{"id":721,"date":"2012-10-08T00:57:32","date_gmt":"2012-10-07T22:57:32","guid":{"rendered":"http:\/\/diablo.craem.net\/wordpress\/?p=721"},"modified":"2012-10-08T00:57:32","modified_gmt":"2012-10-07T22:57:32","slug":"freeradius-mysql-pptpd-en-debian","status":"publish","type":"post","link":"https:\/\/diablo.craem.net\/?p=721","title":{"rendered":"FreeRadius + Mysql + PPTPD en Debian."},"content":{"rendered":"

Siguiendo al post anterior, ahora toca crear el servidor PPTPD, para por ejemplo, lanzar la vpn desde nuestro android.
\nPrimero comprobamos si tenemos en el Kernel de nuestro linux, el soporte para MPPE, para ello:
\n
\n# modprobe ppp-compress-18 && echo OK
\n<\/code>
\nSi sale OK, pues eso, ha ido bien…. \u00c2\u00bf y qu\u00e9 es eso de MPPE ?, pues nada, un protocolo de micro$oft para encriptar datos, l\u00e9ase:
\nhttps:\/\/en.wikipedia.org\/wiki\/Microsoft_Point-to-Point_Encryption<\/strong>
\nY ojo, que tiene su propia RFC (O_o).
\nAhora, instalamos el server pptpd en nuestro querido debian:
\n
\n# apt-get install pptpd
\n<\/code>
\nAntes de empezar a configurar, hemos de tener claro:
\n1\u00ba) Pool de Ip’s que les asignaremos a los usuarios
\n2\u00ba) Dentro del Pool, las opciones de dns y dem\u00e1s que querremos usar para los clientes
\nEditamos el fichero \/etc\/pptpd.conf<\/em> y lo vamos dejando tal que:
\n
\nlocalip 192.168.2.13
\nremoteip 192.168.100.234-240
\n<\/code>
\nDonde localip<\/em>, que con gran ojo avizor, deducimos que es la ip de nuestro servidor y, el que tenga la suerte de poder ponerle la ip p\u00fablica directamente, pues eso que se lleva.
\nLa remoteip<\/em>, ser\u00e1 el pool de IP’s que asignaremos a los usuarios remotos.
\nGuardamos los cambios, reinciamos el daemon pptpd y seguimos configurando y instalamos el paquete libradiusclient-ng2<\/em>, que ser\u00e1 el responsable de la relaci\u00f3n entre pptpd y freeradius… para ello:
\n
\napt-get install libradiusclient-ng2
\n<\/code>
\nY renombramos la carpeta para que quede m\u00e1s elegante:
\n
\nmv \/etc\/radiusclient-ng\/ \/etc\/radiusclient\/
\n<\/code>
\nCreamos un fichero, que ya explicaremos la funci\u00f3n:
\n
\necho \"\" > \/etc\/radiusclient\/port-id-map
\n<\/code>
\nAhora editaremos el fichero radiusclient.conf<\/em>
\n
\n# nano \/etc\/radiusclient\/radiusclient.conf
\n<\/code>
\nY lo dejamos tal que:
\n
\n# General settings
\n# specify which authentication comes first respectively which
\n# authentication is used. possible values are: \"radius\" and \"local\".
\n# if you specify \"radius,local\" then the RADIUS server is asked
\n# first then the local one. if only one keyword is specified only
\n# this server is asked.
\nauth_order radius<\/strong>
\n# maximum login tries a user has
\nlogin_tries 4
\n# timeout for all login tries
\n# if this time is exceeded the user is kicked out
\nlogin_timeout 60
\n# name of the nologin file which when it exists disables logins.
\n# it may be extended by the ttyname which will result in
\n# a terminal specific lock (e.g. \/etc\/nologin.ttyS2 will disable
\n# logins on \/dev\/ttyS2)
\nnologin \/etc\/nologin
\n# name of the issue file. it's only display when no username is passed
\n# on the radlogin command line
\nissue \/etc\/radiusclient\/issue
\n# RADIUS settings
\n# RADIUS server to use for authentication requests. this config
\n# item can appear more then one time. if multiple servers are
\n# defined they are tried in a round robin fashion if one
\n# server is not answering.
