标题写的是CentOS 7,其实RedHat系各发行版通用。
ocserv在CentOS 6上必须自行编译,且需要解决诸多依赖性问题,但在CentOS 7上配置相当容易。

申请服务器证书

生成CSR

1
2
3
cd ~
openssl req -new -newkey rsa:4096 -sha256 -nodes -out server.csr -keyout server.key

接下去的提示中,只有Common Name需要填写服务器域名,其他都可以留空。

不建议生成ECC证书,因为即使是正规CA签发,AnyConnect客户端也会提示不安全。

拿着生成的CSR文件,到Let’s encrypt签发。
如果签名算法可选,务必选择SHA-2,不要用SHA-1。

安装OCSERV

1
yum install epel-release ocserv -y

配置OCSERV

1
vim /etc/ocserv/ocserv.conf

修改如下:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
#取消证书登录的注释,注释掉PAM登录
auth = "certificate"
#auth = "pam"
#客户端总上限以及单个账号客户端上限,私下用的话max-same-clients可以改大些
max-clients = 16
max-same-clients = 2
#监听端口
tcp-port = 1234
udp-port = 1234
#因为使用证书登录,所以必须注释掉这行
#listen-clear-file = /var/run/ocserv-conn.socket
#移动客户端掉线检测间隔,建议取消注释以节省手机等设备的电量
mobile-dpd = 1800
#这个改成true,否则可能会出现问题
try-mtu-discovery = true
#服务器证书的路径
server-cert = /etc/ocserv/pki/server/server.crt
server-key = /etc/ocserv/pki/server/server.key
#CA证书的路径
ca-cert = /etc/ocserv/pki/ca/ca.crt
#对客户端分配的内网地址。如果同时还运行其他VPN服务器,请确保IP段不会冲突
ipv4-network = 192.168.101.0
ipv4-netmask = 255.255.255.0
#DNS服务器
dns = 8.8.8.8
dns = 8.8.4.4
#dns = 其他较快较靠谱的DNS服务器

配置证书

创建目录

1
2
3
mkdir /etc/ocserv/pki && cd /etc/ocserv/pki`
mkdir server ca clients template

配置Server证书

1
2
mkdir /etc/ocserv/pki && cd /etc/ocserv/pki
mkdir server ca clients template

配置CA证书

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
cd ../ca
certtool --generate-privkey --sec-param high --outfile ca.key
#自签证书信息随便写
cat << _EOF_ >../template/ca.tmpl
cn = "VPN CA"
organization = "Mid-south Sea"
serial = 1
expiration_days = 9999
ca
signing_key
cert_signing_key
crl_signing_key
_EOF_
#生成证书
certtool --generate-self-signed --load-privkey ca.key --template ../template/ca.tmpl --outfile ca.crt
chmod 400 ca.key

配置Client证书

1
2
cd ../template
vim client.tmpl

输入以下内容(可自己随意修改)

1
2
3
4
5
6
7
8
9
10
11
12
13
cn = user
o = "Organization"
email = user@example.com
dns_name = "www.example.com"
country = US
state = "New York"
serial = 1
expiration_days = 9999
signing_key
encryption_key #only if the generated key is an RSA one
tls_www_client
ipsec_ike_key
time_stamping_key

制作自动签发脚本

1
2
cd ..
vim make-client.sh

输入以下内容

1
2
3
4
5
6
7
8
9
10
11
12
#!/bin/sh
serial=`date +%s`
certtool --generate-privkey --outfile clients/$1.key
sed -i "1ccn = ${1}" template/client.tmpl
sed -i "3cemail = ${1}@example.com" template/client.tmpl
sed -i "7cserial = ${serial}" template/client.tmpl
certtool --generate-certificate --load-privkey clients/$1.key --load-ca-certificate ca/ca.crt --load-ca-privkey ca/ca.key --template template/client.tmpl --outfile clients/$1.crt
openssl pkcs12 -export -inkey clients/$1.key -in clients/$1.crt -name "$1 VPN Client Cert" -certfile ca/ca.crt -out clients/$1.p12
exit 0
#设置权限
chmod 700 make-client.sh

