Cisco VPN: setting up ocserv and using it with AnyConnect / OpenConnect-GUI

A quick record of how I set up Cisco's ocserv (OpenConnect server), for anyone who wants a reference!

Going through the VPN into the target server's network lets us reach internal devices more safely!

The server is a Unix-like system such as Linux or Ubuntu (I'm using a yum-based Linux here; on Ubuntu swap the yum package manager for apt-get, everything else is basically the same).
Check for yum updates
yum check-update

First I update yum
yum update

Search yum for ocserv
yum search ocserv

Install ocserv with yum
yum install ocserv

Open the ocserv config file
nano /etc/ocserv/ocserv.conf

Here is a snippet I copied in; there are other parameters you can look up and tweak yourself (the certificates and keys are generated later).

# Log in with certificates, so we don't have to type the annoying password every time (for password login, use the commented line below instead)
auth = "certificate"
#auth = "plain[passwd=/etc/ocserv/ocpasswd]"

# Total number of clients, and simultaneous connections per user
max-clients = 16
max-same-clients = 4

# Use a port you like that is unlikely to clash with anything
tcp-port = 2233
udp-port = 2233

# Network optimisation: true
try-mtu-discovery = true

socket-file = /var/run/ocserv-socket

# OID of the certificate field the server reads the username from (2.5.4.3 is the CN)
cert-user-oid = 2.5.4.3

# Server certificate and private key paths
server-cert = /etc/ocserv/ssl/server-cert.pem
server-key = /etc/ocserv/ssl/server-key.pem

# CA certificate path
ca-cert = /etc/ocserv/ssl/ca-cert.pem

# Address pool handed to VPN clients; must not overlap other internal ranges
ipv4-network = 192.168.43.0
ipv4-netmask = 255.255.255.0

# DNS: use whichever resolvers work for you
dns = 8.8.8.8
dns = 223.5.5.5

run-as-user = nobody
run-as-group = daemon

# Groups (skip the following four lines if you don't use groups)
config-per-group = /etc/ocserv/group/
default-group-config = /etc/ocserv/group/cn-no-route
default-select-group = cn-no-route
auto-select-group = false


# Dead peer detection
dpd = 90
mobile-dpd = 1800

rate-limit-ms = 0
server-stats-reset-time = 604800
keepalive = 32400
switch-to-tcp-timeout = 25
isolate-workers = true
mtu=2000
tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-VERS-SSL3.0"
auth-timeout = 240
idle-timeout = 86400
mobile-idle-timeout = 86400
min-reauth-time = 300
max-ban-score = 80
ban-reset-time = 1200
cookie-timeout = 300
deny-roaming = true
rekey-time = 172800
rekey-method = ssl
use-occtl = true
#pid-file = /var/run/ocserv.pid
net-priority = 6
device = vpns
predictable-ips = true
default-domain = example
cisco-client-compat = true
dtls-legacy = true

banner = "Effort Effort AND Effort!I SAY/SEE U!"

Routes can be written directly in ocserv.conf, or in the per-group file default-group-config = /etc/ocserv/group/cn-no-route.
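As an added example (my own code, not from the post), a small Python linter for a config like the one above: it flags single-valued options that are repeated with conflicting values, the kind of slip that is easy to make when pasting snippets together (e.g. try-mtu-discovery set to true in one place and false in another, where only one can take effect), leaves options ocserv legitimately accepts several times (dns, route, ...) alone, and checks that auth stays "certificate" and that tls-priorities disables SSLv3. The MULTI_VALUE set and SAMPLE_CONF are my own assumptions and constructed input.

```python
"""Lint an ocserv.conf snippet: flag single-valued options set twice with different
values and check two security settings. Added example; lists below are assumed."""

# Options ocserv accepts more than once (assumed list); repeats are fine here.
MULTI_VALUE = {"dns", "route", "no-route", "split-dns", "nbns", "custom-header"}

# Constructed sample in the style of the post's config, with one conflicting
# duplicate deliberately included (try-mtu-discovery true, then false).
SAMPLE_CONF = """\
auth = "certificate"
#auth = "plain[passwd=/etc/ocserv/ocpasswd]"
try-mtu-discovery = true
dns = 8.8.8.8
dns = 223.5.5.5
try-mtu-discovery = false
tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-VERS-SSL3.0"
"""

def parse_conf(text):
    """Return (key, value, line_no) tuples; comment and blank lines are skipped."""
    entries = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        entries.append((key, value.strip('"'), n))
    return entries

def lint(text):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings, first_seen = [], {}
    for key, value, n in parse_conf(text):
        if key in MULTI_VALUE:
            continue
        if key in first_seen and first_seen[key][0] != value:
            prev_value, prev_line = first_seen[key]
            findings.append(f"line {n}: {key} = {value} conflicts with "
                            f"{key} = {prev_value} on line {prev_line}")
        first_seen.setdefault(key, (value, n))
    conf = {key: value for key, value, _ in parse_conf(text)}
    if conf.get("auth") != "certificate":
        findings.append("auth is not 'certificate': clients need not present a cert")
    if "-VERS-SSL3.0" not in conf.get("tls-priorities", ""):
        findings.append("tls-priorities does not disable SSLv3")
    return findings

if __name__ == "__main__":
    for finding in lint(SAMPLE_CONF):
        print(finding)
```

Run it against your real file with lint(open("/etc/ocserv/ocserv.conf").read()) after editing; the line numbers in the findings refer to that file.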

Next we generate the certificates and keys and put them at the paths used in the config above.
Create a CA template:
touch ca.tmpl
nano ca.tmpl (or vi ca.tmpl)
Edit it and add the parameters below; the organisation and so on can be anything, it's self-signed anyway.

organization = "organization"
serial = 1
expiration_days = 9999
ca
signing_key
cert_signing_key
crl_signing_key

Then generate the CA key and certificate with these two commands:

certtool --generate-privkey --outfile ca-key.pem

certtool --generate-self-signed --load-privkey ca-key.pem --template ca.tmpl --outfile ca-cert.pem

With the CA done, the server key is similar: first create a server.tmpl template containing:

organization = "organization"
expiration_days = 9999
signing_key
encryption_key
tls_www_server

Run:

certtool --generate-privkey --outfile server-key.pem

certtool --generate-certificate --load-privkey server-key.pem --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem --template server.tmpl --outfile server-cert.pem

Then move them into the right directory with mv (create the directory first if it does not exist yet):

mkdir -p /etc/ocserv/ssl

mv ca-cert.pem /etc/ocserv/ssl/ca-cert.pem

mv server-key.pem /etc/ocserv/ssl/

mv server-cert.pem /etc/ocserv/ssl/

That's the server set up; let's create a user and try it!

Same recipe: create a user template with vi user.tmpl and generate the user key and certificate, then one extra (and final) step: produce a PKCS#12 file to import into the client.

# ocserv reads the VPN username from this field (cert-user-oid = 2.5.4.3 above)
cn = "username"
# Organizational unit, used as the group name
unit = "groupname"
expiration_days = 9999
signing_key
tls_www_client

certtool --generate-privkey --outfile user-key.pem

certtool --generate-certificate --load-privkey user-key.pem --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem --template user.tmpl --outfile user-cert.pem

certtool --to-p12 --load-privkey user-key.pem --pkcs-cipher 3des-pkcs12 --load-certificate user-cert.pem --outfile user.p12 --outder

Then enter the username and password when prompted.

After that, on Windows and Mac download the client from the OpenConnect website; on iOS and Android get AnyConnect from the App Store and Google Play respectively!

If it doesn't connect, you may need to configure the firewall! Open the port you are listening on!

systemctl start firewalld.service
firewall-cmd --permanent --zone=public --add-port=2233/tcp
firewall-cmd --permanent --zone=public --add-port=2233/udp
firewall-cmd --permanent --add-masquerade
firewall-cmd --permanent --direct --passthrough ipv4 -t nat -A POSTROUTING -o eth0 -j MASQUERADE
firewall-cmd --reload

Enter the gateway IP:port, import the certificate (you will need the password set above), and you are on the network where the server lives!
