返回列表 發帖

Openconnect VPN server installation instruction for debian wheezy x 86

本帖最後由 ckleea 於 2015-5-15 09:35 編輯

通過雯雯介紹

成功將Openconnect VPN server 放在 Debian Wheezy X86 server
安排方法如下

1. 系統準備
  1. # need to have newer gnutls req backports
  2. echo "deb http://ftp.debian.org/debian wheezy-backports main contrib non-free" | tee -a /etc/apt/sources.list
  3. aptitude update
  4. aptitude -t wheezy-backports -y install libgnutls28-dev
  5. aptitude -y install libgmp3-dev m4 gcc pkg-config make gnutls-bin libreadline-dev
  6. aptitude -y install libpam0g-dev libwrap0-dev  liblz4-dev  libseccomp-dev libkrb5-dev libprotobuf-c0-dev libnl-route-3-dev  libreadline-dev libtalloc-dev libopts25-dev libwrap0-dev
複製代碼
2. 下載OpenConnect VPN Server 源碼 # as of today, latest=0.10.4
  1. # Get OCServ
  2. mkdir /usr/src/ocserv
  3. cd /usr/src/ocserv
  4. wget ftp://ftp.infradead.org/pub/ocserv/ocserv-0.10.4.tar.xz
  5. tar xvf ocserv-0.10.4.tar.xz
  6. cd ocserv-0.10.4
  7. ./configure --prefix=/usr --sysconfdir=/etc
  8. make
  9. make install
  10. mkdir /etc/ocserv
  11. cp doc/sample.config /etc/ocserv/
  12. mv /etc/ocserv/sample.config /etc/ocserv/ocserv.conf
複製代碼
3. 準備 系統 certificate,如有有效的certificate更好
  1. ## Generate your self-signed certificate for Ocserv use
  2. ## change the value in CN and organization based on your choice
  3. ## create two files for certificate generation
  4. 1. ca.tmpl
  5.         cn = "VPN CA"
  6.         organization = "Big Corp"
  7.         serial = 1
  8.         expiration_days = 9999
  9.         ca
  10.         signing_key
  11.         cert_signing_key
  12.         crl_signing_key


  13. 2. server.tmpl
  14.         cn = "www.example.com"
  15.         organization = "MyCompany"
  16.         expiration_days = 9999
  17.         signing_key
  18.         encryption_key
  19.         tls_www_server


  20. certtool --generate-privkey --outfile ca-key.pem

  21. certtool --generate-self-signed --load-privkey ca-key.pem --template ca.tmpl --outfile ca-cert.pem

  22. certtool --generate-privkey --outfile server-key.pem

  23. certtool --generate-certificate --load-privkey server-key.pem --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem --template server.tmpl --outfile server-cert.pem

  24. cp server-cert.pem /etc/ssl/certs/
  25. cp server-key.pem /etc/ssl/private/
複製代碼
4. 修改設定檔,只需要修改下面的行列
  1. ## config your own /etc/ocserv/ocserv.conf
  2. ## change the setting as below
  3. ## note the port 443 and ipaddress 10.10.0.0 are of your choice

  4. #auth = "plain[./sample.passwd]"
  5. auth = "plain[/etc/ocserv/ocpasswd]"
  6. #auth = "pam"
  7. ...
  8. #max-clients = 1024
  9. max-clients = 16
  10. ...
  11. #max-same-clients = 2
  12. max-same-clients = 10
  13. ...
  14. # TCP and UDP port number
  15. tcp-port = 443
  16. udp-port = 443
  17. ...
  18. #server-cert = ../tests/server-cert.pem
  19. #server-key = ../tests/server-key.pem
  20. server-cert = /etc/ssl/certs/server-cert.pem
  21. server-key = /etc/ssl/private/server-key.pem
  22. ...
  23. #run-as-group = daemon
  24. run-as-group = nogroup
  25. ...
  26. # The pool of addresses that leases will be given from.
  27. #ipv4-network = 192.168.1.0
  28. ipv4-network = 10.10.0.0
  29. ipv4-netmask = 255.255.255.0
  30. ...
  31. # dns = fc00::4be0
  32. #dns = 192.168.1.2
  33. dns = 8.8.8.8
  34. dns = 208.67.222.222
  35. ...
  36. #route = 192.168.1.0/255.255.255.0
  37. #route = 192.168.5.0/255.255.255.0
  38. #route = fef4:db8:1000:1001::/64
複製代碼
5. 設定防火牆
  1. ## add the following to /etc/rc.local
  2. ## change the port 443 to the port you choose
  3. ## change the ip address 10.10.0.0 to the ip address you choose

