服务端使用开源的 ocserv，CentOS 7 可以直接用 yum 安装。
安装
# Install the ocserv server (plus the openconnect client package) and enable the
# unit so it starts at boot; `enable` alone does not start it — configure first.
yum -y install openconnect ocserv \
  && systemctl enable ocserv
配置
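# Back up the packaged ocserv.conf and write the reference configuration below.
# Replace xx.com / winsoftcon.com with your own domain before applying.
cd /etc/ocserv || exit 1
cp ocserv.conf ocserv.conf.bak
cat > ocserv.conf <<'EOF'
# Username/password authentication against a local ocpasswd file (see "配置用户").
auth = "plain[passwd=/etc/ocserv/ocpasswd]"
tcp-port = 443
udp-port = 443
# Privilege separation: workers drop to this user/group and run chrooted and isolated.
run-as-user = ocserv
run-as-group = ocserv
socket-file = ocserv.sock
chroot-dir = /var/lib/ocserv
isolate-workers = true
max-clients = 16
# One account may hold up to 16 concurrent sessions; lower this if accounts must not be shared.
max-same-clients = 16
rate-limit-ms = 100
keepalive = 32400
dpd = 90
mobile-dpd = 1800
switch-to-tcp-timeout = 25
try-mtu-discovery = true
# Let's Encrypt paths produced by `certbot --nginx` (see the nginx section).
# NOTE(review): ocserv loads these at start-up; after a certbot renewal the new files
# are not served until ocserv is reloaded/restarted — confirm with your ocserv version.
server-cert = /etc/letsencrypt/live/xx.com/fullchain.pem
server-key = /etc/letsencrypt/live/xx.com/privkey.pem
# ca-cert / cert-user-oid belong to client-certificate authentication; with plain
# auth above they play no part in login. NOTE(review): check whether the ca.pem
# path must still exist on this ocserv version.
ca-cert = /etc/pki/ocserv/cacerts/ca.pem
cert-user-oid = 0.9.2342.19200300.100.1.1
# Only SSL 3.0 is disabled here; TLS 1.0/1.1 remain offered and %COMPAT relaxes
# settings for old AnyConnect clients. If legacy clients are not needed, append
# ":-VERS-TLS1.0:-VERS-TLS1.1" to this string.
tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-VERS-SSL3.0"
auth-timeout = 240
min-reauth-time = 300
# Brute-force throttling: failed attempts accumulate a score; a client is banned
# once it reaches max-ban-score and the score resets after ban-reset-time seconds.
max-ban-score = 50
ban-reset-time = 300
cookie-timeout = 300
deny-roaming = false
rekey-time = 172800
rekey-method = ssl
use-occtl = true
pid-file = /var/run/ocserv.pid
device = vpns
predictable-ips = true
default-domain = winsoftcon.com
# Client address pool; must match the -s 10.1.1.0/24 used in the iptables rules.
ipv4-network = 10.1.1.0
ipv4-netmask = 255.255.255.0
# Resolvers pushed to clients; their DNS traffic goes to these hosts via the tunnel.
dns = 8.8.8.8
dns = 8.8.4.4
ping-leases = false
# Required for Cisco AnyConnect clients.
cisco-client-compat = true
dtls-legacy = true
user-profile = profile.xml
# Split routing: these LANs are excluded from the tunnel.
no-route = 192.168.1.0/255.255.255.0
no-route = 192.168.2.0/255.255.255.0
EOF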
系统块配置
1、安装 iptables 服务：yum install iptables-services
2、配置iptables
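# Host firewall and NAT for the VPN subnet. Run as root. `iptables -F` flushes the
# filter-table rules but leaves the chain policies as they are, so an existing SSH
# session is not cut off before the port-22 rule is re-added.
# IPv4 only: ip6tables is not touched here.
wan_if=eth0          # egress interface for MASQUERADE; adjust if the host names it differently
vpn_net=10.1.1.0/24  # must match ipv4-network / ipv4-netmask in ocserv.conf

iptables -F
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p icmp -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT    # ssh
iptables -A INPUT -p tcp --dport 443 -j ACCEPT   # ocserv over TLS
iptables -A INPUT -p tcp --dport 80 -j ACCEPT    # http (nginx / certbot)
iptables -A INPUT -p udp --dport 443 -j ACCEPT   # ocserv DTLS
iptables -A INPUT -j DROP   # a rule, not a policy: drops whatever the rules above did not accept
iptables -t nat -F
iptables -t nat -A POSTROUTING -s "$vpn_net" -o "$wan_if" -j MASQUERADE
iptables -I FORWARD -s "$vpn_net" -j ACCEPT
# Replies to VPN clients otherwise depend on the FORWARD chain's policy being ACCEPT;
# this keeps forwarding working if that policy is later tightened to DROP.
iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT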
3、规则执行完后保存一下：service iptables save
4、打开内核转发：echo "1" > /proc/sys/net/ipv4/ip_forward（写 /proc 只对本次开机生效；要重启后仍然生效，需把下面一行写入 /etc/sysctl.conf）
net.ipv4.ip_forward = 1
安装nginx并生成域名证书
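# Install certbot from snap (the route certbot's own docs describe) and obtain a
# Let's Encrypt certificate through nginx. nginx itself must already be installed:
# the section heading says "install nginx" but no command here installs it.
# The resulting /etc/letsencrypt/live/<domain>/{fullchain,privkey}.pem are the
# paths used for server-cert / server-key in ocserv.conf.
yum install snapd
systemctl enable --now snapd.socket
ln -s /var/lib/snapd/snap /snap
snap install core; snap refresh core
snap install --classic certbot
ln -s /snap/bin/certbot /usr/bin/certbot
certbot --nginx
# NOTE(review): certbot renews the files in place, but ocserv reads them at start-up;
# a renewal therefore needs an ocserv reload/restart to take effect (e.g. via a
# certbot --deploy-hook) — confirm the reload behaviour of your ocserv version.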
配置用户
# Add the account "username" to the password file that ocserv.conf references in
# auth = "plain[passwd=/etc/ocserv/ocpasswd]"; -c names that file. ocpasswd prompts
# for the password interactively, so it never appears on the command line or in
# shell history.
ocpasswd -c /etc/ocserv/ocpasswd username
针对arm 64位会报错的解决方法
参考文档:https://gitlab.com/openconnect/ocserv/-/issues/424
可以下载最新的来安装:
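#!/usr/bin/env bash
# Build ocserv 1.1.7 from source and swap it in for the distro binaries
# (the arm64 workaround from the issue linked above). Run as root.
set -euo pipefail

readonly ver=1.1.7
readonly prefix=/usr/local/ocserv-${ver}
readonly tarball=ocserv-${ver}.tar.gz
readonly url=https://gitlab.com/openconnect/ocserv/-/archive/${ver}/${tarball}

wget -- "$url"
# The archive is fetched with no integrity check beyond TLS. Compare it against the
# checksum or signature the project publishes before building, e.g.
#   echo "<expected-sha256>  ${tarball}" | sha256sum -c -
tar -zxvf "$tarball"
cd "ocserv-${ver}/"
sh autogen.sh
./configure --prefix="$prefix"
make
make install

# Swap the packaged binaries for symlinks to the new build. The originals are kept
# as *.ori so the change can be reverted. occtl/ocpasswd are NOT swapped and stay at
# the distro version; the new build's copies live under ${prefix}/bin.
# NOTE(review): a later `yum update ocserv` may overwrite these links — check after updates.
systemctl stop ocserv.service
mv /usr/sbin/ocserv-worker /usr/sbin/ocserv-worker.ori
ln -s "${prefix}/sbin/ocserv-worker" /usr/sbin/ocserv-worker
mv /usr/sbin/ocserv /usr/sbin/ocserv.ori
ln -s "${prefix}/sbin/ocserv" /usr/sbin/ocserv

# The distro unit file is assumed to start /usr/sbin/ocserv (which is why the links
# go there); the cat lets you confirm the ExecStart path.
cat /usr/lib/systemd/system/ocserv.service
systemctl start ocserv.service
systemctl status ocserv.service
# Confirm tcp/443 is listening (the original transcript had a 'netsteat' typo here).
netstat -lnpt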
原文链接:思科anyconnect服务端安装,转载请注明来源!