ocserv部署
参考下载地址
https://github.com/CNMan/ocserv-cn-no-route/tree/master
客户端下载
https://github.com/openconnect/openconnect-gui/releases
思科客户端（网盘转存，不是 Cisco 官方分发渠道，文件完整性和来源无法校验；建议优先使用上面 openconnect-gui 的官方 release）:https://www.aliyundrive.com/s/oanLSTLdWuo
安装
# ocserv is shipped in EPEL, so that repository is enabled before installing the server.
yum -y install epel-release
yum -y install ocserv
配置文件
# Open the server configuration; the settings listed next are what goes into this file.
vim /etc/ocserv/ocserv.conf
# Plain-file authentication: users live in the file named here and are
# managed with ocpasswd (see the user section below).
# NOTE(review): the original note placed comments after the values on the
# same line (`... #设置用户密码`); not every ini-style parser accepts trailing
# `#` comments, so they are kept on their own lines here.
auth = "plain[passwd=/etc/ocserv/ocpasswd]"
# Listening ports. Whatever firewall rules open the VPN must use this same
# number for both TCP and UDP.
tcp-port = 12312
udp-port = 12312
# Privilege separation: the privilege-dropped ocserv processes run as this
# account/group, inside the chroot, with worker isolation enabled.
run-as-user = ocserv
run-as-group = ocserv
socket-file = ocserv.sock
chroot-dir = /var/lib/ocserv
isolate-workers = true
# Connection limits: total clients, and concurrent sessions per user.
max-clients = 16
max-same-clients = 2
rate-limit-ms = 100
# Keepalive / dead-peer-detection intervals in seconds (mobile clients get a
# longer DPD interval).
keepalive = 32400
dpd = 90
mobile-dpd = 1800
switch-to-tcp-timeout = 25
try-mtu-discovery = false
# TLS material. This note does not show how the certificate, key and CA are
# generated; they must exist at these paths before ocserv starts, and the
# private key should be readable by root only.
server-cert = /etc/pki/ocserv/public/server.crt
server-key = /etc/pki/ocserv/private/server.key
ca-cert = /etc/pki/ocserv/cacerts/ca.crt
# OID of the certificate field that carries the username; only relevant for
# certificate authentication, which `auth` above does not enable.
cert-user-oid = 0.9.2342.19200300.100.1.1
# NOTE(review): this priority string only removes SSLv3; TLS 1.0 and 1.1 stay
# enabled, and %COMPAT relaxes negotiation further. Unless legacy clients are
# required, append ":-VERS-TLS1.0:-VERS-TLS1.1".
tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-VERS-SSL3.0"
# Authentication timing and score-based banning of misbehaving clients.
auth-timeout = 240
min-reauth-time = 300
max-ban-score = 50
ban-reset-time = 300
cookie-timeout = 300
deny-roaming = false
# Rekey every 48 hours (172800 s).
rekey-time = 172800
rekey-method = ssl
use-occtl = true
pid-file = /var/run/ocserv.pid
device = vpns
predictable-ips = true
default-domain = example.com
# Client address pool. Every NAT/FORWARD rule written for VPN traffic must use
# this same subnet: 192.168.100.0/24.
ipv4-network = 192.168.100.0
ipv4-netmask = 255.255.255.0
# DNS server pushed to clients.
dns = 8.8.8.8
ping-leases = false
# Cisco AnyConnect client compatibility, including legacy DTLS negotiation.
cisco-client-compat = true
dtls-legacy = true
# Profile XML served to clients; the file itself is not provided in this note.
user-profile = profile.xml
创建密码文件
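# Create the password file with restrictive permissions: it will hold the
# users' password hashes, and a bare `touch` leaves it world-readable under
# the default umask. 0640 root:ocserv keeps it readable whether the file is
# read by the root main process or by a process running as run-as-user/group
# (ocserv, per ocserv.conf above); 0600 root:root could break plain auth.
touch /etc/ocserv/ocpasswd
chown root:ocserv /etc/ocserv/ocpasswd
chmod 640 /etc/ocserv/ocpasswd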
用户
创建用户
# Add (or reset) the user "yyp" in the plain-auth password file referenced by
# `auth` in ocserv.conf; the password is prompted for interactively.
ocpasswd --passwd=/etc/ocserv/ocpasswd yyp
删除用户
# Remove the entry for "user" from the same password file.
ocpasswd --delete --passwd=/etc/ocserv/ocpasswd user
服务器配置
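# Enable IPv4 forwarding so VPN clients can reach other networks through this
# host. The grep guard stops a re-run of this note from appending the same
# line again; `sysctl -p` then loads /etc/sysctl.conf so the change applies
# without a reboot.
grep -qxF 'net.ipv4.ip_forward = 1' /etc/sysctl.conf || echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf
sysctl -p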
防火墙设置（停用 firewalld，改用 iptables 规则）
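# firewalld is replaced by raw iptables rules below; stop and disable it so
# the two do not fight over the rule set.
systemctl disable --now firewalld
# Quote the pattern: unquoted, `iptables*` is expanded by the shell against
# the current directory before yum sees it. yum resolves the wildcard itself.
yum install -y 'iptables*'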
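# Values that must agree with /etc/ocserv/ocserv.conf above:
#   VPN_NET  = ipv4-network/ipv4-netmask  (192.168.100.0/24)
#   VPN_PORT = tcp-port / udp-port        (12312)
# The original note used 192.168.8.100/24 and port 12321 here, which match
# neither the config above nor each other's comments; both now come from the
# config. WAN_IF is the Internet-facing interface -- change it to match
# `ip route` on the host.
VPN_NET=192.168.100.0/24
VPN_PORT=12312
WAN_IF=eth0

# Source-NAT VPN client traffic leaving through the WAN interface.
iptables -t nat -A POSTROUTING -s "$VPN_NET" -o "$WAN_IF" -j MASQUERADE
# Forward client traffic out, and replies back in. The second rule is what
# keeps forwarding working if the FORWARD policy is later set to DROP.
iptables -A FORWARD -s "$VPN_NET" -j ACCEPT
iptables -A FORWARD -d "$VPN_NET" -m state --state ESTABLISHED,RELATED -j ACCEPT

# Accept the VPN listener on both TCP and UDP.
iptables -A INPUT -p tcp -m state --state NEW --dport "$VPN_PORT" -j ACCEPT
iptables -A INPUT -p udp -m state --state NEW --dport "$VPN_PORT" -j ACCEPT

# NOTE(review): while the INPUT chain policy stays ACCEPT (the default) the
# two INPUT rules above restrict nothing. To actually filter, first accept
# loopback, established flows and SSH (TCP 22 -- SSH is not UDP), then set the
# policy to DROP from a console session, after confirming the SSH port.
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
# iptables -P INPUT DROP   # enable only after the three rules above are in place

# None of this survives a reboot on its own; persist it, e.g. with
# iptables-services: `service iptables save && systemctl enable iptables`.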
设置完成后的防火墙规则（iptables-save 导出）
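# Generated by iptables-save v1.4.21 on Fri Dec 10 17:01:14 2021
# Ruleset as captured on the author's host, with two corrections:
#  - the SSH rule was written "-p udp"; SSH is TCP, so that line never
#    matched SSH traffic.
#  - the VPN port is 12312 to agree with tcp-port/udp-port in ocserv.conf
#    above (the capture had 12321).
# NOTE(review): all three filter chains have policy ACCEPT, so as captured
# nothing is blocked and the INPUT rules are no-ops. They only become
# meaningful once loopback and ESTABLISHED,RELATED traffic are accepted and
# the INPUT policy is changed to DROP.
*filter
:INPUT ACCEPT [23953:4917891]
:FORWARD ACCEPT [32309:37004366]
:OUTPUT ACCEPT [35231:40662608]
-A INPUT -p tcp -m state --state NEW -m tcp --dport 12312 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 12312 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A FORWARD -s 192.168.100.0/24 -j ACCEPT
COMMIT
# Completed on Fri Dec 10 17:01:14 2021
# Generated by iptables-save v1.4.21 on Fri Dec 10 17:01:14 2021
*nat
:PREROUTING ACCEPT [1072:120782]
:INPUT ACCEPT [151:7371]
:OUTPUT ACCEPT [256:21338]
:POSTROUTING ACCEPT [256:21338]
# Source NAT for the VPN pool (ipv4-network in ocserv.conf) leaving via eth0.
-A POSTROUTING -s 192.168.100.0/24 -o eth0 -j MASQUERADE
COMMIT
# Completed on Fri Dec 10 17:01:14 2021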
启动服务
# Enable at boot and start immediately.
systemctl enable --now ocserv
# Restart the service.
systemctl restart ocserv
# Confirm it is running.
systemctl status ocserv
# Logs: everything recorded so far, then follow new entries live.
journalctl -u ocserv
journalctl -fu ocserv
Linux 客户端连接
Linux 命令行客户端连接（Debian/Ubuntu 示例）:
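# Debian/Ubuntu command-line client.
apt-get install openconnect
# "openconect" in the original note is a typo; the binary is openconnect.
# The server listens on tcp-port 12312 (ocserv.conf above), not 443, so the
# port has to be part of the address.
openconnect --protocol=anyconnect 服务器地址:12312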
windows客户端连接工具