Compiling, installing and configuring ocserv on Linux
Our company has an ERP server in Guangzhou that also has to be used from Shanghai. ocserv (an OpenConnect/AnyConnect-compatible SSL VPN server) lets the Shanghai office reach it through an encrypted tunnel, which is far safer than exposing the ERP server directly.
Test system: CentOS 7 with IP address 192.168.0.5. ocserv's worker processes are run under the default unprivileged user and group nobody so that a compromised worker has as little to work with as possible; on Debian or Ubuntu the corresponding group is called nogroup.
Install the build dependencies on CentOS (several of these, such as the *_wrapper packages, haproxy, freeradius, nuttcp, lcov and tcpdump, are only used by ocserv's test suite, but they are harmless):
yum install epel-release -y
yum install -y gnutls-devel libev-devel
yum install -y pam-devel lz4-devel libseccomp-devel readline-devel
yum install -y libnl3-devel krb5-devel radcli-devel libcurl-devel cjose-devel
yum install -y jansson-devel protobuf-c-devel libtalloc-devel http-parser-devel
yum install -y protobuf-c gperf nuttcp lcov uid_wrapper pam_wrapper nss_wrapper
yum install -y socket_wrapper gssntlmssp haproxy iputils freeradius gawk
yum install -y gnutls-utils iproute yajl tcpdump
Install the build dependencies on Ubuntu or Debian:
apt-get install -y libgnutls28-dev libev-dev gnutls-bin
apt-get install -y libpam0g-dev liblz4-dev libseccomp-dev libreadline-dev
apt-get install -y libnl-route-3-dev libkrb5-dev libradcli-dev
apt-get install -y libcurl4-gnutls-dev libcjose-dev libjansson-dev libprotobuf-c-dev
apt-get install -y libtalloc-dev libhttp-parser-dev protobuf-c-compiler gperf
apt-get install -y nuttcp lcov libuid-wrapper libpam-wrapper libnss-wrapper
apt-get install -y libsocket-wrapper gss-ntlmssp haproxy iputils-ping freeradius
apt-get install -y gawk gnutls-bin iproute2 yajl-tools tcpdump gcc make make-guile
Download ocserv from the official site: https://www.infradead.org/ocserv/download/
wget https://www.infradead.org/ocserv/download/ocserv-1.1.3.tar.xz
tar Jxf ocserv-1.1.3.tar.xz
cd ocserv-1.1.3
./configure --prefix=/usr/local/ocserv
make && make install
This puts the server in /usr/local/ocserv/sbin/ocserv and the ocpasswd and occtl tools in /usr/local/ocserv/bin.
Copy profile.xml (the AnyConnect client profile that user-profile in the config refers to) to /usr/local/ocserv. The config below sets chroot-dir to /usr/local/ocserv, and user-profile is resolved relative to the chroot, which is why the file has to live there:
cp doc/profile.xml /usr/local/ocserv
Next, create the configuration. configure --prefix does not create an etc directory, so make one:
mkdir -p /usr/local/ocserv/etc
Create /usr/local/ocserv/etc/ocserv.conf with the following contents (lines beginning with # are comments):
# password authentication against the file created with ocpasswd below
auth = "plain[passwd=/usr/local/ocserv/etc/ocpasswd]"
# ocserv has no log-file option: it logs through syslog (on CentOS 7 see
# /var/log/messages or journalctl -u ocserv); 1 = basic, 2 = info, 3 = debug
log-level = 1
tcp-port = 15007
udp-port = 15007
# the worker processes drop to this user and group; use nogroup on Debian/Ubuntu
run-as-user = nobody
run-as-group = nobody
# relative paths such as socket-file and user-profile are resolved inside chroot-dir
socket-file = ocserv.sock
chroot-dir = /usr/local/ocserv
isolate-workers = true
max-clients = 16
# concurrent sessions allowed per account; 0 would mean unlimited
max-same-clients = 2
keepalive = 32400
dpd = 90
mobile-dpd = 1800
switch-to-tcp-timeout = 25
try-mtu-discovery = false
server-cert = /usr/local/ocserv/ssl/server-crt.pem
server-key = /usr/local/ocserv/ssl/server-key.pem
ca-cert = /usr/local/ocserv/ssl/ca-cert.pem
cert-user-oid = 0.9.2342.19200300.100.1.1
# the sample config shipped with ocserv additionally drops RSA key exchange
# (no forward secrecy) and RC4:
# "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-RSA:-VERS-SSL3.0:-ARCFOUR-128"
tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-VERS-SSL3.0"
auth-timeout = 240
min-reauth-time = 300
# failed logins add to a per-client score; 0 would disable banning
max-ban-score = 50
ban-reset-time = 300
cookie-timeout = 300
deny-roaming = false
rekey-time = 172800
rekey-method = ssl
use-occtl = true
pid-file = /var/run/ocserv.pid
device = vpns
predictable-ips = true
# placeholder: put your own name or domain here
default-domain = example.com
ping-leases = false
# both are needed for Cisco AnyConnect clients; dtls-legacy enables the
# pre-standard DTLS negotiation that AnyConnect expects
cisco-client-compat = true
dtls-legacy = true
user-profile = profile.xml
dns = 8.8.8.8
dns = 8.8.4.4
# address pool handed out to VPN clients
ipv4-network = 192.168.20.0
ipv4-netmask = 255.255.255.0
# only the networks listed here are pushed to clients (split tunnel);
# this is the office LAN the ERP server sits in
#route = 172.16.0.0/255.255.0.0
route = 192.168.0.0/255.255.255.0
ocserv does not write a log file of its own, so no log directory is needed; once the service below is in place its messages are visible with journalctl -u ocserv.
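An added example, not code from the original post: a small shell audit of the settings above. It parses ocserv.conf and reports options that leave the workers privileged, un-chrooted or un-isolated, a tls-priorities string without server precedence or with RSA key exchange still allowed (no forward secrecy), unlimited sessions per account, and disabled banning; it also warns when the plain password file sits inside chroot-dir, where a worker can reach it. The two sample configs it writes are constructed for illustration, and the checks and thresholds are my own choices rather than anything ocserv ships.

```shell
#!/bin/sh
# Added example, not part of the original post: a quick audit of an
# ocserv.conf for the hardening options used above (run-as-user,
# run-as-group, chroot-dir, isolate-workers, tls-priorities,
# max-same-clients, max-ban-score). Thresholds and the sample configs
# below are assumptions made for illustration.

# conf_get FILE KEY: print the value of KEY (the last occurrence wins;
# surrounding quotes and trailing comments are stripped). Empty if unset.
conf_get() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }
        {
            line = $0; sub(/[ \t]+#.*$/, "", line)
            n = index(line, "="); if (n == 0) next
            k = substr(line, 1, n - 1); v = substr(line, n + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            gsub(/^"|"$/, "", v)
            if (k == key) val = v
        }
        END { if (val != "") print val }' "$1"
}

# audit_conf FILE: one FAIL/WARN line per finding; always exits 0.
audit_conf() {
    f="$1"
    u=$(conf_get "$f" run-as-user); g=$(conf_get "$f" run-as-group)
    [ -n "$u" ] && [ "$u" != root ] || echo "FAIL run-as-user: workers would run as root"
    [ -n "$g" ] && [ "$g" != root ] || echo "FAIL run-as-group: workers would keep the root group"
    chroot=$(conf_get "$f" chroot-dir)
    [ -n "$chroot" ] || echo "FAIL chroot-dir: workers are not chrooted"
    [ "$(conf_get "$f" isolate-workers)" = true ] || echo "FAIL isolate-workers: seccomp isolation is off"
    prio=$(conf_get "$f" tls-priorities)
    case "$prio" in *%SERVER_PRECEDENCE*) ;; *) echo "FAIL tls-priorities: client chooses the cipher suite" ;; esac
    case "$prio" in *-RSA*) ;; *) echo "FAIL tls-priorities: RSA key exchange allowed (no forward secrecy)" ;; esac
    msc=$(conf_get "$f" max-same-clients)
    [ -n "$msc" ] && [ "$msc" -gt 0 ] 2>/dev/null || echo "FAIL max-same-clients: unlimited sessions per account"
    ban=$(conf_get "$f" max-ban-score)
    [ -n "$ban" ] && [ "$ban" -gt 0 ] 2>/dev/null || echo "FAIL max-ban-score: brute-force banning disabled"
    # A plain[passwd=...] file under chroot-dir is reachable from inside the
    # worker chroot; it must be readable by run-as-user but never writable.
    auth=$(conf_get "$f" auth)
    pw=${auth#*passwd=}; pw=${pw%%]*}
    if [ -n "$chroot" ]; then
        case "$auth" in *passwd=*)
            case "$pw" in "$chroot"/*) echo "WARN auth: $pw is inside chroot-dir; keep it root-owned, mode 640" ;; esac ;;
        esac
    fi
    return 0
}

# audit_count FILE: number of findings.
audit_count() { audit_conf "$1" | awk 'END { print NR }'; }

# write_conf_samples DIR: a weak config and the settings used in the post
# (constructed samples).
write_conf_samples() {
    cat > "$1/weak.conf" <<'EOF'
auth = "plain[passwd=/etc/ocserv/ocpasswd]"
tcp-port = 443
run-as-user = root
tls-priorities = "NORMAL"
max-same-clients = 0
max-ban-score = 0
EOF
    cat > "$1/page.conf" <<'EOF'
auth = "plain[passwd=/usr/local/ocserv/etc/ocpasswd]"
run-as-user = nobody
run-as-group = nobody
chroot-dir = /usr/local/ocserv
isolate-workers = true
max-same-clients = 2
tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-VERS-SSL3.0"
max-ban-score = 50
EOF
}

tmp=$(mktemp -d)
write_conf_samples "$tmp"
for c in weak page; do
    echo "== $c.conf: $(audit_count "$tmp/$c.conf") finding(s)"
    audit_conf "$tmp/$c.conf"
done
rm -rf "$tmp"
```

Run it against the real file with audit_conf /usr/local/ocserv/etc/ocserv.conf. The config from this post produces two lines: the missing -RSA in tls-priorities and the warning that ocpasswd lives inside the chroot, which is why the permissions step further down keeps that file root-owned.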
Next, create the CA and the server key and certificate.
mkdir -p /usr/local/ocserv/ssl
cd /usr/local/ocserv/ssl
certtool --generate-privkey --outfile ca-key.pem
Create a file ca.txt with the following contents (the cn is only a label for the CA; 36500 days is effectively forever, so the CA key has to be guarded accordingly):
cn = "your IP address"
organization = "your name"
serial = 1
expiration_days = 36500
ca
signing_key
cert_signing_key
crl_signing_key
Generate the CA certificate:
certtool --generate-self-signed --load-privkey ca-key.pem --template ca.txt --outfile ca-cert.pem
The CA key and certificate are done; now the server key and certificate. Create server.txt with:
cn = "your IP or domain name"
organization = "loshub.com"
expiration_days = 36500
signing_key
encryption_key
tls_www_server
# clients check the address they connect to against the subjectAltName, so
# add the one you will use, e.g. dns_name = "vpn.example.com" or ip_address = "192.168.0.5"
Generate the key and certificate:
certtool --generate-privkey --outfile server-key.pem
certtool --generate-certificate --load-privkey server-key.pem --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem --template server.txt --outfile server-crt.pem
Keep both private keys readable by root only; the CA key is needed only when issuing certificates and is best moved off the server afterwards:
chmod 600 ca-key.pem server-key.pem
Now set permissions on the etc directory. Because chroot-dir is /usr/local/ocserv, etc/ sits inside the worker chroot, so give the unprivileged user read access only rather than ownership of the whole tree (a worker must never be able to rewrite ocserv.conf or the password file):
chown -R root:nobody /usr/local/ocserv/etc
chmod 750 /usr/local/ocserv/etc
Create the password file, readable by the nobody group but writable only by root:
install -m 640 -o root -g nobody /dev/null /usr/local/ocserv/etc/ocpasswd
Create a user named loshub and enter its password when prompted (ocpasswd rewrites the file, so check with ls -l afterwards that it is still root-owned and mode 640):
/usr/local/ocserv/bin/ocpasswd -c /usr/local/ocserv/etc/ocpasswd loshub
Lock a user (logins are refused until it is unlocked):
/usr/local/ocserv/bin/ocpasswd -c /usr/local/ocserv/etc/ocpasswd -l loshub
Unlock a locked user:
/usr/local/ocserv/bin/ocpasswd -c /usr/local/ocserv/etc/ocpasswd -u loshub
Delete a user:
/usr/local/ocserv/bin/ocpasswd -c /usr/local/ocserv/etc/ocpasswd -d loshub
Open the ports and enable forwarding with firewalld (replace eth0 with the name of your LAN interface):
yum install firewalld -y
systemctl restart firewalld
systemctl enable firewalld
echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf && sysctl -p
firewall-cmd --add-port=15007/udp --permanent
firewall-cmd --add-port=15007/tcp --permanent
The next two rules NAT everything that leaves eth0, which means clients also browse the internet through the server's address:
firewall-cmd --permanent --add-masquerade
firewall-cmd --permanent --direct --passthrough ipv4 -t nat -A POSTROUTING -o eth0 -j MASQUERADE
If the VPN is only meant to reach the office LAN (the config above pushes just route 192.168.0.0/24 to clients), skip those two and NAT only the VPN client range instead, which is the safer choice:
firewall-cmd --permanent --direct --passthrough ipv4 -t nat -I POSTROUTING -o eth0 -j MASQUERADE -s 192.168.20.0/24
Apply whichever set you chose:
firewall-cmd --reload
With plain iptables (typically on CentOS 6):
echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf && sysctl -p
iptables -t nat -I POSTROUTING -s 192.168.20.0/24 -o eth0 -j MASQUERADE
iptables -I FORWARD -s 192.168.20.0/24 -j ACCEPT
iptables -I FORWARD -d 192.168.20.0/24 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -I INPUT -p tcp -m state --state NEW --dport 15007 -j ACCEPT
iptables -I INPUT -p udp -m state --state NEW --dport 15007 -j ACCEPT
service iptables save
service iptables restart
Note that the source network is the VPN client range 192.168.20.0/24 (ipv4-network above), not the office LAN 192.168.0.0/24, and that the rules are inserted with -I rather than appended with -A: the stock CentOS 6 ruleset ends both INPUT and FORWARD with a "-j REJECT" rule, so anything appended after it is never reached. The ESTABLISHED,RELATED rule on FORWARD lets replies from the LAN flow back to the clients.
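The -A pitfall and the VPN-range NAT, shown as an added shell example rather than code from the original post: dead_rules reads iptables-save output and lists every rule that sits behind an unconditional REJECT/DROP/ACCEPT in its chain, and ocserv_rules prints the rule set for a given client network, interface and port. The two sample rulesets are constructed (a stock CentOS 6 layout with the post's rules appended, and the same rules inserted in front), not captured from the author's server.

```shell
#!/bin/sh
# Added example, not from the original post: find iptables rules that can
# never match because an unconditional DROP/REJECT/ACCEPT precedes them in
# the same chain. That is exactly what happens when rules are appended with
# -A to a CentOS 6 ruleset whose INPUT and FORWARD chains end in "-j REJECT".
# Input is iptables-save output; the samples below are constructed.

# dead_rules FILE: print "<table> <rule>" for every unreachable rule.
dead_rules() {
    awk '
        /^\*/ { table = substr($0, 2); split("", term); next }   # new table
        /^-A / {
            chain = $2
            if (chain in term) { print table " " $0; next }
            # "-A CHAIN -j TARGET [--reject-with ...]" has no match options,
            # so it decides every packet that reaches it.
            if ($3 == "-j" && ($4 == "DROP" || $4 == "REJECT" || $4 == "ACCEPT"))
                term[chain] = 1
        }' "$1"
}

# dead_rule_count FILE: number of unreachable rules (always exits 0).
dead_rule_count() { dead_rules "$1" | awk 'END { print NR }'; }

# ocserv_rules VPN_NET LAN_IF PORT: the rules needed for ocserv, inserted
# with -I so they land in front of the distribution's REJECT rules, with
# NAT limited to the VPN client network.
ocserv_rules() {
    net="$1"; dev="$2"; port="$3"
    cat <<EOF
iptables -t nat -I POSTROUTING -s $net -o $dev -j MASQUERADE
iptables -I FORWARD -s $net -j ACCEPT
iptables -I FORWARD -d $net -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -I INPUT -p tcp -m state --state NEW --dport $port -j ACCEPT
iptables -I INPUT -p udp -m state --state NEW --dport $port -j ACCEPT
EOF
}

# write_rule_samples DIR: CentOS 6 style ruleset with rules appended after
# the REJECTs (appended.rules) and with them inserted in front (inserted.rules).
write_rule_samples() {
    cat > "$1/appended.rules" <<'EOF'
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.20.0/24 -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -s 192.168.20.0/24 -j ACCEPT
-A INPUT -p tcp -m state --state NEW --dport 15007 -j ACCEPT
-A INPUT -p udp -m state --state NEW --dport 15007 -j ACCEPT
COMMIT
EOF
    cat > "$1/inserted.rules" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p udp -m state --state NEW --dport 15007 -j ACCEPT
-A INPUT -p tcp -m state --state NEW --dport 15007 -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -d 192.168.20.0/24 -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -s 192.168.20.0/24 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

tmp=$(mktemp -d)
write_rule_samples "$tmp"
echo "unreachable rules in appended.rules:"; dead_rules "$tmp/appended.rules"
echo "unreachable rules in inserted.rules: $(dead_rule_count "$tmp/inserted.rules")"
rm -rf "$tmp"
```

On a live host run iptables-save > /tmp/rules && dead_rules /tmp/rules after service iptables save; if the 15007 rules show up as unreachable, the VPN port is closed no matter what the INPUT chain looks like at a glance.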
Test run in the foreground with debug level 1 (errors appear directly on the terminal; stop with Ctrl-C), and connect once from a client before turning it into a service:
/usr/local/ocserv/sbin/ocserv -c /usr/local/ocserv/etc/ocserv.conf -f -d 1
Add it to system startup: create /lib/systemd/system/ocserv.service with the following contents
[Unit]
Description=OpenConnect SSL VPN server
Documentation=man:ocserv(8)
After=syslog.target
After=network-online.target
After=dbus.service
[Service]
PrivateTmp=true
Type=simple
PIDFile=/var/run/ocserv.pid
ExecStart=/usr/local/ocserv/sbin/ocserv --pid-file /var/run/ocserv.pid --config /usr/local/ocserv/etc/ocserv.conf -f
ExecReload=/bin/kill -HUP $MAINPID
[Install]
WantedBy=multi-user.target
Reload systemd, enable and start the unit. systemctl enable creates the multi-user.target.wants symlink itself, so no manual ln -s is needed (a hand-made link would also have to be named ocserv.service, not ocserv):
systemctl daemon-reload
systemctl enable ocserv
systemctl start ocserv
On Windows, connect with the Cisco AnyConnect Secure Mobility Client (the OpenConnect GUI client works as well). Because the server certificate is signed by our own CA, import ca-cert.pem into the client machine's trusted root store; otherwise the client will warn about an untrusted server on every connection, and clicking through that warning defeats the certificate check entirely.
This article was written by @天边的云 and originally published on Loshub. Reproduction without permission is prohibited.