Openconnect VPN server installation instruction for debian wheezy x 86

ckleea

通過雯雯介紹

成功將Openconnect VPN server 放在 Debian Wheezy X86 server
安排方法如下

1. 系統準備

1. # need to have newer gnutls req backports
   
2. echo "deb http://ftp.debian.org/debian wheezy-backports main contrib non-free" | tee -a /etc/apt/sources.list
   
3. aptitude update
   
4. aptitude -t wheezy-backports -y install libgnutls28-dev
   
5. aptitude -y install libgmp3-dev m4 gcc pkg-config make gnutls-bin libreadline-dev
   
6. aptitude -y install libpam0g-dev libwrap0-dev  liblz4-dev  libseccomp-dev libkrb5-dev libprotobuf-c0-dev libnl-route-3-dev  libreadline-dev libtalloc-dev libopts25-dev libwrap0-dev

複製代碼

2. 下載OpenConnect VPN Server 源碼 # as of today, latest=0.10.4

1. # Get OCServ
   
2. mkdir /usr/src/ocserv
   
3. cd /usr/src/ocserv
   
4. wget ftp://ftp.infradead.org/pub/ocserv/ocserv-0.10.4.tar.xz
   
5. tar xvf ocserv-0.10.4.tar.xz
   
6. cd ocserv-0.10.4
   
7. ./configure --prefix=/usr --sysconfdir=/etc
   
8. make
   
9. make install
   
10. mkdir /etc/ocserv
    
11. cp doc/sample.config /etc/ocserv/
    
12. mv /etc/ocserv/sample.config /etc/ocserv/ocserv.conf

複製代碼

3. 準備 系統 certificate，如有有效的certificate更好

1. ## Generate your self-signed certificate for Ocserv use
   
2. ## change the value in CN and organization based on your choice
   
3. ## create two files for certificate generation
   
4. 1. ca.tmpl
   
5.         cn = "VPN CA"
   
6.         organization = "Big Corp"
   
7.         serial = 1
   
8.         expiration_days = 9999
   
9.         ca
   
10.         signing_key
    
11.         cert_signing_key
    
12.         crl_signing_key
    
13. 
    
14. 
    
15. 2. server.tmpl
    
16.         cn = "www.example.com"
    
17.         organization = "MyCompany"
    
18.         expiration_days = 9999
    
19.         signing_key
    
20.         encryption_key
    
21.         tls_www_server
    
22. 
    
23. 
    
24. certtool --generate-privkey --outfile ca-key.pem
    
25. 
    
26. certtool --generate-self-signed --load-privkey ca-key.pem --template ca.tmpl --outfile ca-cert.pem
    
27. 
    
28. certtool --generate-privkey --outfile server-key.pem
    
29. 
    
30. certtool --generate-certificate --load-privkey server-key.pem --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem --template server.tmpl --outfile server-cert.pem
    
31. 
    
32. cp server-cert.pem /etc/ssl/certs/
    
33. cp server-key.pem /etc/ssl/private/

複製代碼

4. 修改設定檔，只需要修改下面的行列

1. ## config your own /etc/ocserv/ocserv.conf
   
2. ## change the setting as below
   
3. ## note the port 443 and ipaddress 10.10.0.0 are of your choice
   
4. 
   
5. #auth = "plain[./sample.passwd]"
   
6. auth = "plain[/etc/ocserv/ocpasswd]"
   
7. #auth = "pam"
   
8. ...
   
9. #max-clients = 1024
   
10. max-clients = 16
    
11. ...
    
12. #max-same-clients = 2
    
13. max-same-clients = 10
    
14. ...
    
15. # TCP and UDP port number
    
16. tcp-port = 443
    
17. udp-port = 443
    
18. ...
    
19. #server-cert = ../tests/server-cert.pem
    
20. #server-key = ../tests/server-key.pem
    
21. server-cert = /etc/ssl/certs/server-cert.pem
    
22. server-key = /etc/ssl/private/server-key.pem
    
23. ...
    
24. #run-as-group = daemon
    
25. run-as-group = nogroup
    
26. ...
    
27. # The pool of addresses that leases will be given from.
    
28. #ipv4-network = 192.168.1.0
    
29. ipv4-network = 10.10.0.0
    
30. ipv4-netmask = 255.255.255.0
    
31. ...
    
32. # dns = fc00::4be0
    
33. #dns = 192.168.1.2
    
34. dns = 8.8.8.8
    
35. dns = 208.67.222.222
    
36. ...
    
37. #route = 192.168.1.0/255.255.255.0
    
38. #route = 192.168.5.0/255.255.255.0
    
39. #route = fef4:db8:1000:1001::/64

複製代碼

5. 設定防火牆

1. ## add the following to /etc/rc.local
   
2. ## change the port 443 to the port you choose
   
3. ## change the ip address 10.10.0.0 to the ip address you choose
   
4. 
   
