一、项目准备
1.1、VMware ESXi
1.2、Ubuntu镜像
1.3、OpenConnect客户端
1.4、AnyConnect客户端
magnet:?xt=urn:btih:64CB657D3F53EFFA07FE7A6E4734152BECAB0DBA&tr=http%3A%2F%2Fbt3.t-ru.org%2Fann%3Fmagnet&dn=Cisco%20AnyConnect%20Secure%20Mobility%20Client%20%2F%20Cisco%20Secure%20Client
1.5、SSH工具
1.5.1、MobaXterm激活
二、部署Ubuntu
Ubuntu系统在VMware ESXi中安装设置请参考 Ubuntu搭建OpenVPN配置分流规则指南!第二步)
三、安装Ocserv
3.1、确认软件包
apt-cache show ocserv
3.2、更新软件列表
sudo apt-get update
3.3、安装Ocserv
sudo apt-get install -y ocserv
3.4、检查版本
ocserv -version
3.5、版本升级
sudo apt-get install -y wget && wget https://mirror.iranserver.com/ubuntu/ubuntu/pool/universe/o/ocserv/ocserv_1.1.6-2_amd64.deb
sudo apt-get install ssl-cert libev4 libhttp-parser2.9 libnl-route-3-200 liboath0 libprotobuf-c1 libradcli4 libtalloc2
sudo dpkg -i ocserv_1.1.6-2_amd64.deb
ocserv -version
3.6、告警解决
sudo mkdir /var/lib/ocserv
sudo chown -R ocserv:ocserv /var/lib/ocserv
sudo nano /usr/sbin/policy-rc.d
#!/bin/sh
while true; do
case "$1" in
-*) shift;;
makedev|x11-common|ocserv) exit 0;;
*) exit 101;;
esac
done
3.7、重启Ocserv
sudo systemctl restart ocserv
3.8、创建SSL证书
mkdir /etc/ocserv/certificates && cd /etc/ocserv/certificates
3.9、创建ca.tmpl
nano ca.tmpl
cn = "Your CA name"
organization = "Your organization name"
serial = 1
expiration_days = 3650
ca
signing_key
cert_signing_key
crl_signing_key
3.10、创建server.tmpl
nano server.tmpl
cn = "Your hostname or IP"
organization = "Your organization name"
serial = 2
expiration_days = 3650
signing_key
encryption_key
tls_www_server
3.11、生成CA证书
sudo apt-get install -y gnutls-bin
certtool --generate-privkey --outfile ca-key.pem
certtool --generate-self-signed --load-privkey ca-key.pem --template ca.tmpl --outfile ca-cert.pem
3.12、用CA证书签VPN证书
certtool --generate-privkey --outfile server-key.pem
certtool --generate-certificate --load-privkey server-key.pem --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem --template server.tmpl --outfile server-cert.pem
3.13、复制crt,key到ocserv目录
sudo cp server-cert.pem server-key.pem /etc/ocserv/
3.14、查看当前ocserv.conf默认配置
cd .. && cat ocserv.conf | grep '^[^#|^;]'
3.15、修改配置文件
3.15.1、查看SSL证书路径和密钥路径
cd certificates && ll && pwd
3.15.2、添加SSL证书路径和密钥路径到配置文件中
ca-cert = /etc/ocserv/certificates/ca-cert.pem
server-cert = /etc/ocserv/certificates/server-cert.pem
server-key = /etc/ocserv/certificates/server-key.pem
3.15.3、添加VPN连接成功欢迎信息
banner = "Welcome YYDY OcservVPN"
3.15.4、开启MTU控制
try-mtu-discovery = true
mtu = 1200
3.15.5、修改最大客户端数
max-clients = 100
3.15.6、修改单账户最大客户端数
max-same-clients = 5
3.15.7、修改用户VPN网卡IP段
ipv4-network = 100.255.255.0
ipv4-netmask = 255.255.255.0
3.15.8、修改用户VPN网卡DNS
dns = 10.10.10.10
3.15.9、下发谷歌微软以及国内拒绝路由表
3.15.10、不下发指定路由
no-route 10.0.0.0/8
no-route 172.16.0.0/12
no-route 192.168.0.0/16
3.15.11、下发指定路由
route 10.10.10.10/32
3.15.12、重启生效
sudo systemctl restart ocserv.service
3.15.13、查看状态
sudo systemctl status ocserv.service
3.15.14、创建这个文件
sudo touch /run/ocserv-socket
sudo chmod 660 /run/ocserv-socket
sudo chown ocserv:ocserv /run/ocserv-socket
3.15.15、检查服务端口是否正常
lsof -i:443
3.16、创建账号文件
sudo touch /etc/ocserv/passwd
3.17、创建用户yydy
sudo ocpasswd -c /etc/ocserv/passwd yydy
sudo ocpasswd -c /etc/ocserv/passwd -d username
四、OpenConnect测试
4.1、路由前后对比
route print -4
4.2、内网地址不可达
tracert -d -w 1 内网IP
五、配置VPN上网
5.1、查看Ocserv服务器上网网卡名称
ip addr
5.2、开启路由转发
sed -i '/net.ipv4.ip_forward/s/0/1/' /etc/sysctl.conf
sed -i '/net.ipv4.ip_forward/s/#//' /etc/sysctl.conf
sysctl -p
5.3、配置iptables
sudo iptables -t nat -A POSTROUTING -o ens160 -j MASQUERADE
5.4、安装iptables-persistent
sudo apt install -y iptables-persistent
5.5、保存到iptables-persistent
sudo netfilter-persistent save
六、测试验证
七、遇到的问题
7.1、路由下发问题
no-route = 10.0.0.0/255.0.0.0
no-route = 172.16.0.0/255.240.0.0
no-route = 192.168.0.0/255.255.0.0
route = 192.168.100.3/255.255.255.255
route = 192.168.100.4/255.255.255.255
route = 192.168.6.0/255.255.255.0
no-route = 10.0.0.0/8
no-route = 172.16.0.0/12
no-route = 192.168.0.0/16
route = 192.168.100.3/32
route = 192.168.100.4/32
route = 192.168.6.0/24
八、CiscoAnyconnect测试
九、海外加速测试
