OpenConnect VPN server installation instructions for Debian Wheezy x86
[i=s] This post was last edited by ckleea on 2015-5-15 09:35 [/i]
Following an introduction from 雯雯, I successfully set up an OpenConnect VPN server on a Debian Wheezy x86 server.
The setup procedure is as follows.
[size=5][color=Red]1. System preparation[/color][/size][code]
# ocserv needs a newer GnuTLS than wheezy ships, so enable wheezy-backports
echo "deb http://ftp.debian.org/debian wheezy-backports main contrib non-free" | tee -a /etc/apt/sources.list
aptitude update
aptitude -t wheezy-backports -y install libgnutls28-dev
# build tools and the libraries that ocserv's configure script looks for
aptitude -y install libgmp3-dev m4 gcc pkg-config make gnutls-bin libreadline-dev
aptitude -y install libpam0g-dev libwrap0-dev liblz4-dev libseccomp-dev libkrb5-dev libprotobuf-c0-dev libnl-route-3-dev libtalloc-dev libopts25-dev
[/code][size=5][color=Red]2. Download the OpenConnect VPN Server source code (as of today the latest is 0.10.4)[/color][/size][code]# Get ocserv
mkdir /usr/src/ocserv
cd /usr/src/ocserv
wget ftp://ftp.infradead.org/pub/ocserv/ocserv-0.10.4.tar.xz
tar xvf ocserv-0.10.4.tar.xz
cd ocserv-0.10.4
./configure --prefix=/usr --sysconfdir=/etc
make
make install
mkdir /etc/ocserv
cp doc/sample.config /etc/ocserv/
mv /etc/ocserv/sample.config /etc/ocserv/ocserv.conf[/code][size=5][color=Red]3. Prepare the server certificate (a certificate from a trusted CA is better if you have one)[/color][/size][code]## Generate a self-signed CA and a server certificate for ocserv
## change the values of cn and organization to your own
## two template files are needed; the heredocs below create them
## 1. ca.tmpl: the private CA that signs the server certificate
cat > ca.tmpl <<'EOF'
cn = "VPN CA"
organization = "Big Corp"
serial = 1
expiration_days = 9999
ca
signing_key
cert_signing_key
crl_signing_key
EOF
## 2. server.tmpl: cn must be the hostname your clients connect to
cat > server.tmpl <<'EOF'
cn = "www.example.com"
organization = "MyCompany"
expiration_days = 9999
signing_key
encryption_key
tls_www_server
EOF
## CA private key and self-signed CA certificate
certtool --generate-privkey --outfile ca-key.pem
certtool --generate-self-signed --load-privkey ca-key.pem --template ca.tmpl --outfile ca-cert.pem
## server private key and server certificate signed by the CA
certtool --generate-privkey --outfile server-key.pem
certtool --generate-certificate --load-privkey server-key.pem --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem --template server.tmpl --outfile server-cert.pem
## install the server certificate and key; /etc/ssl/private is root-only on Debian, keep the key that way
## keep ca-key.pem offline: anyone holding it can issue certificates that clients of this CA will trust
cp server-cert.pem /etc/ssl/certs/
cp server-key.pem /etc/ssl/private/[/code][size=5][color=Red]4. Edit the configuration file; only the lines below need changing[/color][/size][code]## configure your own /etc/ocserv/ocserv.conf
## change the settings as shown below (the commented "#" lines are the sample defaults)
## note that port 443 and the address range 10.10.0.0 are your own choice
#auth = "plain[./sample.passwd]"
auth = "plain[/etc/ocserv/ocpasswd]"
#auth = "pam"
...
#max-clients = 1024
max-clients = 16
...
#max-same-clients = 2
max-same-clients = 10
...
# TCP and UDP port number
tcp-port = 443
udp-port = 443
...
#server-cert = ../tests/server-cert.pem
#server-key = ../tests/server-key.pem
server-cert = /etc/ssl/certs/server-cert.pem
server-key = /etc/ssl/private/server-key.pem
...
#run-as-group = daemon
run-as-group = nogroup
...
# The pool of addresses that leases will be given from.
#ipv4-network = 192.168.1.0
ipv4-network = 10.10.0.0
ipv4-netmask = 255.255.255.0
...
# dns = fc00::4be0
#dns = 192.168.1.2
dns = 8.8.8.8
dns = 208.67.222.222
...
#route = 192.168.1.0/255.255.255.0
#route = 192.168.5.0/255.255.255.0
#route = fef4:db8:1000:1001::/64[/code][size=5][color=Red]5. Set up the firewall[/color][/size][code]## add the following to /etc/rc.local
## change the port 443 to the port you chose
## change the network 10.10.0.0/24 to the ipv4-network you chose, and eth0 to your external interface
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -p udp --dport 443 -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.10.0.0/24 -o eth0 -j MASQUERADE
iptables -A FORWARD -s 10.10.0.0/24 -j ACCEPT
echo 1 > /proc/sys/net/ipv4/ip_forward[/code][size=5][color=Red]6. Create the init script[/color][/size][code]#!/bin/sh
## save this as /etc/init.d/ocserv and make it executable with: chmod a+x /etc/init.d/ocserv
### BEGIN INIT INFO
# Provides:          ocserv
# Required-Start:    $remote_fs $syslog
# Required-Stop:     $remote_fs $syslog
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
### END INIT INFO
# Copyright Rene Mayrhofer, Gibraltar, 1999
# This script is distributed under the GPL

PATH=/bin:/usr/bin:/sbin:/usr/sbin
DAEMON=/usr/sbin/ocserv
PIDFILE=/var/run/ocserv.pid
DAEMON_ARGS="-c /etc/ocserv/ocserv.conf"

case "$1" in
  start)
    if [ ! -r "$PIDFILE" ]; then
      echo -n "Starting OpenConnect VPN Server Daemon: "
      start-stop-daemon --start --quiet --pidfile "$PIDFILE" --exec "$DAEMON" -- \
        $DAEMON_ARGS > /dev/null
      echo "ocserv."
    else
      echo "OpenConnect VPN Server is already running."
      exit 0
    fi
    ;;
  stop)
    echo -n "Stopping OpenConnect VPN Server Daemon: "
    start-stop-daemon --stop --quiet --pidfile "$PIDFILE" --exec "$DAEMON"
    echo "ocserv."
    rm -f "$PIDFILE"
    ;;
  force-reload|restart)
    echo "Restarting OpenConnect VPN Server: "
    $0 stop
    sleep 1
    $0 start
    ;;
  status)
    if [ ! -r "$PIDFILE" ]; then
      # no pid file, process doesn't seem to be running
      exit 3
    fi
    PID=$(sed 's/ //g' "$PIDFILE")
    EXE=/proc/$PID/exe
    # the process is alive if /proc/<pid>/exe still points at the ocserv binary
    if [ -x "$EXE" ] && [ "$(readlink "$EXE")" = "$DAEMON" ]; then
      # ok, process seems to be running
      exit 0
    elif [ -r "$PIDFILE" ]; then
      # process not running, but pidfile exists
      exit 1
    else
      # no pid file to check, so simply return the stopped status
      exit 3
    fi
    ;;
  *)
    echo "Usage: /etc/init.d/ocserv {start|stop|restart|force-reload|status}"
    exit 1
    ;;
esac

exit 0[/code][size=5][color=Red]7. Other[/color][/size][code]## enable the ocserv service at boot with update-rc.d ocserv defaults
## create your user account with ocpasswd -c /etc/ocserv/ocpasswd username
## configure your router (port forwarding) so the chosen port can reach ocserv
chmod a+x /etc/init.d/ocserv
update-rc.d ocserv defaults
ocpasswd -c /etc/ocserv/ocpasswd username
[/code][size=5][color=Red]8. Finally, reboot the system[/color][/size][code]## reboot the machine and the OpenConnect server should work[/code]
My instructions are not an automatic install script:
the command-line parts need to be copied and pasted,
and some parts need to be edited with an editor.

Reference:
[url]http://blog.ltns.info/linux/vps_debian_ocserv_support_anyconnect/[/url]

An update
ocserv 0.10.4 also works; I have updated the instructions in this post.

If you use rsyslog to log the auth messages from ocserv, add the following lines to /etc/rsyslog.conf:
[code]# log messages from ocserv into /var/log/ocserv.log
if $programname == 'ocserv' then /var/log/ocserv.log[/code]
It will log the messages into /var/log/ocserv.log.

Could you please explain the part about creating the CA? I find it hard to understand; I don't know what I am actually doing.

ck, this post is great! It is a very useful reference.
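Added example for step 4, written for this page and not taken from the original post or from the ocserv project: a small POSIX shell audit that checks an ocserv.conf for the settings that step changes (the auth file, where server-key lives, the run-as user and group, and max-same-clients). The two embedded configs are constructed for the demonstration; the key names are the ones from the page's sample.config, and the parser assumes the `key = value` spacing used there.

```shell
#!/bin/sh
# Added example (not code from the original post or the ocserv project):
# audit an ocserv.conf for the step 4 settings that must not stay at the
# sample defaults. Only sh and awk are used, so it runs without ocserv.
# Print the value of the active "key = value" line for a key. Commented-out
# "#key = ..." lines from sample.config are skipped because their first
# field is "#key". Assumes the "key = value" spacing used in sample.config.
ocserv_get() {   # $1 = config file, $2 = key name
    awk -v k="$2" '$1 == k && $2 == "=" { print $3; exit }' "$1"
}

# Print one "FAIL: ..." line per problem found; return 1 if any, else 0.
audit_ocserv_conf() {
    f="$1"; rc=0
    case "$(ocserv_get "$f" auth)" in
        "")              echo "FAIL: no active auth line"; rc=1 ;;
        *sample.passwd*) echo "FAIL: auth still uses the sample password file"; rc=1 ;;
    esac
    case "$(ocserv_get "$f" server-key)" in
        /etc/ssl/private/*) ;;
        *) echo "FAIL: server-key is not under /etc/ssl/private/"; rc=1 ;;
    esac
    for k in run-as-user run-as-group; do
        [ "$(ocserv_get "$f" "$k")" = root ] && { echo "FAIL: $k = root"; rc=1; }
    done
    [ -n "$(ocserv_get "$f" max-same-clients)" ] || { echo "FAIL: max-same-clients is not set"; rc=1; }
    return $rc
}

# Constructed "before" config with sample-style values (not the real sample.config).
write_weak_conf() {
    cat > "$1" <<'EOF'
auth = "plain[./sample.passwd]"
#max-same-clients = 2
server-key = ../tests/server-key.pem
run-as-user = root
run-as-group = daemon
EOF
}

# Constructed "after" config using the values chosen in step 4.
write_hardened_conf() {
    cat > "$1" <<'EOF'
auth = "plain[/etc/ocserv/ocpasswd]"
max-same-clients = 10
server-key = /etc/ssl/private/server-key.pem
run-as-user = nobody
run-as-group = nogroup
EOF
}
```

On the server, source the file and run audit_ocserv_conf /etc/ocserv/ocserv.conf; a clean config prints nothing and returns 0, while the constructed weak config above produces four FAIL lines.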