Install and configure OpenConnect VPN server (AnyConnect-compatible) ocserv
24 December 2014
Install openconnect (ocserv) (the following installation applies to Debian 7+)
Add the package source:
echo "deb http://ftp.debian.org/debian wheezy-backports main contrib non-free" >> /etc/apt/sources.list
Update the package index:
apt-get update
Upgrade the Linux system:
apt-get upgrade --show-upgraded
Install the dependencies:
apt-get -t wheezy-backports install libgnutls28-dev
apt-get install libgmp3-dev m4 gcc pkg-config make gnutls-bin -y
apt-get install build-essential libwrap0-dev libpam0g-dev libdbus-1-dev libreadline-dev libnl-route-3-dev libprotobuf-c0-dev libpcl1-dev libopts25-dev autogen libseccomp-dev
Download and install ocserv:
cd /usr/src
wget -O ocserv-0.8.1.tar.xz "https://wget.5752.me/Computer/code/ocserv-0.8.1.tar.xz?hash=LxzB3r5D&download=1"
tar Jxvf ocserv-0.8.1.tar.xz
cd ocserv-0.8.1
./configure --prefix=/usr --sysconfdir=/etc
make
make install
Return to root's home directory:
cd
Generate the CA certificate:
certtool --generate-privkey --outfile ca-key.pem
cat <<_EOF_ > ca.tmpl
cn = "vpn CA"
organization = "vpn Corp"
serial = 1
expiration_days = 999
ca
signing_key
cert_signing_key
crl_signing_key
_EOF_
certtool --generate-self-signed --load-privkey ca-key.pem --template ca.tmpl --outfile ca-cert.pem
Generate the local server certificate:
certtool --generate-privkey --outfile server-key.pem
cat <<_EOF_ > server.tmpl
cn = "vpn.5752.me"
organization = "vpn"
serial = 2
expiration_days = 999
signing_key
encryption_key
tls_www_server
_EOF_
certtool --generate-certificate --load-privkey server-key.pem --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem --template server.tmpl --outfile server-cert.pem
Generate the client certificate:
certtool --generate-privkey --outfile user-key.pem
cat <<_EOF_ > user.tmpl
cn = "vpn"
unit = "admins"
serial = 1824
expiration_days = 999
signing_key
tls_www_client
_EOF_
certtool --generate-certificate --load-privkey user-key.pem --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem --template user.tmpl --outfile user-cert.pem
Generate a p12-format certificate that can be imported on Windows:
openssl pkcs12 -export -inkey user-key.pem -in user-cert.pem -name "vpnclient" -certfile ca-cert.pem -caname "vpn CA" -out client.cert.p12
You will be prompted to set an export password for the certificate; you can also leave it empty and just press Enter.
cp ca-cert.pem /etc/ssl/certs
cp ca-key.pem /etc/ssl/private
cp server-cert.pem /etc/ssl/certs
cp server-key.pem /etc/ssl/private
Configuration file:
mkdir /etc/ocserv
cp /usr/src/ocserv-0.8.1/doc/sample.config /etc/ocserv/
mv /etc/ocserv/sample.config /etc/ocserv/ocserv.conf
Edit the configuration file:
vi /etc/ocserv/ocserv.conf
Make the following changes:
# ocserv supports several authentication methods. This is the built-in password
# authentication; the password file is created with ocpasswd.
# ocserv also supports certificate authentication, and through Pluggable
# Authentication Modules (PAM) it can use RADIUS and other backends.
auth = "plain[/etc/ocserv/ocpasswd]"
# Comment out this line by prefixing it with #
#auth = "plain[./sample.passwd]"
# Maximum number of simultaneous sessions for the same user
max-same-clients = 10
# Certificate paths
server-cert = /etc/ssl/certs/server-cert.pem
server-key = /etc/ssl/private/server-key.pem
# Group to run as
run-as-group = nogroup
# IP range assigned to VPN clients
ipv4-network = 10.10.0.0
# DNS
dns = 8.8.8.8
dns = 8.8.4.4
# Comment out the route lines, which means all traffic is sent through the VPN
#route = 192.168.1.0/255.255.255.0
#route = 192.168.5.0/255.255.255.0
Change user-profile to user-profile = /etc/ocserv/profile.xml and uncomment cisco-client-compat = true.
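As an added example (not code from the original post), a small POSIX shell audit that checks an ocserv.conf for the edits listed above before the daemon is started: exactly one active auth line that is not the sample one, no active route lines (full tunnel), the profile and Cisco-compat settings applied, and the certificate and network keys present. The helper names, the /tmp path and the embedded sample configuration are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the original post: audit an ocserv.conf against the
# edits the post asks for before the daemon is started. Assumes POSIX sh, sed, awk, grep.

# Active settings only: strip comments, trailing whitespace and blank lines.
active_settings() {
    sed -e 's/#.*$//' -e 's/[[:space:]]*$//' "$1" | grep -v '^[[:space:]]*$'
}

# Print every active value of key $1 in file $2, one per line (dns and route may repeat).
setting() {
    active_settings "$2" | awk -F= -v k="$1" '{
        key = $1; gsub(/^[ \t]+|[ \t]+$/, "", key)
        if (key == k) { v = $0; sub(/^[^=]*=[ \t]*/, "", v); print v }
    }'
}

# Return 0 if the file matches the post's checklist; otherwise print each problem and return 1.
check_ocserv_conf() {
    conf=$1; rc=0
    n=$(setting auth "$conf" | wc -l | tr -d ' ')
    [ "$n" -eq 1 ] || { echo "expected one active auth line, found $n"; rc=1; }
    if setting auth "$conf" | grep -q 'sample.passwd'; then
        echo "the sample.passwd auth line is still active"; rc=1
    fi
    [ "$(setting cisco-client-compat "$conf")" = true ] || { echo "cisco-client-compat is not enabled"; rc=1; }
    [ "$(setting user-profile "$conf")" = /etc/ocserv/profile.xml ] || { echo "user-profile is not /etc/ocserv/profile.xml"; rc=1; }
    [ -z "$(setting route "$conf")" ] || { echo "route lines still active: split tunnel instead of all traffic via VPN"; rc=1; }
    for k in server-cert server-key ipv4-network dns; do
        [ -n "$(setting "$k" "$conf")" ] || { echo "$k is not set"; rc=1; }
    done
    return $rc
}

# Constructed sample of the relevant lines after the post's edits (not the shipped sample.config).
write_edited() {
cat > "$1" <<'EOF'
auth = "plain[/etc/ocserv/ocpasswd]"   # password auth via ocpasswd
#auth = "plain[./sample.passwd]"
max-same-clients = 10
server-cert = /etc/ssl/certs/server-cert.pem
server-key = /etc/ssl/private/server-key.pem
ipv4-network = 10.10.0.0
dns = 8.8.8.8
dns = 8.8.4.4
#route = 192.168.1.0/255.255.255.0
user-profile = /etc/ocserv/profile.xml
cisco-client-compat = true
EOF
}

write_edited /tmp/ocserv-example.conf && check_ocserv_conf /tmp/ocserv-example.conf && echo "config OK"
```

Run it against the real file with `check_ocserv_conf /etc/ocserv/ocserv.conf` after editing; any line it prints is a setting the post's checklist expects to look different.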
Run:
cp /usr/src/ocserv-0.8.1/doc/profile.xml /etc/ocserv/
Edit it as follows:
vi /etc/ocserv/profile.xml
Change HostAddress to your server's IP address and Hostname to your domain name.
Create a user:
ocpasswd -c /etc/ocserv/ocpasswd username
username is the user name you want to add.
Change the system configuration to allow forwarding:
vi /etc/sysctl.conf
net.ipv4.ip_forward=1  # change this line
sysctl -p
Modify the iptables rules:
vi /etc/iptables.firewall.rules
Add the following content:
*filter

# Allow all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
-A INPUT -i lo -j ACCEPT
-A INPUT -d 127.0.0.0/8 -j REJECT

# Accept all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow all outbound traffic - you can modify this to only allow certain traffic
-A OUTPUT -j ACCEPT

# Allow HTTP and HTTPS connections from anywhere (the normal ports for websites and SSL).
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p udp -m udp --dport 443 -j ACCEPT

# Allow SSH connections
#
# The -dport number should be the same port number you set in sshd_config
#
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT

# Allow ping
-A INPUT -p icmp -j ACCEPT

# Log iptables denied calls
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7

-A INPUT -j DROP

COMMIT
Edit:
vi /etc/rc.local
iptables -t nat -A POSTROUTING -j MASQUERADE
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
Add these two lines before the exit line to enable NAT.
Save the rules:
iptables-save >/etc/iptables-script
Configure the startup script:
vi /etc/init.d/ocserv
Add the following content:
#!/bin/sh
### BEGIN INIT INFO
# Provides:          ocserv
# Required-Start:    $remote_fs $syslog
# Required-Stop:     $remote_fs $syslog
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
### END INIT INFO

# Copyright Rene Mayrhofer, Gibraltar, 1999
# This script is distributed under the GPL

PATH=/bin:/usr/bin:/sbin:/usr/sbin
DAEMON=/usr/sbin/ocserv
PIDFILE=/var/run/ocserv.pid
DAEMON_ARGS="-c /etc/ocserv/ocserv.conf"

case "$1" in
    start)
        if [ ! -r $PIDFILE ]; then
            echo -n "Starting OpenConnect VPN Server Daemon: "
            start-stop-daemon --start --quiet --pidfile $PIDFILE --exec $DAEMON -- \
                $DAEMON_ARGS > /dev/null
            echo "ocserv."
        else
            echo -n "OpenConnect VPN Server is already running.\n\r"
            exit 0
        fi
        ;;
    stop)
        echo -n "Stopping OpenConnect VPN Server Daemon: "
        start-stop-daemon --stop --quiet --pidfile $PIDFILE --exec $DAEMON
        echo "ocserv."
        rm -f $PIDFILE
        ;;
    force-reload|restart)
        echo "Restarting OpenConnect VPN Server: "
        $0 stop
        sleep 1
        $0 start
        ;;
    status)
        if [ ! -r $PIDFILE ]; then
            # no pid file, process doesn't seem to be running correctly
            exit 3
        fi
        PID=`cat $PIDFILE | sed 's/ //g'`
        EXE=/proc/$PID/exe
        if [ -x "$EXE" ] && [ "`ls -l \"$EXE\" | cut -d'>' -f2,2 | cut -d' ' -f2,2`" = \
            "$DAEMON" ]; then
            # ok, process seems to be running
            exit 0
        elif [ -r $PIDFILE ]; then
            # process not running, but pidfile exists
            exit 1
        else
            # no lock file to check for, so simply return the stopped status
            exit 3
        fi
        ;;
    *)
        echo "Usage: /etc/init.d/ocserv {start|stop|restart|force-reload|status}"
        exit 1
        ;;
esac

exit 0
Run:
chmod 755 /etc/init.d/ocserv
update-rc.d ocserv defaults
/etc/init.d/ocserv restart
Test:
ocserv -c /etc/ocserv/ocserv.conf -f -d 1
Enter this command in the terminal to show which program is listening on port 443:
netstat -lnp|grep 443
If it shows ocserv, the test is successful.
Client usage:
Download the client and install it from anyconnect-win-3.0.11042-pre-deploy-k9.iso. Download address:
https://wget.5752.me/Computer/code/anyconnect-win-3.0.11042-pre-deploy-k9.iso?hash=LxzB3r5D&download=1
Import the client certificate: search for "cmd" in the Start menu, open it and type mmc (Microsoft Management Console). Choose "File" - "Add/Remove Snap-in" and add the "Certificates" snap-in; in the snap-in's pop-up window be sure to select "Computer account", then "Local computer", and confirm. Under "Console Root" on the left, select "Certificates" - "Personal", then on the right choose "More Actions" - "All Tasks" - "Import" to open the certificate import wizard. Select the client.cert.p12 file generated earlier. In the next step enter the private key password. In the next step choose "Personal" as the certificate store. After the import succeeds, cut the imported CA certificate and move it into the "Trusted Root Certification Authorities" certificate folder. Open the remaining personal certificate and check that it shows "You have a private key that corresponds to this certificate" and that "Certification Path" shows "This certificate is OK". Then close mmc; when prompted "Save console settings to Console1?", choose "No". The certificate import is now complete.