前言
作者地址:https://zorz.cc/post/anyconnect-with-trusted-ssl.html
在本博客以前的文章中介绍过anyconnect开源服务端ocserv的安装,但是之前为了方便,介绍的是自签SSL证书,自签证书在自用的情况当然没啥问题(如果你看到警告不开心,也可以申请可信的SSL证书),但如果是分享给别人使用,客户端连接服务端时出现的警告可能会导致一些误会,这里介绍一下如何在anyconnect中使用可信的ssl证书。
准备
需要准备的东西:
一台服务器
一个域名
将二级域名的A记录指向你的服务器(如A.yourdomain.com),当然你也可以直接用主域名指向你的服务器。
可以使用免费的域名:freenom.com
一个SSL证书:如果只有一个服务端可以使用https://freessl.org/申请亚洲诚信的证书,该证书具有一年有效期,不必频繁的续期,如果有数个服务端,申请证书可以会比较麻烦,就可以通过脚本申请Let's Encrypt的泛域证书,申请教程,这里以cloudflare为例:申请泛域证书,然后可以通过脚本自动续期,并通过scp,https,Resilio sync等方式分发到anyconnect服务端节点,这样可以简单方便的实现在多个服务端节点使anyconnect具有可信SSL证书。
本文是ubuntu16.04环境下的ocserv的安装与使用,同样适用于debian
安装ocserv并配置
大部分内容还是参考以前的文章
检查PPP/TUN环境
| cat /dev/net/tun | |
| # 返回的必须是: | |
| cat: /dev/net/tun: File descriptor in bad state |
安装依赖
| sudo apt-get update | |
| sudo apt-get install pkg-config build-essential libgnutls28-dev libwrap0-dev liblz4-dev libseccomp-dev libreadline-dev libnl-nf-3-dev libev-dev gnutls-bin -y |
编译安装
然后我们新建一个文件夹,并下载和编译安装 ocserv,此处用的 ocserv 可能不是最新的,最新的请看:ocserv
| mkdir ocserv && cd ocserv | |
| wget ftp://ftp.infradead.org/pub/ocserv/ocserv-0.12.2.tar.xz | |
| tar -xJf ocserv-0.12.2.tar.xz && cd ocserv-0.12.2 | |
| ./configure | |
| make | |
| make install | |
| # 安装后的文件可以不删除,卸载的时候还需要用到。 |
最后我们新建一个配置文件的文件夹:
| mkdir /etc/ocserv | |
| wget -N --no-check-certificate -P "/etc/ocserv" "https://files.zorz.cc/ocserv.conf" |
上面下载的是doub.io大佬根据 ocserv 默认配置文件稍微改了改以适应教程的配置文件。
如果你想要自己改配置文件可以去看源码默认自带的配置文件: ocserv-0.12.2/doc/sample.config
配置参数解释
| auth = "plain[passwd=/etc/ocserv/ocpasswd]" | |
| # 这个是登陆方式,plain[passwd=/etc/ocserv/ocpasswd] 代表使用密码登陆并且从 /etc/ocserv/ocpasswd 文件中读取用户名和密码 | |
| # listen-host = [IP|HOSTNAME] | |
| # 这个代表监听的IP或主机名,注释掉即可。 | |
| = 443 | |
| = 443 | |
| # 这个代表 TCP和UDP监听的端口 默认443,如果端口被干扰或被占用,可以更换其他端口,端口号可分开 | |
| = /etc/ocserv/ssl/server-cert.pem | |
| = /etc/ocserv/ssl/server-key.pem | |
| = /etc/ocserv/ssl/ca-cert.pem | |
| # 服务器证书和CA证书的位置 | |
| banner = "Hello World" | |
| # 欢迎文本,链接上VPN后,客户端会提示这个消息,不需要注释即可。 | |
| = 16 | |
| # 整个VPN最大链接客户端数量 | |
| = 2 | |
| # 同账号链接VPN最大客户端数量 | |
| = ssl | |
| # 加密方式 SSL | |
