This article was written long ago, but I never had a chance to actually try it out, and I probably won't in the future either. Since it is written anyway, I am publishing it; refer to it if you find it useful... Note: please refer to the latest notes instead!
To set up ocserv on a server, first install the build dependencies (the package names below are for the Debian/Ubuntu releases current when this was written; check your distribution for the current names):

```bash
apt-get install build-essential libwrap0-dev libpam0g-dev libdbus-1-dev \
    libreadline-dev libnl-route-3-dev libprotobuf-c0-dev libpcl1-dev libopts25-dev \
    autogen libgnutls28 libgnutls28-dev libseccomp-dev libhttp-parser-dev
```
Download ocserv

Visit ftp://ftp.infradead.org/pub/ocserv to find the latest release and download it; as of this writing the latest version is 0.10.4. The release tarballs are published with detached signatures, so verify the download before building. Use the explicit file and directory names rather than `ocserv*`, since the glob would match both the tarball and the extracted directory:

```bash
wget -c ftp://ftp.infradead.org/pub/ocserv/ocserv-0.10.4.tar.xz
tar xvf ocserv-0.10.4.tar.xz
cd ocserv-0.10.4
```
Compile and install

```bash
./configure        # default prefix is /usr/local, so the binary lands in /usr/local/sbin/ocserv
make
make install
mkdir -p /etc/ocserv   # the config directory does not exist yet
cp doc/sample.config /etc/ocserv/ocserv.conf
cp doc/profile.xml /etc/ocserv/profile.xml
```
Create a user

```bash
# create the account "logcg"; you are asked to type the password twice (blind) to confirm it
ocpasswd -c /etc/ocserv/ocpasswd logcg
```

Users created this way are stored in /etc/ocserv/ocpasswd (as salted password hashes, never in clear text).
Create certificates

Generate the CA certificate

```bash
apt-get install gnutls-bin
```

```bash
certtool --generate-privkey --outfile ca-key.pem
cat <<_EOF_> ca.tmpl
cn = "logcg CA"
organization = "logcg Corp"
serial = 1
expiration_days = 999
ca
signing_key
cert_signing_key
crl_signing_key
_EOF_
certtool --generate-self-signed --load-privkey ca-key.pem --template ca.tmpl --outfile ca-cert.pem
```
Generate the server certificate

The `cn` must be the name clients will connect to, otherwise they cannot validate the certificate against the CA:

```bash
certtool --generate-privkey --outfile server-key.pem
cat <<_EOF_> server.tmpl
cn = "www.logcg.com"
organization = "logcg"
serial = 2
expiration_days = 999
signing_key
encryption_key
tls_www_server
_EOF_
certtool --generate-certificate --load-privkey server-key.pem --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem --template server.tmpl --outfile server-cert.pem
```
Generate the client certificate

Note that with the password authentication configured below (`auth = "plain[...]"`) this client certificate is never checked; it only comes into play if you switch ocserv to certificate authentication (`auth = "certificate"`, with `ca-cert` pointing at ca-cert.pem).

```bash
certtool --generate-privkey --outfile user-key.pem
cat <<_EOF_>user.tmpl
cn = "logcg"
unit = "admins"
serial = 1824
expiration_days = 999
signing_key
tls_www_client
_EOF_
certtool --generate-certificate --load-privkey user-key.pem --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem --template user.tmpl --outfile user-cert.pem
```
Install the certificates

```bash
cp ca-cert.pem /etc/ssl/certs
cp ca-key.pem /etc/ssl/private
cp server-cert.pem /etc/ssl/certs
cp server-key.pem /etc/ssl/private
```

ocserv itself only needs the server certificate and key at runtime; the CA private key is only needed to sign new certificates, so it is safer to keep it off the VPN server altogether. Whatever ends up in /etc/ssl/private must stay readable by root only.
Edit the configuration

```bash
vim /etc/ocserv/ocserv.conf
```

The main changes are as follows:

```
auth = "plain[/etc/ocserv/ocpasswd]"
# ocserv supports several authentication methods; this is the built-in password
# authentication, using the password file created with ocpasswd.
# ocserv also supports certificate authentication, and through Pluggable
# Authentication Modules (PAM) it can use RADIUS and other back ends.

# maximum number of simultaneous sessions for the same user
max-same-clients = 10

# certificate paths
server-cert = /etc/ssl/certs/server-cert.pem
server-key = /etc/ssl/private/server-key.pem

# group to run as
run-as-group = nogroup

# address range assigned to VPN clients
ipv4-network = 10.10.0.0

# DNS
dns = 8.8.8.8
dns = 8.8.4.4

# leave the route lines commented out so that all traffic is sent through the VPN
#route = 192.168.1.0/255.255.255.0
#route = 192.168.5.0/255.255.255.0
```

Also change `user-profile` to `user-profile = /etc/ocserv/profile.xml` and uncomment `cisco-client-compat = true`.
Alternatively, you can refer to this project to add a routing table directly to your configuration file (with routes present, only traffic for the listed networks goes through the VPN; everything else stays on the local connection):

```
#Advanced options

# Option to allow sending arbitrary custom headers to the client after
# authentication and prior to VPN tunnel establishment.
route = 172.68.2.0/255.255.255.0
route = 3.0.0.0/255.0.0.0
route = 4.0.0.0/255.0.0.0
route = 8.0.0.0/255.0.0.0
route = 17.0.0.0/255.0.0.0
route = 198.0.0.0/255.0.0.0
route = 209.0.0.0/255.0.0.0
route = 210.0.0.0/255.0.0.0
route = 216.0.0.0/255.0.0.0
route = 61.0.0.0/255.0.0.0
route = 64.0.0.0/255.0.0.0
route = 66.0.0.0/255.0.0.0
route = 70.0.0.0/255.0.0.0
route = 72.0.0.0/255.0.0.0
route = 74.0.0.0/255.0.0.0
route = 173.0.0.0/255.0.0.0
route = 204.0.0.0/255.0.0.0
route = 69.0.0.0/255.0.0.0
route = 199.0.0.0/255.0.0.0
route = 203.0.0.0/255.0.0.0
route = 31.0.0.0/255.0.0.0
route = 107.0.0.0/255.0.0.0
route = 69.58.0.0/255.255.0.0
route = 46.0.0.0/255.0.0.0
```
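Hand-editing ocserv.conf and pasting a long route list like the one above fails silently: a typo in a route, a world-readable server key or a missing `auth` line only shows up when clients cannot connect. The following script is an added example, not code from ocserv or from the original post. It parses the `key = value` format of ocserv.conf (assumed here to be plain `key = value` lines with `#` comments, which is how the sample above reads, with keys such as `route` and `dns` allowed to repeat), then reports a missing `auth`, missing `server-cert`/`server-key`, a server key readable by group or other, routes that do not parse, and routes already covered by a wider route. The embedded `SAMPLE_CONF` is constructed from the settings shown on this page; it includes the pair `69.0.0.0/255.0.0.0` and `69.58.0.0/255.255.0.0` from the list above, the second of which is redundant, and `demo()` points `server-key` at a temporary file created with mode 0644 so that the permission check fires.

```python
#!/usr/bin/env python3
"""Pre-flight checks for an ocserv.conf before (re)starting the daemon.

Added example, not part of ocserv or the original post. Parses the
key = value format used by ocserv.conf and flags common mistakes.
"""
import ipaddress
import os
import stat
import tempfile

# Constructed sample built from the settings shown in this post. demo()
# fills in {key_path} with a temporary key file so the mode check can run.
SAMPLE_CONF = """\
auth = "plain[/etc/ocserv/ocpasswd]"
max-same-clients = 10
server-cert = /etc/ssl/certs/server-cert.pem
server-key = {key_path}
run-as-group = nogroup
ipv4-network = 10.10.0.0
dns = 8.8.8.8
dns = 8.8.4.4
# leave the route lines commented out to send everything through the VPN
#route = 192.168.1.0/255.255.255.0
route = 172.68.2.0/255.255.255.0
route = 69.0.0.0/255.0.0.0
route = 69.58.0.0/255.255.0.0
cisco-client-compat = true
"""


def parse_ocserv_conf(text):
    """Return {key: [values]}; keys such as route and dns may repeat."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line or "=" not in line:
            continue
        key, val = (part.strip() for part in line.split("=", 1))
        conf.setdefault(key, []).append(val.strip('"'))
    return conf


def normalize_routes(routes):
    """Accept a.b.c.d/255.255.255.0 and a.b.c.d/24; return (networks, unparseable)."""
    nets, bad = [], []
    for r in routes:
        try:
            nets.append(ipaddress.ip_network(r, strict=False))
        except ValueError:
            bad.append(r)
    return nets, bad


def redundant_routes(nets):
    """(narrow, wide) pairs where narrow lies inside a wider route, plus exact duplicates."""
    found = []
    for i, a in enumerate(nets):
        for j, b in enumerate(nets):
            if i == j or a.version != b.version:
                continue
            if a == b and i > j:            # same route listed twice
                found.append((str(a), str(b)))
            elif a != b and a.subnet_of(b):  # already covered by a wider route
                found.append((str(a), str(b)))
    return found


def key_file_problems(path):
    """A private key must exist and must not be readable by group or other."""
    try:
        mode = stat.S_IMODE(os.stat(path).st_mode)
    except FileNotFoundError:
        return [f"{path}: missing"]
    if mode & 0o077:
        return [f"{path}: mode {mode:04o} is readable by group/other; chmod 600"]
    return []


def check_conf(text):
    """Run all checks over a config text and return a list of findings."""
    conf = parse_ocserv_conf(text)
    findings = []
    if "auth" not in conf:
        findings.append("no auth line: nobody can log in")
    for key in ("server-cert", "server-key"):
        if key not in conf:
            findings.append(f"{key} not set")
    for path in conf.get("server-key", []):
        findings.extend(key_file_problems(path))
    nets, bad = normalize_routes(conf.get("route", []))
    findings.extend(f"route {r!r} is not a valid network" for r in bad)
    for narrow, wide in redundant_routes(nets):
        findings.append(f"route {narrow} is already covered by route {wide}")
    return findings


def demo():
    """Check SAMPLE_CONF with a deliberately world-readable (dummy) server key."""
    with tempfile.TemporaryDirectory() as tmp:
        key_path = os.path.join(tmp, "server-key.pem")
        with open(key_path, "w") as fh:
            fh.write("-----BEGIN PRIVATE KEY-----\nDUMMY\n-----END PRIVATE KEY-----\n")
        os.chmod(key_path, 0o644)
        return check_conf(SAMPLE_CONF.format(key_path=key_path))


if __name__ == "__main__":
    for finding in demo():
        print("WARNING:", finding)
```

To check a live server, read /etc/ocserv/ocserv.conf into `check_conf()` as root; the key check then reports the real mode of the file named by `server-key`.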
Change `HostAddress` in /etc/ocserv/profile.xml to the address of your server. Using the hostname that appears as `cn` in the server certificate (www.logcg.com above) rather than a bare IP address lets the client validate the certificate without warnings.
Enable NAT forwarding

If you use ufw to manage iptables, see "Enabling NAT masquerading and port forwarding with ufw" instead; if you prefer the traditional method:
Clamp the MSS to the path MTU automatically

```bash
iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
```
Enable NAT

(Remember to change eth0 to your own interface name; on OpenVZ it is usually venet0. Adding `-s 10.10.0.0/24` restricts the rule to the VPN client range instead of masquerading everything that leaves the interface.)

```bash
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
```
Enable IPv4 forwarding

```bash
sysctl -w net.ipv4.ip_forward=1
```

Note that neither this setting nor the iptables rules above survive a reboot; put `net.ipv4.ip_forward = 1` in /etc/sysctl.conf and persist the firewall rules with your distribution's mechanism.
Allow port 443 (TCP for the TLS control channel, UDP for DTLS)

```bash
iptables -I INPUT -p tcp --dport 443 -j ACCEPT
iptables -I INPUT -p udp --dport 443 -j ACCEPT
```
Create the service script

Create the file "ocserv" in /etc/init.d and write the following into it. The `PIDFILE` must match the `pid-file` setting in ocserv.conf, since ocserv writes the pid file itself:
```sh
#!/bin/sh
### BEGIN INIT INFO
# Provides:          ocserv
# Required-Start:    $remote_fs $syslog
# Required-Stop:     $remote_fs $syslog
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
### END INIT INFO

# Copyright Rene Mayrhofer, Gibraltar, 1999
# This script is distributed under the GPL

PATH=/bin:/usr/bin:/sbin:/usr/sbin
# "make install" with the default prefix puts the binary in /usr/local/sbin;
# use /usr/sbin/ocserv only if you installed a distribution package instead
DAEMON=/usr/local/sbin/ocserv
PIDFILE=/var/run/ocserv.pid
DAEMON_ARGS="-c /etc/ocserv/ocserv.conf"

case "$1" in
start)
    if [ ! -r $PIDFILE ]; then
        echo -n "Starting OpenConnect VPN Server Daemon: "
        start-stop-daemon --start --quiet --pidfile $PIDFILE --exec $DAEMON -- \
            $DAEMON_ARGS > /dev/null
        echo "ocserv."
    else
        echo -n "OpenConnect VPN Server is already running.\n\r"
        exit 0
    fi
    ;;
stop)
    echo -n "Stopping OpenConnect VPN Server Daemon: "
    start-stop-daemon --stop --quiet --pidfile $PIDFILE --exec $DAEMON
    echo "ocserv."
    rm -f $PIDFILE
    ;;
force-reload|restart)
    echo "Restarting OpenConnect VPN Server: "
    $0 stop
    sleep 1
    $0 start
    ;;
status)
    if [ ! -r $PIDFILE ]; then
        # no pid file, process doesn't seem to be running correctly
        exit 3
    fi
    PID=`cat $PIDFILE | sed 's/ //g'`
    EXE=/proc/$PID/exe
    if [ -x "$EXE" ] && [ "`ls -l \"$EXE\" | cut -d'>' -f2,2 | cut -d' ' -f2,2`" = \
        "$DAEMON" ]; then
        # ok, process seems to be running
        exit 0
    elif [ -r $PIDFILE ]; then
        # process not running, but pidfile exists
        exit 1
    else
        # no lock file to check for, so simply return the stopped status
        exit 3
    fi
    ;;
*)
    echo "Usage: /etc/init.d/ocserv {start|stop|restart|force-reload|status}"
    exit 1
    ;;
esac

exit 0
```
Register it:

```bash
chmod 755 /etc/init.d/ocserv
update-rc.d ocserv defaults
```

You can then control ocserv with the following commands:

```bash
/etc/init.d/ocserv stop
/etc/init.d/ocserv start
/etc/init.d/ocserv restart
```
Finally

Use the following command to run ocserv temporarily in the foreground with debug output (`-f` keeps it in the foreground, `-d 1` sets the debug level), which is the quickest way to see why a client is rejected:

```bash
ocserv -c /etc/ocserv/ocserv.conf -f -d 1
```
Further reading

[Repost] AnyConnect (ocserv) setup tutorial
Installing and configuring OpenConnect VPN server AnyConnect (ocserv)
Notes on setting up an OpenConnect server on an Ubuntu server

This article was originally written by 落格博客: 落格博客 » 搭建 OpenConnect VPN 服务器 AnyConnect (ocserv)
Please keep the source and original link when reposting: https://www.logcg.com/archives/994.html