然后就能用脚本很方便地生成客户端证书了:

1
./make-client.sh testuser

启动OCSERV并设置开机启动

1
2
systemctl start ocserv
systemctl enable ocserv

配置FIREWALLD

创建一个ocserv服务

1
vim /etc/firewalld/services/ocserv.xml

内容如下:

1
2
3
4
5
6
7
<?xml version="1.0" encoding="utf-8"?>
<service>
<short>ocserv</short>
<description>Cisco AnyConnect</description>
<port protocol="tcp" port="1234"/>
<port protocol="udp" port="1234"/>
</service>

启动 firewalld

1
2
3
4
systemctl start firewalld
firewall-cmd --permanent --add-service=ocserv
firewall-cmd --permanent --add-masquerade
firewall-cmd --reload

配置客户端

如果之前用make-client.sh生成过证书,那么在/etc/ocserv/pki/client目录下可以找到响应的p12文件。
将该文件传到手机/iPad等终端上。

提示

  1. 虽然上面提到自签证书的信息可以随意写,但由于证书本身的信息是明文传输的,所以不要写奇怪的字段,以免引起防火墙注意。
  2. Server证书不建议使用ECC证书,因为AnyConnect会提示不安全。CA和Client证书不能使用ECC证书,因为OpenConnect不支持。

