http://www.haiyun.me/archives/1071.html
Derived from and written up on the basis of that tutorial.
Done on CentOS 6 x64.
1. Dependencies
yum install pam-devel readline-devel http-parser-devel unbound gmp-devel
yum install tar gzip xz wget gcc make autoconf
2. Install nettle
cd
wget https://ftp.gnu.org/gnu/nettle/nettle-3.1.tar.gz
tar zxvf nettle-3.1.tar.gz
cd nettle-3.1/
./configure --prefix=/usr/local/nettle
make && make install
echo '/usr/local/nettle/lib64/' > /etc/ld.so.conf.d/nettle.conf
ldconfig
3. Install gnutls
cd
export NETTLE_CFLAGS="-I/usr/local/nettle/include/"
export NETTLE_LIBS="-L/usr/local/nettle/lib64/ -lnettle"
export HOGWEED_LIBS="-L/usr/local/nettle/lib64/ -lhogweed"
export HOGWEED_CFLAGS="-I/usr/local/nettle/include"
wget ftp://ftp.gnutls.org/gcrypt/gnutls/v3.4/gnutls-3.4.7.tar.xz
tar xvf gnutls-3.4.7.tar.xz
cd gnutls-3.4.7
./configure --prefix=/usr/local/gnutls --with-included-libtasn1 --without-p11-kit
make && make install
ln -s /usr/local/gnutls/bin/certtool /usr/bin/certtool
echo '/usr/local/gnutls/lib/' > /etc/ld.so.conf.d/gnutls.conf
ldconfig
4. Install libnl
cd
yum install bison flex
wget https://www.infradead.org/~tgr/libnl/files/libnl-3.2.25.tar.gz
tar xvf libnl-3.2.25.tar.gz
cd libnl-3.2.25
./configure --prefix=/usr/local/libnl
make && make install
echo '/usr/local/libnl/lib/' > /etc/ld.so.conf.d/libnl.conf
ldconfig
5. Install the RADIUS pieces
export LIBNL3_CFLAGS="-I/usr/local/libnl/include/libnl3"
export LIBNL3_LIBS="-L/usr/local/libnl/lib/ -lnl-3 -lnl-route-3"
export LIBGNUTLS_LIBS="-L/usr/local/gnutls/lib/ -lgnutls"
export LIBGNUTLS_CFLAGS="-I/usr/local/gnutls/include/"
wget https://github.com/radcli/radcli/releases/download/1.2.5/radcli-1.2.5.tar.gz
tar xvzf radcli-1.2.5.tar.gz
cd radcli-1.2.5
./configure --prefix=/usr/local/radcli
echo '/usr/local/radcli/lib/' > /etc/ld.so.conf.d/radcli.conf
make && make install
ldconfig
yum install freeradius-client -y
6. Install the main event: ocserv
export RADCLI_LIBS="-L/usr/local/radcli/lib/ -lradcli"
export RADCLI_CFLAGS="-I/usr/local/radcli/include/"
wget ftp://ftp.infradead.org/pub/ocserv/ocserv-0.10.9.tar.xz
tar xvf ocserv-0.10.9.tar.xz
cd ocserv-0.10.9
Edit src/vpn.h and change
#define DEFAULT_CONFIG_ENTRIES 96
to 200 (the ocserv.conf written below has more entries than this compiled-in limit allows, mostly because of the route lines).
./configure --prefix=/usr/local/ocserv
make && make install
echo 'export PATH=$PATH:/usr/local/ocserv/sbin/:/usr/local/ocserv/bin/' >> $HOME/.bashrc
source $HOME/.bashrc
7. Certificates
Since I already have a wildcard certificate, I don't generate one here and just use it directly.
mkdir /etc/ocserv/
Edit /etc/ocserv/server-cert.pem and paste the certificate in. Remember to paste only one, the certificate issued to you: if you paste the certificate chain after it you will get an error, apparently because of something odd with the CA certificate.
Then
chmod 600 /etc/ocserv/server-cert.pem
The same goes for server-key.pem: paste the private key in and set its permissions the same way.
8. freeradius-client setup
I only set up login authentication here.
Edit /etc/radiusclient/radiusclient.conf, where yourserveraddress stands for the RADIUS server address:
authserver yourserveraddress:1812
acctserver yourserveraddress:1813
dictionary /etc/radiusclient/dictionary
Also remember to grant this host access on the RADIUS server side (the server must know this client and its shared secret).
Then edit /etc/radiusclient/servers and add the following line, where yourserveraddress is the RADIUS server address and yourserversecret is the RADIUS shared secret:
yourserveraddress yourserversecret
9. Config file
For the config file, go back to the directory where we built ocserv and copy the RADIUS sample config from the test suite:
cd /root/ocserv-0.10.9
cp ./tests/docker-ocserv/ocserv-radius.conf /etc/ocserv/ocserv.conf
Then edit /etc/ocserv/ocserv.conf.
The main settings to change are:
try-mtu-discovery = true
cisco-client-compat = true
server-cert = /etc/ocserv/server-cert.pem
server-key = /etc/ocserv/server-key.pem
max-clients = 50
max-same-clients = 10
tcp-port = 5444
udp-port = 5444
dns = 8.8.8.8
dns = 8.8.4.4
ipv4-network = 192.168.10.0
occtl-socket-file = /var/run/occtl.socket
#ca-cert = ...
Yes, that's right: comment ca-cert out.
Also pay special attention to the routing table: first comment out all existing no-route and route lines, then add the following.
route = 103.0.0.0/255.0.0.0
route = 106.0.0.0/255.0.0.0
route = 107.0.0.0/255.0.0.0
route = 108.0.0.0/255.0.0.0
route = 141.0.0.0/255.0.0.0
route = 153.0.0.0/255.0.0.0
route = 160.0.0.0/255.0.0.0
route = 166.0.0.0/255.0.0.0
route = 17.0.0.0/255.0.0.0
route = 173.0.0.0/255.0.0.0
route = 176.0.0.0/255.0.0.0
route = 178.0.0.0/255.0.0.0
route = 184.0.0.0/255.0.0.0
route = 194.0.0.0/255.0.0.0
route = 198.0.0.0/255.0.0.0
route = 199.0.0.0/255.0.0.0
route = 203.0.0.0/255.0.0.0
route = 204.0.0.0/255.0.0.0
route = 205.0.0.0/255.0.0.0
route = 208.0.0.0/255.0.0.0
route = 209.0.0.0/255.0.0.0
route = 210.0.0.0/255.0.0.0
route = 216.0.0.0/255.0.0.0
route = 3.0.0.0/255.0.0.0
route = 4.0.0.0/255.0.0.0
route = 31.0.0.0/255.0.0.0
route = 46.0.0.0/255.0.0.0
route = 50.0.0.0/255.0.0.0
route = 54.0.0.0/255.0.0.0
route = 61.0.0.0/255.0.0.0
route = 64.0.0.0/255.0.0.0
route = 67.0.0.0/255.0.0.0
route = 68.0.0.0/255.0.0.0
route = 69.0.0.0/255.0.0.0
route = 70.0.0.0/255.0.0.0
route = 72.0.0.0/255.0.0.0
route = 74.0.0.0/255.0.0.0
route = 75.0.0.0/255.0.0.0
route = 76.0.0.0/255.0.0.0
route = 77.0.0.0/255.0.0.0
route = 79.0.0.0/255.0.0.0
route = 8.0.0.0/255.0.0.0
route = 23.0.0.0/255.0.0.0
route = 93.0.0.0/255.0.0.0
route = 96.0.0.0/255.0.0.0
route = 100.0.0.0/248.0.0.0
route = 109.0.0.0/255.0.0.0
route = 128.0.0.0/255.0.0.0
route = 174.0.0.0/255.0.0.0
route = 190.0.0.0/255.0.0.0
route = 192.0.0.0/255.0.0.0
OK, save.
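As an added sanity check (written for this write-up, not part of the original post or of ocserv), the following Python script parses an ocserv.conf, counts its entries against the DEFAULT_CONFIG_ENTRIES limit that section 6 raises in src/vpn.h, and flags route lines whose network is not aligned to its netmask (for example 100.0.0.0/248.0.0.0 from the list above, where 100 & 248 = 96). The sample config embedded at the end is constructed from the settings in this post.

```python
import ipaddress
import re

# Compiled-in limit from src/vpn.h in ocserv 0.10.9, before the edit described above.
DEFAULT_CONFIG_ENTRIES = 96
_ENTRY = re.compile(r"^([A-Za-z0-9_-]+)\s*=\s*(.*?)\s*$")

def parse_ocserv_conf(text):
    """Return (key, value) pairs from ocserv.conf text, skipping blanks and comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # a commented-out line such as '#ca-cert = ...' does not count
        match = _ENTRY.match(line)
        if match:
            entries.append((match.group(1), match.group(2)))
    return entries

def lint_ocserv_conf(text, limit=DEFAULT_CONFIG_ENTRIES):
    """Warn about an entry count over the compiled-in limit, route/no-route values
    that are malformed or not aligned to their netmask, and missing cert settings."""
    entries = parse_ocserv_conf(text)
    keys = {key for key, _ in entries}
    warnings = []
    if len(entries) > limit:
        warnings.append("%d entries exceed DEFAULT_CONFIG_ENTRIES=%d; raise it in src/vpn.h"
                        % (len(entries), limit))
    for required in ("server-cert", "server-key"):
        if required not in keys:
            warnings.append("missing required setting: %s" % required)
    for key, value in entries:
        if key not in ("route", "no-route") or value == "default":
            continue
        try:
            # strict=True rejects a network whose host bits are set under its mask
            ipaddress.ip_network(value, strict=True)
        except ValueError as exc:
            warnings.append("%s = %s: %s" % (key, value, exc))
    return warnings

# Constructed sample: the certificate settings from the post plus two of its route lines.
SAMPLE_CONF = """
server-cert = /etc/ocserv/server-cert.pem
server-key = /etc/ocserv/server-key.pem
#ca-cert = /etc/ocserv/ca.pem
route = 103.0.0.0/255.0.0.0
route = 100.0.0.0/248.0.0.0
"""
```

To check the real file, call lint_ocserv_conf(open("/etc/ocserv/ocserv.conf").read()) and print each returned warning; an empty list means the entry count fits the limit and every route is well-formed.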
10. Firewall & system configuration
echo 1 > /proc/sys/net/ipv4/ip_forward
echo "echo 1 > /proc/sys/net/ipv4/ip_forward " >> /etc/rc.local
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
service iptables save
Note that this MASQUERADE rule NATs everything leaving eth0; adding -s with the ipv4-network pool from ocserv.conf limits it to VPN client traffic.
11. Run ocserv
ocserv -f -c /etc/ocserv/ocserv.conf
Now you can connect; I won't go into that here.
Add this line to /etc/rc.local to start it on boot (drop the -f, which keeps ocserv in the foreground, or the rest of rc.local will wait behind it).
6 comments
Kevin
One of my servers is behind NAT: it has a public IP, but eth0 shows an address in the 10.x.x.x range. Authentication succeeds and it shows as connected, but there is no internet access. How should this be configured? PPTP seems to have the same issue.
Adding resolution in each of the ways for the modified version – 赵
[…] for building a child node, see here https://www.zhaoj.in/read-2904.html […]
Cool
Skipping unknown option ‘cookie-validity’
Setting ‘radius’ as primary authentication method
Enabling ‘certificate’ as authentication method
Setting ‘radius’ as accounting method
listening (TCP) on 0.0.0.0:5444…
listening (TCP) on [::]:5444…
listening (UDP) on 0.0.0.0:5444…
listening (UDP) on [::]:5444…
Segmentation fault
After running it, this is what it shows. How do I find out where the error is?
glzjin
-d 9999. The rest you can figure out yourself.
Building an AnyConnect server with RADIUS authentication – weix
[…] go to […]
Explanation of several ways to add nodes to the modified version – 蓑衣孤客
[…] for building a child node, see here https://www.zhaoj.in/read-2904.html […]