Linode CentOS 配置 ocserv
最近发现在电信网络上用 Vultr 的日本线路丢包量惊人,体验也越来越糟糕。无奈之下准备关闭 Vultr 的日本节点 VPS 并转到 Linode 的新加坡节点。坊间传闻用 360 之类的国产全家桶和 PPTP 方式会加速梯子的消亡,所以准备关闭 pptp 支持,只留用 ss、反代和 Anyconnect。因为 iphone 不越狱的情况下最好的科学上网工具应该就是 Anyconnect 了,以后凡是用国产全家桶的 TX,不予共享帐号。
第三方源安装
添加EPEL源
EPEL (Extra Packages for Enterprise Linux,企业版Linux的额外软件包) 是Fedora小组维护的一个软件仓库项目,为RHEL/CentOS提供他们默认不提供的软件包。目前EPEL已经有了Centos6/7的ocserv。
首先根据版本下载EPEL源包(以Centos6为例),并进行安装
wget http://download.fedoraproject.org/pub/epel/6/i386/epel-release-6-8.noarch.rpm
sudo rpm -ivh epel-release-6-8.noarch.rpm
安装ocserv
进行一次更新后直接安装ocserv
yum -y update
yum install ocserv -y
成功安装之后就跳到配置部分吧。
编译安装
准备编译需要的环境
yum install expat-devel autoconf automake gcc libtasn1-devel zlib zlib-devel trousers trousers-devel gmp-devel gmp xz texinfo libnl-devel libnl tcp_wrappers-libs tcp_wrappers-devel tcp_wrappers dbus dbus-devel ncurses-devel pam-devel readline-devel bison bison-devel flex gcc automake autoconf wget
安装 nettle
wget http://ftp.gnu.org/gnu/nettle/nettle-2.7.1.tar.gz
tar zxf nettle-2.7.1.tar.gz && cd nettle-2.7.1
./configure --prefix=/usr
make && make install
ldconfig
安装 unbound
wget http://unbound.nlnetlabs.nl/downloads/unbound-1.4.22.tar.gz
tar zxf unbound-1.4.22.tar.gz && cd unbound-1.4.22
./configure --prefix=/usr&& make && make install
mkdir -p /etc/unbound && unbound-anchor -a "/etc/unbound/root.key"
安装 gnutls
wget ftp://ftp.gnutls.org/gcrypt/gnutls/v3.2/gnutls-3.2.12.1.tar.xz
xz -c -d gnutls-3.2.12.1.tar.xz | tar x
cd gnutls-3.2.12
./configure --prefix=/usr
make && make install
ldconfig
安装 LibNL:
wget http://www.carisma.slowglass.com/~tgr/libnl/files/libnl-3.2.24.tar.gz
tar xvf libnl-3.2.24.tar.gz
cd libnl-3.2.24
./configure --prefix=/usr
make && make install
ldconfig
安装 libev
git clone https://github.com/enki/libev.git
cd libev
./configure --prefix=/usr
make && make install
ldconfig
安装 ocserv
wget ftp://ftp.infradead.org/pub/ocserv/ocserv-0.8.9.tar.xz
tar xvf ocserv-0.8.9.tar.xz
cd ocserv-0.8.9
./configure && make && make install
如果是在 ARM 平台上,需要./configure --disable-seccomp,否则会因为 libseccomp 的原因出现 Makefile:1459: recipe for target 'worker-privs.o' failed
此外,如果 nettle 和 gnutls 安装在 /usr/local 目录,需要运行以下命令设置系统变量,再运行./configure。
export LIBNETTLE_CFLAGS="-I/usr/local/include/" LIBNETTLE_LIBS="-L/usr/local/lib/" LIBGNUTLS_CFLAGS="-I/usr/local/include/" LIBGNUTLS_LIBS="-L/usr/local/lib/"
常见问题
遇到 No package 'gnutls' found 问题时执行以下命令定位 gnutls 包。
export LIBGNUTLS_CFLAGS="-L/usr/include" LIBGNUTLS_LIBS="-L/usr/lib64 -lgnutls"
如果 protobuf-c/protobuf-c.h 未找到之类的问题,请删除通过 yum 安装的 protobuf,profobuf-devel 之类的包
yum remove protobuf
如果中间还遇到一些莫名其妙的问题,不妨再手动更新一下 aclocal automake autoconf 这几个包,yum 里的有点老。
yum remove aclocal automake autoconf -y
wget http://ftp.gnu.org/gnu/autoconf/autoconf-latest.tar.gz
tar -zxvf autoconf-latest.tar.gz
cd autoconf-版本号 // 请根据解压出的文件夹名修改
./configure --prefix-/usr
make && make install
cd ..
