http://www.haiyun.me/archives/1071.html
Derived from and recorded based on this tutorial.
Done on CentOS 6 x64.
1. Dependencies
yum install pam-devel readline-devel http-parser-devel unbound gmp-devel
yum install tar gzip xz wget gcc make autoconf
2. Install nettle
cd
wget https://ftp.gnu.org/gnu/nettle/nettle-3.1.tar.gz
tar zxvf nettle-3.1.tar.gz
cd nettle-3.1/
./configure --prefix=/usr/local/nettle
make && make install
echo '/usr/local/nettle/lib64/' > /etc/ld.so.conf.d/nettle.conf
ldconfig
3. Install gnutls
cd
export NETTLE_CFLAGS="-I/usr/local/nettle/include/"
export NETTLE_LIBS="-L/usr/local/nettle/lib64/ -lnettle"
export HOGWEED_LIBS="-L/usr/local/nettle/lib64/ -lhogweed"
export HOGWEED_CFLAGS="-I/usr/local/nettle/include"
wget ftp://ftp.gnutls.org/gcrypt/gnutls/v3.4/gnutls-3.4.7.tar.xz
tar xvf gnutls-3.4.7.tar.xz
cd gnutls-3.4.7
./configure --prefix=/usr/local/gnutls --with-included-libtasn1 --without-p11-kit
make && make install
ln -s /usr/local/gnutls/bin/certtool /usr/bin/certtool
echo '/usr/local/gnutls/lib/' > /etc/ld.so.conf.d/gnutls.conf
ldconfig
4. Install libnl
cd
yum install bison flex
wget https://www.infradead.org/~tgr/libnl/files/libnl-3.2.25.tar.gz
tar xvf libnl-3.2.25.tar.gz
cd libnl-3.2.25
./configure --prefix=/usr/local/libnl
make && make install
echo '/usr/local/libnl/lib/' > /etc/ld.so.conf.d/libnl.conf
ldconfig
5. Install the RADIUS-related components
export LIBNL3_CFLAGS="-I/usr/local/libnl/include/libnl3"
export LIBNL3_LIBS="-L/usr/local/libnl/lib/ -lnl-3 -lnl-route-3"
export LIBGNUTLS_LIBS="-L/usr/local/gnutls/lib/ -lgnutls"
export LIBGNUTLS_CFLAGS="-I/usr/local/gnutls/include/"
wget https://github.com/radcli/radcli/releases/download/1.2.5/radcli-1.2.5.tar.gz
tar xvzf radcli-1.2.5.tar.gz
cd radcli-1.2.5
./configure --prefix=/usr/local/radcli
echo '/usr/local/radcli/lib/' > /etc/ld.so.conf.d/radcli.conf
make && make install
ldconfig
yum install freeradius-client -y
6. Install the main event: ocserv
export RADCLI_LIBS="-L/usr/local/radcli/lib/ -lradcli"
export RADCLI_CFLAGS="-I/usr/local/radcli/include/"
wget ftp://ftp.infradead.org/pub/ocserv/ocserv-0.10.9.tar.xz
tar xvf ocserv-0.10.9.tar.xz
cd ocserv-0.10.9
Edit src/vpn.h and change
#define DEFAULT_CONFIG_ENTRIES 96
to 200.
./configure --prefix=/usr/local/ocserv
make && make install
echo 'export PATH=$PATH:/usr/local/ocserv/sbin/:/usr/local/ocserv/bin/' >> $HOME/.bashrc
source $HOME/.bashrc
7. Certificates
Since I have a wildcard certificate, I'll skip generating one and just use it.
mkdir /etc/ocserv/
Edit /etc/ocserv/server-cert.pem and paste the certificate file in. Remember to paste only one certificate, the one issued to you; if you paste the whole chain, it will throw an error later, apparently because the CA certificate isn't handled properly.
Then
chmod 600 /etc/ocserv/server-cert.pem
Do the same for server-key.pem: paste the private key in and set the permissions.
8. freeradius-client settings
I only set up login authentication here.
Edit /etc/radiusclient/radiusclient.conf
yourserveraddress stands for the RADIUS server address.
authserver yourserveraddress:1812
acctserver yourserveraddress:1813
dictionary /etc/radiusclient/dictionary
Also remember that this host must be authorized as a client on the RADIUS server side.
Then edit /etc/radiusclient/servers
and add the following.
yourserveraddress stands for the RADIUS server address; yourserversecret stands for the RADIUS shared secret.
yourserveraddress yourserversecret
9. Configuration file
For the configuration file, go back to the directory where we built ocserv.
cd /root/ocserv-0.10.9
cp ./tests/docker-ocserv/ocserv-radius.conf /etc/ocserv/ocserv.conf
Then edit /etc/ocserv/ocserv.conf
Mainly change the following:
try-mtu-discovery = true
cisco-client-compat = true
server-cert = /etc/ocserv/server-cert.pem
server-key = /etc/ocserv/server-key.pem
max-clients = 50
max-same-clients = 10
tcp-port = 5444
udp-port = 5444
dns = 8.8.8.8
dns = 8.8.4.4
ipv4-network = 192.168.10.0
occtl-socket-file = /var/run/occtl.socket
#ca-cert=...   yes, that's right, comment this out
Also pay special attention to the routing table: comment out both no-route and route first, then add the following configuration.
route = 103.0.0.0/255.0.0.0
route = 106.0.0.0/255.0.0.0
route = 107.0.0.0/255.0.0.0
route = 108.0.0.0/255.0.0.0
route = 141.0.0.0/255.0.0.0
route = 153.0.0.0/255.0.0.0
route = 160.0.0.0/255.0.0.0
route = 166.0.0.0/255.0.0.0
route = 17.0.0.0/255.0.0.0
route = 173.0.0.0/255.0.0.0
route = 176.0.0.0/255.0.0.0
route = 178.0.0.0/255.0.0.0
route = 184.0.0.0/255.0.0.0
route = 194.0.0.0/255.0.0.0
route = 198.0.0.0/255.0.0.0
route = 199.0.0.0/255.0.0.0
route = 203.0.0.0/255.0.0.0
route = 204.0.0.0/255.0.0.0
route = 205.0.0.0/255.0.0.0
route = 208.0.0.0/255.0.0.0
route = 209.0.0.0/255.0.0.0
route = 210.0.0.0/255.0.0.0
route = 216.0.0.0/255.0.0.0
route = 3.0.0.0/255.0.0.0
route = 4.0.0.0/255.0.0.0
route = 31.0.0.0/255.0.0.0
route = 46.0.0.0/255.0.0.0
route = 50.0.0.0/255.0.0.0
route = 54.0.0.0/255.0.0.0
route = 61.0.0.0/255.0.0.0
route = 64.0.0.0/255.0.0.0
route = 67.0.0.0/255.0.0.0
route = 68.0.0.0/255.0.0.0
route = 69.0.0.0/255.0.0.0
route = 70.0.0.0/255.0.0.0
route = 72.0.0.0/255.0.0.0
route = 74.0.0.0/255.0.0.0
route = 75.0.0.0/255.0.0.0
route = 76.0.0.0/255.0.0.0
route = 77.0.0.0/255.0.0.0
route = 79.0.0.0/255.0.0.0
route = 8.0.0.0/255.0.0.0
route = 23.0.0.0/255.0.0.0
route = 93.0.0.0/255.0.0.0
route = 96.0.0.0/255.0.0.0
route = 100.0.0.0/248.0.0.0
route = 109.0.0.0/255.0.0.0
route = 128.0.0.0/255.0.0.0
route = 174.0.0.0/255.0.0.0
route = 190.0.0.0/255.0.0.0
route = 192.0.0.0/255.0.0.0
OK, save.
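The route list above contains 100.0.0.0/248.0.0.0, whose mask is a /5 rather than the /8 of its neighbours, so it silently covers 96.0.0.0 through 103.255.255.255 and overlaps two other entries. This added checker (not part of the original post; SAMPLE_CONF is a constructed fragment) normalises each ocserv route entry, reports entries with host bits set and pairs that overlap, and counts entries against a limit, assumed here to be what DEFAULT_CONFIG_ENTRIES in step 6 governs.

```python
import ipaddress
import re

# Constructed ocserv.conf fragment for this example; the "net/mask"
# form is the one used in the route list above.
SAMPLE_CONF = """\
tcp-port = 5444
# route = default
route = 103.0.0.0/255.0.0.0
route = 96.0.0.0/255.0.0.0
route = 100.0.0.0/248.0.0.0
route = 192.168.10.0/255.255.255.0
"""

ROUTE_RE = re.compile(r"^\s*route\s*=\s*(\S+)\s*$")


def parse_routes(conf_text):
    """Return (original_text, normalised IPv4Network) for every active
    (uncommented) 'route =' entry; 'route = default' is skipped."""
    routes = []
    for line in conf_text.splitlines():
        m = ROUTE_RE.match(line)
        if not m or m.group(1) == "default":
            continue
        # strict=False widens the address to the mask instead of raising,
        # which is how 100.0.0.0/248.0.0.0 becomes 96.0.0.0/5.
        net = ipaddress.ip_network(m.group(1), strict=False)
        routes.append((m.group(1), net))
    return routes


def check_routes(conf_text, max_entries=96):
    """Return a list of findings: entries whose address has host bits set,
    pairs of entries that overlap, and an entry count above max_entries
    (assumed to be the DEFAULT_CONFIG_ENTRIES limit raised in step 6)."""
    routes = parse_routes(conf_text)
    findings = []
    for text, net in routes:
        addr = ipaddress.ip_address(text.split("/")[0])
        if addr != net.network_address:
            findings.append(f"host bits set: {text} is really {net}")
    for i, (t1, n1) in enumerate(routes):
        for t2, n2 in routes[i + 1:]:
            if n1.overlaps(n2):
                findings.append(f"overlap: {t1} and {t2}")
    if len(routes) > max_entries:
        findings.append(f"{len(routes)} routes exceed the {max_entries} entry limit")
    return findings
```

Run check_routes over the real /etc/ocserv/ocserv.conf contents before starting the server; an empty list means every route is a clean, non-overlapping prefix.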
10. Firewall & system configuration
echo 1 > /proc/sys/net/ipv4/ip_forward
echo "echo 1 > /proc/sys/net/ipv4/ip_forward " >> /etc/rc.local
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
service iptables save
11. Run ocserv
ocserv -f -c /etc/ocserv/ocserv.conf
You can now connect; I won't go into that here.
Add this line to /etc/rc.local and it will start at boot.

6 comments
Kevin
One of the servers is behind NAT: it has a public IP, but eth0 shows an address in the 10.X.X.X range. Authentication succeeds and it shows as connected, but there is no internet access. How should this be configured? PPTP seems to have the same problem.
Modified build: adding resolution for each method – Zhao
[…] for setting up child nodes, see here https://www.zhaoj.in/read-2904.html […]
Cool
Skipping unknown option ‘cookie-validity’
Setting ‘radius’ as primary authentication method
Enabling ‘certificate’ as authentication method
Setting ‘radius’ as accounting method
listening (TCP) on 0.0.0.0:5444…
listening (TCP) on [::]:5444…
listening (UDP) on 0.0.0.0:5444…
listening (UDP) on [::]:5444…
Segmentation fault
After running it, this is what I get. How do I find out where the error is?
glzjin
-d 9999; figure out the rest yourself.
Setting up an AnyConnect server with RADIUS authentication – weix
[…] go to […]
Several ways to add nodes to the modified build – 蓑衣孤客
[…] for setting up child nodes, see here https://www.zhaoj.in/read-2904.html […]