\n# optionally you can specify a the port number on which is remote
\n# RADIUS listens separated by a colon from the hostname. if
\n# no port is specified \/etc\/services is consulted of the radius
\n# service. if this fails also a compiled in default is used.
\nauthserver localhost:1812<\/strong>
\n# RADIUS server to use for accouting requests. All that I
\n# said for authserver applies, too.
\n#
\nacctserver localhost:1812<\/strong>
\n# file holding shared secrets used for the communication
\n# between the RADIUS client and server
\nservers \/etc\/radiusclient\/servers<\/strong>
\n# dictionary of allowed attributes and values
\n# just like in the normal RADIUS distributions
\ndictionary \/etc\/radiusclient\/dictionary
\n# program to call for a RADIUS authenticated login
\nlogin_radius \/usr\/sbin\/login.radius
\n# file which holds sequence number for communication with the
\n# RADIUS server
\nseqfile \/var\/run\/radius.seq
\n# file which specifies mapping between ttyname and NAS-Port attribute
\nmapfile \/etc\/radiusclient\/port-id-map
\n# default authentication realm to append to all usernames if no
\n# realm was explicitly specified by the user
\n# the radiusd directly form Livingston doesnt use any realms, so leave
\n# it blank then
\ndefault_realm
\n# time to wait for a reply from the RADIUS server
\nradius_timeout 10
\n# resend request this many times before trying the next server
\nradius_retries 3
\n# local address from which radius packets have to be sent
\n# bindaddr 0.0.0.0
\n# LOCAL settings
\n# program to execute for local login
\n# it must support the -f flag for preauthenticated login
\nlogin_local \/bin\/login
\n<\/code>
\nDefiniremos nuestros servidores radius (modificando lo que est\u00e1 en negrita), con lo que toque.
\nAhora definiremos la pre-shared key para los servidores radius:
\n
\nnano \/etc\/radiusclient\/servers
\n<\/code>
\ny colocamos nuestros datos:
\n
\n#Server Name or Client\/Server pair Key
\n#---------------- ---------------
\nip.de.nuestro.radius_server misuperclavemolona
\n<\/code>
\nEditamos el fichero pptpd-options<\/em>
\n
\nnano \/etc\/ppp\/pptpd-options
\n<\/code>
\nPor ahora, nos vamos a centrar en pap \/ spap… una vez nos funcione, buscaremos otros m\u00e9todos m\u00e1s seguros:
\n
\n###############################################################################
\n# $Id: pptpd-options 4643 2006-11-06 18:42:43Z rene $
\n#
\n# Sample Poptop PPP options file \/etc\/ppp\/pptpd-options
\n# Options used by PPP when a connection arrives from a client.
\n# This file is pointed to by \/etc\/pptpd.conf option keyword.
\n# Changes are effective on the next connection. See \"man pppd\".
\n#
\n# You are expected to change this file to suit your system. As
\n# packaged, it requires PPP 2.4.2 and the kernel MPPE module.
\n###############################################################################
\n# Authentication
\n# Name of the local system for authentication purposes
\n# (must match the second field in \/etc\/ppp\/chap-secrets entries)
\nname minombrechulo-del-servidor<\/strong>
\n# Optional: domain name to use for authentication
\ndomain craem.net<\/strong>
\n# Strip the domain prefix from the username before authentication.
\n# (applies if you use pppd with chapms-strip-domain patch)
\n#chapms-strip-domain
\n# Encryption
\n# Debian: on systems with a kernel built with the package
\n# kernel-patch-mppe >= 2.4.2 and using ppp >= 2.4.2, ...
\n# {{{
\nrequire-pap
\nrequire-chap
\nrefuse-mschap<\/strong>
\n# Require the peer to authenticate itself using MS-CHAPv2 [Microsoft
\n# Challenge Handshake Authentication Protocol, Version 2] authentication.
