1、安装ocserv
ocserv 已经在 epel 仓库中提供了,所以可以直接通过 yum 安装
[root@linux-node4 ~]# yum -y install epel-release
[root@linux-node4 ~]# yum -y install ocserv
2、证书制作
2.1、创建 CA
[root@linux-node4 ~]# cd /etc/ocserv
[root@linux-node4 ocserv]# mkdir CA
[root@linux-node4 ocserv]# cd CA
[root@linux-node4 CA]# cat > ca.tmpl <<EOF
cn = "zhouping"
organization = "jq"
serial = 1
expiration_days = 36500
ca
signing_key
cert_signing_key
crl_signing_key
EOF
[root@linux-node4 CA]# ll
total 4
-rw-r--r-- 1 root root 127 Nov 25 10:42 ca.tmpl
2.2、生成CA 密钥
[root@linux-node4 CA]# certtool --generate-privkey --outfile ca-key.pem
[root@linux-node4 CA]# ll
total 12
-rw------- 1 root root 5816 Nov 25 10:42 ca-key.pem
-rw-r--r-- 1 root root 127 Nov 25 10:42 ca.tmpl
2.3、生成CA证书
[root@linux-node4 CA]# certtool --generate-self-signed --load-privkey ca-key.pem --template ca.tmpl --outfile ca-cert.pem
[root@linux-node4 CA]# ll
total 16
-rw-r--r-- 1 root root 1107 Nov 25 10:45 ca-cert.pem
-rw------- 1 root root 5816 Nov 25 10:42 ca-key.pem
-rw-r--r-- 1 root root 127 Nov 25 10:42 ca.tmpl
2.4、创建 Server 证书模板(先确认服务器对外 IP)
[root@linux-node4 CA]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 00:0c:29:5c:0e:b1 brd ff:ff:ff:ff:ff:ff
inet 192.168.56.24/24 brd 192.168.56.255 scope global eth0
valid_lft forever preferred_lft forever
inet6 fe80::20c:29ff:fe5c:eb1/64 scope link
valid_lft forever preferred_lft forever
[root@linux-node4 CA]# cat > server.tmpl <<EOF
#cn 为服务器 IP 或者指向该服务器的域名
cn = "192.168.56.24"
organization = "jq"
expiration_days = 36500
signing_key
encryption_key
tls_www_server
EOF
[root@linux-node4 CA]# ll
total 20
-rw-r--r-- 1 root root 1107 Nov 25 10:45 ca-cert.pem
-rw------- 1 root root 5816 Nov 25 10:42 ca-key.pem
-rw-r--r-- 1 root root 127 Nov 25 10:42 ca.tmpl
-rw-r--r-- 1 root root 163 Nov 25 10:55 server.tmpl
2.5、创建 Server 密钥并用 CA 签发 Server 证书
[root@linux-node4 CA]# certtool --generate-privkey --outfile server-key.pem
[root@linux-node4 CA]# ll
total 28
-rw-r--r-- 1 root root 1107 Nov 25 10:45 ca-cert.pem
-rw------- 1 root root 5816 Nov 25 10:42 ca-key.pem
-rw-r--r-- 1 root root 127 Nov 25 10:42 ca.tmpl
-rw------- 1 root root 5823 Nov 25 10:58 server-key.pem
-rw-r--r-- 1 root root 163 Nov 25 10:55 server.tmpl
[root@linux-node4 CA]# certtool --generate-certificate --load-privkey server-key.pem --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem --template server.tmpl --outfile server-cert.pem
[root@linux-node4 CA]# ll
total 32
-rw-r--r-- 1 root root 1107 Nov 25 10:45 ca-cert.pem
-rw------- 1 root root 5816 Nov 25 10:42 ca-key.pem
-rw-r--r-- 1 root root 127 Nov 25 10:42 ca.tmpl
-rw-r--r-- 1 root root 1192 Nov 25 11:00 server-cert.pem
-rw------- 1 root root 5823 Nov 25 10:58 server-key.pem
-rw-r--r-- 1 root root 163 Nov 25 10:55 server.tmpl
3、创建路由分组管理目录
[root@linux-node4 ~]# mkdir -p /etc/ocserv/group
[root@linux-node4 ~]# ll /etc/ocserv/group
total 16
-rw-r--r-- 1 root root 144 Nov 25 10:11 dev
-rw-r--r-- 1 root root 145 Nov 22 15:45 front
-rw-r--r-- 1 root root 171 Nov 22 17:06 ops
-rw-r--r-- 1 root root 0 Nov 22 10:37 pre
-rw-r--r-- 1 root root 0 Nov 22 10:37 pro
-rw-r--r-- 1 root root 145 Nov 22 15:45 test
[root@linux-node4 ~]# cat /etc/ocserv/group/ops
route = 192.168.5.0/255.255.255.0
route = 172.17.134.0/255.255.255.0
route = 172.17.2.0/255.255.255.0
route = 172.17.29.0/255.255.255.0
route = 172.17.172.0/255.255.255.0
注释:填写上路由的才会走vpn,如果一个都没有填写默认会认为全部都走vpn,会导致上不去网。
4、修改配置文件
先备份,再修改配置文件
[root@linux-node4 ~]# cp /etc/ocserv/ocserv.conf{,_bak}
[root@linux-node4 ~]# egrep -v "^$|#" /etc/ocserv/ocserv.conf
#密码认证,选择这个就可以通过后面的创建用户命令直接创建用户来登录
auth = "plain[/etc/ocserv/ocpasswd]"
