Installing and configuring the AnyConnect server software: ocserv

AnyConnect is Cisco's VPN client; clients exist for Windows, Android, iOS, Mac, Ubuntu, WebOS and BlackBerry. Its purpose is to let staff work securely from any device, and its main advantage is that the server can push a route table to the client, so only the networks you choose are sent through the VPN (split tunnelling).

This article shows how to build an AnyConnect-compatible server with ocserv (the OpenConnect VPN server).

Environment used in this article: Debian 7 (wheezy), ocserv version 0.9.2.

Tested on 2015-02-28.

1. Preparing the build environment

ocserv uses GnuTLS as its TLS library, so the matching -dev package is needed to compile it. The GnuTLS shipped in Debian stable (2.12.20) is too old; ocserv needs a GnuTLS 3 release (the libgnutls28-dev package), so install it from wheezy-backports:

echo "deb http://ftp.debian.org/debian wheezy-backports main contrib non-free" >> /etc/apt/sources.list

Update the package lists and upgrade:

apt-get update
apt-get upgrade

Install the build dependencies (this package list was copied from someone else's install guide):

apt-get -t wheezy-backports install libgnutls28-dev -y
apt-get install libgmp3-dev m4 gcc pkg-config make gnutls-bin -y
apt-get install build-essential libwrap0-dev libpam0g-dev libdbus-1-dev libreadline-dev libnl-route-3-dev libprotobuf-c0-dev libpcl1-dev libopts25-dev autogen libgnutls28-dev libseccomp-dev liblz4-dev -y

Download, build and install. The tarball is fetched over plain FTP, so check its signature or checksum against what the project publishes before building it:

wget ftp://ftp.infradead.org/pub/ocserv/ocserv-0.9.2.tar.xz
tar Jxvf ocserv-0.9.2.tar.xz
cd ocserv-0.9.2
./configure --prefix=/usr --sysconfdir=/etc
make
make install

2. Generating certificates

Create the CA key and certificate:

certtool --generate-privkey --outfile ca-key.pem

Create a `ca.tmpl` file (vim ca.tmpl) with the following contents:

cn = "HaiTao"
organization = "HaiTao Corp"
serial = 1
expiration_days = 3650
ca
signing_key
cert_signing_key
crl_signing_key

Then self-sign the CA certificate from that template:

certtool --generate-self-signed --load-privkey ca-key.pem --template ca.tmpl --outfile ca-cert.pem

Generate the server certificate, signed by the CA. The cn must be the hostname clients will connect to, because clients that verify the certificate compare it with the address they dial:

certtool --generate-privkey --outfile server-key.pem

Create a `server.tmpl` file (vim server.tmpl) with:

cn = "www.haitao.com"
organization = "HaiTao Corp"
serial = 2
expiration_days = 3650
encryption_key
signing_key
tls_www_server

Then issue the server certificate with the CA key:

certtool --generate-certificate --load-privkey server-key.pem --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem --template server.tmpl --outfile server-cert.pem

Once generated, put server-cert.pem under /etc/ssl/certs and server-key.pem under /etc/ssl/private. Note that ocserv does not need the CA private key at run time (it is only used to sign further certificates); keeping ca-key.pem off the server is safer, and both private keys should be readable by root only (mode 600). /etc/ssl already exists on Debian, so use mkdir -p:

mkdir -p /etc/ssl
mkdir -p /etc/ssl/certs
mkdir -p /etc/ssl/private
cp ca-cert.pem /etc/ssl/certs
cp ca-key.pem /etc/ssl/private
cp server-cert.pem /etc/ssl/certs
cp server-key.pem /etc/ssl/private

3. Editing the configuration file

Copy the sample configuration into /etc/ocserv:

mkdir /etc/ocserv
cp ~/ocserv-0.9.2/doc/sample.config /etc/ocserv/
cp /etc/ocserv/sample.config /etc/ocserv/ocserv.conf

Edit the configuration:

vim /etc/ocserv/ocserv.conf

Change the following entries:

auth = "plain[/etc/ocserv/ocpasswd]"
# ocserv supports several authentication methods; this is the built-in password file, created with ocpasswd (see below)
# ocserv also supports certificate authentication, and through PAM (Pluggable Authentication Modules) it can use RADIUS and other back ends
# certificate and key paths
server-cert = /etc/ssl/certs/server-cert.pem
server-key = /etc/ssl/private/server-key.pem
# maximum number of simultaneous sessions for one user
max-same-clients = 10
# group the worker processes run as
run-as-group = nogroup
# address range handed out to VPN clients
ipv4-network = 10.10.0.0
# DNS servers pushed to clients
dns = 8.8.8.8
dns = 8.8.4.4
# Keepalive in seconds
keepalive = 600
# Dead peer detection in seconds.
dpd = 900
# Dead peer detection for mobile clients. The needs to
# be much higher to prevent such clients being awaken too
# often by the DPD messages, and save battery.
# (clients that send the X-AnyConnect-Identifier-DeviceType)
mobile-dpd = 1800
# The time (in seconds) that a client is allowed to stay idle (no traffic)
# before being disconnected. Unset to disable.
idle-timeout = 3600
# The time (in seconds) that a mobile client is allowed to stay idle (no
# traffic) before being disconnected. Unset to disable.
mobile-idle-timeout = 3600
# The route entries are the split-tunnel list: only these networks are sent through the VPN.
# Comment out every route line (as the two sample entries below are) to send all client traffic through the VPN instead.
#route = 192.168.16.0/255.255.255.0
#route = 192.168.5.0/255.255.255.0
route = 103.0.0.0/255.0.0.0
route = 106.0.0.0/255.0.0.0
route = 107.0.0.0/255.0.0.0
route = 108.0.0.0/255.0.0.0
route = 141.0.0.0/255.0.0.0
route = 153.0.0.0/255.0.0.0
route = 160.0.0.0/255.0.0.0
route = 166.0.0.0/255.0.0.0
route = 17.0.0.0/255.0.0.0
route = 173.0.0.0/255.0.0.0
route = 176.0.0.0/255.0.0.0
route = 178.0.0.0/255.0.0.0
route = 184.0.0.0/255.0.0.0
route = 194.0.0.0/255.0.0.0
route = 198.0.0.0/255.0.0.0
route = 199.0.0.0/255.0.0.0
route = 203.0.0.0/255.0.0.0
route = 204.0.0.0/255.0.0.0
route = 205.0.0.0/255.0.0.0
route = 208.0.0.0/255.0.0.0
route = 209.0.0.0/255.0.0.0
route = 210.0.0.0/255.0.0.0
route = 216.0.0.0/255.0.0.0
route = 3.0.0.0/255.0.0.0
route = 4.0.0.0/255.0.0.0
route = 31.0.0.0/255.0.0.0
route = 46.0.0.0/255.0.0.0
route = 50.0.0.0/255.0.0.0
route = 54.0.0.0/255.0.0.0
route = 61.0.0.0/255.0.0.0
route = 64.0.0.0/255.0.0.0
route = 67.0.0.0/255.0.0.0
route = 68.0.0.0/255.0.0.0
route = 69.0.0.0/255.0.0.0
route = 70.0.0.0/255.0.0.0
route = 72.0.0.0/255.0.0.0
route = 74.0.0.0/255.0.0.0
route = 75.0.0.0/255.0.0.0
route = 76.0.0.0/255.0.0.0
route = 77.0.0.0/255.0.0.0
route = 79.0.0.0/255.0.0.0
route = 8.0.0.0/255.0.0.0

Create a user (replace user with the username you want to add):

ocpasswd -c /etc/ocserv/ocpasswd user

4. Other configuration

Enable IP forwarding:

vim /etc/sysctl.conf
# change this line
net.ipv4.ip_forward = 1
# save and exit, then apply it
sysctl -p

iptables rules. Note that this MASQUERADE rule has no -s or -o match, so it NATs every packet the host forwards, not only VPN client traffic, and the FORWARD chain is left at its default policy; on a production host, restrict both NAT and forwarding to the client subnet and the Internet-facing interface:

iptables -t nat -A POSTROUTING -j MASQUERADE
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

Debugging (run in the foreground with debug output):

ocserv -c /etc/ocserv/ocserv.conf -f -d 1

Start at boot:

vim /etc/rc.local
Add:
iptables -t nat -A POSTROUTING -j MASQUERADE
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
ocserv -c /etc/ocserv/ocserv.conf
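As an added example (not from the original post and not part of ocserv), the POSIX shell script below covers two things the steps above leave to the reader: it converts the network/netmask notation used for ipv4-network and the long route list into CIDR and rejects malformed masks, so a typo in that list is caught before restarting the daemon, and it prints iptables rules scoped to the VPN client subnet in place of the unrestricted MASQUERADE rule used in section 4 and in rc.local. The netmask 255.255.255.0 for ipv4-network and eth0 as the Internet-facing interface are assumptions, not values from the page, and all function names are the example's own; the configuration excerpt in it is constructed.

```shell
#!/bin/sh
# Added example: not from the original post and not part of ocserv.
# 1) Converts the "network/netmask" notation used by ipv4-network and the
#    "route =" entries in the ocserv.conf above into CIDR, rejecting bad masks.
# 2) Prints iptables rules scoped to the VPN client subnet, instead of the
#    unrestricted "-t nat -A POSTROUTING -j MASQUERADE" from the post.
# Assumptions not stated on the page: ipv4-netmask = 255.255.255.0 and eth0 is
# the Internet-facing interface.

# mask_to_prefix 255.255.255.0 -> 24. Fails (exit 1) for anything that is not a
# contiguous netmask, e.g. 255.0.255.0 or 255.255.255.1.
mask_to_prefix() {
  prefix=0
  closed=0
  old_ifs=$IFS
  IFS=.
  set -- $1
  IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    # once an octet below 255 has been seen, every later octet must be 0
    if [ "$closed" -eq 1 ] && [ "$octet" != 0 ]; then
      return 1
    fi
    case $octet in
      255) prefix=$((prefix + 8)) ;;
      254) prefix=$((prefix + 7)); closed=1 ;;
      252) prefix=$((prefix + 6)); closed=1 ;;
      248) prefix=$((prefix + 5)); closed=1 ;;
      240) prefix=$((prefix + 4)); closed=1 ;;
      224) prefix=$((prefix + 3)); closed=1 ;;
      192) prefix=$((prefix + 2)); closed=1 ;;
      128) prefix=$((prefix + 1)); closed=1 ;;
      0)   closed=1 ;;
      *)   return 1 ;;
    esac
  done
  echo "$prefix"
}

# route_to_cidr 103.0.0.0/255.0.0.0 -> 103.0.0.0/8 (exit 1 for a malformed entry)
route_to_cidr() {
  net=${1%%/*}
  mask=${1#*/}
  [ "$net" != "$1" ] || return 1
  plen=$(mask_to_prefix "$mask") || return 1
  echo "$net/$plen"
}

# check_routes reads ocserv.conf-style text on stdin, prints each active
# "route = net/mask" line in CIDR form (commented lines are skipped) and
# returns 1 if any entry fails to parse, so a typo is caught before a restart.
check_routes() {
  status=0
  while IFS= read -r line; do
    case $line in
      "route "*|route=*) ;;
      *) continue ;;
    esac
    value=$(echo "${line#*=}" | tr -d ' \t')
    if cidr=$(route_to_cidr "$value"); then
      echo "$cidr"
    else
      echo "bad route entry: $line" >&2
      status=1
    fi
  done
  return $status
}

# vpn_rules NETWORK NETMASK WAN_IF prints firewall commands that only NAT and
# forward traffic from the VPN client subnet; everything else forwarded is
# dropped, and return traffic is allowed via conntrack state.
vpn_rules() {
  cidr=$(route_to_cidr "$1/$2") || return 1
  wan=$3
  cat <<EOF
iptables -P FORWARD DROP
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -s $cidr -o $wan -m conntrack --ctstate NEW -j ACCEPT
iptables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
iptables -t nat -A POSTROUTING -s $cidr -o $wan -j MASQUERADE
EOF
}

# Constructed excerpt of the configuration above (not the whole file).
SAMPLE_CONF='ipv4-network = 10.10.0.0
ipv4-netmask = 255.255.255.0
#route = 192.168.16.0/255.255.255.0
route = 103.0.0.0/255.0.0.0
route = 17.0.0.0/255.0.0.0'

if [ "${1:-}" = "apply" ]; then
  # run as root to install the rules
  vpn_rules 10.10.0.0 255.255.255.0 eth0 | sh -e
else
  echo "split-tunnel routes in CIDR form:"
  printf '%s\n' "$SAMPLE_CONF" | check_routes
  echo "firewall rules (re-run with 'apply' as root to install them):"
  vpn_rules 10.10.0.0 255.255.255.0 eth0
fi
```

Run it without arguments to review the output; run it as root with `apply` to install the rules. To check the real route list, pipe /etc/ocserv/ocserv.conf into check_routes and look at the exit status. The TCPMSS clamp is placed in the mangle table, which is valid on every iptables version, and the FORWARD policy is set to DROP so that only connections initiated from the client subnet, and their return traffic, are forwarded.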