Reference sites:
Tinkering notes: setting up an OpenConnect Server for a smoother network life on the iPhone - 比特客栈的文艺复兴
Setting up ocserv on Ubuntu
Building a Cisco AnyConnect server with ocserv | 落格博客
Setup OpenConnect VPN Server for Cisco AnyConnect on Ubuntu 14.04 x64 – Vultr.com
1. Install ocserv
# apt-get install ocserv
2. Install the package needed to create the certificates
# apt install gnutls-bin
3. Create a working directory and change into it
# mkdir certificates
# cd certificates
4. Create the CA key
# certtool --generate-privkey --outfile ca-key.pem
Generating a 3072 bit RSA private key…
Create ca.tmpl
# cat ca.tmpl
cn = "VPN CA"
organization = "Home"
serial = 1
expiration_days = 3650
ca
signing_key
cert_signing_key
crl_signing_key
# certtool --generate-self-signed --load-privkey ca-key.pem --template ca.tmpl --outfile ca-cert.pem
Copy ca-cert.pem to the /etc/ocserv directory
# cp ca-cert.pem /etc/ocserv
5. Create the server certificate for this host
# certtool --generate-privkey --outfile server-key.pem
Generating a 3072 bit RSA private key…
Create server.tmpl
# cat server.tmpl
cn = "nas.test.com"
organization = "Home"
serial = 2
expiration_days = 3650
encryption_key
signing_key
tls_www_server
# certtool --generate-certificate --load-privkey server-key.pem --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem --template server.tmpl --outfile server-cert.pem
Copy server-cert.pem and server-key.pem to /etc/ocserv
# cp server-cert.pem server-key.pem /etc/ocserv
6. Generate client certificates (no username or password is needed when connecting)
# cat gen-client-cert.sh
#!/bin/bash
# Usage: gen-client-cert.sh <username> <directory containing ca-cert.pem and ca-key.pem>
set -e
USER=$1
CA_DIR=$2
SERIAL=$(date +%s)   # unique serial number for each client certificate
# Generate the client's private key
certtool --generate-privkey --outfile "$USER-key.pem"
# Certificate template: the CN is the username (ocserv maps it via cert-user-oid = 2.5.4.3)
cat << _EOF_ >user.tmpl
cn = "$USER"
unit = "users"
serial = "$SERIAL"
expiration_days = 3650
signing_key
tls_www_client
_EOF_
# Sign the client certificate with the CA
certtool --generate-certificate --load-privkey "$USER-key.pem" --load-ca-certificate "$CA_DIR/ca-cert.pem" --load-ca-privkey "$CA_DIR/ca-key.pem" --template user.tmpl --outfile "$USER-cert.pem"
# Bundle key, certificate and CA certificate into a PKCS#12 file for import on the client
openssl pkcs12 -export -inkey "$USER-key.pem" -in "$USER-cert.pem" -name "$USER VPN Client Cert" -certfile "$CA_DIR/ca-cert.pem" -out "$USER.p12"
Change the file permissions
# chmod 700 gen-client-cert.sh
Create a directory to hold the user's certificate
# mkdir home
# change into it
# cd home
# home is the user name; .. is the directory containing the CA certificate
# ../gen-client-cert.sh home ..
You can just press Enter here to skip, so no export password is set
Signing certificate…
Enter Export Password:
Verifying - Enter Export Password:
Afterwards, copy home.p12 to the user, who imports it into the client
7. Edit the /etc/ocserv/ocserv.conf configuration file
# cp /etc/ocserv/ocserv.conf /etc/ocserv/ocserv.conf.$(date +%F)
Disable PAM authentication
# sed -i 's|^auth = "pam|#auth = "pam|' /etc/ocserv/ocserv.conf
Use certificate authentication
# sed -i 's/#auth = "certificate"/auth = "certificate"/' /etc/ocserv/ocserv.conf
Set the maximum number of simultaneous logins for the same user
# sed -i 's/max-same-clients = 2/max-same-clients = 10/' /etc/ocserv/ocserv.conf
Set the certificate file locations
# sed -i 's|server-cert = /etc/ssl/certs/ssl-cert-snakeoil.pem|server-cert = /etc/ocserv/server-cert.pem|' /etc/ocserv/ocserv.conf
# sed -i 's|server-key = /etc/ssl/private/ssl-cert-snakeoil.key|server-key = /etc/ocserv/server-key.pem|' /etc/ocserv/ocserv.conf
# sed -i 's|ca-cert = /etc/ssl/certs/ssl-cert-snakeoil.pem|ca-cert = /etc/ocserv/ca-cert.pem|' /etc/ocserv/ocserv.conf
How the username is extracted from the certificate; here the CN field (OID 2.5.4.3) of the certificate is used as the username
# sed -i 's/cert-user-oid = 0.9.2342.19200300.100.1.1/cert-user-oid = 2.5.4.3/' /etc/ocserv/ocserv.conf
IP range assigned to VPN clients
# sed -i 's/ipv4-network = 192.168.1.0/ipv4-network = 10.12.0.0/' /etc/ocserv/ocserv.conf
Set the DNS server
# sed -i 's/dns = 192.168.1.2/dns = 8.8.8.8/' /etc/ocserv/ocserv.conf
Comment out the route lines so that the ocserv server becomes the clients' gateway
# sed -i 's/^route = 10.10.10.0/# route = 10.10.10.0/' /etc/ocserv/ocserv.conf
# sed -i 's/^route = 192.168.0.0/# route = 192.168.0.0/' /etc/ocserv/ocserv.conf
Improve VPN network performance
# sed -i 's/^\(try-mtu-discovery = \).*$/\1true/' /etc/ocserv/ocserv.conf
Alternatively, the same edits as a single sed script file
# cat sed-script
s|^auth = "pam|#auth = "pam|
s/#auth = "certificate"/auth = "certificate"/
s/max-same-clients = 2/max-same-clients = 10/
s|server-cert = /etc/ssl/certs/ssl-cert-snakeoil.pem|server-cert = /etc/ocserv/server-cert.pem|
s|server-key = /etc/ssl/private/ssl-cert-snakeoil.key|server-key = /etc/ocserv/server-key.pem|
s|ca-cert = /etc/ssl/certs/ssl-cert-snakeoil.pem|ca-cert = /etc/ocserv/ca-cert.pem|
s/cert-user-oid = 0.9.2342.19200300.100.1.1/cert-user-oid = 2.5.4.3/
s/ipv4-network = 192.168.1.0/ipv4-network = 10.12.0.0/
s/dns = 192.168.1.2/dns = 8.8.8.8/
s/^route = 10.10.10.0/# route = 10.10.10.0/
s/^route = 192.168.0.0/# route = 192.168.0.0/
s/^\(try-mtu-discovery = \).*$/\1true/
# sed -i -f sed-script /etc/ocserv/ocserv.conf
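As an added check (example code, not part of the original post), the following POSIX shell script runs the sed-script shown above, with the backslash escapes sed needs for the try-mtu-discovery line, over a constructed excerpt of a stock ocserv.conf, and then verifies the security-relevant outcome before the service is restarted: PAM is off, certificate auth is the only active method, the CA and server certificate point at /etc/ocserv, the username is taken from the CN, and no split-tunnel routes remain. The $WORK directory and the config excerpt are constructed for the example.

```shell
# Added example, not from the original post: apply the post's sed-script (with
# the escapes sed needs) to a constructed excerpt of a stock ocserv.conf and
# verify the security-relevant result before restarting ocserv.
WORK="${TMPDIR:-/tmp}/ocserv-check.$$"; mkdir -p "$WORK"
write_inputs() {  # constructed inputs: stock-style config excerpt and the sed script
  cat > "$WORK/ocserv.conf" <<'EOF'
auth = "pam[gid-min=1000]"
#auth = "certificate"
server-cert = /etc/ssl/certs/ssl-cert-snakeoil.pem
server-key = /etc/ssl/private/ssl-cert-snakeoil.key
ca-cert = /etc/ssl/certs/ssl-cert-snakeoil.pem
cert-user-oid = 0.9.2342.19200300.100.1.1
route = 10.10.10.0/255.255.255.0
route = 192.168.0.0/255.255.0.0
try-mtu-discovery = false
EOF
  cat > "$WORK/sed-script" <<'EOF'
s|^auth = "pam|#auth = "pam|
s/#auth = "certificate"/auth = "certificate"/
s/max-same-clients = 2/max-same-clients = 10/
s|server-cert = /etc/ssl/certs/ssl-cert-snakeoil.pem|server-cert = /etc/ocserv/server-cert.pem|
s|server-key = /etc/ssl/private/ssl-cert-snakeoil.key|server-key = /etc/ocserv/server-key.pem|
s|ca-cert = /etc/ssl/certs/ssl-cert-snakeoil.pem|ca-cert = /etc/ocserv/ca-cert.pem|
s/cert-user-oid = 0.9.2342.19200300.100.1.1/cert-user-oid = 2.5.4.3/
s/ipv4-network = 192.168.1.0/ipv4-network = 10.12.0.0/
s/dns = 192.168.1.2/dns = 8.8.8.8/
s/^route = 10.10.10.0/# route = 10.10.10.0/
s/^route = 192.168.0.0/# route = 192.168.0.0/
s/^\(try-mtu-discovery = \).*$/\1true/
EOF
}
# Returns 0 only when the config enforces certificate-only auth with our CA as
# trust anchor and CN-based user mapping; anything else returns 1.
check_conf() {
  c="$1"
  grep -q '^auth = "certificate"$' "$c"                      || return 1
  [ "$(grep -c '^auth = ' "$c")" -eq 1 ]                     || return 1  # no second (pam) method active
  grep -q '^cert-user-oid = 2.5.4.3$' "$c"                   || return 1  # username taken from CN
  grep -q '^ca-cert = /etc/ocserv/ca-cert.pem$' "$c"         || return 1  # our CA, not snakeoil
  grep -q '^server-cert = /etc/ocserv/server-cert.pem$' "$c" || return 1
  ! grep -q '^route = ' "$c"                                 || return 1  # all routes commented out
  grep -q '^try-mtu-discovery = true$' "$c"                  || return 1
}
apply_and_check() {  # apply to a copy (no -i), then check the result
  write_inputs
  sed -f "$WORK/sed-script" "$WORK/ocserv.conf" > "$WORK/ocserv.conf.new" || return 1
  check_conf "$WORK/ocserv.conf.new"
}
apply_and_check && echo "ocserv.conf: certificate-only auth verified"
```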
8. Enable IP forwarding
# sed -i 's/#net.ipv4.ip_forward=1/net.ipv4.ip_forward=1/' /etc/sysctl.conf
# sysctl -p /etc/sysctl.conf
9. Set the firewall rules
# iptables -t nat -A POSTROUTING -s 10.12.0.0/24 -o eth0 -j MASQUERADE
# iptables -A FORWARD -i vpns+ -j ACCEPT
# iptables -A FORWARD -o vpns+ -j ACCEPT
10. Save the firewall rules
# iptables-save > /etc/sysconfig/iptables
11. Enable start at boot
# systemctl enable ocserv
Synchronizing state of ocserv.service with SysV init with /lib/systemd/systemd-sysv-install…
Executing /lib/systemd/systemd-sysv-install enable ocserv
12. Start the OpenConnect server
# systemctl start ocserv
# systemctl status ocserv