Openconnect VPN server installation instruction for debian wheezy x 86

ckleea

通過雯雯介紹

成功將Openconnect VPN server 放在 Debian Wheezy X86 server
安排方法如下

1. 系統準備

1. # need to have newer gnutls req backports
   
2. echo "deb http://ftp.debian.org/debian wheezy-backports main contrib non-free" | tee -a /etc/apt/sources.list
   
3. aptitude update
   
4. aptitude -t wheezy-backports -y install libgnutls28-dev
   
5. aptitude -y install libgmp3-dev m4 gcc pkg-config make gnutls-bin libreadline-dev
   
6. aptitude -y install libpam0g-dev libwrap0-dev  liblz4-dev  libseccomp-dev libkrb5-dev libprotobuf-c0-dev libnl-route-3-dev  libreadline-dev libtalloc-dev libopts25-dev libwrap0-dev

複製代碼

2. 下載OpenConnect VPN Server 源碼 # as of today, latest=0.10.4

1. # Get OCServ
   
2. mkdir /usr/src/ocserv
   
3. cd /usr/src/ocserv
   
4. wget ftp://ftp.infradead.org/pub/ocserv/ocserv-0.10.4.tar.xz
   
5. tar xvf ocserv-0.10.4.tar.xz
   
6. cd ocserv-0.10.4
   
7. ./configure --prefix=/usr --sysconfdir=/etc
   
8. make
   
9. make install
   
10. mkdir /etc/ocserv
    
11. cp doc/sample.config /etc/ocserv/
    
12. mv /etc/ocserv/sample.config /etc/ocserv/ocserv.conf

複製代碼

3. 準備 系統 certificate，如有有效的certificate更好

1. ## Generate your self-signed certificate for Ocserv use
   
2. ## change the value in CN and organization based on your choice
   
3. ## create two files for certificate generation
   
4. 1. ca.tmpl
   
5.         cn = "VPN CA"
   
6.         organization = "Big Corp"
   
7.         serial = 1
   
8.         expiration_days = 9999
   
9.         ca
   
10.         signing_key
    
11.         cert_signing_key
    
12.         crl_signing_key
    
13. 
    
14. 
    
15. 2. server.tmpl
    
16.         cn = "www.example.com"
    
17.         organization = "MyCompany"
    
18.         expiration_days = 9999
    
19.         signing_key
    
20.         encryption_key
    
21.         tls_www_server
    
22. 
    
23. 
    
24. certtool --generate-privkey --outfile ca-key.pem
    
25. 
    
26. certtool --generate-self-signed --load-privkey ca-key.pem --template ca.tmpl --outfile ca-cert.pem
    
27. 
    
28. certtool --generate-privkey --outfile server-key.pem
    
29. 
    
30. certtool --generate-certificate --load-privkey server-key.pem --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem --template server.tmpl --outfile server-cert.pem
    
31. 
    
32. cp server-cert.pem /etc/ssl/certs/
    
33. cp server-key.pem /etc/ssl/private/

複製代碼

4. 修改設定檔，只需要修改下面的行列

1. ## config your own /etc/ocserv/ocserv.conf
   
2. ## change the setting as below
   
3. ## note the port 443 and ipaddress 10.10.0.0 are of your choice
   
4. 
   
5. #auth = "plain[./sample.passwd]"
   
6. auth = "plain[/etc/ocserv/ocpasswd]"
   
7. #auth = "pam"
   
8. ...
   
9. #max-clients = 1024
   
10. max-clients = 16
    
11. ...
    
12. #max-same-clients = 2
    
13. max-same-clients = 10
    
14. ...
    
15. # TCP and UDP port number
    
16. tcp-port = 443
    
17. udp-port = 443
    
18. ...
    
19. #server-cert = ../tests/server-cert.pem
    
20. #server-key = ../tests/server-key.pem
    
21. server-cert = /etc/ssl/certs/server-cert.pem
    
22. server-key = /etc/ssl/private/server-key.pem
    
23. ...
    
24. #run-as-group = daemon
    
25. run-as-group = nogroup
    
26. ...
    
27. # The pool of addresses that leases will be given from.
    
28. #ipv4-network = 192.168.1.0
    
29. ipv4-network = 10.10.0.0
    
30. ipv4-netmask = 255.255.255.0
    
31. ...
    
32. # dns = fc00::4be0
    
33. #dns = 192.168.1.2
    
34. dns = 8.8.8.8
    
35. dns = 208.67.222.222
    
36. ...
    
37. #route = 192.168.1.0/255.255.255.0
    
38. #route = 192.168.5.0/255.255.255.0
    
39. #route = fef4:db8:1000:1001::/64

複製代碼

5. 設定防火牆

1. ## add the following to /etc/rc.local
   
2. ## change the port 443 to the port you choose
   
3. ## change the ip address 10.10.0.0 to the ip address you choose
   
4. 
   