5. iptables -A INPUT -p tcp --dport 443 -j ACCEPT
   
6. iptables -A INPUT -p udp --dport 443 -j ACCEPT
   
7. iptables -t nat -A POSTROUTING -s 10.10.0.0/24 -o eth0 -j MASQUERADE
   
8. iptables -A FORWARD -s 10.10.0.0/24 -j ACCEPT
   
9. echo 1 > /proc/sys/net/ipv4/ip_forward

複製代碼

6. 建立起動源碼

1. ## create the ocserv init file at /etc/init.d/ocserv and make it executable by chmod a+x /etc/init.d/ocserv
   
2. 
   
3. #!/bin/sh
   
4. ### BEGIN INIT INFO
   
5. # Provides:          ocserv
   
6. # Required-Start:    $remote_fs $syslog
   
7. # Required-Stop:     $remote_fs $syslog
   
8. # Default-Start:     2 3 4 5
   
9. # Default-Stop:      0 1 6
   
10. ### END INIT INFO
    
11. # Copyright Rene Mayrhofer, Gibraltar, 1999
    
12. # This script is distibuted under the GPL
    
13. 
    
14. PATH=/bin:/usr/bin:/sbin:/usr/sbin
    
15. DAEMON=/usr/sbin/ocserv
    
16. PIDFILE=/var/run/ocserv.pid
    
17. DAEMON_ARGS="-c /etc/ocserv/ocserv.conf"
    
18. 
    
19. case "$1" in
    
20. start)
    
21. if [ ! -r $PIDFILE ]; then
    
22. echo -n "Starting OpenConnect VPN Server Daemon: "
    
23. start-stop-daemon --start --quiet --pidfile $PIDFILE --exec $DAEMON -- \
    
24. $DAEMON_ARGS > /dev/null
    
25. echo "ocserv."
    
26. else
    
27. echo -n "OpenConnect VPN Server is already running.\n\r"
    
28. exit 0
    
29. fi
    
30. ;;
    
31. stop)
    
32. echo -n "Stopping OpenConnect VPN Server Daemon: "
    
33. start-stop-daemon --stop --quiet --pidfile $PIDFILE --exec $DAEMON
    
34. echo "ocserv."
    
35. rm -f $PIDFILE
    
36. ;;
    
37. force-reload|restart)
    
38. echo "Restarting OpenConnect VPN Server: "
    
39. $0 stop
    
40. sleep 1
    
41. $0 start
    
42. ;;
    
43. status)
    
44. if [ ! -r $PIDFILE ]; then
    
45. # no pid file, process doesn't seem to be running correctly
    
46. exit 3
    
47. fi
    
48. PID=`cat $PIDFILE | sed 's/ //g'`
    
49. EXE=/proc/$PID/exe
    
50. if [ -x "$EXE" ] &&
    
51. [ "`ls -l \"$EXE\" | cut -d'>' -f2,2 | cut -d' ' -f2,2`" = \
    
52. "$DAEMON" ]; then
    
53. # ok, process seems to be running
    
54. exit 0
    
55. elif [ -r $PIDFILE ]; then
    
56. # process not running, but pidfile exists
    
57. exit 1
    
58. else
    
59. # no lock file to check for, so simply return the stopped status
    
60. exit 3
    
61. fi
    
62. ;;
    
63. *)
    
64. echo "Usage: /etc/init.d/ocserv {start|stop|restart|force-reload|status}"
    
65. exit 1
    
66. ;;
    
67. esac
    
68. 
    
69. exit 0

複製代碼

7. 其他

1. ## enable auto run ocserv service by update-rc.d ocserv defaults
   
2. ## create your user account as ocpasswd -c /etc/ocserv/ocpasswd username
   
3. ## config your route to allow the port to connect to ocserv
   
4. 
   
5. chmod a+x /etc/init.d/ocserv
   
6. update-rc.d ocserv defaults
   
7. ocpasswd -c /etc/ocserv/ocpasswd username

複製代碼

8.最後重啟系統

1. ## reboot the machine and openconnect server should work

複製代碼

ckleea

我的介紹不是自動安裝scripts

需要 copy and paste 部分係 command line 行
部分需要 editor 修改

ckleea

Reference:
http://blog.ltns.info/linux/vps_debian_ocserv_support_anyconnect/

ckleea

An update

0.10.4 ocserv also works

ckleea

更新了帖的instructions

ckleea

If you use rsyslog to log the auth messages from ocserv

add the following lines into /etc/rsyslog.conf
# log messages from ocserv into /var/log/ocserv.log
if $programname == 'ocserv'  then /var/log/ocserv.log

It will log the message into /var/log/ocserv.log

calvin0775

請問可唔可以教下整CA 果一part, 我覺得好難明, 唔知自己做緊什麼

角色

ck这个帖子不错！有非常好的参考价值。