24
2024
06
23:50:13

ocserv开源vpn部署-已实测可行

1、安装ocserv

ocserv 已经在 epel 仓库中提供了,所以可以直接通过 yum 安装

[root@linux-node4 ~]# yum -y install epel-release


[root@linux-node4 ~]# yum -y install ocserv

2、证书制作

2.1、创建 CA

[root@linux-node4 ~]# cd /etc/ocserv


[root@linux-node4 ocserv]# mkdir CA


[root@linux-node4 ocserv]# cd CA


[root@linux-node4 CA]# cat > ca.tmpl <<EOF

cn = "zhouping"

organization = "jq"

serial = 1

expiration_days = 36500

ca

signing_key

cert_signing_key

crl_signing_key

EOF


[root@linux-node4 CA]# ll

total 4

-rw-r--r-- 1 root root 127 Nov 25 10:42 ca.tmpl

2.2、生成CA 密钥

[root@linux-node4 CA]# certtool --generate-privkey --outfile ca-key.pem


[root@linux-node4 CA]# ll

total 12

-rw------- 1 root root 5816 Nov 25 10:42 ca-key.pem

-rw-r--r-- 1 root root  127 Nov 25 10:42 ca.tmpl

2.3、生成CA证书

[root@linux-node4 CA]# certtool --generate-self-signed --load-privkey ca-key.pem --template ca.tmpl --outfile ca-cert.pem


[root@linux-node4 CA]# ll

total 16

-rw-r--r-- 1 root root 1107 Nov 25 10:45 ca-cert.pem

-rw------- 1 root root 5816 Nov 25 10:42 ca-key.pem

-rw-r--r-- 1 root root  127 Nov 25 10:42 ca.tmpl

2.4、构建一个CA认证中心

[root@linux-node4 CA]# ip a1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1

link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00

inet 127.0.0.1/8 scope host lo

valid_lft forever preferred_lft forever

inet6 ::1/128 scope host

valid_lft forever preferred_lft forever2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000

link/ether 00:0c:29:5c:0e:b1 brd ff:ff:ff:ff:ff:ff

inet 192.168.56.24/24 brd 192.168.56.255 scope global eth0

valid_lft forever preferred_lft forever

inet6 fe80::20c:29ff:fe5c:eb1/64 scope link

valid_lft forever preferred_lft forever



[root@linux-node4 CA]# cat >  server.tmpl <<EOF

#cn 为服务器ip或者执行该服务器的域名

cn = "192.168.56.24"

organization = "jq"

expiration_days = 36500

signing_key

encryption_key

tls_www_server

EOF


[root@linux-node4 CA]# ll

total 20

-rw-r--r-- 1 root root 1107 Nov 25 10:45 ca-cert.pem

-rw------- 1 root root 5816 Nov 25 10:42 ca-key.pem

-rw-r--r-- 1 root root 127 Nov 25 10:42 ca.tmpl

-rw-r--r-- 1 root root 163 Nov 25 10:55 server.tmpl



2.5、创建Server 密钥

[root@linux-node4 CA]# certtool --generate-privkey --outfile server-key.pem


[root@linux-node4 CA]# ll

total 28

-rw-r--r-- 1 root root 1107 Nov 25 10:45 ca-cert.pem

-rw------- 1 root root 5816 Nov 25 10:42 ca-key.pem

-rw-r--r-- 1 root root  127 Nov 25 10:42 ca.tmpl

-rw------- 1 root root 5823 Nov 25 10:58 server-key.pem

-rw-r--r-- 1 root root  163 Nov 25 10:55 server.tmpl



[root@linux-node4 CA]# certtool --generate-certificate --load-privkey server-key.pem --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem --template server.tmpl --outfile server-cert.pem