wget http://ftp.gnu.org/gnu/automake/automake-1.15.tar.xz
tar -zxvf automake-1.15.tar.gz
cd automake-1.15
./configure --prefix-/usr
make && make install
cd ..
wget http://gnu.mirrors.hoobly.com/gnu/libtool/libtool-2.4.6.tar.xz
tar -zxvf libtool-2.4.6.tar.gz
cd libtool-2.4.6
./configure --prefix-/usr
make && make install
cd ..
配置 ocserv
参考 http://www.infradead.org/ocserv/manual.html#heading5
贴上我的配置文件仅供参考,启用证书认证,开启压缩,优化缓存。
# User authentication method. Could be set multiple times and in that case
# all should succeed.
# Options: certificate, pam.
auth = "certificate"
#auth = "plain[./sample.passwd]"
#auth = "plain[/etc/ocserv/ocpasswd]"
#auth = "pam"
# The gid-min option is used by auto-select-group option, in order to
# select the minimum group ID.
#auth = "pam[gid-min=1000]"
# Whether to enable support for the occtl tool (i.e., either through D-BUS,
# or via a unix socket).
use-occtl = false
# The plain option requires specifying a password file which contains
# entries of the following format.
# "username:groupname:encoded-password"
# One entry must be listed per line, and 'ocpasswd' can be used
# to generate password entries.
#auth = "plain[/etc/ocserv/ocpasswd]"
# Whether to enable seccomp worker isolation. That restricts the number of
# system calls allowed to a worker process, in order to reduce damage from a
# bug in the worker process. It is available on Linux systems at a performance cost.
use-seccomp = false
isolate-workers=false
# A banner to be displayed on clients
banner = "The server is located in Nanchang,Note that domestic traffic is not encrypted. By Holmesian"
# Use listen-host to limit to specific IPs or to the IPs of a provided
# hostname.
#listen-host = [IP|HOSTNAME]
