Building and configuring ocserv (OpenConnect server) on Debian
Why ocserv? Because ocserv is noticeably simpler to configure. When time permits I will put together material describing the other options. Before installing and configuring it, some background.
About ocserv
Official introduction: http://www.infradead.org/ocserv/index.html
OpenConnect VPN server, ocserv for short, is a GNU/Linux server that implements the AnyConnect SSL VPN protocol and is compatible with the OpenConnect VPN client. Its purpose is to be a small, secure and configurable VPN server that relies on standard protocols such as TLS 1.2 and Datagram TLS; the AnyConnect SSL VPN protocol is the closest protocol to meeting that standard.
ocserv environment
ocserv uses GnuTLS as its SSL library, so we need the backports repository to install a recent enough version. Details follow.
Add the backports repository
Shell command
echo "deb http://ftp.debian.org/debian wheezy-backports main contrib non-free" >> /etc/apt/sources.list
Update the package sources
apt-get update && apt-get upgrade -y
Install the dependencies
Shell command
apt-get -t wheezy-backports install gnutls-bin libgnutls28-dev libseccomp-dev -y
apt-get install openssl autogen gperf pkg-config make gcc m4 build-essential libgmp3-dev libwrap0-dev libpam0g-dev libdbus-1-dev libnl-route-3-dev libopts25-dev libnl-nf-3-dev libreadline-dev libpcl1-dev libtalloc-dev -y
Compiling ocserv
Download and then compile ocserv. The latest official release chosen here is 0.10.9, updated on 30 October.
Shell command
wget ftp://ftp.infradead.org/pub/ocserv/ocserv-0.10.9.tar.xz
tar Jxvf ocserv-0.10.9.tar.xz
cd ocserv-0.10.9
./configure --prefix=/usr --sysconfdir=/etc --enable-static
This reports an error:
configure: error: Package requirements (gnutls >= 3.1.10) were not met:
A newer package needs to be installed:
wget ftp://ftp.gnutls.org/gcrypt/gnutls/v3.2/gnutls-3.2.15.tar.xz
tar xvf gnutls-3.2.15.tar.xz
cd gnutls-3.2.15
./configure
Error:
configure: error:
***
*** Libnettle 2.7 was not found.
apt-cache search Libnettle
libnettle6 - low level cryptographic library (symmetric and one-way cryptos)
libnettle4 - low level cryptographic library (symmetric and one-way cryptos)
wget http://ftp.gnu.org/gnu/nettle/nettle-2.7.1.tar.gz
tar zxf nettle-2.7.1.tar.gz && cd nettle-2.7.1
./configure && make && make install
wget http://pkgs.fedoraproject.org/lookaside/pkgs/libnl3/libnl-3.2.24.tar.gz/md5/6e0e7bad0674749d930dd9f285343d55/libnl-3.2.24.tar.gz
tar xvf libnl-3.2.24.tar.gz
cd libnl-3.2.24
./configure && make && make install
cd ..
# back in gnutls-3.2.15: re-run ./configure now that nettle is installed, then build and install gnutls;
# afterwards return to ocserv-0.10.9 and run ./configure, make and make install there (the output below is from that ocserv install)
make && make install
Install location output:
make[4]: Entering directory '/root/ocserv-0.10.9/src'
/bin/mkdir -p '/usr/bin'
/usr/bin/install -c ocpasswd occtl '/usr/bin'
/bin/mkdir -p '/usr/sbin'
/usr/bin/install -c ocserv '/usr/sbin'
Creating certificates and templates
First the certificate files need to be created by hand. Personally I prefer to keep them all in one place, otherwise they are easy to lose track of.
3.1 Create a directory
Shell
mkdir cert
cd cert
3.2.1 Create the CA certificate
Create the file ca.tmpl
Shell command
vim ca.tmpl
Add the following content:
Vim
cn = "li5jun"
organization = "li5jun"
serial = 1
expiration_days = 3650
ca
signing_key
cert_signing_key
crl_signing_key
3.2.2 Generate the CA key and certificate
Shell
certtool --generate-privkey --outfile ca-key.pem
certtool --generate-self-signed --load-privkey ca-key.pem --template ca.tmpl --outfile ca-cert.pem
3.3.1 Generate the server certificate
Create the file server.tmpl
Shell command
vim server.tmpl
Add the following content. Note that www.li5jun.com must be replaced with your server's IP address or domain name:
Vim
cn = "www.li5jun.com"
organization = "li5jun"
serial = 2
expiration_days = 3650
encryption_key
signing_key
tls_www_server
If nettle and gnutls were installed under /usr/local, run the following commands to set the environment variables before running ./configure. Add these commands to the system startup as well.
export LD_LIBRARY_PATH=/usr/local/lib/:/usr/local/lib64/ NETTLE_CFLAGS="-I/usr/local/include/" NETTLE_LIBS="-L/usr/local/lib64/ -lnettle" HOGWEED_CFLAGS="-I/usr/local/include" HOGWEED_LIBS="-L/usr/local/lib64/ -lhogweed"
export LD_LIBRARY_PATH=/usr/local/lib/:/usr/local/lib64/ LIBGNUTLS_CFLAGS="-I/usr/local/include/" LIBGNUTLS_LIBS="-L/usr/local/lib/ -lgnutls" LIBNL3_CFLAGS="-I/usr/local/include" LIBNL3_LIBS="-L/usr/local/lib/ -lnl-3 -lnl-route-3"
3.3.2 Generate the server key and certificate
Shell
certtool --generate-privkey --outfile server-key.pem
certtool --generate-certificate --load-privkey server-key.pem --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem --template server.tmpl --outfile server-cert.pem
That completes certificate generation. These are self-signed certificates, so clients will warn that they are untrusted; settings for using a properly issued SSL certificate will be added later.
Next we need to store the certificate files. Create a few directories for later use.
Shell command:
mkdir /etc/ssl/selfsigned
mkdir /etc/ssl/selfsigned/certs
mkdir /etc/ssl/selfsigned/private
cp ca-cert.pem /etc/ssl/selfsigned/certs
cp ca-key.pem /etc/ssl/selfsigned/private
cp server-cert.pem /etc/ssl/selfsigned/certs
cp server-key.pem /etc/ssl/selfsigned/private
With the certificates taken care of, we move on to the configuration.
Configuring ocserv
Create the directory and copy the configuration file into /etc/ocserv. I kept a backup copy here; you can also copy it directly.
Shell
mkdir /etc/ocserv
cp ~/ocserv-0.10.9/doc/sample.config /etc/ocserv/
cp /etc/ocserv/sample.config /etc/ocserv/ocserv.conf
If you do not need a backup, copy it directly:
Shell
mkdir /etc/ocserv
cp ~/ocserv-0.10.9/doc/sample.config /etc/ocserv/ocserv.conf
Edit the configuration file
Shell
vim /etc/ocserv/ocserv.conf
Vim
# Authentication method; password login for now
auth = "plain[/etc/ocserv/ocpasswd]"
# Maximum number of clients connected at the same time
max-clients = 400
# Limit on parallel logins from the same client (0 means unlimited)
max-same-clients = 0
# IP address the service listens on (the server IP; may be left unset)
listen-host = 1.2.3.4
# TCP/UDP ports the service listens on (pick the numbers you like)
tcp-port = 443
udp-port = 443
# Automatically tune the VPN's network performance (MTU discovery)
try-mtu-discovery = true
# Make sure the server reads the user certificate correctly (user certificates are covered later)
cert-user-oid = 2.5.4.3
# Location of the server certificate and key
server-cert = /etc/ssl/selfsigned/certs/server-cert.pem
server-key = /etc/ssl/selfsigned/private/server-key.pem
# DNS servers used by clients after connecting
dns = 8.8.8.8
dns = 8.8.4.4
# Comment out every route so that all traffic goes through the VPN server
#route = 192.168.1.0/255.255.255.0
# Enable Cisco client compatibility
cisco-client-compat = true
If you have not changed any other settings, you can download the prepared configuration file with the following commands:
cd /etc/ocserv
wget --no-check-certificate https://ussoft.111cn.net/server/ocserv/bxl-ocserv/0.10.9/ocserv.conf
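As an added example (not from the original article), a POSIX shell check for an ocserv.conf built the way described above: it reads the config, confirms the ocpasswd file named in auth exists, that server-cert and server-key are readable with the key at mode 0600, and that the ports are valid. make_sample_conf builds a constructed config with two deliberate faults so it can be tried offline; the names conf_get, check_ocserv_conf and make_sample_conf are my own, not ocserv's.

```shell
# Added example, not from the original article: a sanity check for an
# ocserv.conf set up as described here (plain-password auth, self-signed
# certificates). Usage on the server: check_ocserv_conf /etc/ocserv/ocserv.conf

# conf_get KEY FILE: value of the first "KEY = value" line, quotes stripped,
# comment lines ignored.
conf_get() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" "$2" | head -n 1 | tr -d '"'
}

# check_ocserv_conf FILE: print one line per problem; return the problem count.
check_ocserv_conf() {
    conf=$1; n=0
    # auth = "plain[/path/to/ocpasswd]" -> the file ocpasswd writes must exist
    pw=$(conf_get auth "$conf" | sed -n 's/^plain\[\(.*\)\]$/\1/p')
    [ -n "$pw" ] && [ -r "$pw" ] || { echo "auth: password file '$pw' missing"; n=$((n+1)); }
    for key in server-cert server-key; do
        f=$(conf_get "$key" "$conf")
        [ -r "$f" ] || { echo "$key: '$f' not readable"; n=$((n+1)); continue; }
        # the private key must not be group- or world-readable
        if [ "$key" = server-key ] && [ "$(stat -c %a "$f")" != 600 ]; then
            echo "server-key: '$f' should be mode 0600"; n=$((n+1))
        fi
    done
    for key in tcp-port udp-port; do
        p=$(conf_get "$key" "$conf")
        case $p in ''|*[!0-9]*) p=0 ;; esac     # non-numeric -> invalid
        [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || { echo "$key: invalid value '$p'"; n=$((n+1)); }
    done
    return "$n"
}

# make_sample_conf DIR: constructed config and dummy cert files in DIR, with two
# deliberate faults: no ocpasswd file and a world-readable private key.
make_sample_conf() {
    printf 'dummy\n' > "$1/server-cert.pem"
    printf 'dummy\n' > "$1/server-key.pem"; chmod 644 "$1/server-key.pem"
    cat > "$1/ocserv.conf" <<EOF
# constructed sample, mirrors the settings used in the article
auth = "plain[$1/ocpasswd]"
tcp-port = 443
udp-port = 443
server-cert = $1/server-cert.pem
server-key = $1/server-key.pem
EOF
}
```

The check exits with the number of problems found, so it can be chained before starting the daemon in a script.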
iptables settings
Usually this is not needed, since iptables is disabled by default on Debian 6 and 7.
The first rule is for your TCP port, the second for your UDP port:
iptables -A INPUT -p tcp -m state --state NEW --dport 443 -j ACCEPT
iptables -A INPUT -p udp -m state --state NEW --dport 443 -j ACCEPT
Enable IPv4 forwarding
Shell
# -w changes the running kernel only; to keep it across reboots put net.ipv4.ip_forward=1 in /etc/sysctl.conf, which sysctl -p reloads
sysctl -w net.ipv4.ip_forward=1
sysctl -p
Enable NAT
Note: replace eth0 with the name of your own network interface; on OpenVZ it is usually venet0.
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
Automatically adjust the MTU
Shell
iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
ocserv users
Users are documented in detail in the configuration file; password and certificate login are supported, as is management through freeradius. A more detailed write-up will follow.
First, username and password login.
Create a user
ocpasswd username
username is the user you want to create; you are then asked to enter the account's password twice.
Debugging ocserv
Use this command to temporarily enable debug mode:
ocserv -c /etc/ocserv/ocserv.conf -f -d 1
ocserv improvements
Mainly some management improvements; other optimisations will be added later.
Create a service
vim /etc/init.d/ocserv
Add the following content:
#!/bin/sh
### BEGIN INIT INFO
# Provides:          ocserv
# Required-Start:    $remote_fs $syslog
# Required-Stop:     $remote_fs $syslog
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
### END INIT INFO
# Copyright Rene Mayrhofer, Gibraltar, 1999
# This script is distributed under the GPL

PATH=/bin:/usr/bin:/sbin:/usr/sbin
DAEMON=/usr/sbin/ocserv
# ocserv writes this file when pid-file is set in ocserv.conf
PIDFILE=/var/run/ocserv.pid
DAEMON_ARGS="-c /etc/ocserv/ocserv.conf"

case "$1" in
  start)
    if [ ! -r "$PIDFILE" ]; then
        echo -n "Starting OpenConnect VPN Server Daemon: "
        start-stop-daemon --start --quiet --pidfile "$PIDFILE" --exec "$DAEMON" -- \
            $DAEMON_ARGS > /dev/null
        echo "ocserv."
    else
        echo "OpenConnect VPN Server is already running."
        exit 0
    fi
    ;;
  stop)
    echo -n "Stopping OpenConnect VPN Server Daemon: "
    start-stop-daemon --stop --quiet --pidfile "$PIDFILE" --exec "$DAEMON"
    echo "ocserv."
    rm -f "$PIDFILE"
    ;;
  force-reload|restart)
    echo "Restarting OpenConnect VPN Server: "
    $0 stop
    sleep 1
    $0 start
    ;;
  status)
    if [ ! -r "$PIDFILE" ]; then
        # no pid file, process doesn't seem to be running correctly
        exit 3
    fi
    PID=$(sed 's/ //g' "$PIDFILE")
    EXE=/proc/$PID/exe
    # /proc/PID/exe is a symlink to the running binary; compare it with $DAEMON
    if [ -x "$EXE" ] && [ "$(readlink "$EXE")" = "$DAEMON" ]; then
        # ok, process seems to be running
        exit 0
    elif [ -r "$PIDFILE" ]; then
        # process not running, but pidfile exists
        exit 1
    else
        # no lock file to check for, so simply return the stopped status
        exit 3
    fi
    ;;
  *)
    echo "Usage: /etc/init.d/ocserv {start|stop|restart|force-reload|status}"
    exit 1
    ;;
esac

exit 0
Register the service and enable it at boot
chmod 755 /etc/init.d/ocserv
update-rc.d ocserv defaults
The service can then be managed with the following commands:
/etc/init.d/ocserv stop
/etc/init.d/ocserv start
/etc/init.d/ocserv restart
Installation and basic debugging are essentially complete; what remains is the user setup described above.
NOTE (libnl 3.2 installation layout)
There have been some changes starting with 3.2 regarding where and how libnl
is being installed on the system in order to allow multiple libnl versions
to be installed in parallel:
- Headers will be installed in ${prefix}/include/libnl3, therefore
  you will need to add "-I/usr/include/libnl3" to CFLAGS
- The library basename was renamed to libnl-3, i.e. the SO names become
  libnl-3.so, libnl-route-3.so, etc.
- libtool versioning was assumed, to ease detection of compatible library
  versions: libnl-3.so.CURRENT.REVISION.AGE where
  CURRENT := 100 * $MINOR_VERSION + $MICRO_VERSION
  REVISION := nth revision if API was unchanged
  AGE := nth revision that is backwards compatible.
If you are using pkg-config for detecting and linking against the library
things will continue magically as if nothing ever happened. If you are
linking manually you need to adapt your Makefiles or switch to using
pkg-config files.