安装Cisco AnyConnect Secure Mobility Client客户端程序
准备导入由自签CA签发的用户证书(含私钥)文件
证书导入向导(存储位置:当前用户)
确认导入证书文件的文件路径
输入为证书文件设置的密码
使用默认的证书存储位置
确认证书导入信息,并点击完成
证书导入成功
在证书管理(用户证书)中查看已导入的用户证书信息
在打开的AnyConnect客户端中输入服务器地址,并点击连接按钮
正在建立连接的状态
连接建立成功,系统提示已连接至服务器端
客户端处于连接状态
使用自签证书进行用户身份验证,使用Let’s Encrypt权威证书作为服务器证书
启用内核包转发
[root@ocserv ~]# echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf [root@ocserv ~]# sysctl -p net.ipv6.conf.all.accept_ra = 2 net.ipv6.conf.eth0.accept_ra = 2 net.ipv4.ip_forward = 1 [root@ocserv ~]#
开启防火墙端口及包转发特性
[root@ocserv ~]# firewall-cmd --permanent --add-port=443/tcp success [root@ocserv ~]# firewall-cmd --permanent --add-port=443/udp success [root@ocserv ~]# firewall-cmd --permanent --add-port=80/tcp success [root@ocserv ~]# firewall-cmd --permanent --add-port=8080/tcp success [root@ocserv ~]# firewall-cmd --permanent --add-masquerade success [root@ocserv ~]# firewall-cmd --reload success [root@ocserv ~]#
安装ocserv服务包及Let’s Encrypt工具包
[root@ocserv ~]# yum -y install ocserv certbot
使用certbot生成的服务器证书和密钥路径
/etc/letsencrypt/live/ocserv.bcoc.site/fullchain.pem /etc/letsencrypt/live/ocserv.bcoc.site/privkey.pem
修改ocserv服务端配置
[root@ocserv ~]# vi /etc/ocserv/ocserv.conf
修改认证类型为证书认证
auth = "certificate"
修改服务器证书配置
server-cert = /etc/letsencrypt/live/ocserv.bcoc.site/fullchain.pem server-key = /etc/letsencrypt/live/ocserv.bcoc.site/privkey.pem
修改用户端证书身份识别
#cert-user-oid = 0.9.2342.19200300.100.1.1 cert-user-oid = 2.5.4.3
启用压缩
compression = true no-compress-limit = 256
设置客户端IPv4地址池
ipv4-network = 192.168.172.0 ipv4-netmask = 255.255.255.0
设置DNS
dns = 8.8.8.8 dns = 8.8.4.4
启动服务
[root@ocserv ~]# systemctl start ocserv
安装Apache服务器,为用户证书提供下载服务
[root@ocserv ~]# yum -y install httpd
修改Apache主配置文件并启动服务
[root@ocserv ~]# vi /etc/httpd/conf/httpd.conf
修改主机名
ServerName ocserv.bcoc.site
修改服务监听端口
#Listen 80 Listen 8080
检查配置并启动服务
[root@ocserv ~]# apachectl -t Syntax OK [root@ocserv ~]# systemctl enable httpd Created symlink from /etc/systemd/system/multi-user.target.wants/httpd.service to /usr/lib/systemd/system/httpd.service. [root@ocserv ~]# systemctl start httpd [root@ocserv ~]#
查看监听
使用浏览器访问服务器端口确认证书状态
生成自签CA证书
[root@ocserv ~]# certtool --generate-privkey --outfile ca-key.pem Generating a 2048 bit RSA private key... [root@ocserv ~]# cat << _EOF_ >ca.tmpl > cn = "BCOC CA" > organization = "BCOC" > serial = 1 > expiration_days = -1 > ca > signing_key > cert_signing_key > crl_signing_key > _EOF_ [root@ocserv ~]# certtool --generate-self-signed --load-privkey ca-key.pem \ > --template ca.tmpl --outfile ca-cert.pem
生成自签用户证书
[root@ocserv ~]# certtool --generate-privkey --outfile user-key.pem Generating a 2048 bit RSA private key... [root@ocserv ~]# cat << _EOF_ >user.tmpl > cn = "harveymei" > unit = "standard" > expiration_days = 365 > signing_key > tls_www_client > _EOF_ [root@ocserv ~]# certtool --generate-certificate --load-privkey user-key.pem \ > --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem \ > --template user.tmpl --outfile user-cert.pem
导出为PKCS12格式,为证书设置密钥(导入证书时需要输入)
[root@ocserv ~]# certtool --to-p12 --load-privkey user-key.pem \ > --pkcs-cipher 3des-pkcs12 \ > --load-certificate user-cert.pem \ > --outfile user.p12 --outder Generating a PKCS #12 structure... Loading private key list... Loaded 1 private keys. Enter a name for the key: harveymei Enter password: Confirm password: [root@ocserv ~]# ls ca-cert.pem ca.tmpl user-key.pem user.tmpl ca-key.pem user-cert.pem user.p12 [root@ocserv ~]#
将用户证书复制到Web Server服务器根目录下以提供证书下载
[root@ocserv ~]# cp user.p12 /var/www/html/
使用自签CA证书覆盖ocserv初始CA证书
[root@ocserv ~]# cp ca-cert.pem /etc/pki/ocserv/cacerts/ca.crt cp: overwrite ‘/etc/pki/ocserv/cacerts/ca.crt’? y
覆盖CA证书后重新启动ocserv服务
[root@ocserv ~]# systemctl restart ocserv
客户端新建连接并导入用户证书
客户端证书下载地址(客户端导入证书需输入密码)
http://ocserv.bcoc.site:8080/user.p12
Windows 10 系统下OpenConnect GUI的设置
基于CentOS7的安装配置命令
