搭设 OpenConnect VPN for IOS

OpenConnect server, also known as ocserv, is a VPN server that communicates over SSL. By design, its goal is to become a secure, lightweight, and fast VPN server. OpenConnect server uses the OpenConnect SSL VPN protocol. At the time of writing, it also has experimental compatibility with clients that use the AnyConnect SSL VPN protocol.
Why AnyConnect? Although any connect protocol is simple for GFW to discover, it has been used for many large companies having relation of GDP. So right now it’s more safe than pptp openvpn and some other VPN protocols.


Update On Jan 2018
新建了一个可以快速搭建Docker镜像,可以不读下面冗长的内容了。


这里主要讲一下debian系统搭建ocserv的方式方法。

首先编译 ocserv

ocserv的官网是 http://www.infradead.org/ocserv/ , 目前 (2015/09/30)因为不明原因网站挂了,所以有个朋友的备份下载可以用 https://github.com/fanyueciyuan/ocserv-backup,目前最新版本0.10.8
ocserv编译必须的包有 pkg-config libgnutls28-dev, 同时observ还有很多features,为了防止再次编译麻烦,可以一次性下全一点

apt-get install build-essential pkg-config libgnutls28-dev libwrap0-dev libpam0g-dev libseccomp-dev libreadline-dev libnl-route-3-devy liblz4-dev

接下来解压编译

tar xvJf ocserv-0.10.8.tar.xz
cd ocserv-0.10.8
./configure --prefix=/usr/local/ocserv --sysconfdir=/etc/ocserv/

本人比较好干净,所以放到了单独的目录,结果当然就是需要ln一堆东西

sudo ln -s /usr/local/ocserv/share/man/man8/occtl.8 /usr/local/share/man/man8/occtl.8
sudo ln -s /usr/local/ocserv/share/man/man8/ocpasswd.8 /usr/local/share/man/man8/ocpasswd.8
sudo ln -s /usr/local/ocserv/share/man/man8/ocserv.8 /usr/local/share/man/man8/ocserv.8
sudo ln -s /usr/local/ocserv/sbin/ocserv /usr/local/bin/ocserv
sudo ln -s /usr/local/ocserv/bin/occtl /usr/local/bin/occtl
sudo ln -s /usr/local/ocserv/bin/ocpasswd /usr/local/bin/ocpasswd

接下来就是编译了

make
sudo make install

配置 ocserv

doc目录下有配置的事例文件,这里我们需要先生成CA证书和服务器证书,首先安装工具

cd ~
apt-get install gnutls-bin
mkdir certificates
cd certificates

生成CA template文件 ca.tmpl

cn = "VPN CA"
organization = "Chillrain Node"
serial = 1
expiration_days = 3650
ca
signing_key
cert_signing_key
crl_signing_key

生成CA key和CA证书

certtool --generate-privkey --outfile ca-key.pem
certtool --generate-self-signed --load-privkey ca-key.pem --template ca.tmpl --outfile ca-cert.pem

同理,生成 Server template 文件 server.tmpl

cn = "you domain name or ip"
organization = "Chillrain Node"
expiration_days = 3650
signing_key
encryption_key
tls_www_server

生成Server key和证书

certtool --generate-privkey --outfile server-key.pem
certtool --generate-certificate --load-privkey server-key.pem --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem --template server.tmpl --outfile server-cert.pem

复制证书文件和配置文件

mkdir /etc/ocserv
sudo cp server-cert.pem server-key.pem /etc/ocserv
cp ~/ocserv-0.10.8/doc/sample.config /etc/ocserv/ocserv.conf

修改证书文件了,其中几个关键点

#默认使用plain模式
auth = "plain[/etc/ocserv/ocpasswd]"
try-mtu-discovery = true
#服务器证书路径
server-cert = /etc/ocserv/server-cert.pem
server-key = /etc/ocserv/server-key.pem
#端口号,默认443因为https会占用,并且用默认的太容易被GFW ban了
tcp-port = 1443
udp-port = 1443
#出于安全性当然不能用root来运行
run-as-user = nobody
run-as-group = daemon
#本地ip范围
ipv4-network = 10.8.0.0
ipv4-netmask = 255.255.255.0
#dns服务器,没啥说的
dns = 8.8.8.8
#推送路由条数
route = 0.0.0.0/128.0.0.0
route = 128.0.0.0/128.0.0.0
cisco-client-compat = true

