确认防火墙状态
[root@ocserv ~]# firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: dhcpv6-client ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
[root@ocserv ~]#
开启内核包转发
[root@ocserv ~]# echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
[root@ocserv ~]# sysctl -p
net.ipv6.conf.all.accept_ra = 2
net.ipv6.conf.eth0.accept_ra = 2
net.ipv4.ip_forward = 1
[root@ocserv ~]#
开启防火墙端口及包转发特性
[root@ocserv ~]# firewall-cmd --permanent --add-port=443/tcp
success
[root@ocserv ~]# firewall-cmd --permanent --add-port=443/udp
success
[root@ocserv ~]# firewall-cmd --permanent --add-masquerade
success
[root@ocserv ~]# firewall-cmd --reload
success
[root@ocserv ~]#
查看防火墙状态
[root@ocserv ~]# firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: dhcpv6-client ssh
  ports: 443/tcp 443/udp
  protocols:
  masquerade: yes
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
[root@ocserv ~]#
安装EPEL软件源并更新缓存
[root@ocserv ~]# yum -y install epel-release.noarch net-tools
[root@ocserv ~]# yum makecache
安装ocserv软件包及依赖包
[root@ocserv ~]# yum install -y ocserv
ocserv安装包文件及目录结构
[root@ocserv ~]# rpm -lq ocserv
/etc/ocserv
/etc/ocserv/ocserv.conf
/etc/pam.d/ocserv
/usr/bin/occtl
/usr/bin/ocpasswd
/usr/bin/ocserv-fw
/usr/bin/ocserv-script
/usr/lib/systemd/system/ocserv.service
/usr/sbin/ocserv
/usr/sbin/ocserv-genkey
/usr/share/doc/ocserv-0.12.6
/usr/share/doc/ocserv-0.12.6/AUTHORS
/usr/share/doc/ocserv-0.12.6/BSD-MIT
/usr/share/doc/ocserv-0.12.6/CC0
/usr/share/doc/ocserv-0.12.6/COPYING
/usr/share/doc/ocserv-0.12.6/ChangeLog
/usr/share/doc/ocserv-0.12.6/LGPL-2.1
/usr/share/doc/ocserv-0.12.6/LICENSE
/usr/share/doc/ocserv-0.12.6/NEWS
/usr/share/doc/ocserv-0.12.6/PACKAGE-LICENSING
/usr/share/doc/ocserv-0.12.6/README.md
/usr/share/doc/ocserv-0.12.6/TODO
/usr/share/man/man8/occtl.8.gz
/usr/share/man/man8/ocpasswd.8.gz
/usr/share/man/man8/ocserv.8.gz
/var/lib/ocserv
/var/lib/ocserv/profile.xml
[root@ocserv ~]#
查看默认配置文件(不含已注释部分)
[root@ocserv ~]# cat /etc/ocserv/ocserv.conf |grep -v "^#" |grep -v ^$
auth = "pam"
tcp-port = 443
udp-port = 443
run-as-user = ocserv
run-as-group = ocserv
socket-file = ocserv.sock
chroot-dir = /var/lib/ocserv
isolate-workers = true
max-clients = 16
max-same-clients = 2
keepalive = 32400
dpd = 90
mobile-dpd = 1800
switch-to-tcp-timeout = 25
try-mtu-discovery = false
server-cert = /etc/pki/ocserv/public/server.crt
server-key = /etc/pki/ocserv/private/server.key
ca-cert = /etc/pki/ocserv/cacerts/ca.crt
cert-user-oid = 0.9.2342.19200300.100.1.1
tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-VERS-SSL3.0"
auth-timeout = 240
min-reauth-time = 300
max-ban-score = 50
ban-reset-time = 300
cookie-timeout = 300
deny-roaming = false
rekey-time = 172800
rekey-method = ssl
use-occtl = true
pid-file = /var/run/ocserv.pid
device = vpns
predictable-ips = true
default-domain = example.com
ping-leases = false
cisco-client-compat = true
dtls-legacy = true
user-profile = profile.xml
[root@ocserv ~]#
修改配置文件
[root@ocserv ~]# vi /etc/ocserv/ocserv.conf
修改验证方式
#auth = "pam"
auth = "plain[passwd=/etc/ocserv/ocpasswd]"
