This article was written long ago, but I never got a chance to actually try it out, and probably won't get one later either. Since it is written anyway, I'll just post it; take a look for reference if you need it...? Note: please refer to the latest notes instead!
To set up ocserv on the server, first install the build dependencies:

```sh
apt-get install build-essential libwrap0-dev libpam0g-dev libdbus-1-dev \
  libreadline-dev libnl-route-3-dev libprotobuf-c0-dev libpcl1-dev libopts25-dev \
  autogen libgnutls28 libgnutls28-dev libseccomp-dev libhttp-parser-dev
```
Download ocserv

Browse ftp://ftp.infradead.org/pub/ocserv to see which version is current, then download it by version number. As of this writing the latest release is 0.10.4.

```sh
wget -c ftp://ftp.infradead.org/pub/ocserv/ocserv-0.10.4.tar.xz
tar xvf ocserv*
cd ocserv*
```
Compile and install

By default `./configure` installs the binary to /usr/local/sbin/ocserv; pass `--prefix=/usr` if you want it at /usr/sbin/ocserv, which is the path the init script further down assumes. The sample config and AnyConnect profile ship in the source tree's doc/ directory.

```sh
./configure
make
make install
mkdir -p /etc/ocserv          # the cp commands below fail if the directory does not exist yet
cp doc/sample.config /etc/ocserv/ocserv.conf
cp doc/profile.xml /etc/ocserv/profile.xml
```
Create a user

```sh
ocpasswd logcg
# Creates the account "logcg"; you are prompted for the password twice
# (typed blind) to confirm it. The post uses "password" as the example value.
```

The user is stored in /etc/ocserv/ocpasswd (the default file ocpasswd writes to when no `-c` option is given), with the password hashed rather than in the clear. With `auth = plain` this password is the only thing standing between the Internet and your VPN, so pick a strong one rather than the example above.
Create certificates

Generate the CA certificate

```sh
apt-get install gnutls-bin

certtool --generate-privkey --outfile ca-key.pem
cat <<_EOF_> ca.tmpl
cn = "logcg CA"
organization = "logcg Corp"
serial = 1
expiration_days = 999
ca
signing_key
cert_signing_key
crl_signing_key
_EOF_
certtool --generate-self-signed --load-privkey ca-key.pem --template ca.tmpl --outfile ca-cert.pem
```
Generate the server certificate

Clients check the name they connect to against the certificate. certtool templates also accept `dns_name = "..."` (and `ip_address = "..."`) entries, which become subjectAltName values; add one for every name clients will use, because many TLS stacks no longer fall back to the CN.

```sh
certtool --generate-privkey --outfile server-key.pem
cat <<_EOF_> server.tmpl
cn = "www.logcg.com"
organization = "logcg"
serial = 2
expiration_days = 999
signing_key
encryption_key
tls_www_server
_EOF_
certtool --generate-certificate --load-privkey server-key.pem --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem --template server.tmpl --outfile server-cert.pem
```
Generate the client certificate

```sh
certtool --generate-privkey --outfile user-key.pem
cat <<_EOF_>user.tmpl
cn = "logcg"
unit = "admins"
serial = 1824
expiration_days = 999
signing_key
tls_www_client
_EOF_
certtool --generate-certificate --load-privkey user-key.pem --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem --template user.tmpl --outfile user-cert.pem
```
Install the certificates

The server only needs server-cert.pem, server-key.pem and (for client-certificate authentication) ca-cert.pem to run; the CA private key is only used when issuing certificates. If you copy it to the VPN host as below, a compromise of the server also compromises the CA, so consider keeping ca-key.pem offline instead. Either way, private keys must not be world-readable.

```sh
cp ca-cert.pem /etc/ssl/certs
cp ca-key.pem /etc/ssl/private
cp server-cert.pem /etc/ssl/certs
cp server-key.pem /etc/ssl/private
chmod 600 /etc/ssl/private/ca-key.pem /etc/ssl/private/server-key.pem
```
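As an added example (not from the original post or the ocserv project), the script below wraps the certtool steps above so that the server certificate carries subjectAltName entries, every issued certificate is verified to chain to ca-cert.pem before it is installed, and private keys land root-only. It reuses the page's ca-key.pem and ca-cert.pem; the hostnames vpn.example.com and www.example.com, the 365-day lifetime and the `run` entry point are assumptions.

```sh
#!/bin/sh
# Added example: issue ocserv certificates with SAN entries, verify the chain,
# and install keys with tight permissions. Uses the CA files created above
# (ca-key.pem, ca-cert.pem); hostnames, lifetimes and paths are hypothetical.

# server_template CN DAYS SERIAL DNS_NAME... : print a certtool template.
# Clients check the hostname they connect to against subjectAltName, so every
# name clients will use must be listed as dns_name; a CN alone is not enough.
# Serial numbers must be unique per CA: bump them when you reissue.
server_template() {
  cn=$1; days=$2; serial=$3; shift 3
  printf 'cn = "%s"\nserial = %s\nexpiration_days = %s\n' "$cn" "$serial" "$days"
  for name in "$@"; do
    printf 'dns_name = "%s"\n' "$name"
  done
  printf 'signing_key\nencryption_key\ntls_www_server\n'
}

# client_template CN UNIT DAYS SERIAL : template for a client (user) certificate.
client_template() {
  printf 'cn = "%s"\nunit = "%s"\nserial = %s\nexpiration_days = %s\n' "$1" "$2" "$4" "$3"
  printf 'signing_key\ntls_www_client\n'
}

# issue_cert KEY CERT TEMPLATE : create KEY if missing, then sign CERT with the CA.
issue_cert() {
  [ -f "$1" ] || certtool --generate-privkey --outfile "$1"
  certtool --generate-certificate --load-privkey "$1" \
    --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem \
    --template "$3" --outfile "$2"
}

# verify_chain CERT : non-zero exit unless CERT was issued by ca-cert.pem.
verify_chain() {
  certtool --verify --load-ca-certificate ca-cert.pem --infile "$1" >/dev/null
}

# install_key SRC DST : private keys are root-only; a world-readable server key
# lets anyone who gets a shell on the box impersonate the VPN.
install_key() {
  install -o root -g root -m 0600 "$1" "$2"
}

# Usage (as root, in the directory holding ca-key.pem and ca-cert.pem):
#   sh issue.sh run vpn.example.com
if [ "${1:-}" = "run" ]; then
  host=${2:?hostname required}
  server_template "$host" 365 2 "$host" > server.tmpl
  issue_cert server-key.pem server-cert.pem server.tmpl
  verify_chain server-cert.pem
  install_key server-key.pem /etc/ssl/private/server-key.pem
  install -m 0644 server-cert.pem ca-cert.pem /etc/ssl/certs/
  client_template logcg admins 365 1824 > user.tmpl
  issue_cert user-key.pem user-cert.pem user.tmpl
  verify_chain user-cert.pem
fi
```

The templates are generated from arguments so the same script can be rerun with a new serial when a certificate is rotated; `verify_chain` fails loudly if ca-cert.pem and ca-key.pem have drifted apart (for instance after regenerating the CA), which otherwise surfaces only as clients refusing to connect.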
Edit the configuration

```sh
vim /etc/ocserv/ocserv.conf
```

The main changes are:

```
# ocserv supports several authentication methods; this is the built-in
# password authentication, using the file created with ocpasswd.
# ocserv also supports certificate authentication, and through PAM
# (Pluggable Authentication Modules) backends such as RADIUS.
auth = "plain[/etc/ocserv/ocpasswd]"

# Maximum number of simultaneous sessions for the same user
max-same-clients = 10

# Certificate paths
server-cert = /etc/ssl/certs/server-cert.pem
server-key = /etc/ssl/private/server-key.pem

# Group to run as
run-as-group = nogroup

# Address pool handed out to VPN clients (the sample config also has an
# ipv4-netmask line; keep it consistent with this network)
ipv4-network = 10.10.0.0

# DNS servers pushed to clients
dns = 8.8.8.8
dns = 8.8.4.4

# Comment out the route lines so that all client traffic is sent through the VPN
#route = 192.168.1.0/255.255.255.0
#route = 192.168.5.0/255.255.255.0
```

Change `user-profile` to `user-profile = /etc/ocserv/profile.xml`, and uncomment `cisco-client-compat = true`.
Alternatively, you can refer to this project to add a routing table directly to your config file (split tunnelling: only the listed networks go through the VPN):

```
#Advanced options
# Option to allow sending arbitrary custom headers to the client after
# authentication and prior to VPN tunnel establishment.
route = 172.68.2.0/255.255.255.0
route = 3.0.0.0/255.0.0.0
route = 4.0.0.0/255.0.0.0
route = 8.0.0.0/255.0.0.0
route = 17.0.0.0/255.0.0.0
route = 198.0.0.0/255.0.0.0
route = 209.0.0.0/255.0.0.0
route = 210.0.0.0/255.0.0.0
route = 216.0.0.0/255.0.0.0
route = 61.0.0.0/255.0.0.0
route = 64.0.0.0/255.0.0.0
route = 66.0.0.0/255.0.0.0
route = 70.0.0.0/255.0.0.0
route = 72.0.0.0/255.0.0.0
route = 74.0.0.0/255.0.0.0
route = 173.0.0.0/255.0.0.0
route = 204.0.0.0/255.0.0.0
route = 69.0.0.0/255.0.0.0
route = 199.0.0.0/255.0.0.0
route = 203.0.0.0/255.0.0.0
route = 31.0.0.0/255.0.0.0
route = 107.0.0.0/255.0.0.0
route = 69.58.0.0/255.255.0.0
route = 46.0.0.0/255.0.0.0
```
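The list above is in ocserv's `network/netmask` form, which is tedious to write by hand from the CIDR notation most sources use. As an added example (not from the post or the linked project), this POSIX sh helper converts a CIDR list into `route =` lines, refusing malformed addresses and, more usefully, networks with host bits set (a typo like 10.0.1.0/8 would otherwise be pushed to every client). The sample input at the bottom is constructed.

```sh
#!/bin/sh
# Added example: turn a CIDR list into ocserv "route = network/netmask" lines
# (the form used in the list above). Rejects malformed entries and networks
# with host bits set. POSIX sh; the sample list at the bottom is constructed.

# prefix_to_netmask PREFIX : 0..32 -> dotted-quad netmask
prefix_to_netmask() {
  case $1 in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -le 32 ] || return 1
  if [ "$1" -eq 0 ]; then
    m=0
  else
    m=$(( (4294967295 << (32 - $1)) & 4294967295 ))
  fi
  echo "$(( (m >> 24) & 255 )).$(( (m >> 16) & 255 )).$(( (m >> 8) & 255 )).$(( m & 255 ))"
}

# ip_to_int A.B.C.D : dotted quad -> 32-bit integer; fails on anything else
ip_to_int() {
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    case $o in ''|*[!0-9]*) return 1 ;; esac
    [ "$o" -le 255 ] || return 1
  done
  echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

# cidr_to_ocserv_route NET/PREFIX : print "route = NET/MASK" or fail
cidr_to_ocserv_route() {
  case $1 in
    */*) net=${1%/*}; prefix=${1#*/} ;;
    *)   net=$1; prefix=32 ;;          # a bare address is a host route
  esac
  mask=$(prefix_to_netmask "$prefix") || { echo "bad prefix in $1" >&2; return 1; }
  n=$(ip_to_int "$net") || { echo "bad address in $1" >&2; return 1; }
  m=$(ip_to_int "$mask")
  # Host bits set (e.g. 10.0.1.0/8) almost always mean a typo; refuse rather
  # than push a route that does not mean what the author intended.
  if [ $(( n & ~m & 4294967295 )) -ne 0 ]; then
    echo "host bits set in $1" >&2
    return 1
  fi
  echo "route = $net/$mask"
}

# ocserv_routes_from_cidrs : read CIDRs from stdin, one per line; '#' comments
# and blank lines are ignored. Exit status is non-zero if any line was rejected.
ocserv_routes_from_cidrs() {
  status=0
  while IFS= read -r line || [ -n "$line" ]; do
    line=${line%%#*}
    set -- $line
    [ $# -eq 0 ] && continue
    cidr_to_ocserv_route "$1" || status=1
  done
  return $status
}

# Constructed sample input; paste the output into ocserv.conf.
ocserv_routes_from_cidrs <<'EOF'
# split-tunnel targets (example values)
172.68.2.0/24
3.0.0.0/8
69.58.0.0/16
EOF
```

Feed it your real list with `ocserv_routes_from_cidrs < routes.txt >> /etc/ocserv/ocserv.conf` and check the exit status before restarting ocserv; a rejected line prints its reason on stderr and is simply omitted from the output.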
In /etc/ocserv/profile.xml, set the HostAddress to your server's address. Use the name that appears in the server certificate (www.logcg.com above) rather than a bare IP that is not in the certificate; otherwise clients will complain about a certificate name mismatch.
Enable NAT and forwarding

If you use ufw to manage iptables, see "enabling NAT masquerading and port forwarding on ufw" instead; if you prefer the traditional way:
Clamp the MSS to the path MTU automatically

```sh
iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
```

Enable NAT

(Remember to change eth0 to your own interface name; on OpenVZ it is usually venet0.)

```sh
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
```

Enable IPv4 forwarding

`sysctl -w` takes effect immediately but is lost on reboot; add `net.ipv4.ip_forward = 1` to /etc/sysctl.conf as well. The iptables rules above are likewise not persistent; save them with iptables-save or the iptables-persistent package.

```sh
sysctl -w net.ipv4.ip_forward=1
```

Allow port 443

ocserv uses TCP 443 for the TLS control channel and UDP 443 for the DTLS data channel, so both must be open:

```sh
iptables -I INPUT -p tcp --dport 443 -j ACCEPT
iptables -I INPUT -p udp --dport 443 -j ACCEPT
```
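Pulling the four steps above into one idempotent script, as an added example that is not part of the original post: it appends each rule only if it is not already present (so rerunning it does not stack duplicates), detects the egress interface instead of hardcoding eth0, persists the sysctl, and scopes forwarding and NAT to the VPN pool rather than the whole host. It assumes the client pool is 10.10.0.0/24 (the page's `ipv4-network` with a /24 mask) and port 443; `DRY_RUN=1` prints the iptables commands instead of running them.

```sh
#!/bin/sh
# Added example: idempotent NAT/forwarding setup for ocserv. Assumptions
# (hypothetical): client pool 10.10.0.0/24, ocserv on 443/tcp and 443/udp.
# DRY_RUN=1 prints the iptables commands instead of running them.
VPN_NET=${VPN_NET:-10.10.0.0/24}
VPN_PORT=${VPN_PORT:-443}
DRY_RUN=${DRY_RUN:-0}

# ensure_rule TABLE CHAIN RULE... : append the rule only if it is not already
# present (iptables -C), so re-running the script never duplicates rules.
ensure_rule() {
  tbl=$1; shift
  if [ "$DRY_RUN" = 1 ]; then
    echo "iptables -t $tbl -A $*"
    return 0
  fi
  iptables -t "$tbl" -C "$@" 2>/dev/null || iptables -t "$tbl" -A "$@"
}

# default_iface : device of the default route (eth0, venet0 on OpenVZ, ...)
default_iface() {
  ip -4 route show default |
    awk '{ for (i = 1; i <= NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# enable_forwarding : turn on routing now and make it survive a reboot
# (sysctl -w alone is lost at the next boot).
enable_forwarding() {
  sysctl -w net.ipv4.ip_forward=1 >/dev/null
  printf 'net.ipv4.ip_forward = 1\n' > /etc/sysctl.d/60-ocserv-forward.conf
}

# setup_vpn_nat [WAN_IFACE] : MSS clamping, scoped forwarding, NAT, listener rules
setup_vpn_nat() {
  wan=${1:-$(default_iface)}
  [ -n "$wan" ] || { echo "cannot determine egress interface" >&2; return 1; }
  # Clamp MSS on forwarded SYNs so tunnelled TCP does not hit PMTU black holes.
  ensure_rule filter FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
  # Forward only the VPN pool and its return traffic. With ip_forward=1 and
  # an ACCEPT policy the host would otherwise route anything; once these rules
  # are in place you can set the FORWARD policy to DROP to enforce the scope.
  ensure_rule filter FORWARD -s "$VPN_NET" -o "$wan" -j ACCEPT
  ensure_rule filter FORWARD -d "$VPN_NET" -i "$wan" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  # NAT only the pool's traffic, only when it leaves on the WAN interface.
  ensure_rule nat POSTROUTING -s "$VPN_NET" -o "$wan" -j MASQUERADE
  # ocserv: TLS control channel on TCP, DTLS data channel on UDP, same port.
  ensure_rule filter INPUT -p tcp --dport "$VPN_PORT" -j ACCEPT
  ensure_rule filter INPUT -p udp --dport "$VPN_PORT" -j ACCEPT
}

# Usage (as root): sh vpn-nat.sh apply [eth0]
if [ "${1:-}" = "apply" ]; then
  enable_forwarding
  setup_vpn_nat "${2:-}"
fi
```

Run it once with `DRY_RUN=1 sh vpn-nat.sh apply eth0` to review the exact rules before applying; the scoped `-s`/`-d` matches are the difference between "this box forwards VPN clients" and "this box is an open router for anyone who can get a packet into it".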
Create a service management script

Create a file named ocserv in /etc/init.d with the following contents. DAEMON points at /usr/sbin/ocserv; if you built with the default prefix, the binary is at /usr/local/sbin/ocserv, so adjust DAEMON accordingly.

```sh
#!/bin/sh
### BEGIN INIT INFO
# Provides:          ocserv
# Required-Start:    $remote_fs $syslog
# Required-Stop:     $remote_fs $syslog
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
### END INIT INFO
# Copyright Rene Mayrhofer, Gibraltar, 1999
# This script is distributed under the GPL

PATH=/bin:/usr/bin:/sbin:/usr/sbin
DAEMON=/usr/sbin/ocserv        # /usr/local/sbin/ocserv if built with the default prefix
PIDFILE=/var/run/ocserv.pid
DAEMON_ARGS="-c /etc/ocserv/ocserv.conf"

case "$1" in
  start)
    if [ ! -r $PIDFILE ]; then
      echo -n "Starting OpenConnect VPN Server Daemon: "
      start-stop-daemon --start --quiet --pidfile $PIDFILE --exec $DAEMON -- \
        $DAEMON_ARGS > /dev/null
      echo "ocserv."
    else
      echo "OpenConnect VPN Server is already running."
      exit 0
    fi
    ;;
  stop)
    echo -n "Stopping OpenConnect VPN Server Daemon: "
    start-stop-daemon --stop --quiet --pidfile $PIDFILE --exec $DAEMON
    echo "ocserv."
    rm -f $PIDFILE
    ;;
  force-reload|restart)
    echo "Restarting OpenConnect VPN Server: "
    $0 stop
    sleep 1
    $0 start
    ;;
  status)
    if [ ! -r $PIDFILE ]; then
      # no pid file, process doesn't seem to be running correctly
      exit 3
    fi
    PID=`cat $PIDFILE | sed 's/ //g'`
    EXE=/proc/$PID/exe
    # /proc/PID/exe is a symlink to the running binary; compare it with DAEMON
    if [ -x "$EXE" ] && [ "`readlink \"$EXE\"`" = "$DAEMON" ]; then
      # ok, process seems to be running
      exit 0
    elif [ -r $PIDFILE ]; then
      # process not running, but pidfile exists
      exit 1
    else
      # no lock file to check for, so simply return the stopped status
      exit 3
    fi
    ;;
  *)
    echo "Usage: /etc/init.d/ocserv {start|stop|restart|force-reload|status}"
    exit 1
    ;;
esac

exit 0
```
Register it

```sh
chmod 755 /etc/init.d/ocserv
update-rc.d ocserv defaults
```

You can then control ocserv with:

```sh
/etc/init.d/ocserv stop
/etc/init.d/ocserv start
/etc/init.d/ocserv restart
```
Finally

To troubleshoot, run ocserv temporarily in the foreground (`-f`) with debug level 1 (`-d 1`):

```sh
ocserv -c /etc/ocserv/ocserv.conf -f -d 1
```
Further reading

[Repost] AnyConnect (ocserv) setup tutorial
Installing and configuring OpenConnect VPN server AnyConnect (ocserv)
Notes on setting up an OpenConnect server on an Ubuntu server

This article was originally written by 落格博客: 落格博客 » Setting up an OpenConnect VPN server, AnyConnect (ocserv)
When reposting, keep the attribution and the original link: https://www.logcg.com/archives/994.html