关于默认路由,官方文档上说 如果你需要走全局路由 就注释掉所有路由推送,但是在使用AnyConnect的时候是有问题的Anyconnect 3.0收到这样推送会删掉所有的局域网路由和广播路由,导致你打不开VPN服务器。
这两个路由的意思如下:

0.0.0.0/128.0.0.0 = 0.0.0.0/1 = 128.0.0.0 TO 255.255.255.255
128.0.0.0/128.0.0.0 = 128.0.0.0/1 = 0.0.0.0 TO 127.255.255.255

生成用户名,密码

ocpasswd -c /etc/ocserv/ocpasswd username

剩下的和pptp相同,加入iptables

sudo iptables -t nat -A POSTROUTING -o eth0 -s 10.8.0.0/24 -j MASQUERADE

加入启动的话

cat << EOF | sudo tee -a /etc/network/if-pre-up.d/iptables
iptables -t nat -A POSTROUTING -o eth0 -s 10.8.0.0/24 -j MASQUERADE
EOF
sudo chmod a+x /etc/network/if-pre-up.d/iptables

开启tcp转发,编辑/etc/sysctl.conf修改

net.ipv4.ip_forward=1

然后apply

sysctl -p /etc/sysctl.conf

编写启动脚本 /etc/init.d/ocserv

#!/bin/sh
### BEGIN INIT INFO
# Provides: ocserv
# Required-Start: $remote_fs $syslog
# Required-Stop: $remote_fs $syslog
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
### END INIT INFO

PATH=/bin:/usr/bin:/sbin:/usr/sbin
DAEMON=/usr/local/bin/ocserv
PIDFILE=/var/run/ocserv.pid
DAEMON_ARGS=”-c /etc/ocserv/ocserv.conf”

case “$1” in
start)
if [ ! -r $PIDFILE ]; then
echo -n “Starting OpenConnect VPN Server Daemon: ”
start-stop-daemon –start –quiet –pidfile $PIDFILE –exec $DAEMON — \
$DAEMON_ARGS > /dev/null
echo “ocserv.”
else
echo -n “OpenConnect VPN Server is already running.\n\r”
exit 0
fi
;;
stop)
echo -n “Stopping OpenConnect VPN Server Daemon: ”
start-stop-daemon –stop –quiet –pidfile $PIDFILE –exec $DAEMON
echo “ocserv.”
rm -f $PIDFILE
;;
force-reload|restart)
echo “Restarting OpenConnect VPN Server: ”
$0 stop
sleep 1
$0 start
;;
status)
if [ ! -r $PIDFILE ]; then
exit 3
fi
PID=cat $PIDFILE | sed 's/ //g'
EXE=/proc/$PID/exe
if [ -x “$EXE” ] && [ “ls -l \"$EXE\" | cut -d'&gt;' -f2,2 | cut -d' ' -f2,2” = “$DAEMON” ]; then
exit 0
elif [ -r $PIDFILE ]; then
exit 1
else
exit 3
fi
;;
*)
echo “Usage: /etc/init.d/ocserv {start|stop|restart|force-reload|status}”
exit 1
;;
esac

exit 0

可执行

sudo chmod a+x /etc/init.d/ocserv
sudo update-rc.d observ defaults

最后启动 ocserv

sudo /etc/init.d/ocserv start

另,如果用证书认证的话

生成用户证书
certtool --generate-privkey --outfile user-key.pem
cat << EOF > user.tmpl
cn = "VPN"
unit = "VPN"
expiration_days = 365
signing_key
tls_www_client
EOF
certtool --generate-certificate --load-privkey user-key.pem --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem --template user.tmpl --outfile user-cert.pem
#生成p12格式
openssl pkcs12 -export -inkey user-key.pem -in user-cert.pem -certfile ca-cert.pem -out user.p12 -password pass:

Leave a Reply

Your email address will not be published.

Time limit is exhausted. Please reload CAPTCHA.

This site uses Akismet to reduce spam. Learn how your comment data is processed.