软件下载
服务端:wget ftp://ftp.infradead.org/pub/ocserv/ocserv-0.11.8.tar.xz
客户端:ftp://ftp.infradead.org/pub/openconnect/openconnect-7.08.tar.gz
http://frodo.sca.com/downloads/VPN-Clients/anyconnect-win-4.4.03034-core-vpn-predeploy-k9.msi
安装依赖组件
[root@WEB1 ~]# yum install libnl3-devel libseccomp-devel lz4-devel tcp_wrappers-devel \
autogen-libopts-devel libev-devel nettle-devel gnutls-devel
创建程序目录
| 执行命令 | 目录说明 |
|---|---|
| groupadd ocserv | OCSERV程序安装目录:/usr/local/ocserv<br>OCSERV配置文件目录:/usr/local/ocserv/etc<br>OCSERV密钥证书目录:/usr/local/ocserv/keys<br>OCSERV运行文件目录:/data/ocserv/run |
编译安装
[root@WEB1 ~]# yum -y install protobuf-c-devel
[root@WEB1 ~]# tar Jxvf ocserv-0.11.8.tar.xz
[root@WEB1 ~]# cd ocserv-0.11.8 && mkdir bld && cd bld
[root@WEB1 bld]# ../configure --prefix=/usr/local/ocserv --without-radius
[root@WEB1 bld]# make && make check && make install
[root@WEB1 bld]# cp ../doc/sample.config /usr/local/ocserv/etc/ocserv.conf
[root@WEB1 bld]# cp ../doc/systemd/standalone/ocserv.service /etc/systemd/system/
编译检查:make check时出错“fatal error: protobuf-c/protobuf-c.h: No such file or directory”
解决方法:yum -y install protobuf-c-devel
证书配置
[root@WEB1 ~]# yum -y install gnutls-utils
[root@WEB1 ~]# cd /usr/local/ocserv/keys/
[root@WEB1 keys]# vim ca.tmpl
# --- root CA certificate template (certtool) ---
cn = "desenpast.com"
organization = "desenpast.com"
serial = 1
expiration_days = 3650
# The four flags below mark this certificate as a CA that may sign
# certificates and CRLs; the server and client certificates further down
# are issued with --load-ca-certificate / --load-ca-privkey from this pair.
ca
signing_key
cert_signing_key
crl_signing_key
#---生成CA密钥---
[root@WEB1 keys]# certtool --generate-privkey --outfile ca-key.pem
#---生成CA证书---
[root@WEB1 keys]# certtool --generate-self-signed --load-privkey ca-key.pem --template ca.tmpl --outfile ca-cert.pem
[root@WEB1 keys]# vim server.tmpl
# --- server certificate template (certtool) ---
# NOTE(review): cn should match the host name clients connect to (the client
# commands below use web2 / www2); otherwise the client only trusts the
# certificate when its fingerprint is pinned with --servercert, as the
# str-openconnect script below does.
cn = "desenpast.com"
organization = "desenpast.com"
expiration_days = 3650
signing_key
encryption_key
# server-authentication usage; this is the certificate referenced by
# server-cert / server-key in ocserv.conf
tls_www_server
#---生成Server密钥---
[root@WEB1 keys]# certtool --generate-privkey --outfile server-key.pem
#---生成Server证书---
[root@WEB1 keys]# certtool --generate-certificate --load-privkey server-key.pem \
--load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem \
--template server.tmpl --outfile server-cert.pem
[root@WEB1 keys]# vim user.tmpl
#---客户端证书配置文件--- cn = "desenpast.com" unit = "desen" expiration_days = 365 signing_key tls_www_client |
#---生成Client密钥---
[root@WEB1 keys]# certtool --generate-privkey --outfile user-key.pem
#---生成Client证书---
[root@WEB1 keys]# certtool --generate-certificate --load-privkey user-key.pem \
--load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem \
--template user.tmpl --outfile user-cert.pem
#---将Client密钥和证书转换为PKCS12---
[root@WEB1 keys]# certtool --to-p12 --load-privkey user-key.pem --pkcs-cipher 3des-pkcs12 \
--load-certificate user-cert.pem --outfile user.p12 --outder
权限及变量
#---更改环境变量---
[root@WEB1 ~]# vim /etc/profile
# Appended to /etc/profile: put the ocserv binaries on PATH and expose the
# install prefix as OCSERV_HOME (used below as $OCSERV_HOME/etc/ocserv.conf).
export PATH=$PATH:/usr/local/ocserv/bin:/usr/local/ocserv/sbin
export OCSERV_HOME=/usr/local/ocserv
#---配置OpenConnect Server服务端---
[root@WEB1 ~]# vim $OCSERV_HOME/etc/ocserv.conf
# Password database; it is created below with
# `ocpasswd -c /usr/local/ocserv/etc/ocpasswd desen`, and the chown/chmod
# steps below restrict /usr/local/ocserv to root:ocserv.
auth = "plain[passwd=/usr/local/ocserv/etc/ocpasswd]"
tcp-port = 1194
# worker processes drop to this unprivileged account (group created above)
run-as-user = ocserv
run-as-group = ocserv
# NOTE(review): /data/sock is not among the directories listed in the
# directory table above — make sure it exists and is writable by ocserv.
socket-file = /data/sock/ocserv-socket
# key pair and CA produced in the 证书配置 section
server-cert = /usr/local/ocserv/keys/server-cert.pem
server-key = /usr/local/ocserv/keys/server-key.pem
ca-cert = /usr/local/ocserv/keys/ca-cert.pem
# presumably relies on the seccomp support built in via libseccomp-devel above
isolate-workers = true
max-clients = 10
max-same-clients = 2
server-stats-reset-time = 604800
keepalive = 32400
dpd = 90
mobile-dpd = 1800
switch-to-tcp-timeout = 25
try-mtu-discovery = true
compression = true
# GnuTLS priority string: SSLv3 and ARCFOUR-128 are explicitly disabled and
# static-RSA key exchange is removed; %COMPAT keeps older clients working.
tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-RSA:-VERS-SSL3.0:-ARCFOUR-128"
auth-timeout = 240
min-reauth-time = 300
# banning of clients that accumulate failed attempts
max-ban-score = 80
ban-reset-time = 1200
cookie-timeout = 300
deny-roaming = false
rekey-time = 172800
rekey-method = ssl
use-occtl = true
pid-file = /data/ocserv/run/ocserv.pid
device = vpns
predictable-ips = true
default-domain = desenpast.com
ipv4-network = 10.8.0.0
ipv4-netmask = 255.255.255.0
dns = 100.100.2.138
dns = 100.100.2.136
ping-leases = false
mtu = 1492
# Split tunnel: only the prefixes listed with `route` are sent through the
# VPN; `no-route` excludes prefixes from it.
#Twitter
route = 104.244.40.0/21
#FaceBook
route = 31.13.0.0/16
route = 157.240.0.0/16
#Akamai
route = 23.72.0.0/13
route = 125.56.128.0/17
#Amazon
route = 52.48.0.0/14
#Youtube
route = 74.125.0.0/16
route = 173.194.0.0/16
#Google
route = 172.217.0.0/16
route = 203.208.0.0/16
route = 216.58.0.0/16
route = 216.239.0.0/16
#Korea Telecom
route = 59.0.0.0/11
# look up which network an IP belongs to at https://www.speedguide.net/ip/
no-route = 192.168.0.0/255.255.0.0
no-route = 106.14.115.8/255.255.255.255
cisco-client-compat = true
dtls-legacy = true
#---创建OpenConnect登陆帐号---
[root@WEB1 ~]# ocpasswd -c /usr/local/ocserv/etc/ocpasswd desen
#---设置应用目录及数据目录权限---
[root@WEB1 ~]# chown -R root:ocserv /usr/local/ocserv
[root@WEB1 ~]# chmod -R o-rx /usr/local/ocserv
[root@WEB1 ~]# chmod -R g+r /usr/local/ocserv
[root@WEB1 ~]# chown -R ocserv:ocserv /data/ocserv
设置开机启动
OpenConnect
vpnc-script自行下载:http://git.infradead.org/users/dwmw2/vpnc-scripts.git
[root@WEB1 ~]# mkdir /usr/local/openconnect
[root@WEB1 ~]# tar zxvf openconnect-7.08.tar.gz
[root@WEB1 ~]# cd openconnect-7.08 && mkdir bld && cd bld
[root@WEB1 bld]# ../configure --prefix=/usr/local/openconnect/ \
--with-vpnc-script=/usr/local/openconnect/vpnc-script \
--with-openssl --without-openssl-version-check
[root@WEB1 bld]# make && make install
[root@WEB1 ~]# chown 0:0 /usr/local/openconnect/vpnc-script
[root@WEB1 ~]# chmod -R o-rx /usr/local/openconnect
[root@WEB1 ~]# chmod u+x /usr/local/openconnect/vpnc-script
[root@WEB1 ~]# export PATH=$PATH:/usr/local/openconnect/sbin
[root@WEB1 ~]# iptables -A INPUT -s web2 -p tcp --sport 1194 -j ACCEPT
[root@WEB1 ~]# iptables -A OUTPUT -d web2 -p tcp --dport 1194 -j ACCEPT
[root@WEB1 ~]# service iptables save
#---后台日志方式连接服务器---
[root@WEB1 ~]# openconnect -b -l -u desen web2:1194
#---非交互式连接,开机自动加载---
[root@WEB1 ~]# vim /usr/local/ocserv/sbin/str-openconnect
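#!/bin/sh
# str-openconnect: start the OpenConnect client non-interactively (invoked
# from /etc/rc.local at boot, see below).
#
# The password is read from a separate root-only file instead of being
# written into this script: a hard-coded PASS= is visible to anyone who can
# read the script, and `echo $PASS | ...` also leaks it through shell tracing.
# Errors are no longer discarded with 2>/dev/null, so a failed start-up is
# visible in the boot log.
set -u

PIDFILE=/data/sock/ocvpn.pid
DAEMON=/usr/local/openconnect/sbin/openconnect
# SHA1 fingerprint of the gateway's server certificate (obtained with
# `certtool -i --infile server-cert.pem | grep -A1 SHA1`, see 问题汇总);
# --servercert pins it, so a gateway presenting any other certificate is rejected.
CRESHA1=c76b03b51a324eef083b58bec0ea54febc16bf80
# VPN_USER rather than USER, so the login shell's USER variable is not overridden
VPN_USER=webvpn
# PLACEHOLDER: file containing only the password for $VPN_USER; create it
# owned by root with mode 0600 before enabling this script.
PASSFILE=/usr/local/ocserv/etc/ocvpn.pass

if [ ! -r "$PASSFILE" ]; then
  printf 'str-openconnect: cannot read password file %s\n' "$PASSFILE" >&2
  exit 1
fi

# --passwd-on-stdin reads the password from stdin, here the password file.
"$DAEMON" -b -l --pid-file="$PIDFILE" --no-dtls --reconnect-timeout 1200 \
  www2:1194 -u "$VPN_USER" --servercert="$CRESHA1" --passwd-on-stdin <"$PASSFILE"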
[root@WEB1 ~]# chmod u+x /usr/local/ocserv/sbin/str-openconnect
[root@WEB1 ~]# echo "/usr/local/ocserv/sbin/str-openconnect" >>/etc/rc.local
问题汇总
- 如何获得servercert的SHA1值?
解答:certtool -i --infile server-cert.pem | grep -A1 SHA1
- Windows客户端认证后无法连接,提示“AnyConnect was not able to establish a connection to the specified secure gateway.”
解答:关闭本地网卡的Internet连接共享设置或Internet Connection Sharing (ICS)服务,以管理员身份执行sc stop sharedaccess或net stop sharedaccess
- openconnect连接中提示“'vpnc-script' returned error 126.”
解答:vpnc-script脚本没有执行权限,执行chmod u+x来赋予执行权限
- 连接后默认DNS服务器为VPN线路配置的DNS服务器.
解答:搭建自定义DNS服务器,添加解析记录.