sudo tee /etc/yum.repos.d/mongodb-org-4.0.repo << EOF [mongodb-org-4.0] name=MongoDB Repository baseurl=https://repo.mongodb.org/yum/redhat/7/mongodb-org/4.0/x86_64/ gpgcheck=1 enabled=1 gpgkey=https://www.mongodb.org/static/pgp/server-4.0.asc EOF sudo tee /etc/yum.repos.d/pritunl.repo << EOF [pritunl] name=Pritunl Repository baseurl=https://repo.pritunl.com/stable/yum/centos/7/ gpgcheck=1 enabled=1 EOF sudo rpm -Uvh https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm gpg --keyserver hkp://keyserver.ubuntu.com --recv-keys 7568D9BB55FF9E5287D586017AE645C0CF8E292A gpg --armor --export 7568D9BB55FF9E5287D586017AE645C0CF8E292A > key.tmp; sudo rpm --import key.tmp; rm -f key.tmp sudo yum -y install pritunl mongodb-org sudo systemctl start mongod pritunl sudo systemctl enable mongod pritunl
修改oepnfile限制
sudo sh -c 'echo "* hard nofile 64000" >> /etc/security/limits.conf' sudo sh -c 'echo "* soft nofile 64000" >> /etc/security/limits.conf' sudo sh -c 'echo "root hard nofile 64000" >> /etc/security/limits.conf' sudo sh -c 'echo "root soft nofile 64000" >> /etc/security/limits.conf'
host1主机私网IP配置信息
# Private network: net5e1571b604398 DEVICE=eth1 ONBOOT=yes BOOTPROTO=static IPADDR=10.25.96.3 NETMASK=255.255.240.0 MTU=1450
host2主机私网IP配置信息
# Private network: net5e1571b604398 DEVICE=eth1 ONBOOT=yes BOOTPROTO=static IPADDR=10.25.96.4 NETMASK=255.255.240.0 MTU=1450
检查内网互通性
生成初始化密钥
[root@host1 ~]# pritunl setup-key 3c1cd1325ff34ae8ab1b1443c6706efb [root@host1 ~]#
使用浏览器访问控制台并保存初始化密钥
按照提示生成初始登录信息
获取初始登录信息
[root@host1 ~]# sudo pritunl default-password [undefined][2020-01-20 02:08:04,859][INFO] Getting default administrator password Administrator default password: username: "pritunl" password: "DB2aRfaKxLmt" [root@host1 ~]#
修改控制台用户名密码,确认服务器地址,控制台端口,证书(Let‘s Encrypt)配置信息
提示成功保存设置
添加服务器
设置服务器名称,确认监听端口,DNS服务器及内网网段
成功添加服务器,删除默认的0.0.0.0/0路由
确认删除该路由条目
添加路由,该路由条目经服务端推送给客户端(10.25.96.0/20),客户端无需手动指定
指定路由条目详情
添加路由条目成功
添加组织
设置组织名称
为组织添加用户
用户详情
将服务器附加到组织
确认附加信息
成功附加服务器到组织
启动服务器
服务器启动后的控制台状态
下载用户端配置文件
解压缩并查看用户端配置文件
使用Pritunl客户端导入用户端配置文件
导入配置文件
导入配置文件后的客户端界面信息
点击连接,成功获取VPN服务器端内网IP地址
查看本机IPv4路由表,显示已添加去往10.25.96.0/20网络的路由
验证,本机通过host1建立的Remote Access VPN访问内网IP为10.25.96.4的host2主机(PING)
C:\Users\harveymei>ping 10.25.96.4 正在 Ping 10.25.96.4 具有 32 字节的数据: 来自 10.25.96.4 的回复: 字节=32 时间=169ms TTL=63 来自 10.25.96.4 的回复: 字节=32 时间=174ms TTL=63 来自 10.25.96.4 的回复: 字节=32 时间=176ms TTL=63 来自 10.25.96.4 的回复: 字节=32 时间=165ms TTL=63 10.25.96.4 的 Ping 统计信息: 数据包: 已发送 = 4,已接收 = 4,丢失 = 0 (0% 丢失), 往返行程的估计时间(以毫秒为单位): 最短 = 165ms,最长 = 176ms,平均 = 171ms C:\Users\harveymei>
使用命令行手动申请通配符证书,并使用DNS验证方式,手动添加TXT记录
[root@certbot ~]# certbot certonly -d *.bcoc.site --manual --preferred-challenges dns Saving debug log to /var/log/letsencrypt/letsencrypt.log Plugins selected: Authenticator manual, Installer None Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org Obtaining a new certificate Performing the following challenges: dns-01 challenge for bcoc.site - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - NOTE: The IP of this machine will be publicly logged as having requested this certificate. If you're running certbot in manual mode on a machine that is not your server, please ensure you're okay with that. Are you OK with your IP being logged? - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - (Y)es/(N)o: Y - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Please deploy a DNS TXT record under the name _acme-challenge.bcoc.site with the following value: hQolCyWZvWXBRcO3X8ZlNys4_dHJuGBx_bly9WGguvk Before continuing, verify the record is deployed. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Press Enter to Continue Waiting for verification... Resetting dropped connection: acme-v02.api.letsencrypt.org Cleaning up challenges IMPORTANT NOTES: - Congratulations! Your certificate and chain have been saved at: /etc/letsencrypt/live/bcoc.site/fullchain.pem Your key file has been saved at: /etc/letsencrypt/live/bcoc.site/privkey.pem Your cert will expire on 2020-03-31. To obtain a new or tweaked version of this certificate in the future, simply run certbot again. To non-interactively renew *all* of your certificates, run "certbot renew" - If you like Certbot, please consider supporting our work by: Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate Donating to EFF: https://eff.org/donate-le [root@certbot ~]#
在Windows中查看证书信息
