OCServ Configuration

The title says CentOS 7, but this applies to every RedHat-family distribution.
On CentOS 6 ocserv has to be compiled by hand and a long list of dependency problems must be solved first; on CentOS 7 it is quite easy to set up.

Requesting a server certificate

Generate a CSR

```sh
cd ~

openssl req -new -newkey rsa:4096 -sha256 -nodes -out server.csr -keyout server.key
```

In the prompts that follow, only Common Name needs to be filled in, with the server's domain name; everything else can be left blank.

Generating an ECC certificate is not recommended: even when it is issued by a proper CA, the AnyConnect client will warn that it is insecure.

Take the generated CSR file to Let's Encrypt to have it signed.
If the signature algorithm is selectable, be sure to choose SHA-2, never SHA-1.

Install OCSERV

```sh
yum install epel-release ocserv -y
```

Configure OCSERV

```sh
vim /etc/ocserv/ocserv.conf
```

Change the following settings:

```
# Uncomment certificate login and comment out PAM login
auth = "certificate"
#auth = "pam"

# Overall client limit and per-account client limit; for private use max-same-clients can be raised
max-clients = 16
max-same-clients = 2

# Listening ports
tcp-port = 1234
udp-port = 1234

# Because certificate login is used, this line must be commented out
#listen-clear-file = /var/run/ocserv-conn.socket

# Dead-peer-detection interval for mobile clients; uncommenting it is recommended to save battery on phones and similar devices
mobile-dpd = 1800

# Set this to true, otherwise problems may occur
try-mtu-discovery = true

# Paths to the server certificate and key
server-cert = /etc/ocserv/pki/server/server.crt
server-key = /etc/ocserv/pki/server/server.key

# Path to the CA certificate
ca-cert = /etc/ocserv/pki/ca/ca.crt

# Internal address range handed out to clients. If other VPN servers run on the same host, make sure the ranges do not overlap
ipv4-network = 192.168.101.0
ipv4-netmask = 255.255.255.0

# DNS servers
dns = 8.8.8.8
dns = 8.8.4.4
#dns = any other fast and reliable DNS server
```
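As an added example (not part of the original post), a small Python check that reads an ocserv.conf fragment in the format above and flags the settings this guide says must be set or commented out; it also validates any no-route entries of the kind used in the routing table later on (network/netmask form, no host bits set, no overlap with the client pool). The configuration text inside it is constructed for the example.

```python
import ipaddress
# Constructed sample in the format of the ocserv.conf fragment above (not the page's own file)
SAMPLE_CONF = """\
auth = "certificate"
#auth = "pam"
#listen-clear-file = /var/run/ocserv-conn.socket
try-mtu-discovery = true
ipv4-network = 192.168.101.0
ipv4-netmask = 255.255.255.0
no-route = 1.0.0.0/255.192.0.0
no-route = 10.1.2.3/255.255.0.0
"""

def parse_conf(text):
    # Active key/value settings plus the list of no-route values; '#' lines are inactive
    settings, no_routes = {}, []
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip().strip('"')
        if key == "no-route":
            no_routes.append(value)
        else:
            settings[key] = value
    return settings, no_routes

def check_conf(text):
    """Check the settings this guide requires; return a list of findings (empty means OK)."""
    settings, no_routes = parse_conf(text)
    findings = []
    if settings.get("auth") != "certificate":
        findings.append("auth must be certificate (and the pam line commented out)")
    if "listen-clear-file" in settings:
        findings.append("listen-clear-file must be commented out with certificate auth")
    if settings.get("try-mtu-discovery") != "true":
        findings.append("try-mtu-discovery should be true")
    # Pool must be a valid network (strict: host bits set -> ValueError); no-route entries likewise, and must not overlap it
    try:
        pool = ipaddress.ip_network(f"{settings.get('ipv4-network')}/{settings.get('ipv4-netmask')}")
    except ValueError:
        findings.append("ipv4-network/ipv4-netmask is not a valid network")
        pool = None
    for entry in no_routes:
        try:
            net = ipaddress.ip_network(entry)
            if pool is not None and net.overlaps(pool):
                findings.append(f"no-route {entry} overlaps the client pool {pool}")
        except ValueError:
            findings.append(f"no-route {entry}: malformed or host bits set")
    return findings
```

Run `check_conf(open("/etc/ocserv/ocserv.conf").read())` on the server to check the real file; an empty list means every check passed.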

Configure certificates

Create the directories

```sh
mkdir /etc/ocserv/pki && cd /etc/ocserv/pki

mkdir server ca clients template
```

Configure the server certificate

Put the certificate issued by Let's Encrypt and the key generated together with the CSR above into the server directory, at the paths referenced in ocserv.conf: /etc/ocserv/pki/server/server.crt and /etc/ocserv/pki/server/server.key.

Configure the CA certificate

```sh
cd /etc/ocserv/pki/ca
certtool --generate-privkey --sec-param high --outfile ca.key
# The self-signed certificate's details can be anything
cat << _EOF_ >../template/ca.tmpl
cn = "VPN CA"
organization = "Mid-south Sea"
serial = 1
expiration_days = 9999
ca
signing_key
cert_signing_key
crl_signing_key
_EOF_
# Generate the certificate
certtool --generate-self-signed --load-privkey ca.key --template ../template/ca.tmpl --outfile ca.crt
chmod 400 ca.key
```

Configure client certificates

```sh
cd /etc/ocserv/pki/template
vim client.tmpl
```

Enter the following (feel free to modify it; the script below rewrites lines 1, 3 and 7, so keep cn, email and serial on those lines):

```
cn = user
o = "Organization"
email = user@example.com
dns_name = "www.example.com"
country = US
state = "New York"
serial = 1
expiration_days = 9999
signing_key
# only if the generated key is an RSA one
encryption_key
tls_www_client
ipsec_ike_key
time_stamping_key
```

Create the automatic issuance script

```sh
cd /etc/ocserv/pki
vim make-client.sh
```

Enter the following:

```sh
#!/bin/sh
# Usage: ./make-client.sh <username>   (run from /etc/ocserv/pki)
set -e
[ -n "$1" ] || { echo "usage: $0 <username>" >&2; exit 1; }
umask 077                    # private key and .p12 bundle are created readable only by root
serial=$(date +%s)           # a unique serial number per issued certificate
certtool --generate-privkey --outfile "clients/$1.key"
# Replace the cn, email and serial lines (lines 1, 3 and 7) of the client template
sed -i "1ccn = ${1}" template/client.tmpl
sed -i "3cemail = ${1}@example.com" template/client.tmpl
sed -i "7cserial = ${serial}" template/client.tmpl
certtool --generate-certificate --load-privkey "clients/$1.key" --load-ca-certificate ca/ca.crt --load-ca-privkey ca/ca.key --template template/client.tmpl --outfile "clients/$1.crt"
# Bundle key, certificate and CA certificate into a PKCS#12 file for import on the client device
openssl pkcs12 -export -inkey "clients/$1.key" -in "clients/$1.crt" -name "$1 VPN Client Cert" -certfile ca/ca.crt -out "clients/$1.p12"
exit 0
```

```sh
# Set permissions
chmod 700 make-client.sh
```

Client certificates can then be generated conveniently with the script:

```sh
./make-client.sh testuser
```

Start OCSERV and enable it at boot

```sh
systemctl start ocserv
systemctl enable ocserv
```

Configure FIREWALLD

Create an ocserv service

```sh
vim /etc/firewalld/services/ocserv.xml
```

With the following contents:

```xml
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>ocserv</short>
  <description>Cisco AnyConnect</description>
  <port protocol="tcp" port="1234"/>
  <port protocol="udp" port="1234"/>
</service>
```

Start firewalld

```sh
systemctl start firewalld
firewall-cmd --permanent --add-service=ocserv
firewall-cmd --permanent --add-masquerade
firewall-cmd --reload
```

Configure the clients

If a certificate was generated with make-client.sh earlier, the corresponding .p12 file can be found in the /etc/ocserv/pki/clients directory.
Transfer that file to the phone, iPad or other device.

Tips

  1. Although it was said above that the self-signed certificate's details can be anything, the certificate's contents are transmitted in cleartext, so do not put odd values in the fields, to avoid attracting the firewall's attention.
  2. An ECC certificate is not recommended for the server certificate, because AnyConnect will warn that it is insecure. The CA and client certificates cannot be ECC certificates at all, because OpenConnect does not support them.

Routing table

Each no-route line excludes a destination network from the tunnel, so traffic to it goes out directly instead of through the VPN. The first entry must be the server's own public address; further entries in the same network/netmask format list the address ranges that should bypass the tunnel:

```
no-route = <server IP>/255.255.255.255
```
Author: Jason Cooper
Link: https://blog.dwx.io/ocserv-setup/
Copyright Notice: All articles in this blog are licensed under CC BY-NC-SA 4.0 unless stating additionally.