Installing and configuring LXD on Arch Linux.
install lxd   # e.g. sudo pacman -S lxd on Arch
sudo systemctl enable lxd.socket
sudo systemctl start lxd.socket
sudo systemctl start lxd.service
sudo usermod -v 1000000-1000999999 -w 1000000-1000999999 root
sudo lxd init
sudo usermod -aG lxd gustavo (restart the machine)
lxc launch ubuntu:24.04 freeradius
Fixing the containers' internet connection.
sudo su
# Flushes every rule and chain in all four iptables variants and sets the default policies to ACCEPT, leaving the host with no packet filter; re-add your own rules afterwards.
for ipt in iptables iptables-legacy ip6tables ip6tables-legacy; do $ipt --flush; $ipt --flush -t nat; $ipt --delete-chain; $ipt --delete-chain -t nat; $ipt -P FORWARD ACCEPT; $ipt -P INPUT ACCEPT; $ipt -P OUTPUT ACCEPT; done
systemctl restart lxd.socket
systemctl restart lxd
Trying to map the container names to an LXD domain, e.g. container1.lxd. Not working yet.
LXD_IP=`lxc network get lxdbr0 ipv4.address | cut -d / -f 1`
cat > lxd.network <<EOF
[Match]
Name=lxdbr0
[Network]
DNS=${LXD_IP}
Domains=~lxd
IgnoreCarrierLoss=yes
[Address]
Address=${LXD_IP}/24
Gateway=${LXD_IP}
EOF
sudo mv lxd.network /etc/systemd/network/
Installing FreeRADIUS on Arch Linux is different, so I opted to run it inside an LXD container with Ubuntu 24.04.
The config directory on Ubuntu is /etc/freeradius/3.0
What needs to be done?
- Add the hostapd IP to the clients.conf file
- Add the network user to the users file
- Test the config by running
freeradius -X
and, in another terminal, radtest
To add hostapd:
client hostapd {
ipaddr = 10.228.190.1 # host IP
secret = senhaforte
}
To add a user (inside /etc/freeradius/3.0):
printf 'gustavo\tCleartext-Password := "123123"\n' | sudo tee -a users   # printf, because echo does not expand \t in bash
radtest gustavo 123123 <ip-freeradius> 1812 senhaforte
Not worth it.
TODO: Try sqlite or postgres and build a frontend to replace daloradius
- Install MariaDB
- Create the database, user and tables
- Change the database settings in mods-available/sql
- Enable the sql module by creating a symlink in mods-enabled/sql
- Install and configure Apache2 + PHP + Daloradius
MariaDB:
apt --no-install-recommends install mariadb-server freeradius-mysql
mariadb-secure-installation
mariadb -u root -p
CREATE DATABASE raddb;
GRANT ALL ON raddb.* TO 'raduser'@'localhost' IDENTIFIED BY 'radpass';
FLUSH PRIVILEGES;
EXIT;
systemctl enable mariadb
# Tables
mariadb -u raduser -p raddb < /etc/freeradius/3.0/mods-config/sql/main/mysql/schema.sql
Configuring the SQL module (the sed comments out the tls { } block):
sed -Ei '/^[\t\s#]*tls\s+\{/, /[\t\s#]*\}/ s/^/#/' /etc/freeradius/3.0/mods-available/sql
cd /etc/freeradius/3.0/mods-enabled
ln -sn ../mods-available/sql
chown -R freerad:freerad sql
# Edit the sql file
dialect = "mysql"
driver = "rlm_sql_${dialect}"
...
server = "localhost"
port = 3306
login = "raduser"
password = "radpass"
radius_db = "raddb"
...
read_clients = yes
client_table = nas
Daloradius:
apt --no-install-recommends install apache2 php libapache2-mod-php \
php-mysql php-zip php-mbstring php-common php-curl \
php-gd php-db php-mail php-mail-mime \
mariadb-client freeradius-utils rsyslog git
cd /var/www
git clone https://github.com/lirantal/daloradius.git
mkdir -p /var/log/apache2/daloradius/{operators,users}
cat <<EOF >> /etc/apache2/envvars
# daloRADIUS users interface port
export DALORADIUS_USERS_PORT=80
# daloRADIUS operators interface port
export DALORADIUS_OPERATORS_PORT=8000
# daloRADIUS package root directory
export DALORADIUS_ROOT_DIRECTORY=/var/www/daloradius
# daloRADIUS administrator's email
export DALORADIUS_SERVER_ADMIN=admin@example.com   # placeholder: the address in the original notes was lost in extraction
EOF
cat <<EOF > /etc/apache2/ports.conf
# daloRADIUS
Listen \${DALORADIUS_USERS_PORT}
Listen \${DALORADIUS_OPERATORS_PORT}
EOF
cat <<EOF > /etc/apache2/sites-available/operators.conf
<VirtualHost *:\${DALORADIUS_OPERATORS_PORT}>
ServerAdmin \${DALORADIUS_SERVER_ADMIN}
DocumentRoot \${DALORADIUS_ROOT_DIRECTORY}/app/operators
<Directory \${DALORADIUS_ROOT_DIRECTORY}/app/operators>
Options -Indexes +FollowSymLinks
AllowOverride All
Require all granted
</Directory>
<Directory \${DALORADIUS_ROOT_DIRECTORY}>
Require all denied
</Directory>
ErrorLog \${APACHE_LOG_DIR}/daloradius/operators/error.log
CustomLog \${APACHE_LOG_DIR}/daloradius/operators/access.log combined
</VirtualHost>
EOF
cat <<EOF > /etc/apache2/sites-available/users.conf
<VirtualHost *:\${DALORADIUS_USERS_PORT}>
ServerAdmin \${DALORADIUS_SERVER_ADMIN}
DocumentRoot \${DALORADIUS_ROOT_DIRECTORY}/app/users
<Directory \${DALORADIUS_ROOT_DIRECTORY}/app/users>
Options -Indexes +FollowSymLinks
AllowOverride None
Require all granted
</Directory>
<Directory \${DALORADIUS_ROOT_DIRECTORY}>
Require all denied
</Directory>
ErrorLog \${APACHE_LOG_DIR}/daloradius/users/error.log
CustomLog \${APACHE_LOG_DIR}/daloradius/users/access.log combined
</VirtualHost>
EOF
cd /var/www/daloradius/app/common/includes
cp daloradius.conf.php.sample daloradius.conf.php
chown www-data:www-data daloradius.conf.php
chmod 664 daloradius.conf.php
chown www-data:www-data /var/www/daloradius/contrib/scripts/dalo-crontab
cd /var/www/daloradius/
mkdir -p var/{log,backup}
chown -R www-data:www-data var
chmod -R 775 var
cd /var/www/daloradius/contrib/db
mariadb -u raduser -p raddb < fr3-mariadb-freeradius.sql
mariadb -u raduser -p raddb < mariadb-daloradius.sql
a2dissite 000-default.conf
a2ensite operators.conf users.conf
systemctl enable apache2
systemctl restart apache2
Using it:
# Username: administrator
# Password: radius   (daloRADIUS defaults; change them after the first login)
xdg-open http://10.228.190.102:8000
List the installed interfaces:
ip -o link show | awk -F': ' '{print $2}'
# The USB wireless interface to use is wlp0s20f0u4
sudo ip link set up dev wlp0s20f0u4
sudo ip addr add 192.168.200.1/24 dev wlp0s20f0u4
Installation and configuration (hostapd):
install hostapd wpa_supplicant   # e.g. sudo pacman -S hostapd wpa_supplicant
FREERADIUS_IP=`lxc info freeradius | grep "inet:" | grep global | awk '{print $2}' | cut -d / -f 1`   # cut strips the /24 prefix
cat > hostapd.conf <<EOF
interface=wlp0s20f0u4
driver=nl80211
ssid=provedor4
hw_mode=g
channel=6
logger_syslog=-1
logger_syslog_level=0
ctrl_interface=/var/run/hostapd/
beacon_int=100
macaddr_acl=0
ignore_broadcast_ssid=0
auth_algs=1
rsn_pairwise=CCMP
wpa=2
# without RADIUS
#wpa_key_mgmt=WPA-PSK
#wpa_passphrase=123123123
# with RADIUS
ctrl_interface_group=0
wpa_key_mgmt=WPA-EAP
ieee8021x=1
radius_retry_primary_interval=120
wmm_enabled=1
wpa_group_rekey=300
wpa_gmk_rekey=86400
eap_server=0
auth_server_addr=10.228.190.102
auth_server_port=1812
auth_server_shared_secret=senhaforte
EOF
sudo mv hostapd.conf /etc/hostapd/hostapd.conf
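Added check, not part of the original notes: it parses the client block from clients.conf above and the RADIUS keys of hostapd.conf, confirms hostapd is a known client sending the same shared secret, and flags the AP settings needed for external RADIUS. The embedded samples are constructed from the values in these notes; the 16-character minimum secret length is an assumed local policy, not a FreeRADIUS requirement.

```python
import re

# Constructed samples mirroring the two fragments in these notes (illustrative values).
CLIENTS_CONF = """client hostapd {
    ipaddr = 10.228.190.1   # host IP
    secret = senhaforte
}
"""
HOSTAPD_CONF = """wpa=2
wpa_key_mgmt=WPA-EAP
ieee8021x=1
eap_server=0
auth_server_addr=10.228.190.102
auth_server_port=1812
auth_server_shared_secret=senhaforte
"""

def parse_clients(text):
    """{name: {key: value}} for each 'client name { ... }' block; '#' starts a comment."""
    clients = {}
    for name, body in re.findall(r"client\s+(\S+)\s*\{(.*?)\}", text, re.S):
        pairs = (l.split("#", 1)[0].split("=", 1) for l in body.splitlines())
        clients[name] = {k.strip(): v.strip() for k, v in (p for p in pairs if len(p) == 2)}
    return clients

def parse_hostapd(text):
    """hostapd.conf is flat key=value, one per line."""
    lines = (l.strip() for l in text.splitlines())
    return dict(l.split("=", 1) for l in lines if l and not l.startswith("#") and "=" in l)

def check_peering(clients_text, hostapd_text, hostapd_ip, min_secret_len=16):
    """Return a list of problems; an empty list means both sides agree.
    min_secret_len is an assumed local policy, not a FreeRADIUS requirement."""
    problems = []
    ap = parse_hostapd(hostapd_text)
    # hostapd must be a known client under the address it sends from
    entry = next((c for c in parse_clients(clients_text).values()
                  if c.get("ipaddr") == hostapd_ip), None)
    if entry is None:
        problems.append(f"no client block for hostapd address {hostapd_ip}")
    elif entry.get("secret") != ap.get("auth_server_shared_secret"):
        problems.append("shared secret differs between clients.conf and hostapd.conf")
    if ap.get("auth_server_port", "1812") != "1812":
        problems.append("auth_server_port is not 1812, the port used by radtest above")
    for key, want in (("wpa_key_mgmt", "WPA-EAP"), ("ieee8021x", "1"), ("eap_server", "0")):
        if ap.get(key) != want:
            problems.append(f"{key} should be {want} for external RADIUS, got {ap.get(key)!r}")
    if len(ap.get("auth_server_shared_secret", "")) < min_secret_len:
        problems.append(f"shared secret shorter than {min_secret_len} characters")
    return problems
```

Run against the sample values the only finding is the short secret, which is the one thing in these notes worth changing before exposing the AP.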
Configure DHCP:
# dhcpd instead of dnsmasq because of a conflict with LXD
# add to /etc/dhcpd.conf
...
default-lease-time 600;
max-lease-time 7200;
authoritative;
log-facility local7;
subnet 192.168.200.0 netmask 255.255.255.0 {
range 192.168.200.10 192.168.200.50;
option routers 192.168.200.1;
option broadcast-address 192.168.200.255;
option domain-name-servers 8.8.8.8, 8.8.4.4;   # one option line; a second domain-name-servers line would override the first
}
...
sudo systemctl start dhcpd4
# alternative if you are not using LXD:
# add to /etc/dnsmasq.conf
...
interface=wlp0s20f0u4
except-interface=lxdbr0
dhcp-range=192.168.200.10,192.168.200.50,12h
...
sudo systemctl restart dnsmasq
Enable ip_forwarding and kernel tuning:
# Arch no longer uses /etc/sysctl.conf
sudo su
cat > /etc/sysctl.d/99-sysctl.conf <<EOF
net.ipv4.ip_forward=1
net.ipv4.tcp_rmem = 4096 1048576 2097152
net.ipv4.tcp_wmem = 4096 65536 16777216
net.ipv4.udp_rmem_min = 8192
net.ipv4.udp_wmem_min = 8192
net.ipv4.tcp_fastopen = 3
net.ipv4.tcp_max_syn_backlog = 8192
net.ipv4.tcp_max_tw_buckets = 2000000
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_fin_timeout = 10
net.ipv4.tcp_slow_start_after_idle = 0
net.core.netdev_max_backlog = 16384
net.core.somaxconn = 8192
net.core.rmem_default = 1048576
net.core.rmem_max = 16777216
net.core.wmem_default = 1048576
net.core.wmem_max = 16777216
net.core.optmem_max = 65536
EOF
sudo sysctl -p /etc/sysctl.d/99-sysctl.conf
Have NetworkManager ignore the interface:
sudo su
cat > /etc/NetworkManager/conf.d/unmanaged.conf <<EOF
[keyfile]
unmanaged-devices=interface-name:wlp0s20f0u4
EOF
Firewall and NAT rules:
WAN=wlp4s0
LAN=wlp0s20f0u4
sudo iptables -t nat -A POSTROUTING -o $WAN -j MASQUERADE
# sudo iptables -A FORWARD -i $WAN -o $LAN -m state --state RELATED,ESTABLISHED -j ACCEPT
# sudo iptables -A FORWARD -i $LAN -o $WAN -j ACCEPT