Board logo

標題: 斐讯 N1 armbian 20.10 openconnect server [打印本頁]
作者: yiucsw    時間: 2020-1-6 11:28     標題: 斐讯 N1 armbian 20.10 openconnect server

本帖最後由 yiucsw 於 2020-12-6 22:34 編輯

改 Static ip.
  1. nano /etc/network/interfaces
複製代碼

example
iface eth0 inet static
address 192.168.3.100  
netmask 255.255.255.0
gateway 192.168.3.1
dns-nameservers 9.9.9.9 1.1.1.1


Install ocserv
  1. sudo apt install ocserv
  2. systemctl status ocserv
複製代碼
output 有 2 task, listen to 443, 那 ocserv 便成功啟動。
  CGroup: /system.slice/ocserv.service
           ├─2191 ocserv-main
           └─2194 ocserv-sm

要是不啟動,那config file 有 問題。
  1. sudo systemctl start ocserv
複製代碼
創建 VPN 用戶:
  1. sudo ocpasswd -c /etc/ocserv/ocpasswd username
複製代碼
作者: yiucsw    時間: 2020-1-6 11:49

本帖最後由 yiucsw 於 2020-12-24 00:31 編輯

ocserv.conf 要两种證書:這是網站證書server-cert+server-key

从ACME DNS  API 产生 SSL 证书 :
SSL certification generated from acme DNS for dynu
generate API key

https://www.dynu.com/en-US/ControlPanel/APICredentials
in OAuth2 : copy clientid & secret
#安装 socat & acme.sh
  1. sudo apt-get install socat -y
  2. sudo curl https://get.acme.sh | sh
複製代碼
从DYNU-API credentials 内 拷贝 OAuth2 - client id /secret, export env. variable.
  1. export Dynu_ClientId="af95c5c7-0698-xxxxxxxxxxxx"
  2. export Dynu_Secret="WQggKzW2yyyyyyyyyyyyyyy"
複製代碼
#关闭 ssh session 重开 SSH for acme.sh function
  1. acme.sh --issue --dns dns_dynu -d your.dynu.net
複製代碼
Message:
Your cert is in  /home/yourname/.acme.sh/your.dynu.net/your.dynu.net.cer
Your cert key is in  /home/yourname/.acme.sh/your.dynu.net/your.dynu.net.key
The intermediate CA cert is in  /home/yourname/.acme.sh/youryiu.dynu.net/ca.cer
And the full chain certs is there:  /home/yourname/.acme.sh/your.dynu.net/fullchain.cer


提取证书并改证书格式  e.g. lighttpd (which need combine two file) and oscerv. move it other folder, so it can share.
acme.sh --install-cert -d your.dynu.net  \
   --key-file /etc/ocserv/ssl/server.key  \
   --cert-file /etc/ocserv/ssl/server.crt  \
   --fullchain-file /etc/ocserv/ssl/fullchain.crt \
   --reloadcmd  "cat /etc/ocserv/ssl/server.crt /etc/ocserv/ssl/server.key > /root/ssl/server.pem
   && systemctl restart ocserv"


在ocserv.conf  在 /etc/ocserv 加下边两行
server-cert = /etc/ocserv/ssl/fullchain.crt
server-key = /etc/ocserv/ssl/server.key
listen-host-is-dyndns = true
max-same-clients = 10
try-mtu-discovery = true
auth-timeout = 100


https://github.com/h0wardch3ng/one-key-ocserv
https://www.linuxbabe.com/ubuntu ... -17-10-lets-encrypt
作者: yiucsw    時間: 2020-1-6 12:41

本帖最後由 yiucsw 於 2021-1-1 01:00 編輯

這是登陆证书,要自己簽發的Server證書。
因為要用cert-user-oid = 2.5.4.3 (代表CN)所以CN 要對齊。
  1. sudo apt install gnutls-bin
複製代碼
ocserv.conf
auth = "pam[gid-min=1000]"
enable-auth = "certificate"
  1. sudo apt install certbot
複製代碼
Create own CA
1. Generate Private Key
2. Generate Certification base on Private key and ca template


Create private Certification

Generate Private key
  1. sudo certtool --generate-privkey --outfile ca-privkey.pem
複製代碼


CA certification 模板 ca-cert.cfg
cn = "your.dynu.net"
organization = "HP"
serial = 1
expiration_days = -1
ca
signing_key
cert_signing_key
crl_signing_key


Generate CA certificate
  1. sudo certtool --generate-self-signed --load-privkey ca-privkey.pem --template ca-cert.cfg --outfile ca-cert.pem
複製代碼
Create Client certificate:
1 create another private key for client certificate

Create private key for client certificate -> client-privkey.pem
  1. sudo certtool --generate-privkey --outfile client-privkey.pem
複製代碼
Create certificate from private key and client-cert.cfg template
client-cert.cfg
organization = "HP"
cn = "your.dynu.net"
expiration_days = 3650
tls_www_client
signing_key
encryption_key