启用压缩（可选）。注意：对隧道内的明文流量先压缩再加密会引入 VORACLE 一类的压缩侧信道风险，如无明确需要，建议保持默认的关闭状态。
# Uncomment this to enable compression negotiation (LZS, LZ4).
compression = true
指定客户端网络配置
#ipv4-network = 192.168.1.0
ipv4-network = 172.16.192.0
#ipv4-netmask = 255.255.255.0
ipv4-netmask = 255.255.255.0
指定客户端DNS配置
#dns = 192.168.1.2
dns = 8.8.8.8
dns = 8.8.4.4
查看修改后的配置文件
[root@ocserv ~]# cat /etc/ocserv/ocserv.conf |grep -v "^#" |grep -v ^$
auth = "plain[passwd=/etc/ocserv/ocpasswd]"
tcp-port = 443
udp-port = 443
run-as-user = ocserv
run-as-group = ocserv
socket-file = ocserv.sock
chroot-dir = /var/lib/ocserv
isolate-workers = true
max-clients = 16
max-same-clients = 2
keepalive = 32400
dpd = 90
mobile-dpd = 1800
switch-to-tcp-timeout = 25
try-mtu-discovery = false
server-cert = /etc/pki/ocserv/public/server.crt
server-key = /etc/pki/ocserv/private/server.key
ca-cert = /etc/pki/ocserv/cacerts/ca.crt
cert-user-oid = 0.9.2342.19200300.100.1.1
compression = true
tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-VERS-SSL3.0"
auth-timeout = 240
min-reauth-time = 300
max-ban-score = 50
ban-reset-time = 300
cookie-timeout = 300
deny-roaming = false
rekey-time = 172800
rekey-method = ssl
use-occtl = true
pid-file = /var/run/ocserv.pid
device = vpns
predictable-ips = true
default-domain = example.com
ipv4-network = 172.16.192.0
ipv4-netmask = 255.255.255.0
dns = 8.8.8.8
dns = 8.8.4.4
ping-leases = false
cisco-client-compat = true
dtls-legacy = true
user-profile = profile.xml
[root@ocserv ~]#
注册并启动服务
[root@ocserv ~]# systemctl enable ocserv
Created symlink from /etc/systemd/system/multi-user.target.wants/ocserv.service to /usr/lib/systemd/system/ocserv.service.
[root@ocserv ~]# systemctl start ocserv
[root@ocserv ~]#
查看端口监听状态
[root@ocserv ~]# netstat -lntu
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp6 0 0 :::443 :::* LISTEN
tcp6 0 0 :::22 :::* LISTEN
udp 0 0 127.0.0.1:323 0.0.0.0:*
udp 0 0 0.0.0.0:443 0.0.0.0:*
udp 0 0 0.0.0.0:68 0.0.0.0:*
udp6 0 0 ::1:323 :::*
udp6 0 0 :::443 :::*
[root@ocserv ~]#
生成文本格式账户配置文件并创建新用户和密码。该文件保存的是口令哈希，生成后应确认 /etc/ocserv/ocpasswd 的文件权限不允许普通用户读取。
[root@ocserv ~]# ocpasswd -c /etc/ocserv/ocpasswd -g default harveymei
Enter password:
Re-enter password:
[root@ocserv ~]# cat /etc/ocserv/ocpasswd
harveymei:default:$5$PHgwIEbD2LqdJ1yG$WS7YxZdzaxf/Mr6/Nzem8Vnfka6XDyXhOvwZ7JeNWgA
[root@ocserv ~]#
使用浏览器访问https://66.42.98.17以确认服务可用
在iPhone上配置Cisco AnyConnect客户端并连接