DarkNode

Life, the Universe and Everything

Installing and configuring ocserv on Debian

Published:
Last modified:
Category: network

Notes

Server information:

Certificate:

Approach

Install and configure ocserv to run a server that works with Cisco AnyConnect for iOS. The server authenticates itself with a CA-signed TLS certificate and users authenticate with client certificates; this gives automatic reconnection after a dropped connection, one-tap login and server-pushed routes on iOS.

Installation

Several articles describe building ocserv from source and they disagree about which development libraries are needed. Rather than installing a large pile of packages on the chance that they are required, install build-essential only and run:

$ ./configure --prefix=/usr --sysconfdir=/etc > ./tmp

With stdout redirected into a file, only the warnings about missing libraries are left on the terminal. Many of the articles that copy from each other say to install libprotobuf-c0-dev; the package that actually satisfies configure is libprotobuf-c-dev. Installing the former does not silence the warning, installing the latter does. On wheezy, libprotobuf-c-dev is only available from the jessie archive, so both the wheezy-backports and the jessie sources have to be added. All commands below write to /etc and /usr and are run as root.

Add the sources:

$ echo "deb http://ftp.debian.org/debian wheezy-backports main contrib non-free" >> /etc/apt/sources.list
$ echo "deb ftp://ftp.debian.org/debian/ jessie main contrib non-free" >> /etc/apt/sources.list

Pin the releases so that packages already installed are not upgraded to their backports or jessie versions. A priority below 100 means a version from that archive is only installed when the package is not installed at all or when it is requested explicitly with -t. apt reads one record per stanza, so the blank lines between the stanzas are required:

$ cat << _EOF_ > /etc/apt/preferences
Package: *
Pin: release n=wheezy
Pin-Priority: 900

Package: *
Pin: release n=wheezy-backports
Pin-Priority: 90

Package: *
Pin: release n=jessie
Pin-Priority: 60
_EOF_

Install the build dependencies:

$ apt-get install build-essential autogen pkg-config -y
$ apt-get install libtalloc-dev libreadline-dev libpam0g-dev libhttp-parser-dev libpcl1-dev -y
$ apt-get -t wheezy-backports install libgnutls28-dev -y
$ apt-get -t jessie install libprotobuf-c-dev libhttp-parser-dev -y

Download and build ocserv. The sed raises the compiled-in limit on list entries from 96 to 200 because the configuration below carries 160 no-route lines; PAM and RADIUS are left out because authentication is by certificate only. Note that the tarball is fetched over plain FTP and nothing here checks its integrity:

$ cd /tmp
$ ocserv_version=$(wget -qO- http://www.infradead.org/ocserv/download.html | grep -o '[0-9]*\.[0-9]*\.[0-9]*' | head -n 1)
$ wget ftp://ftp.infradead.org/pub/ocserv/ocserv-$ocserv_version.tar.xz -O ocserv.tar.xz
$ tar -Jxvf ocserv.tar.xz
$ cd ./ocserv-*
$ sed -i "s/#define MAX_CONFIG_ENTRIES 96/#define MAX_CONFIG_ENTRIES 200/g" ./src/vpn.h
$ ./configure --prefix=/usr --sysconfdir=/etc --without-pam --without-radius
$ make && make install
$ cd ~
$ rm -rf /tmp/ocserv*
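The version pipeline above takes whichever x.y.z string appears first on the download page and then fetches the tarball over plain FTP without any integrity check. The script below is an added example, not part of the original post or of the ocserv project: it picks the highest version number on the page and refuses to unpack the tarball unless its detached GnuPG signature verifies. It assumes that an ocserv-X.Y.Z.tar.xz.sig file sits next to each tarball under the FTP path used above and that the release signing key has already been imported into the local keyring from a trusted source; the page and FTP URLs are the ones from the post, the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post or the ocserv project): choose the
# newest release version on the download page and verify the tarball's
# detached GnuPG signature before it is unpacked and built.
# Assumptions: a matching ocserv-X.Y.Z.tar.xz.sig exists next to each tarball
# under OCSERV_FTP, and the release signing key is already in the local keyring.

OCSERV_PAGE=${OCSERV_PAGE:-http://www.infradead.org/ocserv/download.html}
OCSERV_FTP=${OCSERV_FTP:-ftp://ftp.infradead.org/pub/ocserv}

# latest_version : read the download page on stdin and print the highest
# X.Y.Z string it contains (numeric per component, so 0.10.2 > 0.9.11);
# the post's pipeline instead takes whichever version appears first
latest_version() {
    grep -o '[0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*' |
        sort -t . -k 1,1n -k 2,2n -k 3,3n | tail -n 1
}

# fetch_and_verify VERSION DESTDIR : download tarball and signature, refuse to
# unpack unless gpg accepts the signature (a bad signature and an unknown
# signing key both make gpg exit non-zero)
fetch_and_verify() {
    ver=$1; dest=$2; tarball="ocserv-$ver.tar.xz"
    wget -q "$OCSERV_FTP/$tarball" -O "$dest/$tarball"
    wget -q "$OCSERV_FTP/$tarball.sig" -O "$dest/$tarball.sig"
    if ! gpg --verify "$dest/$tarball.sig" "$dest/$tarball"; then
        echo "signature check failed for $tarball, not unpacking" >&2
        rm -f "$dest/$tarball" "$dest/$tarball.sig"
        return 1
    fi
    tar -C "$dest" -Jxf "$dest/$tarball"
}

# usage (needs network):
#   ver=$(wget -qO- "$OCSERV_PAGE" | latest_version)
#   fetch_and_verify "$ver" /tmp && cd "/tmp/ocserv-$ver"
```

latest_version is pure text processing and can be checked offline; fetch_and_verify needs the network and the signing key, and the unpack step only runs when gpg has accepted the signature.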

Configuration

Create the ocserv configuration file:

$ mkdir /etc/ocserv
$ vi /etc/ocserv/ocserv.conf

Use the following configuration. The long no-route list keeps private and reserved ranges plus a large set of public netblocks out of the tunnel (split tunnelling); adjust it to your own needs:

auth = "certificate"
isolate-workers = false
max-clients = 0
max-same-clients = 0
tcp-port = 443
udp-port = 443
keepalive = 32400
dpd = 90
mobile-dpd = 1800
try-mtu-discovery = true
server-cert = /etc/ocserv/cert.pem
server-key = /etc/ocserv/key.pem
ca-cert = /etc/ocserv/ca.pem
cert-user-oid = 2.5.4.3
compression = true
no-compress-limit = 256
tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-VERS-SSL3.0:-ARCFOUR-128"
auth-timeout = 40
idle-timeout = 1200
mobile-idle-timeout = 2400
min-reauth-time = 1
max-ban-score = 50
ban-reset-time = 300
cookie-timeout = 172800
deny-roaming = false
rekey-time = 172800
rekey-method = ssl
use-utmp = true
use-occtl = true
occtl-socket-file = /var/run/occtl.socket
pid-file = /var/run/ocserv.pid
socket-file = /var/run/ocserv-socket
run-as-user = nobody
run-as-group = nogroup
net-priority = 5
device = vpn
predictable-ips = false
default-domain = <your domain>
dns = 8.8.8.8
ipv4-network = 192.168.1.0/24
ipv6-network = <your IPv6 pool>
ping-leases = false
output-buffer = 1000
cisco-client-compat = true
custom-header = "X-DTLS-MTU: 1420"
custom-header = "X-CSTP-MTU: 1280"
no-route = 0.0.0.0/255.0.0.0
no-route = 1.0.0.0/255.128.0.0
no-route = 1.160.0.0/255.224.0.0
no-route = 1.192.0.0/255.224.0.0
no-route = 10.0.0.0/255.0.0.0
no-route = 14.0.0.0/255.224.0.0
no-route = 14.96.0.0/255.224.0.0
no-route = 14.128.0.0/255.224.0.0
no-route = 14.192.0.0/255.224.0.0
no-route = 27.0.0.0/255.192.0.0
no-route = 27.96.0.0/255.224.0.0
no-route = 27.128.0.0/255.128.0.0
no-route = 36.0.0.0/255.192.0.0
no-route = 36.96.0.0/255.224.0.0
no-route = 36.128.0.0/255.128.0.0
no-route = 39.0.0.0/255.224.0.0
no-route = 39.64.0.0/255.192.0.0
no-route = 39.128.0.0/255.192.0.0
no-route = 42.0.0.0/255.0.0.0
no-route = 43.224.0.0/255.224.0.0
no-route = 45.64.0.0/255.192.0.0
no-route = 47.64.0.0/255.192.0.0
no-route = 49.0.0.0/255.128.0.0
no-route = 49.128.0.0/255.224.0.0
no-route = 49.192.0.0/255.192.0.0
no-route = 54.192.0.0/255.224.0.0
no-route = 58.0.0.0/255.128.0.0
no-route = 58.128.0.0/255.224.0.0
no-route = 58.192.0.0/255.192.0.0
no-route = 59.32.0.0/255.224.0.0
no-route = 59.64.0.0/255.192.0.0
no-route = 59.128.0.0/255.128.0.0
no-route = 60.0.0.0/255.192.0.0
no-route = 60.160.0.0/255.224.0.0
no-route = 60.192.0.0/255.192.0.0
no-route = 61.0.0.0/255.192.0.0
no-route = 61.64.0.0/255.224.0.0
no-route = 61.128.0.0/255.192.0.0
no-route = 61.224.0.0/255.224.0.0
no-route = 100.64.0.0/255.192.0.0
no-route = 101.0.0.0/255.128.0.0
no-route = 101.128.0.0/255.224.0.0
no-route = 101.192.0.0/255.192.0.0
no-route = 103.0.0.0/255.192.0.0
no-route = 103.224.0.0/255.224.0.0
no-route = 106.0.0.0/255.128.0.0
no-route = 106.224.0.0/255.224.0.0
no-route = 110.0.0.0/254.0.0.0
no-route = 112.0.0.0/255.128.0.0
no-route = 112.128.0.0/255.224.0.0
no-route = 112.192.0.0/255.192.0.0
no-route = 113.0.0.0/255.128.0.0
no-route = 113.128.0.0/255.224.0.0
no-route = 113.192.0.0/255.192.0.0
no-route = 114.0.0.0/255.128.0.0
no-route = 114.128.0.0/255.224.0.0
no-route = 114.192.0.0/255.192.0.0
no-route = 115.0.0.0/255.0.0.0
no-route = 116.0.0.0/255.0.0.0
no-route = 117.0.0.0/255.128.0.0
no-route = 117.128.0.0/255.192.0.0
no-route = 118.0.0.0/255.224.0.0
no-route = 118.64.0.0/255.192.0.0
no-route = 118.128.0.0/255.128.0.0
no-route = 119.0.0.0/255.128.0.0
no-route = 119.128.0.0/255.192.0.0
no-route = 119.224.0.0/255.224.0.0
no-route = 120.0.0.0/255.192.0.0
no-route = 120.64.0.0/255.224.0.0
no-route = 120.128.0.0/255.224.0.0
no-route = 120.192.0.0/255.192.0.0
no-route = 121.0.0.0/255.128.0.0
no-route = 121.192.0.0/255.192.0.0
no-route = 122.0.0.0/254.0.0.0
no-route = 124.0.0.0/255.0.0.0
no-route = 125.0.0.0/255.128.0.0
no-route = 125.160.0.0/255.224.0.0
no-route = 125.192.0.0/255.192.0.0
no-route = 127.0.0.0/255.0.0.0
no-route = 139.0.0.0/255.224.0.0
no-route = 139.128.0.0/255.128.0.0
no-route = 140.64.0.0/255.224.0.0
no-route = 140.128.0.0/255.224.0.0
no-route = 140.192.0.0/255.192.0.0
no-route = 144.0.0.0/255.192.0.0
no-route = 144.96.0.0/255.224.0.0
no-route = 144.224.0.0/255.224.0.0
no-route = 150.0.0.0/255.224.0.0
no-route = 150.96.0.0/255.224.0.0
no-route = 150.128.0.0/255.224.0.0
no-route = 150.192.0.0/255.192.0.0
no-route = 152.96.0.0/255.224.0.0
no-route = 153.0.0.0/255.192.0.0
no-route = 153.96.0.0/255.224.0.0
no-route = 157.0.0.0/255.192.0.0
no-route = 157.96.0.0/255.224.0.0
no-route = 157.128.0.0/255.224.0.0
no-route = 157.224.0.0/255.224.0.0
no-route = 159.224.0.0/255.224.0.0
no-route = 161.192.0.0/255.224.0.0
no-route = 162.96.0.0/255.224.0.0
no-route = 163.0.0.0/255.192.0.0
no-route = 163.96.0.0/255.224.0.0
no-route = 163.128.0.0/255.192.0.0
no-route = 163.192.0.0/255.224.0.0
no-route = 166.96.0.0/255.224.0.0
no-route = 167.128.0.0/255.192.0.0
no-route = 168.160.0.0/255.224.0.0
no-route = 169.254.0.0/255.255.0.0
no-route = 171.0.0.0/255.128.0.0
no-route = 171.192.0.0/255.224.0.0
no-route = 172.16.0.0/255.240.0.0
no-route = 175.0.0.0/255.128.0.0
no-route = 175.128.0.0/255.192.0.0
no-route = 180.64.0.0/255.192.0.0
no-route = 180.128.0.0/255.128.0.0
no-route = 182.0.0.0/255.0.0.0
no-route = 183.0.0.0/255.192.0.0
no-route = 183.64.0.0/255.224.0.0
no-route = 183.128.0.0/255.128.0.0
no-route = 192.0.0.0/255.255.255.0
no-route = 192.0.2.0/255.255.255.0
no-route = 192.88.99.0/255.255.255.0
no-route = 192.96.0.0/255.224.0.0
no-route = 192.160.0.0/255.248.0.0
no-route = 192.168.0.0/255.255.0.0
no-route = 192.169.0.0/255.255.0.0
no-route = 192.170.0.0/255.254.0.0
no-route = 192.172.0.0/255.252.0.0
no-route = 192.176.0.0/255.240.0.0
no-route = 198.18.0.0/255.254.0.0
no-route = 198.51.100.0/255.255.255.0
no-route = 202.0.0.0/255.128.0.0
no-route = 202.128.0.0/255.192.0.0
no-route = 202.192.0.0/255.224.0.0
no-route = 203.0.0.0/255.128.0.0
no-route = 203.128.0.0/255.192.0.0
no-route = 203.192.0.0/255.224.0.0
no-route = 210.0.0.0/255.192.0.0
no-route = 210.64.0.0/255.224.0.0
no-route = 210.160.0.0/255.224.0.0
no-route = 210.192.0.0/255.224.0.0
no-route = 211.64.0.0/255.192.0.0
no-route = 211.128.0.0/255.192.0.0
no-route = 218.0.0.0/255.128.0.0
no-route = 218.160.0.0/255.224.0.0
no-route = 218.192.0.0/255.192.0.0
no-route = 219.64.0.0/255.224.0.0
no-route = 219.128.0.0/255.224.0.0
no-route = 219.192.0.0/255.192.0.0
no-route = 220.96.0.0/255.224.0.0
no-route = 220.128.0.0/255.128.0.0
no-route = 221.0.0.0/255.224.0.0
no-route = 221.96.0.0/255.224.0.0
no-route = 221.128.0.0/255.128.0.0
no-route = 222.0.0.0/255.0.0.0
no-route = 223.0.0.0/255.224.0.0
no-route = 223.64.0.0/255.192.0.0
no-route = 223.128.0.0/255.128.0.0
no-route = 224.0.0.0/224.0.0.0

max-same-clients = 0 lets any number of devices connect with the same account at the same time, which is convenient for users with several devices; set it to a specific number to cap it.

On unreliable networks, a shorter mobile-dpd makes AnyConnect on a mobile device check more often whether the tunnel is still alive, which shortens the outages caused by cell hand-overs while the screen is locked. With the value above (1800 seconds, the ocserv default), the client probes every 30 minutes and reconnects automatically when the probe fails. A shorter interval wakes the device more often and costs battery, so pick a value that suits you.

iOS drops the VPN connection some time after the screen locks, and AnyConnect reconnects when the device is unlocked. If the gap is longer than cookie-timeout, the reconnect fails and the user has to log in again. The configuration above allows 172800 seconds (48 hours); cookie-timeout = 86400000 would allow a reconnect for 1000 days. Keep in mind that the cookie is a bearer credential: anyone who extracts it from a device can resume the session without the certificate for as long as it is valid, so a long timeout trades security for convenience.

cisco-client-compat = true is required for Cisco AnyConnect for iOS; without it, certificate login fails with "GnuTLS error: No certificate was found".

isolate-workers = false switches off the seccomp sandbox around the per-client worker processes. It only takes effect when ocserv was built against libseccomp, which the dependency list above does not install; if you add libseccomp-dev to the build, set it to true.

Place the server's TLS certificate at /etc/ocserv/cert.pem and its private key at /etc/ocserv/key.pem, matching server-cert and server-key above, and make the key readable by root only: ocserv reads it in the main process before the workers drop to nobody.
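The no-route list above is long enough that the build step had to raise MAX_CONFIG_ENTRIES, and a single mistyped entry (a non-contiguous netmask, or a network address with host bits set) is hard to spot by eye in 160 lines. The POSIX sh script below is an added example, not from the original post: it validates every no-route line of an ocserv.conf, prints the valid ones in CIDR form, and counts them so the total can be compared with the compiled-in limit. The function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check the "no-route"
# entries of an ocserv.conf. ocserv takes them as NETWORK/NETMASK; a netmask
# that is not contiguous, or a network address with host bits set, is a typo
# that is easy to miss in a long list. POSIX sh, no external tools beyond grep.

# ip2int A.B.C.D : print the address as an integer, fail on malformed input
ip2int() {
    case $1 in
        *[!0-9.]*|*..*|.*|*.) return 1 ;;     # non-digits or an empty octet
        *.*.*.*.*) return 1 ;;                 # more than four octets
        *.*.*.*) ;;                            # exactly four octets
        *) return 1 ;;
    esac
    a=${1%%.*}; r=${1#*.}
    b=${r%%.*}; r=${r#*.}
    c=${r%%.*}; d=${r#*.}
    for o in "$a" "$b" "$c" "$d"; do
        [ "$o" -le 255 ] || return 1
    done
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# mask_prefix MASKINT : prefix length of a contiguous netmask, fail otherwise
mask_prefix() {
    inv=$(( 0xFFFFFFFF - $1 ))                 # host bits, must be 2^k - 1
    [ $(( inv & (inv + 1) )) -eq 0 ] || return 1
    n=32; y=$(( inv + 1 ))
    while [ "$y" -gt 1 ]; do y=$(( y / 2 )); n=$(( n - 1 )); done
    echo "$n"
}

# cidr_of NET/NETMASK : print NET/PREFIX; fail if the mask is not contiguous
# or the network has host bits set (e.g. 1.161.0.0/255.224.0.0)
cidr_of() {
    case $1 in */*) ;; *) return 1 ;; esac
    net=$(ip2int "${1%/*}") || return 1
    mask=$(ip2int "${1#*/}") || return 1
    prefix=$(mask_prefix "$mask") || return 1
    [ $(( net & (0xFFFFFFFF - mask) )) -eq 0 ] || return 1
    echo "${1%/*}/$prefix"
}

# no_route_count FILE : number of no-route lines, to compare with MAX_CONFIG_ENTRIES
no_route_count() {
    grep -c '^[[:space:]]*no-route[[:space:]]*=' "$1"
}

# check_no_routes FILE : print each valid entry in CIDR form on stdout, report
# invalid ones on stderr, exit 0 only if every entry is valid
check_no_routes() {
    file=$1; bad=0
    while IFS= read -r line; do
        case $line in
            no-route*) ;;
            *) continue ;;
        esac
        value=${line#*=}
        set -- $value                          # word splitting trims blanks
        if cidr=$(cidr_of "$1"); then
            echo "$cidr"
        else
            echo "invalid no-route entry: $line" >&2
            bad=$(( bad + 1 ))
        fi
    done < "$file"
    [ "$bad" -eq 0 ]
}

# usage: check_no_routes /etc/ocserv/ocserv.conf; no_route_count /etc/ocserv/ocserv.conf
```

Run check_no_routes over the configuration after every edit: a non-zero exit means at least one entry was reported on stderr, and the count from no_route_count must stay below the MAX_CONFIG_ENTRIES value patched into src/vpn.h.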

Install the GnuTLS tools used to issue the certificates:

$ apt-get install gnutls-bin

Create the CA that signs the user certificates. Keep ca-key.pem off the server if you can: anyone holding it can mint certificates that log in.

$ certtool --generate-privkey --outfile ca-key.pem
$ cat << _EOF_ > ca.tmpl
cn = "VPN CA"
organization = "DarkNode"
serial = 1
expiration_days = 3650
ca
signing_key
cert_signing_key
crl_signing_key
_EOF_
$ certtool --generate-self-signed --load-privkey ca-key.pem --template ca.tmpl --outfile ca-cert.pem

Create a user certificate. With cert-user-oid = 2.5.4.3 ocserv uses the certificate's CN as the login name, so the template below, which gives every user cn = "VPN", makes users indistinguishable in the logs and in occtl; give each user a distinct cn if you want to tell them apart.

$ certtool --generate-privkey --outfile user-key.pem
$ cat << _EOF_ > user.tmpl
cn = "VPN"
unit = "VPN"
expiration_days = 365
signing_key
tls_www_client
_EOF_
$ certtool --generate-certificate --load-privkey user-key.pem --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem --template user.tmpl --outfile user-cert.pem

Convert the user certificate to PKCS#12 with openssl rather than certtool, which avoids a compatibility problem between certtool's output and Cisco AnyConnect for iOS. The empty export password (pass:) means that once the file is published in the next step it is protected by nothing but the secrecy of its URL; use a real password, which AnyConnect asks for on import, unless the file is only ever reachable by its owner:

$ openssl pkcs12 -export -inkey user-key.pem -in user-cert.pem -certfile ca-cert.pem -out user.p12 -password pass:

Copy the CA certificate to the location set in the ocserv configuration:

$ cp ./ca-cert.pem /etc/ocserv/ca.pem

Put user.p12 in the document root of some web server so that it can be fetched by URL, then in Cisco AnyConnect for iOS open Diagnostics, Certificates, Import User Certificate and enter the full URL of user.p12. Serve it over HTTPS and delete it from the web server as soon as the import is done: the .p12 contains the private key, and anyone who fetches it can connect as that user.
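The steps above issue a single certificate with cn = "VPN" and publish the .p12 without a password, and they give no way to cut off a lost device short of replacing the CA. The script below is an added example, not from the original post or the ocserv project. It keeps the certtool templates from the post but issues one certificate per user with the user name as CN (which cert-user-oid = 2.5.4.3 turns into the login name), protects the .p12 with an export password, and maintains a CRL so that one device can be revoked without re-issuing everyone else's certificate. It assumes gnutls-bin and openssl are installed; the function names, the file layout and the crl.pem name are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post or the ocserv project): per-user
# client certificates from the "VPN CA" above, password-protected .p12
# bundles, and a CRL for revoking a lost device.
# Assumes certtool (gnutls-bin) and openssl; file names are this example's own.
set -e

# make_ca DIR : CA key and self-signed CA certificate (same template as the post)
make_ca() {
    dir=$1
    if [ -f "$dir/ca-key.pem" ]; then return 0; fi
    certtool --generate-privkey --outfile "$dir/ca-key.pem" 2>/dev/null
    chmod 600 "$dir/ca-key.pem"
    cat > "$dir/ca.tmpl" <<'EOF'
cn = "VPN CA"
organization = "DarkNode"
serial = 1
expiration_days = 3650
ca
signing_key
cert_signing_key
crl_signing_key
EOF
    certtool --generate-self-signed --load-privkey "$dir/ca-key.pem" \
        --template "$dir/ca.tmpl" --outfile "$dir/ca-cert.pem" 2>/dev/null
}

# issue_user DIR USER PASSWORD : key + certificate with CN=USER, bundled as USER.p12
issue_user() {
    dir=$1; user=$2; pass=$3
    certtool --generate-privkey --outfile "$dir/$user-key.pem" 2>/dev/null
    # the CN is what ocserv takes as the login name via cert-user-oid = 2.5.4.3
    cat > "$dir/$user.tmpl" <<EOF
cn = "$user"
unit = "VPN"
expiration_days = 365
signing_key
tls_www_client
EOF
    certtool --generate-certificate --load-privkey "$dir/$user-key.pem" \
        --load-ca-certificate "$dir/ca-cert.pem" --load-ca-privkey "$dir/ca-key.pem" \
        --template "$dir/$user.tmpl" --outfile "$dir/$user-cert.pem" 2>/dev/null
    # openssl for the PKCS#12 as in the post, but with a real export password:
    # the .p12 carries the private key and is fetched over a URL
    openssl pkcs12 -export -inkey "$dir/$user-key.pem" -in "$dir/$user-cert.pem" \
        -certfile "$dir/ca-cert.pem" -out "$dir/$user.p12" -password "pass:$pass"
    chmod 600 "$dir/$user-key.pem" "$dir/$user.p12"
}

# cert_cn DIR USER : CN of the issued certificate, i.e. the name ocserv will log
cert_cn() {
    openssl x509 -in "$1/$2-cert.pem" -noout -subject |
        sed -n 's|.*CN *= *\([^,/]*\).*|\1|p'
}

# verify_user DIR USER PASSWORD : 0 if the certificate chains to the CA and the
# .p12 opens with PASSWORD
verify_user() {
    dir=$1; user=$2; pass=$3
    certtool --verify --load-ca-certificate "$dir/ca-cert.pem" \
        --infile "$dir/$user-cert.pem" >/dev/null 2>&1 &&
    openssl pkcs12 -in "$dir/$user.p12" -noout -password "pass:$pass" 2>/dev/null
}

# revoke_user DIR USER : append USER's certificate to the revocation list and
# regenerate crl.pem from every revoked certificate with an increasing CRL number
revoke_user() {
    dir=$1; user=$2
    cat "$dir/$user-cert.pem" >> "$dir/revoked.pem"
    n=$(cat "$dir/crl.seq" 2>/dev/null || echo 0)
    n=$(( n + 1 )); echo "$n" > "$dir/crl.seq"
    printf 'crl_next_update = 30\ncrl_number = %d\n' "$n" > "$dir/crl.tmpl"
    certtool --generate-crl --load-ca-privkey "$dir/ca-key.pem" \
        --load-ca-certificate "$dir/ca-cert.pem" --load-certificate "$dir/revoked.pem" \
        --template "$dir/crl.tmpl" --outfile "$dir/crl.pem" 2>/dev/null
}

# verify_crl DIR : 0 if crl.pem carries a valid signature from the CA
verify_crl() {
    certtool --verify-crl --load-ca-certificate "$1/ca-cert.pem" \
        --infile "$1/crl.pem" >/dev/null 2>&1
}

# usage:
#   make_ca /root/vpn-ca; issue_user /root/vpn-ca alice 'export-password'
#   revoke_user /root/vpn-ca alice   # lost phone: crl.pem now lists alice's certificate
```

To make ocserv honour the CRL, add crl = /etc/ocserv/crl.pem to ocserv.conf, copy the regenerated crl.pem there after each revocation and reload ocserv (it re-reads its configuration on SIGHUP). An outdated CRL may make certificate verification fail for everyone, so re-issue it before crl_next_update elapses even when nothing new was revoked. If a client cannot import a .p12 produced by OpenSSL 3, add -legacy to the pkcs12 -export command to fall back to the older PKCS#12 encryption.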

Create a service script:

$ vi /etc/init.d/ocserv

Save the following script:

#!/bin/sh
### BEGIN INIT INFO
# Provides:          ocserv
# Required-Start:    $remote_fs $syslog
# Required-Stop:     $remote_fs $syslog
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
### END INIT INFO
# Copyright Rene Mayrhofer, Gibraltar, 1999
# This script is distributed under the GPL

PATH=/bin:/usr/bin:/sbin:/usr/sbin
DAEMON=/usr/sbin/ocserv
PIDFILE=/var/run/ocserv.pid
DAEMON_ARGS="-c /etc/ocserv/ocserv.conf"

case "$1" in
start)
    PID=$(sed 's/ //g' $PIDFILE 2>/dev/null)
    if [ -n "$PID" ] && kill -0 "$PID" 2>/dev/null; then
        echo "OpenConnect VPN Server is already running."
        exit 0
    fi
    # a stale pid file left by a crash would otherwise block the start
    rm -f $PIDFILE
    echo -n "Starting OpenConnect VPN Server Daemon: "
    start-stop-daemon --start --quiet --pidfile $PIDFILE --exec $DAEMON -- \
        $DAEMON_ARGS > /dev/null
    echo "ocserv."
    ;;
stop)
    echo -n "Stopping OpenConnect VPN Server Daemon: "
    start-stop-daemon --stop --quiet --pidfile $PIDFILE --exec $DAEMON
    echo "ocserv."
    rm -f $PIDFILE
    ;;
force-reload|restart)
    echo "Restarting OpenConnect VPN Server: "
    $0 stop
    sleep 1
    $0 start
    ;;
status)
    if [ ! -r $PIDFILE ]; then
        # no pid file, process doesn't seem to be running
        exit 3
    fi
    PID=$(sed 's/ //g' $PIDFILE)
    # compare the running executable with the daemon path instead of parsing ls -l
    if [ -n "$PID" ] && [ "$(readlink -f /proc/$PID/exe 2>/dev/null)" = "$DAEMON" ]; then
        # ok, process seems to be running
        exit 0
    fi
    # pid file exists but the process is not running (or is not ocserv)
    exit 1
    ;;
*)
    echo "Usage: /etc/init.d/ocserv {start|stop|restart|force-reload|status}"
    exit 1
    ;;
esac

exit 0

Make the script executable (with the LSB header in place it can also be registered with update-rc.d, which would make the start line added to rc.local below unnecessary):

$ chmod 755 /etc/init.d/ocserv

Enable forwarding:

$ vi /etc/sysctl.conf
net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 1
$ sysctl -p

Edit rc.local

$ vi /etc/rc.local

Add the following before exit 0. venet0 is the uplink interface of an OpenVZ container; on other systems substitute the interface that carries the default route, for example eth0. The rules are not persisted anywhere else, which is why they live in rc.local:

iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
iptables -t nat -A POSTROUTING -o venet0 -j MASQUERADE
iptables -I INPUT -p tcp --dport 443 -j ACCEPT
iptables -I INPUT -p udp --dport 443 -j ACCEPT
/etc/init.d/ocserv start

That completes the server side.