Setting up ocserv

Background

I need to reach the virtual lab environment at home from other locations, so I set up a server that provides access to the home network.

Environment

OS: CentOS Linux release 7.4.1708 (Core)

Spec: 1 CPU core, 1 GB RAM

Setup steps

  1. Configure the EPEL repository
CentOS 5

wget -O /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-5.repo

or

curl -o /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-5.repo

CentOS 6

wget -O /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-6.repo

or

curl -o /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-6.repo

CentOS 7

wget -O /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-7.repo

or

curl -o /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-7.repo
  2. Install with YUM
yum -y install ocserv
  3. Enable NAT forwarding in Linux
sysctl -w net.ipv4.ip_forward=1
# this setting does not survive a reboot; to make it permanent also add net.ipv4.ip_forward = 1 to /etc/sysctl.conf
  4. Install the certificate (you can generate your own)
mkdir /ssl
cp lmw.wiki.pem /ssl
cp lmw.wiki.key /ssl
chmod 755 /ssl -R
# note: chmod 755 -R also leaves the private key world-readable; tighten the key file so that only root and the ocserv run-as user/group can read it
  5. Edit the ocserv configuration file
cat /etc/ocserv/ocserv.conf
# log in with a password
auth = plain[passwd=/etc/ocserv/ocpasswd]
# TCP/UDP ports the service listens on; if the host does not also serve a website, TCP 443 / UDP 80 are fine
tcp-port = 443
udp-port = 80
# user and group the service runs as
run-as-user = nobody
run-as-group = daemon
socket-file = ocserv.sock
chroot-dir = /var/lib/ocserv
isolate-workers = true
# total number of clients allowed to connect at the same time; for example, a value of 4 would allow at most 4 devices at once
max-clients = 16
# maximum number of simultaneous logins for the same user
max-same-clients = 2
keepalive = 32400
dpd = 90
mobile-dpd = 1800
switch-to-tcp-timeout = 25
# enabling this can improve VPN performance
try-mtu-discovery = true
# location of the server certificate and key (the key file is the one copied to /ssl above)
server-cert = /ssl/lmw.wiki.pem
server-key = /ssl/lmw.wiki.key
# location of the CA certificate; with a self-signed certificate, point this at your own CA certificate
ca-cert = /etc/pki/ocserv/cacerts/ca.crt
cert-user-oid = 0.9.2342.19200300.100.1.1
tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-VERS-SSL3.0"
auth-timeout = 240
min-reauth-time = 300
max-ban-score = 50
ban-reset-time = 300
cookie-timeout = 300
deny-roaming = false
rekey-time = 172800
rekey-method = ssl
use-utmp = true
use-occtl = true
pid-file = /var/run/ocserv.pid
# name of the virtual network device
device = vpns
predictable-ips = true
default-domain = lmw.wiki
tunnel-all-dns = false
ping-leases = false
cisco-client-compat = true
dtls-legacy = true
user-profile = profile.xml
# IP range assigned to VPN clients
ipv4-network = 192.168.50.0
ipv4-netmask = 255.255.255.0
# a route entry means that network is sent through the VPN; normally this is the client's internal LAN segment
route = 192.168.50.0/24
  6. Create a user
ocpasswd -c /etc/ocserv/ocpasswd 'username'
  7. Configure firewall rules
# allow new inbound connections on the VPN TCP port; the --dport value must match tcp-port in ocserv.conf (443 above), and udp-port needs a matching UDP rule

iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 60755 -j ACCEPT

# enable NAT for the VPN client range
iptables -t nat -A POSTROUTING -s 192.168.50.0/24 -j MASQUERADE
  8. Start the service
# start the service
systemctl start ocserv.service

# check the service status
systemctl status ocserv.service
  9. Service status
● ocserv.service - OpenConnect SSL VPN server
   Loaded: loaded (/usr/lib/systemd/system/ocserv.service; disabled; vendor preset: disabled)
   Active: active (running) since Thu 2020-04-16 07:48:14 EDT; 1 day 8h ago
     Docs: man:ocserv(8)
  Process: 2541 ExecStartPre=/usr/sbin/ocserv-genkey (code=exited, status=0/SUCCESS)
 Main PID: 2542 (ocserv-main)
   CGroup: /system.slice/ocserv.service
           ├─2542 ocserv-main
           └─2544 ocserv-sm

Apr 17 01:39:37 vpn ocserv[3549]: worker[liujr]: 192.168.50.194 configured link MTU is 1500
Apr 17 01:39:37 vpn ocserv[3549]: worker[liujr]: 192.168.50.194 peer's link MTU is 1406
Apr 17 01:39:37 vpn ocserv[3549]: worker[liujr]: 192.168.50.194 sending IPv4 192.168.50.140
Apr 17 01:39:37 vpn ocserv[3549]: worker[liujr]: 192.168.50.194 IPv6 routes/DNS disabled because the agent is not known.
Apr 17 01:39:37 vpn ocserv[3549]: worker[liujr]: 192.168.50.194 Include route 192.168.50.0/255.255.255.0
Apr 17 01:39:37 vpn ocserv[3549]: worker[liujr]: 192.168.50.194 Link MTU is 1406 bytes
Apr 17 06:17:33 vpn ocserv[3549]: worker[liujr]: 192.168.50.194 received BYE packet; exiting
Apr 17 06:17:33 vpn ocserv[3549]: worker[liujr]: 192.168.50.194 sent periodic stats (in: 32058948, out: 26132307) to sec-mod
Apr 17 06:17:33 vpn ocserv[2544]: sec-mod: invalidating session of user 'username' (session: BTdU0Q)
Apr 17 06:17:33 vpn ocserv[2542]: main[liujr]:192.168.50.194:18526 user disconnected (reason: user disconnected, rx: 32058948, tx: 26132307)
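As an added example that is not part of the original post, the following POSIX shell script derives the iptables rules from the ports and client pool actually declared in ocserv.conf, so the --dport values cannot drift from tcp-port/udp-port, and warns when the server-key file is world-readable (which chmod 755 -R produces). It runs against a constructed copy of the config in a temporary directory; the function names and the temp-file layout are assumptions of this example, only the settings and file names follow the post.

```shell
#!/bin/sh
# Added example, not part of the original post: derive the iptables rules from the
# ports and client pool that ocserv.conf actually declares, and flag a world-readable
# server key. Runs against a constructed config in a temp directory; nothing on the
# host is modified.

# conf_get FILE KEY: print the value of "KEY = value" (first match, comments ignored)
conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | sed 's/[[:space:]]*$//' | head -n 1
}

# firewall_rules FILE: print INPUT/NAT rules that match the configured ports and pool,
# so the allowed port can never drift from tcp-port/udp-port
firewall_rules() {
    tcp=$(conf_get "$1" tcp-port); udp=$(conf_get "$1" udp-port)
    net=$(conf_get "$1" ipv4-network); mask=$(conf_get "$1" ipv4-netmask)
    [ -n "$tcp" ] && [ -n "$udp" ] && [ -n "$net" ] && [ -n "$mask" ] || return 1
    printf 'iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport %s -j ACCEPT\n' "$tcp"
    printf 'iptables -A INPUT -p udp --dport %s -j ACCEPT\n' "$udp"
    printf 'iptables -t nat -A POSTROUTING -s %s/%s -j MASQUERADE\n' "$net" "$mask"
}

# key_not_world_readable FILE: returns 0 if the server-key named in FILE is not readable by "other"
key_not_world_readable() {
    key=$(conf_get "$1" server-key)
    [ -f "$key" ] || return 2
    # column 8 of "ls -l" output is the "other" read bit
    [ "$(ls -l "$key" | cut -c8)" != "r" ]
}

# constructed sample config mirroring the post's settings (file names as in the post)
demo_dir=$(mktemp -d)
demo_conf="$demo_dir/ocserv.conf"
cat > "$demo_conf" <<EOF
# comment lines are ignored by conf_get
tcp-port = 443
udp-port = 80
server-cert = $demo_dir/lmw.wiki.pem
server-key = $demo_dir/lmw.wiki.key
ipv4-network = 192.168.50.0
ipv4-netmask = 255.255.255.0
EOF
: > "$demo_dir/lmw.wiki.key"
chmod 755 "$demo_dir/lmw.wiki.key"   # what "chmod 755 /ssl -R" leaves behind

firewall_rules "$demo_conf"
key_not_world_readable "$demo_conf" || echo "WARNING: $(conf_get "$demo_conf" server-key) is world-readable"
```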
Last modified: May 9th, 2020 at 11:54 am