# Limit the number of clients. Unset or set to zero for unlimited.
#max-clients = 1024
max-clients = 128
# When the server receives connections from a proxy, like haproxy
# which supports the proxy protocol, set this to obtain the correct
# client addresses. The proxy protocol (v2) would then be expected in
# the TCP or UNIX socket (not the UDP one).
#listen-proxy-proto = true
# Limit the number of client connections to one every X milliseconds
# (X is the provided value). Set to zero for no limit.
#rate-limit-ms = 100
# Limit the number of identical clients (i.e., users connecting
# multiple times). Unset or set to zero for unlimited.
max-same-clients = 0
# TCP and UDP port number
tcp-port = 443
udp-port = 443
# Keepalive in seconds
keepalive = 62400
# Dead peer detection in seconds.
# Note that when the client is behind a NAT this value
# needs to be short enough to prevent the NAT disassociating
# his UDP session from the port number. Otherwise the client
# could have his UDP connection stalled, for several minutes.
dpd = 30
# Dead peer detection for mobile clients. The needs to
# be much higher to prevent such clients being awaken too
# often by the DPD messages, and save battery.
# (clients that send the X-AnyConnect-Identifier-DeviceType)
#mobile-dpd = 1800
# MTU discovery (DPD must be enabled)
# If set, this forces all UDP packets to carry the don’t fragment
# (DF) bit.
try-mtu-discovery = false
# The key and the certificates of the server
# The key may be a file, or any URL supported by GnuTLS (e.g.,
# tpmkey:uuid=xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx;storage=user
# or pkcs11:object=my-vpn-key;object-type=private)
#
# There may be multiple certificate and key pairs and each key
# should correspond to the preceding certificate.
#server-cert = /etc/ssl/certs/server-cert.pem
#server-key = /etc/ssl/private/server-key.pem
server-cert = /root/key/allholmesian.crt
server-key = /root/key/holmesian.key
# Diffie-Hellman parameters. Only needed if you require support
# for the DHE ciphersuites (by default this server supports ECDHE).
# Can be generated using:
# certtool --generate-dh-params --outfile /path/to/dh.pem
#dh-params = /path/to/dh.pem
# If you have a certificate from a CA that provides an OCSP
# service you may provide a fresh OCSP status response within
# the TLS handshake. That will prevent the client from connecting
# independently on the OCSP server.
# You can update this response periodically using:
# ocsptool --ask --load-cert=your_cert --load-issuer=your_ca --outfile response
# Make sure that you replace the following file in an atomic way.
#ocsp-response = /path/to/ocsp.der
# In case PKCS #11 or TPM keys are used the PINs should be available
# in files. The srk-pin-file is applicable to TPM keys only, and is the
# storage root key.
#pin-file = /path/to/pin.txt
#srk-pin-file = /path/to/srkpin.txt
# The Certificate Authority that will be used to verify
# client certificates (public keys) if certificate authentication
# is set.
#ca-cert = /path/to/ca.pem
ca-cert = /root/key/ca-cert.pem
# The object identifier that will be used to read the user ID in the client
# certificate. The object identifier should be part of the certificate's DN
# Useful OIDs are:
# CN = 2.5.4.3, UID = 0.9.2342.19200300.100.1.1
#cert-user-oid = 0.9.2342.19200300.100.1.1
cert-user-oid = 2.5.4.3
# The object identifier that will be used to read the user group in the
# client certificate. The object identifier should be part of the certificate's
# DN. Useful OIDs are:
# OU (organizational unit) = 2.5.4.11
# cert-group-oid = 2.5.4.11
cert-group-oid = 2.5.4.11
# The revocation list of the certificates issued by the 'ca-cert' above.
#crl = /path/to/crl.pem
# GnuTLS priority string
#tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT"
tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-VERS-SSL3.0"
# To enforce perfect forward secrecy (PFS) on the main channel.
#tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-RSA"
