This article had written the,But never had a chance to do the experiment too--estimation,Anyway, writing,I will come,Everyone if necessary in conjunction with a look at ... ...?note,Please refer to theLatest notes!
To build on the server ocserv,Should first install dependency
1 2 3 |
apt-get install build-essential libwrap0-dev libpam0g-dev libdbus-1-dev \ libreadline-dev libnl-route-3-dev libprotobuf-c0-dev libpcl1-dev libopts25-dev \ autogen libgnutls28 libgnutls28-dev libseccomp-dev libhttp-parser-dev |
Download ocserv
access ftp://ftp.infradead.org/pub/ocserv To view the latest version,Then according to the versions to download,So far,The latest version number is 0.10.4
1 2 3 |
wget -c ftp://ftp.infradead.org/pub/ocserv/ocserv-0.10.4.tar.xz tar xvf ocserv* cd ocserv* |
Compile and install
1 2 3 4 5 |
./configure make make install cp doc/sample.config /etc/ocserv/ocserv.conf cp doc/profile.xml /etc/ocserv/profile.xml |
Create a user
1 2 3 4 5 |
ocpasswd logcg password password //创建账号为 logcg;密码就是 password,要求盲打两遍来验证 |
Created user will be saved to the "/etc/ocserv/ocpasswd"
Creating a certificate
Generate a CA certificate
1 |
apt-get install gnutls-bin |
1 2 |
certtool --generate-privkey --outfile ca-key.pem cat <<_EOF_> ca.tmpl |
1 2 3 4 5 6 7 8 9 |
cn = "logcg CA" organization = "logcg Corp" serial = 1 expiration_days = 999 ca signing_key cert_signing_key crl_signing_key _EOF_ |
1 |
certtool --generate-self-signed --load-privkey ca-key.pem --template ca.tmpl --outfile ca-cert.pem |
Locally generated server certificate
1 2 |
certtool --generate-privkey --outfile server-key.pem cat <<_EOF_> server.tmpl |
1 2 3 4 5 6 7 8 |
cn = "www.logcg.com" organization = "logcg" serial = 2 expiration_days = 999 signing_key encryption_key tls_www_server _EOF_ |
1 |
certtool --generate-certificate --load-privkey server-key.pem --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem --template server.tmpl --outfile server-cert.pem |
Generate a client certificate
1 2 |
certtool --generate-privkey --outfile user-key.pem cat <<_EOF_>user.tmpl |
1 2 3 4 5 6 7 |
cn = "logcg" unit = "admins" serial = 1824 expiration_days = 999 signing_key tls_www_client _EOF_ |
1 |
certtool --generate-certificate --load-privkey user-key.pem --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem --template user.tmpl --outfile user-cert.pem |
To import a certificate
1 2 3 4 |
cp ca-cert.pem /etc/ssl/certs cp ca-key.pem /etc/ssl/private cp server-cert.pem /etc/ssl/certs cp server-key.pem /etc/ssl/private |
Modify the configuration
1 |
vim /etc/ocserv/ocserv.conf |
Main changes are as follows
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 |
auth = "plain[/etc/ocserv/ocpasswd]" #ocserv支持多种认证方式,这是自带的密码认证,使用ocpasswd创建密码文件 #ocserv还支持证书认证,可以通过Pluggable Authentication Modules (PAM)使用radius等认证方式 #同一个用户最多同时登陆数 max-same-clients = 10 #证书路径 server-cert = /etc/ssl/certs/server-cert.pem server-key = /etc/ssl/private/server-key.pem #运行组 run-as-group = nogroup #分配给VPN客户端的IP段 ipv4-network = 10.10.0.0 #DNS dns = 8.8.8.8 dns = 8.8.4.4 #注释掉route的字段,这样表示所有流量都通过 VPN 发送 #route = 192.168.1.0/255.255.255.0 #route = 192.168.5.0/255.255.255.0 user-profile改为user-profile = /etc/ocserv/profile.xml 并且去掉cisco-client-compat = true的注释。 |
Other,You can refer tothis projectDirectly to your profile to add routing table:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 |