路由表

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
no-route = 服务器IP/255.255.255.255
no-route = 1.0.0.0/255.192.0.0
no-route = 1.64.0.0/255.224.0.0
no-route = 1.112.0.0/255.248.0.0
no-route = 1.176.0.0/255.240.0.0
no-route = 1.192.0.0/255.240.0.0
no-route = 14.0.0.0/255.224.0.0
no-route = 14.96.0.0/255.224.0.0
no-route = 14.128.0.0/255.224.0.0
no-route = 14.192.0.0/255.224.0.0
no-route = 27.0.0.0/255.192.0.0
no-route = 27.96.0.0/255.224.0.0
no-route = 27.128.0.0/255.224.0.0
no-route = 27.176.0.0/255.240.0.0
no-route = 27.192.0.0/255.224.0.0
no-route = 27.224.0.0/255.252.0.0
no-route = 36.0.0.0/255.192.0.0
no-route = 36.96.0.0/255.224.0.0
no-route = 36.128.0.0/255.192.0.0
no-route = 36.192.0.0/255.224.0.0
no-route = 36.240.0.0/255.240.0.0
no-route = 39.0.0.0/255.255.0.0
no-route = 39.64.0.0/255.224.0.0
no-route = 39.96.0.0/255.240.0.0
no-route = 39.128.0.0/255.192.0.0
no-route = 40.72.0.0/255.254.0.0
no-route = 40.125.128.0/255.255.128.0
no-route = 40.126.64.0/255.255.192.0
no-route = 42.0.0.0/255.248.0.0
no-route = 42.48.0.0/255.240.0.0
no-route = 42.80.0.0/255.240.0.0
no-route = 42.96.0.0/255.224.0.0
no-route = 42.128.0.0/255.128.0.0
no-route = 43.224.0.0/255.224.0.0
no-route = 45.64.0.0/255.255.128.0
no-route = 45.112.0.0/255.240.0.0
no-route = 47.92.0.0/255.252.0.0
no-route = 47.96.0.0/255.224.0.0
no-route = 49.0.0.0/255.248.0.0
no-route = 49.48.0.0/255.248.0.0
no-route = 49.64.0.0/255.224.0.0
no-route = 49.112.0.0/255.240.0.0
no-route = 49.128.0.0/255.224.0.0
no-route = 49.208.0.0/255.240.0.0
no-route = 49.224.0.0/255.224.0.0
no-route = 52.80.0.0/255.252.0.0
no-route = 54.222.0.0/255.254.0.0
no-route = 58.0.0.0/255.128.0.0
no-route = 58.128.0.0/255.224.0.0
no-route = 58.192.0.0/255.224.0.0
no-route = 58.240.0.0/255.240.0.0
no-route = 59.32.0.0/255.224.0.0
no-route = 59.64.0.0/255.224.0.0
no-route = 59.96.0.0/255.240.0.0
no-route = 59.144.0.0/255.240.0.0
no-route = 59.160.0.0/255.224.0.0
no-route = 59.192.0.0/255.192.0.0
no-route = 60.0.0.0/255.224.0.0
no-route = 60.48.0.0/255.240.0.0
no-route = 60.160.0.0/255.224.0.0
no-route = 60.192.0.0/255.192.0.0
no-route = 61.0.0.0/255.192.0.0
no-route = 61.80.0.0/255.248.0.0
no-route = 61.128.0.0/255.192.0.0
no-route = 61.224.0.0/255.224.0.0
no-route = 91.234.36.0/255.255.255.0
no-route = 101.0.0.0/255.128.0.0
no-route = 101.128.0.0/255.224.0.0
no-route = 101.192.0.0/255.240.0.0
no-route = 101.224.0.0/255.224.0.0
no-route = 103.0.0.0/255.192.0.0
no-route = 103.192.0.0/255.240.0.0
no-route = 103.224.0.0/255.224.0.0
no-route = 106.0.0.0/255.128.0.0
no-route = 106.224.0.0/255.240.0.0
no-route = 110.0.0.0/255.128.0.0
no-route = 110.144.0.0/255.240.0.0
no-route = 110.160.0.0/255.224.0.0
no-route = 110.192.0.0/255.192.0.0
no-route = 111.0.0.0/255.192.0.0
no-route = 111.64.0.0/255.224.0.0
no-route = 111.112.0.0/255.240.0.0
no-route = 111.128.0.0/255.192.0.0
no-route = 111.192.0.0/255.224.0.0
no-route = 111.224.0.0/255.240.0.0
no-route = 112.0.0.0/255.128.0.0
no-route = 112.128.0.0/255.240.0.0
no-route = 112.192.0.0/255.252.0.0
no-route = 112.224.0.0/255.224.0.0
no-route = 113.0.0.0/255.128.0.0
no-route = 113.128.0.0/255.240.0.0
no-route = 113.192.0.0/255.192.0.0
no-route = 114.16.0.0/255.240.0.0
no-route = 114.48.0.0/255.240.0.0
no-route = 114.64.0.0/255.192.0.0
no-route = 114.128.0.0/255.240.0.0
no-route = 114.192.0.0/255.192.0.0
no-route = 115.0.0.0/255.0.0.0
no-route = 116.0.0.0/255.0.0.0
no-route = 117.0.0.0/255.128.0.0