# The time (in seconds) that a client is allowed to stay connected prior
# to authentication
auth-timeout = 10
# The time (in seconds) that a client is allowed to stay idle (no traffic)
# before being disconnected. Unset to disable.
#idle-timeout = 9900
# The time (in seconds) that a mobile client is allowed to stay idle (no
# traffic) before being disconnected. Unset to disable.
#mobile-idle-timeout = 2400
#mobile-idle-timeout=9999
# The time (in seconds) that a client is not allowed to reconnect after
# a failed authentication attempt.
#min-reauth-time = 120
# Banning clients in ocserv works with a point system. IP addresses
# that get a score over that configured number are banned for
# min-reauth-time seconds. By default a wrong password attempt is 10 points,
# a KKDCP POST is 1 point, and a connection is 1 point. Note that
# due to difference processes being involved the count of points
# will not be real-time precise.
#
# Score banning cannot be reliably used when receiving proxied connections
# locally from an HTTP server (i.e., when listen-clear-file is used).
#
# Set to zero to disable.
max-ban-score = 0
# The time (in seconds) that all score kept for a client is reset.
ban-reset-time = 300
# In case you’d like to change the default points.
#ban-points-wrong-password = 10
#ban-points-connection = 1
#ban-points-kkdcp = 1
# Cookie timeout (in seconds)
# Once a client is authenticated he's provided a cookie with
# which he can reconnect. That cookie will be invalided if not
# used within this timeout value. On a user disconnection, that
# cookie will also be active for this time amount prior to be
# invalid. That should allow a reasonable amount of time for roaming
# between different networks.
#cookie-validity = 864000
cookie-timeout=99000
# Cookie rekey time (in seconds)
# The time after which the key used to encrypt cookies will be
# refreshed. After this time the previous key will also be valid
# for verification. It is recommended not to modify the default
# value.
#cookie-rekey-time = 99400
# Whether roaming is allowed, i.e., if true a cookie is
# restricted to a single IP address and cannot be re-used
# from a different IP.
deny-roaming = false
# ReKey time (in seconds)
# ocserv will ask the client to refresh keys periodically once
# this amount of seconds is elapsed. Set to zero to disable (note
# that, some clients fail if rekey is disabled).
rekey-time = 992800
# ReKey method
# Valid options: ssl, new-tunnel
# ssl: Will perform an efficient rehandshake on the channel allowing
# a seamless connection during rekey.
# new-tunnel: Will instruct the client to discard and re-establish the channel.
# Use this option only if the connecting clients have issues with the ssl
# option.
rekey-method = ssl
# Script to call when a client connects and obtains an IP
# Parameters are passed on the environment.
# REASON, USERNAME, GROUPNAME, HOSTNAME (the hostname selected by client),
# DEVICE, IP_REAL (the real IP of the client), IP_LOCAL (the local IP
# in the P-t-P connection), IP_REMOTE (the VPN IP of the client),
# ID (a unique numeric ID); REASON may be "connect" or "disconnect".
#connect-script = /scripts/ocserv-script
#disconnect-script = /scripts/ocserv-script
# UTMP
use-utmp = true
# Whether to enable support for the occtl tool (i.e., either through D-BUS,
# or via a unix socket).
#use-occtl = true
use-dbus = false
# socket file used for IPC with occtl. You only need to set that,
# if you use more than a single servers.
#occtl-socket-file = /var/run/occtl.socket
# PID file. It can be overriden in the command line.
pid-file = /var/run/ocserv.pid
# The default server directory. Does not require any devices present.
#chroot-dir = /path/to/chroot
# socket file used for IPC, will be appended with .PID
# It must be accessible within the chroot environment (if any)
socket-file = /var/run/ocserv-socket
# The user the worker processes will be run as. It should be
# unique (no other services run as this user).
#run-as-user = nobody
run-as-user = ocserv
run-as-group = daemon
# Set the protocol-defined priority (SO_PRIORITY) for packets to
# be sent. That is a number from 0 to 6 with 0 being the lowest
# priority. Alternatively this can be used to set the IP Type-
# Of-Service, by setting it to a hexadecimal number (e.g., 0x20).
# This can be set per user/group or globally.
#net-priority = 5
# Set the VPN worker process into a specific cgroup. This is Linux
# specific and can be set per user/group or globally.
#cgroup = "cpuset,cpu:test"