5. iptables -A INPUT -p tcp --dport 443 -j ACCEPT
   
6. iptables -A INPUT -p udp --dport 443 -j ACCEPT
   
7. iptables -t nat -A POSTROUTING -s 10.10.0.0/24 -o eth0 -j MASQUERADE
   
8. iptables -A FORWARD -s 10.10.0.0/24 -j ACCEPT
   
9. echo 1 > /proc/sys/net/ipv4/ip_forward

複製代碼

6. 建立起動源碼

1. ## create the ocserv init file at /etc/init.d/ocserv and make it executable by chmod a+x /etc/init.d/ocserv
   
2. 
   
3. #!/bin/sh
   
4. ### BEGIN INIT INFO
   
5. # Provides:          ocserv
   
6. # Required-Start:    $remote_fs $syslog
   
7. # Required-Stop:     $remote_fs $syslog
   
8. # Default-Start:     2 3 4 5
   
9. # Default-Stop:      0 1 6
   
10. ### END INIT INFO
    
11. # Copyright Rene Mayrhofer, Gibraltar, 1999
    
12. # This script is distibuted under the GPL
    
13. 
    
14. PATH=/bin:/usr/bin:/sbin:/usr/sbin
    
15. DAEMON=/usr/sbin/ocserv
    
16. PIDFILE=/var/run/ocserv.pid
    
17. DAEMON_ARGS="-c /etc/ocserv/ocserv.conf"
    
18. 
    
19. case "$1" in
    
20. start)
    
21. if [ ! -r $PIDFILE ]; then
    
22. echo -n "Starting OpenConnect VPN Server Daemon: "
    
23. start-stop-daemon --start --quiet --pidfile $PIDFILE --exec $DAEMON -- \
    
24. $DAEMON_ARGS > /dev/null
    
25. echo "ocserv."
    
26. else
    
27. echo -n "OpenConnect VPN Server is already running.\n\r"
    
28. exit 0
    
29. fi
    
30. ;;
    
31. stop)
    
32. echo -n "Stopping OpenConnect VPN Server Daemon: "
    
33. start-stop-daemon --stop --quiet --pidfile $PIDFILE --exec $DAEMON
    
34. echo "ocserv."
    
35. rm -f $PIDFILE
    
36. ;;
    
37. force-reload|restart)
    
38. echo "Restarting OpenConnect VPN Server: "
    
39. $0 stop
    
40. sleep 1
    
41. $0 start
    
42. ;;
    
43. status)
    
44. if [ ! -r $PIDFILE ]; then
    
45. # no pid file, process doesn't seem to be running correctly
    
46. exit 3
    
47. fi
    
48. PID=`cat $PIDFILE | sed 's/ //g'`
    
49. EXE=/proc/$PID/exe
    
50. if [ -x "$EXE" ] &&
    
51. [ "`ls -l \"$EXE\" | cut -d'>' -f2,2 | cut -d' ' -f2,2`" = \
    
52. "$DAEMON" ]; then
    
53. # ok, process seems to be running
    
54. exit 0
    
55. elif [ -r $PIDFILE ]; then
    
56. # process not running, but pidfile exists
    
57. exit 1
    
58. else
    
59. # no lock file to check for, so simply return the stopped status
    
60. exit 3
    
61. fi
    
62. ;;
    
63. *)
    
64. echo "Usage: /etc/init.d/ocserv {start|stop|restart|force-reload|status}"
    
65. exit 1
    
66. ;;
    
67. esac
    
68. 
    
69. exit 0

複製代碼

7. 其他

1. ## enable auto run ocserv service by update-rc.d ocserv defaults
   
2. ## create your user account as ocpasswd -c /etc/ocserv/ocpasswd username
   
3. ## config your route to allow the port to connect to ocserv
   
4. 
   
5. chmod a+x /etc/init.d/ocserv
   
6. update-rc.d ocserv defaults
   
7. ocpasswd -c /etc/ocserv/ocpasswd username

複製代碼

8.最後重啟系統

1. ## reboot the machine and openconnect server should work

複製代碼

角色

ck这个帖子不错！有非常好的参考价值。

calvin0775

請問可唔可以教下整CA 果一part, 我覺得好難明, 唔知自己做緊什麼

ckleea

If you use rsyslog to log the auth messages from ocserv

add the following lines into /etc/rsyslog.conf
# log messages from ocserv into /var/log/ocserv.log
if $programname == 'ocserv'  then /var/log/ocserv.log

It will log the message into /var/log/ocserv.log

ckleea

更新了帖的instructions

ckleea

An update

0.10.4 ocserv also works

ckleea

Reference:
http://blog.ltns.info/linux/vps_debian_ocserv_support_anyconnect/

ckleea

我的介紹不是自動安裝scripts

需要 copy and paste 部分係 command line 行
部分需要 editor 修改