[root@linux-node4 CA]# ll

total 32

-rw-r--r-- 1 root root 1107 Nov 25 10:45 ca-cert.pem

-rw------- 1 root root 5816 Nov 25 10:42 ca-key.pem

-rw-r--r-- 1 root root  127 Nov 25 10:42 ca.tmpl

-rw-r--r-- 1 root root 1192 Nov 25 11:00 server-cert.pem

-rw------- 1 root root 5823 Nov 25 10:58 server-key.pem

-rw-r--r-- 1 root root  163 Nov 25 10:55 server.tmpl



3、创建路由分组管理目录

[root@linux-node4 ~]# mkdir -p /etc/ocserv/group


[root@linux-node4 ~]# ll /etc/ocserv/group

total 16

-rw-r--r-- 1 root root 144 Nov 25 10:11 dev

-rw-r--r-- 1 root root 145 Nov 22 15:45 front

-rw-r--r-- 1 root root 171 Nov 22 17:06 ops

-rw-r--r-- 1 root root 0 Nov 22 10:37 pre

-rw-r--r-- 1 root root 0 Nov 22 10:37 pro

-rw-r--r-- 1 root root 145 Nov 22 15:45 test


[root@linux-node4 ~]# cat /etc/ocserv/group/ops

route = 192.168.5.0/255.255.255.0

route = 172.17.134.0/255.255.255.0

route = 172.17.2.0/255.255.255.0

route = 172.17.29.0/255.255.255.0

route = 172.17.172.0/255.255.255.0

  • 注释:填写上路由的才会走vpn,如果一个都没有填写默认会认为全部都走vpn,会导致上不去网。



4、修改配置文件

备份修改配置文件

[root@linux-node4 ~]# cp /etc/ocserv/ocserv.conf{,_bak}


[root@linux-node4 ~]# egrep -v "^$|#" /etc/ocserv/ocserv.conf

#密码认证,选择这个就可以通过后面的创建用户命令直接创建用户来登录

auth = "plain[/etc/ocserv/ocpasswd]"

#tcp端口

tcp-port = 443

#运行用户                                    

run-as-user = ocserv

#运行组                                

run-as-group = ocserv

# 分组文件存储目录,文件内容为不同的route链路访问控制default-group-config = /etc/ocserv/group/Default    

# 新增,用于用户分组.default-select-group = Default                      

# 新增,用于用户分组.                               

config-per-group = /etc/ocserv/group/

# 新增,用于用户分组.

auto-select-group = false

socket-file = ocserv.sock

chroot-dir = /var/lib/ocserv

isolate-workers = true

# 最大用户数量

max-clients = 1024  

# 同一个用户最多同时登陆数                                 

max-same-clients = 10

# 3小时以内保持连接(3小时后无操作时,断开ocserv连接)                               

keepalive = 10800

dpd = 90

mobile-dpd = 1800switch-to-tcp-timeout = 25

# 证书路径

server-cert = /etc/ocserv/CA/server-cert.pem

# 证书路径        

server-key = /etc/ocserv/CA/server-key.pem

# ca路径          

ca-cert = /etc/ocserv/CA/ca-cert.pem

tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-VERS-SSL3.0"

# 在进行身份验证之前,允许客户端保持连接的时间(秒)

auth-timeout = 240

# 身份验证尝试失败后不允许客户端重新连接的时间(秒)。                                  

min-reauth-time = 300

max-ban-score = 0

ban-reset-time = 300

cookie-timeout = 300

deny-roaming = false

# ocserv将要求客户机在经过这段时间后定期刷新密钥。设置为零以禁用(请注意,如果禁用重新设置密钥,则某些客户端将失败)【此设置并非要求更改客户端秘钥】

rekey-time = 172800                                 

rekey-method = ssl

use-occtl = true

pid-file = /var/run/ocserv.pid

device = vpns

predictable-ips = truedefault-domain = meitian-op-dev-alpha

# 分配给VPN客户端的IP段

ipv4-network = 192.168.50.0/24

# DNS

dns = 192.168.5.1

# 默认走vpn的域名

# split-dns = elk.test.com

# split-dns = zabbix.test.com

# split-dns = jenkins.test.com

# split-dns = *.test.com

ping-leases = false

cisco-client-compat = true

dtls-legacy = true

user-profile = profile.xml









5、重启ocserv

【拨通vpn后会出现网卡vpns0信息】

[root@linux-node4 ~]# ip a1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1

