Compiling ocserv on CentOS 6

CentOS 7 can install it directly with yum from the EPEL repository.
Install the build environment and dependencies; if some of the packages cannot be found, enable the EPEL repository first.
yum install pam-devel readline-devel http-parser-devel unbound gmp-devel
yum install tar gzip xz wget gcc make autoconf
ocserv build dependencies: ocserv needs GnuTLS 3 or later, and GnuTLS depends on nettle (2.7.1 here):
wget ftp://ftp.gnu.org/gnu/nettle/nettle-2.7.1.tar.gz
tar zxvf nettle-2.7.1.tar.gz
cd nettle-2.7.1/
./configure --prefix=/usr/local/nettle
make && make install
echo '/usr/local/nettle/lib64/' > /etc/ld.so.conf.d/nettle.conf
ldconfig
Install gnutls 3.3.9:
export NETTLE_CFLAGS="-I/usr/local/nettle/include/"
export NETTLE_LIBS="-L/usr/local/nettle/lib64/ -lnettle"
export HOGWEED_LIBS="-L/usr/local/nettle/lib64/ -lhogweed"
export HOGWEED_CFLAGS="-I/usr/local/nettle/include"
wget ftp://ftp.gnutls.org/gcrypt/gnutls/v3.3/gnutls-3.3.9.tar.xz
tar xvf gnutls-3.3.9.tar.xz
cd gnutls-3.3.9/
./configure --prefix=/usr/local/gnutls
make && make install
ln -s /usr/local/gnutls/bin/certtool /usr/bin/certtool
echo '/usr/local/gnutls/lib/' > /etc/ld.so.conf.d/gnutls.conf
ldconfig
Install libnl:
yum install bison flex
wget http://www.carisma.slowglass.com/~tgr/libnl/files/libnl-3.2.24.tar.gz
tar xvf libnl-3.2.24.tar.gz
cd libnl-3.2.24
./configure --prefix=/usr/local/libnl
make && make install
echo '/usr/local/libnl/lib/' > /etc/ld.so.conf.d/libnl.conf
ldconfig
Install ocserv:
export LIBNL3_CFLAGS="-I/usr/local/libnl/include/libnl3"
export LIBNL3_LIBS="-L/usr/local/libnl/lib/ -lnl-3 -lnl-route-3"
export LIBGNUTLS_LIBS="-L/usr/local/gnutls/lib/ -lgnutls"
export LIBGNUTLS_CFLAGS="-I/usr/local/gnutls/include/"
wget ftp://ftp.infradead.org/pub/ocserv/ocserv-0.9.0.1.tar.xz
tar xvf ocserv-0.9.0.1.tar.xz
cd ocserv-0.9.0
./configure --prefix=/usr/local/ocserv
make && make install
echo 'export PATH=$PATH:/usr/local/ocserv/sbin/:/usr/local/ocserv/bin/' >> $HOME/.bashrc
source $HOME/.bashrc
Generate the SSL certificates:
mkdir /etc/ocserv/
cd /etc/ocserv
#CA private key:
certtool --generate-privkey --outfile ca-key.pem
#CA template:
cat << EOF > ca.tmpl
cn = "www.haiyun.me"
organization = "www.haiyun.me"
serial = 1
expiration_days = 3650
ca
signing_key
cert_signing_key
crl_signing_key
EOF
#CA certificate:
certtool --generate-self-signed --load-privkey ca-key.pem --template ca.tmpl --outfile ca-cert.pem

#Server private key:
certtool --generate-privkey --outfile server-key.pem
#Server certificate template:
cat << EOF > server.tmpl
cn = "www.haiyun.me"
organization = "www.haiyun.me"
expiration_days = 3650
signing_key
encryption_key
tls_www_server
EOF

#Server certificate:
certtool --generate-certificate --load-privkey server-key.pem --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem --template server.tmpl --outfile server-cert.pem
Password login: generate the password file:
ocpasswd -c /etc/ocserv/passwd username
Certificate login:
#user private key
certtool --generate-privkey --outfile user-key.pem
#user template
cat << EOF > user.tmpl
cn = "some random name"
unit = "some random unit"
expiration_days = 365
signing_key
tls_www_client
EOF
#user certificate
certtool --generate-certificate --load-privkey user-key.pem --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem --template user.tmpl --outfile user-cert.pem
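The certtool steps above wrapped into a script, as an added example (this is not code from the original post): generate_vpn_pki creates the CA, the server certificate and one client certificate the same way, but adds a dns_name subjectAltName to the server certificate (clients that ignore the CN need it), creates every private key with mode 0600, and verify_vpn_pki checks that both leaf certificates chain to the CA before anything is copied into ocserv's configuration. The hostname vpn.example.com and the client name user1 are placeholders.

```shell
#!/bin/sh
# Added example; not code from the original post. Wraps the certtool workflow
# above: CA, server certificate (with a dns_name SAN) and one client
# certificate, private keys created mode 0600, then a chain check.
# Assumptions: GnuTLS certtool on PATH; hostname and user name are placeholders.

gen_key() {   # RSA private key; the umask makes certtool create the file 0600
    ( umask 077; certtool --generate-privkey --bits 3072 --outfile "$1" >/dev/null 2>&1 )
}

sign_cert() { # $1 key, $2 template, $3 output: sign with the CA in the current directory
    certtool --generate-certificate --load-privkey "$1" --template "$2" \
        --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem \
        --outfile "$3" >/dev/null 2>&1
}

# $1 = output directory, $2 = hostname clients connect to, $3 = client name (default user1)
generate_vpn_pki() (
    mkdir -p "$1" && cd "$1" || return 1
    host=$2; user=${3:-user1}
    gen_key ca-key.pem || return 1
    cat > ca.tmpl <<EOF
cn = "$host CA"
organization = "$host"
serial = 1
expiration_days = 3650
ca
signing_key
cert_signing_key
crl_signing_key
EOF
    certtool --generate-self-signed --load-privkey ca-key.pem --template ca.tmpl \
        --outfile ca-cert.pem >/dev/null 2>&1 || return 1
    gen_key server-key.pem || return 1
    cat > server.tmpl <<EOF
cn = "$host"
organization = "$host"
dns_name = "$host"
expiration_days = 730
signing_key
encryption_key
tls_www_server
EOF
    sign_cert server-key.pem server.tmpl server-cert.pem || return 1
    gen_key user-key.pem || return 1
    cat > user.tmpl <<EOF
cn = "$user"
unit = "vpn users"
expiration_days = 365
signing_key
tls_www_client
EOF
    sign_cert user-key.pem user.tmpl user-cert.pem
)

# $1 = directory written by generate_vpn_pki. Fails unless both leaf certificates
# verify against the CA and the CA key (which signs every client certificate
# ocserv will trust) is mode 0600.
verify_vpn_pki() {
    for leaf in server-cert.pem user-cert.pem; do
        certtool --verify --load-ca-certificate "$1/ca-cert.pem" --infile "$1/$leaf" \
            >/dev/null 2>&1 || return 1
    done
    [ -n "$(find "$1/ca-key.pem" -perm 600)" ] || return 1
}

# Usage: generate_vpn_pki /etc/ocserv vpn.example.com user1 && verify_vpn_pki /etc/ocserv
```

The verify step is the same chain check a client performs when it is given the CA with --cafile, so a failure here means clients will not trust the server either; fix it before pointing server-cert/server-key at the files.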
Configuration file (/etc/ocserv/ocserv.conf):
auth = "plain[/etc/ocserv/passwd]"
#certificate authentication
#auth = "certificate"
ca-cert = /etc/ocserv/ca-cert.pem
max-clients = 16
max-same-clients = 2
tcp-port = 5551
udp-port = 5551
keepalive = 32400
try-mtu-discovery = true
cisco-client-compat = true
server-cert = /etc/ocserv/server-cert.pem
server-key = /etc/ocserv/server-key.pem
auth-timeout = 40
pid-file = /var/run/ocserv.pid
socket-file = /var/run/ocserv-socket
run-as-user = nobody
run-as-group = daemon
device = vpns
ipv4-network = 192.168.1.0
ipv4-netmask = 255.255.255.0
route = 192.168.1.0/255.255.255.0
Start ocserv:
ocserv -f -c /etc/ocserv/ocserv.conf
IP forwarding and SNAT:
echo 1 > /proc/sys/net/ipv4/ip_forward
echo "echo 1 > /proc/sys/net/ipv4/ip_forward " >> /etc/rc.local
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
Setting net.ipv4.ip_forward = 1 in /etc/sysctl.conf (applied with sysctl -p) is the usual way to make forwarding persistent on CentOS 6; the rc.local line above achieves the same thing. The MASQUERADE rule as written applies to everything leaving eth0, not only VPN traffic; adding -s 192.168.1.0/24 restricts it to the VPN subnet configured above.
Connect with username and password:
echo passwd|openconnect -u username www.haiyun.me:5551 --no-cert-check
Connect with a certificate:
openconnect -k user-key.pem -c user-cert.pem www.haiyun.me:5551 --no-cert-check
Note that --no-cert-check turns off verification of the server certificate, so a client started this way cannot distinguish the real server from an impostor. Because the server certificate was issued by the CA created above, passing --cafile ca-cert.pem instead lets openconnect verify it.
from http://www.haiyun.me/archives/1071.html

---------------------

Setting up an AnyConnect server and integrating it with RADIUS authentication

Derived from and recorded on the basis of the tutorial above.

Done on CentOS 6 x64.

1. Dependencies:
yum install pam-devel readline-devel http-parser-devel unbound gmp-devel
yum install tar gzip xz wget gcc make autoconf

2. Install nettle:
cd
wget https://ftp.gnu.org/gnu/nettle/nettle-3.1.tar.gz
tar zxvf nettle-3.1.tar.gz
cd nettle-3.1/
./configure --prefix=/usr/local/nettle
make && make install
echo '/usr/local/nettle/lib64/' > /etc/ld.so.conf.d/nettle.conf
ldconfig

3. Install gnutls:
cd
export NETTLE_CFLAGS="-I/usr/local/nettle/include/"
export NETTLE_LIBS="-L/usr/local/nettle/lib64/ -lnettle"
export HOGWEED_LIBS="-L/usr/local/nettle/lib64/ -lhogweed"
export HOGWEED_CFLAGS="-I/usr/local/nettle/include"
wget ftp://ftp.gnutls.org/gcrypt/gnutls/v3.4/gnutls-3.4.7.tar.xz
tar xvf gnutls-3.4.7.tar.xz
cd gnutls-3.4.7
./configure --prefix=/usr/local/gnutls --with-included-libtasn1 --without-p11-kit
make && make install
ln -s /usr/local/gnutls/bin/certtool /usr/bin/certtool
echo '/usr/local/gnutls/lib/' > /etc/ld.so.conf.d/gnutls.conf
ldconfig

4. Install libnl:
cd
yum install bison flex
wget https://www.infradead.org/~tgr/libnl/files/libnl-3.2.25.tar.gz
tar xvf libnl-3.2.25.tar.gz
cd libnl-3.2.25
./configure --prefix=/usr/local/libnl
make && make install
echo '/usr/local/libnl/lib/' > /etc/ld.so.conf.d/libnl.conf
ldconfig

5. Install the RADIUS client library (radcli):
export LIBNL3_CFLAGS="-I/usr/local/libnl/include/libnl3"
export LIBNL3_LIBS="-L/usr/local/libnl/lib/ -lnl-3 -lnl-route-3"
export LIBGNUTLS_LIBS="-L/usr/local/gnutls/lib/ -lgnutls"
export LIBGNUTLS_CFLAGS="-I/usr/local/gnutls/include/"
wget https://github.com/radcli/radcli/releases/download/1.2.5/radcli-1.2.5.tar.gz
tar xvzf radcli-1.2.5.tar.gz
cd radcli-1.2.5
./configure --prefix=/usr/local/radcli
echo '/usr/local/radcli/lib/' > /etc/ld.so.conf.d/radcli.conf
make && make install
ldconfig
yum install freeradius-client -y

6. Install ocserv:
export RADCLI_LIBS="-L/usr/local/radcli/lib/ -lradcli"
export RADCLI_CFLAGS="-I/usr/local/radcli/include/"
wget ftp://ftp.infradead.org/pub/ocserv/ocserv-0.10.9.tar.xz
tar xvf ocserv-0.10.9.tar.xz
cd ocserv-0.10.9

Edit src/vpn.h and change
#define DEFAULT_CONFIG_ENTRIES 96
to 200 (this constant caps the number of configuration entries, such as route lines, that ocserv accepts; the long route list in step 9 can otherwise exceed the default).
./configure --prefix=/usr/local/ocserv
make && make install
echo 'export PATH=$PATH:/usr/local/ocserv/sbin/:/usr/local/ocserv/bin/' >> $HOME/.bashrc
source $HOME/.bashrc
7. Certificates
Since I have a wildcard certificate, I did not generate one and just used it directly.
mkdir /etc/ocserv/
Edit /etc/ocserv/server-cert.pem and paste the certificate in. Paste only one certificate, the one issued to you: when I pasted the chain after it, it errored, apparently because of a problem with the CA certificate.

Then:
chmod 600 /etc/ocserv/server-cert.pem
Do the same with server-key.pem: paste the private key in and set the permissions.

8. freeradius-client settings
I only set up login authentication here.
Edit /etc/radiusclient/radiusclient.conf (yourserveraddress stands for the address of the RADIUS server):

authserver yourserveraddress:1812
acctserver yourserveraddress:1813
dictionary /etc/radiusclient/dictionary

Also remember to authorize this host (add it as a client) on the RADIUS server side.

Then edit /etc/radiusclient/servers and add the line below (yourserveraddress is the RADIUS server address, yourserversecret is the RADIUS shared secret):
yourserveraddress yourserversecret
This file holds the shared secret in clear text, so keep it owned by root with mode 600 (chmod 600 /etc/radiusclient/servers).

9. Configuration file
For the configuration file, go back to the directory where ocserv was just built.

cd /root/ocserv-0.10.9
cp ./tests/docker-ocserv/ocserv-radius.conf /etc/ocserv/ocserv.conf
Then edit /etc/ocserv/ocserv.conf

The main changes are the following:

try-mtu-discovery = true
cisco-client-compat = true
server-cert = /etc/ocserv/server-cert.pem
server-key = /etc/ocserv/server-key.pem
max-clients = 50
max-same-clients = 10
tcp-port = 5444
udp-port = 5444
dns = 8.8.8.8
dns = 8.8.4.4
ipv4-network = 192.168.10.0
occtl-socket-file = /var/run/occtl.socket
#ca-cert = ...   (yes, that is right, comment it out)

Pay special attention to the routing table as well: comment out both the no-route and the route lines first, then add the following.

route = 103.0.0.0/255.0.0.0
route = 106.0.0.0/255.0.0.0
route = 107.0.0.0/255.0.0.0
route = 108.0.0.0/255.0.0.0
route = 141.0.0.0/255.0.0.0
route = 153.0.0.0/255.0.0.0
route = 160.0.0.0/255.0.0.0
route = 166.0.0.0/255.0.0.0
route = 17.0.0.0/255.0.0.0
route = 173.0.0.0/255.0.0.0
route = 176.0.0.0/255.0.0.0
route = 178.0.0.0/255.0.0.0
route = 184.0.0.0/255.0.0.0
route = 194.0.0.0/255.0.0.0
route = 198.0.0.0/255.0.0.0
route = 199.0.0.0/255.0.0.0
route = 203.0.0.0/255.0.0.0
route = 204.0.0.0/255.0.0.0
route = 205.0.0.0/255.0.0.0
route = 208.0.0.0/255.0.0.0
route = 209.0.0.0/255.0.0.0
route = 210.0.0.0/255.0.0.0
route = 216.0.0.0/255.0.0.0
route = 3.0.0.0/255.0.0.0
route = 4.0.0.0/255.0.0.0
route = 31.0.0.0/255.0.0.0
route = 46.0.0.0/255.0.0.0
route = 50.0.0.0/255.0.0.0
route = 54.0.0.0/255.0.0.0
route = 61.0.0.0/255.0.0.0
route = 64.0.0.0/255.0.0.0
route = 67.0.0.0/255.0.0.0
route = 68.0.0.0/255.0.0.0
route = 69.0.0.0/255.0.0.0
route = 70.0.0.0/255.0.0.0
route = 72.0.0.0/255.0.0.0
route = 74.0.0.0/255.0.0.0
route = 75.0.0.0/255.0.0.0
route = 76.0.0.0/255.0.0.0
route = 77.0.0.0/255.0.0.0
route = 79.0.0.0/255.0.0.0
route = 8.0.0.0/255.0.0.0
route = 23.0.0.0/255.0.0.0
route = 93.0.0.0/255.0.0.0
route = 96.0.0.0/255.0.0.0
route = 100.0.0.0/248.0.0.0
route = 109.0.0.0/255.0.0.0
route = 128.0.0.0/255.0.0.0
route = 174.0.0.0/255.0.0.0
route = 190.0.0.0/255.0.0.0
route = 192.0.0.0/255.0.0.0
OK, save.

10. Firewall & system configuration

echo 1 > /proc/sys/net/ipv4/ip_forward
echo "echo 1 > /proc/sys/net/ipv4/ip_forward " >> /etc/rc.local
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
service iptables save
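An added example (not code from either post) that checks the settings both posts hand-edit: it lints every route= and no-route= line of an ocserv.conf, rejecting non-contiguous netmasks and network addresses that have host bits set, and prints iptables rules that SNAT and forward only the subnet given by ipv4-network/ipv4-netmask, instead of the blanket MASQUERADE on eth0 used above. Run over the route list above it flags route = 100.0.0.0/248.0.0.0: 100 is 01100100 in binary, so the address has bits set below a /5 mask, and the /5 block that contains it is 96.0.0.0/5. What a client does with such a route is up to the client, so it is better to fix it in the config. The sample config in write_sample_conf is constructed for the example, and the rules are printed rather than applied.

```shell
#!/bin/sh
# Added example; not code from either post above. Lints the route=/no-route=
# lines of an ocserv.conf (is the netmask contiguous? does the network part
# have host bits set?) and prints iptables rules that SNAT and forward only
# the VPN subnet declared by ipv4-network/ipv4-netmask, instead of the
# blanket "MASQUERADE everything leaving eth0" used in both posts.
# Assumptions: POSIX sh; the tun device name defaults to vpns when the config
# does not set "device"; rules are printed, never applied.

# dotted quad -> 32-bit integer; returns 1 on malformed input
ip_to_int() {
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    n=0
    for octet in "$@"; do
        case $octet in ''|*[!0-9]*|0[0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
        n=$(( (n << 8) | octet ))
    done
    echo "$n"
}

# dotted-quad netmask -> prefix length; fails on a non-contiguous mask like 255.0.255.0
mask_to_prefix() {
    m=$(ip_to_int "$1") || return 1
    inv=$(( ~m & 4294967295 ))                 # inverted mask must be of the form 2^k - 1
    [ $(( inv & (inv + 1) )) -eq 0 ] || return 1
    p=32
    while [ "$inv" -ne 0 ]; do inv=$(( inv >> 1 )); p=$(( p - 1 )); done
    echo "$p"
}

# "net/netmask" or "net/prefix" -> "net/prefix"; fails if host bits are set,
# e.g. 100.0.0.0/248.0.0.0 (the /5 that contains 100.0.0.0 is 96.0.0.0/5)
route_to_cidr() {
    net=${1%%/*}; rest=${1#*/}
    [ "$net" != "$1" ] || return 1            # no "/" at all
    n=$(ip_to_int "$net") || return 1
    case $rest in
        *.*)         p=$(mask_to_prefix "$rest") || return 1 ;;
        ''|*[!0-9]*) return 1 ;;
        *)           p=$rest; [ "$p" -le 32 ] || return 1 ;;
    esac
    hostbits=$(( (1 << (32 - p)) - 1 ))
    [ $(( n & hostbits )) -eq 0 ] || return 1
    echo "$net/$p"
}

# first uncommented "key = value" in the config, whitespace stripped
cfg_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1 | tr -d '[:space:]'
}

# print each route=/no-route= line as CIDR, or "BAD: <line>"; non-zero if any is bad
lint_routes() {
    rc=0
    while IFS= read -r line; do
        key=$(printf '%s' "${line%%=*}" | tr -d '[:space:]')
        case $key in route|no-route) ;; *) continue ;; esac
        val=$(printf '%s' "${line#*=}" | tr -d '[:space:]')
        if cidr=$(route_to_cidr "$val"); then echo "$key = $cidr"
        else echo "BAD: $line"; rc=1; fi
    done < "$1"
    return $rc
}

# $1 = ocserv.conf, $2 = egress interface: NAT and forwarding rules limited to the VPN subnet
gen_nat_rules() {
    net=$(cfg_value "$1" ipv4-network); mask=$(cfg_value "$1" ipv4-netmask)
    dev=$(cfg_value "$1" device); [ -n "$dev" ] || dev=vpns   # assumption: ocserv's usual name
    [ -n "$net" ] && [ -n "$mask" ] || { echo "ipv4-network/ipv4-netmask not set" >&2; return 1; }
    cidr=$(route_to_cidr "$net/$mask") || { echo "bad VPN subnet $net/$mask" >&2; return 1; }
    echo "iptables -t nat -A POSTROUTING -s $cidr -o $2 -j MASQUERADE"
    echo "iptables -A FORWARD -i ${dev}+ -s $cidr -o $2 -j ACCEPT"
    echo "iptables -A FORWARD -i $2 -o ${dev}+ -d $cidr -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A FORWARD -i ${dev}+ -j DROP"
}

# Constructed sample config (not either post's file): the misaligned /5 from the
# route list above, its aligned form, a non-contiguous mask, and a commented line.
write_sample_conf() {
    cat > "$1" <<'EOF'
device = vpns
ipv4-network = 192.168.10.0
ipv4-netmask = 255.255.255.0
route = 100.0.0.0/248.0.0.0
route = 96.0.0.0/248.0.0.0
route = 192.168.1.0/255.255.255.0
no-route = 192.168.5.0/255.255.255.0
#route = 10.0.0.0/8
route = 1.2.3.0/255.0.255.0
EOF
}

if [ "${1:-}" = demo ]; then
    f=$(mktemp); write_sample_conf "$f"
    lint_routes "$f"; echo; gen_nat_rules "$f" eth0; rm -f "$f"
fi
```

Running the script with the argument demo prints the lint result for the sample config followed by the rules; against a real /etc/ocserv/ocserv.conf, the output of gen_nat_rules can be piped to sh once reviewed. The FORWARD rules admit VPN clients to the egress interface and reply traffic back, and drop anything else arriving from the vpns interfaces; the -i vpns+ wildcard covers the vpns0, vpns1, ... devices ocserv creates.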



11. Run ocserv

ocserv -f -c /etc/ocserv/ocserv.conf

Now you can connect; I won't go into it further here.

Add that line to /etc/rc.local to start it automatically at boot.