
Cisco AnyConnect Server-Side Installation

The server side uses the open-source ocserv (OpenConnect server); on CentOS 7 it can be installed directly with yum.

Installation

yum install openconnect ocserv -y && systemctl enable ocserv

Configuration

cd /etc/ocserv
cp ocserv.conf ocserv.conf.bak

The following configuration can be used as a reference:
auth = "plain[passwd=/etc/ocserv/ocpasswd]"
tcp-port = 443
udp-port = 443
run-as-user = ocserv
run-as-group = ocserv
socket-file = ocserv.sock
chroot-dir = /var/lib/ocserv
isolate-workers = true
max-clients = 16
max-same-clients = 16
rate-limit-ms = 100
keepalive = 32400
dpd = 90
mobile-dpd = 1800
switch-to-tcp-timeout = 25
try-mtu-discovery = true
server-cert = /etc/letsencrypt/live/xx.com/fullchain.pem
server-key = /etc/letsencrypt/live/xx.com/privkey.pem
ca-cert = /etc/pki/ocserv/cacerts/ca.pem
cert-user-oid = 0.9.2342.19200300.100.1.1
tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-VERS-SSL3.0"
auth-timeout = 240
min-reauth-time = 300
max-ban-score = 50
ban-reset-time = 300
cookie-timeout = 300
deny-roaming = false
rekey-time = 172800
rekey-method = ssl
use-occtl = true
pid-file = /var/run/ocserv.pid
device = vpns
predictable-ips = true
default-domain = winsoftcon.com
ipv4-network = 10.1.1.0
ipv4-netmask = 255.255.255.0
dns = 8.8.8.8
dns = 8.8.4.4
ping-leases = false
cisco-client-compat = true
dtls-legacy = true
user-profile = profile.xml
no-route = 192.168.1.0/255.255.255.0
no-route = 192.168.2.0/255.255.255.0
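Before restarting the service with a configuration like the one above, it is worth checking the handful of things that most often break a deployment or quietly weaken it. The script below is an added example, not part of the original post or of ocserv itself: it parses the "key = value" format shown above (repeated keys such as dns and no-route are allowed, comments start with #), then verifies that server-cert, server-key and ca-cert point at readable files, that the passwd file named in auth exists and is not world-readable (it holds password hashes), that tls-priorities disables SSL 3.0 and TLS 1.0/1.1, and that both tcp-port and udp-port are set. The function names and the warning texts are my own; the check for TLS 1.0/1.1 goes one step beyond the post, which only removes SSL 3.0.

```shell
#!/bin/sh
# Added example (not from the original post): lint an ocserv.conf before restart.
# Prints one WARN line per finding and returns the number of findings.

# conf_get FILE KEY -> prints every value of KEY, surrounding quotes stripped
conf_get() {
    awk -v k="$2" '
        /^[ \t]*#/ { next }
        {
            eq = index($0, "=")
            if (eq == 0) next
            key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            gsub(/^"|"$/, "", val)
            if (key == k) print val
        }' "$1"
}

# lint_ocserv_conf FILE -> return value is the number of findings
lint_ocserv_conf() {
    local conf="$1" findings=0 key path prio port passwd v

    # 1. Certificate material must exist where the config says it is.
    for key in server-cert server-key ca-cert; do
        path=$(conf_get "$conf" "$key")
        if [ -z "$path" ]; then
            echo "WARN: $key is not set"; findings=$((findings + 1))
        elif [ ! -r "$path" ]; then
            echo "WARN: $key points at a missing or unreadable file: $path"
            findings=$((findings + 1))
        fi
    done

    # 2. Password file taken from auth = "plain[passwd=/path]".
    passwd=$(conf_get "$conf" auth | sed -n 's/.*passwd=\([^],]*\).*/\1/p')
    if [ -n "$passwd" ]; then
        if [ ! -f "$passwd" ]; then
            echo "WARN: passwd file missing: $passwd"; findings=$((findings + 1))
        elif [ "$(ls -ld "$passwd" | cut -c8)" = "r" ]; then
            # column 8 of ls -l is the "other" read bit
            echo "WARN: passwd file is world-readable: $passwd"
            findings=$((findings + 1))
        fi
    fi

    # 3. TLS priority string: legacy protocol versions should be switched off.
    prio=$(conf_get "$conf" tls-priorities)
    for v in VERS-SSL3.0 VERS-TLS1.0 VERS-TLS1.1; do
        case "$prio" in
            *"-$v"*) ;;
            *) echo "WARN: tls-priorities does not disable $v"
               findings=$((findings + 1)) ;;
        esac
    done

    # 4. AnyConnect uses TLS (tcp) and DTLS (udp); both listeners should be set.
    for key in tcp-port udp-port; do
        port=$(conf_get "$conf" "$key")
        [ -n "$port" ] || { echo "WARN: $key is not set"; findings=$((findings + 1)); }
    done

    return "$findings"
}
```

Run it as `lint_ocserv_conf /etc/ocserv/ocserv.conf` from the same shell the functions were sourced into; a non-zero exit status means something was flagged. The reference configuration above would be flagged twice, because its priority string disables only SSL 3.0.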

System configuration

1. Install the iptables service
yum install iptables-services

2. Configure iptables

iptables -F
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p icmp -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p udp --dport 443 -j ACCEPT
iptables -A INPUT -j DROP
iptables -t nat -F
iptables -t nat -A POSTROUTING -s 10.1.1.0/24 -o eth0 -j MASQUERADE
iptables -I FORWARD -s 10.1.1.0/24 -j ACCEPT

3. Save the rules after applying them
service iptables save

4. Enable kernel IP forwarding
echo "1" > /proc/sys/net/ipv4/ip_forward
To keep it enabled across reboots, add the following line to /etc/sysctl.conf:
net.ipv4.ip_forward = 1
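Steps 1 to 4 above work, but `iptables -F` wipes every rule on the host, re-running the block duplicates rules, and the egress interface is hard-coded as eth0. The script below is an added example (not from the original post) that applies the same policy in a re-runnable way: the VPN rules live in two chains of their own (OCSERV-IN and OCSERV-FWD, names chosen here), only those chains are flushed, the jump rules and the NAT rule are inserted only if an identical rule is not already present (`iptables -C`), the egress interface is taken from the default route, and ip_forward is persisted through a drop-in under /etc/sysctl.d (file name chosen here). It also adds one rule the post does not have: an explicit RELATED,ESTABLISHED rule for traffic returning to the VPN pool, so the setup keeps working even if the FORWARD policy is later set to DROP. DRY_RUN=1 prints the commands instead of executing them.

```shell
#!/bin/sh
# Added example (not from the original post): idempotent firewall/forwarding
# setup for ocserv on CentOS 7 with iptables-services. Run as root, or with
# DRY_RUN=1 to review the commands first.

VPN_NET="${VPN_NET:-10.1.1.0/24}"   # ocserv ipv4-network/netmask from the config
SSH_PORT="${SSH_PORT:-22}"
VPN_PORT="${VPN_PORT:-443}"         # tcp-port and udp-port from the config

# run CMD... : execute, or print when DRY_RUN=1
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}
ipt() { run iptables "$@"; }

# valid_cidr A.B.C.D/N -> 0 if the argument looks like an IPv4 CIDR
valid_cidr() {
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$'
}

# egress_iface -> interface of the default route (falls back to eth0)
egress_iface() {
    local dev
    dev=$(ip -4 route show default 2>/dev/null |
          awk '{ for (i = 1; i < NF; i++) if ($i == "dev") { print $(i+1); exit } }')
    printf '%s\n' "${dev:-eth0}"
}

# ensure TABLE CHAIN RULE... : insert the rule unless an identical one exists
ensure() {
    local table="$1" chain="$2"; shift 2
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf 'iptables -t %s -I %s %s\n' "$table" "$chain" "$*"
    elif ! iptables -t "$table" -C "$chain" "$@" 2>/dev/null; then
        iptables -t "$table" -I "$chain" "$@"
    fi
}

vpn_firewall() {
    local iface c
    valid_cidr "$VPN_NET" || { echo "bad VPN_NET: $VPN_NET" >&2; return 1; }
    iface=$(egress_iface)

    # Own chains: create if missing, then flush only these (not the whole host).
    for c in OCSERV-IN OCSERV-FWD; do
        run iptables -N "$c" 2>/dev/null || true
        ipt -F "$c"
    done

    # Inbound: loopback, established flows, ICMP, SSH, HTTP, and the VPN's
    # TLS (tcp) and DTLS (udp) ports; everything else is dropped.
    ipt -A OCSERV-IN -i lo -j ACCEPT
    ipt -A OCSERV-IN -m state --state RELATED,ESTABLISHED -j ACCEPT
    ipt -A OCSERV-IN -p icmp -j ACCEPT
    ipt -A OCSERV-IN -p tcp --dport "$SSH_PORT" -j ACCEPT
    ipt -A OCSERV-IN -p tcp --dport "$VPN_PORT" -j ACCEPT
    ipt -A OCSERV-IN -p tcp --dport 80 -j ACCEPT
    ipt -A OCSERV-IN -p udp --dport "$VPN_PORT" -j ACCEPT
    ipt -A OCSERV-IN -j DROP

    # Forwarding: VPN clients out, and replies back in (the post relies on the
    # default FORWARD policy for the return path; this makes it explicit).
    ipt -A OCSERV-FWD -s "$VPN_NET" -j ACCEPT
    ipt -A OCSERV-FWD -d "$VPN_NET" -m state --state RELATED,ESTABLISHED -j ACCEPT

    # Hook the chains in once, and NAT the pool out of the egress interface.
    ensure filter INPUT -j OCSERV-IN
    ensure filter FORWARD -j OCSERV-FWD
    ensure nat POSTROUTING -s "$VPN_NET" -o "$iface" -j MASQUERADE

    # Kernel forwarding now, and after reboot via a sysctl.d drop-in.
    run sysctl -w net.ipv4.ip_forward=1
    run sh -c 'echo "net.ipv4.ip_forward = 1" > /etc/sysctl.d/99-ocserv.conf'
    run service iptables save
}
```

Usage: source the file and call `vpn_firewall`; a first pass with `DRY_RUN=1 vpn_firewall` shows exactly which iptables and sysctl commands would run. Because the packaged service saves custom chains too, `service iptables save` restores the OCSERV-IN and OCSERV-FWD chains together with the jump rules on the next boot.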

Install nginx and obtain a certificate for the domain

Certbot's nginx plugin expects nginx to already be installed and running; it then issues the Let's Encrypt certificate whose fullchain.pem and privkey.pem are referenced by server-cert and server-key in the ocserv configuration above.
yum install snapd
systemctl enable --now snapd.socket
ln -s /var/lib/snapd/snap /snap
snap install core; snap refresh core
snap install --classic certbot
ln -s /snap/bin/certbot /usr/bin/certbot
certbot --nginx

Configure users

Create a user with ocpasswd (it prompts for the password); the file path must match the passwd= entry in auth above:
ocpasswd -c /etc/ocserv/ocpasswd username

Workaround for the error on 64-bit ARM

Reference: https://gitlab.com/openconnect/ocserv/-/issues/424

You can download the latest release, build it from source, and point the packaged service at the new binaries:
  wget https://gitlab.com/openconnect/ocserv/-/archive/1.1.7/ocserv-1.1.7.tar.gz
  tar -zxvf ocserv-1.1.7.tar.gz
  cd ocserv-1.1.7/
  sh autogen.sh
  ./configure --help          # list the available build options
  ./configure --prefix=/usr/local/ocserv-1.1.7
  make
  make install
  # stop the packaged service, then replace its binaries with links to the new build
  systemctl stop ocserv.service
  which ocserv                # confirms the packaged binary lives in /usr/sbin
  mv /usr/sbin/ocserv-worker /usr/sbin/ocserv-worker.ori
  ln -s /usr/local/ocserv-1.1.7/sbin/ocserv-worker /usr/sbin/ocserv-worker
  mv /usr/sbin/ocserv /usr/sbin/ocserv.ori
  ln -s /usr/local/ocserv-1.1.7/sbin/ocserv /usr/sbin/ocserv
  # the packaged unit (/usr/lib/systemd/system/ocserv.service) still runs /usr/sbin/ocserv,
  # which now points at the new build, so it needs no change
  systemctl start ocserv.service
  systemctl status ocserv.service
  netstat -lnpt               # verify that ocserv is listening on the configured port
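After swapping the packaged binaries for symlinks as above, "systemctl status" only tells you that something started, not that the whole stack comes from the new build. The main daemon execs ocserv-worker, so a stale worker next to a new daemon is a mismatch worth catching. The script below is an added example (not from the original post or from ocserv): for a given install prefix it resolves /usr/sbin/ocserv and /usr/sbin/ocserv-worker through their symlinks and checks that both land on executables under that prefix, and, if a unit file is given, that its ExecStart= binary resolves there too. Function names and messages are my own; the default prefix matches the post.

```shell
#!/bin/sh
# Added example (not from the original post): verify that the running ocserv
# binaries all come from the source build installed under one prefix.
# Prints one line per problem and returns the number of problems.

# resolve PATH -> canonical path through symlinks (falls back to the input)
resolve() { readlink -f "$1" 2>/dev/null || printf '%s\n' "$1"; }

# check_ocserv_build [PREFIX] [SBIN_DIR] [UNIT_FILE]
check_ocserv_build() {
    local prefix="${1:-/usr/local/ocserv-1.1.7}" sbin="${2:-/usr/sbin}" unit="$3"
    local problems=0 name real want execbin
    prefix=$(resolve "$prefix")

    # Both the daemon and its worker must link into the same build.
    for name in ocserv ocserv-worker; do
        want="$prefix/sbin/$name"
        real=$(resolve "$sbin/$name")
        if [ "$real" != "$want" ]; then
            echo "MISMATCH: $sbin/$name -> $real (expected $want)"
            problems=$((problems + 1))
        elif [ ! -x "$real" ]; then
            echo "NOT EXECUTABLE: $real"
            problems=$((problems + 1))
        fi
    done

    # The systemd unit must start a binary that resolves into the prefix too.
    if [ -n "$unit" ] && [ -r "$unit" ]; then
        # first word after ExecStart= (systemd allows a leading - or @ prefix)
        execbin=$(sed -n 's/^ExecStart=[-@]*\([^ ]*\).*/\1/p' "$unit" | head -n 1)
        case "$(resolve "$execbin")" in
            "$prefix"/sbin/*) ;;
            *) echo "UNIT: ExecStart=$execbin does not resolve into $prefix"
               problems=$((problems + 1)) ;;
        esac
    fi
    return "$problems"
}
```

On the host from the post this would be run as `check_ocserv_build /usr/local/ocserv-1.1.7 /usr/sbin /usr/lib/systemd/system/ocserv.service`; a non-zero exit status means one of the links or the unit still points at the packaged binaries.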
