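#!/usr/bin/env bash
#
# Provision a PPTP VPN server (pptpd) whose users authenticate against a
# FreeRADIUS server backed by MySQL; pppd talks to RADIUS through radiusclient1.
#
# Usage (as root on a Debian/Ubuntu host):
#   PASSWORD_MYSQL=... PASSWORD_RADMIN=... ./setup-pptp-radius.sh
#
# Every setting is read from the environment and falls back to the value the
# script originally hard-coded.  Edits to existing config files leave a marker
# comment behind so that a re-run does not append the same lines twice.
#
# Notes for operators:
#   * PPTP with MS-CHAP is widely regarded as broken; keep it only where a
#     legacy client leaves no alternative.
#   * No secret is passed on a command line (argv is readable through `ps`):
#     MySQL credentials go through a mode-0600 defaults file removed on exit.
#   * The RADIUS shared secret is generated per run unless supplied, so the
#     well-known sample value is never written to disk.
#   * The apt clean-slate step removes and reinstalls mysql-server; do not run
#     this on a host whose MySQL installation you rely on.
#   * The last step, `freeradius -X`, runs the daemon in the foreground in
#     debug mode; use `service freeradius start` for unattended operation.
#
set -euo pipefail
export DEBIAN_FRONTEND=noninteractive

# --- configuration (override via environment) --------------------------------
# IP that will handle PPTP requests (local end of the tunnel).
LOCALIP=${LOCALIP:-192.168.43.2}
# Pool of IPs assigned to remote users on the PPTP connection.
REMOTEUSERS=${REMOTEUSERS:-192.168.43.10-20}
# DNS server handed to remote clients.
DNS_SERVER=${DNS_SERVER:-8.8.8.8}
# Internet-facing interface; NAT and forwarding rules are attached to it.
WAN_IFACE=${WAN_IFACE:-eth0}
# Password for the MySQL root user.
PASSWORD_MYSQL=${PASSWORD_MYSQL:-superdupersecret}
# Password for the 'radius'@'localhost' database user (created by
# /etc/freeradius/sql/mysql/admin.sql).
PASSWORD_RADMIN=${PASSWORD_RADMIN:-moresecretsecret}
# Username and password of the RADIUS test account inserted into radcheck.
RADIUS_USER=${RADIUS_USER:-radiustestpptp}
RADIUS_PASSWORD=${RADIUS_PASSWORD:-123321}
# Shared secret between pppd (radiusclient1) and FreeRADIUS on 127.0.0.1.
# 32 hex chars from /dev/urandom when not supplied.
RADIUS_CLIENT_SECRET=${RADIUS_CLIENT_SECRET:-$(od -An -tx1 -N16 /dev/urandom | tr -d ' \n')}

readonly PPTPD_CONF=/etc/pptpd.conf
readonly PPTPD_OPTIONS=/etc/ppp/pptpd-options
readonly SYSCTL_CONF=/etc/sysctl.conf
readonly FREERADIUS_DIR=/etc/freeradius
readonly RADIUSCLIENT_DIR=/etc/radiusclient

# Path of the temporary MySQL defaults file; set in main(), removed on exit.
MYSQL_CNF=

#######################################
# Print a message to stderr and exit non-zero.
#######################################
die() {
  printf 'error: %s\n' "$*" >&2
  exit 1
}

#######################################
# Abort unless a value is non-empty and free of the characters that would
# break the SQL statements and config files it is embedded in.
# Arguments: $1 - variable name (for the message), $2 - value
#######################################
check_value() {
  local name=$1 value=$2
  [[ -n "$value" ]] || die "$name must not be empty"
  if [[ "$value" == *"'"* || "$value" == *'"'* || "$value" == *'\'* ]]; then
    die "$name must not contain quotes or backslashes"
  fi
}

#######################################
# Append lines to a config file exactly once, guarded by a marker comment
# that is written after the lines.
# Arguments: $1 - file, $2 - marker comment, $3.. - lines to append
# Outputs:   a notice (and the current first line) when already applied
#######################################
append_once() {
  local file=$1 marker=$2
  shift 2
  if grep -qF -- "$marker" "$file"; then
    printf '%s has already been affected by our script\n' "$file"
    grep -F -- "$1" "$file" || true
    return 0
  fi
  printf '%s\n' "$@" "$marker" >> "$file"
}

#######################################
# Run mysql as root using the temporary defaults file instead of -p<password>,
# which would expose the password to every user through `ps`.
# Arguments: passed through to mysql
#######################################
mysql_root() {
  mysql --defaults-extra-file="$MYSQL_CNF" "$@"
}

#######################################
# Install pptpd and load the PPTP connection-tracking module.
#######################################
install_pptpd() {
  # Clean slate: remove previous copies of the packages (and their now-unused
  # dependencies).  Best effort: apt-get exits non-zero for an unknown or
  # never-installed package.
  apt-get -y autoremove debconf-utils pptpd mysql-server freeradius radiusclient1 || true
  apt-get -y install debconf-utils pptpd
  modprobe nf_conntrack_pptp ||
    printf 'warning: could not load nf_conntrack_pptp\n' >&2
}

#######################################
# Write the pptpd address settings and the client DNS server, once.
# Globals: LOCALIP, REMOTEUSERS, DNS_SERVER (read)
#######################################
configure_pptpd() {
  append_once "$PPTPD_CONF" '#setting localip via script' "localip $LOCALIP"
  append_once "$PPTPD_CONF" '#setting remoteusers via script' "remoteip $REMOTEUSERS"
  append_once "$PPTPD_OPTIONS" '#setting dns server via script' "ms-dns $DNS_SERVER"
}

#######################################
# Enable IPv4 forwarding persistently in sysctl.conf and apply it, once.
#######################################
enable_ip_forwarding() {
  if grep -qF -- '#setting forwarding from script' "$SYSCTL_CONF"; then
    printf '%s has already been affected by our script - moving on\n' "$SYSCTL_CONF"
    grep -F -- 'net.ipv4.ip_forward=1' "$SYSCTL_CONF" || true
    return 0
  fi
  # One pattern covers both the active and the commented-out form, since
  # '#net.ipv4.ip_forward=1' contains the same substring.
  sed -i.bak-removed-forward '/net\.ipv4\.ip_forward=1/d' "$SYSCTL_CONF"
  printf '%s\n' 'net.ipv4.ip_forward=1' '#setting forwarding from script' >> "$SYSCTL_CONF"
  sysctl -p "$SYSCTL_CONF"
}

#######################################
# Preseed the MySQL root password and install MySQL, FreeRADIUS and
# radiusclient1.
# Globals: PASSWORD_MYSQL (read)
#######################################
install_mysql_and_radius() {
  # debconf reads from stdin, so the password never appears in argv.
  debconf-set-selections <<< "mysql-server mysql-server/root_password password $PASSWORD_MYSQL"
  debconf-set-selections <<< "mysql-server mysql-server/root_password_again password $PASSWORD_MYSQL"
  apt-get -y install mysql-server
  apt-get -y install freeradius freeradius-mysql freeradius-utils
  apt-get -y install radiusclient1
}

#######################################
# (Re)create the radius database, its schema, the radius DB user and the
# test account.
# Globals: PASSWORD_RADMIN, RADIUS_USER, RADIUS_PASSWORD (read)
#######################################
setup_radius_database() {
  mysql_root -e "show databases"
  mysql_root -e "DROP DATABASE IF EXISTS radius"
  mysql_root -e "CREATE DATABASE radius"
  mysql_root -e "show databases"
  mysql_root radius < "$FREERADIUS_DIR/sql/mysql/schema.sql"
  # The user does not exist on a first run, and 'DROP USER IF EXISTS' is not
  # available on older MySQL releases, so the failure is tolerated.
  mysql_root -e "DROP USER 'radius'@'localhost'" || true
  mysql_root radius < "$FREERADIUS_DIR/sql/mysql/admin.sql"
  mysql_root -e "SET PASSWORD FOR 'radius'@'localhost' = PASSWORD('$PASSWORD_RADMIN')"
  mysql_root -D radius -e "DELETE FROM radcheck WHERE username = '$RADIUS_USER'"
  mysql_root -D radius -e "INSERT INTO radcheck (id, username, attribute, op, value) VALUES (1,'$RADIUS_USER','User-Password',':=','$RADIUS_PASSWORD');"
  # Column list deliberately excludes 'value' so the plaintext test password
  # is not echoed to the terminal or a captured log.
  mysql_root -D radius -e "SELECT id, username, attribute, op FROM radcheck"
}

#######################################
# Restrict a config file that contains a secret to root and the freerad
# group (the user/group FreeRADIUS runs as).
# Arguments: $1 - file
#######################################
protect_freeradius_file() {
  chown root:freerad "$1"
  chmod 640 "$1"
}

#######################################
# Write the FreeRADIUS site, main and SQL configuration.
# Globals: PASSWORD_RADMIN, RADIUS_CLIENT_SECRET (read)
#######################################
write_freeradius_config() {
  cat <<'EOF' > "$FREERADIUS_DIR/sites-enabled/default"
authorize {
  preprocess
  chap
  mschap
  digest
  suffix
  eap {
    ok = return
  }
  sql
  expiration
  logintime
  pap
}
authenticate {
  Auth-Type PAP {
    pap
  }
  Auth-Type CHAP {
    chap
  }
  Auth-Type MS-CHAP {
    mschap
  }
  digest
  unix
  eap
}
preacct {
  preprocess
  acct_unique
  suffix
  #files
}
accounting {
  sql
  detail
  unix
  radutmp
  exec
  attr_filter.accounting_response
}
session {
  radutmp
  sql
}
post-auth {
  exec
  sql
  Post-Auth-Type REJECT {
    sql
    sql
    attr_filter.access_reject
  }
}
pre-proxy {
}
post-proxy {
  eap
}
EOF

  # Quoted heredoc: ${...} and $INCLUDE are FreeRADIUS syntax, not shell.
  cat <<'EOF' > "$FREERADIUS_DIR/radiusd.conf"
prefix = /usr
exec_prefix = /usr
sysconfdir = /etc
localstatedir = /var
sbindir = ${exec_prefix}/sbin
logdir = /var/log/freeradius
raddbdir = /etc/freeradius
radacctdir = ${logdir}/radacct
name = freeradius
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/${name}
db_dir = ${raddbdir}
libdir = /usr/lib/freeradius
pidfile = ${run_dir}/${name}.pid
user = freerad
group = freerad
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
listen {
  type = auth
  ipaddr = *
  port = 0
}
listen {
  ipaddr = *
  port = 0
  type = acct
}
hostname_lookups = no
allow_core_dumps = no
regular_expressions = yes
extended_expressions = yes
log {
  destination = files
  file = ${logdir}/radius.log
  syslog_facility = daemon
  stripped_names = no
  auth = no
  auth_badpass = no
  auth_goodpass = no
}
checkrad = ${sbindir}/checkrad
security {
  max_attributes = 200
  reject_delay = 1
  status_server = yes
}
proxy_requests = yes
$INCLUDE proxy.conf
$INCLUDE clients.conf
thread pool {
  start_servers = 5
  max_servers = 32
  min_spare_servers = 3
  max_spare_servers = 10
  max_requests_per_server = 0
}
modules {
  $INCLUDE ${confdir}/modules/
  $INCLUDE eap.conf
  $INCLUDE sql.conf
}
instantiate {
  exec
  expr
  expiration
  logintime
}
$INCLUDE policy.conf
$INCLUDE sites-enabled/
EOF

  # Unquoted heredoc so $PASSWORD_RADMIN expands; FreeRADIUS's own ${...} and
  # $INCLUDE are escaped.  A heredoc also keeps the embedded double quotes,
  # which an echo "..." with nested quotes silently drops.
  cat <<EOF > "$FREERADIUS_DIR/sql.conf"
sql {
  database = "mysql"
  driver = "rlm_sql_\${database}"
  server = "localhost"
  login = "radius"
  password = "$PASSWORD_RADMIN"
  radius_db = "radius"
  acct_table1 = "radacct"
  acct_table2 = "radacct"
  postauth_table = "radpostauth"
  authcheck_table = "radcheck"
  authreply_table = "radreply"
  groupcheck_table = "radgroupcheck"
  groupreply_table = "radgroupreply"
  usergroup_table = "radusergroup"
  deletestalesessions = yes
  sqltrace = no
  sqltracefile = \${logdir}/sqltrace.sql
  num_sql_socks = 5
  connect_failure_retry_delay = 60
  lifetime = 0
  max_queries = 0
  nas_table = "nas"
  \$INCLUDE sql/\${database}/dialup.conf
}
EOF
  protect_freeradius_file "$FREERADIUS_DIR/sql.conf"

  # Only the local pppd/radiusclient is allowed to talk to this server.
  # require_message_authenticator stays 'no' as in the original; the old
  # radiusclient1 may not send Message-Authenticator — confirm before tightening.
  cat <<EOF > "$FREERADIUS_DIR/clients.conf"
client localhost {
  ipaddr = 127.0.0.1
  secret = $RADIUS_CLIENT_SECRET
  require_message_authenticator = no
}
EOF
  protect_freeradius_file "$FREERADIUS_DIR/clients.conf"
}

#######################################
# Write the radiusclient1 dictionary, server list, and enable the pppd
# RADIUS plugins.
# Globals: RADIUS_CLIENT_SECRET (read)
#######################################
write_radiusclient_config() {
  cat <<'EOF' > "$RADIUSCLIENT_DIR/dictionary.microsoft"
VENDOR Microsoft 311 Microsoft
BEGIN VENDOR Microsoft
ATTRIBUTE MS-CHAP-Response 1 string Microsoft
ATTRIBUTE MS-CHAP-Error 2 string Microsoft
ATTRIBUTE MS-CHAP-CPW-1 3 string Microsoft
ATTRIBUTE MS-CHAP-CPW-2 4 string Microsoft
ATTRIBUTE MS-CHAP-LM-Enc-PW 5 string Microsoft
ATTRIBUTE MS-CHAP-NT-Enc-PW 6 string Microsoft
ATTRIBUTE MS-MPPE-Encryption-Policy 7 string Microsoft
# This is referred to as both singular and plural in the RFC.
# Plural seems to make more sense.
ATTRIBUTE MS-MPPE-Encryption-Type 8 string Microsoft
ATTRIBUTE MS-MPPE-Encryption-Types 8 string Microsoft
ATTRIBUTE MS-RAS-Vendor 9 integer Microsoft
ATTRIBUTE MS-CHAP-Domain 10 string Microsoft
ATTRIBUTE MS-CHAP-Challenge 11 string Microsoft
ATTRIBUTE MS-CHAP-MPPE-Keys 12 string Microsoft encrypt=1
ATTRIBUTE MS-BAP-Usage 13 integer Microsoft
ATTRIBUTE MS-Link-Utilization-Threshold 14 integer Microsoft
ATTRIBUTE MS-Link-Drop-Time-Limit 15 integer Microsoft
ATTRIBUTE MS-MPPE-Send-Key 16 string Microsoft
ATTRIBUTE MS-MPPE-Recv-Key 17 string Microsoft
ATTRIBUTE MS-RAS-Version 18 string Microsoft
ATTRIBUTE MS-Old-ARAP-Password 19 string Microsoft
ATTRIBUTE MS-New-ARAP-Password 20 string Microsoft
ATTRIBUTE MS-ARAP-PW-Change-Reason 21 integer Microsoft
ATTRIBUTE MS-Filter 22 string Microsoft
ATTRIBUTE MS-Acct-Auth-Type 23 integer Microsoft
ATTRIBUTE MS-Acct-EAP-Type 24 integer Microsoft
ATTRIBUTE MS-CHAP2-Response 25 string Microsoft
ATTRIBUTE MS-CHAP2-Success 26 string Microsoft
ATTRIBUTE MS-CHAP2-CPW 27 string Microsoft
ATTRIBUTE MS-Primary-DNS-Server 28 ipaddr
ATTRIBUTE MS-Secondary-DNS-Server 29 ipaddr
ATTRIBUTE MS-Primary-NBNS-Server 30 ipaddr Microsoft
ATTRIBUTE MS-Secondary-NBNS-Server 31 ipaddr Microsoft
#ATTRIBUTE MS-ARAP-Challenge 33 string Microsoft
#
# Integer Translations
#
# MS-BAP-Usage Values
VALUE MS-BAP-Usage Not-Allowed 0
VALUE MS-BAP-Usage Allowed 1
VALUE MS-BAP-Usage Required 2
# MS-ARAP-Password-Change-Reason Values
VALUE MS-ARAP-PW-Change-Reason Just-Change-Password 1
VALUE MS-ARAP-PW-Change-Reason Expired-Password 2
VALUE MS-ARAP-PW-Change-Reason Admin-Requires-Password-Change 3
VALUE MS-ARAP-PW-Change-Reason Password-Too-Short 4
# MS-Acct-Auth-Type Values
VALUE MS-Acct-Auth-Type PAP 1
VALUE MS-Acct-Auth-Type CHAP 2
VALUE MS-Acct-Auth-Type MS-CHAP-1 3
VALUE MS-Acct-Auth-Type MS-CHAP-2 4
VALUE MS-Acct-Auth-Type EAP 5
# MS-Acct-EAP-Type Values
VALUE MS-Acct-EAP-Type MD5 4
VALUE MS-Acct-EAP-Type OTP 5
VALUE MS-Acct-EAP-Type Generic-Token-Card 6
VALUE MS-Acct-EAP-Type TLS 13
END-VENDOR Microsoft
EOF

  append_once "$RADIUSCLIENT_DIR/dictionary" '#setting microsoft dictionary via script' \
    "INCLUDE $RADIUSCLIENT_DIR/dictionary.microsoft"

  # The servers file holds the shared secret; pppd runs as root, so root-only.
  printf '127.0.0.1 %s\n' "$RADIUS_CLIENT_SECRET" > "$RADIUSCLIENT_DIR/servers"
  chmod 600 "$RADIUSCLIENT_DIR/servers"

  append_once "$PPTPD_OPTIONS" '#setting radius plugins via script' \
    'plugin radius.so' 'plugin radattr.so'
}

#######################################
# NAT the VPN clients out through the WAN interface.  `-C` checks for an
# identical existing rule so a re-run does not stack duplicates.  The rules
# are not persisted across reboots by this script.
# Globals: WAN_IFACE (read)
#######################################
configure_firewall() {
  iptables -t nat -C POSTROUTING -o "$WAN_IFACE" -j MASQUERADE 2>/dev/null ||
    iptables -t nat -A POSTROUTING -o "$WAN_IFACE" -j MASQUERADE
  iptables -C FORWARD -i ppp+ -o "$WAN_IFACE" -j ACCEPT 2>/dev/null ||
    iptables -A FORWARD -i ppp+ -o "$WAN_IFACE" -j ACCEPT
  iptables -C INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT 2>/dev/null ||
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
}

#######################################
# Restart the services and start FreeRADIUS in foreground debug mode.
# This function does not return until `freeradius -X` is interrupted.
#######################################
restart_services() {
  service mysql restart
  service pptpd restart
  # The daemon may not be running yet; stopping it is best effort.
  service freeradius stop || true
  freeradius -X
}

main() {
  (( EUID == 0 )) || die "this script must run as root"

  check_value PASSWORD_MYSQL "$PASSWORD_MYSQL"
  check_value PASSWORD_RADMIN "$PASSWORD_RADMIN"
  check_value RADIUS_USER "$RADIUS_USER"
  check_value RADIUS_PASSWORD "$RADIUS_PASSWORD"
  check_value RADIUS_CLIENT_SECRET "$RADIUS_CLIENT_SECRET"

  # MySQL credentials live in a private temp file for the whole run.
  MYSQL_CNF=$(mktemp) || die "mktemp failed"
  trap 'rm -f -- "$MYSQL_CNF"' EXIT
  chmod 600 "$MYSQL_CNF"
  printf '[client]\nuser=root\npassword="%s"\n' "$PASSWORD_MYSQL" > "$MYSQL_CNF"

  install_pptpd
  configure_pptpd
  enable_ip_forwarding
  install_mysql_and_radius
  setup_radius_database
  write_freeradius_config
  write_radiusclient_config
  configure_firewall
  restart_services
}

main "$@"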