#
# Network settings
#
# The name of the tun device
device = vpns
#device = tun
# Whether the generated IPs will be predictable, i.e., IP stays the
# same for the same user when possible.
#predictable-ips = false
predictable-ips = true
# The default domain to be advertised
#default-domain = h.holmesian.org
#default-domain = example.com
# The pool of addresses that leases will be given from.
ipv4-network = 10.168.0.0
ipv4-netmask = 255.255.255.0
# The advertized DNS server. Use multiple lines for
# multiple servers.
# dns = fc00::4be0
#dns = 2620:0:ccc::2
dns = 10.168.0.1
#dns = 172.16.86.33
#dns = 61.235.0.228
#dns = 2620:0:ccd::2
#dns=121.41.90.204
#dns = 8.8.8.8
#dns = 208.67.222.222
dns = 223.5.5.5
# The NBNS server (if any)
#nbns = 192.168.1.3
# The IPv6 subnet that leases will be given from.
#ipv6-network = fda9:4efe:7e3b:03ea::/48
# Specify the size of the network to provide to clients. It is
# generally recommended to provide clients with a /64 network in
# IPv6, but any subnet may be specified. To provide clients only
# with a single IP use the prefix 128.
#ipv6-subnet-prefix = 128
#ipv6-subnet-prefix = 64
# Whether to tunnel all DNS queries via the VPN. This is the default
# when a default route is set.
#tunnel-all-dns = true
# The domains over which the provided DNS should be used. Use
# multiple lines for multiple domains.
#split-dns = example.com
# Prior to leasing any IP from the pool ping it to verify that
# it is not in use by another (unrelated to this server) host.
ping-leases = false
# Unset to assign the default MTU of the device
# mtu =
# Unset to enable bandwidth restrictions (in bytes/sec). The
# setting here is global, but can also be set per user or per group.
#rx-data-per-sec = 40000
#tx-data-per-sec = 40000
# The number of packets (of MTU size) that are available in
# the output buffer. The default is low to improve latency.
# Setting it higher will improve throughput.
#output-buffer = 10
output-buffer = 1500
# Routes to be forwarded to the client. If you need the
# client to forward routes to the server, you may use the
# config-per-user/group or even connect and disconnect scripts.
#
# To set the server as the default gateway for the client just
# comment out all routes from the server.
#route = 192.168.1.0/255.255.255.0
#route = 192.168.5.0/255.255.255.0
#route = fef4:db8:1000:1001::/64
# Configuration files that will be applied per user connection or
# per group. Each file name on these directories must match the username
# or the groupname.
# The options allowed in the configuration files are dns, nbns,
# ipv?-network, ipv4-netmask, ipv6-prefix, rx/tx-per-sec, iroute, route,
# net-priority and cgroup.
#
# Note that the 'iroute' option allows to add routes on the server
# based on a user or group. The syntax depends on the input accepted
# by the commands route-add-cmd and route-del-cmd (see below).
#config-per-user = /etc/ocserv/config-per-user/
#config-per-group = /etc/ocserv/config-per-group/
# When config-per-xxx is specified and there is no group or user that
# matches, then utilize the following configuration.
#default-user-config = /etc/ocserv/defaults/user.conf
#default-group-config = /etc/ocserv/defaults/group.conf
# Groups that a client is allowed to select from.
# A client may belong in multiple groups, and in certain use-cases
# it is needed to switch between them. For these cases the client can
# select prior to authentication. Add multiple entries for multiple groups.
#select-group = group1
#select-group = group2[My group 2]
#select-group = tost[The tost group]
# The name of the group that if selected it would allow to use
# the assigned by default group.
#default-select-group = DEFAULT
# Instead of specifying manually all the allowed groups, you may instruct
# ocserv to scan all available groups and include the full list. That
# option is only functional on plain authentication.
#auto-select-group = true
# The system command to use to setup a route. %{R} will be replaced with the
# route/mask and %{D} with the (tun) device.
#
# The following example is from linux systems. %{R} should be something
# like 192.168.2.0/24
#route-add-cmd = "ip route add %{R} dev %{D}"
#route-del-cmd = "ip route delete %{R} dev %{D}"
# This option allows to forward a proxy. The special strings '%{U}'
# and '%{G}', if present will be replaced by the username and group name.
#proxy-url = http://example.com/
#proxy-url = http://example.com/%{U}/%{G}/hello
#
# The following options are for (experimental) AnyConnect client
# compatibility.
# Client profile xml. A sample file exists in doc/profile.xml.
# This file must be accessible from inside the worker's chroot.
# It is not used by the openconnect client.
#user-profile = profile.xml
user-profile = /etc/ocserv/profile.xml
# Binary files that may be downloaded by the CISCO client. Must
# be within any chroot environment.
#binary-files = /path/to/binaries
# Unless set to false it is required for clients to present their
# certificate even if they are authenticating via a previously granted
# cookie and complete their authentication in the same TCP connection.
# Legacy CISCO clients do not do that, and thus this option should be
# set for them.
#cisco-client-compat = false
cisco-client-compat = true
#Advanced options
# Uncomment this to enable compression negotiation.
compression = true
#compression = false
# Set the minimum size under which a packet will not be compressed.
# That is to allow low-latency for VoIP packets. The default size
# is 256 bytes. Modify it if the clients typically use compression
# as well of VoIP with codecs that exceed the default value.
no-compress-limit = 512
# Option to allow sending arbitrary custom headers to the client after
# authentication and prior to VPN tunnel establishment.
#custom-header = "X-My-Header: hi there"
#custom-header = "X-DTLS-MTU: 1200"
#custom-header = "X-CSTP-MTU: 1200"
系统设置
开机启动,修改/etc/systemd/system/ocserv.service
[Unit]
Description-ocserv-starup
After-network.target
[Service]
Type-oneshot
ExecStart= /usr/local/sbin/ocserv -c /etc/ocserv/ocserv.conf
ExecReload=/usr/bin/killall /usr/local/sbin/ocserv
ExecStop=/usr/bin/killall /usr/local/sbin/ocserv
PrivateTmp=true
RemainAfterExit=yes
[Install]
WantedBy-multi-user.target
添加开机启动服务并启动。
systemctl enable ocserv
systemctl start ocserv
允许转发流量,修改 /etc/sysctl.conf
net.ipv4.ip_forward = 1
开启 NAT 和让 iptables 来协商 MTU 值,设置 iptables
iptables -t nat -A POSTROUTING -j MASQUERADE
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
service iptables save
「倘若有所帮助,不妨酌情赞赏!」
感谢您的支持!
