set ipcp yes vjcomp

   # Set DNS and WINS
   set ipcp dns 10.1.1.1
   #set ipcp nbns 10.1.1.1

   # Enable proxy-arp so that the client "sees" the corporate
   # network (via ARP) without routing
   set iface enable proxy-arp

   # Enable data compression
   set bundle enable compression

   # Enable data compression compatible with Microsoft clients; must be compiled into the kernel
   set ccp yes mppc
   # Enable encryption compatible with Microsoft clients; must be compiled into the kernel
   set ccp yes mpp-e40
   set ccp yes mpp-e56
   set ccp yes mpp-e128
   set ccp yes mpp-stateless
   #set bundle yes crypt-reqd

   # Address to listen on for incoming connections; if commented out, mpd listens on all interfaces.
   #set pptp self 192.168.1.221

   # Allow incoming connections
   set pptp enable incoming
   set pptp disable originate

   set iface mtu 1500
   set link mtu 1500

   # script to run when the interface comes up
   #set iface up-script /usr/local/traff/up.pl
   # script to run when the interface goes down
   #set iface down-script /usr/local/traff/down.pl

   set radius server 10.1.1.1 test2 1812 1813
   set radius timeout 10
   set radius config /etc/radius.conf
   set radius retries 3
   #set bundle enable radius-acct
   set bundle enable radius-auth
   set ipcp yes radius-ip
Create /etc/radius.conf:
acct 10.1.1.1 test2
auth 10.1.1.1 test2
Create the file /usr/local/etc/mpd/mpd.links:
pptp0:
	set link type pptp
pptp1:
	set link type pptp
pptp2:
	set link type pptp
pptp3:
	set link type pptp
pptp4:
	set link type pptp
pptp5:
	set link type pptp
pptp6:
	set link type pptp
pptp7:
	set link type pptp
pptp8:
	set link type pptp
pptp9:
	set link type pptp
pptp10:
	set link type pptp
pptp11:
	set link type pptp
pptp12:
	set link type pptp
pptp13:
	set link type pptp
pptp14:
	set link type pptp
pptp15:
	set link type pptp
pptp16:
	set link type pptp
pptp17:
	set link type pptp
pptp18:
	set link type pptp
pptp19:
	set link type pptp
pptp20:
	set link type pptp
pptp21:
	set link type pptp
pptp22:
	set link type pptp
pptp23:
	set link type pptp
pptp24:
	set link type pptp
pptp25:
	set link type pptp
pptp26:
	set link type pptp
pptp27:
	set link type pptp
pptp28:
	set link type pptp
pptp29:
	set link type pptp
pptp30:
	set link type pptp
pptp31:
	set link type pptp
pptp32:
	set link type pptp
pptp33:
	set link type pptp
pptp34:
	set link type pptp
pptp35:
	set link type pptp
pptp36:
	set link type pptp
pptp37:
	set link type pptp
pptp38:
	set link type pptp
pptp39:
	set link type pptp
pptp40:
	set link type pptp
pptp41:
	set link type pptp
pptp42:
	set link type pptp
pptp43:
	set link type pptp
pptp44:
	set link type pptp
pptp45:
	set link type pptp
pptp46:
	set link type pptp
pptp47:
	set link type pptp
pptp48:
	set link type pptp
pptp49:
	set link type pptp
pptp50:
	set link type pptp
pptp51:
	set link type pptp
pptp52:
	set link type pptp
pptp53:
	set link type pptp
pptp54:
	set link type pptp
pptp55:
	set link type pptp
pptp56:
	set link type pptp
pptp57:
	set link type pptp
pptp58:
	set link type pptp
pptp59:
	set link type pptp
pptp60:
	set link type pptp
pptp61:
	set link type pptp
pptp62:
	set link type pptp
pptp63:
	set link type pptp
pptp64:
	set link type pptp
pptp65:
	set link type pptp
pptp66:
	set link type pptp
pptp67:
	set link type pptp
pptp68:
	set link type pptp
pptp69:
	set link type pptp
pptp70:
	set link type pptp
pptp71:
	set link type pptp
pptp72:
	set link type pptp
pptp73:
	set link type pptp
pptp74:
	set link type pptp
pptp75:
	set link type pptp
pptp76:
	set link type pptp
pptp77:
	set link type pptp
pptp78:
	set link type pptp
pptp79:
	set link type pptp
pptp80:
	set link type pptp
pptp81:
	set link type pptp
pptp82:
	set link type pptp
pptp83:
	set link type pptp
pptp84:
	set link type pptp
pptp85:
	set link type pptp
pptp86:
	set link type pptp
pptp87:
	set link type pptp
pptp88:
	set link type pptp
pptp89:
	set link type pptp
pptp90:
	set link type pptp
pptp91:
	set link type pptp
pptp92:
	set link type pptp
pptp93:
	set link type pptp
pptp94:
	set link type pptp
pptp95:
	set link type pptp
pptp96:
	set link type pptp
pptp97:
	set link type pptp
pptp98:
	set link type pptp
pptp99:
	set link type pptp
That's it, mpd can now be started: /usr/local/sbin/mpd -b. mpd will now accept incoming VPN connections (PPTP, compatible with MS Windows TM).
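The mpd.conf and mpd.links files above repeat the same three-line stanza one hundred times, with only the link number and the peer address changing. The generator below is an added example (not the article's or mpd's own code) that reproduces both files from a link count and base addresses, following the article's scheme exactly: link pptpN gets netgraph interface ngNN (two digits), local address 10.1.4.1/32, peer address 10.1.5.(N+1)/32, and loads the shared pptp_standart template, which you still append from the article. Generating the files removes the copy-paste errors a hand-edited pool invites (a skipped or duplicated peer address is the usual one), and the helper peer_addresses gives the set of addresses the pool covers, so the Framed-IP-Address values stored in radreply can be cross-checked against it.

```python
"""Generate the numbered pptpN stanzas of mpd.conf and mpd.links.

Added example, not part of the original article. Defaults reproduce the
article's files: 100 links, local 10.1.4.1, peers 10.1.5.1 .. 10.1.5.100,
template label pptp_standart (the template body itself is the article's).
"""
import ipaddress


def mpd_conf(count: int = 100, local: str = "10.1.4.1",
             first_peer: str = "10.1.5.1", template: str = "pptp_standart") -> str:
    """Return the 'default:' section plus one stanza per link, mpd.conf style."""
    if count < 1:
        raise ValueError("need at least one link")
    local_addr = ipaddress.ip_address(local)
    peer0 = ipaddress.ip_address(first_peer)
    lines = ["default:"] + [f"\tload pptp{n}" for n in range(count)] + [""]
    for n in range(count):
        peer = peer0 + n                     # consecutive peer addresses
        lines += [
            f"pptp{n}:",
            f"\tnew -i ng{n:02d} pptp{n} pptp{n}",   # ng00 .. ng99 as in the article
            f"\tset ipcp ranges {local_addr}/32 {peer}/32",
            f"\tload {template}",
        ]
    return "\n".join(lines) + "\n"


def mpd_links(count: int = 100) -> str:
    """Return mpd.links: every link is of type pptp."""
    lines = []
    for n in range(count):
        lines += [f"pptp{n}:", "\tset link type pptp"]
    return "\n".join(lines) + "\n"


def peer_addresses(count: int = 100, first_peer: str = "10.1.5.1") -> list[str]:
    """Peer addresses the pool covers, for checking radreply Framed-IP-Address values."""
    peer0 = ipaddress.ip_address(first_peer)
    return [str(peer0 + n) for n in range(count)]


def addresses_outside_pool(assigned, count: int = 100, first_peer: str = "10.1.5.1") -> list[str]:
    """Return the assigned addresses (e.g. from radreply) that are not in the pool."""
    pool = set(peer_addresses(count, first_peer))
    return [a for a in assigned if a not in pool]


if __name__ == "__main__":
    # Write both files; append the pptp_standart template from the article to mpd.conf.
    with open("mpd.conf.generated", "w") as f:
        f.write(mpd_conf())
    with open("mpd.links.generated", "w") as f:
        f.write(mpd_links())
    print(addresses_outside_pool(["10.1.5.2", "10.1.5.200"]))   # constructed sample
```

To resize the pool, change count and first_peer in one place; the interface names stay unique because the two-digit format simply grows to three digits past ng99.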

