This article shows you how to set up an openconnect server on a Debian system in five minutes, for use with anyconnect/openconnect clients:
1. Install the packages: apt install iptables-persistent ocserv
(While installing the iptables-persistent package you will be asked whether to save the current iptables rules; answer no to both prompts.)
2. Edit the configuration files
First, edit /etc/sysctl.conf and add the following lines to enable IP forwarding.
net.ipv4.ip_forward = 1
net.ipv4.ip_forward_update_priority = 0
net.ipv4.ip_forward_use_pmtu = 1
net.ipv6.conf.all.forwarding = 1
Then edit /etc/ocserv/ocserv.conf to set the basic server options. The configuration below includes settings such as the internal network ranges, which you can adjust as needed. (Back up the original configuration first so you can refer to it.)
# openconnect server user
run-as-user = ocserv
run-as-group = ocserv
# files required while the server runs
socket-file = /run/ocserv-socket
chroot-dir = /var/lib/ocserv
# isolate worker sub-processes
isolate-workers = true
# net interface for server
device = op
# mtu size for server
mtu = 1480
# log level
log-level = 1
# auth method
auth = "plain[/etc/ocserv/ocpasswd]"
# maximum users allowed connect
max-clients = 10
# maximum simultaneous connections allowed per user
max-same-clients = 5
# server listen address (default is all)
# listen-host =
# server listen ports (default is 443, but can be modified)
tcp-port = 443
udp-port = 443
# mtu auto discovery per tunnel
try-mtu-discovery = true
# user certificate type
# cert-user-oid = 2.5.4.3
# certificate and private key for server
server-cert = /etc/ocserv/server.pem
server-key = /etc/ocserv/server.key
# dns servers handed to clients while connected
dns = 8.8.8.8
dns = 9.9.9.9
tunnel-all-dns = true
# route option (set it to default as a gateway)
#route = 192.168.1.0/255.255.255.0
route = default
# enable cisco anyconnect compatible
cisco-client-compat = true
# keep alive interval
keepalive = 32400
dpd = 60
mobile-dpd = 120
# other option
output-buffer = 0
rate-limit-ms = 0
# access control
restrict-user-to-routes = false
restrict-user-to-ports = ""
# disconnected idle time
# idle-timeout = 1200
# mobile-idle-timeout = 1800
# dtls protocol control
dtls-legacy = true
switch-to-tcp-timeout = 30
tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1:-VERS-TLS1.2"
# compression control
compression = true
no-compress-limit = 0
# speed limit per client
rx-data-per-sec = 0
tx-data-per-sec = 0
# client auth control
auth-timeout = 240
min-reauth-time = 300
max-ban-score = 80
ban-reset-time = 1200
# client status control
cookie-timeout = 600
rekey-time = 172800
deny-roaming = false
use-occtl = true
# internal network settings
ipv4-network = 10.255.255.0/24
ipv6-network = fd09::/80
ipv6-subnet-prefix = 128
client-bypass-protocol = false
predictable-ips = true
ping-leases = true
net-priority = 3
3. Issue a self-signed SSL certificate and set up the iptables rules.
First, issue a self-signed SSL certificate. (Run the following command and fill in the prompted fields; once the files are generated, move them to /etc/ocserv/.)
openssl req -x509 -sha256 -nodes -days 3650 -newkey rsa:4096 -keyout server.key -out server.pem
Next, set up iptables forwarding rules for the internal network ranges. Replace the IP address ranges below with the actual ranges you entered in the configuration file:
# These rules allow the internal network ranges to be forwarded through the machine; without them, UDP forwarding will not work
iptables -I FORWARD -s 10.255.255.0/24 -j ACCEPT
iptables -I FORWARD -d 10.255.255.0/24 -j ACCEPT
ip6tables -I FORWARD -s fd09::/80 -j ACCEPT
ip6tables -I FORWARD -d fd09::/80 -j ACCEPT
# These rules enable IP masquerading (that is, traffic from the openconnect server's internal ranges leaving through any interface other than the one created by the openconnect server is NATed before going out)
# The POSTROUTING chain lives in the nat table, so -t nat is required
iptables -t nat -A POSTROUTING -s 10.255.255.0/24 ! -o op+ -j MASQUERADE
ip6tables -t nat -A POSTROUTING -s fd09::/80 ! -o op+ -j MASQUERADE
After setting the rules, save them to the configuration files so that they persist across reboots:
iptables-save >> /etc/iptables/rules.v4
ip6tables-save >> /etc/iptables/rules.v6
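Since the iptables ranges above must be kept in step with ocserv.conf by hand, here is an added helper script (not part of the original post) that reads device, ipv4-network and ipv6-network from a config file and prints the matching FORWARD and MASQUERADE rules; the demo feeds it a constructed temporary config rather than the real /etc/ocserv/ocserv.conf.

```shell
#!/bin/sh
# Added example: derive the firewall rules from the values actually set in
# ocserv.conf, so the VPN subnets and the iptables rules cannot drift apart.
# Assumes the config uses the keys shown above: device, ipv4-network, ipv6-network.

# conf_value FILE KEY -> prints the value of the first uncommented "KEY = value" line
conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# ocserv_fw_rules FILE -> prints the iptables/ip6tables commands to run
ocserv_fw_rules() {
    conf="$1"
    dev=$(conf_value "$conf" device)
    v4=$(conf_value "$conf" ipv4-network)
    v6=$(conf_value "$conf" ipv6-network)
    [ -n "$dev" ] && [ -n "$v4" ] || {
        echo "device or ipv4-network missing in $conf" >&2
        return 1
    }
    # FORWARD must accept both directions, otherwise UDP (DTLS) traffic is dropped
    echo "iptables -I FORWARD -s $v4 -j ACCEPT"
    echo "iptables -I FORWARD -d $v4 -j ACCEPT"
    # NAT everything leaving through any interface other than the VPN tun devices
    echo "iptables -t nat -A POSTROUTING -s $v4 ! -o ${dev}+ -j MASQUERADE"
    if [ -n "$v6" ]; then
        echo "ip6tables -I FORWARD -s $v6 -j ACCEPT"
        echo "ip6tables -I FORWARD -d $v6 -j ACCEPT"
        echo "ip6tables -t nat -A POSTROUTING -s $v6 ! -o ${dev}+ -j MASQUERADE"
    fi
}

# Demo with a constructed config; on a real host pass /etc/ocserv/ocserv.conf instead
demo=$(mktemp)
printf 'device = op\n# ipv4-network = 192.0.2.0/24\nipv4-network = 10.255.255.0/24\nipv6-network = fd09::/80\n' > "$demo"
ocserv_fw_rules "$demo"
rm -f "$demo"
```

Pipe the output into sh only after reading it; the script prints the commands rather than executing them so the result can be checked first.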
4. Add users
If you did not change the user authentication type in the configuration file to another method, you next need to add the users who may log in. Run the following command:
# Format: ocpasswd username -c password-file; you will then be prompted to set the user's password
# To delete a user, edit the corresponding line in that file
ocpasswd boss -c /etc/ocserv/ocpasswd
5. Optional settings
6. Restart the server
After completing the steps above, test whether you can connect. Under normal circumstances it should connect.
If the server-side ocserv can be upgraded to version 1.2.1 or later, you can also enable the camouflage feature: clients connect via a URL with a specific path, and anyone who does not guess the path will only see what looks like an ordinary device management web interface. If you have confirmed the version is 1.2.1 or later, add the following to the configuration file:
# camouflage
camouflage = true
# passphrase: once enabled, clients connect using https://server-address/?passphrase
camouflage_secret = "dark"
camouflage_realm = "router admin panel"
Donaldo, 173 days ago
Won't openconnect get interfered with? I used to use the company-issued cisco anyconnect, and as I recall it was already extremely slow even without crossing the wall. 🫨