  4. iptables -A INPUT -p tcp --dport 443 -j ACCEPT
  5. iptables -A INPUT -p udp --dport 443 -j ACCEPT
  6. iptables -t nat -A POSTROUTING -s 10.10.0.0/24 -o eth0 -j MASQUERADE
  7. iptables -A FORWARD -s 10.10.0.0/24 -j ACCEPT
  8. echo 1 > /proc/sys/net/ipv4/ip_forward
複製代碼
6. 建立起動源碼
  1. ## create the ocserv init file at /etc/init.d/ocserv and make it executable by chmod a+x /etc/init.d/ocserv

  2. #!/bin/sh
  3. ### BEGIN INIT INFO
  4. # Provides:          ocserv
  5. # Required-Start:    $remote_fs $syslog
  6. # Required-Stop:     $remote_fs $syslog
  7. # Default-Start:     2 3 4 5
  8. # Default-Stop:      0 1 6
  9. ### END INIT INFO
  10. # Copyright Rene Mayrhofer, Gibraltar, 1999
  11. # This script is distibuted under the GPL

  12. PATH=/bin:/usr/bin:/sbin:/usr/sbin
  13. DAEMON=/usr/sbin/ocserv
  14. PIDFILE=/var/run/ocserv.pid
  15. DAEMON_ARGS="-c /etc/ocserv/ocserv.conf"

  16. case "$1" in
  17. start)
  18. if [ ! -r $PIDFILE ]; then
  19. echo -n "Starting OpenConnect VPN Server Daemon: "
  20. start-stop-daemon --start --quiet --pidfile $PIDFILE --exec $DAEMON -- \
  21. $DAEMON_ARGS > /dev/null
  22. echo "ocserv."
  23. else
  24. echo -n "OpenConnect VPN Server is already running.\n\r"
  25. exit 0
  26. fi
  27. ;;
  28. stop)
  29. echo -n "Stopping OpenConnect VPN Server Daemon: "
  30. start-stop-daemon --stop --quiet --pidfile $PIDFILE --exec $DAEMON
  31. echo "ocserv."
  32. rm -f $PIDFILE
  33. ;;
  34. force-reload|restart)
  35. echo "Restarting OpenConnect VPN Server: "
  36. $0 stop
  37. sleep 1
  38. $0 start
  39. ;;
  40. status)
  41. if [ ! -r $PIDFILE ]; then
  42. # no pid file, process doesn't seem to be running correctly
  43. exit 3
  44. fi
  45. PID=`cat $PIDFILE | sed 's/ //g'`
  46. EXE=/proc/$PID/exe
  47. if [ -x "$EXE" ] &&
  48. [ "`ls -l \"$EXE\" | cut -d'>' -f2,2 | cut -d' ' -f2,2`" = \
  49. "$DAEMON" ]; then
  50. # ok, process seems to be running
  51. exit 0
  52. elif [ -r $PIDFILE ]; then
  53. # process not running, but pidfile exists
  54. exit 1
  55. else
  56. # no lock file to check for, so simply return the stopped status
  57. exit 3
  58. fi
  59. ;;
  60. *)
  61. echo "Usage: /etc/init.d/ocserv {start|stop|restart|force-reload|status}"
  62. exit 1
  63. ;;
  64. esac

  65. exit 0
複製代碼
7. 其他
  1. ## enable auto run ocserv service by update-rc.d ocserv defaults
  2. ## create your user account as ocpasswd -c /etc/ocserv/ocpasswd username
  3. ## config your route to allow the port to connect to ocserv

  4. chmod a+x /etc/init.d/ocserv
  5. update-rc.d ocserv defaults
  6. ocpasswd -c /etc/ocserv/ocpasswd username
複製代碼
8.最後重啟系統
  1. ## reboot the machine and openconnect server should work
複製代碼

我的介紹不是自動安裝scripts

需要 copy and paste 部分係 command line 行
部分需要 editor 修改

TOP

TOP

An update

0.10.4 ocserv also works

TOP

更新了帖的instructions

TOP

If you use rsyslog to log the auth messages from ocserv

add the following lines into /etc/rsyslog.conf
# log messages from ocserv into /var/log/ocserv.log
if $programname == 'ocserv'  then /var/log/ocserv.log

It will log the message into /var/log/ocserv.log

TOP

請問可唔可以教下整CA 果一part, 我覺得好難明, 唔知自己做緊什麼

TOP

ck这个帖子不错!有非常好的参考价值。

TOP

返回列表