Configuring ocserv on a Linode CentOS VPS

Note: this article was last updated 2262 days ago; the information in it may have changed, so use it as a reference only.

I recently found that packet loss on Vultr's Japan route over China Telecom is staggering, and the experience keeps getting worse. With no better option I am going to shut down the Vultr Japan VPS and move to Linode's Singapore node. Word on the street is that domestic "all-in-one" suites such as 360 combined with PPTP speed up the demise of a proxy, so I plan to drop PPTP support and keep only ss, the reverse proxy and AnyConnect. Without a jailbreak, AnyConnect is probably the best tool for an iPhone; from now on anyone running those domestic suites gets no shared account.


Installing from a third-party repository

Adding the EPEL repository

EPEL (Extra Packages for Enterprise Linux) is a repository project maintained by the Fedora group that provides packages for RHEL/CentOS that they do not ship by default. EPEL already carries ocserv for CentOS 6/7.

First download the EPEL release package for your version (CentOS 6 here) and install it:

    wget http://download.fedoraproject.org/pub/epel/6/i386/epel-release-6-8.noarch.rpm
    sudo rpm -ivh epel-release-6-8.noarch.rpm

Installing ocserv

Run an update, then install ocserv directly:

    yum -y update
    yum install ocserv -y

Once it installs successfully, skip ahead to the configuration section.


Building from source

Prepare the build environment:

    yum install expat-devel autoconf automake gcc libtasn1-devel zlib zlib-devel trousers trousers-devel gmp-devel gmp xz texinfo libnl-devel libnl tcp_wrappers-libs tcp_wrappers-devel tcp_wrappers dbus dbus-devel ncurses-devel pam-devel readline-devel bison bison-devel flex gcc automake autoconf wget

Install nettle

    wget http://ftp.gnu.org/gnu/nettle/nettle-2.7.1.tar.gz
    tar zxf nettle-2.7.1.tar.gz && cd nettle-2.7.1
    ./configure --prefix=/usr
    make && make install
    ldconfig 

Install unbound

    wget http://unbound.nlnetlabs.nl/downloads/unbound-1.4.22.tar.gz
    tar zxf unbound-1.4.22.tar.gz && cd unbound-1.4.22
    ./configure --prefix=/usr && make && make install
    mkdir -p /etc/unbound && unbound-anchor -a "/etc/unbound/root.key"

Install gnutls

    wget ftp://ftp.gnutls.org/gcrypt/gnutls/v3.2/gnutls-3.2.12.1.tar.xz
    xz -c -d gnutls-3.2.12.1.tar.xz | tar x
    cd gnutls-3.2.12.1
    ./configure --prefix=/usr
    make && make install
    ldconfig

Install libnl:

    wget http://www.carisma.slowglass.com/~tgr/libnl/files/libnl-3.2.24.tar.gz
    tar xvf libnl-3.2.24.tar.gz
    cd libnl-3.2.24
    ./configure --prefix=/usr
    make && make install
    ldconfig

Install libev

    git clone https://github.com/enki/libev.git
    cd libev
    ./configure --prefix=/usr
    make && make install
    ldconfig

Install ocserv

    wget ftp://ftp.infradead.org/pub/ocserv/ocserv-0.8.9.tar.xz
    tar xvf ocserv-0.8.9.tar.xz
    cd ocserv-0.8.9
    ./configure && make && make install

On an ARM platform you need to run ./configure --disable-seccomp; otherwise libseccomp causes the build to fail with "Makefile:1459: recipe for target 'worker-privs.o' failed".

Also, if nettle and gnutls were installed under /usr/local, set the following variables before running ./configure:

    export LIBNETTLE_CFLAGS="-I/usr/local/include/" LIBNETTLE_LIBS="-L/usr/local/lib/" LIBGNUTLS_CFLAGS="-I/usr/local/include/" LIBGNUTLS_LIBS="-L/usr/local/lib/"

Common problems

When you hit "No package 'gnutls' found", run the following so the build can locate the gnutls package:

    export LIBGNUTLS_CFLAGS="-I/usr/include" LIBGNUTLS_LIBS="-L/usr/lib64 -lgnutls"

If you get errors such as "protobuf-c/protobuf-c.h not found", remove the protobuf and protobuf-devel packages that were installed via yum:

    yum remove protobuf

If you still run into strange problems along the way, update aclocal, automake and autoconf by hand; the versions in yum are a bit old.

    yum remove aclocal automake autoconf -y
    wget http://ftp.gnu.org/gnu/autoconf/autoconf-latest.tar.gz
    tar -zxvf autoconf-latest.tar.gz
    cd autoconf-<version>    # adjust to the name of the extracted directory
    ./configure --prefix=/usr
    make && make install
    cd ..
     
    wget http://ftp.gnu.org/gnu/automake/automake-1.15.tar.xz
    tar -Jxvf automake-1.15.tar.xz
    cd automake-1.15
    ./configure --prefix=/usr
    make && make install
    cd ..
     
    wget http://gnu.mirrors.hoobly.com/gnu/libtool/libtool-2.4.6.tar.xz
    tar -Jxvf libtool-2.4.6.tar.xz
    cd libtool-2.4.6
    ./configure --prefix=/usr
    make && make install
    cd ..

Configuring ocserv

Reference: http://www.infradead.org/ocserv/manual.html#heading5

My configuration file is pasted below for reference; it enables certificate authentication, turns on compression and tunes the output buffer.

    # User authentication method. Could be set multiple times and in that case
    # all should succeed.
    # Options: certificate, pam. 
    auth = "certificate"
    #auth = "plain[./sample.passwd]"
    #auth = "plain[/etc/ocserv/ocpasswd]"
    #auth = "pam"
    
    # The gid-min option is used by auto-select-group option, in order to
    # select the minimum group ID.
    #auth = "pam[gid-min=1000]"
    
    
    # Whether to enable support for the occtl tool (i.e., either through D-BUS,
    # or via a unix socket).
    use-occtl = false
    
    
    # The plain option requires specifying a password file which contains
    # entries of the following format.
    # "username:groupname:encoded-password"
    # One entry must be listed per line, and 'ocpasswd' can be used
    # to generate password entries.
    #auth = "plain[/etc/ocserv/ocpasswd]"
    
    # Whether to enable seccomp worker isolation. That restricts the number of 
    # system calls allowed to a worker process, in order to reduce damage from a
    # bug in the worker process. It is available on Linux systems at a performance cost.
    use-seccomp = false
    isolate-workers=false
    
    # A banner to be displayed on clients
    banner = "The server is located in Nanchang,Note that domestic traffic is not encrypted.  By Holmesian"
    
    # Use listen-host to limit to specific IPs or to the IPs of a provided 
    # hostname.
    #listen-host = [IP|HOSTNAME]
    
    # Limit the number of clients. Unset or set to zero for unlimited.
    #max-clients = 1024
    max-clients = 128
    
    # When the server receives connections from a proxy, like haproxy
    # which supports the proxy protocol, set this to obtain the correct
    # client addresses. The proxy protocol (v2) would then be expected in
    # the TCP or UNIX socket (not the UDP one).
    #listen-proxy-proto = true
    
    # Limit the number of client connections to one every X milliseconds 
    # (X is the provided value). Set to zero for no limit.
    #rate-limit-ms = 100
    
    # Limit the number of identical clients (i.e., users connecting 
    # multiple times). Unset or set to zero for unlimited.
    max-same-clients = 0
    
    # TCP and UDP port number
    tcp-port = 443
    udp-port = 443
    
    # Keepalive in seconds
    keepalive = 62400
    
    # Dead peer detection in seconds.
    # Note that when the client is behind a NAT this value
    # needs to be short enough to prevent the NAT disassociating
    # his UDP session from the port number. Otherwise the client
    # could have his UDP connection stalled, for several minutes. 
    dpd = 30
    
    # Dead peer detection for mobile clients. The needs to
    # be much higher to prevent such clients being awaken too 
    # often by the DPD messages, and save battery.
    # (clients that send the X-AnyConnect-Identifier-DeviceType)
    #mobile-dpd = 1800
    
    # MTU discovery (DPD must be enabled)
    # If set, this forces all UDP packets to carry the don’t fragment
    # (DF) bit.
    try-mtu-discovery = false
    
    # The key and the certificates of the server
    # The key may be a file, or any URL supported by GnuTLS (e.g., 
    # tpmkey:uuid=xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx;storage=user
    # or pkcs11:object=my-vpn-key;object-type=private)
    #
    # There may be multiple certificate and key pairs and each key
    # should correspond to the preceding certificate.
    #server-cert = /etc/ssl/certs/server-cert.pem
    #server-key = /etc/ssl/private/server-key.pem
    
    server-cert = /root/key/allholmesian.crt
    server-key = /root/key/holmesian.key
    # Diffie-Hellman parameters. Only needed if you require support
    # for the DHE ciphersuites (by default this server supports ECDHE).
    # Can be generated using:
    # certtool --generate-dh-params --outfile /path/to/dh.pem
    #dh-params = /path/to/dh.pem
    
    # If you have a certificate from a CA that provides an OCSP
    # service you may provide a fresh OCSP status response within
    # the TLS handshake. That will prevent the client from connecting
    # independently on the OCSP server.
    # You can update this response periodically using:
    # ocsptool --ask --load-cert=your_cert --load-issuer=your_ca --outfile response
    # Make sure that you replace the following file in an atomic way.
    #ocsp-response = /path/to/ocsp.der
    
    # In case PKCS #11 or TPM keys are used the PINs should be available
    # in files. The srk-pin-file is applicable to TPM keys only, and is the 
    # storage root key.
    #pin-file = /path/to/pin.txt
    #srk-pin-file = /path/to/srkpin.txt
    
    # The Certificate Authority that will be used to verify
    # client certificates (public keys) if certificate authentication
    # is set.
    #ca-cert = /path/to/ca.pem
    ca-cert = /root/key/ca-cert.pem
    
    # The object identifier that will be used to read the user ID in the client 
    # certificate. The object identifier should be part of the certificate's DN
    # Useful OIDs are: 
    #  CN = 2.5.4.3, UID = 0.9.2342.19200300.100.1.1
    #cert-user-oid = 0.9.2342.19200300.100.1.1
    cert-user-oid = 2.5.4.3
    
    # The object identifier that will be used to read the user group in the 
    # client  certificate. The object identifier should be part of the certificate's
    # DN. Useful OIDs are: 
    #  OU (organizational unit) = 2.5.4.11 
    # cert-group-oid = 2.5.4.11
    cert-group-oid = 2.5.4.11
    
    # The revocation list of the certificates issued by the 'ca-cert' above.
    #crl = /path/to/crl.pem
    
    # GnuTLS priority string
    #tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT"
    tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-VERS-SSL3.0"
    
    # To enforce perfect forward secrecy (PFS) on the main channel.
    #tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-RSA"
    
    
    
    # The time (in seconds) that a client is allowed to stay connected prior
    # to authentication
    auth-timeout = 10
    
    # The time (in seconds) that a client is allowed to stay idle (no traffic)
    # before being disconnected. Unset to disable.
    #idle-timeout = 9900
    
    # The time (in seconds) that a mobile client is allowed to stay idle (no
    # traffic) before being disconnected. Unset to disable.
    #mobile-idle-timeout = 2400
    #mobile-idle-timeout=9999
    # The time (in seconds) that a client is not allowed to reconnect after 
    # a failed authentication attempt.
    #min-reauth-time = 120
    
    
    # Banning clients in ocserv works with a point system. IP addresses
    # that get a score over that configured number are banned for
    # min-reauth-time seconds. By default a wrong password attempt is 10 points,
    # a KKDCP POST is 1 point, and a connection is 1 point. Note that
    # due to difference processes being involved the count of points
    # will not be real-time precise.
    #
    # Score banning cannot be reliably used when receiving proxied connections
    # locally from an HTTP server (i.e., when listen-clear-file is used).
    #
    # Set to zero to disable.
    max-ban-score = 0
    
    # The time (in seconds) that all score kept for a client is reset.
    ban-reset-time = 300
    
    # In case you’d like to change the default points.
    #ban-points-wrong-password = 10
    #ban-points-connection = 1
    #ban-points-kkdcp = 1
    
    # Cookie timeout (in seconds)
    # Once a client is authenticated he's provided a cookie with
    # which he can reconnect. That cookie will be invalided if not
    # used within this timeout value. On a user disconnection, that
    # cookie will also be active for this time amount prior to be
    # invalid. That should allow a reasonable amount of time for roaming
    # between different networks.
    #cookie-validity = 864000
    cookie-timeout=99000
    
    # Cookie rekey time (in seconds)
    # The time after which the key used to encrypt cookies will be
    # refreshed. After this time the previous key will also be valid
    # for verification. It is recommended not to modify the default
    # value.
    #cookie-rekey-time = 99400
    
    # Whether roaming is allowed, i.e., if true a cookie is
    # restricted to a single IP address and cannot be re-used
    # from a different IP.
    deny-roaming = false
    
    # ReKey time (in seconds)
    # ocserv will ask the client to refresh keys periodically once
    # this amount of seconds is elapsed. Set to zero to disable (note
    # that, some clients fail if rekey is disabled).
    rekey-time = 992800
    
    
    # ReKey method
    # Valid options: ssl, new-tunnel
    #  ssl: Will perform an efficient rehandshake on the channel allowing
    #       a seamless connection during rekey.
    #  new-tunnel: Will instruct the client to discard and re-establish the channel.
    #       Use this option only if the connecting clients have issues with the ssl
    #       option.
    rekey-method = ssl
    
    # Script to call when a client connects and obtains an IP
    # Parameters are passed on the environment.
    # REASON, USERNAME, GROUPNAME, HOSTNAME (the hostname selected by client), 
    # DEVICE, IP_REAL (the real IP of the client), IP_LOCAL (the local IP
    # in the P-t-P connection), IP_REMOTE (the VPN IP of the client),
    # ID (a unique numeric ID); REASON may be "connect" or "disconnect".
    #connect-script = /scripts/ocserv-script
    #disconnect-script = /scripts/ocserv-script
    
    # UTMP
    use-utmp = true
    
    # Whether to enable support for the occtl tool (i.e., either through D-BUS,
    # or via a unix socket).
    #use-occtl = true
    use-dbus = false
    
    # socket file used for IPC with occtl. You only need to set that,
    # if you use more than a single servers.
    #occtl-socket-file = /var/run/occtl.socket
    
    
    # PID file. It can be overriden in the command line.
    pid-file = /var/run/ocserv.pid
    
    # The default server directory. Does not require any devices present.
    #chroot-dir = /path/to/chroot
    
    # socket file used for IPC, will be appended with .PID
    # It must be accessible within the chroot environment (if any)
    socket-file = /var/run/ocserv-socket
    
    # The user the worker processes will be run as. It should be
    # unique (no other services run as this user).
    #run-as-user = nobody
    run-as-user = ocserv
    run-as-group = daemon
    
    # Set the protocol-defined priority (SO_PRIORITY) for packets to
    # be sent. That is a number from 0 to 6 with 0 being the lowest
    # priority. Alternatively this can be used to set the IP Type-
    # Of-Service, by setting it to a hexadecimal number (e.g., 0x20).
    # This can be set per user/group or globally.
    #net-priority = 5
    
    # Set the VPN worker process into a specific cgroup. This is Linux
    # specific and can be set per user/group or globally.
    #cgroup = "cpuset,cpu:test"
    
    #
    # Network settings
    #
    
    # The name of the tun device
    device = vpns
    #device = tun
    # Whether the generated IPs will be predictable, i.e., IP stays the
    # same for the same user when possible.
    #predictable-ips = false
    predictable-ips = true
    
    # The default domain to be advertised
    #default-domain = h.holmesian.org
    #default-domain = example.com
    
    # The pool of addresses that leases will be given from.
    ipv4-network = 10.168.0.0
    ipv4-netmask = 255.255.255.0
    
    # The advertized DNS server. Use multiple lines for
    # multiple servers.
    # dns = fc00::4be0
    #dns = 2620:0:ccc::2
    dns = 10.168.0.1
    #dns = 172.16.86.33
    #dns = 61.235.0.228
    #dns = 2620:0:ccd::2
    #dns=121.41.90.204
    #dns = 8.8.8.8
    #dns = 208.67.222.222
    dns = 223.5.5.5
    
    # The NBNS server (if any)
    #nbns = 192.168.1.3
    
    # The IPv6 subnet that leases will be given from.
    #ipv6-network = fda9:4efe:7e3b:03ea::/48
    
    # Specify the size of the network to provide to clients. It is
    # generally recommended to provide clients with a /64 network in
    # IPv6, but any subnet may be specified. To provide clients only
    # with a single IP use the prefix 128.
    #ipv6-subnet-prefix = 128
    #ipv6-subnet-prefix = 64
    
    # Whether to tunnel all DNS queries via the VPN. This is the default
    # when a default route is set.
    #tunnel-all-dns = true
    
    
    # The domains over which the provided DNS should be used. Use
    # multiple lines for multiple domains.
    #split-dns = example.com
    
    # Prior to leasing any IP from the pool ping it to verify that
    # it is not in use by another (unrelated to this server) host.
    ping-leases = false
    
    # Unset to assign the default MTU of the device
    # mtu = 
    
    # Unset to enable bandwidth restrictions (in bytes/sec). The
    # setting here is global, but can also be set per user or per group.
    #rx-data-per-sec = 40000
    #tx-data-per-sec = 40000
    
    # The number of packets (of MTU size) that are available in
    # the output buffer. The default is low to improve latency.
    # Setting it higher will improve throughput.
    #output-buffer = 10
    output-buffer = 1500
    
    # Routes to be forwarded to the client. If you need the
    # client to forward routes to the server, you may use the 
    # config-per-user/group or even connect and disconnect scripts.
    #
    # To set the server as the default gateway for the client just
    # comment out all routes from the server.
    #route = 192.168.1.0/255.255.255.0
    #route = 192.168.5.0/255.255.255.0
    #route = fef4:db8:1000:1001::/64
    
    
    # Configuration files that will be applied per user connection or
    # per group. Each file name on these directories must match the username
    # or the groupname.
    # The options allowed in the configuration files are dns, nbns,
    #  ipv?-network, ipv4-netmask, ipv6-prefix, rx/tx-per-sec, iroute, route,
    #  net-priority and cgroup.
    #
    # Note that the 'iroute' option allows to add routes on the server
    # based on a user or group. The syntax depends on the input accepted
    # by the commands route-add-cmd and route-del-cmd (see below).
    
    #config-per-user = /etc/ocserv/config-per-user/
    #config-per-group = /etc/ocserv/config-per-group/
    
    # When config-per-xxx is specified and there is no group or user that
    # matches, then utilize the following configuration.
    
    #default-user-config = /etc/ocserv/defaults/user.conf
    #default-group-config = /etc/ocserv/defaults/group.conf
    
    # Groups that a client is allowed to select from.
    # A client may belong in multiple groups, and in certain use-cases
    # it is needed to switch between them. For these cases the client can
    # select prior to authentication. Add multiple entries for multiple groups.
    #select-group = group1
    #select-group = group2[My group 2]
    #select-group = tost[The tost group]
    
    # The name of the group that if selected it would allow to use
    # the assigned by default group.
    #default-select-group = DEFAULT
    
    # Instead of specifying manually all the allowed groups, you may instruct
    # ocserv to scan all available groups and include the full list. That
    # option is only functional on plain authentication.
    #auto-select-group = true
    
    # The system command to use to setup a route. %{R} will be replaced with the
    # route/mask and %{D} with the (tun) device.
    #
    # The following example is from linux systems. %{R} should be something
    # like 192.168.2.0/24
    
    #route-add-cmd = "ip route add %{R} dev %{D}"
    #route-del-cmd = "ip route delete %{R} dev %{D}"
    
    # This option allows to forward a proxy. The special strings '%{U}'
    # and '%{G}', if present will be replaced by the username and group name.
    #proxy-url = http://example.com/
    #proxy-url = http://example.com/%{U}/%{G}/hello
    
    #
    # The following options are for (experimental) AnyConnect client 
    # compatibility. 
    
    # Client profile xml. A sample file exists in doc/profile.xml.
    # This file must be accessible from inside the worker's chroot. 
    # It is not used by the openconnect client.
    #user-profile = profile.xml
    user-profile = /etc/ocserv/profile.xml
    
    # Binary files that may be downloaded by the CISCO client. Must
    # be within any chroot environment.
    #binary-files = /path/to/binaries
    
    # Unless set to false it is required for clients to present their
    # certificate even if they are authenticating via a previously granted
    # cookie and complete their authentication in the same TCP connection.
    # Legacy CISCO clients do not do that, and thus this option should be 
    # set for them.
    #cisco-client-compat = false
    cisco-client-compat = true
    #Advanced options
    
    
    # Uncomment this to enable compression negotiation.
    compression = true
    #compression = false
    # Set the minimum size under which a packet will not be compressed.
    # That is to allow low-latency for VoIP packets. The default size
    # is 256 bytes. Modify it if the clients typically use compression
    # as well of VoIP with codecs that exceed the default value.
    no-compress-limit = 512
    
    
    # Option to allow sending arbitrary custom headers to the client after
    # authentication and prior to VPN tunnel establishment.
    #custom-header = "X-My-Header: hi there"
    #custom-header = "X-DTLS-MTU: 1200"
    #custom-header = "X-CSTP-MTU: 1200"
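
The config above authenticates with client certificates, reads the username from CN (cert-user-oid = 2.5.4.3) and the group from OU (cert-group-oid = 2.5.4.11), but the post does not show how those certificates are made. The script below is an added example, not part of the original post: it builds the CA, the server pair named in the config, and per-user client certificates plus a PKCS#12 bundle for AnyConnect. It assumes GnuTLS certtool is installed, KEYDIR matches the server-cert/server-key/ca-cert paths above, and the server hostname is passed by the caller; certtool prompts for the PKCS#12 password interactively.

```shell
#!/bin/sh
# Added example (not the original post's code): certificate material for ocserv's
# "certificate" auth. Assumes certtool (GnuTLS) is on PATH and KEYDIR matches the
# server-cert / server-key / ca-cert entries of the config above.
KEYDIR="${KEYDIR:-/root/key}"

# certtool template for the private CA that signs every client certificate.
ca_template() {
  printf 'cn = "%s"\nca\ncert_signing_key\ncrl_signing_key\nserial = 1\nexpiration_days = 3650\n' "$1"
}

# Server template: CN and dns_name must be the hostname clients connect to,
# otherwise AnyConnect refuses the certificate.
server_template() {
  printf 'cn = "%s"\ndns_name = "%s"\nsigning_key\nencryption_key\ntls_www_server\nexpiration_days = 365\n' "$1" "$1"
}

# Client template. ocserv reads the username from cert-user-oid (2.5.4.3 = CN) and
# the group from cert-group-oid (2.5.4.11 = OU, spelled "unit" in certtool templates).
# The serial must be unique per client so a CRL can later revoke a single user.
client_template() {
  printf 'cn = "%s"\nunit = "%s"\nserial = %s\nsigning_key\ntls_www_client\nexpiration_days = 365\n' "$1" "$2" "$3"
}

# Create the CA and the server key/cert under the file names used in the config.
init_ca_and_server() {
  # $1 = server hostname
  mkdir -p "$KEYDIR" && chmod 700 "$KEYDIR"
  ca_template "VPN CA" > "$KEYDIR/ca.tmpl"
  certtool --generate-privkey --outfile "$KEYDIR/ca-key.pem"
  certtool --generate-self-signed --load-privkey "$KEYDIR/ca-key.pem" \
    --template "$KEYDIR/ca.tmpl" --outfile "$KEYDIR/ca-cert.pem"
  server_template "$1" > "$KEYDIR/server.tmpl"
  certtool --generate-privkey --outfile "$KEYDIR/holmesian.key"
  certtool --generate-certificate --load-privkey "$KEYDIR/holmesian.key" \
    --load-ca-certificate "$KEYDIR/ca-cert.pem" --load-ca-privkey "$KEYDIR/ca-key.pem" \
    --template "$KEYDIR/server.tmpl" --outfile "$KEYDIR/allholmesian.crt"
}

# Issue one client certificate and bundle it as PKCS#12 for the AnyConnect app.
issue_client() {
  # $1 = username, $2 = group, $3 = unique serial number
  client_template "$1" "$2" "$3" > "$KEYDIR/$1.tmpl"
  certtool --generate-privkey --outfile "$KEYDIR/$1-key.pem"
  certtool --generate-certificate --load-privkey "$KEYDIR/$1-key.pem" \
    --load-ca-certificate "$KEYDIR/ca-cert.pem" --load-ca-privkey "$KEYDIR/ca-key.pem" \
    --template "$KEYDIR/$1.tmpl" --outfile "$KEYDIR/$1-cert.pem"
  # 3DES is the PKCS#12 cipher that legacy Cisco importers still accept.
  certtool --to-p12 --load-privkey "$KEYDIR/$1-key.pem" --load-certificate "$KEYDIR/$1-cert.pem" \
    --pkcs-cipher 3des-pkcs12 --p12-name "$1" --outder --outfile "$KEYDIR/$1.p12"
}

# Usage: ./vpn-certs.sh init vpn.example.com
#        ./vpn-certs.sh client alice vpn-users 2
case "${1:-}" in
  init)   init_ca_and_server "$2" ;;
  client) issue_client "$2" "$3" "$4" ;;
esac
```

Hand out only the .p12 file; the CA private key stays on the server, and revoking a user means issuing a CRL from ca-key.pem and pointing the commented-out crl option at it.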

System settings

To start ocserv at boot, edit /etc/systemd/system/ocserv.service:

    [Unit]
    Description=ocserv-startup
    After=network.target
     
    [Service]
    Type=oneshot
    ExecStart=/usr/local/sbin/ocserv -c /etc/ocserv/ocserv.conf
    ExecReload=/usr/bin/killall /usr/local/sbin/ocserv
    ExecStop=/usr/bin/killall /usr/local/sbin/ocserv
    PrivateTmp=true
    RemainAfterExit=yes
     
    [Install]
    WantedBy=multi-user.target

Enable the service at boot and start it:

    systemctl enable ocserv
    systemctl start ocserv

Allow traffic forwarding by editing /etc/sysctl.conf:

    net.ipv4.ip_forward = 1

Enable NAT and let iptables clamp the MSS to the path MTU; set up iptables:

    iptables -t nat -A POSTROUTING -j MASQUERADE
    iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
    service iptables save
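
The MASQUERADE rule above rewrites every forwarded packet regardless of source, and nothing checks that ip_forward is actually on before the rules are saved. The script below is an added example, not part of the original post: it emits the same NAT and MSS-clamping rules but scoped to the client pool from ipv4-network/ipv4-netmask (10.168.0.0/24), the vpns* tun devices from "device = vpns", and a single uplink interface, and it refuses to apply them while forwarding is disabled. WAN_IF (eth0) is an assumption; adjust it to the VPS's public interface.

```shell
#!/bin/sh
# Added example (not the original post's code): NAT for ocserv clients limited to the
# VPN pool and the uplink interface. Assumptions: VPN_POOL matches ipv4-network /
# ipv4-netmask in ocserv.conf, WAN_IF is the public interface, and "device = vpns"
# makes ocserv create vpns0, vpns1, ... (matched by the iptables wildcard vpns+).
VPN_POOL="${VPN_POOL:-10.168.0.0/24}"
WAN_IF="${WAN_IF:-eth0}"
VPN_DEV="${VPN_DEV:-vpns+}"

# Emit the rules one per line instead of applying them, so they can be reviewed
# (and checked without root) before anything touches the firewall.
vpn_nat_rules() {
  cat <<EOF
iptables -t nat -A POSTROUTING -s $VPN_POOL -o $WAN_IF -j MASQUERADE
iptables -A FORWARD -i $VPN_DEV -s $VPN_POOL -o $WAN_IF -j ACCEPT
iptables -A FORWARD -i $WAN_IF -o $VPN_DEV -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $VPN_DEV -o $WAN_IF -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
EOF
}

# True when the kernel currently forwards IPv4. Takes an optional path so the check
# can be run against a sample file; the default is the live sysctl node.
forwarding_enabled() {
  f="${1:-/proc/sys/net/ipv4/ip_forward}"
  [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# Apply the rules and persist them the CentOS 6 way (service iptables save).
apply_rules() {
  if ! forwarding_enabled; then
    echo "net.ipv4.ip_forward is 0; set it in /etc/sysctl.conf and run sysctl -p first" >&2
    return 1
  fi
  vpn_nat_rules | sh -e || return 1   # run each emitted rule, stop on the first failure
  service iptables save
}

case "${1:-}" in
  show)  vpn_nat_rules ;;
  apply) apply_rules ;;
esac
```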

23 comments
  1. KUTOSO

    Running the last step, ocserv -c /etc/ocserv/ocserv.conf -f -d 1,
    reports ocserv: relocation error: ocserv: symbol gnutls_packet_get, version GNUTLS_3_1_0 not defined in file libgnutls.so.28 with link time reference;
    I tried yum install gnutls-devel, but it still gives the same error.
    How did you solve this kind of problem?

    KUTOSO
  2. -cky798-

    After finishing step six, creating a user with [root@vultr /]# ocpasswd -c /usr/local/etc/ocserv/.passwd aaa gives: -bash: ocpasswd: command not found. What is the reason? Also, installing nettle in step two fails; changing lib to lib64 in the directory makes it work, not sure whether that is related to the 64-bit system.

    -cky798-
    1. holmesian

      @-cky798-

      The path to ocpasswd is not in your PATH; just use the absolute path. I recommend certificate login; the username/password method is both inconvenient and insecure.

      holmesian
  3. lewisxy

    Help:
    ocserv[1421]: main: initialized ocserv 0.10.12
    ocserv[1422]: sec-mod: reading supplemental config from files
    ocserv[1422]: sec-mod: sec-mod initialized (socket: /var/lib/ocserv/ocserv.sock.1421)
    ocserv[1421]: main: processed 1 CA certificate(s)
    ocserv[1423]: GnuTLS error (at worker-vpn.c:467): A TLS fatal alert has been received.: Unknown certificate
    ocserv[1421]: main: 124.205.63.10:5161 user disconnected (rx: 0, tx: 0)
    ocserv[1424]: worker: client certificate verification succeeded
    ocserv[1422]: sec-mod: using 'certificate' authentication to authenticate user (session: ojm0T)
    ocserv[1425]: worker: tlslib.c:379: no certificate was found
    ocserv[1421]: main: 124.205.63.10:5528 user disconnected (rx: 0, tx: 0)
    ocserv[1426]: worker: tlslib.c:379: no certificate was found
    ocserv[1422]: sec-mod: initiating session for user 'lewisxy' (session: ojm0T)
    ocserv[1421]: main[lewisxy]: 124.205.63.10:5495 new user session
    ocserv[1421]: main: tun.c:497: Can't open /dev/net/tun: No such file or directory
    ocserv[1421]: main[lewisxy]: 124.205.63.10:5495 failed authentication attempt for user 'lewisxy'
    ocserv[1421]: main[lewisxy]: 124.205.63.10:5495 user logged in
    ocserv[1426]: worker: 124.205.63.10 error receiving cookie authentication reply
    ocserv[1426]: worker: 124.205.63.10 failed cookie authentication attempt
    ocserv[1421]: main[lewisxy]: 124.205.63.10:5495 user disconnected (rx: 0, tx: 0)
    ocserv[1422]: sec-mod: temporarily closing session for lewisxy (session: ojm0T)
    ocserv[1421]: main: 124.205.63.10:4247 user disconnected (rx: 0, tx: 0)

    It won't connect; what should I do?

    lewisxy
  4. 592184995

    Could you offer some technical support on ocserv? I'm on centos6 and I've followed several tutorials, but none of them seem to get it up...

    592184995
    1. holmesian

      @592184995

      For 6 the steps are already very detailed; post the specific problem and let's have a look.

      holmesian
      1. 592184995

        @holmesian

        When starting ocserv during setup I get "error loading file"; what is the reason? The command used was ocserv -c /etc/ocserv/ocserv.conf
        Also, mysql seems to be installed already, so why does it still show mysql: command not found?

        592184995
        1. Holmesian

          @592184995

          yum install -y mysql-server mysql mysql-devel
          mysql-server is the server, mysql is the client; I suggest brushing up on the basics and making good use of search engines.

          "error loading file" is already a very clear configuration-file error; the config file changes between ocserv versions, so use the latest stable release together with its matching config file.

          Holmesian
          1. holmesian

            @592184995

            Set up a web server with nginx or another http server, put the certificate in the web root, and you can import it via http://{your VPS IP}/{certificate name}.

            holmesian
          2. 592184995

            @Holmesian

            I'm a total beginner... I only know a few commands, thanks for the pointers! By the way, once ocserv is set up and the process is running, how do I import the certificate into the iOS AnyConnect client? The iOS client apparently can't take a username and password and can only import a certificate via a link; could you advise on this, for example how to get the certificate link from the VPS?

            592184995
  5. 七間涼羽P

    Just passing by; currently trying to get the hang of CentOS QwQ

    七間涼羽P
  6. fish

    hi.

    [root@arx ocserv-0.8.9]# certtool --generate-privkey --outfile ca-key.pem
    certtool: relocation error: certtool: symbol gnutls_srp_3072_group_prime, version GNUTLS_3_0_0 not defined in file libgnutls.so.28 with link time reference
    [root@arx ocserv-0.8.9]#

    Following your article, everything was fine up to step 5. How do I fix this?

    fish
    1. fish

      @fish

      At step 6, configuring ocserv, running certtool --generate-privkey --outfile ca-key.pem gives the error above. How do I fix it?

      fish
      1. holmesian

        @fish

        Judging by the message, gnutls was not installed correctly; on centos try yum install gnutls-devel to reinstall it, or build gnutls yourself.

        holmesian
        1. fish

          @holmesian

          Didn't help. Running yum install gnutls-devel gnutls says both are already installed.
          Did you really get ocserv running on centos7?
          On centos6 I built it successfully and can use it to get over the wall. On centos7 I just can't get it working.

          fish
          1. holmesian

            @BRITE

            Congratulations!

            I'm still used to managing it directly with iptables, using iptables -t nat -A POSTROUTING -j MASQUERADE for dynamic masquerading so the internal machines reach the internet through NAT.

            With your setup it should be firewall-cmd --permanent --zone=public --add-masquerade; please test.

            holmesian
          2. BRITE

            @holmesian

            hi.
            The gnutls problem is solved.

            After running:
            firewall-cmd --zone=public --add-port=999/tcp --permanent
            firewall-cmd --reload, I can also connect to ocserv. But I can't open any website. After running:
            firewall-cmd --permanent --direct --passthrough ipv4 -t nat -I POSTROUTING -o eth0 -j MASQUERADE -s 192.168.10.0/24
            firewall-cmd --reload, I still can't open any website. How do I fix this?
            Thanks.

            net.ipv4.ip_forward is also set to 1.
            I also ran echo 1 > /proc/sys/net/ipv4/ip_forward
            I just don't know how to write iptables -t nat -A POSTROUTING -s 192.168.10.0/24 -o eth0 -j MASQUERADE with firewalld commands so that it has the same effect as that iptables rule.

            Referenced https://devops.profitbricks.com/tutorials/deploy-outbound-nat-gateway-on-centos-7/#enable-ip-forwarding

            BRITE
          3. fish

            @holmesian

            hi.
            The gnutls problem is solved. And after running:
            firewall-cmd --zone=public --add-port=999/tcp --permanent
            firewall-cmd --reload, I can also connect to ocserv. But I can't open any website. After running:
            firewall-cmd --permanent --direct --passthrough ipv4 -t nat -I POSTROUTING -o eth0 -j MASQUERADE -s 192.168.10.0/24

            firewall-cmd --reload, I still can't open any website. How do I fix this?
            Thanks.

            Referenced https://devops.profitbricks.com/tutorials/deploy-outbound-nat-gateway-on-centos-7/#enable-ip-forwarding

            fish
          4. fish

            @holmesian

            hi.

            I removed gnutls-3.2.12 and built gnutls-3.2.15, which fixed the error above. certtool and ocserv both run normally. But my client machine just can't connect to the server. No idea why?
            My vps is a centos7 64-bit system.

            [root@arx ~]# cat /dev/net/tun
            cat: /dev/net/tun: file descriptor in bad state (this shows tun is enabled on the vps)
            [root@arx ~]# ps aux|grep ocserv
            root 15444 0.0 0.3 38924 1616 ? Ss 18:28 0:00 /usr/local/sbin/ocserv -c /usr/local/etc/ocserv/ocserv.conf
            root 15445 0.0 0.3 38924 1628 ? S 18:28 0:00 /usr/local/sbin/ocserv -c /usr/local/etc/ocserv/ocserv.conf
            root 15683 0.0 0.1 112660 932 pts/0 S+ 22:37 0:00 grep --color=auto ocserv
            [root@arx ~]# certtool
            certtool [options]
            certtool --help for usage instructions.
            [root@arx ~]# ocserv
            ocserv -c [config]
            Use ocserv --help for more information.
            [root@arx ~]#
            [root@arx ~]# cat /etc/redhat-release
            CentOS Linux release 7.2.1511 (Core)
            [root@arx ~]#

            fish
          5. holmesian

            @fish

            This has little to do with 6 vs 7; I had no problems on either. I'm now running ocserv 0.10.11; only building from the git source is a bit more hassle.
            I suggest trying a newer version.

            holmesian
  7. ssk

    Which code plugin do you use?

    ssk
    1. Holmesian

      @ssk

      SyntaxHighlighter

      Holmesian
  8. 乐乐

    Could you share a vpn with me? I won't misuse it.

    乐乐