no-route = 117.128.0.0/255.192.0.0
no-route = 118.16.0.0/255.240.0.0
no-route = 118.64.0.0/255.192.0.0
no-route = 118.128.0.0/255.128.0.0
no-route = 119.0.0.0/255.128.0.0
no-route = 119.128.0.0/255.192.0.0
no-route = 119.224.0.0/255.224.0.0
no-route = 120.0.0.0/255.192.0.0
no-route = 120.64.0.0/255.224.0.0
no-route = 120.128.0.0/255.240.0.0
no-route = 120.192.0.0/255.192.0.0
no-route = 121.0.0.0/255.128.0.0
no-route = 121.192.0.0/255.192.0.0
no-route = 122.0.0.0/254.0.0.0
no-route = 124.0.0.0/255.0.0.0
no-route = 125.0.0.0/255.128.0.0
no-route = 125.160.0.0/255.224.0.0
no-route = 125.192.0.0/255.192.0.0
no-route = 137.59.88.0/255.255.252.0
no-route = 139.0.0.0/255.224.0.0
no-route = 139.128.0.0/255.128.0.0
no-route = 140.64.0.0/255.240.0.0
no-route = 140.128.0.0/255.240.0.0
no-route = 140.192.0.0/255.192.0.0
no-route = 144.0.0.0/255.255.0.0
no-route = 144.7.0.0/255.255.0.0
no-route = 144.12.0.0/255.255.0.0
no-route = 144.52.0.0/255.255.0.0
no-route = 144.123.0.0/255.255.0.0
no-route = 144.255.0.0/255.255.0.0
no-route = 150.0.0.0/255.255.0.0
no-route = 150.96.0.0/255.224.0.0
no-route = 150.128.0.0/255.240.0.0
no-route = 150.192.0.0/255.192.0.0
no-route = 152.104.128.0/255.255.128.0
no-route = 153.0.0.0/255.192.0.0
no-route = 153.96.0.0/255.224.0.0
no-route = 157.0.0.0/255.255.0.0
no-route = 157.18.0.0/255.255.0.0
no-route = 157.61.0.0/255.255.0.0
no-route = 157.122.0.0/255.255.0.0
no-route = 157.148.0.0/255.255.0.0
no-route = 157.156.0.0/255.255.0.0
no-route = 157.255.0.0/255.255.0.0
no-route = 159.226.0.0/255.255.0.0
no-route = 161.207.0.0/255.255.0.0
no-route = 162.105.0.0/255.255.0.0
no-route = 163.0.0.0/255.192.0.0
no-route = 163.96.0.0/255.224.0.0
no-route = 163.128.0.0/255.192.0.0
no-route = 163.192.0.0/255.224.0.0
no-route = 166.111.0.0/255.255.0.0
no-route = 167.139.0.0/255.255.0.0
no-route = 167.189.0.0/255.255.0.0
no-route = 167.220.244.0/255.255.252.0
no-route = 168.160.0.0/255.255.0.0
no-route = 171.0.0.0/255.128.0.0
no-route = 171.192.0.0/255.224.0.0
no-route = 175.0.0.0/255.128.0.0
no-route = 175.128.0.0/255.192.0.0
no-route = 180.64.0.0/255.192.0.0
no-route = 180.128.0.0/255.128.0.0
no-route = 182.0.0.0/255.0.0.0
no-route = 183.0.0.0/255.192.0.0
no-route = 183.64.0.0/255.224.0.0
no-route = 183.128.0.0/255.128.0.0
no-route = 192.124.154.0/255.255.255.0
no-route = 192.188.170.0/255.255.255.0
no-route = 202.0.0.0/255.128.0.0
no-route = 202.128.0.0/255.192.0.0
no-route = 202.192.0.0/255.224.0.0
no-route = 203.0.0.0/255.128.0.0
no-route = 203.128.0.0/255.192.0.0
no-route = 203.192.0.0/255.224.0.0
no-route = 210.0.0.0/255.192.0.0
no-route = 210.64.0.0/255.224.0.0
no-route = 210.160.0.0/255.224.0.0
no-route = 210.192.0.0/255.224.0.0
no-route = 211.64.0.0/255.248.0.0
no-route = 211.80.0.0/255.240.0.0
no-route = 211.96.0.0/255.248.0.0
no-route = 211.136.0.0/255.248.0.0
no-route = 211.144.0.0/255.240.0.0
no-route = 211.160.0.0/255.248.0.0
no-route = 218.0.0.0/255.128.0.0
no-route = 218.160.0.0/255.224.0.0
no-route = 218.192.0.0/255.192.0.0
no-route = 219.64.0.0/255.224.0.0
no-route = 219.128.0.0/255.224.0.0
no-route = 219.192.0.0/255.192.0.0
no-route = 220.96.0.0/255.224.0.0
no-route = 220.128.0.0/255.128.0.0
no-route = 221.0.0.0/255.224.0.0
no-route = 221.96.0.0/255.224.0.0
no-route = 221.128.0.0/255.128.0.0
no-route = 222.0.0.0/255.0.0.0
no-route = 223.0.0.0/255.224.0.0
no-route = 223.64.0.0/255.192.0.0
no-route = 223.128.0.0/255.128.0.0