Installing OpenVPN + privacyIDEA + FreeRADIUS on Ubuntu 16.0x
2021-03-03 16:38:25
sanger
[toc]

# VPN tooling: Algo, Streisand, OpenVPN, StrongSwan, SoftEther, WireGuard

https://ywnz.com/linuxrj/3105.html

# Install privacyidea, privacyidea-nginx and privacyidea-radius

```
add-apt-repository ppa:privacyidea/privacyidea
apt-get update
apt-get install python-privacyidea privacyideaadm
apt-get install privacyidea-nginx
pi-manage admin add admin -e admin@localhost
apt-get install privacyidea-radius
```

## Change the server name in the nginx configuration

vim /etc/nginx/sites-enabled/privacyidea

> server_name pi.aibuyer.net localhost;

The hostname used to reach privacyIDEA can be set in the FreeRADIUS client configuration file /etc/freeradius/client.conf; it must match the server_name in the nginx privacyidea configuration. Setting the hostname in /etc/freeradius/client.conf produced an error that kept FreeRADIUS from starting, so I commented it out.

privacyIDEA is now reachable at https://pi.aibuyer.net

# Install openvpn

```
apt-get install openvpn easy-rsa
gunzip -c /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz > /etc/openvpn/server.conf
```

## Edit the OpenVPN server configuration

vim /etc/openvpn/server.conf

There are several changes to make in this file. You will see a section looking like this:

```
# Diffie hellman parameters.
# Generate your own with:
#   openssl dhparam -out dh1024.pem 1024
# Substitute 2048 for 1024 if you are using
# 2048 bit keys.
dh dh1024.pem
reneg-sec 0
```

Edit dh1024.pem to say:

> dh2048.pem

Add:

```
push "dhcp-option DNS 223.5.5.5"
push "dhcp-option DNS 223.6.6.6"
log /var/log/openvpn/openvpn.log
log-append /var/log/openvpn/openvpn.log
client-cert-not-required
username-as-common-name
plugin /etc/openvpn/radiusplugin.so /etc/openvpn/radiusplugin.cnf
```

## Enable packet forwarding

This is a sysctl setting which tells the server's kernel to forward traffic from client devices out to the Internet. Otherwise, the traffic will stop at the server. Enable packet forwarding during runtime by entering this command:

> echo 1 > /proc/sys/net/ipv4/ip_forward

We need to make this permanent so the server still forwards traffic after rebooting.
vim /etc/sysctl.conf

Near the top of the sysctl file, you will see:

```
# Uncomment the next line to enable packet forwarding for IPv4
#net.ipv4.ip_forward=1
```

Uncomment net.ipv4.ip_forward. It should look like this when done:

```
# Uncomment the next line to enable packet forwarding for IPv4
net.ipv4.ip_forward=1
```

Save your changes and exit.

## Configure the firewall: Uncomplicated Firewall (ufw)

ufw is a front-end for iptables and setting up ufw is not hard. It's included by default in Ubuntu 14.04, so we only need to make a few rules and configuration edits, then switch the firewall on. As a reference for more uses for ufw, see How To Setup a Firewall with UFW on an Ubuntu and Debian Cloud Server.

First set ufw to allow SSH. In the command prompt, ENTER:

```
ufw allow ssh
ufw allow 10000/tcp
ufw allow 443/tcp
# allow a specific host to reach a specific port
ufw allow proto udp from 115.29.184.90 to 192.168.0.36 port 1812
ufw allow proto udp from 115.29.184.90 to 192.168.0.36 port 1813
ufw allow proto udp from 10.1.194.240 to 192.168.0.36 port 1812
ufw allow proto udp from 10.1.194.240 to 192.168.0.36 port 1813
# list the rules with their numbers
ufw status numbered
# delete a rule by number
ufw delete xxx
```

This tutorial will use OpenVPN over UDP, so ufw must also allow UDP traffic over port 1194.

```
ufw allow 1194/udp
```

The ufw forwarding policy needs to be set as well. We'll do this in ufw's primary configuration file.

vim /etc/default/ufw

Look for DEFAULT_FORWARD_POLICY="DROP". This must be changed from DROP to ACCEPT. It should look like this when done:

```
DEFAULT_FORWARD_POLICY="ACCEPT"
```

Next we will add additional ufw rules for network address translation and IP masquerading of connected clients.

vim /etc/ufw/before.rules

Make the top of your before.rules file look like below. The lines between START OPENVPN RULES and END OPENVPN RULES must be added:

```
#
# rules.before
#
# Rules that should be run before the ufw command line added rules. Custom
# rules should be added to one of these chains:
#   ufw-before-input
#   ufw-before-output
#   ufw-before-forward
#

# START OPENVPN RULES
# NAT table rules
*nat
:POSTROUTING ACCEPT [0:0]
# Allow traffic from OpenVPN client to eth0
-A POSTROUTING -s 10.8.0.0/8 -o eth0 -j MASQUERADE
COMMIT
# END OPENVPN RULES

# Don't delete these required lines, otherwise there will be errors
*filter
```

With the changes made to ufw, we can now enable it. Enter into the command prompt:

```
ufw enable
```

Enabling ufw will return the following prompt:

> Command may disrupt existing ssh connections. Proceed with operation (y|n)?

Answer y. The result will be this output:

> Firewall is active and enabled on system startup

To check ufw's primary firewall rules:

> ufw status

The status command should return these entries:

```
Status: active

To                         Action      From
--                         ------      ----
22                         ALLOW       Anywhere
1194/udp                   ALLOW       Anywhere
22 (v6)                    ALLOW       Anywhere (v6)
1194/udp (v6)              ALLOW       Anywhere (v6)
```

## Create the certificate authority and the server-side certificate & key

Step 2 — Creating a Certificate Authority and Server-Side Certificate & Key

OpenVPN uses certificates to encrypt traffic.

### Configure and Build the Certificate Authority

It is now time to set up our own Certificate Authority (CA) and generate a certificate and key for the OpenVPN server. OpenVPN supports bidirectional authentication based on certificates, meaning that the client must authenticate the server certificate and the server must authenticate the client certificate before mutual trust is established. We will use Easy-RSA's scripts to do this.

First copy over the Easy-RSA generation scripts.

```
cp -r /usr/share/easy-rsa/ /etc/openvpn
```

Then make the key storage directory.

```
mkdir /etc/openvpn/easy-rsa/keys
```

Easy-RSA has a variables file we can edit to create certificates exclusive to our person, business, or whatever entity we choose. This information is copied to the certificates and keys, and will help identify the keys later.
vim /etc/openvpn/easy-rsa/vars

The variables below should be changed according to your preference.

```
export KEY_COUNTRY="CN"
export KEY_PROVINCE="GD"
export KEY_CITY="ShenZhen"
export KEY_ORG="xxx"
export KEY_EMAIL="xxx@xxx.com"
export KEY_OU="xxx"

# X509 Subject Field
export KEY_NAME="server"

# PKCS11 Smart Card
# export PKCS11_MODULE_PATH="/usr/lib/changeme.so"
# export PKCS11_PIN=1234

# If you'd like to sign all keys with the same Common Name, uncomment the KEY_CN export below
# You will also need to make sure your OpenVPN server config has the duplicate-cn option set
export KEY_CN="vpn.xxx.com"
export KEY_ALTNAMES="xxxvpn"
```

In the same vars file, also edit the one line shown below. For simplicity, we will use server as the key name. If you want to use a different name, you would also need to update the OpenVPN configuration files that reference server.key and server.crt.

```
export KEY_NAME="server"
```

We need to generate the Diffie-Hellman parameters; this can take several minutes.

```
openssl dhparam -out /etc/openvpn/dh2048.pem 2048
```

Now let's change directories so that we're working directly out of where we copied Easy-RSA's scripts to earlier in Step 2.

```
cd /etc/openvpn/easy-rsa
```

Initialize the PKI (Public Key Infrastructure). Pay attention to the dot (.) and space in front of the ./vars command. That signifies the current working directory (source).

```
. ./vars
```

The output from the above command is shown below. Since we haven't generated anything in the keys directory yet, the warning is nothing to be concerned about.

> NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/easy-rsa/keys

Now we'll clear the working directory of any possible old or example keys to make way for our new ones.

```
./clean-all
```

This final command builds the certificate authority (CA) by invoking an interactive OpenSSL command. The output will prompt you to confirm the Distinguished Name variables that were entered earlier into Easy-RSA's variable file (country name, organization, etc.).

```
./build-ca
```

Simply press ENTER to pass through each prompt. If something must be changed, you can do that from within the prompt.

### Generate a Certificate and Key for the Server

Still working from /etc/openvpn/easy-rsa, now enter the command to build the server's key. The server argument is the export KEY_NAME variable we set in Easy-RSA's vars file earlier in Step 2.

```
./build-key-server server
```

Similar output is generated as when we ran ./build-ca, and you can again press ENTER to confirm each line of the Distinguished Name. However, this time there are two additional prompts:

```
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
```

Both should be left blank, so just press ENTER to pass through each one.

Two additional queries at the end require a positive (y) response:

```
Sign the certificate? [y/n]
1 out of 1 certificate requests certified, commit? [y/n]
```

The last prompt above should complete with:

```
Write out database with 1 new entries
Data Base Updated
```

### Move the Server Certificates and Keys

OpenVPN expects to see the server's CA, certificate and key in /etc/openvpn. Let's copy them into the proper location.

```
cp /etc/openvpn/easy-rsa/keys/{server.crt,server.key,ca.crt} /etc/openvpn
```

You can verify the copy was successful with:

```
ls /etc/openvpn
```

You should see the certificate and key files for the server.

At this point, the OpenVPN server is ready to go. Start it and check the status.
```
service openvpn start
service openvpn status
# the systemd instance name is the config file name without .conf, i.e. /etc/openvpn/server.conf -> openvpn@server
systemctl start openvpn@server.service
systemctl status openvpn@server.service
```

The status command should return:

```
VPN 'server' is running
```

(The author marks this output as a point of doubt.)

## Generate certificates and keys for the clients

Step 3 — Generate Certificates and Keys for Clients

So far we've installed and configured the OpenVPN server, created a Certificate Authority, and created the server's own certificate and key. In this step, we use the server's CA to generate certificates and keys for each client device which will be connecting to the VPN. These files will later be installed onto the client devices such as a laptop or smartphone.

### Key and Certificate Building

It's ideal for each client connecting to the VPN to have its own unique certificate and key. This is preferable to generating one general certificate and key to use among all client devices.

Note: By default, OpenVPN does not allow simultaneous connections to the server from clients using the same certificate and key. (See duplicate-cn in /etc/openvpn/server.conf.)

To create separate authentication credentials for each device you intend to connect to the VPN, you should complete this step for each device, but change the name client1 below to something different such as client2 or iphone2. With separate credentials per device, they can later be deactivated at the server individually, if need be. The remaining examples in this tutorial will use client1 as our example client device's name.

As we did with the server's key, now we build one for our client1 example. You should still be working out of /etc/openvpn/easy-rsa.

```
./build-key client
```

Once again, you'll be asked to change or confirm the Distinguished Name variables and these two prompts which should be left blank. Press ENTER to accept the defaults.

```
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
```

As before, these two confirmations at the end of the build process require a (y) response:

```
Sign the certificate? [y/n]
1 out of 1 certificate requests certified, commit? [y/n]
```

If the key build was successful, the output will again be:

```
Write out database with 1 new entries
Data Base Updated
```

The example client configuration file should be copied to the Easy-RSA key directory too. We'll use it as a template which will be downloaded to client devices for editing. In the copy process, we are changing the name of the example file from client.conf to client.ovpn because the .ovpn file extension is what the clients will expect to use.

```
cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf /etc/openvpn/easy-rsa/keys/client.ovpn
```

You can repeat this section again for each client, replacing client with the appropriate client name throughout.
# Install Radiusplugin

Radiusplugin is the plugin that lets OpenVPN authenticate users against RADIUS.

Download the radiusplugin source package from http://www.nongnu.org:

http://www.nongnu.org/radiusplugin/radiusplugin_v2.1.tar.gz

Install gcc, g++ and libgcrypt:

```
# apt-get install gcc g++ libgcrypt11-dev
```

### Build Radiusplugin

Unpack the archive, change into the directory and build it with make.

### Configure Radiusplugin

Copy radiusplugin.cnf and radiusplugin.so from the build directory to /etc/openvpn.

Edit radiusplugin.cnf:

```
# vim radiusplugin.cnf
server
{
    acctport=1813
    authport=1812
    name=127.0.0.1
    retry=1
    wait=1
    sharedsecret=testing123
}
```

sharedsecret must match the secret of the corresponding client entry in the FreeRADIUS clients.conf.

### Edit the OpenVPN configuration again

Edit the OpenVPN configuration so that clients authenticate with a username and password, which OpenVPN checks through RADIUS. Note that client-cert-not-required turns off client certificate verification, so the RADIUS username/password (PIN + OTP from privacyIDEA) becomes the only client authentication. Edit server.conf:

```
# vim /etc/openvpn/server.conf
client-cert-not-required
username-as-common-name
plugin /etc/openvpn/radiusplugin.so /etc/openvpn/radiusplugin.cnf
```

### Restart the services and test

(checkpoint)

Restart the services:

```
/etc/init.d/freeradius restart
/etc/init.d/openvpn restart
```

Download these four files to the client:

- client1.crt
- client1.key
- client.ovpn
- ca.crt

Edit client.ovpn:

```
remote xxx.xxx.xxx.xxx
auth-user-pass
route-nopull
route default 255.255.255.0 net_gateway
route 192.168.0.0 255.255.255.0 vpn_gateway
```

Start the client:

```
sudo openvpn --config client.ovpn
```

## 3.2. Creating your first realm

Note: When the administrator logs in and no useridresolver and no realm is defined, a popup appears, which asks you to create a default realm. During these first steps you may say "No", to get a better understanding.

Users in privacyIDEA are read from existing sources. See Realms for more information. In these first steps we will simply read the users from your /etc/passwd file.

### 3.2.1. Create a UserIdResolver

The UserIdResolver is the connector to the user source. For more information see UserIdResolvers.

Go to Config -> Users to create a UserIdResolver.

(Figure: Create the first UserIdResolver)

Choose New passwdresolver and enter the name "myusers". Save it.

(Figure: Create the first UserIdResolver)

You just created your first connection to a user source.

### 3.2.2. Create a Realm

User sources are grouped together into a so-called "realm". For more information see Realms.

Go to Config -> Realms. Enter "realm1" as the new realm name and select the priority 1. Check the resolver "myusers" to be included into this realm. Save it.

(Figure: Create the first Realm)

Go to Users and you will see the users from /etc/passwd.

(Figure: The users from /etc/passwd)

Congratulations! You created your first realm. You are now ready to enroll a token to a user. Read Enrolling your first token.

## 3.3. Enrolling your first token

You may now enroll a new token. In this example we are using the Google Authenticator App, which you need to install on your smartphone.

Go to Tokens -> Enroll Token

(Figure: The Token Enrollment Dialog)

Select the username root. When you start typing "r", "o"... the system will find the user root automatically.

Enter a PIN. I entered "test" ...

... and click "Enroll Token".

(Figure: Enrollment Success)

After enrolling the token you will see a QR code, which you need to scan with the Google Authenticator App.

Click on the serial number link at the top of the dialog.

(Figure: Test the Token)

Now you see the token details. Left of the button "Test Token" you can enter the PIN and the OTP value generated by the Google Authenticator. Click the button "Test Token". You should see a green "matching 1 tokens".

Congratulations! You just enrolled your first token to a user.

## Test that FreeRADIUS forwards requests to privacyIDEA correctly

The last argument to radclient is the shared secret of the client entry used for localhost:

```
echo "User-Name=xxxxx, User-Password=xxxxxx" | radclient -sx localhost auth xxxvpn
```

Now the VPN is ready to use!

privacyIDEA backup: backing up the database pi is sufficient.
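To show what the radclient test above exercises on the wire, here is an added Python example (not from this post, OpenVPN, radiusplugin or FreeRADIUS) that builds a RADIUS Access-Request the way radclient does, hides the PAP User-Password with the shared secret per RFC 2865, decodes it as the server would, and checks the Response Authenticator of an Access-Accept; it makes concrete why sharedsecret in radiusplugin.cnf must equal the client secret in clients.conf. The user name, password and secret values are constructed, and the 16-byte Request Authenticator is passed in by the caller (use os.urandom(16) in practice).

```python
import hashlib
import struct

def hide_user_password(password, secret, authenticator):
    # RFC 2865 5.2: pad to 16-byte blocks, XOR each block with MD5(secret + previous block)
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        hidden += prev
    return hidden

def reveal_user_password(hidden, secret, authenticator):
    # Inverse of hide_user_password: a wrong secret yields garbage rather than an error
    clear, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        clear += bytes(a ^ b for a, b in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return clear.rstrip(b"\x00")

def attribute(code, value):
    return struct.pack("!BB", code, len(value) + 2) + value  # RADIUS TLV: type, length, value

def build_access_request(username, password, secret, authenticator, identifier=1):
    # Access-Request (code 1) with User-Name (1) and User-Password (2), as radclient sends it
    attrs = attribute(1, username.encode())
    attrs += attribute(2, hide_user_password(password.encode(), secret, authenticator))
    return struct.pack("!BBH", 1, identifier, 20 + len(attrs)) + authenticator + attrs, authenticator

def decode_access_request(packet, secret):
    # Server side: walk the TLV attributes, then unhide the PAP password with the shared secret
    fields, pos = {}, 20
    while pos < len(packet):
        fields[packet[pos]] = packet[pos + 2:pos + packet[pos + 1]]
        pos += packet[pos + 1]
    password = reveal_user_password(fields[2], secret, packet[4:20])
    return fields[1].decode(), password.decode(errors="replace")

def build_access_accept(identifier, request_authenticator, secret, message=b"OK"):
    # Access-Accept (code 2): Response Authenticator = MD5(header + Request Authenticator + attrs + secret)
    attrs = attribute(18, message)  # 18 = Reply-Message
    header = struct.pack("!BBH", 2, identifier, 20 + len(attrs))
    return header + hashlib.md5(header + request_authenticator + attrs + secret).digest() + attrs

def verify_response(packet, request_authenticator, secret):
    # Client side: only a server holding the same secret can produce a valid Response Authenticator
    expected = hashlib.md5(packet[:4] + request_authenticator + packet[20:] + secret).digest()
    return packet[4:20] == expected
```

A mismatched secret does not produce an error on either side: the server recovers a garbage password and rejects the user, and the client cannot validate the server's reply, which is the symptom to look for when the radclient test fails.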