Ocserv: difference between revisions
Latest revision as of 17:32, 11 January 2024 (Thu)

ocserv is a VPN server that supports the Cisco AnyConnect protocol.
== Installation ==
On Ubuntu it can be installed like this:
<syntaxhighlight lang="bash">
sudo apt install -y ocserv; sudo apt clean
</syntaxhighlight>
Note that the ocserv shipped with Ubuntu 22.04 currently has quite a few problems (for example in handling TLS 1.3 connections).
== Configuration ==
After installation, configure it in <code>/etc/ocserv/ocserv.conf</code>:
<syntaxhighlight lang="ini">
#
auth = "pam"
# TLS (TCP) control channel and DTLS (UDP) data channel on the same port number
tcp-port = 8443
udp-port = 8443
run-as-user = nobody
run-as-group = daemon
socket-file = /var/run/ocserv-socket
# certificate issued through dehydrated (an ACME client)
server-cert = /etc/dehydrated/certs/vpn.example.com/fullchain.pem
server-key = /etc/dehydrated/certs/vpn.example.com/privkey.pem
ca-cert = /etc/ssl/certs/ca-certificates.crt
isolate-workers = true
max-clients = 120
max-same-clients = 32
keepalive = 32400
dpd = 90
mobile-dpd = 1800
try-mtu-discovery = true
# OID used to take the username from a client certificate (uid)
cert-user-oid = 0.9.2342.19200300.100.1.1
# GnuTLS priority string; SSL 3.0 is explicitly disabled
tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-VERS-SSL3.0"
auth-timeout = 240
min-reauth-time = 3
# temporary ban of a client address after repeated failures
max-ban-score = 50
ban-reset-time = 300
cookie-timeout = 300
deny-roaming = false
rekey-time = 172800
rekey-method = ssl
use-utmp = true
use-occtl = true
pid-file = /var/run/ocserv.pid
device = vpns
predictable-ips = true
default-domain = example.com
ipv4-network = 192.168.254.0
ipv4-netmask = 255.255.255.128
ipv6-network = fda9:4efe:7e3b:03ea::/48
dns = 8.8.8.8
split-dns = example.com
split-dns = example.net
ping-leases = false
route = 10.10.0.0/16
route = 10.20.0.0/16
# compatibility with older Cisco AnyConnect clients
cisco-client-compat = true
dtls-legacy = true
</syntaxhighlight>
Where:
* Authentication goes through <code>pam</code>; the corresponding packages have to be installed separately afterwards.
* Setting <code>route</code> to <code>default</code> means all traffic is routed through the VPN; otherwise list the routes to be pushed to clients one per line.
* <code>split-dns</code> is mainly for internal domains (ones that cannot be resolved from outside) and is not necessarily needed.
=== NAT ===
In the example above we need to set up NAT for <code>192.168.254.0/25</code>:
<syntaxhighlight lang="bash">
sudo iptables -t nat -A POSTROUTING -s 192.168.254.0/25 -o ens5 -j MASQUERADE
</syntaxhighlight>
Then save it with the command provided by the iptables-persistent package:
<syntaxhighlight lang="bash">
sudo iptables-save | sudo tee /etc/iptables/rules.v4
</syntaxhighlight>
=== Performance ===
In addition, Ubuntu's default systemd configuration makes DTLS (UDP) unusable, leaving only TLS (TCP), which gives poor transfer performance, so it has to be fixed:
<syntaxhighlight lang="bash">
# drop the dependency on ocserv.socket so ocserv opens its own TCP and UDP listeners
sudo sed -i -E -e 's/^(Requires=ocserv.socket)/#\1/' -e 's/^(Also=ocserv.socket)/#\1/' /lib/systemd/system/ocserv.service
sudo systemctl stop ocserv
sudo systemctl disable ocserv.service
sudo systemctl disable ocserv.socket
sudo systemctl daemon-reload
sudo systemctl start ocserv
sudo systemctl enable ocserv
</syntaxhighlight>
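An added check for the state this fix addresses (example shell, not from the wiki page): it inspects a unit file for the <code>Requires=ocserv.socket</code> / <code>Also=ocserv.socket</code> lines the sed command targets and reports whether DTLS can come up. The sample unit file is constructed, and <code>comment_socket_lines</code> is a hypothetical helper that reproduces the page's edit on a copy.

```shell
#!/usr/bin/env bash
# Added example, not part of the original page. Checks whether an ocserv unit
# file still depends on ocserv.socket (the lines the sed command above comments
# out). With socket activation systemd hands ocserv only the TCP listener, so
# the DTLS/UDP channel never comes up; this check reports that state.

# Returns 0 when an active (uncommented) Requires=/Also=ocserv.socket line is
# present, 1 otherwise. Leading whitespace is tolerated so an indented line is
# not missed.
socket_bound() {
    grep -Eq '^[[:space:]]*(Requires|Also)=ocserv\.socket' "$1"
}

# Prints a one-line verdict; exit status 0 means the fix has been applied.
report_unit() {
    local unit="$1"
    if socket_bound "$unit"; then
        echo "$unit: still bound to ocserv.socket, DTLS (UDP) will not be available"
        return 1
    fi
    echo "$unit: no socket dependency, ocserv opens tcp-port/udp-port itself"
    return 0
}

# Same edit as the page's sed, written to stdout so it can be reviewed before
# touching /lib/systemd/system (hypothetical helper, not an ocserv tool).
comment_socket_lines() {
    sed -E -e 's/^(Requires=ocserv\.socket)/#\1/' \
           -e 's/^(Also=ocserv\.socket)/#\1/' "$1"
}

# Constructed sample unit (not copied from any package) and its fixed copy,
# written into the directory given as $1.
make_samples() {
    cat > "$1/before.service" <<'EOF'
[Unit]
Description=constructed ocserv unit for the check above
Requires=ocserv.socket

[Install]
WantedBy=multi-user.target
Also=ocserv.socket
EOF
    comment_socket_lines "$1/before.service" > "$1/after.service"
}

# Stand-alone demo: exercise both files in a temporary directory.
demo_dir=$(mktemp -d)
make_samples "$demo_dir"
report_unit "$demo_dir/before.service" || true
report_unit "$demo_dir/after.service"
rm -rf "$demo_dir"
```

Point <code>report_unit</code> at <code>/lib/systemd/system/ocserv.service</code> on a host to confirm the edit is still in place after a package upgrade, since files under <code>/lib/systemd/system</code> belong to the package.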
== External links ==
* Official website (in English)