TL;DR

  • As many fellow Chinese users might need this guide, I will add a Chinese translation to this article

  • You may encounter errors like "The secure gateway has rejected the connection attempt". Well, I will tell you how to solve problems like that

  • You will also find instructions on how to create a self-signed cert (used in the SSL VPN)

Generate your self-signed certs

  • Select a workspace and put your certs there

  • Create the CA certificate template ca.tmpl with the content below

cn = "VPN CA"
organization = "Corp"
serial = 1
expiration_days = 3650
ca
signing_key
cert_signing_key
crl_signing_key
  • Modify the template for your own use, then generate a CA key and CA cert
certtool --generate-privkey --outfile ca-key.pem
certtool --generate-self-signed --load-privkey ca-key.pem --template ca.tmpl --outfile ca-cert.pem
  • Create a local server certificate template file (server.tmpl) with the content below. Pay attention to the cn field: it must match the DNS name or IP address of your server
cn = "your domain name or ip"
organization = "MyCompany"
expiration_days = 3650
signing_key
encryption_key
tls_www_server
  • Then generate the server key and certificate
certtool --generate-privkey --outfile server-key.pem
certtool --generate-certificate --load-privkey server-key.pem --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem --template server.tmpl --outfile server-cert.pem
  • Copy the key, certificate, and config file to the ocserv config directory
mkdir /etc/ocserv
cp server-cert.pem server-key.pem /etc/ocserv
cd /etc/ocserv
  • Edit the config file /etc/ocserv/config. Uncomment or modify the fields described below
auth = "certificate"

try-mtu-discovery = true

server-cert = /etc/ocserv/server-cert.pem
server-key = /etc/ocserv/server-key.pem

cert-user-oid = 2.5.4.3

ipv6-network = fda9:4efe:7e3b:03ea::/64

dns = 8.8.8.8
dns = 2001:4860:4860::8888

# comment out all route fields
#route = 10.10.10.0/255.255.255.0
#route = 192.168.0.0/255.255.0.0
#route = fef4:db8:1000:1001::/64
#no-route = 192.168.5.0/255.255.255.0

cisco-client-compat = true
  • Now your VPN server is configured to use cert-based authentication

Generate and sign certs for users

  • I have a shell script here that I wrote for my own use to automate the process of creating user certificates
#!/bin/sh
# Stop at the first failing command so a half-generated user is never published
set -e
# Key and certificate for one user, signed by the CA created above
certtool --generate-privkey --outfile user-key.pem
certtool --generate-certificate --load-privkey user-key.pem --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem --template user.tmpl --outfile user-cert.pem
# Bundle key and certificate into a PKCS#12 file for the client
certtool --to-p12 --load-privkey user-key.pem --pkcs-cipher 3des-pkcs12 --load-certificate user-cert.pem --outfile user.p12 --outder
# The username is the cn field of user.tmpl; derive an opaque suffix for the download name
user=$(grep '^cn' user.tmpl | cut -d '"' -f2)
name=$(echo "$user" | base64)
file=$(echo "$name" | md5sum | cut -d ' ' -f1)
cp ./user.p12 "/etc/ocserv/$user$file.p12"
cp ./user.p12 "/var/www/html/files/$user$file.p12"
chown -R www-data:www-data /var/www/html/files
rm user*.pem *.p12
  • And user.tmpl, which goes in the same directory as the files above
cn = "lwk"
unit = "vpn"
expiration_days = 9999
signing_key
tls_www_client
  • Simply running ./user.sh will generate a signed cert for one user and put it on the web server to be downloaded

Troubleshooting

  • The secure gateway has rejected the connection attempt

    • cert-user-oid is now required with cert-based authentication; you can simply set cert-user-oid = 2.5.4.3 in /etc/ocserv/config (current versions require this setting by default)

    • I used to see this error many times when attempting to authenticate to the VPN server (the ocserv I used before often rejected client certificate authentication); setting up the user OID solved that completely

    • Also, keep your ocserv up to date (this fixes quite a few puzzling problems)
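As an added example (not part of the original post and not ocserv's own tooling), here is a POSIX sh check that reads the key = value lines of /etc/ocserv/config the way this guide lays them out and flags the settings whose absence produces the rejection above, so a missing cert-user-oid is caught before a client ever connects. The function names and the sample configs are constructed for this example.

```shell
#!/bin/sh
# Added example: lint an ocserv config for the certificate-auth settings this
# guide relies on. Assumes the "key = value" layout shown above (assumption).

# Print the last value set for key $2 in config file $1 (commented lines ignored).
ocserv_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
        | sed 's/[[:space:]]*$//' | tail -n 1
}

# Return 0 if the config is ready for cert-based auth, 1 otherwise.
check_ocserv_cert_auth() {
    cfg=$1; status=0
    case "$(ocserv_get "$cfg" auth)" in
        '"certificate"'|certificate) ;;
        *) echo "auth must be \"certificate\""; status=1 ;;
    esac
    # cert-user-oid maps a certificate field to the VPN username; without it
    # ocserv cannot derive a user from the client cert and rejects the session.
    [ -n "$(ocserv_get "$cfg" cert-user-oid)" ] \
        || { echo "cert-user-oid is missing (the guide uses 2.5.4.3, the CN)"; status=1; }
    for key in server-cert server-key; do
        [ -n "$(ocserv_get "$cfg" "$key")" ] \
            || { echo "$key is missing"; status=1; }
    done
    # Active route lines are only a warning: the guide comments them all out.
    if grep -Eq '^[[:space:]]*route[[:space:]]*=' "$cfg"; then
        echo "warning: active route lines found"
    fi
    return $status
}

# Constructed sample configs for a stand-alone run.
tmpdir=$(mktemp -d)
printf 'auth = "certificate"\ncert-user-oid = 2.5.4.3\nserver-cert = /etc/ocserv/server-cert.pem\nserver-key = /etc/ocserv/server-key.pem\n#route = 10.10.10.0/255.255.255.0\n' > "$tmpdir/good.conf"
printf 'auth = "certificate"\nserver-cert = /etc/ocserv/server-cert.pem\nserver-key = /etc/ocserv/server-key.pem\n' > "$tmpdir/missing-oid.conf"
check_ocserv_cert_auth "$tmpdir/good.conf" && echo "good.conf: ok"
check_ocserv_cert_auth "$tmpdir/missing-oid.conf" || echo "missing-oid.conf: rejected"
```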