\n# refuse-mschap-v2
\n# Require MPPE 128-bit encryption
\n# (note that MPPE requires the use of MSCHAP-V2 during authentication)
\n# refuse-mppe-128
\n# }}}
\n# Network and Routing
\n# If pppd is acting as a server for Microsoft Windows clients, this
\n# option allows pppd to supply one or two DNS (Domain Name Server)
\n# addresses to the clients. The first instance of this option
\n# specifies the primary DNS address; the second instance (if given)
\n# specifies the secondary DNS address.
\n# Attention! This information may not be taken into account by a Windows
\n# client. See KB311218 in Microsoft's knowledge base for more information.
\nms-dns 8.8.8.8
\nms-dns 8.8.4.4<\/strong>
\n# If pppd is acting as a server for Microsoft Windows or \"Samba\"
\n# clients, this option allows pppd to supply one or two WINS (Windows
\n# Internet Name Services) server addresses to the clients. The first
\n# instance of this option specifies the primary WINS address; the
\n# second instance (if given) specifies the secondary WINS address.
\n#ms-wins 10.0.0.3
\n#ms-wins 10.0.0.4
\n# Add an entry to this system's ARP [Address Resolution Protocol]
\n# table with the IP address of the peer and the Ethernet address of this
\n# system. This will have the effect of making the peer appear to other
\n# systems to be on the local ethernet.
\n# (you do not need this if your PPTP server is responsible for routing
\n# packets to the clients -- James Cameron)
\nproxyarp<\/strong>
\n# Debian: do not replace the default route
\nnodefaultroute
\n# Logging
\n# Enable connection debugging facilities.
\n# (see your syslog configuration for where pppd sends to)
\n#debug
\n# Print out all the option values which have been set.
\n# (often requexsted by mailing list to verify options)
\n#dump
\n# Miscellaneous
\n# Create a UUCP-style lock file for the pseudo-tty to ensure exclusive
\n# access.
\nlock
\n# Disable BSD-Compress compression
\nnobsdcomp
\nmtu 1200
\nmru 1200
\nplugin radius.so
\nplugin radattr.so
\nlcp-echo-failure 50
\n<\/code>
\nCreamos un NAS en nuestro radius (lo vimos en el post anterior), reiniciamos el servicio pptpd y listo.
\nProbamos un cliente ( un android, por ejemplo)
\n
\nStarting PPTP Daemon: pptpd.
\nroot@radius_lan:\/etc\/ppp# tail -f \/var\/log\/syslog
\nOct 8 00:51:12 rlan pppd[2488]: Using interface ppp0
\nOct 8 00:51:12 rlan pppd[2488]: Connect: ppp0 <--> \/dev\/pts\/1
\nOct 8 00:51:12 rlan pptpd[2486]: GRE: Bad checksum from pppd.
\nOct 8 00:51:12 rlan pppd[2488]: Deflate (15) compression enabled
\nOct 8 00:51:12 rlan pppd[2488]: Cannot determine ethernet address for proxy ARP
\nOct 8 00:51:12 rlan pppd[2488]: local IP address 192.168.2.94
\nOct 8 00:51:12 rlan pppd[2488]: remote IP address 192.168.100.234
\nOct 8 00:51:26 rlan pptpd[2495]: MGR: Maximum of 200 connections reduced to 7, not enough IP addresses given
\nOct 8 00:51:26 rlan pptpd[2496]: MGR: Manager process started
\nOct 8 00:51:26 rlan pptpd[2496]: MGR: Maximum of 7 connections available
\nOct 8 00:51:40 rlan pptpd[2486]: CTRL: EOF or bad error reading ctrl packet length.
\nOct 8 00:51:40 rlan pptpd[2486]: CTRL: couldn't read packet header (exit)
\nOct 8 00:51:40 rlan pptpd[2486]: CTRL: CTRL read failed
\nOct 8 00:51:40 rlan pptpd[2486]: CTRL: Reaping child PPP[2488]
\nOct 8 00:51:40 rlan pptpd[2498]: CTRL: Client 192.168.2.68 control connection started
\nOct 8 00:51:40 rlan pptpd[2498]: CTRL: Starting call (launching pppd, opening GRE)
\nOct 8 00:51:40 rlan pppd[2499]: Plugin radius.so loaded.
