• As many fellow Chinese users might need this guide, I will add Chinese translation to this article

  • You may encounter errors like The secure gateway has rejected the connection attempt. Well, I will tell you how to solve problems like that

  • You will also find instructions about how to create a self signed cert (used in SSL VPN)

Generate your certs/生成自签名证书

  • Select a workspace and put your certs there/把你的证书放在专门的工作目录

  • Using ca.tmpl template/使用CA证书模板

cn = "VPN CA"
organization = "Corp"
serial = 1
expiration_days = 3650
  • Modify the template for your own use, and generate a CA key and CA cert/按照你的用途修改模板并生成密钥与证书
certtool --generate-privkey --outfile ca-key.pem
certtool --generate-self-signed --load-privkey ca-key.pem --template ca.tmpl --outfile ca-cert.pem
  • Create a local server certificate template file (server.tmpl) with the the content below. Please pay attention to the cn field, it must match the DNS name or IP address of your server/使用下面的内容创建一个本地服务器证书模板server.tmpl,请注意cn项必须与你服务器的IP地址匹配
cn = "you domain name or ip"
organization = "MyCompany" 
expiration_days = 3650 
  • Then, generate the server key and certificate/生产服务器密钥和证书
certtool --generate-privkey --outfile server-key.pem
certtool --generate-certificate --load-privkey server-key.pem --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem --template server.tmpl --outfile server-cert.pem
  • Copy the key, certificate, and config file to the ocserv config directory/把这些东西全扔到/etc/ocserv/config
mkdir /etc/ocserv
cp server-cert.pem server-key.pem /etc/ocserv
cd /etc/ocserv
  • Edit the config file /etc/ocserv/config Uncomment or modify the fields described below/按照下面的内容修改你的配置文件/etc/ocserv/config
auth = "certificate"

try-mtu-discovery = true

server-cert = /etc/ocserv/server-cert.pem
server-key = /etc/ocserv/server-key.pem

cert-user-oid =

ipv6-network = fda9:4efe:7e3b:03ea::/64

dns =
dns = 2001:4860:4860::8888

# comment out all route fields
#route =
#route =
#route = fef4:db8:1000:1001::/64
#no-route =

cisco-client-compat = true
  • Now your VPN server is configured to use cert based authentication/现在你的VPN已经设置为基于证书的认证

Generate and sign certs for users/生成并签发用户端证书

  • I have a script here to automate the process/我写了一个自用的shell脚本用来自动化用户证书创建的过程
certtool --generate-privkey --outfile user-key.pem
certtool --generate-certificate --load-privkey user-key.pem --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem --template user.tmpl --outfile user-cert.pem
certtool --to-p12 --load-privkey user-key.pem --pkcs-cipher 3des-pkcs12 --load-certificate user-cert.pem --outfile user.p12 --outder
export user=$(cat user.tmpl | grep "cn" | cut -d '"' -f2)
export name=$(echo $user | base64)
export file=$(echo $name | md5sum | cut -d '-' -f1)
cp ./user.p12 /etc/ocserv/$user$file.p12
cp ./user.p12 /var/www/html/files/$user$file.p12
chown -R www-data:www-data /var/www/html/files
rm user*.pem *.p12
  • And user.tmpl, do put them together/还有user.tmpl,和上面的文件放在一起
cn = "lwk"
unit = "vpn"
expiration_days = 9999
  • Simply ./ will generate a signed cert for one user and put it on web server to be downloaded

Trouble Shooting/故障排查

  • The secure gateway has rejected the connection attempt/安全网关已拒绝连接

    • ocserv-user-oid is now required with cert based authentication, you can simply set it to cert-user-oid =在/etc/ocserv/config里指定cert-user-oid =现在的版本已经默认要求这个设置了)

    • I used to see this error for many times when attempting authentication to VPN server, setting up user-oid solved that completely/我之前使用的ocserv经常遇到客户端证书认证被拒绝,这个设置解决了问题

    • Also, keep your ocserv up to date/请将ocserv升级到最新版本(这会解决不少莫名其妙的问题)


comments powered by Disqus