The title says CentOS 7, but this applies to any Red Hat-family distribution. On CentOS 6, ocserv has to be compiled by hand and a pile of dependency problems have to be solved; on CentOS 7 setting it up is quite easy.
Requesting a server certificate

Generating the CSR

```sh
cd ~
openssl req -new -newkey rsa:4096 -sha256 -nodes -out server.csr -keyout server.key
```

At the prompts that follow, only Common Name needs to be filled in, with the server's domain name; everything else can be left blank. `-nodes` leaves server.key unencrypted, which ocserv needs in order to read it at startup, so keep the file readable by root only.

Generating an ECC certificate is not recommended: even when a regular CA issues it, the AnyConnect client will warn that the connection is insecure.

Take the generated CSR to Let's Encrypt to have it signed. If the signature algorithm is selectable, be sure to choose SHA-2, not SHA-1.
Installing ocserv

ocserv lives in EPEL, so the repository has to be enabled first; installing epel-release and ocserv in one yum transaction fails because the package is not visible until the repository file exists.

```sh
yum install epel-release -y
yum install ocserv -y
```
Configuring ocserv

```sh
vim /etc/ocserv/ocserv.conf
```

Edit as follows:

```ini
auth = "certificate"
max-clients = 16
max-same-clients = 2
tcp-port = 1234
udp-port = 1234
mobile-dpd = 1800
try-mtu-discovery = true
server-cert = /etc/ocserv/pki/server/server.crt
server-key = /etc/ocserv/pki/server/server.key
ca-cert = /etc/ocserv/pki/ca/ca.crt
ipv4-network = 192.168.101.0
ipv4-netmask = 255.255.255.0
dns = 8.8.8.8
dns = 8.8.4.4
```

With auth = "certificate" the client certificate is the only credential, and it is verified against ca-cert, which is the private CA created below rather than a public one, so only certificates you issue yourself are accepted. ocserv takes the username from the certificate field selected by cert-user-oid; the client template below puts the name in the CN, so that setting must be 2.5.4.3 (CN). The tcp-port and udp-port values must match the firewalld service defined later.
Setting up the certificates

Create the directories

```sh
mkdir /etc/ocserv/pki && cd /etc/ocserv/pki
mkdir server ca clients template
```
Server certificate

Put the server.key generated in the CSR step and the certificate Let's Encrypt issued for it (with the intermediate chain appended, so AnyConnect can build the chain) into server/, under the file names referenced by server-cert and server-key in ocserv.conf:

```sh
cd server
cp ~/server.key server.key
cp ~/server.crt server.crt    # the certificate returned by Let's Encrypt, chain included
chmod 400 server.key
```
CA certificate

```sh
cd ../ca
certtool --generate-privkey --sec-param high --outfile ca.key
cat << _EOF_ > ../template/ca.tmpl
cn = "VPN CA"
organization = "Mid-south Sea"
serial = 1
expiration_days = 9999
ca
signing_key
cert_signing_key
crl_signing_key
_EOF_
certtool --generate-self-signed --load-privkey ca.key --template ../template/ca.tmpl --outfile ca.crt
chmod 400 ca.key
```
Client certificates

```sh
cd ../template
vim client.tmpl
```

Enter the following (modify as you like):

```ini
cn = user
o = "Organization"
email = user@example.com
dns_name = "www.example.com"
country = US
state = "New York"
serial = 1
expiration_days = 9999
signing_key
encryption_key
tls_www_client
ipsec_ike_key
time_stamping_key
```

Only tls_www_client is needed for an OpenConnect client; ipsec_ike_key and time_stamping_key are harmless here but unnecessary. If you trim the template, keep the first seven lines in place, because make-client.sh below rewrites lines 1, 3 and 7 by line number.
Writing an issuance script

```sh
cd ..
vim make-client.sh
```

Enter the following:

```sh
#!/bin/sh
# Usage: ./make-client.sh <username>   (run from /etc/ocserv/pki)
[ -n "$1" ] || { echo "usage: $0 <username>" >&2; exit 1; }
serial=`date +%s`
# client private key; --sec-param high matches the CA key
certtool --generate-privkey --sec-param high --outfile "clients/$1.key"
# rewrite cn (line 1), email (line 3) and serial (line 7) of the template
sed -i "1ccn = ${1}" template/client.tmpl
sed -i "3cemail = ${1}@example.com" template/client.tmpl
sed -i "7cserial = ${serial}" template/client.tmpl
certtool --generate-certificate --load-privkey "clients/$1.key" --load-ca-certificate ca/ca.crt --load-ca-privkey ca/ca.key --template template/client.tmpl --outfile "clients/$1.crt"
# bundle key, certificate and CA into a PKCS#12 for the phone; prompts for an export password
openssl pkcs12 -export -inkey "clients/$1.key" -in "clients/$1.crt" -name "$1 VPN Client Cert" -certfile ca/ca.crt -out "clients/$1.p12"
exit 0
```

Then make it executable:

```sh
chmod 700 make-client.sh
```
Client certificates can now be generated conveniently with the script:

```sh
./make-client.sh testuser
```
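With auth = "certificate" and 9999-day client certificates, the only way to lock out a lost phone or a departed user is to revoke the certificate, which is what the CA's crl_signing_key usage above is for. The script below is an added example and not part of the original post: it keeps a list of revoked users, regenerates the CRL with certtool --generate-crl (crl_number and crl_next_update are GnuTLS's real template fields) and assumes ocserv.conf points at the result with crl = /etc/ocserv/pki/ca/crl.pem. The file names revoke-client.sh, revoked.txt, revoked.pem, crl.number and crl.tmpl are my own choices, and it is assumed that reloading ocserv (SIGHUP) makes it re-read the CRL.

```shell
#!/bin/sh
# Added example, not from the original post: revoke a client certificate
# and publish a CRL. Assumes the layout built above (/etc/ocserv/pki with
# ca/, clients/ and template/) and that ocserv.conf contains
#   crl = /etc/ocserv/pki/ca/crl.pem
# Run as root: ./revoke-client.sh <username>
set -e
PKI=${PKI:-/etc/ocserv/pki}

# crl_template CRL_NUMBER NEXT_UPDATE_DAYS: certtool CRL template on stdout.
# crl_number must increase on every issue; the next-update date must still
# lie in the future when ocserv validates the CRL, or every client cert
# (not only the revoked ones) is refused.
crl_template() {
    printf 'crl_number = %s\ncrl_next_update = %s\n' "$1" "$2"
}

# next_crl_number COUNTER_FILE: previous CRL number + 1 (1 if none yet).
next_crl_number() {
    n=0
    [ -f "$1" ] && n=$(cat "$1")
    echo $((n + 1))
}

# regen_crl: rebuild revoked.pem from the list of revoked usernames and
# sign a fresh CRL with the CA key (created above with crl_signing_key).
regen_crl() {
    list=$PKI/ca/revoked.txt
    bundle=$PKI/ca/revoked.pem
    counter=$PKI/ca/crl.number
    : > "$bundle"
    if [ -f "$list" ]; then
        while IFS= read -r user; do
            cat "$PKI/clients/$user.crt" >> "$bundle"
        done < "$list"
    fi
    num=$(next_crl_number "$counter")
    crl_template "$num" 30 > "$PKI/template/crl.tmpl"
    # An empty revocation list still needs a valid, signed CRL on disk.
    if [ -s "$bundle" ]; then set -- --load-certificate "$bundle"; else set --; fi
    certtool --generate-crl \
        --load-ca-privkey "$PKI/ca/ca.key" \
        --load-ca-certificate "$PKI/ca/ca.crt" \
        --template "$PKI/template/crl.tmpl" \
        "$@" --outfile "$PKI/ca/crl.pem"
    echo "$num" > "$counter"
    chmod 644 "$PKI/ca/crl.pem"
    # Assumption: SIGHUP makes ocserv re-read config and CRL without
    # dropping the sessions of users that are still valid.
    systemctl reload ocserv
}

# revoke_client USERNAME: record the user's cert as revoked and republish.
revoke_client() {
    cert=$PKI/clients/$1.crt
    [ -f "$cert" ] || { echo "no such client cert: $cert" >&2; return 1; }
    list=$PKI/ca/revoked.txt
    grep -qxF "$1" "$list" 2>/dev/null || echo "$1" >> "$list"
    regen_crl
}

if [ $# -eq 1 ]; then
    revoke_client "$1"
fi
```

Run regen_crl once after adding the crl line to ocserv.conf, and then on a schedule (for example weekly from cron), because the CRL written here is valid for 30 days and an expired CRL blocks everyone. Revoking a user is then just ./revoke-client.sh testuser.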
Start ocserv and enable it at boot

```sh
systemctl start ocserv
systemctl enable ocserv
```
Configuring firewalld

Create an ocserv service

```sh
vim /etc/firewalld/services/ocserv.xml
```

Contents:

```xml
<?xml version="1.0" encoding="utf-8" ?>
<service>
  <short>ocserv</short>
  <description>Cisco AnyConnect</description>
  <port protocol="tcp" port="1234" />
  <port protocol="udp" port="1234" />
</service>
```

Start firewalld

```sh
systemctl start firewalld
firewall-cmd --permanent --add-service=ocserv
firewall-cmd --permanent --add-masquerade
firewall-cmd --reload
```
Configuring the client

If you generated a certificate with make-client.sh earlier, the corresponding .p12 file is in /etc/ocserv/pki/clients. Transfer that file to the phone, iPad or other device and import it.
Tips

Although it was said above that the fields of the self-signed certificates can be filled in freely, the certificate contents travel in cleartext (with TLS 1.2 the client certificate is sent before the handshake is encrypted), so do not put odd values in them that might draw a firewall's attention.

Do not use an ECC certificate for the server, because AnyConnect will warn that it is insecure. The CA and client certificates cannot be ECC at all, because OpenConnect does not support it.
Routing table

These lines go into ocserv.conf as well. Each no-route entry is pushed to the client as an exception: traffic to that prefix bypasses the tunnel, so only the rest goes through the VPN (split tunneling). The first entry excludes the VPN server's own address; the remainder are written in the address/netmask form that no-route takes.

```ini
no-route = <server IP>/255.255.255.255
no-route = 1.0.0.0/255.192.0.0
no-route = 1.64.0.0/255.224.0.0
no-route = 1.112.0.0/255.248.0.0
no-route = 1.176.0.0/255.240.0.0
no-route = 1.192.0.0/255.240.0.0
no-route = 14.0.0.0/255.224.0.0
no-route = 14.96.0.0/255.224.0.0
no-route = 14.128.0.0/255.224.0.0
no-route = 14.192.0.0/255.224.0.0
no-route = 27.0.0.0/255.192.0.0
no-route = 27.96.0.0/255.224.0.0
no-route = 27.128.0.0/255.224.0.0
no-route = 27.176.0.0/255.240.0.0
no-route = 27.192.0.0/255.224.0.0
no-route = 27.224.0.0/255.252.0.0
no-route = 36.0.0.0/255.192.0.0
no-route = 36.96.0.0/255.224.0.0
no-route = 36.128.0.0/255.192.0.0
no-route = 36.192.0.0/255.224.0.0
no-route = 36.240.0.0/255.240.0.0
no-route = 39.0.0.0/255.255.0.0
no-route = 39.64.0.0/255.224.0.0
no-route = 39.96.0.0/255.240.0.0
no-route = 39.128.0.0/255.192.0.0
no-route = 40.72.0.0/255.254.0.0
no-route = 40.125.128.0/255.255.128.0
no-route = 40.126.64.0/255.255.192.0
no-route = 42.0.0.0/255.248.0.0
no-route = 42.48.0.0/255.240.0.0
no-route = 42.80.0.0/255.240.0.0
no-route = 42.96.0.0/255.224.0.0
no-route = 42.128.0.0/255.128.0.0
no-route = 43.224.0.0/255.224.0.0
no-route = 45.64.0.0/255.255.128.0
no-route = 45.112.0.0/255.240.0.0
no-route = 47.92.0.0/255.252.0.0
no-route = 47.96.0.0/255.224.0.0
no-route = 49.0.0.0/255.248.0.0
no-route = 49.48.0.0/255.248.0.0
no-route = 49.64.0.0/255.224.0.0
no-route = 49.112.0.0/255.240.0.0
no-route = 49.128.0.0/255.224.0.0
no-route = 49.208.0.0/255.240.0.0
no-route = 49.224.0.0/255.224.0.0
no-route = 52.80.0.0/255.252.0.0
no-route = 54.222.0.0/255.254.0.0
no-route = 58.0.0.0/255.128.0.0
no-route = 58.128.0.0/255.224.0.0
no-route = 58.192.0.0/255.224.0.0
no-route = 58.240.0.0/255.240.0.0
no-route = 59.32.0.0/255.224.0.0
no-route = 59.64.0.0/255.224.0.0
no-route = 59.96.0.0/255.240.0.0
no-route = 59.144.0.0/255.240.0.0
no-route = 59.160.0.0/255.224.0.0
no-route = 59.192.0.0/255.192.0.0
no-route = 60.0.0.0/255.224.0.0
no-route = 60.48.0.0/255.240.0.0
no-route = 60.160.0.0/255.224.0.0
no-route = 60.192.0.0/255.192.0.0
no-route = 61.0.0.0/255.192.0.0
no-route = 61.80.0.0/255.248.0.0
no-route = 61.128.0.0/255.192.0.0
no-route = 61.224.0.0/255.224.0.0
no-route = 91.234.36.0/255.255.255.0
no-route = 101.0.0.0/255.128.0.0
no-route = 101.128.0.0/255.224.0.0
no-route = 101.192.0.0/255.240.0.0
no-route = 101.224.0.0/255.224.0.0
no-route = 103.0.0.0/255.192.0.0
no-route = 103.192.0.0/255.240.0.0
no-route = 103.224.0.0/255.224.0.0
no-route = 106.0.0.0/255.128.0.0
no-route = 106.224.0.0/255.240.0.0
no-route = 110.0.0.0/255.128.0.0
no-route = 110.144.0.0/255.240.0.0
no-route = 110.160.0.0/255.224.0.0
no-route = 110.192.0.0/255.192.0.0
no-route = 111.0.0.0/255.192.0.0
no-route = 111.64.0.0/255.224.0.0
no-route = 111.112.0.0/255.240.0.0
no-route = 111.128.0.0/255.192.0.0
no-route = 111.192.0.0/255.224.0.0
no-route = 111.224.0.0/255.240.0.0
no-route = 112.0.0.0/255.128.0.0
no-route = 112.128.0.0/255.240.0.0
no-route = 112.192.0.0/255.252.0.0
no-route = 112.224.0.0/255.224.0.0
no-route = 113.0.0.0/255.128.0.0
no-route = 113.128.0.0/255.240.0.0
no-route = 113.192.0.0/255.192.0.0
no-route = 114.16.0.0/255.240.0.0
no-route = 114.48.0.0/255.240.0.0
no-route = 114.64.0.0/255.192.0.0
no-route = 114.128.0.0/255.240.0.0
no-route = 114.192.0.0/255.192.0.0
no-route = 115.0.0.0/255.0.0.0
no-route = 116.0.0.0/255.0.0.0
no-route = 117.0.0.0/255.128.0.0
no-route = 117.128.0.0/255.192.0.0
no-route = 118.16.0.0/255.240.0.0
no-route = 118.64.0.0/255.192.0.0
no-route = 118.128.0.0/255.128.0.0
no-route = 119.0.0.0/255.128.0.0
no-route = 119.128.0.0/255.192.0.0
no-route = 119.224.0.0/255.224.0.0
no-route = 120.0.0.0/255.192.0.0
no-route = 120.64.0.0/255.224.0.0
no-route = 120.128.0.0/255.240.0.0
no-route = 120.192.0.0/255.192.0.0
no-route = 121.0.0.0/255.128.0.0
no-route = 121.192.0.0/255.192.0.0
no-route = 122.0.0.0/254.0.0.0
no-route = 124.0.0.0/255.0.0.0
no-route = 125.0.0.0/255.128.0.0
no-route = 125.160.0.0/255.224.0.0
no-route = 125.192.0.0/255.192.0.0
no-route = 137.59.88.0/255.255.252.0
no-route = 139.0.0.0/255.224.0.0
no-route = 139.128.0.0/255.128.0.0
no-route = 140.64.0.0/255.240.0.0
no-route = 140.128.0.0/255.240.0.0
no-route = 140.192.0.0/255.192.0.0
no-route = 144.0.0.0/255.255.0.0
no-route = 144.7.0.0/255.255.0.0
no-route = 144.12.0.0/255.255.0.0
no-route = 144.52.0.0/255.255.0.0
no-route = 144.123.0.0/255.255.0.0
no-route = 144.255.0.0/255.255.0.0
no-route = 150.0.0.0/255.255.0.0
no-route = 150.96.0.0/255.224.0.0
no-route = 150.128.0.0/255.240.0.0
no-route = 150.192.0.0/255.192.0.0
no-route = 152.104.128.0/255.255.128.0
no-route = 153.0.0.0/255.192.0.0
no-route = 153.96.0.0/255.224.0.0
no-route = 157.0.0.0/255.255.0.0
no-route = 157.18.0.0/255.255.0.0
no-route = 157.61.0.0/255.255.0.0
no-route = 157.122.0.0/255.255.0.0
no-route = 157.148.0.0/255.255.0.0
no-route = 157.156.0.0/255.255.0.0
no-route = 157.255.0.0/255.255.0.0
no-route = 159.226.0.0/255.255.0.0
no-route = 161.207.0.0/255.255.0.0
no-route = 162.105.0.0/255.255.0.0
no-route = 163.0.0.0/255.192.0.0
no-route = 163.96.0.0/255.224.0.0
no-route = 163.128.0.0/255.192.0.0
no-route = 163.192.0.0/255.224.0.0
no-route = 166.111.0.0/255.255.0.0
no-route = 167.139.0.0/255.255.0.0
no-route = 167.189.0.0/255.255.0.0
no-route = 167.220.244.0/255.255.252.0
no-route = 168.160.0.0/255.255.0.0
no-route = 171.0.0.0/255.128.0.0
no-route = 171.192.0.0/255.224.0.0
no-route = 175.0.0.0/255.128.0.0
no-route = 175.128.0.0/255.192.0.0
no-route = 180.64.0.0/255.192.0.0
no-route = 180.128.0.0/255.128.0.0
no-route = 182.0.0.0/255.0.0.0
no-route = 183.0.0.0/255.192.0.0
no-route = 183.64.0.0/255.224.0.0
no-route = 183.128.0.0/255.128.0.0
no-route = 192.124.154.0/255.255.255.0
no-route = 192.188.170.0/255.255.255.0
no-route = 202.0.0.0/255.128.0.0
no-route = 202.128.0.0/255.192.0.0
no-route = 202.192.0.0/255.224.0.0
no-route = 203.0.0.0/255.128.0.0
no-route = 203.128.0.0/255.192.0.0
no-route = 203.192.0.0/255.224.0.0
no-route = 210.0.0.0/255.192.0.0
no-route = 210.64.0.0/255.224.0.0
no-route = 210.160.0.0/255.224.0.0
no-route = 210.192.0.0/255.224.0.0
no-route = 211.64.0.0/255.248.0.0
no-route = 211.80.0.0/255.240.0.0
no-route = 211.96.0.0/255.248.0.0
no-route = 211.136.0.0/255.248.0.0
no-route = 211.144.0.0/255.240.0.0
no-route = 211.160.0.0/255.248.0.0
no-route = 218.0.0.0/255.128.0.0
no-route = 218.160.0.0/255.224.0.0
no-route = 218.192.0.0/255.192.0.0
no-route = 219.64.0.0/255.224.0.0
no-route = 219.128.0.0/255.224.0.0
no-route = 219.192.0.0/255.192.0.0
no-route = 220.96.0.0/255.224.0.0
no-route = 220.128.0.0/255.128.0.0
no-route = 221.0.0.0/255.224.0.0
no-route = 221.96.0.0/255.224.0.0
no-route = 221.128.0.0/255.128.0.0
no-route = 222.0.0.0/255.0.0.0
no-route = 223.0.0.0/255.224.0.0
no-route = 223.64.0.0/255.192.0.0
no-route = 223.128.0.0/255.128.0.0
```
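A list like this is a snapshot and goes stale, and the public sources it is built from (APNIC delegation data, community prefix lists) publish CIDR prefixes, whereas the no-route lines above use address/netmask. The POSIX sh converter below is an added example, not from the original post: it turns a CIDR list into no-route lines, prepends the /32 for the VPN server as the list above does, and rejects any prefix whose host bits are set (a typo such as 1.2.3.4/10 would otherwise quietly turn into a wrong route). The sample prefixes are constructed from the first three entries above; gen_noroute and the other function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): regenerate the ocserv
# split-tunnel "no-route" list from a CIDR prefix list.
# ocserv's no-route directive, as used above, takes "address/netmask";
# public prefix lists come as "address/prefixlen".

# ip_to_int A.B.C.D -> 32-bit integer (fails on malformed input)
ip_to_int() {
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in ''|*[!0-9]*) return 1;; esac
        [ "$o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# int_to_ip INT -> A.B.C.D
int_to_ip() {
    printf '%d.%d.%d.%d\n' $(( ($1 >> 24) & 255 )) $(( ($1 >> 16) & 255 )) \
                           $(( ($1 >> 8) & 255 ))  $(( $1 & 255 ))
}

# prefix_to_mask PREFIXLEN -> 32-bit integer netmask (high PREFIXLEN bits set)
prefix_to_mask() {
    case $1 in ''|*[!0-9]*) return 1;; esac
    [ "$1" -le 32 ] || return 1
    echo $(( 4294967295 - ((1 << (32 - $1)) - 1) ))
}

# cidr_to_noroute A.B.C.D/N -> "no-route = A.B.C.D/M.M.M.M"
# Non-zero exit on malformed input or when host bits are set, so a typo
# like 1.2.3.4/10 is rejected instead of silently becoming a route.
cidr_to_noroute() {
    addr=${1%/*}; plen=${1#*/}
    [ "$addr" != "$1" ] || return 1          # no slash at all
    a=$(ip_to_int "$addr") || return 1
    m=$(prefix_to_mask "$plen") || return 1
    [ $(( a & m )) -eq "$a" ] || return 1    # host bits set
    echo "no-route = $addr/$(int_to_ip "$m")"
}

# gen_noroute SERVER_IP < cidr_list: complete block for ocserv.conf,
# starting with the /32 for the VPN server itself as the post's list does.
# Blank lines and '#' comments in the input are ignored.
gen_noroute() {
    cidr_to_noroute "$1/32" || return 1
    while IFS= read -r line; do
        line=${line%%#*}
        set -- $line
        [ $# -ge 1 ] || continue
        cidr_to_noroute "$1" || { echo "bad prefix: $1" >&2; return 1; }
    done
}

# Constructed sample input: the first three prefixes of the list above, in CIDR form.
SAMPLE='1.0.0.0/10
1.64.0.0/11   # comment
1.112.0.0/13'

# ./gen-noroute.sh <server IP>  prints the block for the sample list
if [ $# -eq 1 ]; then
    printf '%s\n' "$SAMPLE" | gen_noroute "$1"
fi
```

For a real run, replace the sample with `gen_noroute <server IP> < cn-prefixes.txt >> /etc/ocserv/ocserv.conf` (after removing the old no-route block) and reload ocserv; the prefix check makes the script stop, rather than write a partial list, on the first bad line.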