\nOct 8 00:51:40 rlan pppd[2499]: RADIUS plugin initialized.
\nOct 8 00:51:40 rlan pppd[2499]: Plugin radattr.so loaded.
\nOct 8 00:51:40 rlan pppd[2499]: RADATTR plugin initialized.
\nOct 8 00:51:40 rlan pppd[2499]: Plugin \/usr\/lib\/pptpd\/pptpd-logwtmp.so loaded.
\nOct 8 00:51:40 rlan pppd[2499]: pppd 2.4.5 started by root, uid 0
\nOct 8 00:51:40 rlan pppd[2499]: Using interface ppp1
\nOct 8 00:51:40 rlan pppd[2499]: Connect: ppp1 <--> \/dev\/pts\/2
\nOct 8 00:51:40 rlan pptpd[2498]: GRE: Bad checksum from pppd.
\nOct 8 00:51:40 rlan pppd[2499]: Deflate (15) compression enabled
\nOct 8 00:51:40 rlan pppd[2499]: Cannot determine ethernet address for proxy ARP
\nOct 8 00:51:40 rlan pppd[2499]: local IP address 192.168.2.13
\nOct 8 00:51:40 rlan pppd[2499]: remote IP address 192.168.100.234
\n<\/code>
\nY vemos el log del freeradius:
\n
\nListening on authentication address * port 1812
\nListening on accounting address * port 1813
\nListening on authentication address 127.0.0.1 port 18120 as server inner-tunnel
\nListening on proxy address * port 1814
\nReady to process requests.
\nrad_recv: Access-Request packet from host 127.0.0.1 port 33461, id=45, length=108
\n\tService-Type = Framed-User
\n\tFramed-Protocol = PPP
\n\tUser-Name = \"angel\"
\n\tCHAP-Challenge = 0x33c4ad40b662648176b52f85b7b47c47030561884ce3
\n\tCHAP-Password = 0x679fa22be2a3a09c79e7ff5f047edb60ae
\n\tCalling-Station-Id = \"192.168.2.68\"
\n\tNAS-IP-Address = 127.0.1.1
\n\tNAS-Port = 0<\/strong>
\n# Executing section authorize from file \/etc\/freeradius\/sites-enabled\/default
\n+- entering group authorize {...}
\n++[preprocess] returns ok
\n[chap] Setting 'Auth-Type := CHAP'
\n++[chap] returns ok
\n++[digest] returns noop
\n[suffix] No '@' in User-Name = \"angel\", looking up realm NULL
\n[suffix] No such realm \"NULL\"
\n++[suffix] returns noop
\n[eap] No EAP-Message, not doing EAP
\n++[eap] returns noop
\n[files] users: Matched entry DEFAULT at line 172
\n++[files] returns ok
\n[sql] \texpand: %{User-Name} -> angel
\n[sql] sql_set_user escaped user --> 'angel'
\nrlm_sql (sql): Reserving sql socket id: 3
\n[sql] \texpand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'angel' ORDER BY id
\n[sql] User found in radcheck table
\n[sql] \texpand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'angel' ORDER BY id
\n[sql] \texpand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'angel' ORDER BY priority
\nrlm_sql (sql): Released sql socket id: 3
\n++[sql] returns ok
\n++[expiration] returns noop
\n++[logintime] returns noop
\n[pap] WARNING: Auth-Type already set. Not setting to PAP
\n++[pap] returns noop
\nFound Auth-Type = CHAP
\n# Executing group from file \/etc\/freeradius\/sites-enabled\/default
\n+- entering group CHAP {...}
\n[chap] login attempt by \"angel\" with CHAP password
\n[chap] Using clear text password \"password_chulo\" for user angel authentication.
