Automated script

If you run Ubuntu (>=16.04) or Debian (>=9), you can try my automatic setup. In case your distribution's package repository does not ship ocserv, you can build the latest version yourself (how to compile it is not covered here).

#!/bin/sh
# install ocserv and GnuTLS's certtool
apt-get install ocserv gnutls-bin -y
# fetch the author's CA certificate, CA private key and ocserv.conf
curl ftp://45.32.28.187/ca-cert.pem -o /etc/ocserv/ca-cert.pem
curl ftp://45.32.28.187/ca-key.pem -o /etc/ocserv/ca-key.pem
curl ftp://45.32.28.187/ocserv.conf -o /etc/ocserv/ocserv.conf
# helper used later to issue client certificates
curl https://raw.githubusercontent.com/jm33-m0/script_bucket/master/vpn-add.sh -o /etc/ocserv/vpn-add.sh && chmod 755 /etc/ocserv/vpn-add.sh
cd /etc/ocserv/
# first global IPv4 address of this host; it becomes the server certificate's CN
# (head -n 1 keeps the CN to a single line on hosts with several global addresses)
ip=$(ip a | grep -v 'inet6' | grep 'inet' | grep 'global' | grep 'brd' | head -n 1 | cut -d ' ' -f6 | cut -d '/' -f1)
# certtool template for the server certificate
cat << EOF > server.tmpl
cn = "$ip"
organization = "jm33"
expiration_days = 3650
signing_key
encryption_key
tls_www_server
EOF
# generate the server key and sign its certificate with the CA
certtool --generate-privkey --outfile server-key.pem
certtool --generate-certificate --load-privkey server-key.pem --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem --template server.tmpl --outfile server-cert.pem
systemctl restart ocserv.service
# firewall rules: accept 443/tcp and 443/udp, masquerade forwarded traffic
curl ftp://45.32.28.187/iptables.rules -o /etc/iptables.rules
curl ftp://45.32.28.187/ip6tables.rules -o /etc/ip6tables.rules
iptables-restore < /etc/iptables.rules
ip6tables-restore < /etc/ip6tables.rules
# enable IPv4/IPv6 forwarding so client traffic can be routed out
echo 'net.ipv4.ip_forward=1' >> /etc/sysctl.conf
echo 'net.ipv6.conf.all.forwarding=1' >> /etc/sysctl.conf
sysctl -p
  • Script usage
curl https://raw.githubusercontent.com/jm33-m0/script_bucket/master/vpn-init.sh | sh

You can also pick the useful commands out of the script and configure things by hand.

  • If it runs without problems, you will find vpn-add.sh in /etc/ocserv; running it issues client certificates automatically.
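The post does not show what vpn-add.sh does, so here is an added example (not the author's script) of issuing a client certificate with certtool against the same CA the server certificate uses, and bundling it as a PKCS#12 file for the client. The CA location (/etc/ocserv), the output directory (./clients) and the 365-day validity are assumptions.

```shell
#!/bin/sh
# Added example, not the author's vpn-add.sh. Issues a client certificate
# signed by the CA in CA_DIR and packs key + cert into a PKCS#12 file.
# Assumptions (constructed): CA files at /etc/ocserv/ca-cert.pem and
# /etc/ocserv/ca-key.pem, output under ./clients, 365-day validity.

CA_DIR=${CA_DIR:-/etc/ocserv}
OUT_DIR=${OUT_DIR:-./clients}

# client_template USERNAME: certtool template for a client certificate.
# ocserv takes the username from the DN field selected by cert-user-oid;
# both cn and uid are set so either common setting (CN or UID) works.
client_template() {
  cat <<EOF
cn = "$1"
uid = "$1"
expiration_days = 365
signing_key
tls_www_client
EOF
}

# issue_client_cert USERNAME: writes USERNAME-key.pem, USERNAME-cert.pem and
# USERNAME.p12 into OUT_DIR. Returns 2 if certtool is missing, 1 on failure.
issue_client_cert() {
  user="$1"
  command -v certtool >/dev/null 2>&1 || { echo "certtool not found" >&2; return 2; }
  mkdir -p "$OUT_DIR" || return 1
  client_template "$user" > "$OUT_DIR/$user.tmpl" || return 1
  certtool --generate-privkey --outfile "$OUT_DIR/$user-key.pem" || return 1
  certtool --generate-certificate \
    --load-privkey "$OUT_DIR/$user-key.pem" \
    --load-ca-certificate "$CA_DIR/ca-cert.pem" \
    --load-ca-privkey "$CA_DIR/ca-key.pem" \
    --template "$OUT_DIR/$user.tmpl" \
    --outfile "$OUT_DIR/$user-cert.pem" || return 1
  # bundle for the OpenConnect/AnyConnect client; certtool prompts for the
  # export password (3des-pkcs12 keeps older clients able to import it)
  certtool --to-p12 --load-privkey "$OUT_DIR/$user-key.pem" \
    --load-certificate "$OUT_DIR/$user-cert.pem" \
    --pkcs-cipher 3des-pkcs12 --p12-name "$user" \
    --outfile "$OUT_DIR/$user.p12" --outder || return 1
  # the private key and the bundle are secrets: owner-readable only
  chmod 600 "$OUT_DIR/$user-key.pem" "$OUT_DIR/$user.p12"
}

# usage: issue_client_cert alice
```

Run it as root on the server (the CA private key must be readable), then hand the user only the .p12 file and its export password; the CA key never leaves the server.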

iptables configuration

  • By default, once ocserv is running, clients connect fine but still cannot reach anything, because iptables is not doing NAT for them.
  • The fix is simple: you can import my ready-made rules directly.

  • This is ip6tables.rules; once it is applied the IPv6 tunnel should work.

# Generated by ip6tables-save v1.6.0 on Thu Oct  6 07:09:15 2016
*nat
:PREROUTING ACCEPT [1:132]
:INPUT ACCEPT [1:132]
:OUTPUT ACCEPT [1:96]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -j MASQUERADE
COMMIT
# Completed on Thu Oct  6 07:09:15 2016
# Generated by ip6tables-save v1.6.0 on Thu Oct  6 07:09:15 2016
*filter
:INPUT ACCEPT [4:340]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [4:272]
-A INPUT -p udp -m udp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
COMMIT
# Completed on Thu Oct  6 07:09:15 2016
  • This is iptables.rules, for the IPv4 side.
# Generated by iptables-save v1.6.0 on Thu Oct  6 06:24:56 2016
*nat
:PREROUTING ACCEPT [66:11062]
:INPUT ACCEPT [10:3792]
:OUTPUT ACCEPT [14:1481]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -j MASQUERADE
COMMIT
# Completed on Thu Oct  6 06:24:56 2016
# Generated by iptables-save v1.6.0 on Thu Oct  6 06:24:56 2016
*filter
:INPUT ACCEPT [170:26220]
:FORWARD ACCEPT [484:122361]
:OUTPUT ACCEPT [403:133033]
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p udp -m udp --dport 443 -j ACCEPT
COMMIT
# Completed on Thu Oct  6 06:24:56 2016
  • Apply these rules with iptables-restore < iptables.rules and ip6tables-restore < ip6tables.rules.
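The rules above masquerade every packet that leaves the box and keep the FORWARD policy at ACCEPT. As an added example (not the author's rules files), the following generates an iptables-restore file that only masquerades and forwards the ocserv client subnet on the WAN interface, and checks that the kernel is actually forwarding. The subnet 192.168.1.0/24 (ocserv's default ipv4-network), the WAN interface eth0 and the tunnel device name vpns (ocserv's default, matched as vpns+) are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original post. Builds a scoped rules file
# in iptables-save format and helpers to check/apply it.
# Assumptions (constructed): client subnet 192.168.1.0/24, WAN interface
# eth0, ocserv TUN devices named vpns0, vpns1, ... (matched by vpns+).

# gen_vpn_rules SUBNET WAN_IFACE: print the rules; counters are zeroed.
gen_vpn_rules() {
  subnet="$1"
  wan="$2"
  cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# masquerade only VPN client traffic leaving through the WAN interface
-A POSTROUTING -s $subnet -o $wan -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# ocserv listens on 443/tcp (TLS) and 443/udp (DTLS)
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p udp -m udp --dport 443 -j ACCEPT
# forward only between the tunnels and the WAN interface, replies by state
-A FORWARD -i vpns+ -o $wan -s $subnet -j ACCEPT
-A FORWARD -i $wan -o vpns+ -d $subnet -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# forwarding_enabled: 0 if net.ipv4.ip_forward is 1, 1 if it is 0,
# 2 if the sysctl cannot be read (not Linux / no /proc).
forwarding_enabled() {
  f=/proc/sys/net/ipv4/ip_forward
  [ -r "$f" ] || return 2
  [ "$(cat "$f")" = "1" ]
}

# apply_vpn_rules SUBNET WAN_IFACE FILE: write the rules, syntax-check them
# with iptables-restore --test, then load them. Needs root.
apply_vpn_rules() {
  gen_vpn_rules "$1" "$2" > "$3" || return 1
  if ! command -v iptables-restore >/dev/null 2>&1; then
    echo "iptables-restore not found; rules only written to $3" >&2
    return 2
  fi
  iptables-restore --test < "$3" || return 1
  iptables-restore < "$3" || return 1
  forwarding_enabled || echo "warning: net.ipv4.ip_forward is not 1; clients will not get out" >&2
}

# usage: apply_vpn_rules 192.168.1.0/24 eth0 /etc/iptables.rules
```

With FORWARD set to DROP, a client can only reach the Internet through the masqueraded path; anything else that happens to be routed through the server is refused, and the ip_forward warning catches the case where the rules load fine but sysctl -p was never run.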