| = /var/run/ocserv.pid | |
| # PID(记录进程PID)文件位置 | |
| device = vpns | |
| # 设备名(随意) | |
| = 192.168.1.0 | |
| = 255.255.255.0 | |
| #ipv4-network = 192.168.1.0/24 | |
| #ipv6-network = fda9:4efe:7e3b:03ea::/48 | |
| = true | |
| # 是否接管DNS解析请求到VPN服务器,true代表客户端的DNS请求全部又服务器处理。 | |
| dns = 8.8.8.8 | |
| dns = 8.8.4.4 | |
| # 服务端的DNS | |
| # route = 10.10.10.0/255.255.255.0 | |
| # route = 192.168.0.0/255.255.0.0 | |
| # route = fef4:db8:1000:1001::/64 | |
| # route = default | |
| # no-route = 192.168.5.0/255.255.255.0 | |
| # 路由表相关的,不是很懂,据说是可以用来分流国内外流量,但是最多64条太少了。 | |
| # 使ocserv兼容AnyConnect | |
| = true |
添加VPN用户
假设你要添加的账号用户名为hello,那么命令如下:
ocpasswd -c /etc/ocserv/ocpasswd hello
输入后,服务器会提示你输入两次密码(不会显示,盲输),如下:
| === 服务器输出示例 === # | |
| [email protected]:~/ocserv/ocserv-0.11.8# ocpasswd -c /etc/ocserv/ocpasswd hello | |
| Enter password: | |
| Re-enter password: | |
| === 服务器输出示例 === # |
删除 VPN用户
注意:删除/锁定/解锁 VPN用户都没有任何提示!
ocpasswd -c /etc/ocserv/ocpasswd -d hello
锁定 VPN用户
ocpasswd -c /etc/ocserv/ocpasswd -l hello
解锁 VPN用户
ocpasswd -c /etc/ocserv/ocpasswd -u hello
使用可信的SSL证书
你可以通过cloudflare的API申请泛域SSL证书:
前言
现在Let's Encrypt已经开放了泛域的SSL证书申请。申请泛域的SSL证书必须要验证DNS解析才可以,可以通过手动添加DNS记录的方式来申请,也可以通过使用API自动添加DNS记录的方式来申请,这里记录一下利用cloudflare的API申请Let's Encrypt泛域证书的过程。
申请证书
获取cloudflare的API
首先获取cloudflare账户API的TOKEN。
登录到cloudflare账户,然后查看My Profile,点击Global API Key的View API Key,输入密码,保存KEY。
安装amce.sh
安装仅需要一条命令即可。
以下命令可以在任意linux主机执行,无需将域名的A记录指向它。
| apt-get install socat -y | |
| curl https://get.acme.sh | sh |
申请证书
注意,因此acme的目录名前有一个.所以默认是看不到acme的目录的,可以通过以下命令进入acme目录。
cd .acme.sh
设置cloudflare api。
| export CF_Key="刚刚保存下来的KEY" | |
| export CF_Email="cloudflare的注册邮箱" |
然后申请证书即可。
acme.sh --issue --dns dns_cf -d *.你的域名.com -d 你的域名.com --keylength ec-256
现在证书,私钥都可以在/root/.acme.sh/*.你的域名.com目录查看了。
更多nameserver服务商的API使用文档请见:https://github.com/Neilpang/acme.sh/blob/master/dnsapi/README.md
更多的使用方法请见:https://github.com/Neilpang/acme.sh/wiki/%E8%AF%B4%E6%98%8E
获得证书之后,创建文件夹存放SSL证书
mkdir /etc/ocserv/ssl
复制let's-encrypt的证书到ocserv的SSL存放文件夹
| --installcert -d 你的域名 \ | |
| --key-file /etc/ocserv/ssl/server-key.pem \ | |