\n[chap] chap user angel authenticated succesfully
\n++[chap] returns ok
\n# Executing section post-auth from file \/etc\/freeradius\/sites-enabled\/default
\n+- entering group post-auth {...}
\n[sql] \texpand: %{User-Name} -> angel
\n[sql] sql_set_user escaped user --> 'angel'
\n[sql] \texpand: %{User-Password} ->
\n[sql] \t... expanding second conditional<\/strong>
\n[sql] \texpand: %{Chap-Password} -> 0x679fa22be2a3a09c79e7ff5f047edb60ae
\n[sql] \texpand: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S') -> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'angel', '0x679fa22be2a3a09c79e7ff5f047edb60ae', 'Access-Accept', '2012-10-08 00:54:23')
\nrlm_sql (sql) in sql_postauth: query is INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'angel', '0x679fa22be2a3a09c79e7ff5f047edb60ae', 'Access-Accept', '2012-10-08 00:54:23')
\nrlm_sql (sql): Reserving sql socket id: 2
\nrlm_sql (sql): Released sql socket id: 2
\n++[sql] returns ok
\n[sql_log] Processing sql_log_postauth
\n[sql_log] \texpand: %{User-Name} -> angel
\n[sql_log] \texpand: %{%{User-Name}:-DEFAULT} -> angel
\n[sql_log] sql_set_user escaped user --> 'angel'
\n[sql_log] WARNING: Deprecated conditional expansion \":-\". See \"man unlang\" for details
\n[sql_log] \t... expanding second conditional
\n[sql_log] \texpand: Chap-Password -> Chap-Password
\n[sql_log] \texpand: INSERT INTO radpostauth \t (username, pass, reply, authdate) VALUES \t ('%{User-Name}', '%{User-Password:-Chap-Password}', \t '%{reply:Packet-Type}', '%S'); -> INSERT INTO radpostauth \t (username, pass, reply, authdate) VALUES \t ('angel', 'Chap-Password', \t 'Access-Accept', '2012-10-08 00:54:23');
\n[sql_log] \texpand: \/var\/log\/freeradius\/radacct\/sql-relay -> \/var\/log\/freeradius\/radacct\/sql-relay
\n++[sql_log] returns ok
\n++[exec] returns noop
\nSending Access-Accept of id 45 to 127.0.0.1 port 33461
\n\tFramed-Protocol = PPP
\n\tFramed-Compression = Van-Jacobson-TCP-IP<\/strong>
\nFinished request 0.
\nGoing to the next request
\nWaking up in 4.9 seconds.
\nInvalid packet code 4 sent to authentication port from client port 51954 : IGNORED
\nWaking up in 4.9 seconds.
\nCleaning up request 0 ID 45 with timestamp +8
\nReady to process requests.
\nInvalid packet code 4 sent to authentication port from client port 51954 : IGNORED
\nReady to process requests.
\n<\/code>
\nEnjoy your server \ud83d\ude09<\/p>\n","protected":false},"excerpt":{"rendered":"

Siguiendo al post anterior, ahora toca crear el servidor PPTPD, para por ejemplo, lanzar la vpn desde nuestro android. Primero comprobamos si tenemos en el Kernel de nuestro linux, el soporte para MPPE, para ello: # modprobe ppp-compress-18 && echo OK Si sale OK, pues eso, ha ido bien…. \u00c2\u00bf y qu\u00e9 es eso de […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[5],"tags":[20,58,80,150],"class_list":["post-721","post","type-post","status-publish","format-standard","hentry","category-linux","tag-android","tag-debian","tag-freeradius","tag-pptpd"],"_links":{"self":[{"href":"https:\/\/diablo.craem.net\/index.php?rest_route=\/wp\/v2\/posts\/721","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/diablo.craem.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/diablo.craem.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/diablo.craem.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/diablo.craem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=721"}],"version-history":[{"count":0,"href":"https:\/\/diablo.craem.net\/index.php?rest_route=\/wp\/v2\/posts\/721\/revisions"}],"wp:attachment":[{"href":"https:\/\/diablo.craem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=721"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/diablo.craem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=721"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/diablo.craem.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=721"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}