
ocserv - OpenConnect Server

Installation

From ports or pkg: /usr/ports/net/ocserv

A manual build needs /usr/ports/archivers/liblz4 and /usr/ports/security/gnutls as dependencies.

Certificate generation

CA

CA template

$ cat > ca.tmpl
cn = "OpenConnect CA"
organization = "OpenConnect"
serial = 1
expiration_days = 3650
ca
signing_key
cert_signing_key
crl_signing_key

Generate the CA private key

$ certtool --generate-privkey --outfile ca.key

Generate the CA certificate

$ certtool --generate-self-signed --load-privkey ca.key --template ca.tmpl --outfile ca.crt

Server certificate

Server template. The cn must match the hostname or IP address that clients connect to. Current clients check the Subject Alternative Name rather than the CN, so also give the template a dns_name (or ip_address) line with the same value.

$ cat > server.tmpl
cn = "xxx.org"
organization = "OpenConnect"
expiration_days = 3650
signing_key
encryption_key
tls_www_server

Generate the server private key and certificate

$ certtool --generate-privkey --outfile server.key
$ certtool --generate-certificate --load-ca-certificate ca.crt --load-ca-privkey ca.key --template server.tmpl --load-privkey server.key --outfile server.crt

Client certificate

Without a client certificate, Cisco AnyConnect prompts for the password on every connection.

Client template (the file name must match the --template argument used below)

$ cat > vpn_user.tmpl
cn = "vpn_user"
unit = "all"
organization = "OpenConnect"
expiration_days = 3650
signing_key
tls_www_client

Generate the client private key

$ certtool --generate-privkey --outfile vpn_user.key

Generate the client certificate

$ certtool --generate-certificate --load-ca-certificate ca.crt --load-ca-privkey ca.key --template vpn_user.tmpl --load-privkey vpn_user.key --outfile vpn_user.crt

Bundle the key and certificate into a PKCS#12 file for import into AnyConnect. certtool prompts for a friendly name and a password; the password is the one the importer will ask for. The 3des-pkcs12 cipher is chosen for compatibility with older importers; use aes-256 where the client accepts it.

$ certtool --to-p12 --pkcs-cipher 3des-pkcs12 --outder --load-privkey vpn_user.key --load-certificate vpn_user.crt --outfile vpn_user.p12
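The whole certificate procedure above as one script. This is an added example, not the page's own commands: it assumes GnuTLS certtool is on the PATH, uses the placeholder names vpn.example.org and vpn_user and a caller-supplied PKCS#12 password, adds a dns_name SAN to the server certificate, lets certtool pick a random CA serial instead of the fixed serial = 1, and verifies both leaf certificates against the CA before bundling.

```shell
#!/bin/sh
# Added example (not the page's own commands): the CA / server / client
# procedure above as one script, with a SAN on the server certificate and a
# chain check before anything is handed out. Assumes GnuTLS certtool is on
# PATH; vpn.example.org and vpn_user are placeholders.
set -eu

# make_vpn_certs <outdir> <server-hostname> <client-username> <p12-password>
make_vpn_certs() {
    dir=$1; host=$2; user=$3; pass=$4
    mkdir -p "$dir"
    umask 077                       # keys are written owner-readable only

    # CA: self-signed, may sign certificates and CRLs. No fixed serial, so
    # certtool picks a random one.
    cat > "$dir/ca.tmpl" <<EOF
cn = "OpenConnect CA"
organization = "OpenConnect"
expiration_days = 3650
ca
signing_key
cert_signing_key
crl_signing_key
EOF
    certtool --generate-privkey --outfile "$dir/ca.key" 2>/dev/null
    certtool --generate-self-signed --load-privkey "$dir/ca.key" \
        --template "$dir/ca.tmpl" --outfile "$dir/ca.crt" 2>/dev/null

    # Server: cn and dns_name both carry the name clients will connect to;
    # current clients match against the SAN (dns_name), not the CN.
    cat > "$dir/server.tmpl" <<EOF
cn = "$host"
dns_name = "$host"
organization = "OpenConnect"
expiration_days = 3650
signing_key
encryption_key
tls_www_server
EOF
    certtool --generate-privkey --outfile "$dir/server.key" 2>/dev/null
    certtool --generate-certificate --load-ca-certificate "$dir/ca.crt" \
        --load-ca-privkey "$dir/ca.key" --template "$dir/server.tmpl" \
        --load-privkey "$dir/server.key" --outfile "$dir/server.crt" 2>/dev/null

    # Client: the cn becomes the VPN username via cert-user-oid = 2.5.4.3
    cat > "$dir/$user.tmpl" <<EOF
cn = "$user"
unit = "all"
organization = "OpenConnect"
expiration_days = 3650
signing_key
tls_www_client
EOF
    certtool --generate-privkey --outfile "$dir/$user.key" 2>/dev/null
    certtool --generate-certificate --load-ca-certificate "$dir/ca.crt" \
        --load-ca-privkey "$dir/ca.key" --template "$dir/$user.tmpl" \
        --load-privkey "$dir/$user.key" --outfile "$dir/$user.crt" 2>/dev/null

    # Verify both leaves chain to the CA, and that the server certificate
    # really carries the hostname, before the files go anywhere near a client.
    certtool --verify --load-ca-certificate "$dir/ca.crt" \
        --verify-hostname "$host" --infile "$dir/server.crt" >/dev/null 2>&1
    certtool --verify --load-ca-certificate "$dir/ca.crt" \
        --infile "$dir/$user.crt" >/dev/null 2>&1

    # PKCS#12 for AnyConnect, CA included. 3des-pkcs12 matches the page for
    # old importers; aes-256 is the better choice where the client accepts it.
    # --password is visible in ps; use --ask-pass instead when run by hand.
    certtool --to-p12 --pkcs-cipher 3des-pkcs12 --outder \
        --load-ca-certificate "$dir/ca.crt" \
        --load-privkey "$dir/$user.key" --load-certificate "$dir/$user.crt" \
        --p12-name "$user" --password "$pass" \
        --outfile "$dir/$user.p12" >/dev/null 2>&1
}
```

Run it as `make_vpn_certs /path/etc/certs vpn.example.org vpn_user 'import-password'`; the function aborts on the first certtool error or failed verification, so a template typo never yields a half-finished certificate set.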

Configuration notes

Authentication method
  • To allow password logins, set auth = "plain[passwd=/path/ocserv.passwd]" so that it points at the password file.

Generate the password file with ocpasswd -c /path/ocserv.passwd username (ocpasswd prompts for the password).

  • To allow both password and certificate logins, add enable-auth = "certificate" on top of the setting above.

Password authentication must be enabled first (auth =) and certificate authentication added afterwards (enable-auth =); the other way round, password authentication is not available.

  • For certificate-only authentication, set the method directly: auth = "certificate"

Obtaining the username from the certificate

With client certificates generated from the template above, the username is taken from the certificate's CN, so set cert-user-oid = 2.5.4.3 (the OID of commonName) in the configuration. The unit = "all" field in the template only has an effect if cert-group-oid is also set to the OU OID, 2.5.4.11.

Cookie settings

Cookies let a user resume the session quickly after reconnecting. The relevant settings:

cookie-timeout = 86400
persistent-cookies = true

Other

Enabling MTU discovery is recommended; it relies on DPD, so set the DPD intervals alongside it:

try-mtu-discovery = true
mobile-dpd = 1800

If ocserv was built with lz4 support, data compression can be enabled. Compressing traffic before it is encrypted lets an attacker who controls part of the plaintext learn about the rest (compression-oracle attacks), so leave it off unless the bandwidth saving matters.

compression = true

To record user logins in the system's login records, enable utmp:

use-utmp = true

Minimal configuration currently in use
auth = "plain[passwd=/path/etc/ocserv.passwd]"
enable-auth = "certificate"
tcp-port = 1000
udp-port = 1000
run-as-user = nobody
run-as-group = daemon
socket-file = /var/run/ocserv-socket
server-cert = /path/etc/certs/server.crt
server-key = /path/etc/certs/server.key
dh-params = /path/etc/certs/dh.pem
ca-cert = /path/etc/certs/ca.crt
max-clients = 200
max-same-clients = 2
keepalive = 32400
dpd = 90
mobile-dpd = 1800
try-mtu-discovery = true
cert-user-oid = 2.5.4.3
compression = true
no-compress-limit = 256
tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-VERS-SSL3.0"
auth-timeout = 40
min-reauth-time = 300
max-ban-score = 50
ban-reset-time = 300
cookie-timeout = 86400
cookie-rekey-time = 14400
persistent-cookies = true
deny-roaming = false
rekey-time = 172800
rekey-method = ssl
use-utmp = true
use-occtl = true
pid-file = /var/run/ocserv.pid
device = tun
predictable-ips = true
ipv4-network = 192.168.100.0
ipv4-netmask = 255.255.255.0
dns = 8.8.8.8
dns = 8.8.4.4
ping-leases = false
config-per-user = /path/etc/config-per-user/
default-user-config = /path/etc/default-user.config
cisco-client-compat = true
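The configuration rules from the notes above, checked mechanically. This is an added example, not code from the page or the ocserv project: a POSIX sh/awk lint that reads an ocserv.conf and reports the combinations the notes call out (enable-auth = "certificate" without a password method in auth =, certificate authentication without cert-user-oid) plus a few hardening checks that go beyond the page (compression enabled, tls-priorities leaving TLS 1.0/1.1 on since NORMAL offers them unless excluded, run-as-user = root, max-same-clients = 0). The sample configuration in the block is constructed from the minimal configuration above; the hardened variant it derives is my suggestion, not the page's.

```shell
#!/bin/sh
# Added example (not the page's or ocserv's code): lint an ocserv.conf for the
# combinations the notes above call out, plus a few hardening checks.
# Prints one line per finding; exit status is the number of findings.
check_ocserv_conf() {
    awk '
    function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t]+$/, "", s); return s }
    function unq(s)  { gsub(/^"|"$/, "", s); return s }
    {
        sub(/#.*/, "")                              # strip comments
        if ($0 !~ /=/) next
        k = trim(substr($0, 1, index($0, "=") - 1))  # split at the FIRST "="
        v = unq(trim(substr($0, index($0, "=") + 1)))
        if (k == "enable-auth") ea[v] = 1            # may be repeated
        else cfg[k] = v                              # last value wins
    }
    END {
        n = 0
        # page rule: certificate as an additional method needs auth = plain[...]
        if (("certificate" in ea) && cfg["auth"] !~ /^(plain|pam)\[/) {
            print "enable-auth = certificate needs a password method in auth = (plain[...] or pam[...])"; n++ }
        # page rule: any certificate auth needs a username source
        if ((("certificate" in ea) || cfg["auth"] == "certificate") && !("cert-user-oid" in cfg)) {
            print "certificate auth without cert-user-oid: no username can be derived"; n++ }
        if (cfg["compression"] == "true") {
            print "compression = true: compress-then-encrypt exposes plaintext to compression-oracle attacks"; n++ }
        if (!("tls-priorities" in cfg)) {
            print "tls-priorities not set: the GnuTLS default picks the protocol versions"; n++ }
        else if (cfg["tls-priorities"] !~ /-VERS-TLS1\.0/ || cfg["tls-priorities"] !~ /-VERS-TLS1\.1/) {
            print "tls-priorities leaves TLS 1.0/1.1 enabled (NORMAL offers them unless excluded)"; n++ }
        if (cfg["run-as-user"] == "root") {
            print "run-as-user = root: worker processes keep root privileges"; n++ }
        if (cfg["max-same-clients"] == "0") {
            print "max-same-clients = 0: unlimited concurrent sessions per user"; n++ }
        exit n
    }' "$1"
}

# Constructed sample: the auth/TLS/compression lines of the minimal config above
sample_conf() {
cat <<'EOF'
auth = "plain[passwd=/path/etc/ocserv.passwd]"
enable-auth = "certificate"
run-as-user = nobody
run-as-group = daemon
max-same-clients = 2
cert-user-oid = 2.5.4.3
compression = true
tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-VERS-SSL3.0"
EOF
}

# Suggested hardening (mine, not the page's): no compression, nothing below TLS 1.2
harden_conf() {
    sed -e 's/^compression = true/compression = false/' \
        -e 's/^tls-priorities = .*/tls-priorities = "NORMAL:%SERVER_PRECEDENCE:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1"/'
}

tmp=$(mktemp -d)
sample_conf > "$tmp/weak.conf"
sample_conf | harden_conf > "$tmp/hardened.conf"
for f in weak hardened; do
    echo "== $f.conf"
    check_ocserv_conf "$tmp/$f.conf" || echo "   ($? finding(s))"
done
rm -rf "$tmp"
```

On the page's settings the lint reports two findings (compression on, TLS 1.0/1.1 still offered); the hardened variant reports none. Run `check_ocserv_conf /path/etc/ocserv.conf` against the live file before each restart.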
freebsd/network/ocserv.txt · Last modified: 2015/12/01 17:21 by Hshh