安装配置OpenConnect VPN server AnyConnect (ocserv)

安装openconnect(ocserv)     (以下安装适用于Debian 7+ )

追加软件源:

# Enable wheezy-backports so the newer GnuTLS headers (libgnutls28-dev) can be installed.
printf '%s\n' "deb http://ftp.debian.org/debian wheezy-backports main contrib non-free" >> /etc/apt/sources.list

更新源:

# Refresh the package index so the backports entry just added becomes visible.
apt-get update

更新linux系统:

# Upgrade installed packages; -u is the short form of --show-upgraded.
apt-get upgrade -u

安装依赖包:

# Build dependencies: GnuTLS 3.x comes from backports, everything else from the main archive.
apt-get --target-release wheezy-backports install libgnutls28-dev
apt-get install --yes libgmp3-dev m4 gcc pkg-config make gnutls-bin
apt-get install build-essential libwrap0-dev libpam0g-dev libdbus-1-dev \
  libreadline-dev libnl-route-3-dev libprotobuf-c0-dev libpcl1-dev \
  libopts25-dev autogen libseccomp-dev

下载安装Ocserv:

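# Fetch and build ocserv from source. The steps are chained with && so a
# failed cd, download or configure does not go on to run "make install"
# from the wrong directory.
# NOTE(review): the tarball is fetched over unauthenticated FTP; compare it
# against the signature/checksum published upstream before extracting it.
cd /usr/src \
  && wget ftp://ftp.infradead.org/pub/ocserv/ocserv-0.8.1.tar.xz \
  && tar Jxvf ocserv-0.8.1.tar.xz \
  && cd ocserv-0.8.1 \
  && ./configure --prefix=/usr --sysconfdir=/etc \
  && make \
  && make install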

返回到root文件夹下:

# Back to root's home directory; the key and certificate files below are written here.
cd ~

生成CA证书:

# Private CA: generate its key, then self-sign a certificate from the template.
# NOTE(review): ca-key.pem signs every server and client certificate issued
# below; it is written to the current directory with whatever mode certtool
# and the umask give it — keep it out of reach of other users.
certtool --outfile ca-key.pem --generate-privkey
# Quoted delimiter: the template is literal, nothing in it is expanded.
cat > ca.tmpl <<'_EOF_'

cn = "vpn CA"
organization = "vpn Corp"
serial = 1
expiration_days = 999
ca
signing_key
cert_signing_key
crl_signing_key
_EOF_

certtool --generate-self-signed --template ca.tmpl --load-privkey ca-key.pem --outfile ca-cert.pem

生成本地服务器证书:

# Server key and certificate, signed by the CA created above.
# The cn is presumably the name clients connect to — keep it in sync with
# the Hostname set in profile.xml later on.
certtool --outfile server-key.pem --generate-privkey
cat > server.tmpl <<'_EOF_'

cn = "vpn.5752.me"
organization = "vpn"
serial = 2
expiration_days = 999
signing_key
encryption_key
tls_www_server
_EOF_

certtool --generate-certificate --template server.tmpl \
  --load-privkey server-key.pem \
  --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem \
  --outfile server-cert.pem

生成客户端证书:

# Client key and certificate (tls_www_client), signed by the same CA.
certtool --outfile user-key.pem --generate-privkey
cat > user.tmpl <<'_EOF_'

cn = "vpn"
unit = "admins"
serial = 1824
expiration_days = 999
signing_key
tls_www_client
_EOF_

certtool --generate-certificate --template user.tmpl \
  --load-privkey user-key.pem \
  --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem \
  --outfile user-cert.pem

生成可在windows中可导入的p12格式的证书:

# Bundle the client key, client certificate and CA certificate into a PKCS#12 file
# for import on Windows. openssl prompts for an export password; the bundle holds
# the client's private key, so leaving the password empty means anyone who obtains
# client.cert.p12 can use that identity.
openssl pkcs12 -export \
  -in user-cert.pem -inkey user-key.pem -name "vpnclient" \
  -certfile ca-cert.pem -caname "vpn CA" \
  -out client.cert.p12

会提示设置证书密码,也可以不设置直接回车即可

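# Install the certificates and keys where ocserv.conf expects them.
cp ca-cert.pem /etc/ssl/certs
cp ca-key.pem /etc/ssl/private
cp server-cert.pem /etc/ssl/certs
cp server-key.pem /etc/ssl/private
# cp creates the copies with the current umask (commonly 0644); private keys
# must not be readable by other users on the host.
chmod 600 /etc/ssl/private/ca-key.pem /etc/ssl/private/server-key.pem
# NOTE(review): the ocserv.conf settings shown on this page reference only
# server-cert/server-key; the CA private key is only needed on this host while
# certificates are being issued.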

配置文件:

# Seed /etc/ocserv with the sample configuration shipped in the source tree.
mkdir -- /etc/ocserv
cp -- /usr/src/ocserv-0.8.1/doc/sample.config /etc/ocserv/
mv -- /etc/ocserv/sample.config /etc/ocserv/ocserv.conf

编辑配置文件:

# Open the copied sample config; the settings to change are listed below.
vi /etc/ocserv/ocserv.conf

修改如下:

auth = "plain[/etc/ocserv/ocpasswd]"
#ocserv支持多种认证方式,这是自带的密码认证,使用ocpasswd创建密码文件
#ocserv还支持证书认证,可以通过Pluggable Authentication Modules (PAM)使用radius等认证方式

auth = "plain[./sample.passwd]"   #在行首加上#注释掉这一行

#同一个用户最多同时登陆数
max-same-clients = 10 

#证书路径
server-cert = /etc/ssl/certs/server-cert.pem
server-key = /etc/ssl/private/server-key.pem

#运行组
run-as-group = nogroup

#分配给VPN客户端的IP段
ipv4-network = 10.10.0.0

#DNS
dns = 8.8.8.8
dns = 8.8.4.4

#注释掉route的字段,这样表示所有流量都通过 VPN 发送
#route = 192.168.1.0/255.255.255.0
#route = 192.168.5.0/255.255.255.0

user-profile改为user-profile = /etc/ocserv/profile.xml
并且去掉cisco-client-compat = true的注释

运行:

# Install the sample AnyConnect client profile referenced by user-profile in ocserv.conf.
cp -- /usr/src/ocserv-0.8.1/doc/profile.xml /etc/ocserv/

编辑如下:

# Edit the profile: set HostAddress to the server IP and Hostname to its DNS name.
vi /etc/ocserv/profile.xml

修改HostAddress为你的服务器IP地址,Hostname为你的域名

创建用户:

# Create (or update) a VPN user in the plain-auth password file; the password is
# prompted for interactively rather than passed on the command line.
ocpasswd --passwd /etc/ocserv/ocpasswd username

username为你要添加的用户名

修改系统配置,允许转发:

# Enable IPv4 forwarding so packets from VPN clients can be routed onward.
vi /etc/sysctl.conf
net.ipv4.ip_forward=1 # change this line
# Apply the new sysctl settings without rebooting.
sysctl -p

修改 iptables 规则:

# Write the filter rules below into this file (iptables-restore format).
# NOTE(review): nothing shown on this page loads this file; a matching
# iptables-restore step is needed for the rules to take effect.
vi /etc/iptables.firewall.rules

加入如下内容:

*filter

#  Allow all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
-A INPUT -i lo -j ACCEPT
-A INPUT -d 127.0.0.0/8 -j REJECT

#  Accept all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

#  Allow all outbound traffic - you can modify this to only allow certain traffic
-A OUTPUT -j ACCEPT

#  Allow HTTP and HTTPS connections from anywhere (the normal ports for websites and SSL).
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p udp -m udp --dport 443 -j ACCEPT
#  Allow SSH connections
#
#  The -dport number should be the same port number you set in sshd_config
#
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT

#  Allow ping
-A INPUT -p icmp -j ACCEPT

#  Log iptables denied calls
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7

-A INPUT -j DROP

COMMIT

编辑:

# Add the two iptables lines below to rc.local, before its final exit.
vi /etc/rc.local

# Placed before the final "exit" in /etc/rc.local so NAT is set up at boot.
# NOTE(review): this masquerades every forwarded packet regardless of source or
# interface; adding -s <vpn-subnet> and -o <wan-interface> would limit it to
# VPN client traffic.
iptables --table nat --append POSTROUTING --jump MASQUERADE
# Clamp the TCP MSS on forwarded SYNs to the path MTU.
iptables --append FORWARD --protocol tcp --tcp-flags SYN,RST SYN --jump TCPMSS --clamp-mss-to-pmtu

在exit前面加上这句来开启NAT

保存规则:

# Snapshot the live rule set. This is a different file from
# /etc/iptables.firewall.rules edited above, and it is only useful if
# something later feeds it back to iptables-restore.
iptables-save >/etc/iptables-script

配置启动文件:

# Create the SysV init script with the content below.
vi  /etc/init.d/ocserv

加入如下内容:

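#!/bin/sh
### BEGIN INIT INFO
# Provides:          ocserv
# Required-Start:    $remote_fs $syslog
# Required-Stop:     $remote_fs $syslog
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
### END INIT INFO
# Copyright Rene Mayrhofer, Gibraltar, 1999
# This script is distributed under the GPL
#
# SysV init script for the OpenConnect VPN server (ocserv).
# Usage: /etc/init.d/ocserv {start|stop|restart|force-reload|status}
# "status" exits 0 (running), 1 (pid file present but process gone) or
# 3 (not running).

PATH=/bin:/usr/bin:/sbin:/usr/sbin
DAEMON=/usr/sbin/ocserv
PIDFILE=/var/run/ocserv.pid
# Holds several words; it is deliberately expanded unquoted where used.
DAEMON_ARGS="-c /etc/ocserv/ocserv.conf"

case "$1" in
  start)
    if [ ! -r "$PIDFILE" ]; then
      printf '%s' "Starting OpenConnect VPN Server Daemon: "
      # shellcheck disable=SC2086
      start-stop-daemon --start --quiet --pidfile "$PIDFILE" --exec "$DAEMON" -- \
        $DAEMON_ARGS > /dev/null
      echo "ocserv."
    else
      # The original message ended in a stray "\n\r" escape; print a plain line.
      printf '%s\n' "OpenConnect VPN Server is already running."
      exit 0
    fi
    ;;
  stop)
    printf '%s' "Stopping OpenConnect VPN Server Daemon: "
    start-stop-daemon --stop --quiet --pidfile "$PIDFILE" --exec "$DAEMON"
    echo "ocserv."
    rm -f -- "$PIDFILE"
    ;;
  force-reload|restart)
    echo "Restarting OpenConnect VPN Server: "
    "$0" stop
    sleep 1
    "$0" start
    ;;
  status)
    if [ ! -r "$PIDFILE" ]; then
      # no pid file, process doesn't seem to be running correctly
      exit 3
    fi
    # Strip blanks, then reject anything that is not a bare decimal pid so a
    # corrupt pid file cannot turn into an arbitrary /proc path.
    PID=$(tr -d ' ' < "$PIDFILE")
    case "$PID" in
      ''|*[!0-9]*) exit 1 ;;
    esac
    EXE=/proc/$PID/exe
    # /proc/<pid>/exe is a symlink to the running binary; compare its target
    # with $DAEMON directly instead of parsing "ls -l" output.
    if [ -x "$EXE" ] && [ "$(readlink "$EXE")" = "$DAEMON" ]; then
      # ok, process seems to be running
      exit 0
    elif [ -r "$PIDFILE" ]; then
      # process not running, but pidfile exists
      exit 1
    else
      # no lock file to check for, so simply return the stopped status
      exit 3
    fi
    ;;
  *)
    echo "Usage: /etc/init.d/ocserv {start|stop|restart|force-reload|status}" >&2
    exit 1
    ;;
esac

exit 0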

运行:

# Make the init script executable, register it for the default runlevels, then (re)start the daemon.
chmod u=rwx,go=rx /etc/init.d/ocserv
update-rc.d ocserv defaults
/etc/init.d/ocserv restart

测试:

# Run ocserv in the foreground with debug output to confirm the configuration loads.
ocserv --config /etc/ocserv/ocserv.conf --foreground --debug 1

在终端输入以下命令,查看443端口被哪个程序占用:

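# List listening sockets and keep only those bound to port 443. A bare
# "grep 443" also matches any PID or address that merely contains 443.
netstat -lnp | grep ':443 '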

如果显示的是ocserv,说明测试正常

客户端使用:

下载客户端,使用anyconnect-win-3.0.11042-pre-deploy-k9.iso安装客户端,下载地址:http://pan.baidu.com/s/1ntIBKGp

导入客户端证书,开始菜单搜索“cmd”,打开后输入 mmc(Microsoft 管理控制台),“文件”-“添加/删除管理单元”,添加“证书”单元,证书单元的弹出窗口中一定要选“计算机账户”,之后选“本地计算机”,确定。在左边的“控制台根节点”下选择“证书”-“个人”,然后选右边的“更多操作”-“所有任务”-“导入”打开证书导入窗口。选择刚才生成的 client.cert.p12 文件。下一步输入私钥密码。下一步“证书存储”选“个人”,导入成功后,把导入的 CA 证书剪切到“受信任的根证书颁发机构”的证书文件夹里面,打开剩下的那个私人证书,看一下有没有显示“您有一个与该证书对应的私钥”,以及“证书路径”下面是不是显示“该证书没有问题”然后关闭 mmc,提示“将控制台设置存入控制台1吗”,选“否”即可,至此,证书导入完成。


