Phicomm N1 Armbian 20.10 OpenConnect server
[i=s] This post was last edited by yiucsw on 2020-12-6 22:34 [/i][b]Set a static IP[/b].[code]nano /etc/network/interfaces
[/code][quote][size=1]
example
iface eth0 inet static
address 192.168.3.100
netmask 255.255.255.0
gateway 192.168.3.1
dns-nameservers 9.9.9.9 1.1.1.1[/size][/quote]
[b]Install ocserv[/b][code]sudo apt install ocserv
systemctl status ocserv[/code]If the output shows 2 tasks listening on 443, ocserv has started successfully.
[quote][size=1] CGroup: /system.slice/ocserv.service
├─2191 ocserv-main
└─2194 ocserv-sm[/size][/quote]
If it does not start, the config file has a problem.[code]sudo systemctl start ocserv[/code]Create a VPN user:[code]sudo ocpasswd -c /etc/ocserv/ocpasswd username[/code] [i=s] This post was last edited by yiucsw on 2020-12-24 00:31 [/i]
ocserv.conf needs two kinds of certificates. This one is the website certificate: server-cert + server-key
Generate the SSL certificate from the ACME DNS API:
[size=1]SSL certificate generated from acme DNS for dynu
generate API key
[url]https://www.dynu.com/en-US/ControlPanel/APICredentials[/url]
in OAuth2: copy the client id & secret
# Install socat & acme.sh[code]sudo apt-get install socat -y
sudo curl https://get.acme.sh | sh[/code]Copy the OAuth2 client id / secret from the DYNU API credentials and export them as environment variables.[code]export Dynu_ClientId="af95c5c7-0698-xxxxxxxxxxxx"
export Dynu_Secret="WQggKzW2yyyyyyyyyyyyyyy"[/code]# Close the SSH session and open a new one so the acme.sh function is loaded[code]acme.sh --issue --dns dns_dynu -d your.dynu.net[/code][/size]Message:
[size=1][quote]Your cert is in /home/yourname/.acme.sh/your.dynu.net/your.dynu.net.cer
Your cert key is in /home/yourname/.acme.sh/your.dynu.net/your.dynu.net.key
The intermediate CA cert is in /home/yourname/.acme.sh/youryiu.dynu.net/ca.cer
And the full chain certs is there: /home/yourname/.acme.sh/your.dynu.net/fullchain.cer [/quote][/size]
Extract the certificate and convert its format, e.g. for lighttpd (which needs the two files combined) and ocserv. Move it to another folder so it can be shared.[size=1][quote]acme.sh --install-cert -d your.dynu.net \
--key-file /etc/ocserv/ssl/server.key \
--cert-file /etc/ocserv/ssl/server.crt \
--fullchain-file /etc/ocserv/ssl/fullchain.crt \
--reloadcmd "cat /etc/ocserv/ssl/server.crt /etc/ocserv/ssl/server.key > /root/ssl/server.pem && systemctl restart ocserv"
[/quote][/size]
Add the two lines below to ocserv.conf in /etc/ocserv
[quote][size=1]server-cert = /etc/ocserv/ssl/fullchain.crt
server-key = /etc/ocserv/ssl/server.key
listen-host-is-dyndns = true
max-same-clients = 10
try-mtu-discovery = true
auth-timeout = 100
[/size][/quote]
[url]https://github.com/h0wardch3ng/one-key-ocserv[/url]
[url]https://www.linuxbabe.com/ubuntu/openconnect-vpn-server-ocserv-ubuntu-16-04-17-10-lets-encrypt[/url] [i=s] This post was last edited by yiucsw on 2021-1-1 01:00 [/i]
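The --reloadcmd in the acme.sh --install-cert step above concatenates the certificate and key and restarts ocserv in one shot. The script below is an added example, not part of this thread: it does the same job as a standalone reload script, but refuses to write the combined PEM when either input is missing or is not the kind of PEM it should be, keeps the private key and the combined PEM owner-only, and skips the restart when systemctl is not available. The paths are the ones used in the thread; the script name /usr/local/sbin/acme-reload.sh and the "run" argument are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: a standalone reload script for acme.sh's
# --reloadcmd. It rebuilds the combined PEM (lighttpd wants cert + key in one
# file), keeps the private key and the PEM owner-only, and restarts ocserv only
# when both inputs look like real PEM material. Paths are the thread's; the
# script name and the "run" argument are assumptions.
: "${OCSERV_SSL:=/etc/ocserv/ssl}"
: "${PEM_OUT:=/root/ssl/server.pem}"

# other_perms FILE -> the "other" rwx triplet from ls -l, e.g. "---" for 0600
other_perms() {
    ls -ld "$1" | cut -c8-10
}

# check_pem_file FILE MARKER -> 0 if FILE is non-empty and contains MARKER
check_pem_file() {
    [ -s "$1" ] && grep -q -- "$2" "$1"
}

# build_pem CERT KEY OUT
# Writes CERT followed by KEY to OUT, created with mode 0600 (umask 077 in a
# subshell). Returns 1 without touching OUT if either input is missing or is
# not the kind of PEM it should be, so a half-installed certificate never
# reaches ocserv or lighttpd.
build_pem() {
    cert=$1; key=$2; out=$3
    check_pem_file "$cert" "BEGIN CERTIFICATE" || { echo "bad cert: $cert" >&2; return 1; }
    check_pem_file "$key" "PRIVATE KEY" || { echo "bad key: $key" >&2; return 1; }
    chmod 600 "$key"                     # the installed key must not be group/world readable
    mkdir -p "$(dirname "$out")"
    rm -f "$out"                         # never inherit an old file's wider permissions
    ( umask 077 && cat "$cert" "$key" > "$out" ) || return 1
    [ "$(other_perms "$out")" = "---" ] || { echo "unexpected permissions on $out" >&2; return 1; }
    return 0
}

# reload_ocserv: restart the service, or say so if systemctl is unavailable
reload_ocserv() {
    if command -v systemctl >/dev/null 2>&1; then
        systemctl restart ocserv
    else
        echo "systemctl not found; skipping ocserv restart" >&2
    fi
}

main() {
    build_pem "$OCSERV_SSL/server.crt" "$OCSERV_SSL/server.key" "$PEM_OUT" && reload_ocserv
}

# Only act when invoked as "acme-reload.sh run", so the functions can be
# sourced for testing without touching /etc or restarting anything.
if [ "${1:-}" = "run" ]; then
    main
fi
```

Save it as /usr/local/sbin/acme-reload.sh (assumed path) and point acme.sh at it with --reloadcmd "/usr/local/sbin/acme-reload.sh run". ocserv itself keeps reading fullchain.crt and server.key from ocserv.conf; the combined PEM is only for lighttpd, so a failed build leaves the last good PEM in place.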
[b]This is the login certificate: a server certificate you sign yourself.[/b]
Because cert-user-oid = 2.5.4.3 (which stands for CN) is used, the CN must match.[code]sudo apt install gnutls-bin[/code]ocserv.conf
[quote][size=1]auth = "pam[gid-min=1000]"
enable-auth = "certificate"
[/size][/quote][code]sudo apt install certbot[/code]Create your own CA
[quote]1. Generate the private key
2. Generate the certificate based on the private key and the CA template[/quote]
Create a private certificate
[b]Generate Private key[/b]
[size=1][code]sudo certtool --generate-privkey --outfile ca-privkey.pem[/code][/size]
CA certificate template ca-cert.cfg
[quote][size=1]cn = "your.dynu.net"
organization = "HP"
serial = 1
expiration_days = -1
ca
signing_key
cert_signing_key
crl_signing_key
[/size][/quote]
[b]Generate CA certificate[/b][code]sudo certtool --generate-self-signed --load-privkey ca-privkey.pem --template ca-cert.cfg --outfile ca-cert.pem[/code]Create Client certificate:
1. Create another private key for the client certificate
[b]Create private key[/b] for the client certificate -> client-privkey.pem[code]sudo certtool --generate-privkey --outfile client-privkey.pem[/code]Create the certificate from the private key and the client-cert.cfg template
client-cert.cfg
[quote][size=1]organization = "HP"
cn = "your.dynu.net"
expiration_days = 3650
tls_www_client
signing_key
encryption_key[/size][/quote]
Create the user certificate:[code]sudo certtool --generate-certificate --load-privkey client-privkey.pem --load-ca-certificate ca-cert.pem --load-ca-privkey ca-privkey.pem --template client-cert.cfg --outfile client-cert.pem[/code]Create the user android.p12 certificate[code]sudo certtool --to-p12 --load-privkey client-privkey.pem --load-certificate client-cert.pem --pkcs-cipher aes-256 --outfile client.p12 --outder[/code]Create the user ios.p12 certificate (iphone/macos)[code]sudo certtool --to-p12 --load-privkey client-privkey.pem --load-certificate client-cert.pem --pkcs-cipher 3des-pkcs12 --outfile ios-client.p12 --outder[/code]client-cert.cfg
[quote][size=1]cn = "user"
unit = "admins"
expiration_days = 3650
signing_key
tls_www_client[/size][/quote][code]nano ocserv.conf[/code][size=1]disable TLS 1.3 for GnuTLS error.
2.5.4.3 stands for CN[/size]
[quote][size=1]tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-RSA:-VERS-SSL3.0:-ARCFOUR-128:-VERS-TLS1.0:-VERS-TLS1.1:-VERS-TLS1.3"
ca-cert = /etc/ocserv/ssl/ca-cert.pem
cert-user-oid = 2.5.4.3[/size][/quote] [i=s] This post was last edited by yiucsw on 2020-12-4 23:57 [/i]
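The post above relies on cert-user-oid = 2.5.4.3, so whatever ends up in the client certificate's CN becomes the login name ocserv sees. The script below is an added example, not from the thread: it writes the two certtool templates as the post gives them (constructed copies in a work directory), validates them (the CA template must carry ca and cert_signing_key; the client template must carry tls_www_client and a cn, and must not carry CA flags), and, only when gnutls-bin is installed, runs the post's certtool commands and reads the CN back out of the resulting client certificate. The function names and the work-directory layout are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: validates the certtool templates before
# they are used, then (only if gnutls-bin is installed) runs the post's
# CA -> client certificate steps and reads the CN back, since ocserv maps that
# CN to the login name through cert-user-oid = 2.5.4.3. Templates are copied
# from the post into a work directory; function names are assumptions.

# has_opt FILE OPT -> 0 if OPT is present as a bare option line (e.g. "ca")
has_opt() {
    grep -Eq "^[[:space:]]*$2[[:space:]]*(#.*)?$" "$1"
}

# get_val FILE KEY -> prints the quoted value of KEY, e.g. cn = "user" -> user
get_val() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$1" | head -n 1
}

# check_ca_template FILE: the CA template needs ca, cert_signing_key and a cn
check_ca_template() {
    has_opt "$1" ca && has_opt "$1" cert_signing_key && [ -n "$(get_val "$1" cn)" ]
}

# check_client_template FILE: a client template must be tls_www_client, must
# carry a cn (that string becomes the username), and must not carry CA flags;
# a client certificate issued with "ca" could itself sign certificates that
# chain to the ca-cert ocserv trusts.
check_client_template() {
    f=$1
    has_opt "$f" tls_www_client || { echo "$f: missing tls_www_client" >&2; return 1; }
    if has_opt "$f" ca || has_opt "$f" cert_signing_key; then
        echo "$f: client template must not carry CA flags" >&2
        return 1
    fi
    [ -n "$(get_val "$f" cn)" ] || { echo "$f: missing cn" >&2; return 1; }
    return 0
}

# write_templates DIR: the two templates as the post gives them (constructed copies)
write_templates() {
    printf '%s\n' 'cn = "your.dynu.net"' 'organization = "HP"' 'serial = 1' \
        'expiration_days = -1' 'ca' 'signing_key' 'cert_signing_key' \
        'crl_signing_key' > "$1/ca-cert.cfg"
    printf '%s\n' 'cn = "user"' 'unit = "admins"' 'expiration_days = 3650' \
        'signing_key' 'tls_www_client' > "$1/client-cert.cfg"
}

# issue_client DIR: the post's certtool commands, run in DIR; prints the CN of
# the resulting client certificate. Returns 2 if certtool is not installed.
issue_client() {
    d=$1
    command -v certtool >/dev/null 2>&1 || { echo "certtool not installed" >&2; return 2; }
    check_ca_template "$d/ca-cert.cfg" && check_client_template "$d/client-cert.cfg" || return 1
    certtool --generate-privkey --outfile "$d/ca-privkey.pem" 2>/dev/null
    certtool --generate-self-signed --load-privkey "$d/ca-privkey.pem" \
        --template "$d/ca-cert.cfg" --outfile "$d/ca-cert.pem" 2>/dev/null
    certtool --generate-privkey --outfile "$d/client-privkey.pem" 2>/dev/null
    certtool --generate-certificate --load-privkey "$d/client-privkey.pem" \
        --load-ca-certificate "$d/ca-cert.pem" --load-ca-privkey "$d/ca-privkey.pem" \
        --template "$d/client-cert.cfg" --outfile "$d/client-cert.pem" 2>/dev/null
    # "certtool -i" prints a "Subject: CN=user,OU=admins" line; keep the CN only
    certtool -i --infile "$d/client-cert.pem" |
        sed -n 's/^[[:space:]]*Subject: .*CN=\([^,]*\).*/\1/p' | head -n 1
}

# Stand-alone run: write the templates into a scratch directory and try issuing.
if [ "${1:-}" = "run" ]; then
    work=$(mktemp -d)
    write_templates "$work"
    issue_client "$work"
fi
```

Run it as "sh script.sh run" on the N1; the CN it prints is the name you would create with ocpasswd or in PAM, which is the alignment the post means by "the CN must match". Rejecting a client template that carries the ca flag is the part worth keeping even if you issue certificates by hand.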
Let VPN clients reach other websites through the VPN server:[code]nano /etc/sysctl.conf[/code][quote][size=1]# Uncomment this to allow this host to route packets between interfaces
net/ipv4/ip_forward=1
net/ipv6/conf/all/forwarding=1[/size][/quote]
[size=1]The -p option will load sysctl settings from /etc/sysctl.conf file. This command will preserve our changes across system reboots.[code]sudo sysctl -p[/code][/size]
IP Masquerading:[size=1][quote]sudo iptables -A FORWARD -s 192.168.200.0/24 -j ACCEPT
sudo iptables -t nat -A POSTROUTING -s 192.168.200.0/24 -o eth0 -j MASQUERADE
sudo iptables -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
sudo iptables -A FORWARD -o vpns+ -j ACCEPT
sudo iptables -A FORWARD -i vpns+ -j ACCEPT[/quote][/size]
Keep iptables rules across reboots
[size=1][quote]sudo apt install -y iptables-persistent[/quote][/size] [i=s] This post was last edited by yiucsw on 2020-12-6 22:33 [/i]
The phone and the N1 are on the same network.
[b]Test 1:[/b]
Open Cisco AnyConnect.
[attach]4509[/attach]
Tap Connect -> Add new VPN connection -> Add the server address.
- N1 address, e.g. 192.168.x.x
Connect
[attach]4510[/attach]
enter userid = root (armbian username)
enter password = armbian user password
Connected.
open browser
can access router
[b]Test 2:[/b]
Forward port 443 TCP/UDP on the 1st level router to the N1 IP address
Turn off wifi. Use the phone's mobile data.
Open Cisco AnyConnect.
Tap Connect -> Add new VPN connection -> Add the 1st level router's address as the server address.
Connect
open browser
can access website.
whatismyip shows the phone's IP address [i=s] This post was last edited by yiucsw on 2020-12-5 01:14 [/i]
Backup conf[code]cp /etc/ocserv/ocserv.conf /etc/ocserv/ocserv.template
nano /etc/ocserv/ocserv.conf[/code]Change the following [quote]
dns = 9.9.9.9
dns = 1.1.1.1
try-mtu-discovery = true
[/quote]
Comment out all routes [quote]
#route = 10.0.0.0/8
#route = 172.16.0.0/12
#route = 192.168.0.0/16[/quote][code]systemctl restart ocserv[/code]Open OpenConnect on the phone
whatismyipaddress changes to the IP on the N1 side. [i=s] This post was last edited by yiucsw on 2020-12-6 00:09 [/i]
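Both the ocserv.conf lines added in the certificate post (server-cert, server-key, listen-host-is-dyndns, max-same-clients, try-mtu-discovery, auth-timeout) and this post's changes (the dns lines, try-mtu-discovery, commenting out every route) are hand edits in nano. The script below is an added example, not from the thread, that makes the same edits idempotently: a key already present is replaced in place rather than duplicated, a multi-valued key such as dns gets one line per value, and route lines are commented out rather than deleted so the change is easy to reverse. The sample configuration fragment is constructed (it is not the packaged default file), and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: idempotent edits to ocserv.conf covering
# the thread's two rounds of changes (TLS/client settings in one post, dns and
# route changes in a later one). Keys are replaced in place, never duplicated;
# multi-valued keys get one line per value; routes are commented out, not
# deleted. The sample config and the function names are assumptions.

# conf_set FILE KEY VALUE...  replace every active "KEY = ..." line with one
# line per VALUE at the position of the first match, or append if absent.
# Commented-out lines ("#KEY = ...") are left untouched.
conf_set() {
    f=$1; k=$2; shift 2
    tmp=$(mktemp)
    KEY=$k VALS=$(printf '%s\n' "$@") awk '
        BEGIN { k = ENVIRON["KEY"]; n = split(ENVIRON["VALS"], vals, "\n") }
        $0 ~ ("^[ \t]*" k "[ \t]*=") {
            if (!done) { for (i = 1; i <= n; i++) print k " = " vals[i]; done = 1 }
            next
        }
        { print }
        END { if (!done) for (i = 1; i <= n; i++) print k " = " vals[i] }
    ' "$f" > "$tmp" && cat "$tmp" > "$f"     # cat keeps the file's owner and mode
    rm -f "$tmp"
}

# conf_comment FILE KEY  comment out every active "KEY = ..." line
conf_comment() {
    f=$1; tmp=$(mktemp)
    KEY=$2 awk '
        BEGIN { k = ENVIRON["KEY"] }
        $0 ~ ("^[ \t]*" k "[ \t]*=") { print "#" $0; next }
        { print }
    ' "$f" > "$tmp" && cat "$tmp" > "$f"
    rm -f "$tmp"
}

# conf_get FILE KEY  print the active value(s) of KEY, one per line
conf_get() {
    KEY=$2 awk '
        BEGIN { k = ENVIRON["KEY"] }
        $0 ~ ("^[ \t]*" k "[ \t]*=") { sub("^[ \t]*" k "[ \t]*=[ \t]*", ""); print }
    ' "$1"
}

# write_sample_conf FILE  a constructed fragment standing in for the packaged
# /etc/ocserv/ocserv.conf (not the real default file)
write_sample_conf() {
    printf '%s\n' \
        'auth = "plain[passwd=/etc/ocserv/ocpasswd]"' \
        'tcp-port = 443' \
        'udp-port = 443' \
        'server-cert = /etc/ocserv/old-server.crt' \
        'server-key = /etc/ocserv/old-server.key' \
        '#dns = 192.168.1.2' \
        'dns = 8.8.8.8' \
        'route = 10.0.0.0/8' \
        'route = 172.16.0.0/12' \
        'route = 192.168.0.0/16' > "$1"
}

# apply_thread_changes FILE  keep a pristine backup (like the thread's
# ocserv.template copy) and apply both posts' edits.
apply_thread_changes() {
    f=$1
    [ -e "$f.bak" ] || cp -p "$f" "$f.bak"
    conf_set "$f" server-cert /etc/ocserv/ssl/fullchain.crt
    conf_set "$f" server-key /etc/ocserv/ssl/server.key
    conf_set "$f" listen-host-is-dyndns true
    conf_set "$f" max-same-clients 10
    conf_set "$f" try-mtu-discovery true
    conf_set "$f" auth-timeout 100
    conf_set "$f" dns 9.9.9.9 1.1.1.1
    conf_comment "$f" route     # full tunnel: no split routes pushed to clients
}

# Stand-alone: "sh ocserv-conf.sh /etc/ocserv/ocserv.conf" applies the changes.
if [ -n "${1:-}" ]; then
    apply_thread_changes "$1"
fi
```

Running it twice leaves the file unchanged the second time, which is what you want when the acme.sh reload or a reinstall re-runs your provisioning; a plain "echo >> ocserv.conf" would keep appending and ocserv would silently take whichever duplicate it reads last.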
Updating the DYNU IP; installation method on N1 armbian:
[code]sudo apt-get install ddclient -y[/code]
configuration example
[url]https://www.dynu.com/DynamicDNS/IPUpdateClient/DDClient[/url][code]nano /etc/ddclient.conf[/code][quote][size=1]# use ssl-support. Works with ssl-library
ssl=yes
# get ip from server.
use=web, web=checkip.dynu.com/, web-skip='IP Address'
# default server
server=api.dynu.com
# default login
login=your email id
# default password
password=***********
protocol=dyndns2
your.dynu.com[/size][/quote][code]nano /etc/default/ddclient[/code][quote]run_ipup="false"
run_daemon="true"[/quote]
run the following command:[code]sudo /usr/sbin/ddclient -daemon 300 -syslog[/code]debug -
[size=1][quote]sudo rm ddclient.cache <- ddclient checks its cache for changes, not the real DNS
sudo systemctl restart ddclient[/quote][/size]
[url]https://lightzhan.xyz/index.php/en/2020/03/14/ddclient-installation-and-configration-tutorial-use-dynu-as-an-example/[/url] Do you have to type the id/password every time you connect? [i=s] This post was last edited by yiucsw on 2020-12-5 10:59 [/i]
[b]Reply to [url=http://www.telecom-cafe.com/forum/redirect.php?goto=findpost&pid=48024&ptid=7792]8#[/url] [i]tomleehk[/i] [/b]
Store them in the conf file: username, password = update password...
Right now I can't find the logs for ddclient and acme, so I don't know whether they are running! Headache.
Also, the intranet is connected but the internet isn't yet. [i=s] This post was last edited by tomleehk on 2020-12-5 13:05 [/i]
[attach]4542[/attach]
If you use cert + key, I guess you don't necessarily need to enter any id / password. With the cert + key files you can generate a client-side .p12 file and load it into the client apps; then you don't need to enter a password on the client side every time you connect, you just flip the switch on the client side from left to right and the connection is done.
Personally I'm a bit lazy.