A brief record of how I set up ocserv (OpenConnect Server, the Cisco AnyConnect-compatible VPN server), as a reference for anyone who needs it.

Reaching the target server's network through a VPN lets us access intranet devices more securely.

System setup: this works on Linux, Ubuntu and other Unix-like systems (I use yum here; on Ubuntu replace the package manager yum with apt-get, everything else is basically the same). First check for updates:

yum check-update

Update the packages:

yum update

Search for ocserv:

yum search ocserv

Install ocserv:

yum install ocserv

Open the ocserv configuration file nano /etc/ocserv/ocserv.conf

The relevant part of the file is reproduced below; check and adjust the parameters marked with comments (the certificate and key are generated later):

auth = "certificate"
#auth = "plain[passwd=/etc/ocserv/ocpasswd]"
# Total number of clients, and number of simultaneous connections per user
max-clients = 16
max-same-clients = 4
# Pick a port you like that is unlikely to conflict with anything else
tcp-port = 2233
udp-port = 2233
# Network optimisation
try-mtu-discovery = true
socket-file = /var/run/ocserv-socket
# Make sure the server reads the user certificate correctly (the CN is used as the user name)
cert-user-oid = 2.5.4.3
# Server certificate and private key paths
server-cert = /etc/ocserv/ssl/server-cert.pem
server-key = /etc/ocserv/ssl/server-key.pem
# CA certificate path
ca-cert = /etc/ocserv/ssl/ca-cert.pem
# Internal address pool; must not overlap any other internal network
ipv4-network = 192.168.43.0
ipv4-netmask = 255.255.255.0
# DNS
dns = 8.8.8.8
dns = 223.5.5.5
run-as-user = nobody
run-as-group = daemon
# Groups
config-per-group = /etc/ocserv/group/
default-group-config = /etc/ocserv/group/cn-no-route
default-select-group = cn-no-route
auto-select-group = false
# Dead-peer detection and disconnect timers
dpd = 90
mobile-dpd = 1800
rate-limit-ms = 0
server-stats-reset-time = 604800
keepalive = 32400
switch-to-tcp-timeout = 25
isolate-workers = true
mtu = 2000
tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-VERS-SSL3.0"
auth-timeout = 240
idle-timeout = 86400
mobile-idle-timeout = 86400
min-reauth-time = 300
max-ban-score = 80
ban-reset-time = 1200
cookie-timeout = 300
deny-roaming = true
rekey-time = 172800
rekey-method = ssl
use-occtl = true
#pid-file = /var/run/ocserv.pid
net-priority = 6
device = vpns
predictable-ips = true
default-domain = example
cisco-client-compat = true
dtls-legacy = true
banner = "Effort Effort AND Effort! I SAY/SEE U!"

The routing table can be written directly in ocserv.conf, or in the per-group file named by default-group-config (/etc/ocserv/group/cn-no-route above).
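A quick sanity check to run over ocserv.conf before starting the daemon, added here as an example (it is not part of the original post or of ocserv itself). It flags a key set twice with different values (easy to do when pasting snippets from several sources), a configuration where every auth line is commented out, and certificate paths that do not exist yet; the sample config it checks is constructed for the demo.

```shell
#!/bin/sh
# ocserv_conf_check FILE: lint an ocserv.conf before (re)starting the daemon.
# Reports a key set twice with different values (which one applies is not
# obvious, so fix the file), no active "auth =" line, and server-cert /
# server-key / ca-cert paths that do not exist on disk. Returns 1 on findings.
ocserv_conf_check() {
    conf="$1"; found=0
    multi=" auth dns nbns split-dns route no-route custom-header "  # legitimately repeatable keys
    dups=$(sed 's/#.*//' "$conf" | awk -F= '
        /=/ { k = $1; gsub(/[ \t]/, "", k)
              v = $2; gsub(/^[ \t]+|[ \t]+$/, "", v)
              if (k in val && val[k] != v) print k
              val[k] = v }' | sort -u)
    for k in $dups; do
        case "$multi" in
            *" $k "*) ;;   # repeatable key, not a problem
            *) echo "duplicate key with conflicting values: $k"; found=1 ;;
        esac
    done
    if ! sed 's/#.*//' "$conf" | grep -q '^[[:space:]]*auth[[:space:]]*='; then
        echo "no active auth line: clients cannot authenticate"; found=1
    fi
    for key in server-cert server-key ca-cert; do
        path=$(sed 's/#.*//' "$conf" | awk -F= -v k="$key" \
            '{ gsub(/[ \t]/, "", $1) } $1 == k { gsub(/[ \t]/, "", $2); print $2 }' | tail -n 1)
        if [ -n "$path" ] && [ ! -f "$path" ]; then
            echo "$key points to missing file: $path"; found=1
        fi
    done
    return $found
}
# Constructed sample config (not a real deployment file) containing all three problems.
write_sample_conf() {
    cat > "$1" <<'EOF'
#auth = "certificate"
#auth = "plain[passwd=/etc/ocserv/ocpasswd]"
tcp-port = 2233
try-mtu-discovery = true
dns = 8.8.8.8
dns = 223.5.5.5
server-cert = /nonexistent/ocserv/ssl/server-cert.pem
server-key = /nonexistent/ocserv/ssl/server-key.pem
ca-cert = /nonexistent/ocserv/ssl/ca-cert.pem
try-mtu-discovery = false
EOF
}
tmp=$(mktemp); write_sample_conf "$tmp"
ocserv_conf_check "$tmp" || echo "fix the findings above before starting ocserv"; rm -f "$tmp"
```

Run it against the real file with ocserv_conf_check /etc/ocserv/ocserv.conf after the certificates have been moved into place; the repeated dns lines are allowed and are not reported.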

Next we generate the corresponding certificates and keys and put them under the configured path. Create a template file ca.tmpl (touch ca.tmpl), open it with nano ca.tmpl or vi ca.tmpl, and write the following parameters; the organization name can be anything, it is only used to identify the signer:

organization = "organization"
serial = 1
expiration_days = 9999
ca
signing_key
cert_signing_key
crl_signing_key

Then use the following two commands to generate the CA key and the self-signed CA certificate:

certtool --generate-privkey --outfile ca-key.pem

certtool --generate-self-signed --load-privkey ca-key.pem --template ca.tmpl --outfile ca-cert.pem

The server key and certificate are generated the same way once the CA is done. Create a server.tmpl template and write:

organization = "organization"
expiration_days = 9999
signing_key
encryption_key
tls_www_server

Run:

certtool --generate-privkey --outfile server-key.pem

certtool --generate-certificate --load-privkey server-key.pem --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem --template server.tmpl --outfile server-cert.pem

Then move the files into the directory the configuration points to:

mv ca-cert.pem /etc/ocserv/ssl/ca-cert.pem

mv server-key.pem /etc/ocserv/ssl/

mv server-cert.pem /etc/ocserv/ssl/

That is the server side done; now create a user to try it out.

Create a user.tmpl template and generate the user key and certificate. The last step exports a PKCS#12 file to import into the client:

unit = "groupname"
expiration_days = 9999
signing_key
tls_www_client

certtool --generate-privkey --outfile user-key.pem

certtool --generate-certificate --load-privkey user-key.pem --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem --template user.tmpl --outfile user-cert.pem

certtool --to-p12 --load-privkey user-key.pem --pkcs-cipher 3des-pkcs12 --load-certificate user-cert.pem --outfile user.p12 --outder

certtool then prompts for a user name and a password; the password protects the .p12 file and is needed again when importing it on the client.

On Windows and macOS, download the official OpenConnect client; on iOS and Android, install Cisco AnyConnect from the App Store or Google Play.

If it still does not connect, the firewall probably needs configuring: open the listening port you chose (2233 here) and enable masquerading so VPN clients can reach the internal network (replace eth0 with the server's outbound interface):

systemctl start firewalld.service
firewall-cmd --permanent --zone=public --add-port=2233/tcp
firewall-cmd --permanent --zone=public --add-port=2233/udp
firewall-cmd --permanent --add-masquerade
firewall-cmd --permanent --direct --passthrough ipv4 -t nat -A POSTROUTING -o eth0 -j MASQUERADE
firewall-cmd --reload

In the client, enter the gateway as IP address:port, import the certificate (you will be asked for its password) and connect. You are on the internal network!