Не работает OpenVPN авторизация через Radius.

[super_super]

Здравствуйте!!! Имеется FREEBSD 7.4 установлен Abills 0.54b и mpd5 все работает нормально решил установить OpenVPN и сделать авторизацию через Abills. OpenVPN устанавливал по статье http://abills.net.ua/wiki/doku.php/abil ... ru:openvpn но вот заставить работать радиус-плагин по статье как описано не получилось ругается и не запускает OpenVPN но зато нашел в портах openvpn-auth-radius установил его и взял файлы radiusplugin.so radiusplugin.cnf. После этого OpenVPN стал запускаться но вот авторизация через Radius+Abills так и не заработала при авторизации на стороне клиента ввожу логин и пароль пользователя и нечего не происходит даже нету логов радиуса. Но если убрать на сервере авторизацию через Radius и на клиенте убрать запрос на ввод логина и пароля то все соединяется и работает. Все настройки были сделаны по выше описанной статье за исключением замененного радиус-плагина на родной из портов и немного исправлен конфиг. В чем проблема где что не так настроено или что добавить чтобы заработало неделю бьюсь и все не как не выходит.

server. conf

Код: Выделить всё

mode server
dev tun10
port 1194
proto tcp

ca /usr/local/etc/openvpn/keys/server/ca.crt
cert /usr/local/etc/openvpn/keys/server/server.crt
key /usr/local/etc/openvpn/keys/server/server.key
dh /usr/local/etc/openvpn/keys/server/dh1024.pem

tls-server
tls-auth /usr/local/etc/openvpn/keys/server/ta.key 0
tls-timeout 120
auth MD5
cipher BF-CBC
keepalive 10 120
comp-lzo
max-clients 100
persist-key
persist-tun

server 10.10.200.0 255.255.255.0
management 127.0.0.1 7505
username-as-common-name

client-connect /usr/local/abills/libexec/openvpn-up
client-disconnect /usr/local/abills/libexec/openvpn-down
ifconfig-pool-persist /usr/local/etc/openvpn/keys/server/ip.txt 1300000
#plugin /usr/local/etc/openvpn/radiusplugin.so /usr/local/etc/openvpn/radiusplug
plugin /usr/local/lib/radiusplugin.so /usr/local/etc/openvpn/radiusplugin.cnf

client-to-client

#push "redirect-gateway def1"
#push "route 0.0.0.0 0.0.0.0"
#push "dhcp-option DNS 10.1.100.1"


status /var/log/openvpn/openvpn-status.log
log-append /var/log/openvpn/openvpn-server.log
verb 3

radiusplugin.cnf

Код: Выделить всё

NAS-Identifier=OpenVpn

Service-Type=2

Framed-Protocol=1

NAS-Port-Type=5

NAS-IP-Address=127.0.0.1

OpenVPNConfig=/usr/local/etc/openvpn/server.conf

subnet=255.255.255.0

overwriteccfiles=true

server
{
        # The UDP port for radius accounting.
        acctport=1813
        # The UDP port for radius authentication.
        authport=1812
        # The name or ip address of the radius server.
        name=127.0.0.1
        # How many times should the plugin send the if there is no response?
        retry=1
        # How long should the plugin wait for a response?
        wait=1
        # The shared secret.
        sharedsecret= ключ радиуса
}

Конфиг на стороне пользователя.

openvpn.ovpn

Код: Выделить всё

dev tun
proto tcp
remote 192.168.1.200 #(реальный айпи вашего сервера)
port 1194 #(порт к которому устанавливать соединение
client
ca ca.crt
cert client.crt
key client.key
tls-client
tls-auth ta.key 1
comp-lzo
verb 3

auth-user-pass

auth MD5
resolv-retry infinite
cipher BF-CBC
ns-cert-type server
persist-key
persist-tun
pull

reneg-sec 1209600

Добавлен Сервер доступа

Код: Выделить всё

IP 127.0.0.1

Название (a-ZA-Z0-9_): OpenVpn

Radius NAS-Identifier: OpenVpn

Тип: openvpn:OpenVPN with RadiusPlugin

Авторизация: Sql

Alive (sec.): 300

:Управление:
IP:PORT: 127.0.0.1:7505

openvpn-server.log

Код: Выделить всё

Sat Feb 25 15:43:58 2012 OpenVPN 2.2.2 i386-portbld-freebsd7.3 [SSL] [LZO2] [eurephia] built on Mar 24 2012
Sat Feb 25 15:43:58 2012 MANAGEMENT: TCP Socket listening on 127.0.0.1:7505
Sat Feb 25 15:43:58 2012 NOTE: your local LAN uses the extremely common subnet address 192.168.0.x or 192.168.1.x.  Be aware that this might create routing conflicts if you connect to the VPN server from public locations such as internet cafes that use the same subnet.
Sat Feb 25 15:43:58 2012 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Sat Feb 25 15:43:58 2012 RADIUS-PLUGIN: Configfile name: /usr/local/etc/openvpn/radiusplugin.cnf.
Sat Feb 25 15:43:58 2012 PLUGIN_INIT: POST /usr/local/lib/radiusplugin.so '[/usr/local/lib/radiusplugin.so] [/usr/local/etc/openvpn/radiusplugin.cnf]' intercepted=PLUGIN_AUTH_USER_PASS_VERIFY|PLUGIN_CLIENT_CONNECT|PLUGIN_CLIENT_DISCONNECT
Sat Feb 25 15:43:58 2012 Diffie-Hellman initialized with 1024 bit key
Sat Feb 25 15:43:58 2012 Control Channel Authentication: using '/usr/local/etc/openvpn/keys/server/ta.key' as a OpenVPN static key file
Sat Feb 25 15:43:58 2012 Outgoing Control Channel Authentication: Using 128 bit message hash 'MD5' for HMAC authentication
Sat Feb 25 15:43:58 2012 Incoming Control Channel Authentication: Using 128 bit message hash 'MD5' for HMAC authentication
Sat Feb 25 15:43:58 2012 TLS-Auth MTU parms [ L:1540 D:164 EF:64 EB:0 ET:0 EL:0]
Sat Feb 25 15:43:58 2012 Socket Buffers: R=[65536->65536] S=[65536->65536]
Sat Feb 25 15:43:58 2012 ROUTE default_gateway=192.168.1.100
Sat Feb 25 15:43:58 2012 TUN/TAP device /dev/tun10 opened
Sat Feb 25 15:43:58 2012 /sbin/ifconfig tun10 10.10.200.1 10.10.200.2 mtu 1500 netmask 255.255.255.255 up
Sat Feb 25 15:43:58 2012 /sbin/route add -net 10.10.200.0 10.10.200.2 255.255.255.0 add net 10.10.200.0: gateway 10.10.200.2
Sat Feb 25 15:43:58 2012 Data Channel MTU parms [ L:1540 D:1450 EF:40 EB:135 ET:0 EL:0 AF:3/1 ]
Sat Feb 25 15:43:58 2012 Listening for incoming TCP connection on undef]:1194
Sat Feb 25 15:43:58 2012 TCPv4_SERVER link local (bound): [undef]:1194
Sat Feb 25 15:43:58 2012 TCPv4_SERVER link remote: [undef]
Sat Feb 25 15:43:58 2012 MULTI: multi_init called, r=256 v=256
Sat Feb 25 15:43:58 2012 IFCONFIG POOL: base=10.10.200.4 size=62
Sat Feb 25 15:43:58 2012 IFCONFIG POOL LIST
Sat Feb 25 15:43:58 2012 MULTI: TCP INIT maxclients=100 maxevents=104
Sat Feb 25 15:43:58 2012 Initialization Sequence Completed

Sat Feb 25 15:50:17 2012 MULTI: multi_create_instance called
Sat Feb 25 15:50:17 2012 Re-using SSL/TLS context
Sat Feb 25 15:50:17 2012 LZO compression initialized
Sat Feb 25 15:50:17 2012 Control Channel MTU parms [ L:1540 D:164 EF:64 EB:0 ET:0 EL:0 ]
Sat Feb 25 15:50:17 2012 Data Channel MTU parms [ L:1540 D:1450 EF:40 EB:135 ET:0 EL:0 AF:3/1 ]
Sat Feb 25 15:50:17 2012 Local Options hash (VER=V4): '9183b24b'
Sat Feb 25 15:50:17 2012 Expected Remote Options hash (VER=V4): 'e6beeeed'
Sat Feb 25 15:50:17 2012 TCP connection established with 192.168.1.201:1047
Sat Feb 25 15:50:17 2012 TCPv4_SERVER link local: [undef]
Sat Feb 25 15:50:17 2012 TCPv4_SERVER link remote: 192.168.1.201:1047
Sat Feb 25 15:50:17 2012 192.168.1.201:1047 TLS: Initial packet from 192.168.1.2
01:1047, sid=4c8619a2 bcd41ae5
Sat Feb 25 15:50:17 2012 192.168.1.201:1047 VERIFY OK: depth=1, /C=**/ST=NA/L=**/O=local.host/OU=server/CN=server/name=changeme/emailAddress=mail@host.domain
Sat Feb 25 15:50:17 2012 192.168.1.201:1047 VERIFY OK: depth=0, /C=**/ST=NA/L=**/O=local.host/OU=server/CN=client/name=changeme/emailAddress=mail@host.domain

Логи клиента

openvpn.log

Код: Выделить всё

Sat Feb 25 15:50:45 2012 OpenVPN 2.1_beta7 Win32-MinGW [SSL] [LZO2] built on Nov 12 2005
Sat Feb 25 15:50:51 2012 Control Channel Authentication: using 'ta.key' as a OpenVPN static key file
Sat Feb 25 15:50:51 2012 Outgoing Control Channel Authentication: Using 128 bit message hash 'MD5' for HMAC authentication
Sat Feb 25 15:50:51 2012 Incoming Control Channel Authentication: Using 128 bit message hash 'MD5' for HMAC authentication
Sat Feb 25 15:50:51 2012 LZO compression initialized
Sat Feb 25 15:50:51 2012 Control Channel MTU parms [ L:1540 D:164 EF:64 EB:0 ET:0 EL:0 ]
Sat Feb 25 15:50:51 2012 Data Channel MTU parms [ L:1540 D:1450 EF:40 EB:135 ET:0 EL:0 AF:3/1 ]
Sat Feb 25 15:50:51 2012 Local Options hash (VER=V4): 'e6beeeed'
Sat Feb 25 15:50:51 2012 Expected Remote Options hash (VER=V4): '9183b24b'
Sat Feb 25 15:50:51 2012 Attempting to establish TCP connection with 192.168.1.200:1194
Sat Feb 25 15:50:51 2012 TCP connection established with 192.168.1.200:1194
Sat Feb 25 15:50:51 2012 Socket Buffers: R=[8192->8192] S=[8192->8192]
Sat Feb 25 15:50:51 2012 TCPv4_CLIENT link local: [undef]
Sat Feb 25 15:50:51 2012 TCPv4_CLIENT link remote: 192.168.1.200:1194
Sat Feb 25 15:50:51 2012 TLS: Initial packet from 192.168.1.200:1194, sid=f0944d01 3d98e6ba
Sat Feb 25 15:50:51 2012 VERIFY OK: depth=1, /C=**/ST=NA/L=**/O=local.host/OU=server/CN=server/name=changeme/emailAddress=mail@host.domain
Sat Feb 25 15:50:51 2012 VERIFY OK: nsCertType=SERVER
Sat Feb 25 15:50:51 2012 VERIFY OK: depth=0, /C=**/ST=NA/L=**/O=local.host/OU=server/CN=server/name=changeme/emailAddress=mail@host.domain
Sat Feb 25 15:51:52 2012 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sat Feb 25 15:51:52 2012 TLS Error: TLS handshake failed
Sat Feb 25 15:51:52 2012 Fatal TLS error (check_tls_errors_co), restarting
Sat Feb 25 15:51:52 2012 TCP/UDP: Closing socket
Sat Feb 25 15:51:52 2012 SIGUSR1[soft,tls-error] received, process restarting
Sat Feb 25 15:51:52 2012 Restart pause, 5 second(s)
Sat Feb 25 15:51:57 2012 Re-using SSL/TLS context
Sat Feb 25 15:51:57 2012 LZO compression initialized
Sat Feb 25 15:51:57 2012 Control Channel MTU parms [ L:1540 D:164 EF:64 EB:0 ET:0 EL:0 ]
Sat Feb 25 15:51:57 2012 Data Channel MTU parms [ L:1540 D:1450 EF:40 EB:135 ET:0 EL:0 AF:3/1 ]
Sat Feb 25 15:51:57 2012 Local Options hash (VER=V4): 'e6beeeed'
Sat Feb 25 15:51:57 2012 Expected Remote Options hash (VER=V4): '9183b24b'
Sat Feb 25 15:51:57 2012 Attempting to establish TCP connection with 192.168.1.200:1194
Sat Feb 25 15:51:57 2012 TCP/UDP: Closing socket
Sat Feb 25 15:51:57 2012 SIGTERM[hard,init_instance] received, process exiting