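# Build and install ocserv 0.8.0 from source on Debian/Ubuntu.
#
# Build dependencies: toolchain plus GnuTLS, TCP wrappers, PAM, LZ4, seccomp,
# readline, libnl-route, Kerberos and http-parser development headers.
sudo apt-get install build-essential pkg-config libgnutls28-dev libwrap0-dev libpam0g-dev liblz4-dev libseccomp-dev libreadline-dev libnl-route-3-dev libkrb5-dev libhttp-parser-dev
# Unpack the release tarball. The result is installed and run as root, so
# check the tarball's signature/checksum against the upstream-published
# values before building.
tar -xpvJf ocserv-0.8.0.tar.xz
# The tarball unpacks into ocserv-0.8.0/; configure and build inside it
# (the original listing ran ./configure from the parent directory, where
# there is no configure script).
cd ocserv-0.8.0 || exit 1
./configure && make
sudo make install
# Create the config directory and start from the sample config shipped
# with the source tree (doc/sample.config).
sudo mkdir /etc/ocserv
sudo cp doc/sample.config /etc/ocserv/ocserv.conf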
# Authentication method; password (plain) login for now. The file is the
# one written by `ocpasswd -c /etc/ocserv/ocpasswd <user>`.
auth = "plain[/etc/ocserv/ocpasswd]"
# Number of clients allowed to be connected at the same time
max-clients = 4
# Limit on parallel logins by the same user
max-same-clients = 2
# TCP/UDP ports the service listens on (pick any numbers you like)
tcp-port = 9000
udp-port = 9001
# Automatically tune VPN network performance (MTU discovery)
try-mtu-discovery = true
# Server certificate and private key (/etc/xxx/ is a placeholder path);
# the key file should be readable only by root and the user ocserv runs as.
server-cert = /etc/xxx/my-server-cert.pem
server-key = /etc/xxx/my-server-key.pem
# DNS servers pushed to clients once connected
dns = 8.8.8.8
dns = 8.8.4.4
# Comment out every route so the server becomes the client's gateway
# (all client traffic goes through the VPN)
#route = 192.168.1.0/255.255.255.0
# Enable Cisco AnyConnect client compatibility
cisco-client-compat = true
# Recommended: raise cookie-timeout so clients can reconnect automatically
# after a network hiccup. Trade-off: a disconnected session stays resumable
# with its cookie for this many seconds (32400 s = 9 h).
cookie-timeout = 32400
# Heartbeat (dead-peer-detection) interval in seconds, used to detect the
# link state. On a PC with a stable network it can be raised (e.g. 600);
# on a poor network a large interval can, in extreme cases, leave a dead
# connection undetected for up to 599 s. Tune it to your own network.
dpd = 600
# DPD interval on mobile networks (usually poor quality, so 60 s keeps the
# connection stable; it wakes the phone more often and costs more battery
# than a larger interval — choose your own value).
mobile-dpd = 60
# VPN client subnet.
# NOTE(review): the MASQUERADE rule later in this tutorial uses
# 10.168.0.0/16, which does not contain this subnet; the two must match
# or client traffic will not be NATed.
ipv4-network = 10.8.0.0
ipv4-netmask = 255.255.255.0
# Create the password file referenced by auth = "plain[/etc/ocserv/ocpasswd]"
# and add the first user (-c names the password file; ocpasswd prompts for
# the password). The file holds the credentials ocserv checks, so keep it
# readable only by root and the user ocserv runs as.
sudo ocpasswd -c /etc/ocserv/ocpasswd your-username
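# Masquerade traffic from the VPN client subnet so clients reach the
# Internet through the server's public interface (venet0 here — use the
# interface that carries your default route).
#
# The source range must be the subnet configured by ipv4-network /
# ipv4-netmask in ocserv.conf (10.8.0.0/255.255.255.0 above). The original
# listing used 10.168.0.0/16, which does not contain that subnet and is far
# broader than the VPN needs.
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o venet0 -j MASQUERADE
# Persist the rule set so it can be restored at boot with iptables-restore.
iptables-save > /etc/iptables.rules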
#!/bin/sh
# Re-apply the iptables rule set saved with `iptables-save > /etc/iptables.rules`
# (the NAT/MASQUERADE rule for the VPN subnet), so the rules survive a reboot.
iptables-restore </etc/iptables.rules
# Let the kernel forward IPv4 packets between interfaces; without this the
# VPN clients' traffic cannot be routed (and NATed) out through the server.
net.ipv4.ip_forward=1
# Reload /etc/sysctl.conf so the ip_forward setting takes effect immediately.
sudo sysctl -p
# Run ocserv in the foreground (-f) with debug level 1 (-d 1) to check the
# configuration interactively before installing it as a boot-time service.
sudo ocserv -f -d 1
#! /bin/sh
### BEGIN INIT INFO
# Provides:          ocserv
# Required-Start:    $remote_fs $syslog
# Required-Stop:     $remote_fs $syslog
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: OpenConnect SSL VPN daemon
### END INIT INFO

# LSB init script for a source-built ocserv (/usr/local/sbin/ocserv).
# Deliberately no "set -e": the LSB helpers below rely on non-zero returns.

# PATH should only include /usr/* if it runs after the mountnfs.sh script
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/usr/sbin:/bin:/usr/bin
DESC="OpenConnect SSL VPN daemon"
NAME=ocserv
DAEMON="/usr/local/sbin/$NAME"
DAEMON_ARGS="-c /etc/ocserv/ocserv.conf"
PIDFILE="/var/run/$NAME.pid"
SCRIPTNAME="/etc/init.d/$NAME"

# Nothing to do if the binary is not installed.
[ -x "$DAEMON" ] || exit 0

# Optional per-host overrides (e.g. DAEMON_ARGS).
[ -r "/etc/default/$NAME" ] && . "/etc/default/$NAME"

# VERBOSE and the other rcS settings.
. /lib/init/vars.sh

# log_daemon_msg / log_end_msg / status_of_proc; needs lsb-base >= 3.2-14.
. /lib/lsb/init-functions

#######################################
# Start the daemon.
# Returns: 0 started, 1 already running, 2 could not be started
#######################################
do_start() {
  # --test probes without starting; a non-zero status means it already runs.
  start-stop-daemon --start --quiet --pidfile "$PIDFILE" --exec "$DAEMON" --test >/dev/null \
    || return 1
  # shellcheck disable=SC2086 — DAEMON_ARGS is intentionally word-split.
  start-stop-daemon --start --quiet --pidfile "$PIDFILE" --exec "$DAEMON" -- $DAEMON_ARGS \
    || return 2
  # Give the daemon a moment to become ready before dependent services start.
  sleep 1
}

#######################################
# Stop the daemon.
# Returns: 0 stopped, 1 already stopped, 2 could not be stopped,
#          other on failure
#######################################
do_stop() {
  # Stop the process matched by name "$NAME-main", escalating TERM -> KILL.
  start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 --pidfile "$PIDFILE" --name "$NAME-main"
  RETVAL="$?"
  if [ "$RETVAL" = 2 ]; then
    return 2
  fi
  # Also reap any remaining processes running the daemon binary (e.g.
  # forked children), since only this script ever starts the daemon.
  start-stop-daemon --stop --quiet --oknodo --retry=0/30/KILL/5 --exec "$DAEMON"
  if [ "$?" = 2 ]; then
    return 2
  fi
  # The daemon may not remove its own pidfile on exit.
  rm -f -- "$PIDFILE"
  return "$RETVAL"
}

#######################################
# Ask the daemon to re-read its configuration (SIGHUP).
# NOTE(review): do_stop matches the process as "$NAME-main" while this
# uses "$NAME"; confirm which name the running main process reports.
#######################################
do_reload() {
  start-stop-daemon --stop --signal 1 --quiet --pidfile "$PIDFILE" --name "$NAME"
  return 0
}

case "$1" in
  start)
    [ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC" "$NAME"
    do_start
    case "$?" in
      0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
      2)   [ "$VERBOSE" != no ] && log_end_msg 1 ;;
    esac
    ;;
  stop)
    [ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$NAME"
    do_stop
    case "$?" in
      0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
      2)   [ "$VERBOSE" != no ] && log_end_msg 1 ;;
    esac
    ;;
  status)
    status_of_proc "$DAEMON" "$NAME" && exit 0 || exit $?
    ;;
  #reload|force-reload)
    # Left disabled: 'force-reload' stays an alias for 'restart' until
    # do_reload() is confirmed to work.
    #log_daemon_msg "Reloading $DESC" "$NAME"
    #do_reload
    #log_end_msg $?
    #;;
  restart|force-reload)
    # If "reload" is ever enabled, drop the 'force-reload' alias here.
    log_daemon_msg "Restarting $DESC" "$NAME"
    do_stop
    case "$?" in
      0|1)
        do_start
        case "$?" in
          0) log_end_msg 0 ;;
          1) log_end_msg 1 ;; # old process is still running
          *) log_end_msg 1 ;; # failed to start
        esac
        ;;
      *)
        # failed to stop
        log_end_msg 1
        ;;
    esac
    ;;
  *)
    echo "Usage: $SCRIPTNAME {start|stop|status|restart|force-reload}" >&2
    exit 3
    ;;
esac

:
# Register the init script so ocserv starts at boot in the default runlevels.
sudo update-rc.d ocserv defaults
# Runtime libraries (GnuTLS, libnl-route, http-parser) — presumably what the
# prebuilt package offered below needs, as opposed to the -dev packages
# required for building from source.
sudo apt-get install libgnutls28 libnl-route-3-200 libhttp-parser2.1
已经编译好的软件包:
结束。
PS:启用证书认证:修改以下内容
# 改为证书登陆,注释掉原来的登陆模式
auth = "certificate"
# 证书认证不支持这个选项,注释掉这行
#listen-clear-file = /var/run/ocserv-conn.socket
# 启用证书验证
ca-cert = /etc/ssl/private/my-ca-cert.pem

其实命令行生成证书麻烦的一塌糊涂,推荐大家使用xca来进行证书生成。
注意,ocserv证书认证原理和openvpn一样,但是openvpn生成的证书不能在ocserv上面使用,需要重新生成证书。
####2015-10-15更新####
我为了no-route功能特意升级到了最新的0.10.9版本,结果还是不能排除指定路由,这里发一下最新版的ocserv
使用的方法和上面一样,不过需要多安装一个libseccomp2软件包
登录验证根据配置文件样本修改一下就行了,注意如果想要同时启用证书和密码登录的话要这样设置:
# Enable password login.
# NOTE(review): this path differs from /etc/ocserv/ocpasswd used earlier in
# the tutorial; point it at the file ocpasswd actually wrote.
auth = "plain[passwd=/etc/ocserv/passwd]"
# Additionally enable certificate login (both methods accepted)
enable-auth = "certificate"
然后把配置文件中关于证书的这个选项修改一下
# OID of the client-certificate field that supplies the user name;
# 2.5.4.3 is commonName (CN).
cert-user-oid = 2.5.4.3
ocserv0.10.9版本: