Introduction
Server: ocserv (OpenConnect VPN Server), an open-source VPN server that provides end-to-end encrypted connections
Client: AnyConnect, with clients for Windows, macOS, iOS, Android and other systems
System environment setup
System environment: CentOS 7
Configure the firewall and SELinux
iptables -F
iptables -X
systemctl disable firewalld
systemctl stop firewalld
sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config
Disabling firewalld is what lets the hand-written iptables rules below take effect (disable alone only affects the next boot, hence the stop). The SELinux change applies after a reboot (setenforce 0 changes the running system) and removes a layer of host protection, so it is a convenience for this walkthrough rather than a requirement.
Install dependencies
yum -y install wget gcc nettle* gnutls* readline* libev* autogen protobuf*
Download, build and install
cd /home/
mkdir centos && cd centos/
wget ftp://ftp.infradead.org/pub/ocserv/ocserv-0.12.4.tar.xz
xz -d ocserv-0.12.4.tar.xz
tar -vxf ocserv-0.12.4.tar
cd ocserv-0.12.4
./configure --prefix=/usr/local/ocserv && make && make install
mkdir -p /usr/local/ocserv/etc/certificates
cd /usr/local/ocserv/etc && cp /home/centos/ocserv-0.12.4/doc/sample.passwd ./
cd /usr/local/ocserv/etc && cp /home/centos/ocserv-0.12.4/doc/sample.config ./
SSL certificate
Create your own or use an existing SSL certificate (search for how to create one if needed); the certificate must be issued for the hostname clients will connect to.
cp www.example.com.crt www.example.com.key /usr/local/ocserv/etc/certificates/
chmod 600 /usr/local/ocserv/etc/certificates/www.example.com.key
The file names must match the server-cert and server-key paths in the configuration below.
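The certificate step above only says to create or reuse a certificate. The following added example, which is not part of the original guide, generates a private CA and a server certificate with GnuTLS certtool, which the gnutls packages installed above provide. The hostname www.example.com, the organisation name and the output directory are assumptions and should be replaced; AnyConnect clients will need to trust ca-cert.pem unless a certificate from a public CA is used instead.

```shell
#!/bin/sh
# Added example, not from the original page: self-signed CA plus a server certificate
# for ocserv, generated with GnuTLS certtool (provided by the gnutls* packages above).
# VPN_HOST, the organization name and CERT_DIR are assumptions; change them.
set -eu

CERT_DIR="${CERT_DIR:-/usr/local/ocserv/etc/certificates}"
VPN_HOST="${VPN_HOST:-www.example.com}"   # must be the name clients connect to

# write_ca_template OUT: write a certtool template for a private CA; prints OUT.
write_ca_template() {
  out="$1"
  cat > "$out" <<EOF
cn = "Example Org VPN CA"
organization = "Example Org"
serial = 1
expiration_days = 3650
ca
signing_key
cert_signing_key
crl_signing_key
EOF
  echo "$out"
}

# write_server_template OUT HOST: template for the VPN server certificate.
# CN and SAN both carry HOST so that the client's hostname check passes.
write_server_template() {
  out="$1"; host="$2"
  cat > "$out" <<EOF
cn = "$host"
dns_name = "$host"
organization = "Example Org"
serial = 2
expiration_days = 825
signing_key
encryption_key
tls_www_server
EOF
  echo "$out"
}

# gen_certs DIR HOST: create DIR/ca-cert.pem, DIR/HOST.crt and DIR/HOST.key.
# Private keys are created with mode 0600 (umask 077) and never leave DIR.
gen_certs() {
  dir="$1"; host="$2"
  mkdir -p "$dir"
  umask 077
  write_ca_template "$dir/ca.tmpl" >/dev/null
  write_server_template "$dir/server.tmpl" "$host" >/dev/null

  certtool --generate-privkey --outfile "$dir/ca-key.pem"
  certtool --generate-self-signed --load-privkey "$dir/ca-key.pem" \
           --template "$dir/ca.tmpl" --outfile "$dir/ca-cert.pem"

  certtool --generate-privkey --outfile "$dir/$host.key"
  certtool --generate-certificate --load-privkey "$dir/$host.key" \
           --load-ca-certificate "$dir/ca-cert.pem" --load-ca-privkey "$dir/ca-key.pem" \
           --template "$dir/server.tmpl" --outfile "$dir/$host.crt"

  # Print subject and SAN so the operator can confirm they match the VPN hostname.
  certtool --certificate-info --infile "$dir/$host.crt" | grep -E 'Subject:|DNSname'
}

# Usage: CERT_DIR=/usr/local/ocserv/etc/certificates VPN_HOST=vpn.example.com sh gen-certs.sh run
if [ "${1:-}" = "run" ]; then
  gen_certs "$CERT_DIR" "$VPN_HOST"
fi
```

After running it, point server-cert and server-key in the configuration at DIR/HOST.crt and DIR/HOST.key; keep ca-key.pem off the VPN server once the certificate is issued, since it is only needed to sign further certificates.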
Configuration file
vi /usr/local/ocserv/etc/sample.config
auth = "plain[passwd=/usr/local/ocserv/etc/sample.passwd]" # authentication method and password file path
tcp-port = 443 # listening port
udp-port = 443
run-as-user = nobody # unprivileged user the worker processes drop to; ocserv is started as root and does not need run-as-user = root
run-as-group = daemon
socket-file = /var/run/ocserv-socket
server-cert = /usr/local/ocserv/etc/certificates/www.example.com.crt
server-key = /usr/local/ocserv/etc/certificates/www.example.com.key
isolate-workers = false # true sandboxes workers with seccomp, which requires libseccomp-devel at configure time
max-clients = 100 # maximum concurrent clients
max-same-clients = 2 # maximum concurrent sessions per account
keepalive = 32400
dpd = 90 # dead peer detection interval in seconds
mobile-dpd = 1800 # DPD interval for mobile clients
switch-to-tcp-timeout = 25
try-mtu-discovery = false
cert-user-oid = 0.9.2342.19200300.100.1.1
tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-VERS-SSL3.0" # append :-VERS-TLS1.0:-VERS-TLS1.1 once all clients support TLS 1.2
auth-timeout = 240
min-reauth-time = 300
max-ban-score = 50
ban-reset-time = 300
cookie-timeout = 300
deny-roaming = false
rekey-time = 172800
rekey-method = ssl
use-occtl = true # allow management with occtl
pid-file = /var/run/ocserv.pid
device = vpns # name of the tunnel device
predictable-ips = true
ipv4-network = 10.205.1.0 # address pool handed to tunnel clients
ipv4-netmask = 255.255.255.0
ping-leases = false
route = 192.168.0.0/255.255.252.0 # route pushed to clients; give the network address, not a host address (192.168.1.2/255.255.252.0 lies in 192.168.0.0/22)
cisco-client-compat = true
dtls-legacy = true
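Before starting ocserv with this file, it is worth checking the handful of settings that affect the server's attack surface. The following added example, which is not part of the original guide, reads an ocserv configuration file and flags run-as-user = root, isolate-workers other than true, a tls-priorities string that still permits TLS 1.0, and max-same-clients = 0. The option names are ocserv's; which values count as weak is my own judgement.

```shell
#!/bin/sh
# Added example, not from the original page: a pre-deployment check of an ocserv
# config file for the settings in this guide that weaken the server. The option
# names are ocserv's; which values count as weak is my own judgement.

# get_opt FILE KEY: print the value of the first "KEY = value" line, with the
# trailing "# comment" and surrounding double quotes removed; prints nothing if unset.
get_opt() {
  sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
    | sed 's/[[:space:]]*#.*$//; s/[[:space:]]*$//; s/^"//; s/"$//' \
    | head -n 1
}

# audit_ocserv_config FILE: print one WARN line per weak setting.
# Returns 1 if anything was flagged, 0 otherwise.
audit_ocserv_config() {
  cfg="$1"; n=0

  u=$(get_opt "$cfg" run-as-user)
  if [ -z "$u" ] || [ "$u" = "root" ]; then
    echo "WARN: run-as-user is '${u:-unset}'; workers should drop to an unprivileged user (e.g. nobody)"
    n=$((n + 1))
  fi

  if [ "$(get_opt "$cfg" isolate-workers)" != "true" ]; then
    echo "WARN: isolate-workers is not true; worker processes are not seccomp-sandboxed"
    n=$((n + 1))
  fi

  tp=$(get_opt "$cfg" tls-priorities)
  case "$tp" in
    *-VERS-TLS1.0*) ;;   # TLS 1.0 explicitly removed from the priority string
    *) echo "WARN: tls-priorities does not disable TLS 1.0: '$tp'"; n=$((n + 1)) ;;
  esac

  if [ "$(get_opt "$cfg" max-same-clients)" = "0" ]; then
    echo "WARN: max-same-clients = 0 allows unlimited sessions per account (credential sharing, resource exhaustion)"
    n=$((n + 1))
  fi

  [ "$n" -eq 0 ]
}

# Usage: sh audit-ocserv.sh /usr/local/ocserv/etc/sample.config
if [ -n "${1:-}" ]; then
  audit_ocserv_config "$1"
fi
```

It exits non-zero when something is flagged, so it can be used as a gate in a deployment script; extend get_opt-based checks in the same way for any other option you want to pin.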
Start the service
/usr/local/ocserv/sbin/ocserv -f -c /usr/local/ocserv/etc/sample.config -d 1
-f keeps ocserv in the foreground and -d 1 enables debug output, which is convenient for a first run; drop both once the configuration is known to work.
Firewall configuration
iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A FORWARD -s 10.205.1.0/24 -j ACCEPT
iptables -I INPUT -p tcp --dport 443 -j ACCEPT
iptables -I INPUT -p udp --dport 443 -j ACCEPT
echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
sysctl -p
eth0 is the interface carrying the server's public address and 10.205.1.0/24 is the ipv4-network pool from the configuration; adjust both if yours differ. sysctl -p applies IP forwarding immediately instead of at the next boot. The iptables rules themselves are lost on reboot; to keep them, install iptables-services (yum -y install iptables-services; systemctl enable iptables) and save them with iptables-save > /etc/sysconfig/iptables.
Create an account:
/usr/local/ocserv/bin/ocpasswd -c /usr/local/ocserv/etc/sample.passwd userA
ocpasswd prompts for the password and stores a salted hash in the file given with -c, which must be the same file named in the auth line of the configuration.