link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00

inet 127.0.0.1/8 scope host lo

valid_lft forever preferred_lft forever

inet6 ::1/128 scope host

valid_lft forever preferred_lft forever2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000

link/ether 00:0c:29:5c:0e:b1 brd ff:ff:ff:ff:ff:ff

inet 192.168.56.24/24 brd 192.168.56.255 scope global eth0

valid_lft forever preferred_lft forever

inet6 fe80::20c:29ff:fe5c:eb1/64 scope link

valid_lft forever preferred_lft forever

[root@linux-node4 ~]# systemctl restart ocserv


#拨通vpn后会出现网卡vpns0信息

[root@linux-node4 ~]# ifconfig

eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500

inet 192.168.56.24  netmask 255.255.255.0  broadcast 192.168.56.255

inet6 fe80::20c:29ff:fe5c:eb1  prefixlen 64  scopeid 0x20<link>

ether 00:0c:29:5c:0e:b1  txqueuelen 1000  (Ethernet)

RX packets 45601  bytes 31267946 (29.8 MiB)

RX errors 0  dropped 0  overruns 0  frame 0

TX packets 11299  bytes 1249859 (1.1 MiB)

TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536

inet 127.0.0.1  netmask 255.0.0.0

inet6 ::1  prefixlen 128  scopeid 0x10<host>

loop  txqueuelen 1  (Local Loopback)

RX packets 0  bytes 0 (0.0 B)

RX errors 0  dropped 0  overruns 0  frame 0

TX packets 0  bytes 0 (0.0 B)

TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

vpns0: flags=81<UP,POINTOPOINT,RUNNING>  mtu 1472

inet 192.168.5.1  netmask 255.255.255.255  destination 192.168.5.90

inet6 fe80::698d:d063:ff73:4260  prefixlen 64  scopeid 0x20<link>

unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 500  (UNSPEC)


6、用户管理

创建一个登陆用的用户名与密码

[root@linux-node4 ~]# ocpasswd -c /etc/ocserv/ocpasswd geyiheng

Enter password: 123456

Re-enter password: 123456

[root@linux-node4 ~]# cat /etc/ocserv/ocpasswd

geyiheng:*:$5$TtT/7WUcqH6vV/IA$SSs5yKVjVPS4qO96dvNRtkvcnX9dAPfLNfpjCUYOTg8



7、配置防火墙

network 192.169.5.0/24 (这个来自于)/etc/ocserv/ocserv.conf 中的 ipv4-network = 192.168.5.0/24
ocserv WAN interface is eth0


8.ocserv管理

一、添加用户
ocpasswd -c /etc/ocserv/ocpasswd 【用户名】

二、添加用户至某个分组
ocpasswd -c /etc/ocserv/ocpasswd -g 【分组名称】 【用户名】

三、锁定用户
ocpasswd -c /etc/ocserv/ocpasswd -l 【用户名】

四、解锁用户
ocpasswd -c /etc/ocserv/ocpasswd -u 【用户名】

五、删除用户
ocpasswd -c /etc/ocserv/ocpasswd -d 【用户名】

六、查看当前服务运行状态:
occtl -n show status

七、查看当前在线用户详情:
occtl -n show users

八、踢掉当前在线用户:通过用户名:
occtl disconnect user 【用户名】

九、踢掉当前在线用户:通过id:
occtl disconnect id 【id号】




推荐本站淘宝优惠价购买喜欢的宝贝:

image.png

本文链接:https://hqyman.cn/post/6777.html 非本站原创文章欢迎转载,原创文章需保留本站地址!

分享到:
打赏





休息一下~~


« 上一篇 下一篇 »

发表评论:

◎欢迎参与讨论,请在这里发表您的看法、交流您的观点。

请先 登录 再评论,若不是会员请先 注册

您的IP地址是: