
ocserv部署

参考下载地址

https://github.com/CNMan/ocserv-cn-no-route/tree/master

客户端下载

https://github.com/openconnect/openconnect-gui/releases
思科客户端:https://www.aliyundrive.com/s/oanLSTLdWuo

安装

# ocserv is shipped in EPEL, so that repository has to be enabled before the
# package itself can be installed (two separate commands on purpose).
yum -y install epel-release
yum -y install ocserv

配置文件

# Open the main ocserv configuration; the settings listed next are its content.
vim /etc/ocserv/ocserv.conf
# Authentication: username/password pairs kept in /etc/ocserv/ocpasswd and
# maintained with the ocpasswd tool (shown further down).
auth = "plain[passwd=/etc/ocserv/ocpasswd]"
# Listening ports. NOTE(review): the iptables commands and the saved ruleset
# further down open 12321, not 12312 — the two must use the same value.
tcp-port = 12312
udp-port = 12312
# Unprivileged identity, chroot and isolation for the worker processes.
run-as-user = ocserv
run-as-group = ocserv
socket-file = ocserv.sock
chroot-dir = /var/lib/ocserv
isolate-workers = true
# Connection limits: total simultaneous clients, and sessions per user.
max-clients = 16
max-same-clients = 2
rate-limit-ms = 100
# Keepalive and dead-peer-detection intervals, in seconds.
keepalive = 32400
dpd = 90
mobile-dpd = 1800
switch-to-tcp-timeout = 25
try-mtu-discovery = false
# TLS material. This guide does not show how these files are created; they
# must exist (with a key readable only by root) before the service starts.
server-cert = /etc/pki/ocserv/public/server.crt
server-key = /etc/pki/ocserv/private/server.key
ca-cert = /etc/pki/ocserv/cacerts/ca.crt
# OID used to extract the username from a client certificate; only matters
# for certificate authentication, not for the plain auth configured above.
cert-user-oid = 0.9.2342.19200300.100.1.1
# GnuTLS priority string: SSL 3.0 is disabled, %COMPAT enables workarounds
# for older clients.
tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-VERS-SSL3.0"
auth-timeout = 240
min-reauth-time = 300
# Brute-force protection: an address is banned once its failure score reaches
# max-ban-score; the score resets after ban-reset-time seconds.
max-ban-score = 50
ban-reset-time = 300
cookie-timeout = 300
deny-roaming = false
# Key renegotiation interval (seconds) and method.
rekey-time = 172800
rekey-method = ssl
# Enable the control socket used by the occtl management tool.
use-occtl = true
pid-file = /var/run/ocserv.pid
device = vpns
predictable-ips = true
# Placeholder domain — replace with the real one.
default-domain = example.com
# Address pool handed out to VPN clients. The NAT and FORWARD rules below must
# reference this same network (the saved ruleset does: 192.168.100.0/24).
ipv4-network = 192.168.100.0
ipv4-netmask = 255.255.255.0
# Resolver pushed to clients.
dns = 8.8.8.8
ping-leases = false
# Compatibility settings for the Cisco AnyConnect client linked above.
cisco-client-compat = true
dtls-legacy = true
# NOTE(review): relative path — confirm whether ocserv resolves it under
# chroot-dir or the config directory before relying on it.
user-profile = profile.xml

创建密码文件

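# Create the password file referenced by auth = "plain[...]" in ocserv.conf.
# It stores password hashes, so it must not be world-readable: owner root,
# group ocserv (the run-as-group from ocserv.conf, created by the package —
# verify with `getent group ocserv`), mode 640. Group read access is kept
# because the process performing plain authentication runs unprivileged;
# re-check ownership/mode after ocpasswd rewrites the file.
touch /etc/ocserv/ocpasswd
chown root:ocserv /etc/ocserv/ocpasswd
chmod 640 /etc/ocserv/ocpasswd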

用户

创建用户

# Add user "yyp" (or reset its password): the password is asked for
# interactively and its hash is written to the file ocserv.conf points at.
ocpasswd --passwd=/etc/ocserv/ocpasswd yyp

删除用户

# Remove the account "user" from the password file.
ocpasswd --passwd=/etc/ocserv/ocpasswd --delete user

服务器配置

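# Enable IPv4 forwarding so traffic from VPN clients can be routed out.
# Append the setting only if it is not already present — the original
# unconditional append duplicates the line every time the guide is re-run.
# (If an existing line sets it to 0, edit that line instead of appending.)
grep -q '^net\.ipv4\.ip_forward' /etc/sysctl.conf \
  || printf '%s\n' 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf
# Apply /etc/sysctl.conf immediately.
sysctl -p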

防火墙设置

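# This guide replaces firewalld with plain iptables rules.
systemctl disable --now firewalld
# Quoted so the shell does not expand the wildcard against files in the
# current directory; yum resolves the pattern itself.
yum install 'iptables*' -y

# Keep these values in sync with /etc/ocserv/ocserv.conf above:
#   vpn_net  = ipv4-network/ipv4-netmask (192.168.100.0/24 there; the original
#              commands used 192.168.8.100/24, which is a different network and
#              not even a network address)
#   vpn_port = tcp-port/udp-port (12312 there; the original commands and the
#              saved dump below use 12321 — one of the two is a typo, make them
#              equal)
#   wan_if   = the interface carrying the public address — adjust per host
vpn_net=192.168.100.0/24
vpn_port=12312
wan_if=eth0

# NAT VPN client traffic leaving through the public interface.
iptables -t nat -A POSTROUTING -s "$vpn_net" -o "$wan_if" -j MASQUERADE
# Allow forwarding of packets coming from the VPN pool.
iptables -A FORWARD -s "$vpn_net" -j ACCEPT
# Accept new connections to the ocserv TCP and UDP listeners.
iptables -A INPUT -p tcp -m state --state NEW --dport "$vpn_port" -j ACCEPT
iptables -A INPUT -p udp -m state --state NEW --dport "$vpn_port" -j ACCEPT

# NOTE: the INPUT chain keeps its default ACCEPT policy (visible in the saved
# ruleset below), so the ACCEPT rules above restrict nothing by themselves.
# For the firewall to actually filter, set a default-deny INPUT policy and keep
# explicit allows for SSH (TCP/22) and ESTABLISHED,RELATED traffic first.
# Rules added this way are lost at reboot unless saved (e.g. with iptables-save,
# which is the format of the dump below).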

设置好的防火墙

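# Generated by iptables-save v1.4.21 on Fri Dec 10 17:01:14 2021
# Saved ruleset in iptables-restore format; '#' lines are ignored on restore.
*filter
# All three default policies are ACCEPT, so the ACCEPT rules below currently
# change nothing. If INPUT is switched to DROP, keep the SSH rule and add an
# ESTABLISHED,RELATED allow before it, or the host locks itself out.
:INPUT ACCEPT [23953:4917891]
:FORWARD ACCEPT [32309:37004366]
:OUTPUT ACCEPT [35231:40662608]
# ocserv listeners. The config file above sets tcp-port/udp-port = 12312;
# one side must be corrected so both agree.
-A INPUT -p tcp -m state --state NEW -m tcp --dport 12321 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 12321 -j ACCEPT
# SSH runs over TCP; the original rule matched UDP/22, which carries no SSH
# traffic and would have left SSH blocked under a DROP policy.
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
# VPN client pool, matching ipv4-network/ipv4-netmask in ocserv.conf.
-A FORWARD -s 192.168.100.0/24 -j ACCEPT
COMMIT
# Completed on Fri Dec 10 17:01:14 2021
# Generated by iptables-save v1.4.21 on Fri Dec 10 17:01:14 2021
*nat
:PREROUTING ACCEPT [1072:120782]
:INPUT ACCEPT [151:7371]
:OUTPUT ACCEPT [256:21338]
:POSTROUTING ACCEPT [256:21338]
# Masquerade VPN client traffic leaving via eth0 (adjust to the public
# interface of the host).
-A POSTROUTING -s 192.168.100.0/24 -o eth0 -j MASQUERADE
COMMIT
# Completed on Fri Dec 10 17:01:14 2021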

启动服务

# Enable ocserv at boot and start it immediately.
systemctl enable --now ocserv
# Restart after configuration changes.
systemctl restart ocserv
# Confirm the service is running.
systemctl status ocserv
# Service log; the second form streams new entries (Ctrl-C to stop).
journalctl --unit=ocserv
journalctl --unit=ocserv --follow

linux 服务器连接

linux 客户端连接:

# Debian/Ubuntu client: install the OpenConnect command-line client.
apt-get install openconnect

openconect --protocol=anyconnect 服务器地址

windows客户端连接工具