| --fullchain-file /etc/ocserv/ssl/server-cert.pem \ | |
| --ca-file /etc/ocserv/ssl/ca-cert.pem |
安装服务
1.不支持systemd的系统(debian7/ubuntu14.04及以下):
下载doub.io大佬写好的服务脚本并赋予执行权限:
| wget -N --no-check-certificate -O "/etc/init.d/ocserv" "https://files.zorz.cc/ocserv_debian" | |
| chmod +x /etc/init.d/ocserv |
设置开机启动(可选)
update-rc.d -f ocserv defaults
2.支持systemd的系统(debian8/ubuntu16.04及以上):
如果你的系统支持systemd的话,那么不用执行上面的命令,使用下面的命令即可。
| ln -s /usr/local/sbin/ocserv /usr/sbin/ocserv | |
| cp /root/ocserv/ocserv-0.12.2/doc/systemd/standalone/ocserv.service /etc/systemd/system/ |
设置开机启动(可选)
systemctl enable ocserv
开启IPv4转发
| sed -i '/net.ipv4.ip_forward.*/d;$a\net.ipv4.ip_forward = 1' /etc/sysctl.conf | |
| sysctl -p |
配置防火墙
| iptables -t nat -A POSTROUTING -j MASQUERADE | |
| iptables -I INPUT -p tcp --dport 443 -j ACCEPT | |
| iptables -I INPUT -p udp --dport 443 -j ACCEPT | |
| iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu |
这么设置了防火墙之后,重启就会失效,为了使防火墙规则持久化,执行以下操作
iptables-save > /etc/iptables.rule
输入crontab -e文件,添加以下内容
@reboot /sbin/iptables-restore < /etc/iptables.rule
最后测试
ocserv -f -d 1
# 此时可以使用如果没有问题,那么我们就按 Ctrl + C 键退出。
使用说明
| service ocserv start | |
| # 启动 ocserv | |
| service ocserv stop | |
| # 停止 ocserv | |
| service ocserv restart | |
| # 重启 ocserv | |
| service ocserv status | |
| # 查看 ocserv 运行状态 | |
| service ocserv log | |
| # 查看 ocserv 运行日志 ,systemd 无该指令 ,可以用 systemctl status ocserv 代替 | |
| service ocserv test | |
| # 测试 ocserv 配置文件是否正确 , systemd 无该指令 ,可以用ocserv -f -t -c /etc/ocserv/ocserv.conf 代替 |
配置文件:/etc/ocserv/ocserv.conf
卸载
假设你一开始源码编译安装的目录是:/root/ocserv/ocserv-0.11.8 ,那么这么做:
| cd /root/ocserv/ocserv-0.11.8 | |
| # 进入源码编辑安装目录 | |
| make uninstall | |
| # 执行卸载命令 | |
| cd .. && cd .. | |
| rm -rf ocserv/ | |
| # 回到 /root 文件夹,删除 ocserv 源码自身 | |
| rm -rf /etc/ocserv/ | |
| # 删除配置文件目录 |
如果你还下载了系统服务脚本并设置开机启动了,那么需要:
| rm -rf /etc/init.d/ocserv | |
| -f ocserv remove |
如果是systemd,那么:
systemctl stop ocserv && systemctl disable ocserv
路由表
由于ocserv默认是全局,可以通过配置/etc/ocserv/ocserv.conf的方式来指定国内流量直连,国外流量走ocserv。但是这种方法并不总是有效的。
moeclub.org大佬的路由表,使用 no-route 方式.
