
While setting this up I consulted a lot of other people's write-ups, but the build kept hitting problems of one kind or another (system environment and the age of those articles, probably), so I am writing up a separate record here.
Why Cisco AnyConnect VPN?
It is currently the best xx solution on iOS:
- once activated it applies system-wide
- it reconnects automatically and does not drop even after the screen is locked and unlocked
- route configuration can be imported
Let's get started.
First install all the dependency packages (the full yum package list is given further down, under the ocserv build step):
Install Nettle:
Install unbound:
After installing, running the tool fails because a shared library cannot be found: unbound-anchor: error while loading shared libraries: libunbound.so.2: cannot open shared object file: No such file or directory
This happens because the loader does not search /usr/local/lib by default. To fix it once and for all, add the directory to the loader configuration and rebuild the cache:
- echo '/usr/local/lib' > /etc/ld.so.conf.d/local-libraries.conf && ldconfig
On this system nettle and hogweed end up in /usr/local/lib64 (the certtool errors further down show that), so list /usr/local/lib64 in the same file as well, one directory per line, and run ldconfig again; that makes the symlink workarounds below unnecessary. Only list directories that root alone can write to: anything writable by other users on the loader path lets them plant a library that every program, ocserv included, will load.
Generate the DNSSEC root trust anchor that unbound validates against:
- unbound-anchor -a "/etc/unbound/root.key"
Install gnutls:
At this point you hit the error Libnettle 2.7 was not found. It is still a path problem: pkg-config could not find the corresponding .pc file while resolving dependencies, so tell it where the file is:
- export PKG_CONFIG_PATH=/usr/local/lib64/pkgconfig/
Then continue the build:
Install LibNL:
If nettle and gnutls were installed under /usr/local, set the following variables before running ./configure. You may also want them in the system startup, but note that only LD_LIBRARY_PATH matters at run time, and it becomes unnecessary once /usr/local/lib and /usr/local/lib64 are listed in /etc/ld.so.conf.d as above; the *_CFLAGS and *_LIBS variables are read only by configure.
- export LD_LIBRARY_PATH=/usr/local/lib/:/usr/local/lib64/ NETTLE_CFLAGS="-I/usr/local/include/" NETTLE_LIBS="-L/usr/local/lib64/ -lnettle" HOGWEED_CFLAGS="-I/usr/local/include" HOGWEED_LIBS="-L/usr/local/lib64/ -lhogweed"
- export LD_LIBRARY_PATH=/usr/local/lib/:/usr/local/lib64/ LIBGNUTLS_CFLAGS="-I/usr/local/include/" LIBGNUTLS_LIBS="-L/usr/local/lib/ -lgnutls" LIBNL3_CFLAGS="-I/usr/local/include" LIBNL3_LIBS="-L/usr/local/lib/ -lnl-3 -lnl-route-3"
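The "cannot open shared object file" errors on this page all come down to the loader's search order, and the ld.so.conf.d entry above is also the place where a careless directory becomes a library-hijack path. The following Python script is an added example, not code from the original post: it models ld.so's directory order (LD_LIBRARY_PATH, then /etc/ld.so.conf.d/*.conf, then the built-in defaults; the real loader also consults ld.so.cache, which is what ldconfig rebuilds and which this model leaves out), reproduces the libnettle.so.4 failure in a temporary directory tree, applies the fix, and flags any directory on the path that users other than its owner can write to. All paths and file names in it are constructed for the demo.

```python
import os
import stat
import tempfile

# Built-in fallback directories of glibc's loader, consulted after
# LD_LIBRARY_PATH and the ld.so.conf.d entries.
DEFAULT_DIRS = ["/lib64", "/usr/lib64", "/lib", "/usr/lib"]


def search_path(ld_library_path, conf_dir, defaults=DEFAULT_DIRS):
    """Ordered list of directories the loader would consult."""
    dirs = [d for d in ld_library_path.split(":") if d]
    if os.path.isdir(conf_dir):
        for name in sorted(os.listdir(conf_dir)):
            if not name.endswith(".conf"):
                continue
            with open(os.path.join(conf_dir, name)) as fh:
                for line in fh:
                    line = line.split("#", 1)[0].strip()  # drop comments
                    if line:
                        dirs.append(line)
    return dirs + list(defaults)


def resolve(soname, dirs):
    """Path of the first copy of soname in search order, or None
    (None is the 'cannot open shared object file' case)."""
    for d in dirs:
        candidate = os.path.join(d, soname)
        if os.path.isfile(candidate):
            return candidate
    return None


def writable_by_others(dirs):
    """Directories on the path that group or world can write to. A library
    planted in one of them loads before the real one in any later directory.
    Missing directories are ignored."""
    flagged = []
    for d in dirs:
        try:
            mode = os.stat(d).st_mode
        except FileNotFoundError:
            continue
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            flagged.append(d)
    return flagged


def demo():
    """Reproduce 'libnettle.so.4: cannot open shared object file' in a temp
    tree, apply the ld.so.conf.d fix, then run the hijack check."""
    root = tempfile.mkdtemp()
    defaults = [os.path.join(root, d.lstrip("/")) for d in DEFAULT_DIRS]
    lib64 = os.path.join(root, "usr/local/lib64")   # where nettle landed
    conf_dir = os.path.join(root, "etc/ld.so.conf.d")
    os.makedirs(lib64, 0o755)
    os.makedirs(conf_dir, 0o755)
    open(os.path.join(lib64, "libnettle.so.4"), "w").close()  # stand-in for the real library

    before = resolve("libnettle.so.4", search_path("", conf_dir, defaults))

    # The fix from the post, pointed at lib64 because that is where nettle
    # and hogweed were installed (/usr/local/lib alone would not help).
    with open(os.path.join(conf_dir, "local-libraries.conf"), "w") as fh:
        fh.write(lib64 + "\n")
    after = resolve("libnettle.so.4", search_path("", conf_dir, defaults))

    # A world-writable directory at the front of the path (for example via a
    # stray LD_LIBRARY_PATH) is exactly what the audit should flag.
    sketchy = os.path.join(root, "tmp/libs")
    os.makedirs(sketchy)
    os.chmod(sketchy, 0o777)
    flagged = writable_by_others(search_path(sketchy, conf_dir, defaults))
    return before, after, flagged


if __name__ == "__main__":
    before, after, flagged = demo()
    print("before fix:", before)
    print("after fix :", after)
    print("writable directories on the loader path:", flagged)
```

Run it as root or not, it only touches a directory under the system temp location. The same `writable_by_others` check run over the real output of `ldconfig -v` directories is a quick sanity check after adding entries to ld.so.conf.d.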
Finally the star of the show, installing Ocserv:
If the build errors out, install the missing packages:
- yum install autoconf automake gcc libtasn1-devel zlib zlib-devel trousers trousers-devel gmp-devel gmp xz texinfo libnl-devel libnl tcp_wrappers-libs tcp_wrappers-devel tcp_wrappers dbus dbus-devel ncurses-devel pam-devel readline-devel bison bison-devel flex gcc automake autoconf wget
On 64-bit systems you may see the following error:
- configure: error: Package requirements (gnutls >= 3.1.10) were not met: No package 'gnutls' found
Run:
- export LIBGNUTLS_CFLAGS="-I/usr/include" LIBGNUTLS_LIBS="-L/usr/lib64 -lgnutls"
and configure will proceed. (CFLAGS takes -I include directories, not -L. These paths are for a distribution-packaged gnutls; for the gnutls built into /usr/local above use the values from the previous export, or better, add /usr/local/lib/pkgconfig to PKG_CONFIG_PATH so that pkg-config finds gnutls.pc by itself.)
Configuring OCserv
Note: the official man page explains all of this clearly: man ocserv
The goal is client-certificate login with no username or password. Before that, let's first get the simpler password login working. Start by generating the CA certificate and the server certificate; the official documentation covers these steps too.
- mkdir -p /etc/ocserv/certificates
- cd /etc/ocserv/certificates
CA template: create ca.tmpl and fill it in as needed; cn and organization here can be anything.
- cn = "Your CA name"
- organization = "Your fancy name"
- serial = 1
- expiration_days = 3650
- ca
- signing_key
- cert_signing_key
- crl_signing_key
CA key
- certtool --generate-privkey --outfile ca-key.pem
Errors you may hit here, each worked around with a symlink into /usr/lib64 (listing /usr/local/lib and /usr/local/lib64 in /etc/ld.so.conf.d and running ldconfig, as above, fixes all three at once without scattering symlinks through system directories):
1. certtool: error while loading shared libraries: libgnutls.so.28: cannot open shared object file: No such file or directory
- ln -s /usr/local/lib/libgnutls.so.28 /usr/lib64/
2. certtool: error while loading shared libraries: libnettle.so.4: cannot open shared object file: No such file or directory
- ln -s /usr/local/lib64/libnettle.so.4 /usr/lib64/
3. certtool: error while loading shared libraries: libhogweed.so.2: cannot open shared object file: No such file or directory
- ln -s /usr/local/lib64/libhogweed.so.2 /usr/lib64/
CA certificate
- certtool --generate-self-signed --load-privkey ca-key.pem --template ca.tmpl --outfile ca-cert.pem
Likewise, generate the server certificate, signed by the CA. First create the server.tmpl template. The cn here must match the hostname or IP on which you will ultimately serve, otherwise the AnyConnect client will not import the certificate correctly. Newer clients check the subjectAltName rather than the CN, so also add a dns_name = "your.host.name" line (or ip_address = "1.2.3.4" for a bare IP) to the template.
- cn = "Your hostname or IP"
- organization = "Your fancy name"
- expiration_days = 3650
- signing_key
- encryption_key
- tls_www_server
Server key
- certtool --generate-privkey --outfile server-key.pem
Server certificate
- certtool --generate-certificate --load-privkey server-key.pem --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem --template server.tmpl --outfile server-cert.pem
Put the server certificate server-cert.pem in /etc/ssl/certs and the private key server-key.pem in /etc/ssl/private. Keep /etc/ssl/private and the key files readable by root only (ocserv reads the key before its workers drop to the run-as-user set below). The CA key ca-key.pem does not need to live on the VPN host at all: whoever holds it can issue client certificates the server will accept once certificate login is enabled, so keep it elsewhere, or at the very least under the same restrictive permissions.
- mkdir /etc/ssl/private
- cp ca-cert.pem /etc/ssl/certs
- cp ca-key.pem /etc/ssl/private
- cp server-cert.pem /etc/ssl/certs
- cp server-key.pem /etc/ssl/private
What remains is the OCserv configuration file. Again, the official documentation is the best reference, but for convenience here are the settings to pay attention to. Go back to the ocserv-0.8.1 directory and copy the sample config to the location OCserv reads by default.
- cd /usr/local/src/ocserv-0.8.1
- mkdir /etc/ocserv
- cp doc/sample.config /etc/ocserv/ocserv.conf
- cp doc/sample.passwd /etc/ocserv/ocpasswd
Make sure the following settings are right:
- # Login method; password login for now
- auth = "plain[/etc/ocserv/ocpasswd]"
- max-clients = 10
- # Limit the number of parallel sessions per user (10 is generous for a personal VPN; the sample config uses 2)
- max-same-clients = 10
- # IP the service listens on (the server IP; may be left unset)
- #listen-host = 1.2.3.4
- # TCP/UDP ports the service listens on
- tcp-port = 9200
- udp-port = 9201
- # Let the VPN tune its MTU automatically
- try-mtu-discovery = true
- # Make sure the server reads the user certificate correctly (used later for certificate login); OID 2.5.4.3 is the CN, which then becomes the username
- #cert-user-oid = 2.5.4.3
- # Server certificate and key
- server-cert = /etc/ssl/certs/server-cert.pem
- server-key = /etc/ssl/private/server-key.pem
- # DNS servers handed to clients once connected
- dns = 8.8.8.8
- dns = 8.8.4.4
- # Comment out every route so the server becomes the default gateway
- #route = 192.168.1.0/255.255.255.0
- # Enable Cisco client compatibility
- cisco-client-compat = true
- # With this left on the server fails with: error: 'isolate-workers' is set to true, but not compiled with seccomp or Linux namespaces support
- # That means the build found no libseccomp; turning it off removes the sandbox around the worker processes, so prefer installing libseccomp-devel and rebuilding ocserv over disabling it
- #isolate-workers = false
- device = vpns
- session-control = true
- keepalive = 32400
- dpd = 90
- auth-timeout = 40
- cookie-timeout = 300
- deny-roaming = false
- rekey-time = 172800
- rekey-method = ssl
- use-utmp = true
- use-occtl = true
- pid-file = /var/run/ocserv.pid
- socket-file = /var/run/ocserv-socket
- run-as-user = nobody
- run-as-group = nobody
- predictable-ips = true
- ipv4-network = 192.168.10.0
- ipv4-netmask = 255.255.255.0
- ping-leases = false
Create a username and password for logging in.
- ocpasswd -c /etc/ocserv/ocpasswd username
Error: -bash: ocpasswd: command not found
The tool was not installed into PATH, so copy it from the build tree:
- cd /usr/local/src/ocserv-0.8.1/src
- cp ocpasswd /usr/bin
Then run it again:
- ocpasswd -c /etc/ocserv/ocpasswd username
Change the kernel setting to allow forwarding:
- vim /etc/sysctl.conf
- # change this line
- net.ipv4.ip_forward = 1
- # save and exit, then apply
- sysctl -p
With that OCserv is basically configured. But if, like me, you have hardened the server, you still need to open a few ports.
Update the iptables rules:
- iptables -I INPUT -i eth0 -p tcp --dport 9200 -j ACCEPT && iptables -I OUTPUT -o eth0 -p tcp --sport 9200 -j ACCEPT && iptables -I INPUT -i eth0 -p udp --dport 9201 -j ACCEPT && iptables -I OUTPUT -o eth0 -p udp --sport 9201 -j ACCEPT
- service iptables save
These rules only open the listener. For clients to reach anything through the tunnel, the FORWARD chain must also accept their traffic and the nat table needs a MASQUERADE rule for the VPN subnet (the iptables section of the second write-up further down shows both); otherwise the VPN connects but nothing loads.
Finally run the service:
- /usr/sbin/ocserv -c /etc/ocserv/ocserv.conf
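The INPUT/OUTPUT rules above open the listener but say nothing about forwarding or NAT, and that is where a VPN gateway usually goes wrong: clients connect and then reach nothing. The Python check below is an added example, not code from the original post. It reads an iptables-save dump (the two dumps inside it are constructed: the first in the shape of the rules above plus an unconditional FORWARD drop and no nat table, the second a working gateway) and reports a listener that is not open on both ports, a FORWARD chain that never accepts the tunnel interfaces or drops before it does, and a missing or unscoped MASQUERADE rule. The interface prefix vpns, ports 9200/9201 and subnet 192.168.10.0/24 are the values from the config above; ip_forward is a sysctl and is not visible in a dump, so it is not checked.

```python
import re

RULE = re.compile(r"^-A\s+(\S+)\s+(.*)$")   # -A CHAIN <match> -j TARGET


def parse_dump(text):
    """iptables-save text -> ({table: {chain: [rule, ...]}}, {(table, chain): policy})."""
    tables, policies, table = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):                  # *filter, *nat
            table = line[1:]
            tables.setdefault(table, {})
        elif line.startswith(":"):                # :FORWARD DROP [0:0]
            chain, policy = line[1:].split()[:2]
            tables[table].setdefault(chain, [])
            policies[(table, chain)] = policy
        else:
            m = RULE.match(line)
            if m and table:
                tables[table].setdefault(m.group(1), []).append(m.group(2))
    return tables, policies


def matches(rule, *fragments):
    """True if the rule contains every fragment as whole tokens."""
    return all(" %s " % f in " %s " % rule for f in fragments)


def index_of(rules, *fragments):
    return next((i for i, r in enumerate(rules) if matches(r, *fragments)), None)


def check_vpn_gateway(text, tcp_port, udp_port, subnet, vpn_dev="vpns"):
    tables, policies = parse_dump(text)
    flt, nat = tables.get("filter", {}), tables.get("nat", {})
    problems = []

    inp = flt.get("INPUT", [])
    if index_of(inp, "-p tcp", "--dport %d" % tcp_port, "-j ACCEPT") is None:
        problems.append("INPUT does not accept tcp/%d" % tcp_port)
    if index_of(inp, "-p udp", "--dport %d" % udp_port, "-j ACCEPT") is None:
        problems.append("INPUT does not accept udp/%d: no DTLS, everything falls back to TCP" % udp_port)

    # FORWARD: the trap is an unconditional '-A FORWARD -j DROP' placed before (or instead of)
    # the accepts for the tunnel interfaces; a DROP policy with no accepts is the same thing.
    fwd = flt.get("FORWARD", [])
    policy = policies.get(("filter", "FORWARD"), "ACCEPT")
    drop = next((i for i, r in enumerate(fwd) if r == "-j DROP"), None)
    out_ok = index_of(fwd, "-i %s+" % vpn_dev, "-j ACCEPT")
    back_ok = index_of(fwd, "ESTABLISHED,RELATED", "-j ACCEPT")
    blocked = policy != "ACCEPT" or drop is not None
    if blocked and (out_ok is None or (drop is not None and drop < out_ok)):
        problems.append("FORWARD never accepts traffic from %s+ before dropping: clients connect but reach nothing" % vpn_dev)
    if blocked and (back_ok is None or (drop is not None and drop < back_ok)):
        problems.append("FORWARD has no ESTABLISHED,RELATED accept for return traffic")

    # NAT: without MASQUERADE/SNAT the replies are addressed to the private pool and never come back.
    snat = [r for r in nat.get("POSTROUTING", []) if matches(r, "-j MASQUERADE") or matches(r, "-j SNAT")]
    if not snat:
        problems.append("nat POSTROUTING has no MASQUERADE/SNAT rule for %s" % subnet)
    elif not any(matches(r, "-s %s" % subnet) for r in snat):
        problems.append("MASQUERADE is not limited to -s %s: every forwarded packet gets NATed" % subnet)
    return problems


# Constructed: the shape of the rules above, plus the '-A FORWARD -j DROP' trap and no nat table.
AS_POSTED = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i eth0 -p tcp --dport 9200 -j ACCEPT
-A INPUT -i eth0 -p udp --dport 9201 -j ACCEPT
-A INPUT -j DROP
-A FORWARD -j DROP
COMMIT
"""

# Constructed: a working gateway for the 192.168.10.0/24 pool on the vpns* devices.
GATEWAY = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp --dport 9200 -j ACCEPT
-A INPUT -p udp --dport 9201 -j ACCEPT
-A FORWARD -i vpns+ -s 192.168.10.0/24 -j ACCEPT
-A FORWARD -o vpns+ -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.10.0/24 -o eth0 -j MASQUERADE
COMMIT
"""

if __name__ == "__main__":
    for name, dump in (("as posted", AS_POSTED), ("gateway", GATEWAY)):
        print(name + ":", check_vpn_gateway(dump, 9200, 9201, "192.168.10.0/24") or "ok")
```

On a live box, feed it `iptables-save` output instead of the constructed dumps; the MASQUERADE scoping finding is deliberate, since an unscoped `-j MASQUERADE` also rewrites any other traffic the host happens to forward.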
Testing OCserv
Start the OpenConnect server in the foreground with debugging on:
- ocserv -f -d 1
If the service does not exit with an error, it is time to test the client. Assuming you use iOS, download Cisco AnyConnect.
Under Connections add a new VPN configuration and enter the IP/hostname and TCP port in the server address field.
Then, in the Settings tab, temporarily disable the "Block Untrusted Servers" option. On the first connection AnyConnect will warn that the certificate is untrusted; if the cn in your server certificate template was right, you can accept and import the certificate (it then shows in the server certificate list under the Certificates menu of the Diagnostics tab). After that the "Block Untrusted Servers" option can be re-enabled without errors (trust on first use, like SSH's first login). Do re-enable it: while it is off, AnyConnect connects to whatever answers at that address, certificate or not.
Once the VPN connects and reaches the outside world, we can go on to improve our quality of life online.
Automating OCserv
If anything about the current setup is unsatisfying, it is probably these two points:
- The OCserv service should start on its own and recover if the process dies.
- Typing a password into AnyConnect every time is tedious; client-certificate login would be better.
Certificate login: no more passwords
Create a client certificate for AnyConnect
The steps are basically the same as for the server certificate. Go back to the certificates folder.
Create user.tmpl (with cert-user-oid = 2.5.4.3 the cn becomes the VPN username, so give each user a distinct, meaningful cn rather than a random one):
- cn = "some random name"
- unit = "some random unit"
- expiration_days = 365
- signing_key
- tls_www_client
User key
- certtool --generate-privkey --outfile user-key.pem
User certificate
- certtool --generate-certificate --load-privkey user-key.pem --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem --template user.tmpl --outfile user-cert.pem
Next, convert the certificate and key into PKCS#12 format. certtool can supposedly do this too, but for whatever reason the current iOS AnyConnect does not accept the p12 certtool produces, so use openssl instead (it prompts for an export password; set one, because the file contains the private key):
- openssl pkcs12 -export -inkey user-key.pem -in user-cert.pem -certfile ca-cert.pem -out user.p12
Then import user.p12 into AnyConnect via a URL; the option is under Certificates in the Diagnostics tab. If your server already runs Nginx/Apache, just put the file at a reachable URL path. If not, see the Nginx website or Linode's Nginx getting-started guide. Serve it over HTTPS or from an unguessable path and delete it after the import: anyone who fetches the p12 and guesses its password holds a valid VPN identity.
Once it is imported, change the certificate entry in the VPN profile's advanced settings to the imported certificate.
Finally, adjust the OCserv configuration:
- vim /etc/ocserv/ocserv.conf
Change the following:
- # Switch to certificate login; comment out the previous auth line
- auth = "certificate"
- # Certificate auth does not support this option; comment it out
- #listen-clear-file = /var/run/ocserv-conn.socket
- # Enable certificate verification: the CA that signed the client certificates (this is the ca-cert.pem copied to /etc/ssl/certs above; the second write-up further down names it my-ca-cert.pem)
- ca-cert = /etc/ssl/certs/ca-cert.pem
With auth = "certificate", any certificate signed by this CA logs in, and there is no password to change if a phone is lost. Plan for revocation from the start: the CA template above already has crl_signing_key, and ocserv accepts a crl = /path/to/crl.pem setting that it checks on every login.
Restart OCserv and confirm the VPN logs in without a password.
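Since the same ocserv.conf is edited twice on this page (password mode above, then the certificate-mode changes just made), here is a small Python lint for the settings those edits touch. It is an added example, neither code from the original post nor part of ocserv; the two configuration texts inside it are constructed to mirror the password-mode and certificate-mode configs from the text, and the thresholds it applies (max-same-clients above 2 or unlimited, isolate-workers switched off, a server key outside /etc/ssl/private) are this example's own judgement calls, not ocserv rules.

```python
import re

# ocserv.conf lines look like `key = value`; '#' starts a comment and some
# keys (dns, route) may repeat, so every key maps to a list of values.
LINE = re.compile(r"^\s*([A-Za-z0-9_-]+)\s*=\s*(.*?)\s*$")


def parse(text):
    conf = {}
    for raw in text.splitlines():
        m = LINE.match(raw.split("#", 1)[0])
        if m:
            conf.setdefault(m.group(1), []).append(m.group(2).strip('"'))
    return conf


def first(conf, key, default=None):
    return conf[key][0] if key in conf else default


def audit(text):
    """Findings for the settings this post touches; an empty list means clean."""
    c = parse(text)
    findings = []
    auth = first(c, "auth", "")

    if auth.startswith("certificate"):
        if "ca-cert" not in c:
            findings.append("auth=certificate but no ca-cert: no client certificate can be verified")
        if "crl" not in c:
            findings.append("auth=certificate without crl: a lost user.p12 cannot be revoked")
        if "listen-clear-file" in c:
            findings.append("listen-clear-file is not supported together with certificate auth")
    elif not auth.startswith("plain"):
        findings.append("auth is missing or unrecognised: %r" % auth)

    if first(c, "isolate-workers") == "false":
        findings.append("isolate-workers=false: worker processes run without the seccomp sandbox")
    if first(c, "run-as-user", "root") == "root":
        findings.append("run-as-user is root: workers never drop privileges")
    same = int(first(c, "max-same-clients", "0"))   # 0 means unlimited in ocserv
    if same == 0 or same > 2:
        findings.append("max-same-clients=%d: one leaked credential can hold many sessions" % same)
    key = first(c, "server-key", "")
    if key and not key.startswith("/etc/ssl/private/"):
        findings.append("server-key %s is outside /etc/ssl/private: check its mode" % key)
    return findings


# Constructed to mirror the password-mode config above, with isolate-workers
# actually switched off (the post only comments it out).
PASSWORD_MODE = """
auth = "plain[/etc/ocserv/ocpasswd]"
max-clients = 10
max-same-clients = 10
tcp-port = 9200
udp-port = 9201
server-cert = /etc/ssl/certs/server-cert.pem
server-key = /etc/ssl/private/server-key.pem
dns = 8.8.8.8
dns = 8.8.4.4
cisco-client-compat = true
isolate-workers = false   # build lacked seccomp support
run-as-user = nobody
run-as-group = nobody
"""

# Constructed to mirror the certificate-mode change, with a CRL added and the
# CA path matching where ca-cert.pem was copied.
CERT_MODE = """
auth = "certificate"
max-same-clients = 2
tcp-port = 9200
udp-port = 9201
server-cert = /etc/ssl/certs/server-cert.pem
server-key = /etc/ssl/private/server-key.pem
ca-cert = /etc/ssl/certs/ca-cert.pem
crl = /etc/ssl/certs/crl.pem
cert-user-oid = 2.5.4.3
isolate-workers = true
run-as-user = nobody
run-as-group = nobody
dns = 8.8.8.8
cisco-client-compat = true
"""

if __name__ == "__main__":
    for name, text in (("password mode", PASSWORD_MODE), ("certificate mode", CERT_MODE)):
        print(name + ":", audit(text) or "clean")
```

Point `audit` at the contents of /etc/ocserv/ocserv.conf before restarting; the parser ignores anything it does not recognise, so a clean result means only that none of the checks above fired.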
For the detailed settings see: https://www.stunnel.info/%E5%9C%A8centos-6-5%E4%B8%8A%E9%85%8D%E7%BD%AEcisco-anyconnect-vpn/
https://luoqkk.com/linode-vps-debian-installation-and-configuration-ocserv-openconnect-server.html
Installing ocserv and AnyConnect
First, let me share the VPS I bought recently for $9.99 a year; it is pretty good value:
- CPU: 1 core
- RAM: 512MB
- vSWAP: 64MB
- Disk: 5 GB (SSD)
- Monthly traffic: 500GB / 1Gbps
- 1 IP / KiwiVM
If you need one, you can click through to buy it.
OK, let's continue.
The most important thing a VPS has to offer is, of course, that special capability every Chinese user understands.
Shadowsocks (ss) and the like are all easy to install, but on a non-jailbroken iOS they are awkward to use, and interference with VPN and OpenVPN is severe, so on iOS I now use AnyConnect to get through. Below is the most complete article I found; it is well written.
Environment preparation
CentOS
- yum install autoconf automake gcc libtasn1-devel zlib zlib-devel trousers trousers-devel gmp-devel gmp xz texinfo libnl-devel libnl tcp_wrappers-libs tcp_wrappers-devel tcp_wrappers dbus dbus-devel ncurses-devel pam-devel readline-devel bison bison-devel flex gcc automake autoconf wget
**Ubuntu**
Note: on Ubuntu 14.04 and earlier, libgnutls-dev is still version 2.x; you need libgnutls28-dev to get GnuTLS 3.x, which OCserv requires.
- sudo apt-get install build-essential pkg-config libgnutls28-dev libreadline-dev libseccomp-dev libpam0g-dev libwrap0-dev libnl-nf-3-dev
Install Nettle
- wget http://www.lysator.liu.se/~nisse/archive/nettle-2.7.tar.gz
- tar xvf nettle-2.7.tar.gz
- cd nettle-2.7
- ./configure --prefix=/usr
- make && make install
- cd ..
Install GnuTLS
- wget ftp://ftp.gnutls.org/gcrypt/gnutls/v3.2/gnutls-3.2.12.tar.xz
- tar xvf gnutls-3.2.12.tar.xz
- cd gnutls-3.2.12
- ./configure --prefix=/usr
- make && make install
- cd ..
On 64-bit systems the build may fail with:
- Libnettle 2.x was not found or Libhogweed (nettle's companion library) was not found.
This is a 64-bit library path problem; run the export below and then rerun the build commands above:
- export LD_LIBRARY_PATH=/usr/lib/:/usr/lib64/ NETTLE_CFLAGS="-I/usr/include/" NETTLE_LIBS="-L/usr/lib64/ -lnettle" HOGWEED_CFLAGS="-I/usr/include" HOGWEED_LIBS="-L/usr/lib64/ -lhogweed"
Install LibNL
- wget http://www.carisma.slowglass.com/~tgr/libnl/files/libnl-3.2.24.tar.gz
- tar xvf libnl-3.2.24.tar.gz
- cd libnl-3.2.24
- ./configure
- make && make install
- cd ..
Build OCserv
Get the latest OpenConnect Server release from the official site.
- curl -O ftp://ftp.infradead.org/pub/ocserv/ocserv-0.9.0.1.tar.xz
- tar xvf ocserv-0.9.0.1.tar.xz
- cd ocserv-0.9.0
- ./configure --prefix=/usr
- make && make install
On 64-bit systems you may see the following error:
- configure: error: Package requirements (gnutls >= 3.1.10) were not met: No package 'gnutls' found
Run:
- export LIBGNUTLS_CFLAGS="-I/usr/include" LIBGNUTLS_LIBS="-L/usr/lib64 -lgnutls"
and it will proceed.
Configuring OCserv
Note: the official man page explains all of this clearly: man ocserv
The goal is client-certificate login with no username or password. Before that, let's first get the simpler password login working. Start by generating the CA certificate and the server certificate; the official documentation covers these steps too.
- mkdir certificates
- cd certificates
CA template: create ca.tmpl and fill it in as needed; cn and organization here can be anything.
- cn = "Your CA name"
- organization = "Your fancy name"
- serial = 1
- expiration_days = 3650
- ca
- signing_key
- cert_signing_key
- crl_signing_key
CA key
- certtool --generate-privkey --outfile ca-key.pem
CA certificate
- certtool --generate-self-signed --load-privkey ca-key.pem --template ca.tmpl --outfile ca-cert.pem
Likewise, generate the server certificate, signed by the CA. First create the server.tmpl template. The cn here must match the hostname or IP on which you will ultimately serve, otherwise the AnyConnect client will not import the certificate correctly.
- cn = "Your hostname or IP"
- organization = "Your fancy name"
- expiration_days = 3650
- signing_key
- encryption_key
- tls_www_server
Server key
- certtool --generate-privkey --outfile server-key.pem
Server certificate
- certtool --generate-certificate --load-privkey server-key.pem --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem --template server.tmpl --outfile server-cert.pem
Copy the CA and server certificates and the key into the following folders:
- cp ca-cert.pem /etc/ssl/certs/my-ca-cert.pem
- cp server-cert.pem /etc/ssl/certs/my-server-cert.pem
- cp server-key.pem /etc/ssl/private/my-server-key.pem
What remains is the OCserv configuration file. Again, the official documentation is the best reference, but for convenience here are the settings to pay attention to. Go back to the ocserv-0.9.0 directory and copy the sample config to the location OCserv reads by default.
- mkdir /etc/ocserv
- cp doc/sample.config /etc/ocserv/ocserv.conf
Make sure the following settings are right:
- # Login method; password login for now
- auth = "plain[/etc/ocserv/ocpasswd]"
- # Number of clients allowed to connect at once
- max-clients = 4
- # Limit the number of parallel sessions per user
- max-same-clients = 2
- # IP the service listens on (the server IP; may be left unset)
- #listen-host = 1.2.3.4
- # TCP/UDP ports the service listens on
- tcp-port = 443
- udp-port = 443
- # Let the VPN tune its MTU automatically
- try-mtu-discovery = true
- # Server certificate and key
- server-cert = /etc/ssl/certs/my-server-cert.pem
- server-key = /etc/ssl/private/my-server-key.pem
- # DNS server handed to clients once connected
- dns = 8.8.8.8
- # Comment out every route so the server becomes the default gateway
- #route = 192.168.1.0/255.255.255.0
- # Enable Cisco client compatibility
- cisco-client-compat = true
Create a username and password for logging in.
- ocpasswd -c /etc/ocserv/ocpasswd username
Change the kernel setting to allow forwarding:
- vim /etc/sysctl.conf
- # change this line
- net.ipv4.ip_forward = 1
- # save and exit, then apply
- sysctl -p
With that OCserv is basically configured. But if, like me, you have hardened the server, you still need to open a few ports.
Update the iptables rules; you can follow Linode's article to configure iptables:
- *filter
- # Allow all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
- -A INPUT -i lo -j ACCEPT
- -A INPUT -d 127.0.0.0/8 -j REJECT
- # Accept all established inbound connections
- -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
- # Allow all outbound traffic - you can modify this to only allow certain traffic
- -A OUTPUT -j ACCEPT
- # Allow HTTP and HTTPS connections from anywhere (the normal ports for websites and SSL).
- -A INPUT -p tcp --dport 80 -j ACCEPT
- -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
- # Allow SSH connections
- #
- # The -dport number should be the same port number you set in sshd_config
- #
- -A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
- # Allow ping
- -A INPUT -p icmp -j ACCEPT
- # Log iptables denied calls
- -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
- -A INPUT -j DROP
- COMMIT
Pay particular attention to this: the following line must not be present, otherwise you can connect but cannot reach anything.
- -A FORWARD -j DROP #do not have this line
Add these lines to /etc/rc.local before the exit to enable NAT:
- iptables -t nat -A POSTROUTING -j MASQUERADE
- iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
Testing OCserv
Start the OpenConnect server:
- ocserv -f -d 1
If the service does not exit with an error, it is time to test the client. Assuming you use iOS, download Cisco AnyConnect.
Under Connections add a new VPN configuration and enter the IP/hostname and TCP port in the server address field.
Then, in the Settings tab, temporarily disable the "Block Untrusted Servers" option. On the first connection AnyConnect will warn that the certificate is untrusted; if the cn in your server certificate template was right, you can accept and import the certificate (it then shows in the server certificate list under the Certificates menu of the Diagnostics tab). After that the "Block Untrusted Servers" option can be re-enabled without errors (similar to SSH's first login).
Once the VPN connects and reaches the outside world, we can go on to improve our quality of life online.
Automating OCserv
If anything about the current setup is unsatisfying, it is probably these two points:
- The OCserv service should start on its own and recover if the process dies.
- Typing a password into AnyConnect every time is tedious; client-certificate login would be better.
Certificate login: no more passwords
Create a client certificate for AnyConnect
The steps are basically the same as for the server certificate. Go back to the certificates folder.
创建user.tmpl
1 2 3 4 5 |
<span class="pln">cn </span><span class="pun">=</span> <span class="str">"some random name"</span><span class="pln"> unit </span><span class="pun">=</span> <span class="str">"some random unit"</span><span class="pln"> expiration_days </span><span class="pun">=</span> <span class="lit">365</span><span class="pln"> signing_key tls_www_client</span> |
User密钥
1 |
<span class="pln">certtool </span><span class="pun">--</span><span class="pln">generate</span><span class="pun">-</span><span class="pln">privkey </span><span class="pun">--</span><span class="pln">outfile user</span><span class="pun">-</span><span class="pln">key</span><span class="pun">.</span><span class="pln">pem</span> |
User certificate:
certtool --generate-certificate --load-privkey user-key.pem --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem --template user.tmpl --outfile user-cert.pem
Next, convert the certificate and key to PKCS#12 format. certtool can do this too in principle, but for whatever reason the current iOS version of AnyConnect does not accept the .p12 file certtool produces, so we use openssl instead:
openssl pkcs12 -export -inkey user-key.pem -in user-cert.pem -certfile ca-cert.pem -out user.p12
Then import user.p12 into AnyConnect through a URL; the import lives under the Certificates section of the Diagnostics tab. If your server already runs Nginx/Apache, upload the file to a reachable URL path. If not, see the Nginx website or Linode's Nginx getting-started guide.
After the import succeeds, open the Advanced settings of the corresponding VPN profile and set its Certificate field to the imported certificate.
Finally, adjust the OCserv configuration:
vim /etc/ocserv/ocserv.conf
Change the following:
# switch to certificate login and comment out the previous login mode
auth = "certificate"
# certificate authentication does not support this option, so comment this line out
#listen-clear-file = /var/run/ocserv-conn.socket
# enable certificate verification
ca-cert = /etc/ssl/certs/my-ca-cert.pem
Restart the OCserv service and confirm that the VPN logs in without a password.
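The certificate-login change is only a handful of directives, but they are easy to get wrong inside a long sample.config, and a missing ca-cert or a stray listen-clear-file line is not obvious until a client fails. As an added check that is not part of the original post or of the ocserv project, the Python below parses the active (uncommented) directives of an ocserv.conf and flags the combinations this post warns about (auth = "certificate" without ca-cert, listen-clear-file left active under certificate auth) plus two settings the install script at the end of this post relaxes (isolate-workers and cookie-timeout). The two sample configurations and the 3600-second cookie threshold are constructed for this example.

```python
"""Lint the security-relevant ocserv.conf directives touched in this post.

Added example, not code from the post or from ocserv. The sample
configurations below are constructed; the 3600-second cookie threshold
is an assumption chosen for the example, not an ocserv rule.
"""
import re

# Constructed sample: password login, as the install script leaves it.
PASSWORD_LOGIN_CONF = """\
auth = "plain[/usr/local/etc/ocserv/ocpasswd]"
listen-clear-file = /var/run/ocserv-conn.socket
#ca-cert = /etc/ssl/certs/my-ca-cert.pem
isolate-workers = false
cookie-timeout = 86400
"""

# Constructed sample: the certificate-login edits from the post, applied.
CERT_LOGIN_CONF = """\
#auth = "plain[/usr/local/etc/ocserv/ocpasswd]"
auth = "certificate"
#listen-clear-file = /var/run/ocserv-conn.socket
ca-cert = /etc/ssl/certs/my-ca-cert.pem
isolate-workers = true
cookie-timeout = 300
"""

COOKIE_TIMEOUT_MAX = 3600  # assumption for this example

_DIRECTIVE = re.compile(r'^\s*([A-Za-z0-9_-]+)\s*=\s*(.*?)\s*$')


def parse_ocserv_conf(text):
    """Return {directive: [value, ...]} for active (uncommented) lines.

    Values are kept as lists because ocserv allows some directives
    (dns, route, auth) to appear more than once.
    """
    conf = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith('#'):
            continue  # blank line or commented-out directive
        m = _DIRECTIVE.match(line)
        if m:
            conf.setdefault(m.group(1), []).append(m.group(2).strip('"'))
    return conf


def lint_ocserv_conf(text):
    """Return a list of findings (strings); an empty list means the checks pass."""
    conf = parse_ocserv_conf(text)
    findings = []

    auth = conf.get('auth', [])
    cert_auth = any(v.startswith('certificate') for v in auth)
    if not auth:
        findings.append('auth: no authentication method is configured')
    if cert_auth and 'ca-cert' not in conf:
        findings.append('ca-cert: required for auth = "certificate" but not set, '
                        'so client certificates cannot be verified')
    if cert_auth and 'listen-clear-file' in conf:
        findings.append('listen-clear-file: not supported with certificate '
                        'authentication; comment it out')

    # isolate-workers defaults to true in the sample config; the install
    # script turns it off, which removes the per-worker sandboxing.
    if conf.get('isolate-workers', ['true'])[0].lower() != 'true':
        findings.append('isolate-workers: worker process isolation is disabled')

    # cookie-timeout is how long a disconnected client may reconnect on its
    # session cookie without re-authenticating.
    timeout = conf.get('cookie-timeout', ['0'])[0]
    if timeout.isdigit() and int(timeout) > COOKIE_TIMEOUT_MAX:
        findings.append('cookie-timeout: %s seconds lets a disconnected client '
                        'reconnect without re-authenticating for that long' % timeout)
    return findings


if __name__ == '__main__':
    for name, text in (('password login', PASSWORD_LOGIN_CONF),
                       ('certificate login', CERT_LOGIN_CONF)):
        print('%s: %s' % (name, lint_ocserv_conf(text) or 'OK'))
```

Run it against a real file with `lint_ocserv_conf(open('/etc/ocserv/ocserv.conf').read())`; the checks only look at uncommented lines, so a directive that was commented out the way the post does counts as absent.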
Installing and using start-stop-daemon on CentOS
CentOS does not ship start-stop-daemon, because it belongs to Debian's dpkg package. To install it you have to build it yourself.
The commands are as follows:
wget http://developer.axis.com/download/distribution/apps-sys-utils-start-stop-daemon-IR1_9_18-2.tar.gz
tar zxf apps-sys-utils-start-stop-daemon-IR1_9_18-2.tar.gz
mv apps/sys-utils/start-stop-daemon-IR1_9_18-2/ ./
rm -rf apps
cd start-stop-daemon-IR1_9_18-2/
cc start-stop-daemon.c -o start-stop-daemon
cp start-stop-daemon /usr/local/bin/start-stop-daemon
Installation is complete.
One-click install script: https://github.com/lunadream/ocserv-install/blob/master/ocserv-install-centos6.sh
ocserv-install-centos6.sh
#!/bin/bash
####################################################
#                                                  #
#    This is a ocserv installation for CentOS 6    #
#    Version: 20150826-001                         #
#    Author: Yvonne Lu                             #
#    Website: https://noname.space                 #
#                                                  #
####################################################

# Check that we are running as root
if [[ $(id -u) != "0" ]]; then
    printf "\e[42m\e[31mError: You must be root to run this install script.\e[0m\n"
    exit 1
fi

# Check that this is CentOS 6 or RHEL 6
if [[ $(grep "release 6." /etc/redhat-release 2>/dev/null | wc -l) -eq 0 ]]; then
    printf "\e[42m\e[31mError: Your OS is NOT CentOS 6 or RHEL 6.\e[0m\n"
    printf "\e[42m\e[31mThis install script is ONLY for CentOS 6 and RHEL 6.\e[0m\n"
    exit 1
fi

basepath=$(dirname $0)
cd ${basepath}

function ConfigEnvironmentVariable {
    # ocserv version
    ocserv_version=0.10.4
    version=${1-${ocserv_version}}
    libtasn1_version=4.5

    # Variables
    # Maximum connections per IP, default is 2
    maxsameclients=10
    # Maximum number of connections, default is 16
    maxclients=1024
    # Server certificate and key, placed in the same directory as this script; the key file should be mode 600 or 400
    servercert=${2-server-cert.pem}
    serverkey=${3-server-key.pem}
    # Configuration directory; change to /etc/ocserv or similar if you prefer
    confdir="/usr/local/etc/ocserv"

    # Install system components
    yum install -y -q net-tools bind-utils

    # Get the network interface name
    ethlist=$(ifconfig | grep "Link encap" | cut -d " " -f1)
    eth=$(printf "${ethlist}\n" | head -n 1)
    if [[ $(printf "${ethlist}\n" | wc -l) -gt 2 ]]; then
        echo ======================================
        echo "Network Interface list:"
        printf "\e[33m${ethlist}\e[0m\n"
        echo ======================================
        echo "Which network interface you want to listen for ocserv?"
        printf "Default network interface is \e[33m${eth}\e[0m, let it blank to use default network interface: "
        read ethtmp
        if [[ -n "${ethtmp}" ]]; then
            eth=${ethtmp}
        fi
    fi

    # Port, default is 10443
    port=10443
    echo "Please input the port ocserv listen to."
    printf "Default port is \e[33m${port}\e[0m, let it blank to use default port: "
    read porttmp
    if [[ -n "${porttmp}" ]]; then
        port=${porttmp}
    fi

    # Username, default is user
    username=user
    echo "Please input ocserv user name:"
    printf "Default user name is \e[33m${username}\e[0m, let it blank to use default user name: "
    read usernametmp
    if [[ -n "${usernametmp}" ]]; then
        username=${usernametmp}
    fi

    # Random password
    randstr() {
        index=0
        str=""
        for i in {a..z}; do arr[index]=$i; index=$(expr ${index} + 1); done
        for i in {A..Z}; do arr[index]=$i; index=$(expr ${index} + 1); done
        for i in {0..9}; do arr[index]=$i; index=$(expr ${index} + 1); done
        for i in {1..10}; do str="$str${arr[$RANDOM%$index]}"; done
        echo ${str}
    }
    password=$(randstr)
    printf "Please input \e[33m${username}\e[0m's password:\n"
    printf "Default password is \e[33m${password}\e[0m, let it blank to use default password: "
    read passwordtmp
    if [[ -n "${passwordtmp}" ]]; then
        password=${passwordtmp}
    fi
}

function PrintEnvironmentVariable {
    # Print the configuration parameters
    clear
    ipv4=$(ip -4 -f inet addr | grep "inet " | grep -v "lo:" | grep -v "127.0.0.1" | grep -o -P "\d+\.\d+\.\d+\.\d+\/\d+" | grep -o -P "\d+\.\d+\.\d+\.\d+")
    ipv6=$(ip -6 addr | grep "inet6" | grep -v "::1/128" | grep -o -P "([a-z\d]+:[a-z\d:]+\/\d+)" | grep -o -P "([a-z\d]+:[a-z\d:]+)")
    echo -e "IPv4:\t\t\e[34m$(echo ${ipv4})\e[0m"
    echo -e "IPv6:\t\t\e[34m$(echo ${ipv6})\e[0m"
    echo -e "Port:\t\t\e[34m${port}\e[0m"
    echo -e "Username:\t\e[34m${username}\e[0m"
    echo -e "Password:\t\e[34m${password}\e[0m"
    echo
    echo "Press any key to start install ocserv."

    get_char() {
        SAVEDSTTY=$(stty -g)
        stty -echo
        stty cbreak
        dd if=/dev/tty bs=1 count=1 2> /dev/null
        stty -raw
        stty echo
        stty ${SAVEDSTTY}
    }
    char=$(get_char)
    clear
}

function CompileOcserv {
    # Upgrade the system
    #yum update -y -q
    yum install -y -q epel-release

    # Install the ocserv build dependencies
    yum -y install autoconf automake gcc libtasn1-devel zlib zlib-devel trousers trousers-devel gmp-devel gmp xz texinfo libnl-devel libnl tcp_wrappers-libs tcp_wrappers-devel tcp_wrappers dbus dbus-devel ncurses-devel pam-devel readline-devel bison bison-devel flex expat-devel

    # Build and install GNU Nettle
    wget http://ftp.gnu.org/gnu/nettle/nettle-2.7.1.tar.gz
    tar zxf nettle-2.7.1.tar.gz && cd nettle-2.7.1
    ./configure --prefix=/usr && make
    make install &&
    chmod -v 755 /usr/lib/libhogweed.so.2.5 /usr/lib/libnettle.so.4.7 &&
    install -v -m755 -d /usr/share/doc/nettle-2.7.1 &&
    install -v -m644 nettle.html /usr/share/doc/nettle-2.7.1
    cd ..

    # Build and install Unbound
    wget http://unbound.nlnetlabs.nl/downloads/unbound-latest.tar.gz
    tar zxf unbound-latest.tar.gz && cd unbound-*
    ./configure && make && make install
    echo '/usr/local/lib' > /etc/ld.so.conf.d/local-libraries.conf && ldconfig
    mkdir -p /etc/unbound && unbound-anchor -a "/etc/unbound/root.key"
    cd ..

    # Build and install gnutls
    wget ftp://ftp.gnutls.org/gcrypt/gnutls/v3.2/gnutls-3.2.15.tar.xz
    tar xvf gnutls-3.2.15.tar.xz
    cd gnutls-3.2.15
    export PKG_CONFIG_PATH=/usr/local/lib/pkgconfig:$PKG_CONFIG_PATH
    ./configure && make && make install
    cd ..

    # Build and install libnl
    wget http://www.carisma.slowglass.com/~tgr/libnl/files/libnl-3.2.25.tar.gz
    tar xvf libnl-3.2.25.tar.gz
    cd libnl-3.2.25
    ./configure && make && make install
    cd ..

    # Build and install start-stop-daemon
    wget http://ftp.de.debian.org/debian/pool/main/d/dpkg/dpkg_1.18.2.tar.xz
    tar -xvf dpkg_1.18.2.tar.xz
    cd dpkg-1.18.2
    ./configure
    make
    cd utils
    make
    cp -f start-stop-daemon /usr/bin/start-stop-daemon
    cd ../..    # back to the script directory (two levels: utils and dpkg-1.18.2)

    # Download, build and install ocserv
    wget -t 0 -T 60 "ftp://ftp.infradead.org/pub/ocserv/ocserv-${version}.tar.xz"
    tar axf ocserv-${version}.tar.xz
    cd ocserv-${version}
    sed -i 's/#define MAX_CONFIG_ENTRIES.*/#define MAX_CONFIG_ENTRIES 200/g' src/vpn.h
    ./configure && make && make install

    # Copy the sample configuration file
    mkdir -p "${confdir}"
    cp "doc/sample.config" "${confdir}/ocserv.conf"
    wget https://gist.github.com/kevinzhow/9661623/raw/eb8bc8292f7e7b708b2baafe19ecd616155220a1/ocserv -O /etc/init.d/ocserv
    chmod 755 /etc/init.d/ocserv
    cd ${basepath}
}

function ConfigOcserv {
    # Check whether the certificate and key files exist
    if [[ ! -f "${servercert}" ]] || [[ ! -f "${serverkey}" ]]; then
        # Create the CA certificate and the server certificate (see http://www.infradead.org/ocserv/manual.html#heading5)
        certtool --generate-privkey --outfile ca-key.pem
        cat << _EOF_ >ca.tmpl
cn = "LunaDream CA"
organization = "LunaDream Foundation"
serial = 1
expiration_days = 3650
ca
signing_key
cert_signing_key
crl_signing_key
_EOF_
        certtool --generate-self-signed --load-privkey ca-key.pem \
            --template ca.tmpl --outfile ca-cert.pem
        certtool --generate-privkey --outfile ${serverkey}
        cat << _EOF_ >server.tmpl
cn = "LunaDream VPN"
o = "LunaDream Foundation"
serial = 2
expiration_days = 3650
signing_key
encryption_key #only if the generated key is an RSA one
tls_www_server
_EOF_
        certtool --generate-certificate --load-privkey ${serverkey} \
            --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem \
            --template server.tmpl --outfile ${servercert}
    fi

    # Copy the certificates into the ocserv configuration directory
    cp "${servercert}" "${confdir}" && cp "${serverkey}" "${confdir}"

    # Edit the configuration file
    (echo "${password}"; sleep 1; echo "${password}") | ocpasswd -c "${confdir}/ocpasswd" ${username}
    sed -i "s#./sample.passwd#${confdir}/ocpasswd#g" "${confdir}/ocserv.conf"
    sed -i "s#server-cert = ../tests/server-cert.pem#server-cert = ${confdir}/${servercert}#g" "${confdir}/ocserv.conf"
    sed -i "s#server-key = ../tests/server-key.pem#server-key = ${confdir}/${serverkey}#g" "${confdir}/ocserv.conf"
    sed -i "s/max-same-clients = 2/max-same-clients = ${maxsameclients}/g" "${confdir}/ocserv.conf"
    sed -i "s/max-clients = 16/max-clients = ${maxclients}/g" "${confdir}/ocserv.conf"
    sed -i "s/tcp-port = 443/tcp-port = ${port}/g" "${confdir}/ocserv.conf"
    sed -i "s/udp-port = 443/udp-port = ${port}/g" "${confdir}/ocserv.conf"
    sed -i "s/default-domain = example.com/#default-domain = example.com/g" "${confdir}/ocserv.conf"
    sed -i "s/ipv4-network = 192.168.1.0/ipv4-network = 192.168.8.0/g" "${confdir}/ocserv.conf"
    # 255.255.248.0 is the mask for 192.168.8.0/21, the range the firewall rules below allow
    sed -i "s/ipv4-netmask = 255.255.255.0/ipv4-netmask = 255.255.248.0/g" "${confdir}/ocserv.conf"
    sed -i "s/dns = 192.168.1.2/dns = 8.8.8.8\ndns = 8.8.4.4/g" "${confdir}/ocserv.conf"
    sed -i "s/run-as-group = daemon/run-as-group = nobody/g" "${confdir}/ocserv.conf"
    sed -i "s/cookie-timeout = 300/cookie-timeout = 86400/g" "${confdir}/ocserv.conf"
    sed -i "s/isolate-workers = true/isolate-workers = false/g" "${confdir}/ocserv.conf"
    sed -i 's$route = 192.168.1.0/255.255.255.0$#route = 192.168.1.0/255.255.255.0$g' "${confdir}/ocserv.conf"
    sed -i 's$route = 192.168.5.0/255.255.255.0$#route = 192.168.5.0/255.255.255.0$g' "${confdir}/ocserv.conf"

    # Adjust the ocserv init script
    #sed -i "s#^ExecStart=#ExecStartPre=/usr/bin/firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -s 192.168.8.0/21 -j ACCEPT\nExecStartPre=/usr/bin/firewall-cmd --direct --add-rule ipv4 nat POSTROUTING 0 -s 192.168.8.0/21 -o ${eth} -j MASQUERADE\nExecStart=#g" "/etc/init.d/ocserv"
    sed -i "s#/usr/sbin/ocserv#/usr/local/sbin/ocserv#g" "/etc/init.d/ocserv"
    sed -i "s#/etc/ocserv/ocserv.conf#$confdir/ocserv.conf#g" "/etc/init.d/ocserv"
}

function ConfigFirewall {
    # "service iptables status" exits 0 only when the firewall is running,
    # so the rules are added in that case and a warning is printed otherwise
    /sbin/service iptables status 1>/dev/null 2>&1
    if [ $? -eq 0 ]; then
        iptables -I INPUT -p tcp --dport ${port} -j ACCEPT
        iptables -I INPUT -p udp --dport ${port} -j ACCEPT
        iptables -A FORWARD -s 192.168.8.0/21 -j ACCEPT
        iptables -t nat -A POSTROUTING -s 192.168.8.0/21 -o ${eth} -j MASQUERADE
        service iptables save
    else
        printf "\e[33mWARNING!!! Either firewalld or iptables is NOT Running! \e[0m\n"
    fi
}

function ConfigSystem {
    # Disable selinux
    sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config
    setenforce 0

    # System changes
    echo "Enable IP forward."
    sysctl -w net.ipv4.ip_forward=1
    echo net.ipv4.ip_forward = 1 >> "/etc/sysctl.conf"

    chkconfig --add ocserv
    echo "Enable ocserv service to start during bootup."
    chkconfig ocserv on

    # Start the ocserv service
    service ocserv start
    echo
}

function PrintResult {
    # Check whether the firewall and the ocserv service are working
    clear
    printf "\e[36mChecking Firewall status...\e[0m\n"
    iptables -L -n | grep --color=auto -E "(${port}|192.168.8.0)"
    line=$(iptables -L -n | grep -c -E "(${port}|192.168.8.0)")
    if [[ ${line} -ge 2 ]]
    then
        printf "\e[34mFirewall is Fine! \e[0m\n"
    else
        printf "\e[33mWARNING!!! Firewall is Something Wrong! \e[0m\n"
    fi
    echo
    printf "\e[36mChecking ocserv service status...\e[0m\n"
    netstat -anp | grep ":${port}" | grep --color=auto -E "(${port}|ocserv|tcp|udp)"
    linetcp=$(netstat -anp | grep ":${port}" | grep ocserv | grep tcp | wc -l)
    lineudp=$(netstat -anp | grep ":${port}" | grep ocserv | grep udp | wc -l)
    if [[ ${linetcp} -ge 1 && ${lineudp} -ge 1 ]]
    then
        printf "\e[34mocserv service is Fine! \e[0m\n"
    else
        printf "\e[33mWARNING!!! ocserv service is NOT Running! \e[0m\n"
    fi

    # Print the VPN parameters
    printf "
if there are \e[33mNO WARNING\e[0m above, then you can connect to
your ocserv VPN Server with the default user/password below:
======================================\n"
    echo -e "IPv4:\t\t\e[34m$(echo ${ipv4})\e[0m"
    echo -e "IPv6:\t\t\e[34m$(echo ${ipv6})\e[0m"
    echo -e "Port:\t\t\e[34m${port}\e[0m"
    echo -e "Username:\t\e[34m${username}\e[0m"
    echo -e "Password:\t\e[34m${password}\e[0m"
}

ConfigEnvironmentVariable "$@"
PrintEnvironmentVariable
CompileOcserv
ConfigOcserv
ConfigFirewall
ConfigSystem
PrintResult
exit 0