Compiling and installing ocserv

Introduction

Server: ocserv (OpenConnect VPN Server), an open-source VPN server that provides secure end-to-end connections over TLS/DTLS.

Client: Cisco AnyConnect (Windows, macOS, iOS, Android, etc.), or the open-source OpenConnect client, which speaks the same protocol.

 

System setup

OS: CentOS 7

Configure the firewall and SELinux

iptables -F

iptables -X

systemctl stop firewalld

systemctl disable firewalld

sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config

setenforce 0

The edit to /etc/selinux/config only takes effect at the next reboot; setenforce 0 switches the running system to permissive right away. Disabling firewalld and SELinux outright is a shortcut: flushing iptables leaves the host with accept-all policies until the rules in the firewall section below are added, and permissive mode (reading /var/log/audit/audit.log to see what would have been denied) is a less drastic option than SELINUX=disabled.

 

Install build dependencies

yum -y install wget gcc nettle* gnutls* readline* libev* autogen protobuf*

The wildcards pull in the -devel packages ocserv's configure script looks for (nettle, GnuTLS, readline, libev). Add libseccomp-devel if you intend to set isolate-workers = true later, and pam-devel for PAM authentication: configure detects these at build time and otherwise builds without the feature.

 

Download, compile and install

cd /home/

mkdir centos && cd centos/

wget ftp://ftp.infradead.org/pub/ocserv/ocserv-0.12.4.tar.xz

tar -xJf ocserv-0.12.4.tar.xz

cd ocserv-0.12.4

./configure --prefix=/usr/local/ocserv && make && make install

With this prefix the daemon is installed as /usr/local/ocserv/sbin/ocserv and the helpers ocpasswd and occtl under /usr/local/ocserv/bin/. Read the configure summary before running make: features whose libraries were not found (for example seccomp worker isolation) are left out of the build.

Create the certificate directory and copy the sample password and config files shipped in doc/ as a starting point:

mkdir -p /usr/local/ocserv/etc/certificates

cp /home/centos/ocserv-0.12.4/doc/sample.passwd /usr/local/ocserv/etc/

cp /home/centos/ocserv-0.12.4/doc/sample.config /usr/local/ocserv/etc/

 

TLS certificate

Create a self-signed certificate or use an existing one (the post leaves the creation steps to a web search). Copy the certificate and key into the certificate directory. The file names used here must be the ones server-cert and server-key point to in the config below, and the key should be readable by root only:

cp www.example.com.crt www.example.com.key /usr/local/ocserv/etc/certificates/

chmod 600 /usr/local/ocserv/etc/certificates/www.example.com.key
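Generating the certificate the post leaves to a web search, as an added example that is not part of the original post: a private CA and a server certificate issued by it, made with GnuTLS certtool (provided by the gnutls* packages installed above). The hostname vpn.example.com, the output directory, the validity periods and the file names are assumptions; server-cert.pem and server-key.pem are what server-cert and server-key in the config must point to, and clients need to trust ca-cert.pem unless you replace it with a certificate from a public CA.

```shell
#!/bin/sh
# Added example (not from the original post): private CA + server certificate
# with GnuTLS certtool. Names, paths and lifetimes below are assumptions.

# gen_ocserv_certs OUTDIR [HOSTNAME]
gen_ocserv_certs() {
    outdir=$1
    host=${2:-vpn.example.com}
    mkdir -p "$outdir"

    # CA key and self-signed CA certificate (10 years, restricted to signing).
    certtool --generate-privkey --outfile "$outdir/ca-key.pem" >/dev/null 2>&1
    cat > "$outdir/ca.tmpl" <<EOF
cn = "Example VPN CA"
ca
cert_signing_key
expiration_days = 3650
EOF
    certtool --generate-self-signed --load-privkey "$outdir/ca-key.pem" \
        --template "$outdir/ca.tmpl" --outfile "$outdir/ca-cert.pem" >/dev/null 2>&1

    # Server key and a CA-signed server certificate with the hostname as SAN,
    # which is what AnyConnect/OpenConnect clients check against the address they dial.
    certtool --generate-privkey --outfile "$outdir/server-key.pem" >/dev/null 2>&1
    cat > "$outdir/server.tmpl" <<EOF
cn = "$host"
dns_name = "$host"
tls_www_server
signing_key
encryption_key
expiration_days = 365
EOF
    certtool --generate-certificate --load-privkey "$outdir/server-key.pem" \
        --load-ca-certificate "$outdir/ca-cert.pem" --load-ca-privkey "$outdir/ca-key.pem" \
        --template "$outdir/server.tmpl" --outfile "$outdir/server-cert.pem" >/dev/null 2>&1

    # Private keys are readable by root only.
    chmod 600 "$outdir"/*-key.pem
}

# verify_ocserv_cert OUTDIR HOSTNAME: the check to run before pointing ocserv at the
# files. Succeeds only if the SAN carries the hostname and the cert chains to the CA.
verify_ocserv_cert() {
    outdir=$1
    host=$2
    certtool --certificate-info --infile "$outdir/server-cert.pem" | grep -q "DNSname: $host" || return 1
    certtool --verify --load-ca-certificate "$outdir/ca-cert.pem" \
        --infile "$outdir/server-cert.pem" >/dev/null 2>&1
}
```

Usage: `gen_ocserv_certs /usr/local/ocserv/etc/certificates vpn.example.com && verify_ocserv_cert /usr/local/ocserv/etc/certificates vpn.example.com`, then set server-cert and server-key to the server-cert.pem and server-key.pem files it wrote. Splitting the CA key from the server key means the CA key can be kept off the VPN host and a compromised server key can be replaced without re-trusting every client.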

 

Configuration file

vi /usr/local/ocserv/etc/sample.config

The explanatory comments below are on their own lines (as in ocserv's own sample.config); the directive values are what matters.

# authentication method and the path to the password file (no space after passwd=)
auth = "plain[passwd=/usr/local/ocserv/etc/sample.passwd]"

# listening ports
tcp-port = 443
udp-port = 443

# user and group the worker processes run as. The post uses root; ocserv's own
# sample.config uses nobody/daemon so that a compromised worker does not hold root.
run-as-user = root
run-as-group = root

socket-file = /var/run/ocserv-socket

# must match the file names copied into etc/certificates (the post copies
# www.example.com.crt/.key above but references office.crt/.key here; pick one)
server-cert = /usr/local/ocserv/etc/certificates/office.crt
server-key = /usr/local/ocserv/etc/certificates/office.key

# seccomp isolation of worker processes; requires ocserv built against libseccomp. The post turns it off.
isolate-workers = false

# total connected clients, and concurrent sessions allowed per user
max-clients = 100
max-same-clients = 2

keepalive = 32400
dpd = 90
mobile-dpd = 1800
switch-to-tcp-timeout = 25
try-mtu-discovery = false

cert-user-oid = 0.9.2342.19200300.100.1.1

# GnuTLS priority string; %COMPAT enables workarounds for legacy clients
tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-VERS-SSL3.0"

auth-timeout = 240
min-reauth-time = 300
max-ban-score = 50
ban-reset-time = 300
cookie-timeout = 300
deny-roaming = false
rekey-time = 172800
rekey-method = ssl

# allow management with occtl
use-occtl = true

pid-file = /var/run/ocserv.pid

# name of the tunnel device
device = vpns
predictable-ips = true

# address pool handed out to clients
ipv4-network = 10.205.1.0
ipv4-netmask = 255.255.255.0
ping-leases = false

# routes pushed to clients: the networks that should go through the tunnel.
# Give the network address: the post wrote 192.168.1.2/255.255.252.0, and
# 192.168.1.2 is a host inside the 192.168.0.0/22 network.
route = 192.168.0.0/255.255.252.0

cisco-client-compat = true
dtls-legacy = true
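The settings above that a reviewer would flag are run-as-user = root, isolate-workers = false and the %COMPAT flag in tls-priorities. As an added example (not code from the original post), the script below reads an ocserv config and reports those three, and writes a hardened variant of the post's configuration. The sample input is the post's own configuration reconstructed inline; the hardened values (nobody/daemon as in ocserv's sample.config, TLS 1.2 only, an ocpasswd file name) are my choices and assume ocserv was built with libseccomp so that isolate-workers works.

```shell
#!/bin/sh
# Added example (not from the original post): audit an ocserv config for three
# weak settings and write a hardened variant.

# cfg_get FILE KEY: print the value of "KEY = value" from FILE. Full-line
# comments and blank lines are ignored; surrounding whitespace is stripped.
cfg_get() {
    awk -v k="$2" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        index($0, "=") == 0 { next }
        {
            key = substr($0, 1, index($0, "=") - 1)
            val = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == k) { print val; exit }
        }' "$1"
}

# audit_ocserv_config FILE: one finding per line, nothing when the file is clean.
audit_ocserv_config() {
    f=$1
    [ "$(cfg_get "$f" run-as-user)" = root ] &&
        echo "run-as-user = root: workers keep root; use an unprivileged user"
    [ "$(cfg_get "$f" isolate-workers)" = false ] &&
        echo "isolate-workers = false: seccomp sandboxing of workers is off"
    case "$(cfg_get "$f" tls-priorities)" in
        *%COMPAT*) echo "tls-priorities contains %COMPAT: legacy TLS workarounds enabled" ;;
    esac
    return 0
}

# The post's configuration (the directives the audit looks at), reconstructed
# inline as sample input.
write_post_config() {
    cat > "$1" <<'EOF'
auth = "plain[passwd=/usr/local/ocserv/etc/sample.passwd]"
tcp-port = 443
udp-port = 443
run-as-user = root
run-as-group = root
isolate-workers = false
tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-VERS-SSL3.0"
ipv4-network = 10.205.1.0
ipv4-netmask = 255.255.255.0
EOF
}

# Hardened variant of the same directives: unprivileged workers, seccomp on,
# TLS 1.2 only. Merge the remaining directives from the post's file.
write_hardened_config() {
    cat > "$1" <<'EOF'
auth = "plain[passwd=/usr/local/ocserv/etc/ocpasswd]"
tcp-port = 443
udp-port = 443
# workers drop to nobody/daemon (ocserv's sample default); keep the key file root-owned, mode 0600
run-as-user = nobody
run-as-group = daemon
# seccomp filter on worker processes; needs ocserv built against libseccomp
isolate-workers = true
# no %COMPAT and no TLS 1.0/1.1; confirm your oldest AnyConnect build still connects
tls-priorities = "NORMAL:%SERVER_PRECEDENCE:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1"
ipv4-network = 10.205.1.0
ipv4-netmask = 255.255.255.0
EOF
}
```

Run `audit_ocserv_config /usr/local/ocserv/etc/sample.config` after editing the file; for the post's values it prints three findings, for the hardened file none. The audit deliberately reads the file rather than the running daemon, so it can sit in a deployment check before ocserv is restarted.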

Start the service

/usr/local/ocserv/sbin/ocserv -f -c /usr/local/ocserv/etc/sample.config -d 1

-f keeps ocserv in the foreground and -d 1 enables debug logging, which is what you want for the first run: problems with the certificate, the password file or the tun device are printed to the terminal. Once it starts cleanly, drop -f and -d to run it as a daemon, and check it with /usr/local/ocserv/bin/occtl show status.

 

 

Firewall configuration

eth0 is the interface through which VPN clients reach the outside (or the 192.168.0.0/22 network); check with ip route and substitute the real interface name.

iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

iptables -t nat -A POSTROUTING -s 10.205.1.0/24 -o eth0 -j MASQUERADE

iptables -A FORWARD -s 10.205.1.0/24 -j ACCEPT

iptables -I INPUT -p tcp --dport 443 -j ACCEPT

iptables -I INPUT -p udp --dport 443 -j ACCEPT

echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf

sysctl -p

The MASQUERADE rule is limited to the VPN pool with -s 10.205.1.0/24; without it, everything forwarded out of eth0 is NATed. sysctl -p applies the forwarding setting immediately, whereas the echo alone only takes effect after a reboot. These iptables rules exist only in the running kernel: unless they are saved (on CentOS 7, the iptables-services package and /etc/sysconfig/iptables), they are gone after the next reboot.
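Neither the foreground start above nor these iptables rules survive a reboot. As an added example (not part of the original post), one way to make both persistent on CentOS 7: a systemd unit for ocserv, and an iptables-restore ruleset written to /etc/sysconfig/iptables for the iptables service from the iptables-services package. Assumptions: ocserv under /usr/local/ocserv with the config still named sample.config, the pool 10.205.1.0/24 and interface eth0 from the post, and SSH on port 22. The ruleset sets the INPUT and FORWARD policies to DROP, unlike the post's accept-all state, so pass the real SSH port or you will lock yourself out. install_persistence applies the files and needs root; the generators can be run on their own.

```shell
#!/bin/sh
# Added example (not from the original post): persist the ocserv service and the
# firewall rules across reboots on CentOS 7.

# write_ocserv_unit PATH: systemd unit. Paths follow --prefix=/usr/local/ocserv;
# the config file name is assumed.
write_ocserv_unit() {
    cat > "$1" <<'EOF'
[Unit]
Description=OpenConnect SSL VPN server (ocserv)
After=network-online.target
Wants=network-online.target

[Service]
Type=simple
PIDFile=/var/run/ocserv.pid
ExecStart=/usr/local/ocserv/sbin/ocserv --foreground --pid-file /var/run/ocserv.pid --config /usr/local/ocserv/etc/sample.config
ExecReload=/bin/kill -HUP $MAINPID
Restart=on-failure
PrivateTmp=true

[Install]
WantedBy=multi-user.target
EOF
}

# gen_vpn_iptables POOL EGRESS_IF SSH_PORT: iptables-restore ruleset on stdout.
# Compared with the ad-hoc rules above: default-deny INPUT/FORWARD, conntrack for
# return traffic, and MASQUERADE limited to the VPN pool.
gen_vpn_iptables() {
    pool=$1; egress=$2; sshport=$3
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s $pool -o $egress -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp --dport $sshport -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -p udp --dport 443 -j ACCEPT
-A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -s $pool -o $egress -j ACCEPT
COMMIT
EOF
}

# install_persistence: apply both files and enable the services (run as root).
install_persistence() {
    yum -y install iptables-services
    gen_vpn_iptables 10.205.1.0/24 eth0 22 > /etc/sysconfig/iptables
    write_ocserv_unit /etc/systemd/system/ocserv.service
    # ip_forward in sysctl.d so it is applied at boot and now
    echo "net.ipv4.ip_forward = 1" > /etc/sysctl.d/90-ocserv.conf
    sysctl --system
    systemctl daemon-reload
    systemctl enable iptables ocserv
    systemctl start iptables ocserv
}
```

The ruleset puts the MSS clamp first in FORWARD, as the post's -I did, so it sees every forwarded SYN before the accept rules. Load it once by hand with `iptables-restore < /etc/sysconfig/iptables` from a console session (not over SSH) the first time, so a wrong SSH port is recoverable.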

 

Create an account:

/usr/local/ocserv/bin/ocpasswd -c /usr/local/ocserv/etc/sample.passwd userA

ocpasswd prompts for the password and stores its hash in the file; the file name must match the passwd= path in the auth line. Check the copied sample.passwd for any example entries and delete them, so that only accounts you created can log in.