须将 $YourIP 替换为服务器地址,否则将会连不上服务器.
| ## No Route List | |
| no-route = $YourIP/255.255.255.255 | |
| no-route = 192.168.0.0/255.255.0.0 | |
| no-route = 1.0.0.0/255.192.0.0 | |
| no-route = 1.64.0.0/255.224.0.0 | |
| no-route = 1.112.0.0/255.248.0.0 | |
| no-route = 1.176.0.0/255.240.0.0 | |
| no-route = 1.192.0.0/255.240.0.0 | |
| no-route = 14.0.0.0/255.224.0.0 | |
| no-route = 14.96.0.0/255.224.0.0 | |
| no-route = 14.128.0.0/255.224.0.0 | |
| no-route = 14.192.0.0/255.224.0.0 | |
| no-route = 27.0.0.0/255.192.0.0 | |
| no-route = 27.96.0.0/255.224.0.0 | |
| no-route = 27.128.0.0/255.224.0.0 | |
| no-route = 27.176.0.0/255.240.0.0 | |
| no-route = 27.192.0.0/255.224.0.0 | |
| no-route = 27.224.0.0/255.252.0.0 | |
| no-route = 36.0.0.0/255.192.0.0 | |
| no-route = 36.96.0.0/255.224.0.0 | |
| no-route = 36.128.0.0/255.192.0.0 | |
| no-route = 36.192.0.0/255.224.0.0 | |
| no-route = 36.240.0.0/255.240.0.0 | |
| no-route = 39.0.0.0/255.255.0.0 | |
| no-route = 39.64.0.0/255.224.0.0 | |
| no-route = 39.96.0.0/255.240.0.0 | |
| no-route = 39.128.0.0/255.192.0.0 | |
| no-route = 40.72.0.0/255.254.0.0 | |
| no-route = 40.124.0.0/255.252.0.0 | |
| no-route = 42.0.0.0/255.248.0.0 | |
| no-route = 42.48.0.0/255.240.0.0 | |
| no-route = 42.80.0.0/255.240.0.0 | |
| no-route = 42.96.0.0/255.224.0.0 | |
| no-route = 42.128.0.0/255.128.0.0 | |
| no-route = 43.224.0.0/255.224.0.0 | |
| no-route = 45.65.16.0/255.255.240.0 | |
| no-route = 45.112.0.0/255.240.0.0 | |
| no-route = 45.248.0.0/255.248.0.0 | |
| no-route = 47.92.0.0/255.252.0.0 | |
| no-route = 47.96.0.0/255.224.0.0 | |
| no-route = 49.0.0.0/255.128.0.0 | |
| no-route = 49.128.0.0/255.224.0.0 | |
| no-route = 49.192.0.0/255.192.0.0 | |
| no-route = 52.80.0.0/255.252.0.0 | |
| no-route = 54.222.0.0/255.254.0.0 | |
| no-route = 58.0.0.0/255.128.0.0 | |
| no-route = 58.128.0.0/255.224.0.0 | |
| no-route = 58.192.0.0/255.224.0.0 | |
| no-route = 58.240.0.0/255.240.0.0 | |
| no-route = 59.32.0.0/255.224.0.0 | |
| no-route = 59.64.0.0/255.224.0.0 | |
| no-route = 59.96.0.0/255.240.0.0 | |
| no-route = 59.144.0.0/255.240.0.0 | |
| no-route = 59.160.0.0/255.224.0.0 | |
| no-route = 59.192.0.0/255.192.0.0 | |
| no-route = 60.0.0.0/255.224.0.0 | |
| no-route = 60.48.0.0/255.240.0.0 | |
| no-route = 60.160.0.0/255.224.0.0 | |
| no-route = 60.192.0.0/255.192.0.0 | |
| no-route = 61.0.0.0/255.192.0.0 | |
| no-route = 61.80.0.0/255.248.0.0 | |
| no-route = 61.128.0.0/255.192.0.0 | |
| no-route = 61.224.0.0/255.224.0.0 | |
| no-route = 91.234.36.0/255.255.255.0 | |
| no-route = 101.0.0.0/255.128.0.0 | |
