Holmesian Blog

Setting up ocserv on Linode CentOS

I recently found that, on China Telecom, packet loss to Vultr's Japan route is staggering and the experience keeps getting worse. Reluctantly I decided to shut down the Vultr Japan VPS and move to Linode's Singapore node. Word has it that domestic all-in-one security suites such as 360, combined with PPTP, hasten a tunnel's demise, so I am dropping PPTP support and keeping only ss, reverse proxying and AnyConnect. On an iPhone that is not jailbroken, AnyConnect is probably the best tool for getting past the firewall; from now on, anyone who runs a domestic all-in-one suite does not get a shared account.


Installing from a third-party repository

Add the EPEL repository

EPEL (Extra Packages for Enterprise Linux) is a repository maintained by the Fedora project that provides packages for RHEL/CentOS which the distribution does not ship by default. EPEL already carries ocserv for CentOS 6 and 7.

First download the EPEL release package for your version (CentOS 6 in this example) and install it. Note that rpm -ivh installs the package without checking it against a key you already trust, so fetch it from the official mirror only; on CentOS 7 `yum install epel-release` from the extras repository does the same job, and the CentOS 6 package has since moved to the EPEL archive.

    wget http://download.fedoraproject.org/pub/epel/6/i386/epel-release-6-8.noarch.rpm
    sudo rpm -ivh epel-release-6-8.noarch.rpm

Install ocserv

Run an update, then install ocserv directly:

    yum -y update
    yum install ocserv -y

Once it is installed, skip ahead to the configuration section.


Building from source

Prepare the build environment. All of the tarballs below are fetched over plain http/ftp; check each one against the project's signature before building, since the result is the TLS stack your VPN runs on.

    yum install expat-devel autoconf automake gcc libtasn1-devel zlib zlib-devel trousers trousers-devel gmp-devel gmp xz texinfo libnl-devel libnl tcp_wrappers-libs tcp_wrappers-devel tcp_wrappers dbus dbus-devel ncurses-devel pam-devel readline-devel bison bison-devel flex wget

Install nettle

    wget http://ftp.gnu.org/gnu/nettle/nettle-2.7.1.tar.gz
    tar zxf nettle-2.7.1.tar.gz && cd nettle-2.7.1
    ./configure --prefix=/usr
    make && make install
    ldconfig 

Install unbound

    wget http://unbound.nlnetlabs.nl/downloads/unbound-1.4.22.tar.gz
    tar zxf unbound-1.4.22.tar.gz && cd unbound-1.4.22
    ./configure --prefix=/usr && make && make install
    mkdir -p /etc/unbound && unbound-anchor -a "/etc/unbound/root.key"

Install gnutls

    wget ftp://ftp.gnutls.org/gcrypt/gnutls/v3.2/gnutls-3.2.12.1.tar.xz
    xz -c -d gnutls-3.2.12.1.tar.xz | tar x
    cd gnutls-3.2.12
    ./configure --prefix=/usr
    make && make install
    ldconfig

Install libnl

    wget http://www.carisma.slowglass.com/~tgr/libnl/files/libnl-3.2.24.tar.gz
    tar xvf libnl-3.2.24.tar.gz
    cd libnl-3.2.24
    ./configure --prefix=/usr
    make && make install
    ldconfig

Install libev

    git clone https://github.com/enki/libev.git
    cd libev
    ./configure --prefix=/usr
    make && make install
    ldconfig

Install ocserv

    wget ftp://ftp.infradead.org/pub/ocserv/ocserv-0.8.9.tar.xz
    tar xvf ocserv-0.8.9.tar.xz
    cd ocserv-0.8.9
    ./configure && make && make install

On an ARM platform run ./configure --disable-seccomp, otherwise the build fails on libseccomp with Makefile:1459: recipe for target 'worker-privs.o' failed. Remember that this also disables the seccomp worker sandbox at runtime (see use-seccomp in the configuration below).

If nettle and gnutls were installed under /usr/local instead, export the following before running ./configure:

    export LIBNETTLE_CFLAGS="-I/usr/local/include/" LIBNETTLE_LIBS="-L/usr/local/lib/" LIBGNUTLS_CFLAGS="-I/usr/local/include/" LIBGNUTLS_LIBS="-L/usr/local/lib/"

Common problems

If configure stops with No package 'gnutls' found, point it at the gnutls headers and library directly. This bypasses pkg-config, so the paths must match where gnutls was actually installed:

    export LIBGNUTLS_CFLAGS="-I/usr/include" LIBGNUTLS_LIBS="-L/usr/lib64 -lgnutls"

If protobuf-c/protobuf-c.h cannot be found, remove the protobuf and protobuf-devel packages that were installed through yum:

    yum remove protobuf

If other inexplicable errors turn up mid-build, rebuild autoconf, automake and libtool by hand (aclocal is part of automake, there is no separate package for it); the versions in yum are rather old.

    yum remove automake autoconf -y
    wget http://ftp.gnu.org/gnu/autoconf/autoconf-latest.tar.gz
    tar -zxvf autoconf-latest.tar.gz
    cd autoconf-<version>          # use the directory name the tarball extracted to
    ./configure --prefix=/usr
    make && make install
    cd ..
     
    wget http://ftp.gnu.org/gnu/automake/automake-1.15.tar.xz
    tar -Jxvf automake-1.15.tar.xz
    cd automake-1.15
    ./configure --prefix=/usr
    make && make install
    cd ..
     
    wget http://gnu.mirrors.hoobly.com/gnu/libtool/libtool-2.4.6.tar.xz
    tar -Jxvf libtool-2.4.6.tar.xz
    cd libtool-2.4.6
    ./configure --prefix=/usr
    make && make install
    cd ..

Configuring ocserv

See http://www.infradead.org/ocserv/manual.html#heading5

My configuration file, for reference only: certificate authentication enabled, compression turned on, and the cache settings tuned.

    # User authentication method. Could be set multiple times and in that case
    # all should succeed.
    # Options: certificate, pam. 
    auth = "certificate"
    #auth = "plain[./sample.passwd]"
    #auth = "plain[/etc/ocserv/ocpasswd]"
    #auth = "pam"
    
    # The gid-min option is used by auto-select-group option, in order to
    # select the minimum group ID.
    #auth = "pam[gid-min=1000]"
    
    
    # Whether to enable support for the occtl tool (i.e., either through D-BUS,
    # or via a unix socket).
    use-occtl = false
    
    
    # The plain option requires specifying a password file which contains
    # entries of the following format.
    # "username:groupname:encoded-password"
    # One entry must be listed per line, and 'ocpasswd' can be used
    # to generate password entries.
    #auth = "plain[/etc/ocserv/ocpasswd]"
    
    # Whether to enable seccomp worker isolation. That restricts the number of 
    # system calls allowed to a worker process, in order to reduce damage from a
    # bug in the worker process. It is available on Linux systems at a performance cost.
    # Both are switched off here. That removes the sandbox around the per-client
    # worker, so a bug in the TLS/CSTP handling runs with the full rights of the
    # ocserv user; turn them back on unless the build had to use
    # --disable-seccomp (the ARM case above).
    use-seccomp = false
    isolate-workers=false
    
    # A banner to be displayed on clients
    banner = "The server is located in Nanchang. Note that domestic traffic is not encrypted. By Holmesian"
    
    # Use listen-host to limit to specific IPs or to the IPs of a provided 
    # hostname.
    #listen-host = [IP|HOSTNAME]
    
    # Limit the number of clients. Unset or set to zero for unlimited.
    #max-clients = 1024
    max-clients = 128
    
    # When the server receives connections from a proxy, like haproxy
    # which supports the proxy protocol, set this to obtain the correct
    # client addresses. The proxy protocol (v2) would then be expected in
    # the TCP or UNIX socket (not the UDP one).
    #listen-proxy-proto = true
    
    # Limit the number of client connections to one every X milliseconds 
    # (X is the provided value). Set to zero for no limit.
    #rate-limit-ms = 100
    
    # Limit the number of identical clients (i.e., users connecting 
    # multiple times). Unset or set to zero for unlimited.
    max-same-clients = 0
    
    # TCP and UDP port number
    tcp-port = 443
    udp-port = 443
    
    # Keepalive in seconds
    keepalive = 62400
    
    # Dead peer detection in seconds.
    # Note that when the client is behind a NAT this value
    # needs to be short enough to prevent the NAT disassociating
    # his UDP session from the port number. Otherwise the client
    # could have his UDP connection stalled, for several minutes. 
    dpd = 30
    
    # Dead peer detection for mobile clients. The needs to
    # be much higher to prevent such clients being awaken too 
    # often by the DPD messages, and save battery.
    # (clients that send the X-AnyConnect-Identifier-DeviceType)
    #mobile-dpd = 1800
    
    # MTU discovery (DPD must be enabled)
    # If set, this forces all UDP packets to carry the don’t fragment
    # (DF) bit.
    try-mtu-discovery = false
    
    # The key and the certificates of the server
    # The key may be a file, or any URL supported by GnuTLS (e.g., 
    # tpmkey:uuid=xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx;storage=user
    # or pkcs11:object=my-vpn-key;object-type=private)
    #
    # There may be multiple certificate and key pairs and each key
    # should correspond to the preceding certificate.
    #server-cert = /etc/ssl/certs/server-cert.pem
    #server-key = /etc/ssl/private/server-key.pem
    
    server-cert = /root/key/allholmesian.crt
    server-key = /root/key/holmesian.key
    # Diffie-Hellman parameters. Only needed if you require support
    # for the DHE ciphersuites (by default this server supports ECDHE).
    # Can be generated using:
    # certtool --generate-dh-params --outfile /path/to/dh.pem
    #dh-params = /path/to/dh.pem
    
    # If you have a certificate from a CA that provides an OCSP
    # service you may provide a fresh OCSP status response within
    # the TLS handshake. That will prevent the client from connecting
    # independently on the OCSP server.
    # You can update this response periodically using:
    # ocsptool --ask --load-cert=your_cert --load-issuer=your_ca --outfile response
    # Make sure that you replace the following file in an atomic way.
    #ocsp-response = /path/to/ocsp.der
    
    # In case PKCS #11 or TPM keys are used the PINs should be available
    # in files. The srk-pin-file is applicable to TPM keys only, and is the 
    # storage root key.
    #pin-file = /path/to/pin.txt
    #srk-pin-file = /path/to/srkpin.txt
    
    # The Certificate Authority that will be used to verify
    # client certificates (public keys) if certificate authentication
    # is set.
    #ca-cert = /path/to/ca.pem
    ca-cert = /root/key/ca-cert.pem
    
    # The object identifier that will be used to read the user ID in the client 
    # certificate. The object identifier should be part of the certificate's DN
    # Useful OIDs are: 
    #  CN = 2.5.4.3, UID = 0.9.2342.19200300.100.1.1
    #cert-user-oid = 0.9.2342.19200300.100.1.1
    cert-user-oid = 2.5.4.3
    
    # The object identifier that will be used to read the user group in the 
    # client  certificate. The object identifier should be part of the certificate's
    # DN. Useful OIDs are: 
    #  OU (organizational unit) = 2.5.4.11 
    # cert-group-oid = 2.5.4.11
    cert-group-oid = 2.5.4.11
    
    # The revocation list of the certificates issued by the 'ca-cert' above.
    #crl = /path/to/crl.pem
    
    # GnuTLS priority string
    #tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT"
    tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-VERS-SSL3.0"
    
    # To enforce perfect forward secrecy (PFS) on the main channel.
    #tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-RSA"
    
    
    
    # The time (in seconds) that a client is allowed to stay connected prior
    # to authentication
    auth-timeout = 10
    
    # The time (in seconds) that a client is allowed to stay idle (no traffic)
    # before being disconnected. Unset to disable.
    #idle-timeout = 9900
    
    # The time (in seconds) that a mobile client is allowed to stay idle (no
    # traffic) before being disconnected. Unset to disable.
    #mobile-idle-timeout = 2400
    #mobile-idle-timeout=9999
    # The time (in seconds) that a client is not allowed to reconnect after 
    # a failed authentication attempt.
    #min-reauth-time = 120
    
    
    # Banning clients in ocserv works with a point system. IP addresses
    # that get a score over that configured number are banned for
    # min-reauth-time seconds. By default a wrong password attempt is 10 points,
    # a KKDCP POST is 1 point, and a connection is 1 point. Note that
    # due to difference processes being involved the count of points
    # will not be real-time precise.
    #
    # Score banning cannot be reliably used when receiving proxied connections
    # locally from an HTTP server (i.e., when listen-clear-file is used).
    #
    # Set to zero to disable.
    # Disabled here, so failed handshakes and connection floods from one IP are
    # never throttled. With auth = "certificate" there is no password to guess,
    # but re-enable it before ever adding a plain or pam auth line.
    max-ban-score = 0
    
    # The time (in seconds) that all score kept for a client is reset.
    ban-reset-time = 300
    
    # In case you’d like to change the default points.
    #ban-points-wrong-password = 10
    #ban-points-connection = 1
    #ban-points-kkdcp = 1
    
    # Cookie timeout (in seconds)
    # Once a client is authenticated he's provided a cookie with
    # which he can reconnect. That cookie will be invalided if not
    # used within this timeout value. On a user disconnection, that
    # cookie will also be active for this time amount prior to be
    # invalid. That should allow a reasonable amount of time for roaming
    # between different networks.
    #cookie-validity = 864000
    # cookie-timeout is the older name of this option (the sample line above
    # already calls it cookie-validity); on a release that only knows the new
    # name the line below is ignored and the default applies.
    cookie-timeout=99000
    
    # Cookie rekey time (in seconds)
    # The time after which the key used to encrypt cookies will be
    # refreshed. After this time the previous key will also be valid
    # for verification. It is recommended not to modify the default
    # value.
    #cookie-rekey-time = 99400
    
    # Whether roaming is allowed, i.e., if true a cookie is
    # restricted to a single IP address and cannot be re-used
    # from a different IP.
    deny-roaming = false
    
    # ReKey time (in seconds)
    # ocserv will ask the client to refresh keys periodically once
    # this amount of seconds is elapsed. Set to zero to disable (note
    # that, some clients fail if rekey is disabled).
    rekey-time = 992800
    
    
    # ReKey method
    # Valid options: ssl, new-tunnel
    #  ssl: Will perform an efficient rehandshake on the channel allowing
    #       a seamless connection during rekey.
    #  new-tunnel: Will instruct the client to discard and re-establish the channel.
    #       Use this option only if the connecting clients have issues with the ssl
    #       option.
    rekey-method = ssl
    
    # Script to call when a client connects and obtains an IP
    # Parameters are passed on the environment.
    # REASON, USERNAME, GROUPNAME, HOSTNAME (the hostname selected by client), 
    # DEVICE, IP_REAL (the real IP of the client), IP_LOCAL (the local IP
    # in the P-t-P connection), IP_REMOTE (the VPN IP of the client),
    # ID (a unique numeric ID); REASON may be "connect" or "disconnect".
    #connect-script = /scripts/ocserv-script
    #disconnect-script = /scripts/ocserv-script
    
    # UTMP
    use-utmp = true
    
    # Whether to enable support for the occtl tool (i.e., either through D-BUS,
    # or via a unix socket). use-dbus belongs to the older D-BUS control path;
    # current releases use use-occtl (set to false above), which is why both
    # appear here.
    #use-occtl = true
    use-dbus = false
    
    # socket file used for IPC with occtl. You only need to set that,
    # if you use more than a single servers.
    #occtl-socket-file = /var/run/occtl.socket
    
    
    # PID file. It can be overriden in the command line.
    pid-file = /var/run/ocserv.pid
    
    # The default server directory. Does not require any devices present.
    #chroot-dir = /path/to/chroot
    
    # socket file used for IPC, will be appended with .PID
    # It must be accessible within the chroot environment (if any)
    socket-file = /var/run/ocserv-socket
    
    # The user the worker processes will be run as. It should be
    # unique (no other services run as this user).
    # The account must exist before ocserv starts; a source build does not
    # create it (useradd -r -s /sbin/nologin ocserv). Using the shared
    # "daemon" group is only harmless as long as no other service grants
    # rights to that group.
    #run-as-user = nobody
    run-as-user = ocserv
    run-as-group = daemon
    
    # Set the protocol-defined priority (SO_PRIORITY) for packets to
    # be sent. That is a number from 0 to 6 with 0 being the lowest
    # priority. Alternatively this can be used to set the IP Type-
    # Of-Service, by setting it to a hexadecimal number (e.g., 0x20).
    # This can be set per user/group or globally.
    #net-priority = 5
    
    # Set the VPN worker process into a specific cgroup. This is Linux
    # specific and can be set per user/group or globally.
    #cgroup = "cpuset,cpu:test"
    
    #
    # Network settings
    #
    
    # The name of the tun device
    device = vpns
    #device = tun
    # Whether the generated IPs will be predictable, i.e., IP stays the
    # same for the same user when possible.
    #predictable-ips = false
    predictable-ips = true
    
    # The default domain to be advertised
    #default-domain = h.holmesian.org
    #default-domain = example.com
    
    # The pool of addresses that leases will be given from.
    ipv4-network = 10.168.0.0
    ipv4-netmask = 255.255.255.0
    
    # The advertized DNS server. Use multiple lines for
    # multiple servers.
    # 10.168.0.1 is the server's own end of the VPN pool, so a resolver (the
    # unbound built above) has to listen on that address; otherwise clients
    # fall back to 223.5.5.5 (AliDNS) and their queries are answered by a
    # resolver inside China.
    # dns = fc00::4be0
    #dns = 2620:0:ccc::2
    dns = 10.168.0.1
    #dns = 172.16.86.33
    #dns = 61.235.0.228
    #dns = 2620:0:ccd::2
    #dns=121.41.90.204
    #dns = 8.8.8.8
    #dns = 208.67.222.222
    dns = 223.5.5.5
    
    # The NBNS server (if any)
    #nbns = 192.168.1.3
    
    # The IPv6 subnet that leases will be given from.
    #ipv6-network = fda9:4efe:7e3b:03ea::/48
    
    # Specify the size of the network to provide to clients. It is
    # generally recommended to provide clients with a /64 network in
    # IPv6, but any subnet may be specified. To provide clients only
    # with a single IP use the prefix 128.
    #ipv6-subnet-prefix = 128
    #ipv6-subnet-prefix = 64
    
    # Whether to tunnel all DNS queries via the VPN. This is the default
    # when a default route is set.
    #tunnel-all-dns = true
    
    
    # The domains over which the provided DNS should be used. Use
    # multiple lines for multiple domains.
    #split-dns = example.com
    
    # Prior to leasing any IP from the pool ping it to verify that
    # it is not in use by another (unrelated to this server) host.
    ping-leases = false
    
    # Unset to assign the default MTU of the device
    # mtu = 
    
    # Unset to enable bandwidth restrictions (in bytes/sec). The
    # setting here is global, but can also be set per user or per group.
    #rx-data-per-sec = 40000
    #tx-data-per-sec = 40000
    
    # The number of packets (of MTU size) that are available in
    # the output buffer. The default is low to improve latency.
    # Setting it higher will improve throughput.
    #output-buffer = 10
    output-buffer = 1500
    
    # Routes to be forwarded to the client. If you need the
    # client to forward routes to the server, you may use the 
    # config-per-user/group or even connect and disconnect scripts.
    #
    # To set the server as the default gateway for the client just
    # comment out all routes from the server.
    #route = 192.168.1.0/255.255.255.0
    #route = 192.168.5.0/255.255.255.0
    #route = fef4:db8:1000:1001::/64
    
    
    # Configuration files that will be applied per user connection or
    # per group. Each file name on these directories must match the username
    # or the groupname.
    # The options allowed in the configuration files are dns, nbns,
    #  ipv?-network, ipv4-netmask, ipv6-prefix, rx/tx-per-sec, iroute, route,
    #  net-priority and cgroup.
    #
    # Note that the 'iroute' option allows to add routes on the server
    # based on a user or group. The syntax depends on the input accepted
    # by the commands route-add-cmd and route-del-cmd (see below).
    
    #config-per-user = /etc/ocserv/config-per-user/
    #config-per-group = /etc/ocserv/config-per-group/
    
    # When config-per-xxx is specified and there is no group or user that
    # matches, then utilize the following configuration.
    
    #default-user-config = /etc/ocserv/defaults/user.conf
    #default-group-config = /etc/ocserv/defaults/group.conf
    
    # Groups that a client is allowed to select from.
    # A client may belong in multiple groups, and in certain use-cases
    # it is needed to switch between them. For these cases the client can
    # select prior to authentication. Add multiple entries for multiple groups.
    #select-group = group1
    #select-group = group2[My group 2]
    #select-group = tost[The tost group]
    
    # The name of the group that if selected it would allow to use
    # the assigned by default group.
    #default-select-group = DEFAULT
    
    # Instead of specifying manually all the allowed groups, you may instruct
    # ocserv to scan all available groups and include the full list. That
    # option is only functional on plain authentication.
    #auto-select-group = true
    
    # The system command to use to setup a route. %{R} will be replaced with the
    # route/mask and %{D} with the (tun) device.
    #
    # The following example is from linux systems. %{R} should be something
    # like 192.168.2.0/24
    
    #route-add-cmd = "ip route add %{R} dev %{D}"
    #route-del-cmd = "ip route delete %{R} dev %{D}"
    
    # This option allows to forward a proxy. The special strings '%{U}'
    # and '%{G}', if present will be replaced by the username and group name.
    #proxy-url = http://example.com/
    #proxy-url = http://example.com/%{U}/%{G}/hello
    
    #
    # The following options are for (experimental) AnyConnect client 
    # compatibility. 
    
    # Client profile xml. A sample file exists in doc/profile.xml.
    # This file must be accessible from inside the worker's chroot. 
    # It is not used by the openconnect client.
    #user-profile = profile.xml
    user-profile = /etc/ocserv/profile.xml
    
    # Binary files that may be downloaded by the CISCO client. Must
    # be within any chroot environment.
    #binary-files = /path/to/binaries
    
    # Unless set to false it is required for clients to present their
    # certificate even if they are authenticating via a previously granted
    # cookie and complete their authentication in the same TCP connection.
    # Legacy CISCO clients do not do that, and thus this option should be 
    # set for them.
    #cisco-client-compat = false
    cisco-client-compat = true
    #Advanced options
    
    
    # Uncomment this to enable compression negotiation.
    # Compression runs on the plaintext before it is encrypted, so packet sizes
    # then depend on content an attacker may partly control (the CRIME/VORACLE
    # class of leak). It is on here because of the slow line this server sits
    # behind; leave it off where that trade-off does not apply.
    compression = true
    #compression = false
    # Set the minimum size under which a packet will not be compressed.
    # That is to allow low-latency for VoIP packets. The default size
    # is 256 bytes. Modify it if the clients typically use compression
    # as well of VoIP with codecs that exceed the default value.
    no-compress-limit = 512
    
    
    # Option to allow sending arbitrary custom headers to the client after
    # authentication and prior to VPN tunnel establishment.
    #custom-header = "X-My-Header: hi there"
    #custom-header = "X-DTLS-MTU: 1200"
    #custom-header = "X-CSTP-MTU: 1200"
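
The configuration above relies on auth = "certificate", ca-cert, server-cert/server-key, cert-user-oid (CN) and cert-group-oid (OU), but the post does not show how those files are made. The script below is an added example, not part of the original post: it builds a private CA, a server certificate and one client certificate whose CN is the ocserv username and whose OU is the group, and wraps the client credentials into a PKCS#12 bundle for the iPhone AnyConnect client. The ocserv manual does this with GnuTLS certtool; openssl is used here and produces equivalent PEM files. The hostname, username, group name, output directory and the export password are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original post. Builds the PKI that the
# ocserv.conf above expects: ca-cert (verifies clients), server-cert/key,
# and one client cert whose CN is the ocserv username and whose OU is the
# group (cert-user-oid = 2.5.4.3, cert-group-oid = 2.5.4.11).
# Hostname, user, group, paths and the export password are assumptions.
set -eu

# make_vpn_pki <outdir> <server-hostname> <username> <groupname>
make_vpn_pki() {
    out="$1"; host="$2"; user="$3"; group="$4"
    mkdir -p "$out" && chmod 700 "$out"

    # 1. Private CA. Its key signs every client cert, so it is what an
    #    attacker wants; move it off the VPN host once the certs exist.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/CN=VPN CA" \
        -keyout "$out/ca-key.pem" -out "$out/ca-cert.pem" 2>/dev/null

    # 2. Server cert with a SAN, otherwise AnyConnect warns on hostname mismatch.
    openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=$host" \
        -keyout "$out/server-key.pem" -out "$out/server.csr" 2>/dev/null
    printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$host" \
        > "$out/server.ext"
    openssl x509 -req -sha256 -days 825 -in "$out/server.csr" \
        -CA "$out/ca-cert.pem" -CAkey "$out/ca-key.pem" -CAcreateserial \
        -extfile "$out/server.ext" -out "$out/server-cert.pem" 2>/dev/null

    # 3. Client cert: CN -> username, OU -> group, exactly as ocserv reads them.
    openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=$user/OU=$group" \
        -keyout "$out/$user-key.pem" -out "$out/$user.csr" 2>/dev/null
    printf 'extendedKeyUsage=clientAuth\n' > "$out/client.ext"
    openssl x509 -req -sha256 -days 365 -in "$out/$user.csr" \
        -CA "$out/ca-cert.pem" -CAkey "$out/ca-key.pem" -CAcreateserial \
        -extfile "$out/client.ext" -out "$out/$user-cert.pem" 2>/dev/null

    # 4. PKCS#12 bundle for the iPhone AnyConnect client. "changeit" is a
    #    placeholder: use a real export password and delete the .p12 after import.
    openssl pkcs12 -export -inkey "$out/$user-key.pem" -in "$out/$user-cert.pem" \
        -certfile "$out/ca-cert.pem" -name "$user" -passout pass:changeit \
        -out "$out/$user.p12"

    chmod 600 "$out"/*-key.pem "$out/$user.p12"
}

# cert_subject_field <cert.pem> <CN|OU>: the value ocserv will map to the
# username (CN) or the group (OU). Check it before handing a cert out.
cert_subject_field() {
    openssl x509 -noout -subject -nameopt sep_multiline,sname -in "$1" \
        | sed -n "s/^ *$2=//p"
}

# verify_against_ca <ca-cert.pem> <cert.pem>: the chain check ocserv performs
# with ca-cert; a certificate from any other issuer must fail here.
verify_against_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}
```

Point ca-cert, server-cert and server-key in ocserv.conf at the generated files, and verify each client cert with cert_subject_field before issuing it: whatever the CN says is the username ocserv will log and apply config-per-user to. Revoking a lost phone means publishing a CRL through the crl option; regenerate it whenever a client cert is withdrawn. With OpenSSL 3 the pkcs12 default encryption may not import on older iOS versions, in which case add -legacy to the pkcs12 command.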

System settings

To start at boot, create /etc/systemd/system/ocserv.service with the following. This applies to CentOS 7; CentOS 6 has no systemd and needs a SysV init script instead. The path is the one used by the source build (the EPEL package installs /usr/sbin/ocserv and ships its own unit file, so skip this step there). ocserv is run in the foreground (-f) so systemd supervises the real process, and a reload is a SIGHUP, which makes ocserv re-read its configuration, rather than a killall:

    [Unit]
    Description=ocserv startup
    After=network-online.target
     
    [Service]
    Type=simple
    ExecStart=/usr/local/sbin/ocserv -f -c /etc/ocserv/ocserv.conf
    ExecReload=/bin/kill -HUP $MAINPID
    PrivateTmp=true
     
    [Install]
    WantedBy=multi-user.target

Reload systemd, enable the service at boot and start it:

    systemctl daemon-reload
    systemctl enable ocserv
    systemctl start ocserv

Allow forwarding by adding the following to /etc/sysctl.conf, then run sysctl -p so it takes effect without a reboot:

    net.ipv4.ip_forward = 1

Enable NAT and have iptables clamp the TCP MSS to the path MTU. Limit the MASQUERADE rule to the VPN pool (10.168.0.0/24 from the configuration above) rather than NATing every packet that leaves the host. On CentOS 7, service iptables save needs the iptables-services package:

    iptables -t nat -A POSTROUTING -s 10.168.0.0/24 -j MASQUERADE
    iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
    service iptables save
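
As an added example (not from the original post), the host-side steps of this section collected into one script: the service account that run-as-user/run-as-group refer to, persistent IP forwarding, and a firewall policy emitted as an iptables-restore ruleset. Unlike the two commands above, the policy NATs only the VPN pool out of the public interface, defaults FORWARD to DROP, and lets tunnel clients reach nothing on the server except the DNS resolver at 10.168.0.1. The interface name eth0, SSH on port 22 and the file paths are assumptions; the pool, the vpns device prefix and port 443 come from the configuration above.

```shell
#!/bin/sh
# Added example, not part of the original post. Host-side setup for the
# ocserv.conf above: service user, IP forwarding, and a firewall policy.
# Assumptions: VPN pool 10.168.0.0/24 (ipv4-network above), public
# interface eth0, ocserv on 443/tcp+udp, SSH on 22/tcp.
set -eu

# create_service_user: ocserv.conf sets run-as-user = ocserv; the workers drop
# to this account, so it must exist and must be usable by nothing else.
create_service_user() {
    id ocserv >/dev/null 2>&1 || \
        useradd -r -s /sbin/nologin -d /var/lib/ocserv -M ocserv
}

# enable_forwarding: a drop-in under /etc/sysctl.d survives edits to
# /etc/sysctl.conf and is applied immediately with sysctl -p.
enable_forwarding() {
    printf 'net.ipv4.ip_forward = 1\n' > /etc/sysctl.d/90-ocserv.conf
    sysctl -p /etc/sysctl.d/90-ocserv.conf
}

# vpn_firewall_rules <vpn_cidr> <wan_if> <vpn_port>: print a complete
# iptables-restore ruleset on stdout. Compared with the two-line version:
#   - MASQUERADE only the VPN pool and only out of the public interface, so
#     a forwarding mistake cannot turn the host into an open NAT;
#   - FORWARD defaults to DROP: only vpns+ -> wan (and replies) passes, which
#     also keeps clients from reaching each other through the server;
#   - from the tunnel, clients may only use the resolver on the server
#     (dns = 10.168.0.1 above), not SSH or anything else listening locally;
#   - the MSS clamp sits first so every SYN/SYN-ACK is adjusted before ACCEPT.
vpn_firewall_rules() {
    cidr="$1"; wan="$2"; port="$3"
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s $cidr -o $wan -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i $wan -p tcp --dport 22 -j ACCEPT
-A INPUT -i $wan -p tcp --dport $port -j ACCEPT
-A INPUT -i $wan -p udp --dport $port -j ACCEPT
-A INPUT -i vpns+ -s $cidr -p udp --dport 53 -j ACCEPT
-A INPUT -i vpns+ -s $cidr -p tcp --dport 53 -j ACCEPT
-A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i vpns+ -o $wan -s $cidr -j ACCEPT
COMMIT
EOF
}

# apply_vpn_firewall <vpn_cidr> <wan_if> <vpn_port>: load the ruleset in one
# transaction (iptables-restore swaps the tables atomically) and persist it.
# "service iptables save" needs the iptables-services package on CentOS 7,
# with firewalld disabled so the two do not fight over the tables.
apply_vpn_firewall() {
    vpn_firewall_rules "$@" | iptables-restore
    service iptables save
}
```

Usage on the host: create_service_user, enable_forwarding, then apply_vpn_firewall 10.168.0.0/24 eth0 443. Check the interface name with ip link first: because INPUT defaults to DROP, a wrong value for wan_if locks you out of SSH as soon as the ruleset loads (the ESTABLISHED rule keeps the current session alive, which gives you a chance to roll back with the previous saved rules).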