使用微信扫描二维码完成支付
在最后一步运行,ocserv -c /etc/ocserv/ocserv.conf -f -d 1
报ocserv: relocation error: ocserv: symbol gnutls_packet_get, version GNUTLS_3_1_0 not defined in file libgnutls.so.28 with link time reference;
我有尝试安装yum install gnutls-devel,但还是提示一样的错误
请问楼主是怎么解决此类问题?
第六步配置完了之后创建用户名[root@vultr /]# ocpasswd -c /usr/local/etc/ocserv/.passwd aaa 提示:-bash: ocpasswd: command not found,请问下是什么原因?另外第二步安装nettle的时候会出错,把目录里的lib改成lib64就可以了,不知道是不是和64位系统有关。
@-cky798-
ocpasswd的路径没在你的PATH里面,直接用绝对路径就行了,建议采用证书登陆模式,用户名密码方式不方便也不安全。
求助:
ocserv[1421]: main: initialized ocserv 0.10.12
ocserv[1422]: sec-mod: reading supplemental config from files
ocserv[1422]: sec-mod: sec-mod initialized (socket: /var/lib/ocserv/ocserv.sock.1421)
ocserv[1421]: main: processed 1 CA certificate(s)
ocserv[1423]: GnuTLS error (at worker-vpn.c:467): A TLS fatal alert has been received.: Unknown certificate
ocserv[1421]: main: 124.205.63.10:5161 user disconnected (rx: 0, tx: 0)
ocserv[1424]: worker: client certificate verification succeeded
ocserv[1422]: sec-mod: using 'certificate' authentication to authenticate user (session: ojm0T)
ocserv[1425]: worker: tlslib.c:379: no certificate was found
ocserv[1421]: main: 124.205.63.10:5528 user disconnected (rx: 0, tx: 0)
ocserv[1426]: worker: tlslib.c:379: no certificate was found
ocserv[1422]: sec-mod: initiating session for user 'lewisxy' (session: ojm0T)
ocserv[1421]: main[lewisxy]: 124.205.63.10:5495 new user session
ocserv[1421]: main: tun.c:497: Can't open /dev/net/tun: No such file or directory
ocserv[1421]: main[lewisxy]: 124.205.63.10:5495 failed authentication attempt for user 'lewisxy'
ocserv[1421]: main[lewisxy]: 124.205.63.10:5495 user logged in
ocserv[1426]: worker: 124.205.63.10 error receiving cookie authentication reply
ocserv[1426]: worker: 124.205.63.10 failed cookie authentication attempt
ocserv[1421]: main[lewisxy]: 124.205.63.10:5495 user disconnected (rx: 0, tx: 0)
ocserv[1422]: sec-mod: temporarily closing session for lewisxy (session: ojm0T)
ocserv[1421]: main: 124.205.63.10:4247 user disconnected (rx: 0, tx: 0)
连不上咋办?
大神能提供点关于ocserv的技术支持吗 目前是centos6看过几个教程似乎都搭不起来。。。
@592184995
6的话流程已经很详细了,具体是有什么问题不妨贴出来看看
@holmesian
搭建的时候启动ocserv时出现error loading file是什么原因呢 命令用的是这个ocserv -c /etc/ocserv/ocserv.conf
另外请教下似乎已经安装好了mysql怎么还是显示mysql:command not found?
@592184995
yum install -y mysql-server mysql mysql-deve
mysql-server是服务端 mysql是客户端,建议补补基础知识,善用搜索引擎。
error loading file已经是很明显的配置文件错误提示,因为不同版本ocserv的配置文件有不同的调整,使用最新的稳定版及其相配套的配置文件
@592184995
你用nginx或者其他的http服务软件搭一个web服务,然后把证书放到web目录下,就可以用http://{你VPS的IP}/{证书名},来导入了。
@Holmesian
本人纯小白。。命令也只懂一点 多谢大牛指点!顺便问下如果ocserv搭建成功,进程也存在了的话,怎么把证书导入进ios的anyconnect客户端呢?因为ios的client好像不能输入账号密码而只能以链接方式导入证书,这点还烦请大神指点一二,比如说如何从VPS获取那个证书的链接?
路过围观,正在尝试玩转CentOS QwQ
hi.