| no-route = 101.128.0.0/255.224.0.0 | |
| no-route = 101.192.0.0/255.240.0.0 | |
| no-route = 101.224.0.0/255.224.0.0 | |
| no-route = 103.0.0.0/255.0.0.0 | |
| no-route = 106.0.0.0/255.128.0.0 | |
| no-route = 106.224.0.0/255.240.0.0 | |
| no-route = 110.0.0.0/255.128.0.0 | |
| no-route = 110.144.0.0/255.240.0.0 | |
| no-route = 110.160.0.0/255.224.0.0 | |
| no-route = 110.192.0.0/255.192.0.0 | |
| no-route = 111.0.0.0/255.192.0.0 | |
| no-route = 111.64.0.0/255.224.0.0 | |
| no-route = 111.112.0.0/255.240.0.0 | |
| no-route = 111.128.0.0/255.192.0.0 | |
| no-route = 111.192.0.0/255.224.0.0 | |
| no-route = 111.224.0.0/255.240.0.0 | |
| no-route = 112.0.0.0/255.128.0.0 | |
| no-route = 112.128.0.0/255.240.0.0 | |
| no-route = 112.192.0.0/255.252.0.0 | |
| no-route = 112.224.0.0/255.224.0.0 | |
| no-route = 113.0.0.0/255.128.0.0 | |
| no-route = 113.128.0.0/255.240.0.0 | |
| no-route = 113.192.0.0/255.192.0.0 | |
| no-route = 114.16.0.0/255.240.0.0 | |
| no-route = 114.48.0.0/255.240.0.0 | |
| no-route = 114.64.0.0/255.192.0.0 | |
| no-route = 114.128.0.0/255.240.0.0 | |
| no-route = 114.192.0.0/255.192.0.0 | |
| no-route = 115.0.0.0/255.0.0.0 | |
| no-route = 116.0.0.0/255.0.0.0 | |
| no-route = 117.0.0.0/255.128.0.0 | |
| no-route = 117.128.0.0/255.192.0.0 | |
| no-route = 118.16.0.0/255.240.0.0 | |
| no-route = 118.64.0.0/255.192.0.0 | |
| no-route = 118.128.0.0/255.128.0.0 | |
| no-route = 119.0.0.0/255.128.0.0 | |
| no-route = 119.128.0.0/255.192.0.0 | |
| no-route = 119.224.0.0/255.224.0.0 | |
| no-route = 120.0.0.0/255.192.0.0 | |
| no-route = 120.64.0.0/255.224.0.0 | |
| no-route = 120.128.0.0/255.240.0.0 | |
| no-route = 120.192.0.0/255.192.0.0 | |
| no-route = 121.0.0.0/255.128.0.0 | |
| no-route = 121.192.0.0/255.192.0.0 | |
| no-route = 122.0.0.0/254.0.0.0 | |
| no-route = 124.0.0.0/255.0.0.0 | |
| no-route = 125.0.0.0/255.128.0.0 | |
| no-route = 125.160.0.0/255.224.0.0 | |
| no-route = 125.192.0.0/255.192.0.0 | |
| no-route = 137.59.59.0/255.255.255.0 | |
| no-route = 137.59.88.0/255.255.252.0 | |
| no-route = 139.0.0.0/255.224.0.0 | |
| no-route = 139.128.0.0/255.128.0.0 | |
| no-route = 140.64.0.0/255.240.0.0 | |
| no-route = 140.128.0.0/255.240.0.0 | |
| no-route = 140.192.0.0/255.192.0.0 | |
| no-route = 144.0.0.0/255.248.0.0 | |
| no-route = 144.12.0.0/255.255.0.0 | |
| no-route = 144.48.0.0/255.248.0.0 | |
| no-route = 144.123.0.0/255.255.0.0 | |
| no-route = 144.255.0.0/255.255.0.0 | |
| no-route = 146.196.0.0/255.255.128.0 | |
| no-route = 150.0.0.0/255.255.0.0 | |
