作者:张华 发表于:2016-07-28
版权声明:可以任意转载,转载时请务必以超链接形式标明文章原始出处和作者信息及本版权声明 (http://blog.csdn.net/quqi99)
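#!/usr/bin/env bash
# Build ocserv from source, create a self-signed CA plus a server certificate,
# write /etc/ocserv/ocserv.conf, open the firewall/NAT for the VPN subnet and
# start the server in the foreground. Run as a user with sudo rights; every
# step that touches /etc or the firewall goes through sudo.
set -o xtrace
set -euo pipefail

readonly ocserv_ver=0.10.5
readonly tarball="ocserv-${ocserv_ver}.tar.xz"
readonly src_dir="/tmp/ocserv-${ocserv_ver}"
readonly cert_dir=/tmp/cert
# Must agree with ipv4-network/ipv4-netmask in ocserv.conf below; it scopes
# the FORWARD and MASQUERADE rules to VPN clients instead of the whole host.
readonly vpn_subnet=192.168.1.0/24
readonly vpn_port=443

#######################################
# Append an iptables rule only if it is not already present, so re-running
# the script does not accumulate duplicate rules.
# Arguments: $1 - table (filter|nat), $2 - chain, $@ - rule specification
#######################################
add_rule() {
  local table=$1
  shift
  sudo iptables -t "${table}" -C "$@" 2>/dev/null || sudo iptables -t "${table}" -A "$@"
}

#Install openconnect packages
sudo apt-get update
sudo apt-get -y install build-essential pkg-config libgnutls28-dev libreadline-dev libseccomp-dev libwrap0-dev libnl-nf-3-dev liblz4-dev gnutls-bin

cd /tmp
# Download only when the tarball is missing and extract only when the source
# tree is missing: skipping extraction whenever the tarball already existed
# left the cd below failing on any re-run after an interrupted first attempt.
if [[ ! -f "/tmp/${tarball}" ]]; then
  curl -f --retry 6 --retry-delay 5 -O "ftp://ftp.infradead.org/pub/ocserv/${tarball}"
fi
if [[ ! -d "${src_dir}" ]]; then
  tar -xf "${tarball}"
fi
#git clone https://gitlab.com/ocserv/ocserv.git
cd "${src_dir}"
./configure
# nproc reports usable CPUs directly; grepping "cpu cores" from /proc/cpuinfo
# emits one line per socket and hands `make -j` two numbers on multi-socket hosts.
make -j "$(nproc)"
sudo make install

#Create CA certificate
mkdir -p "${cert_dir}"
cd "${cert_dir}"
# Private keys are generated here before being installed; make sure nothing
# written into this directory is readable by other users on the host.
umask 077
cat > "${cert_dir}/ca.tmpl" <<'EOF'
cn = "sts CA"
organization = "sts CA"
serial = 1
expiration_days = 3650
ca
signing_key
cert_signing_key
crl_signing_key
EOF
#Generate CA secret KEY: V2
certtool --generate-privkey --outfile CA.key
#Generate CA certifice: P2 signed by V2
certtool --generate-self-signed --load-privkey CA.key --template ca.tmpl --outfile CA.pem

#Create User certificate (here is for VPN server)
cat > "${cert_dir}/vpnserver.tmpl" <<'EOF'
cn = "sts vpn server"
organization = "sts"
expiration_days = 3650
signing_key
encryption_key
tls_www_server
EOF
#Generate User secret KEY: V1
certtool --generate-privkey --outfile vpnserver.key
#Generate User certificate: <P1 signed by V2>
certtool --generate-certificate --load-privkey vpnserver.key --load-ca-certificate CA.pem --load-ca-privkey CA.key --template vpnserver.tmpl --outfile vpnserver.pem

#CA.pem,vpnserver.pem,vpnserver.key need to be installed in vpnserver
sudo install -o root -g root -m 0644 CA.pem /etc/ssl/certs/CA.pem
sudo install -o root -g root -m 0644 vpnserver.pem /etc/ssl/private/vpnserver.pem
# The server key is the one runtime secret; install it with an explicit mode
# rather than inheriting whatever cp and the umask happen to produce.
sudo install -o root -g root -m 0600 vpnserver.key /etc/ssl/private/vpnserver.key
# CA.key stays in ${cert_dir}: it is only needed to sign further certificates
# (see the client-certificate section below) and should be moved off the VPN
# host once those are issued.

#Configure and Start VPN Server
sudo install -d -m 0755 /etc/ocserv
sudo tee /etc/ocserv/ocserv.conf >/dev/null <<'EOF'
auth = "plain[passwd=/etc/ocserv/ocpasswd]"
tcp-port = 443
udp-port = 443
run-as-user = nobody
run-as-group = daemon
socket-file = /var/run/ocserv-socket
isolate-workers = true
max-clients = 100
max-same-clients = 5
keepalive = 32400
dpd = 90
mobile-dpd = 1800
try-mtu-discovery = true
server-cert = /etc/ssl/private/vpnserver.pem
server-key = /etc/ssl/private/vpnserver.key
ca-cert = /etc/ssl/certs/CA.pem
cert-user-oid = 0.9.2342.19200300.100.1.1
tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-VERS-SSL3.0"
auth-timeout = 40
min-reauth-time = 300
max-ban-score = 50
ban-reset-time = 300
cookie-timeout = 300
deny-roaming = false
rekey-time = 172800
rekey-method = ssl
use-occtl = true
pid-file = /var/run/ocserv.pid
device = vpns
predictable-ips = true
default-domain = example.com
ipv4-network = 192.168.1.0
ipv4-netmask = 255.255.255.0
dns = 8.8.8.8
ping-leases = false
route = 0.0.0.0/128.0.0.0
route = 128.0.0.0/128.0.0.0
no-route = 192.168.5.0/255.255.255.0
cisco-client-compat = true
EOF

#Configure iptable rules
add_rule filter INPUT -p tcp -m state --state NEW --dport "${vpn_port}" -j ACCEPT
add_rule filter INPUT -p udp -m state --state NEW --dport "${vpn_port}" -j ACCEPT
# Forward and masquerade only traffic from the VPN pool; an unqualified
# FORWARD/MASQUERADE rule turns the host into an open router for anything
# that reaches it. The second FORWARD rule admits the replies when the chain
# policy is DROP.
add_rule filter FORWARD -s "${vpn_subnet}" -j ACCEPT
add_rule filter FORWARD -d "${vpn_subnet}" -m state --state ESTABLISHED,RELATED -j ACCEPT
add_rule nat POSTROUTING -s "${vpn_subnet}" -j MASQUERADE

# Persist IPv4 forwarding. Stock sysctl.conf ships the key commented out and
# without spaces around "=", which the old "= " sed pattern never matched;
# rewrite any existing (commented or not) line, else append one.
if grep -q '^#\?net\.ipv4\.ip_forward' /etc/sysctl.conf; then
  sudo sed -i 's/^#\?net\.ipv4\.ip_forward.*/net.ipv4.ip_forward = 1/' /etc/sysctl.conf
else
  echo 'net.ipv4.ip_forward = 1' | sudo tee -a /etc/sysctl.conf >/dev/null
fi
# Apply it now regardless of what else sysctl.conf contains.
sudo sysctl -w net.ipv4.ip_forward=1

#[option] User certificate way
#configuration options in vpn server side
#auth = "certificate"
# #listen-clear-file = /var/run/ocserv-conn.socket
#ca-cert = /etc/ssl/certs/CA.pem
cat > "${cert_dir}/user.tmpl" <<'EOF'
cn = "sts_user"
unit = "sts"
expiration_days = 365
signing_key
tls_www_client
EOF
#Create user secret KEY
#certtool --generate-privkey --outfile user.key
#Create user certificate
#certtool --generate-certificate --load-privkey user.key --load-ca-certificate CA.pem --load-ca-privkey CA.key --template user.tmpl --outfile user.pem
#Transform to PKCS12 format: mykey/password
#certtool --to-p12 --load-privkey user.key --pkcs-cipher 3des-pkcs12 --load-certificate user.pem --outfile user.p12 --outder

#Start VPN Client
# Printed before the server starts: the foreground run below blocks, so any
# output placed after it was never shown.
echo "Usage:"
echo "sudo ocpasswd -c /etc/ocserv/ocpasswd test1"
echo "copy ${cert_dir}/CA.pem to the client, then (verify the server against our CA instead of --no-cert-check):"
echo 'echo "password" |sudo openconnect --cafile CA.pem -u test1 <VPN-Server>'

#Start VPN Server
sudo cp "${src_dir}/doc/systemd/standalone/ocserv.service" /lib/systemd/system/
sudo systemctl daemon-reload
sudo systemctl enable ocserv.service
# Foreground debug run; this is the last command because it does not return
# until ocserv exits. Use `sudo systemctl start ocserv.service` for a daemon.
sudo ocserv -f -d 1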