#tcp端口
tcp-port = 443
#运行用户
run-as-user = ocserv
#运行组
run-as-group = ocserv
# 分组文件存储目录,文件内容为不同的route链路访问控制
default-group-config = /etc/ocserv/group/Default
# 新增,用于用户分组.
default-select-group = Default
# 新增,用于用户分组.
config-per-group = /etc/ocserv/group/
# 新增,用于用户分组.
auto-select-group = false
socket-file = ocserv.sock
chroot-dir = /var/lib/ocserv
isolate-workers = true
# 最大用户数量
max-clients = 1024
# 同一个用户最多同时登陆数
max-same-clients = 10
# 3小时以内保持连接(3小时后无操作时,断开ocserv连接)
keepalive = 10800
dpd = 90
mobile-dpd = 1800
switch-to-tcp-timeout = 25
# 证书路径
server-cert = /etc/ocserv/CA/server-cert.pem
# 证书私钥路径
server-key = /etc/ocserv/CA/server-key.pem
# ca路径
ca-cert = /etc/ocserv/CA/ca-cert.pem
tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-VERS-SSL3.0"
# 在进行身份验证之前,允许客户端保持连接的时间(秒)
auth-timeout = 240
# 身份验证尝试失败后不允许客户端重新连接的时间(秒)。
min-reauth-time = 300
max-ban-score = 0
ban-reset-time = 300
cookie-timeout = 300
deny-roaming = false
# ocserv将要求客户机在经过这段时间后定期刷新密钥。设置为零以禁用(请注意,如果禁用重新设置密钥,则某些客户端将失败)【此设置并非要求更改客户端密钥】
rekey-time = 172800
rekey-method = ssl
use-occtl = true
pid-file = /var/run/ocserv.pid
device = vpns
predictable-ips = true
default-domain = meitian-op-dev-alpha
# 分配给VPN客户端的IP段
ipv4-network = 192.168.50.0/24
# DNS
dns = 192.168.5.1
# 默认走vpn的域名
# split-dns = elk.test.com
# split-dns = zabbix.test.com
# split-dns = jenkins.test.com
# split-dns = *.test.com
ping-leases = false
cisco-client-compat = true
dtls-legacy = true
user-profile = profile.xml
5、重启ocserv
【拨通vpn后会出现网卡vpns0信息】
[root@linux-node4 ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 00:0c:29:5c:0e:b1 brd ff:ff:ff:ff:ff:ff
inet 192.168.56.24/24 brd 192.168.56.255 scope global eth0
valid_lft forever preferred_lft forever
inet6 fe80::20c:29ff:fe5c:eb1/64 scope link
valid_lft forever preferred_lft forever
[root@linux-node4 ~]# systemctl restart ocserv
#拨通vpn后会出现网卡vpns0信息
[root@linux-node4 ~]# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.56.24 netmask 255.255.255.0 broadcast 192.168.56.255
inet6 fe80::20c:29ff:fe5c:eb1 prefixlen 64 scopeid 0x20<link>
ether 00:0c:29:5c:0e:b1 txqueuelen 1000 (Ethernet)
RX packets 45601 bytes 31267946 (29.8 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 11299 bytes 1249859 (1.1 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1 (Local Loopback)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
vpns0: flags=81<UP,POINTOPOINT,RUNNING> mtu 1472
inet 192.168.5.1 netmask 255.255.255.255 destination 192.168.5.90
inet6 fe80::698d:d063:ff73:4260 prefixlen 64 scopeid 0x20<link>
unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 500 (UNSPEC)
6、用户管理
创建一个登录用的用户名与密码
[root@linux-node4 ~]# ocpasswd -c /etc/ocserv/ocpasswd geyiheng
Enter password: 123456
Re-enter password: 123456
[root@linux-node4 ~]# cat /etc/ocserv/ocpasswd
geyiheng:*:$5$TtT/7WUcqH6vV/IA$SSs5yKVjVPS4qO96dvNRtkvcnX9dAPfLNfpjCUYOTg8
7、配置防火墙
防火墙规则中的客户端网段(此处写作 192.169.5.0/24)必须与 /etc/ocserv/ocserv.conf 中 ipv4-network = 192.168.5.0/24 的取值一致;配置前请核对两处网段是否相同。
ocserv WAN interface is eth0
8、ocserv管理
一、添加用户
ocpasswd -c /etc/ocserv/ocpasswd 【用户名】
二、添加用户至某个分组
ocpasswd -c /etc/ocserv/ocpasswd -g 【分组名称】 【用户名】
三、锁定用户
ocpasswd -c /etc/ocserv/ocpasswd -l 【用户名】
四、解锁用户
ocpasswd -c /etc/ocserv/ocpasswd -u 【用户名】
五、删除用户
ocpasswd -c /etc/ocserv/ocpasswd -d 【用户名】
六、查看当前服务运行状态:
occtl -n show status
七、查看当前在线用户详情:
occtl -n show users
八、踢掉当前在线用户:通过用户名:
occtl disconnect user 【用户名】
九、踢掉当前在线用户:通过id:
occtl disconnect id 【id号】