| no-route = 150.96.0.0/255.224.0.0 | |
| no-route = 150.128.0.0/255.240.0.0 | |
| no-route = 150.192.0.0/255.192.0.0 | |
| no-route = 152.104.128.0/255.255.128.0 | |
| no-route = 153.0.0.0/255.192.0.0 | |
| no-route = 153.96.0.0/255.224.0.0 | |
| no-route = 157.0.0.0/255.255.0.0 | |
| no-route = 157.18.0.0/255.255.0.0 | |
| no-route = 157.61.0.0/255.255.0.0 | |
| no-route = 157.112.0.0/255.240.0.0 | |
| no-route = 157.144.0.0/255.240.0.0 | |
| no-route = 157.255.0.0/255.255.0.0 | |
| no-route = 159.226.0.0/255.255.0.0 | |
| no-route = 160.19.0.0/255.255.0.0 | |
| no-route = 160.20.48.0/255.255.252.0 | |
| no-route = 160.202.0.0/255.255.0.0 | |
| no-route = 160.238.64.0/255.255.252.0 | |
| no-route = 161.207.0.0/255.255.0.0 | |
| no-route = 162.105.0.0/255.255.0.0 | |
| no-route = 163.0.0.0/255.192.0.0 | |
| no-route = 163.96.0.0/255.224.0.0 | |
| no-route = 163.128.0.0/255.192.0.0 | |
| no-route = 163.192.0.0/255.224.0.0 | |
| no-route = 164.52.0.0/255.255.128.0 | |
| no-route = 166.111.0.0/255.255.0.0 | |
| no-route = 167.139.0.0/255.255.0.0 | |
| no-route = 167.189.0.0/255.255.0.0 | |
| no-route = 167.220.244.0/255.255.252.0 | |
| no-route = 168.160.0.0/255.255.0.0 | |
| no-route = 170.179.0.0/255.255.0.0 | |
| no-route = 171.0.0.0/255.128.0.0 | |
| no-route = 171.192.0.0/255.224.0.0 | |
| no-route = 175.0.0.0/255.128.0.0 | |
| no-route = 175.128.0.0/255.192.0.0 | |
| no-route = 180.64.0.0/255.192.0.0 | |
| no-route = 180.128.0.0/255.128.0.0 | |
| no-route = 182.0.0.0/255.0.0.0 | |
| no-route = 183.0.0.0/255.192.0.0 | |
| no-route = 183.64.0.0/255.224.0.0 | |
| no-route = 183.128.0.0/255.128.0.0 | |
| no-route = 192.124.154.0/255.255.255.0 | |
| no-route = 192.140.128.0/255.255.128.0 | |
| no-route = 202.0.0.0/255.128.0.0 | |
| no-route = 202.128.0.0/255.192.0.0 | |
| no-route = 202.192.0.0/255.224.0.0 | |
| no-route = 203.0.0.0/255.0.0.0 | |
| no-route = 210.0.0.0/255.192.0.0 | |
| no-route = 210.64.0.0/255.224.0.0 | |
| no-route = 210.160.0.0/255.224.0.0 | |
| no-route = 210.192.0.0/255.224.0.0 | |
| no-route = 211.64.0.0/255.248.0.0 | |
| no-route = 211.80.0.0/255.240.0.0 | |
| no-route = 211.96.0.0/255.248.0.0 | |
| no-route = 211.136.0.0/255.248.0.0 | |
| no-route = 211.144.0.0/255.240.0.0 | |
| no-route = 211.160.0.0/255.248.0.0 | |
| no-route = 216.250.108.0/255.255.252.0 | |
| no-route = 218.0.0.0/255.128.0.0 | |
| no-route = 218.160.0.0/255.224.0.0 | |
| no-route = 218.192.0.0/255.192.0.0 | |
| no-route = 219.64.0.0/255.224.0.0 | |
| no-route = 219.128.0.0/255.224.0.0 | |
| no-route = 219.192.0.0/255.192.0.0 | |
