办公网穿透公有云

内网穿透   运维技术  

Centos7 Ocserv安装

  • 安装YUM扩展源
yum install -y epel-release  
  • 开启IP转发
vim /etc/sysctl.conf  
net.ipv4.ip_forward = 1

sysctl -p  
  • 安装ocserv
yum install -y ocserv  
  • 配置ocserv
# cd /etc/ocserv/
# cp ocserv.conf ocserv.conf.org

# vim ocserv.conf
auth = "plain[passwd=/etc/ocserv/ocpasswd]"  
tcp-port = 10543  
udp-port = 10542  
run-as-user = ocserv  
run-as-group = ocserv  
socket-file = ocserv.sock  
chroot-dir = /var/lib/ocserv  
isolate-workers = true  
max-clients = 1024  
max-same-clients = 10  
keepalive = 32400  
dpd = 90  
mobile-dpd = 1800  
switch-to-tcp-timeout = 25  
try-mtu-discovery = false  
server-cert = /etc/pki/ocserv/public/server.crt  
server-key = /etc/pki/ocserv/private/server.key  
tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-VERS-SSL3.0"  
auth-timeout = 240  
min-reauth-time = 300  
max-ban-score = 50  
ban-reset-time = 300  
cookie-timeout = 86400  
deny-roaming = false  
rekey-time = 172800  
rekey-method = ssl  
use-occtl = true  
pid-file = /var/run/ocserv.pid  
device = vpns  
predictable-ips = true  
ipv4-network = 172.16.88.0/24  
dns = 8.8.8.8  
dns = 8.8.4.4  
ping-leases = false  
cisco-client-compat = true  
dtls-legacy = true  
route = 17.0.0.0/255.0.0.0  
route = 192.12.74.0/255.255.255.0  
route = 192.42.249.0/255.255.255.0  
route = 108.160.160.0/255.255.240.0  
route = 199.47.216.0/255.255.252.0  
route = 192.30.252.0/255.255.252.0  
route = 8.15.202.0/255.255.255.0  
route = 8.34.208.0/255.255.240.0  
route = 8.35.192.0/255.255.240.0  
route = 8.6.48.0/255.255.248.0  
  • 添加客户端账号
# ocpasswd -c /etc/ocserv/ocpasswd vpnuser
Enter password: yourpass  
Re-enter password: yourpass  
  • 配置防火墙
#vim /etc/sysconfig/iptables
# Generated by iptables-save v1.4.21 on Wed Mar  9 10:05:06 2022
*filter
:INPUT ACCEPT [28430785:14689347708]
:FORWARD ACCEPT [2297543:328253738]
:OUTPUT ACCEPT [36922478:9482793166]
COMMIT  
# Completed on Wed Mar  9 10:05:06 2022
# Generated by iptables-save v1.4.21 on Wed Mar  9 10:05:06 2022
*nat
:PREROUTING ACCEPT [12522014:624733803]
:INPUT ACCEPT [7842217:402668531]
:OUTPUT ACCEPT [131529:6942514]
:POSTROUTING ACCEPT [9936:753382]
#  192.168.0.183 ocserv ip
-A PREROUTING -d 192.168.0.183/32 -p tcp -m tcp --dport 3602 -j DNAT --to-destination 172.16.88.23   # tun client ip
-A POSTROUTING -d 172.16.88.23/32 -j SNAT --to-source 172.16.88.1  #tun network
COMMIT  
# Completed on Wed Mar  9 10:05:06 2022
  • 启动ocserv
# systemctl enable ocserv
# systemctl restart ocserv

OpenConnect客户端安装

  • 安装openconnect
# yum install -y epel-release
# yum install -y openconnect
  • 使用密码连接
# cat vpn-conn.sh
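#!/bin/bash
# Keep an OpenConnect tunnel to the ocserv host alive.
#
# Usage: vpn-conn.sh start|stop
#   start - loop forever, (re)launching openconnect whenever no client
#           process for ${user} is running
#   stop  - terminate the running openconnect client for ${user}
#
# Note: "stop" only kills the client. A "start" loop that is still running
# (e.g. the one launched from rc.local) will reconnect on its next check,
# so stop that loop as well if the tunnel must stay down.

host="x.x.x.x:10543"
user="vpnuser"
# Plaintext secret: keep this file readable by root only (chmod 600).
pass="xxxxxx"
# First connection: run `openconnect -u xxx --no-dtls --servercert <anything> x.x.x.x`;
# its output prints the real pin, copy it here so later runs can use it.
# Per the original author, change this key as well if the port is changed.
cert="pin-sha256:odAQv6v6F0xxxx"

# Seconds between liveness checks / reconnect attempts (same in both branches).
interval=10
# Matched (as a regex) against the full command line of running processes.
pattern="openconnect -u ${user}"

# Returns 0 when an openconnect client for ${user} is already running.
is_running() {
  pgrep -f -- "${pattern}" >/dev/null
}

# Launch openconnect in the background. The password is fed on stdin
# (--passwd-on-stdin) so it never appears in the process argument list;
# --servercert pins the expected server certificate.
connect() {
  printf '%s\n' "${pass}" | openconnect -u "${user}" --no-dtls --passwd-on-stdin \
    --servercert "${cert}" "${host}" &
}

# "${1:-}" avoids an "unary operator expected" error when no argument is given.
case "${1:-}" in
  start)
    while true; do
      if is_running; then
        echo "connecting"
      else
        connect
      fi
      sleep "${interval}"
    done
    ;;
  stop)
    # TERM first so openconnect can restore routes/DNS; -9 would skip that cleanup.
    pkill -TERM -f -- "${pattern}" || echo "no openconnect process found" >&2
    ;;
  *)
    echo "please input start or stop" >&2
    exit 2
    ;;
esac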
  • 开机启动
cd /root && sh vpn.sh start > ./vpn.log 2>&1 &  

连接建立后,通过Nginx 四层做映射或NAT映射内外网