創建用戶證書 :
  1. sudo certtool --generate-certificate --load-privkey client-privkey.pem --load-ca-certificate ca-cert.pem --load-ca-privkey ca-privkey.pem --template client-cert.cfg --outfile client-cert.pem
複製代碼
創建用戶android.p12證書
  1. sudo certtool --to-p12 --load-privkey client-privkey.pem --load-certificate client-cert.pem --pkcs-cipher aes-256 --outfile client.p12 --outder
複製代碼
創建用戶ios.p12證書(iphone/macos)
  1. sudo certtool --to-p12 --load-privkey client-privkey.pem --load-certificate client-cert.pem --pkcs-cipher 3des-pkcs12 --outfile ios-client.p12 --outder
複製代碼
client-cert.cfg
cn = "user"
unit = "admins"
expiration_days = 3650
signing_key
tls_www_client
  1. nano ocserv.conf
複製代碼
disable TLS 1.3 for GnuTLS error.
2.5.4.3代表 CN
tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-RSA:-VERS-SSL3.0:-ARCFOUR-128:-VERS-TLS1.0:-VERS-TLS1.1:-VERS-TLS1.3"
ca-cert = /etc/ocserv/ssl/ca-cert.pem
cert-user-oid = 2.5.4.3
作者: yiucsw    時間: 2020-1-6 13:04

本帖最後由 yiucsw 於 2020-12-4 23:57 編輯

VPN client 能通过VPN server 到其他网站:
  1. nano /etc/sysctl.conf
複製代碼
# Uncomment this to allow this host to route packets between interfaces
net/ipv4/ip_forward=1
net/ipv6/conf/all/forwarding=1


The -p option will load sysctl settings from /etc/sysctl.conf file. This command will preserve our changes across system reboots.
  1. sudo sysctl -p
複製代碼


IP Masquerading:
sudo iptables -A FORWARD -s 192.168.200.0/24 -j ACCEPT
sudo iptables -t nat -A POSTROUTING -s 192.168.200.0/24 -o eth0 -j MASQUERADE
sudo iptables -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
sudo iptables -A FORWARD -o vpns+ -j ACCEPT
sudo iptables -A FORWARD -i vpns+ -j ACCEPT


Keep iptables between reboot
sudo apt install -y iptables-persistent
作者: yiucsw    時間: 2020-1-6 13:17

本帖最後由 yiucsw 於 2020-12-6 22:33 編輯

手機同N1 在同一網路。
測試 1:
打開 Cisco Anyconnect.
[attach]4509[/attach]
按連接 -> Add new VPN connect -> Add 服務器地址.
  - N1 地址。e.g. 192.168.x.x

連接
[attach]4510[/attach]
enter userid = root (armbian 用户名)
enter password =  armbian 用户密碼
已連接。

open browser
can access router


測試 2:
1st level router port 443 TCP/UDP forward to N1 ip address
turn off wifi. 用手機data流量。
打開 Cisco Anyconnect.
按連接 -> Add new VPN connect -> Add 1st level router 服務器地址.
連接

open browser
can access website.
whatismyip 顯示 手機ip address
作者: yiucsw    時間: 2020-1-6 14:19

本帖最後由 yiucsw 於 2020-12-5 01:14 編輯

Backup conf
  1. cp /etc/ocserv/ocserv.conf /etc/ocserv/ocserv.template
  2. nano /etc/ocserv/ocserv.conf
複製代碼
Change the following
dns = 9.9.9.9
dns = 1.1.1.1
try-mtu-discovery = true


comment all route
#route = 10.0.0.0/8
#route = 172.16.0.0/12
#route = 192.168.0.0/16
  1. systemctl restart ocserv
複製代碼
開手機上openconnect
whatismyipaddress 變成 N1 那邊的 IP。
作者: yiucsw    時間: 2020-12-5 01:15

本帖最後由 yiucsw 於 2020-12-6 00:09 編輯

更新DYNU IP, N1 armbian 安装方法:
$sudo apt-get install ddclient -y

configuration example
https://www.dynu.com/DynamicDNS/IPUpdateClient/DDClient
  1. nano /etc/ddclient.conf
複製代碼
# use ssl-support.  Works with ssl-library
ssl=yes
# get ip from server.
use=web, web=checkip.dynu.com/, web-skip='IP Address'
# default server
server=api.dynu.com
# default login
login=your email id
# default password
password=***********
protocol=dyndns2
your.dynu.com
  1. nano /etc/default/ddclient
複製代碼
run_ipup="false"
run_daemon="true"


run the following command:
  1. sudo /usr/sbin/ddclient -daemon 300 -syslog
複製代碼
debug -
sudo rm ddclient.cache <- ddclient check cache is there any change. not with real DNS
sudo systemctl restart ddclient


https://lightzhan.xyz/index.php/ ... dynu-as-an-example/
作者: tomleehk    時間: 2020-12-5 08:32

是不是每次連接都要打 id/password ?
作者: yiucsw    時間: 2020-12-5 10:57

本帖最後由 yiucsw 於 2020-12-5 10:59 編輯

回復 8# tomleehk

在conf file 内储存,用户名,password = update password...
现在找不到 log, ddclient 同acme,不知道有没有运作!头疼中
还有intranet 已连上,internet 还没有。。
作者: tomleehk    時間: 2020-12-5 11:05

本帖最後由 tomleehk 於 2020-12-5 13:05 編輯

[attach]4542[/attach]

如果用 cert + key的話, 估計不一定需要輸入什麼 id / password, 用  cert  + key 等 files 可以generate 一個client side .p12 file, 然後 load 入 client apps, 唔需要每次 connect 時都要喺client side 輸入一次 password, 只要喺client side將個switch 由左撥至右就connect完成

我個人比較懶一d



歡迎光臨 電訊茶室 (http://telecom-cafe.com/forum/) Powered by Discuz! 7.2