2015年1月23日星期五

解决ocserv的证书问题

主要参考的贴子: http://bao3.blogspot.jp/2014/10/ocserv-085.html

服务器用的是ArchLinux系统,AUR中有ocserv软件包,安装起来非常方便。

贴上配置文件:

注意:将下文中ohrz.me换成主机的域名

[renzhn@li675-144 ~]$ cd /etc/ocserv/
[renzhn@li675-144 ocserv]$ ls
ocpasswd  ocserv.conf
[renzhn@li675-144 ocserv]$ egrep -v "^$|^#" ocserv.conf
auth = "plain[/etc/ocserv/ocpasswd]"
session-control = true
max-clients = 16
max-same-clients = 10
tcp-port = 443
udp-port = 443
keepalive = 32400
dpd = 90
mobile-dpd = 1800
try-mtu-discovery = false
server-cert = /etc/ssl/certs/server-cert.pem
server-key = /etc/ssl/private/server-key.pem
tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT"
auth-timeout = 40
cookie-timeout = 300
deny-roaming = false
rekey-time = 172800
rekey-method = ssl
use-utmp = true
use-occtl = true
pid-file = /var/run/ocserv.pid
socket-file = /var/run/ocserv-socket
run-as-user = nobody
run-as-group = daemon
device = OhrzSSLVPN
predictable-ips = true
default-domain = ohrz.me
ipv4-network = 10.10.0.0
ipv4-netmask = 255.255.255.0
dns = 8.8.8.8
dns = 208.67.222.222
ping-leases = false

-------
配置证书
-------

[root@li675-144 ~]# tail -n +1 *.tmpl
==> ca.tmpl <==
cn = "ohrz.me VPN CA"
state = "Shanghai"
country = CN
organization = "Tyrael Ltd."
serial = 1
expiration_days = 3650
email = "[email protected]"
dns_name = "ohrz.me"
ca
signing_key
encryption_key
ipsec_ike_key
cert_signing_key
crl_signing_key

==> client.tmpl <==
cn = renzhn
o = "Tyrael Ltd."
email = [email protected]
dns_name = "ohrz.me"
country = CN
state = "Shanghai"
serial = 3
expiration_days = 3650
signing_key
encryption_key #only if the generated key is an RSA one
tls_www_client
ipsec_ike_key
time_stamping_key

==> server.tmpl <==
cn = "ohrz.me"
o = "Tyrael Ltd."
email = [email protected]

dns_name = "ohrz.me"
country = CN
state = "Shanghai"

serial = 2
expiration_days = 3650

signing_key
encryption_key #only if the generated key is an RSA one
tls_www_server
ipsec_ike_key

time_stamping_key

---------------------------

生成ca和server的key和cert文件
---------------------------

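#!/usr/bin/env bash
#
# Generate the CA key/cert and the server key/cert from ca.tmpl / server.tmpl.
# Run in the directory holding the templates. Fails fast, so a failed CA step
# is not silently followed by signing the server certificate with a missing key.
set -eu

# Private keys must not be group/world readable. certtool may already restrict
# the mode of key files itself, but an explicit umask makes that independent of
# the caller's environment.
umask 077

certtool --generate-privkey --outfile ca-key.pem
certtool --generate-self-signed --load-privkey ca-key.pem \
  --template ca.tmpl --outfile ca-cert.pem

certtool --generate-privkey --outfile server-key.pem
certtool --generate-certificate --load-privkey server-key.pem \
  --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem \
  --template server.tmpl --outfile server-cert.pem

# Certificates are public; restore a readable mode so they can be copied to
# /etc/ssl/certs and read without the key's restrictions.
chmod 0644 ca-cert.pem server-cert.pem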

-----------------------------------------------
生成用户的key和cert文件,并生成在客户端导入的p12文件
-----------------------------------------------

[root@li675-144 ~]# cat cert-client.sh
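#!/usr/bin/env bash
#
# cert-client.sh — issue a VPN client key + certificate signed by the local CA
# and bundle them into a PKCS#12 file for import on the client device.
#
# Usage:    ./cert-client.sh <username>
# Reads:    ca-cert.pem, ca-key.pem, client.tmpl (current directory)
# Writes:   <username>-key.pem, <username>-cert.pem, <username>.cert.p12;
#           also rewrites line 1 (cn) and line 3 (email) of client.tmpl in place.
# Note:     `openssl pkcs12 -export` prompts for an export password on the tty.
set -eu

user=${1:?usage: ${0##*/} <username>}

# The name is spliced into sed 'c' replacement text and used as a file-name
# prefix, so restrict it to a plain character set and refuse a leading '-'
# (which certtool/openssl would otherwise parse as an option).
case "$user" in
  -*|*[!A-Za-z0-9_.-]*)
    printf 'cert-client: invalid username: %s\n' "$user" >&2
    exit 2
    ;;
esac

# Private keys and the .p12 (which contains the key) must not be readable by
# other users. certtool may already restrict the mode of key files itself, but
# an explicit umask makes that independent of the caller's environment.
umask 077

certtool --generate-privkey --outfile "${user}-key.pem"

# Point the shared template at this user. The original quoting
# ("1ccn = "${1}"") collapsed to an unquoted cn, which is the form client.tmpl
# already uses, so the value is kept unquoted here.
sed -i "1ccn = ${user}" client.tmpl
sed -i "3cemail = ${user}@abc.org" client.tmpl

certtool --generate-certificate \
  --load-privkey "${user}-key.pem" \
  --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem \
  --template client.tmpl --outfile "${user}-cert.pem"

# -certfile bundles the CA certificate into the .p12 alongside the client cert.
openssl pkcs12 -export \
  -inkey "${user}-key.pem" -in "${user}-cert.pem" \
  -name "${user} VPN Client Cert" -certfile ca-cert.pem \
  -out "${user}.cert.p12"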

用法:
./cert-client.sh renzhn

生成 p12 时需要设置导出密码,(据说)在 iOS 导入证书时必须用到

注意:
  • 保存 server-key.pem 和 server-cert.pem 到一个路径,然后在 ocserv.conf 中指定对应路径
  • Windows 中的 Cisco AnyConnect 的配置文件在 C:\ProgramData\Cisco ;OSX 的在 /opt/cisco/anyconnect/profile