#Advanced options # Option to allow sending arbitrary custom headers to the client after # authentication and prior to VPN tunnel establishment. route = 172.68.2.0/255.255.255.0 route = 3.0.0.0/255.0.0.0 route = 4.0.0.0/255.0.0.0 route = 8.0.0.0/255.0.0.0 route = 17.0.0.0/255.0.0.0 route = 198.0.0.0/255.0.0.0 route = 209.0.0.0/255.0.0.0 route = 210.0.0.0/255.0.0.0 route = 216.0.0.0/255.0.0.0 route = 61.0.0.0/255.0.0.0 route = 64.0.0.0/255.0.0.0 route = 66.0.0.0/255.0.0.0 route = 70.0.0.0/255.0.0.0 route = 72.0.0.0/255.0.0.0 route = 74.0.0.0/255.0.0.0 route = 173.0.0.0/255.0.0.0 route = 204.0.0.0/255.0.0.0 route = 69.0.0.0/255.0.0.0 route = 199.0.0.0/255.0.0.0 route = 203.0.0.0/255.0.0.0 route = 31.0.0.0/255.0.0.0 route = 107.0.0.0/255.0.0.0 route = 69.58.0.0/255.255.0.0 route = 46.0.0.0/255.0.0.0 |
modify"/etc/ocserv/profile.xml""HostAddress"The IP address for your server。
Opening NAT forwarding address
If you use the UFW to control iptables,Can moveOpen nat masquerading and port forwarding on ufw,If you prefer the traditional method of configuration,Then:
Automatically adjust the MTU
1 |
iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu |
Open NAT
(Remember your network card eth0,OpenVZ is the venet0 )
1 |
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE |
Turn on IPv4 forwarding
1 |
sysctl -w net.ipv4.ip_forward=1 |
Admit 443 port
1 2 |
iptables -I INPUT -p tcp --dport 443 -j ACCEPT; iptables -I INPUT -p udp --dport 443 -j ACCEPT; |
Create a service file
"/etc/init.d"Create file"ocserv”,Then write
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 |
#!/bin/sh ### BEGIN INIT INFO # Provides: ocserv # Required-Start: $remote_fs $syslog # Required-Stop: $remote_fs $syslog # Default-Start: 2 3 4 5 # Default-Stop: 0 1 6 ### END INIT INFO # Copyright Rene Mayrhofer, Gibraltar, 1999 # This script is distibuted under the GPL PATH=/bin:/usr/bin:/sbin:/usr/sbin DAEMON=/usr/sbin/ocserv PIDFILE=/var/run/ocserv.pid DAEMON_ARGS="-c /etc/ocserv/ocserv.conf" case "$1" in start) if [ ! -r $PIDFILE ]; then echo -n "Starting OpenConnect VPN Server Daemon: " start-stop-daemon --start --quiet --pidfile $PIDFILE --exec $DAEMON -- \ $DAEMON_ARGS > /dev/null echo "ocserv." else echo -n "OpenConnect VPN Server is already running.\n\r" exit 0 fi ;; stop) echo -n "Stopping OpenConnect VPN Server Daemon: " start-stop-daemon --stop --quiet --pidfile $PIDFILE --exec $DAEMON echo "ocserv." rm -f $PIDFILE ;; force-reload|restart) echo "Restarting OpenConnect VPN Server: " $0 stop sleep 1 $0 start ;; status) if [ ! -r $PIDFILE ]; then # no pid file, process doesn't seem to be running correctly exit 3 fi PID=`cat $PIDFILE | sed 's/ //g'` EXE=/proc/$PID/exe if [ -x "$EXE" ] && [ "`ls -l \"$EXE\" | cut -d'>' -f2,2 | cut -d' ' -f2,2`" = \ "$DAEMON" ]; then # ok, process seems to be running exit 0 elif [ -r $PIDFILE ]; then # process not running, but pidfile exists exit 1 else # no lock file to check for, so simply return the stopped status exit 3 fi ;; *) echo "Usage: /etc/init.d/ocserv {start|stop|restart|force-reload|status}" exit 1 ;; esac exit 0 |
Registration
1 2 |
chmod 755 /etc/init.d/ocserv update-rc.d ocserv defaults |
Such,You can use the following commands to control ocserv Got it:
1 2 3 |
/etc/init.d/ocserv stop /etc/init.d/ocserv start /etc/init.d/ocserv restart |
At last
Use the following command to temporarily enable debug mode
1 |
ocserv -c /etc/ocserv/ocserv.conf -f -d 1 |
Further reading
[Reprint]AnyConnect ( ocserv ) Build tutorials
Installation configuration OpenConnect VPN server AnyConnect (ocserv)
Notes on building OpenConnect server on Ubuntu Server
Original article written by LogStudio:R0uter's Blog » Build OpenConnect VPN server AnyConnect (ocserv)
Reproduced Please keep the source and description link:https://www.logcg.com/archives/994.html