
AnyConnect搭建

作者: 晓龙酱 | 来源:发表于2018-01-28 12:55 被阅读612次

    安装

    # Install ocserv, the OpenConnect VPN server that AnyConnect clients connect to (needs root).
    apt-get install ocserv
    

    添加账号密码

    # Add user "guest" to the password file given with -c; ocpasswd asks for the password
    # interactively. The same path is wired into "auth = plain[...]" in ocserv.conf below,
    # so with plain auth this file is the only login factor: use a non-generic account
    # name and a strong password, and keep the file readable by root only.
    ocpasswd -c /etc/ocserv/ocpasswd guest
    

    生成证书

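    # Install easy-rsa (the build-ca / build-key-server scripts below are the
    # easy-rsa 2.x style tooling). "//" is not a shell comment marker, so the
    # explanatory lines are written with "#" to keep this runnable as a script.
    sudo apt-get install easy-rsa

    cd /usr/share/easy-rsa

    # Edit vars: set the easy-rsa directory and the directory the keys are written to.
    sudo vim vars

    # Load vars into the current shell so the build-* scripts pick up the settings.
    source ./vars

    # Provide the openssl.cnf the build-* scripts expect.
    sudo cp openssl-1.0.0.cnf openssl.cnf

    # Build the CA certificate and its private key (interactive prompts).
    ./build-ca

    # Build the server certificate and key; set the Common Name when prompted.
    # NOTE(review): the build-* scripts write into the keys directory configured in
    # vars, while ocserv.conf below expects /etc/ocserv/ssl/{ca.crt,server.crt,server.key};
    # the copy into that directory is not shown here. Keep server.key readable by root
    # only, and keep the CA private key off the VPN host where possible.
    ./build-key-server server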
    

    编辑配置

    # Edit the ocserv main configuration; a reference configuration with the
    # certificate paths set follows below.
    vim /etc/ocserv/ocserv.conf
    

    参考配置,设置证书文件路径

    # Password-file authentication only (the file written by ocpasswd above).
    auth = "plain[/etc/ocserv/ocpasswd]"
    listen-host-is-dyndns = true
    # Listening ports; the iptables rules below must open the same ports.
    tcp-port = 11130
    udp-port = 11130
    # Unprivileged identity the workers drop to after start-up.
    run-as-user = nobody
    run-as-group = daemon
    socket-file = /var/run/ocserv-socket
    # Certificates produced with easy-rsa above must be copied to these paths;
    # server.key is a private key and should be readable by root only.
    server-cert = /etc/ocserv/ssl/server.crt
    server-key = /etc/ocserv/ssl/server.key
    ca-cert =  /etc/ocserv/ssl/ca.crt
    # false disables the seccomp-based sandbox of the worker processes; true is the
    # hardened choice where the kernel supports it.
    isolate-workers = false
    max-clients = 16
    max-same-clients = 2
    # Seconds.
    keepalive = 360000
    dpd = 90
    mobile-dpd = 1800
    try-mtu-discovery = true
    # OID 2.5.4.3 is commonName; only relevant when clients authenticate with certificates.
    cert-user-oid = 2.5.4.3
    # GnuTLS priority string. %COMPAT relaxes protocol strictness for old clients;
    # SSL 3.0 is explicitly disabled. Review this against the clients actually in use.
    tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-VERS-SSL3.0"
    # Seconds a client may stay connected before completing authentication.
    auth-timeout = 240
    # Seconds a client must wait to reconnect after a failed authentication.
    min-reauth-time = 300
    # Failed-attempt scoring: clients exceeding the score are banned until the reset time.
    max-ban-score = 50
    ban-reset-time = 300
    # Seconds a disconnected session may resume with its cookie (here 24 h).
    cookie-timeout = 86400
    deny-roaming = false
    rekey-time = 172800
    rekey-method = ssl
    use-occtl = true
    pid-file = /var/run/ocserv.pid
    device = vpns
    # Clients tend to receive the same address on each connection.
    predictable-ips = true
    # Placeholder domain; replace with the real one.
    default-domain = example.com
    # Client address pool; the NAT/forward rules below must use the same range.
    ipv4-network = 10.12.0.0
    ipv4-netmask = 255.255.255.0
    # Resolvers pushed to clients (public Google DNS; alternative left commented).
    dns = 8.8.8.8
    dns = 8.8.4.4
    #dns = 114.114.114.114
    ping-leases = false
    # Split tunnel: this network is excluded from the VPN routes pushed to clients.
    no-route = 192.168.1.0/255.255.255.0
    # Compatibility with Cisco AnyConnect clients; dtls-legacy keeps the older
    # DTLS negotiation that some older clients require.
    cisco-client-compat = true
    dtls-legacy = true
    

    设置防火墙

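    # Open the ocserv ports on INPUT (must match tcp-port/udp-port in ocserv.conf).
    iptables -I INPUT -p tcp --dport 11130 -j ACCEPT
    iptables -I INPUT -p udp --dport 11130 -j ACCEPT
    # To remove these two rules later, run the same commands with -D instead of -I.
    # (Running the -D lines right after the -I lines would delete the rules again
    # and leave the ports closed, so they are not part of the setup sequence.)
    #   iptables -D INPUT -p tcp --dport 11130 -j ACCEPT
    #   iptables -D INPUT -p udp --dport 11130 -j ACCEPT

    # NAT the VPN pool (ipv4-network/ipv4-netmask in ocserv.conf) out through the
    # uplink interface; replace eth0 with the actual interface name on this host.
    iptables -t nat -A POSTROUTING -s 10.12.0.0/24 -o eth0 -j MASQUERADE
    # Allow forwarding from the VPN pool.
    # NOTE(review): if the FORWARD chain's policy is DROP, reply traffic towards
    # 10.12.0.0/24 needs its own ACCEPT rule as well. None of these rules survive a
    # reboot unless saved (e.g. with iptables-save) and restored at boot.
    iptables -A FORWARD -s 10.12.0.0/24 -j ACCEPT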
    

    设置流量转发

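    # Enable IPv4 forwarding so traffic from VPN clients can leave through the server.
    # In /etc/sysctl.conf, uncomment (or add) the line:
    #   net.ipv4.ip_forward=1
    # ("//" is not a shell comment and the sysctl line is not a shell command, so
    # both are kept here as "#" comments.)
    sudo vim /etc/sysctl.conf

    # Reload /etc/sysctl.conf so the setting takes effect without a reboot
    # (needs root, hence sudo as for the edit above).
    sudo sysctl -p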
    
