Ocserv: Difference between revisions

From Gea-Suan Lin's Wiki
No edit summary
Line 10: Line 10:
== 設定 ==
== 設定 ==


[[Ubuntu]]預設的systemd設定會使得DTLS(UDP)無法使用,所以要修正:
在<code>/etc/oserv/ocserv.conf</code>內設定:
 
<syntaxhighlight lang="ini">
#
auth = "pam"
tcp-port = 8443
udp-port = 8443
run-as-user = nobody
run-as-group = daemon
socket-file = /var/run/ocserv-socket
server-cert = /etc/dehydrated/certs/vpn.example.com/fullchain.pem
server-key = /etc/dehydrated/certs/vpn.example.com/privkey.pem
ca-cert = /etc/ssl/certs/ca-certificates.crt
isolate-workers = true
max-clients = 240
max-same-clients = 32
keepalive = 32400
dpd = 90
mobile-dpd = 1800
try-mtu-discovery = false
cert-user-oid = 0.9.2342.19200300.100.1.1
tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-VERS-SSL3.0"
auth-timeout = 240
min-reauth-time = 3
max-ban-score = 50
ban-reset-time = 300
cookie-timeout = 300
deny-roaming = false
rekey-time = 172800
rekey-method = ssl
use-utmp = true
use-occtl = true
pid-file = /var/run/ocserv.pid
device = vpns
predictable-ips = true
default-domain = example.com
ipv4-network = 192.168.254.0
ipv4-netmask = 255.255.255.0
ipv6-network = fda9:4efe:7e3b:03ea::/48
dns = 8.8.8.8
split-dns = example.com
split-dns = example.net
ping-leases = false
route = 10.0.0.0/8
cisco-client-compat = true
dtls-legacy = true
</syntaxhighlight>
 
另外,[[Ubuntu]]預設的systemd設定會使得DTLS(UDP)無法使用 ,只能使用TLS(TCP)而導致傳輸效率不佳 ,所以要修正:


<syntaxhighlight lang="bash">
<syntaxhighlight lang="bash">
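Review bot: the new line `在<code>/etc/oserv/ocserv.conf</code>內設定:` spells the directory "oserv" while every other identifier in the same hunk is "ocserv" (ocserv.conf, /var/run/ocserv-socket, /var/run/ocserv.pid), so this reads as a typo that points readers at a path that does not exist; suggest `/etc/ocserv/ocserv.conf`. Secondary point on the added ini block: `tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-VERS-SSL3.0"` only removes SSLv3 and keeps `%COMPAT`; a one-line remark on whether older TLS versions are meant to stay enabled for Cisco client compatibility would help later readers.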

Revision as of 02:51, 17 January 2020 (Fri)

ocserv is a VPN server that supports the Cisco AnyConnect protocol.

Installation

<syntaxhighlight lang="bash">
sudo apt install -y ocserv; sudo apt clean
</syntaxhighlight>

Configuration

Set the following in /etc/ocserv/ocserv.conf:

<syntaxhighlight lang="ini">
#
auth = "pam"
tcp-port = 8443
udp-port = 8443
run-as-user = nobody
run-as-group = daemon
socket-file = /var/run/ocserv-socket
server-cert = /etc/dehydrated/certs/vpn.example.com/fullchain.pem
server-key = /etc/dehydrated/certs/vpn.example.com/privkey.pem
ca-cert = /etc/ssl/certs/ca-certificates.crt
isolate-workers = true
max-clients = 240
max-same-clients = 32
keepalive = 32400
dpd = 90
mobile-dpd = 1800
try-mtu-discovery = false
cert-user-oid = 0.9.2342.19200300.100.1.1
tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-VERS-SSL3.0"
auth-timeout = 240
min-reauth-time = 3
max-ban-score = 50
ban-reset-time = 300
cookie-timeout = 300
deny-roaming = false
rekey-time = 172800
rekey-method = ssl
use-utmp = true
use-occtl = true
pid-file = /var/run/ocserv.pid
device = vpns
predictable-ips = true
default-domain = example.com
ipv4-network = 192.168.254.0
ipv4-netmask = 255.255.255.0
ipv6-network = fda9:4efe:7e3b:03ea::/48
dns = 8.8.8.8
split-dns = example.com
split-dns = example.net
ping-leases = false
route = 10.0.0.0/8
cisco-client-compat = true
dtls-legacy = true
</syntaxhighlight>
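An added example, not part of this wiki page: a small POSIX shell audit that reads an ocserv.conf-style file and checks a handful of the security-relevant keys from the block above (SSLv3 removed from tls-priorities, isolate-workers, run-as-user, udp-port, max-same-clients, max-ban-score). The sample config written by make_sample_conf is constructed for the demo and deliberately leaves udp-port out and sets isolate-workers to false; the function names and the upper bound of 32 for max-same-clients (taken from the value used above) are my assumptions.

```shell
#!/bin/sh
# Added example (not from the wiki page): audit a few security-relevant keys
# in an ocserv.conf-style file. Parses "key = value" lines, skips comments,
# prints PASS/FAIL per check and finishes with "FAILED <count>".

# conf_get FILE KEY : print the value of KEY (last occurrence wins, quotes stripped)
conf_get() {
  awk -v key="$2" '
    /^[[:space:]]*#/ { next }                 # comment line
    index($0, "=") == 0 { next }              # not a key = value line
    {
      k = substr($0, 1, index($0, "=") - 1)
      v = substr($0, index($0, "=") + 1)
      gsub(/^[[:space:]]+|[[:space:]]+$/, "", k)
      gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
      gsub(/^["]|["]$/, "", v)
      if (k == key) val = v
    }
    END { if (val != "") print val }
  ' "$1"
}

# report DESCRIPTION OK : OK is 0 for pass, 1 for fail; counts failures in $fails
report() {
  if [ "$2" -eq 0 ]; then
    echo "PASS: $1"
  else
    echo "FAIL: $1"
    fails=$((fails + 1))
  fi
}

# audit_ocserv_conf FILE : run the checks, last output line is "FAILED <n>"
audit_ocserv_conf() {
  f=$1
  fails=0

  # 1. SSLv3 must be removed from the GnuTLS priority string (as the page does)
  case "$(conf_get "$f" tls-priorities)" in
    *-VERS-SSL3.0*) report "tls-priorities disables SSLv3" 0 ;;
    *)              report "tls-priorities disables SSLv3" 1 ;;
  esac

  # 2. each client handled by an isolated worker process
  if [ "$(conf_get "$f" isolate-workers)" = "true" ]; then ok=0; else ok=1; fi
  report "isolate-workers = true" $ok

  # 3. workers must not run as root
  u=$(conf_get "$f" run-as-user)
  if [ -n "$u" ] && [ "$u" != "root" ]; then ok=0; else ok=1; fi
  report "run-as-user is set and is not root" $ok

  # 4. without udp-port DTLS can never be negotiated (TCP-only fallback)
  if [ -n "$(conf_get "$f" udp-port)" ]; then ok=0; else ok=1; fi
  report "udp-port configured so DTLS is possible" $ok

  # 5. per-user session cap (assumed upper bound 32, the value used on the page)
  n=$(conf_get "$f" max-same-clients)
  if [ -n "$n" ] && [ "$n" -gt 0 ] && [ "$n" -le 32 ]; then ok=0; else ok=1; fi
  report "max-same-clients set to a bounded value" $ok

  # 6. brute-force protection: scoring ban must be enabled
  b=$(conf_get "$f" max-ban-score)
  if [ -n "$b" ] && [ "$b" -gt 0 ]; then ok=0; else ok=1; fi
  report "max-ban-score enabled" $ok

  echo "FAILED $fails"
}

# make_sample_conf : write a constructed sample config to a temp file, print its path
make_sample_conf() {
  t=$(mktemp)
  cat > "$t" <<'EOF'
# constructed sample for the demo, not a real deployment
auth = "pam"
tcp-port = 8443
run-as-user = nobody
run-as-group = daemon
isolate-workers = false
max-same-clients = 32
max-ban-score = 50
tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-VERS-SSL3.0"
EOF
  echo "$t"
}

# demo: audit the constructed sample (expect two failures)
sample=$(make_sample_conf)
audit_ocserv_conf "$sample"
rm -f "$sample"
```

Run it against the live file with `audit_ocserv_conf /etc/ocserv/ocserv.conf` after sourcing the script; the checks are deliberately simple string tests, so extend the list to whatever your own baseline requires.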

In addition, Ubuntu's default systemd unit makes DTLS (UDP) unusable, so only TLS (TCP) works and throughput suffers; fix it with:

<syntaxhighlight lang="bash">
sudo sed -i -E -e 's/^(Requires=ocserv.socket)/#\1/' -e 's/^(Also=ocserv.socket)/#\1/' /lib/systemd/system/ocserv.service; sudo systemctl stop ocserv; sudo systemctl disable ocserv.service; sudo systemctl disable ocserv.socket; sudo systemctl daemon-reload; sudo systemctl start ocserv; sudo systemctl enable ocserv
</syntaxhighlight>
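An added example, not from the page: the same sed edit applied to a constructed copy of an ocserv.service-style unit so the change can be checked before it is made to the live file under /lib/systemd/system. It confirms that the two socket lines end up commented out rather than deleted and that the line count is unchanged. The unit text in make_sample_unit is constructed for the demo and is not a copy of Ubuntu's packaged unit; the function names are my assumptions.

```shell
#!/bin/sh
# Added example (not from the wiki page): rehearse the "detach ocserv from
# ocserv.socket" edit on a constructed copy of the unit and verify the result.

# make_sample_unit : write a constructed unit file, print its path
make_sample_unit() {
  t=$(mktemp)
  cat > "$t" <<'EOF'
[Unit]
Description=OpenConnect SSL VPN server (constructed sample, not the packaged unit)
Requires=ocserv.socket
After=network-online.target

[Service]
ExecStart=/usr/sbin/ocserv --foreground --config /etc/ocserv/ocserv.conf

[Install]
WantedBy=multi-user.target
Also=ocserv.socket
EOF
  echo "$t"
}

# detach_socket FILE : comment out the lines tying the service to ocserv.socket.
# Same expressions as the page's sed, but written to a temp file and moved into
# place instead of using -i, so it behaves the same on every sed.
detach_socket() {
  sed -E -e 's/^(Requires=ocserv.socket)/#\1/' -e 's/^(Also=ocserv.socket)/#\1/' "$1" > "$1.tmp" \
    && mv "$1.tmp" "$1"
}

# socket_refs FILE : number of still-active lines that reference ocserv.socket
socket_refs() {
  grep -c -E '^(Requires|Also)=ocserv\.socket' "$1" || true
}

# line_count FILE : total lines, to show the edit comments out and never deletes
line_count() {
  wc -l < "$1" | tr -d ' '
}

# demo on the constructed unit
unit=$(make_sample_unit)
echo "active ocserv.socket references before: $(socket_refs "$unit")"
detach_socket "$unit"
echo "active ocserv.socket references after:  $(socket_refs "$unit")"
echo "--- edited unit ---"
cat "$unit"
rm -f "$unit"

# After doing the same to the real unit, the page's daemon-reload/stop/disable/
# start sequence applies; a UDP listener on the configured udp-port should then
# show up in `ss -lun`, which is the quickest sign that DTLS is available.
```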

External links