| no-route = 220.96.0.0/255.224.0.0 | |
| no-route = 220.128.0.0/255.128.0.0 | |
| no-route = 221.0.0.0/255.224.0.0 | |
| no-route = 221.96.0.0/255.224.0.0 | |
| no-route = 221.128.0.0/255.128.0.0 | |
| no-route = 222.0.0.0/255.0.0.0 | |
| no-route = 223.0.0.0/255.224.0.0 | |
| no-route = 223.64.0.0/255.192.0.0 | |
| no-route = 223.128.0.0/255.128.0.0 |
配置证书登录
服务端
配置证书登录
上面是介绍的是使用用户名和密码的方法进行登录,但是每次登录都要输入密码,很麻烦,这里介绍一下如何使用证书登录。
建立相关证书配置文件夹
mkdir -p /etc/ocserv/template
建立ca证书模板
| cat >/etc/ocserv/template/ca.tmp<<EOF | |
| cn = "Zorz CA" | |
| organization = "zorz" | |
| serial = 1 | |
| expiration_days = 3650 | |
| ca | |
| signing_key | |
| cert_signing_key | |
| crl_signing_key | |
| EOF |
生成ca证书的密钥
openssl genrsa -out /etc/ocserv/template/ca.key.pem 2048
生成ca证书
certtool --generate-self-signed --hash SHA256 --load-privkey /etc/ocserv/template/ca.key.pem --template /etc/ocserv/template/ca.tmp --outfile /etc/ocserv/template/ca.cert.pem
建立user证书模板
| cat >/etc/ocserv/template/user.tmp<<EOF | |
| cn = "Zorz" | |
| unit = "Zorz" | |
| expiration_days = 1825 | |
| signing_key | |
| tls_www_client | |
| EOF |
生成user证书的密钥
openssl genrsa -out /etc/ocserv/template/user.key.pem 2048
生成user证书
certtool --generate-certificate --hash SHA256 --load-privkey /etc/ocserv/template/user.key.pem --load-ca-certificate /etc/ocserv/template/ca.cert.pem --load-ca-privkey /etc/ocserv/template/ca.key.pem --template /etc/ocserv/template/user.tmp --outfile /etc/ocserv/template/user.cert.pem
生成Diffie-Hellman密钥
certtool --generate-dh-params --outfile /etc/ocserv/dh.pem
补全证书链
cat /etc/ocserv/template/ca.cert.pem >>/etc/ocserv/template/user.cert.pem
生成.p12证书文件
openssl pkcs12 -export -inkey /etc/ocserv/template/user.key.pem -in /etc/ocserv/template/user.cert.pem -name "Zorz" -certfile /etc/ocserv/template/ca.cert.pem -caname "Zorz CA" -out /etc/ocserv/AnyConnect.p12 -passout pass:
更改为使用证书。
修改/etc/ocserv/ocserv.conf
| 将 | |
| /etc/ocserv/ssl/ca-cert.pem | |
| 修改为 | |
| ca-cert = /etc/ocserv/template/ca.cert.pem | |
| 将 | |
| auth = "plain[passwd=/etc/ocserv/ocpasswd]" | |
| 修改为 | |
| #auth = "plain[passwd=/etc/ocserv/ocpasswd]" | |
| 添加 | |
| auth = "certificate" | |
| cert-user-oid = 2.5.4.3 |
客户端
Windows
下载AnyConnect.p12文件,双击,选择导入到本地计算机.
之后一直下一步,不用输入任何密码(如果没设置密码).
iPhone
只能用URL的方式导入,所以需要配置好HTTP服务器(如:nginx.).
首先需要建立一个链接.
点击诊断,证书,导入用户证书,粘贴AnyConnect.p12证书文件的地址.
WindowsPhone
下载AnyConnect.p12文件,点安装.
之后一直下一步,不用输入任何密码(如果没设置密码).
Android
下载AnyConnect.p12文件到手机中.
在OpenConnect中配置链接,用户认证的地方选择AnyConnect.p12文件即可。
内容大概就是这样,部分内容来自:doub.io 和 moeclub.org.
( ,,´・ω・)