
Heavily modified AnyConnect backend

Open aiastia opened this issue 6 years ago • 5 comments

Derived from and written up by following this tutorial.

Done on CentOS 6 x64.

1. Dependencies

        yum install pam-devel readline-devel http-parser-devel unbound gmp-devel
        yum install tar gzip xz wget gcc make autoconf

2. Install nettle

        cd
        wget https://ftp.gnu.org/gnu/nettle/nettle-3.1.tar.gz
        tar zxvf nettle-3.1.tar.gz
        cd nettle-3.1/
        ./configure --prefix=/usr/local/nettle
        make && make install
        echo '/usr/local/nettle/lib64/' > /etc/ld.so.conf.d/nettle.conf
        ldconfig

3. Install gnutls

        cd
        export NETTLE_CFLAGS="-I/usr/local/nettle/include/"
        export NETTLE_LIBS="-L/usr/local/nettle/lib64/ -lnettle"
        export HOGWEED_LIBS="-L/usr/local/nettle/lib64/ -lhogweed"
        export HOGWEED_CFLAGS="-I/usr/local/nettle/include"
        wget ftp://ftp.gnutls.org/gcrypt/gnutls/v3.4/gnutls-3.4.7.tar.xz
        tar xvf gnutls-3.4.7.tar.xz
        cd gnutls-3.4.7
        ./configure --prefix=/usr/local/gnutls --with-included-libtasn1 --without-p11-kit
        make && make install
        ln -s /usr/local/gnutls/bin/certtool /usr/bin/certtool
        echo '/usr/local/gnutls/lib/' > /etc/ld.so.conf.d/gnutls.conf
        ldconfig

4. Install libnl

        cd
        yum install bison flex
        wget https://www.infradead.org/~tgr/libnl/files/libnl-3.2.25.tar.gz
        tar xvf libnl-3.2.25.tar.gz
        cd libnl-3.2.25
        ./configure --prefix=/usr/local/libnl
        make && make install
        echo '/usr/local/libnl/lib/' > /etc/ld.so.conf.d/libnl.conf
        ldconfig

5. Install the RADIUS pieces

        export LIBNL3_LIBS="-L/usr/local/libnl/lib/ -lnl-3 -lnl-route-3"
        export LIBGNUTLS_LIBS="-L/usr/local/gnutls/lib/ -lgnutls"
        export LIBGNUTLS_CFLAGS="-I/usr/local/gnutls/include/"
        wget https://github.com/radcli/radcli/releases/download/1.2.5/radcli-1.2.5.tar.gz
        tar xvzf radcli-1.2.5.tar.gz
        cd radcli-1.2.5
        ./configure --prefix=/usr/local/radcli
        echo '/usr/local/radcli/lib/' > /etc/ld.so.conf.d/radcli.conf
        make && make install
        ldconfig
        yum install freeradius-client -y

6. Install the main event, ocserv

        export RADCLI_LIBS="-L/usr/local/radcli/lib/ -lradcli"
        export RADCLI_CFLAGS="-I/usr/local/radcli/include/"
        wget ftp://ftp.infradead.org/pub/ocserv/ocserv-0.10.9.tar.xz
        tar xvf ocserv-0.10.9.tar.xz
        cd ocserv-0.10.9

Edit src/vpn.h:

        #define DEFAULT_CONFIG_ENTRIES 96

Change the 96 to 200.

        ./configure --prefix=/usr/local/ocserv
        make && make install
        echo 'export PATH=$PATH:/usr/local/ocserv/sbin/:/usr/local/ocserv/bin/' >> $HOME/.bashrc
        source $HOME/.bashrc

7. Certificates

I have a wildcard certificate here, so I won't generate one; I'll just use it.

        mkdir /etc/ocserv/

Edit /etc/ocserv/server-cert.pem and paste the certificate in. Remember to paste only one, the certificate issued to you; if you paste the whole chain it errors out later, apparently because of something off with the CA certificate.

Then chmod 600 /etc/ocserv/server-cert.pem. Same for server-key.pem: paste the key in and set the permissions the same way.

8. freeradius-client setup

I only set up login authentication here.

Edit /etc/radiusclient/radiusclient.conf

yourserveraddress stands for the RADIUS server address.

        authserver      yourserveraddress:1812
        acctserver      yourserveraddress:1813
        dictionary      /etc/radiusclient/dictionary

Also remember that the permissions have to be set up on the RADIUS server side as well.

Then edit /etc/radiusclient/servers and add the following line. yourserveraddress stands for the RADIUS server address and yourserversecret for the RADIUS server secret.

        yourserveraddress                   yourserversecret

9. Configuration file

For the configuration file, go back to the directory where we just compiled ocserv.

        cd /root/ocserv-0.10.9
        cp ./tests/docker-ocserv/ocserv-radius.conf /etc/ocserv/ocserv.conf

Then edit /etc/ocserv/ocserv.conf.

The main settings to change:

        try-mtu-discovery = true
        cisco-client-compat = true
        server-cert = /etc/ocserv/server-cert.pem
        server-key = /etc/ocserv/server-key.pem
        max-clients = 50
        max-same-clients = 10
        tcp-port = 5444
        udp-port = 5444
        dns = 8.8.8.8
        dns = 8.8.4.4
        ipv4-network = 192.168.10.0
        occtl-socket-file = /var/run/occtl.socket
        #ca-cert=....

Yes, that's right: comment ca-cert out. Also pay special attention to the routing table: comment out both the no-route and route lines first, then add the following.

        route = 103.0.0.0/255.0.0.0
        route = 106.0.0.0/255.0.0.0
        route = 107.0.0.0/255.0.0.0
        route = 108.0.0.0/255.0.0.0
        route = 141.0.0.0/255.0.0.0
        route = 153.0.0.0/255.0.0.0
        route = 160.0.0.0/255.0.0.0
        route = 166.0.0.0/255.0.0.0
        route = 17.0.0.0/255.0.0.0
        route = 173.0.0.0/255.0.0.0
        route = 176.0.0.0/255.0.0.0
        route = 178.0.0.0/255.0.0.0
        route = 184.0.0.0/255.0.0.0
        route = 194.0.0.0/255.0.0.0
        route = 198.0.0.0/255.0.0.0
        route = 199.0.0.0/255.0.0.0
        route = 203.0.0.0/255.0.0.0
        route = 204.0.0.0/255.0.0.0
        route = 205.0.0.0/255.0.0.0
        route = 208.0.0.0/255.0.0.0
        route = 209.0.0.0/255.0.0.0
        route = 210.0.0.0/255.0.0.0
        route = 216.0.0.0/255.0.0.0
        route = 3.0.0.0/255.0.0.0
        route = 4.0.0.0/255.0.0.0
        route = 31.0.0.0/255.0.0.0
        route = 46.0.0.0/255.0.0.0
        route = 50.0.0.0/255.0.0.0
        route = 54.0.0.0/255.0.0.0
        route = 61.0.0.0/255.0.0.0
        route = 64.0.0.0/255.0.0.0
        route = 67.0.0.0/255.0.0.0
        route = 68.0.0.0/255.0.0.0
        route = 69.0.0.0/255.0.0.0
        route = 70.0.0.0/255.0.0.0
        route = 72.0.0.0/255.0.0.0
        route = 74.0.0.0/255.0.0.0
        route = 75.0.0.0/255.0.0.0
        route = 76.0.0.0/255.0.0.0
        route = 77.0.0.0/255.0.0.0
        route = 79.0.0.0/255.0.0.0
        route = 8.0.0.0/255.0.0.0
        route = 23.0.0.0/255.0.0.0
        route = 93.0.0.0/255.0.0.0
        route = 96.0.0.0/255.0.0.0
        route = 100.0.0.0/248.0.0.0
        route = 109.0.0.0/255.0.0.0
        route = 128.0.0.0/255.0.0.0
        route = 174.0.0.0/255.0.0.0
        route = 190.0.0.0/255.0.0.0
        route = 192.0.0.0/255.0.0.0

OK, save.
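The following is an added example, not code from the original post or from the ocserv or radcli projects: a small POSIX shell audit for the files set up in steps 7 to 9. It normalizes each `route =` entry from netmask form to prefix form (the post's `100.0.0.0/248.0.0.0` is not on a network boundary; the block the mask actually describes is `96.0.0.0/5`), reports pushed routes that also contain the `ipv4-network` pool (the post's `192.0.0.0/255.0.0.0` is a /8 that also takes in `192.168.10.0`, and with it the whole `192.168.0.0/16` private range that clients' own LANs usually live in), confirms that `ca-cert` is commented out, and checks that files holding private material are mode 0600 or tighter, the mode the post sets on `server-key.pem` and one that `/etc/radiusclient/servers`, which stores the RADIUS shared secret, deserves too. The config excerpt inside is constructed from the post's settings; `stat -c %a` (GNU coreutils, as on CentOS) is assumed, with a BSD fallback.

```shell
#!/bin/sh
# Audit helper for the ocserv + radiusclient setup from steps 7-9.
# Added example: not from the original post, ocserv or radcli.
# Assumes GNU stat (-c %a) or BSD stat (-f %Lp); the sample config is constructed.

# ip2int A.B.C.D -> unsigned 32-bit value
ip2int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# int2ip N -> A.B.C.D
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# mask2prefix NETMASK -> prefix length; fails on a non-contiguous mask
mask2prefix() {
    m=$(ip2int "$1")
    p=0
    while [ "$p" -lt 32 ] && [ $(( (m >> (31 - p)) & 1 )) -eq 1 ]; do
        p=$((p + 1))
    done
    # every bit below the prefix must be zero, otherwise the mask has holes
    [ $(( m & ((1 << (32 - p)) - 1) )) -eq 0 ] || return 1
    echo "$p"
}

# normalize_route ADDR/NETMASK -> NETWORK/PREFIX; warns on stderr when ADDR
# has host bits set, i.e. the entry is not written as a network address
normalize_route() {
    addr=${1%/*}; mask=${1#*/}
    prefix=$(mask2prefix "$mask") || { echo "bad netmask in route $1" >&2; return 1; }
    a=$(ip2int "$addr"); net=$(( a & $(ip2int "$mask") ))
    [ "$net" -eq "$a" ] || echo "route $1 is not on a network boundary; the mask selects $(int2ip "$net")/$prefix" >&2
    echo "$(int2ip "$net")/$prefix"
}

# covers NETWORK/PREFIX ADDR -> 0 if ADDR lies inside NETWORK/PREFIX
covers() {
    p=${1#*/}
    m=$(( (4294967295 << (32 - p)) & 4294967295 ))
    [ $(( $(ip2int "$2") & m )) -eq $(( $(ip2int "${1%/*}") & m )) ]
}

# conf_value FILE KEY -> first uncommented "KEY = value" in an ocserv.conf
conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# pool_overlaps FILE -> number of pushed routes that also contain the ipv4-network pool
pool_overlaps() {
    pool=$(conf_value "$1" ipv4-network)
    n=0
    for r in $(sed -n 's/^[[:space:]]*route[[:space:]]*=[[:space:]]*//p' "$1"); do
        net=$(normalize_route "$r" 2>/dev/null) || continue
        if covers "$net" "$pool"; then
            echo "route $r ($net) also contains the VPN pool $pool" >&2
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# ca_cert_active FILE -> 0 if an uncommented ca-cert line is still present
ca_cert_active() {
    grep -q '^[[:space:]]*ca-cert[[:space:]]*=' "$1"
}

# secret_file_ok FILE -> 0 when group and others have no access bits (0600 or tighter)
secret_file_ok() {
    mode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1") || return 1
    [ $(( 0$mode & 63 )) -eq 0 ]
}

# write_sample_conf -> path of a constructed excerpt of the step 9 ocserv.conf
write_sample_conf() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
cisco-client-compat = true
server-cert = /etc/ocserv/server-cert.pem
server-key = /etc/ocserv/server-key.pem
ipv4-network = 192.168.10.0
#ca-cert=....
route = 8.0.0.0/255.0.0.0
route = 100.0.0.0/248.0.0.0
route = 192.0.0.0/255.0.0.0
EOF
    echo "$f"
}

# Demo on the constructed sample; on a real host point the checks at
# /etc/ocserv/ocserv.conf, /etc/ocserv/server-key.pem and /etc/radiusclient/servers.
sample=$(write_sample_conf)
for r in $(sed -n 's/^[[:space:]]*route[[:space:]]*=[[:space:]]*//p' "$sample"); do
    echo "$r -> $(normalize_route "$r")"
done
echo "routes that also contain the pool: $(pool_overlaps "$sample")"
ca_cert_active "$sample" && echo "ca-cert is still active" || echo "ca-cert is commented out"
secret_file_ok "$sample" && echo "sample file is private (0600)" || echo "sample file is readable by others"
rm -f "$sample"
```

`pool_overlaps` and `ca_cert_active` take the ocserv.conf path; `secret_file_ok` takes a file path and is meant for both the key file and the radiusclient servers file. The demo at the bottom only touches the constructed sample, so it can be run on any machine before the real files are checked.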

9. Firewall & system configuration

        echo 1 > /proc/sys/net/ipv4/ip_forward
        echo "echo 1 > /proc/sys/net/ipv4/ip_forward " >> /etc/rc.local
        iptables -t nat -A POSTROUTING  -o eth0 -j MASQUERADE
        service iptables save

10. Run ocserv

        ocserv -f -c /etc/ocserv/ocserv.conf

You can connect now; I won't go into the details here.

Add that line to /etc/rc.local and it will start on boot.

aiastia, Jul 30 '18 13:07