[root@arx ocserv-0.8.9]# certtool --generate-privkey --outfile ca-key.pem
certtool: relocation error: certtool: symbol gnutls_srp_3072_group_prime, version GNUTLS_3_0_0 not defined in file libgnutls.so.28 with link time reference
[root@arx ocserv-0.8.9]#
按你文章,一直到完成第5步,都正常。怎么解决?
@fish
到第6步配置ocserv,运行命令:certtool --generate-privkey --outfile ca-key.pem,就出现了如上的错误。怎么解决?
@fish
看提示应该是因为gnutls没有正确安装,如果是centos的话尝试yun install gnutls-devel重新装一下,或者自己编译一个gnutls试试。
@holmesian
没用。我运行 yum install gnutls-devel gnutls,都显示已安装。
你真的在centos7上,顺利搭建了ocserv吗?
我在centos6上,搭建成功,可用来翻墙。但在centos7上,就是搞不定。
@BRITE
恭喜!
我还是习惯直接用iptables直接管理,用iptables -t nat -A POSTROUTING -j MASQUERADE动态伪装让内网机器NAT上网
按你的配置应该是firewall-cmd --permanent --zone=public --add-masquerade ,请测试。
@holmesian
hi.
gnutls的问题解决了。
运行命令:
firewall-cmd --zone=public --add-port=999/tcp --permanent
firewall-cmd --reload 之后,也能连上ocserv了。但就是打不开任何网站。在运行了:
firewall-cmd --permanent --direct --passthrough ipv4 -t nat -I POSTROUTING -o eth0 -j MASQUERADE -s 192.168.10.0/24
firewall-cmd --reload后,也还是打不开任何网站。如何解决?
谢谢。
net.ipv4.ip_forward的值也设为了1.
还运行了echo 1 > /proc/sys/net/ipv4/ip_forward
就是不知道iptables -t nat -A POSTROUTING -s 192.168.10.0/24 -o eth0 -j MASQUERADE如果用firewalld的命令来写,该怎么写,才达到该条iptables规则的效果?
参考了https://devops.profitbricks.com/tutorials/deploy-outbound-nat-gateway-on-centos-7/#enable-ip-forwarding
@holmesian
hi.
gnutls的问题解决了。而且运行命令:
firewall-cmd --zone=public --add-port=999/tcp --permanent
firewall-cmd --reload 之后,也能连上ocserv了。但就是打不开任何网站。在运行了:
firewall-cmd --permanent --direct --passthrough ipv4 -t nat -I POSTROUTING -o eth0 -j MASQUERADE -s 192.168.10.0/24
firewall-cmd --reload后,也还是打不开任何网站。如何解决?
谢谢。
参考了https://devops.profitbricks.com/tutorials/deploy-outbound-nat-gateway-on-centos-7/#enable-ip-forwarding
@holmesian
hi.
我删掉了gnutls-3.2.12,然后编译了gnutls-3.2.15, 就解决了上面那个错误。certtool和ocserv都能正常运行。但我在客户端机器就是连不上服务器。不知何故?
我的vps是centos7 64位系统。
[root@arx ~]# cat /dev/net/tun
cat: /dev/net/tun: file descriptor in bad state (这个表明vps开启了tun)
[root@arx ~]# ps aux|grep ocserv
root 15444 0.0 0.3 38924 1616 ? Ss 18:28 0:00 /usr/local/sbin/ocserv -c /usr/local/etc/ocserv/ocserv.conf
root 15445 0.0 0.3 38924 1628 ? S 18:28 0:00 /usr/local/sbin/ocserv -c /usr/local/etc/ocserv/ocserv.conf
root 15683 0.0 0.1 112660 932 pts/0 S+ 22:37 0:00 grep --color=auto ocserv
[root@arx ~]# certtool
certtool [options]
certtool --help for usage instructions.
[root@arx ~]# ocserv
ocserv -c [config]
Use ocserv --help for more information.
[root@arx ~]#
[root@arx ~]# cat /etc/redhat-release
CentOS Linux release 7.2.1511 (Core)
[root@arx ~]#
@fish
这个跟6/7关系不大吧,我在6/7上都没问题,现在跑的是ocserv 0.10.11,只有从git源编译麻烦一些。
建议换新版本试试
请问你用的是什么代码插件?
@ssk
@ssk:SyntaxHighlighter
大神给分享个vpn呗,我不会瞎用的