Installing ocserv on CentOS 7 with username/password authentication


gsls200808

Published 2021-03-11 22:18:31



I previously used this Docker image: https://github.com/wppurking/ocserv-docker

But it does not allow customising the routes, so I ended up installing ocserv myself.

1. Install the EPEL yum repository, then install ocserv

yum install epel-release -y
yum install ocserv -y
2. Edit the configuration file

/etc/ocserv/ocserv.conf

The contents are as follows.

Password authentication is used here:

auth = "plain[passwd=/etc/ocserv/ocpasswd]"

TCP and UDP port number

tcp-port = 443
udp-port = 443

run-as-user = ocserv
run-as-group = ocserv

socket-file = ocserv.sock
chroot-dir = /var/lib/ocserv
isolate-workers = true

max-clients = 1024
max-same-clients = 2
keepalive = 32400
dpd = 90
mobile-dpd = 1800
switch-to-tcp-timeout = 25
try-mtu-discovery = false

Certificate paths (defaults)

server-cert = /etc/pki/ocserv/public/server.crt
server-key = /etc/pki/ocserv/private/server.key

CA certificate

ca-cert = /etc/pki/ocserv/cacerts/ca.crt
cert-user-oid = 0.9.2342.19200300.100.1.1
tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-VERS-SSL3.0"

auth-timeout = 240
min-reauth-time = 300
max-ban-score = 50
ban-reset-time = 300
cookie-timeout = 300
deny-roaming = false
rekey-time = 172800
rekey-method = ssl

use-occtl = true
pid-file = /var/run/ocserv.pid
device = vpns
predictable-ips = true
default-domain = example.com
ping-leases = false

cisco-client-compat = true
dtls-legacy = true
user-profile = profile.xml

DNS addresses

dns = 10.24.11.254
dns = 219.148.204.66
dns = 219.149.6.99

IP address range and netmask

ipv4-network = 192.168.249.0/24

Routing table

route = 10.24.11.0/255.255.255.0
route = 10.24.0.0/255.255.0.0
route = 172.20.0.0/255.255.0.0
route = 10.244.0.0/255.255.0.0
route = 106.75.12.89/255.255.255.255
route = 106.75.117.178/255.255.255.255
3. Managing users

The created users and their hashed passwords can be seen in the file /etc/ocserv/ocpasswd.

Create the file:

touch /etc/ocserv/ocpasswd

Common commands

Create a user (you will be prompted for the password):

ocpasswd -c /etc/ocserv/ocpasswd user1

Lock (disable) a user:

ocpasswd -c /etc/ocserv/ocpasswd -l user1

Unlock a locked user:

ocpasswd -c /etc/ocserv/ocpasswd -u user1

Delete a user:

ocpasswd -c /etc/ocserv/ocpasswd -d user1
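As an added example (not part of the original post), a small POSIX shell audit of the ocpasswd file: it lists each account, whether it is locked (ocpasswd -l marks a locked account by prefixing the stored hash with "!") and which crypt(3) algorithm the stored hash uses. The sample file is constructed here and the hashes are dummy values.

```shell
#!/bin/sh
# Audit an ocserv ocpasswd file and print one line per user:
#   username group state algorithm
# Line format written by ocpasswd: username:group:hash
# (group is "*" when none was given; a leading "!" on the hash marks a locked account).
ocpasswd_audit() {
    file=$1
    awk -F: '
        NF >= 3 && $1 != "" {
            hash = $3
            state = "active"
            if (substr(hash, 1, 1) == "!") { state = "locked"; hash = substr(hash, 2) }
            algo = "unknown"
            if (hash ~ /^\$6\$/) algo = "sha512crypt"
            else if (hash ~ /^\$5\$/) algo = "sha256crypt"
            else if (hash ~ /^\$1\$/) algo = "md5crypt"
            print $1, $2, state, algo
        }' "$file"
}

# Number of locked accounts in the file; useful when periodically reviewing stale users.
ocpasswd_locked_count() {
    ocpasswd_audit "$1" | awk '$3 == "locked"' | wc -l | tr -d ' '
}

# Constructed sample file (not a real ocpasswd from the post); the hashes are dummies.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
user1:*:$5$abcdefgh$ijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOP
user2:*:!$5$abcdefgh$ijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOP
admin:ops:$6$abcdefgh$ijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOP
EOF

ocpasswd_audit "$SAMPLE"
```

Run it against /etc/ocserv/ocpasswd on the server to see which accounts are still active and which hash algorithm each entry uses.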
4. Open the firewall

firewall-cmd --add-port=443/tcp --permanent
firewall-cmd --add-port=443/udp --permanent

Allow IP masquerading in the firewall (required):

firewall-cmd --add-masquerade --permanent
firewall-cmd --reload

If you use a port above 1024, it is recommended to disable SELinux.

Edit /etc/selinux/config

and change SELINUX=enforcing to SELINUX=disabled.
The change takes effect after a reboot.
5. Enable the service at boot

Enable at boot:

systemctl enable ocserv

Start the service:

systemctl start ocserv

Check its status:

systemctl status ocserv
6. Connecting from the client

Install anyconnect-win-4.5.05030-core-vpn-webdeploy-k9.exe, enter the server address, and once connected to the server enter the username and password.
Copyright notice: this article is an original work by CSDN blogger "gsls200808", licensed under CC 4.0 BY-SA. When reposting, please include the original source link and this notice.
Original link: https://blog.csdn.net/gsls200808/article/details/114681483
