[Repost] ocserv: an open-source server compatible with Cisco AnyConnect, by 杂物仓库 Mk.II

Category: VPN, posted by 林夕

Reposted from: http://ttz.im/blog/2014/02/1131
ocserv (OpenConnect Server) is an open-source SSL VPN server compatible with Cisco AnyConnect, written by GnuTLS author Nikos Mavrogiannopoulos. It runs on *nix/BSD platforms. It started out as the server counterpart to OpenConnect (the open-source Linux client compatible with Cisco ASA); support for the Cisco AnyConnect client was added in later versions (starting with 0.3.0).

Because the software is still very new and has not made it into any distribution's repositories, it has to be built from source.

Download: http://www.infradead.org/ocserv/download.html; the latest version is 0.3.1.

ocserv uses GnuTLS as its SSL library, so the matching dev package is required at build time. The version shipped in Debian stable (2.12.20) is too old; ocserv needs 2.15 or newer, so install it from backports:

apt-get -t wheezy-backports install libgnutls28-dev

Then build it:

./configure --prefix=/usr --sysconfdir=/etc && make && make install

This builds and installs under /usr.

Since this is an SSL VPN, the first step is to create the server certificate. The following is taken straight from the ocserv website:

Generate the CA certificate

certtool --generate-privkey --outfile ca-key.pem
cat <<_EOF_> ca.tmpl
cn = "VPN CA"
organization = "Big Corp"
serial = 1
expiration_days = 9999
ca
signing_key
cert_signing_key
crl_signing_key
_EOF_
certtool --generate-self-signed --load-privkey ca-key.pem --template ca.tmpl --outfile ca-cert.pem

Generate the local server certificate

certtool --generate-privkey --outfile server-key.pem
cat <<_EOF_> server.tmpl
cn = "www.example.com"
organization = "MyCompany"
serial = 2
expiration_days = 9999
signing_key
encryption_key #only if the generated key is an RSA one
tls_www_server
_EOF_
certtool --generate-certificate --load-privkey server-key.pem --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem --template server.tmpl --outfile server-cert.pem

Once generated, put the server certificate in /etc/ssl/certs and the private key in /etc/ssl/private.

Next comes the configuration file. Create /etc/ocserv, copy doc/sample.config into that directory and rename it to ocserv.conf:

mkdir /etc/ocserv && cp doc/sample.config /etc/ocserv/ && mv /etc/ocserv/sample.config /etc/ocserv/ocserv.conf

Then edit the file. Because I want to authenticate against RADIUS through PAM, uncomment auth = "pam" and comment out auth = "plain[./sample.passwd]".

First install PAM RADIUS:

apt-get install libpam0g-dev libpam-radius-auth

Then create /etc/pam.d/ocserv:

# PAM Configuration for OpenConnect Server
# Created by tony, 11/13/13
# This is designed to work with RADIUS PAM Module
auth    required        /lib/security/pam_radius_auth.so

You also need to create /etc/pam_radius_auth.conf:

#  pam_radius_auth configuration file.  Copy to: /etc/raddb/server
#
#  For proper security, this file SHOULD have permissions 0600,
#  that is readable by root, and NO ONE else.  If anyone other than
#  root can read this file, then they can spoof responses from the server!
#
#  There are 3 fields per line in this file.  There may be multiple
#  lines.  Blank lines or lines beginning with '#' are treated as
#  comments, and are ignored.  The fields are:
#
#  server[:port] secret [timeout]
#
#  the port name or number is optional.  The default port name is
#  "radius", and is looked up from /etc/services The timeout field is
#  optional.  The default timeout is 3 seconds.
#
#  If multiple RADIUS server lines exist, they are tried in order.  The
#  first server to return success or failure causes the module to return
#  success or failure.  Only if a server fails to response is it skipped,
#  and the next server in turn is used.
#
#  The timeout field controls how many seconds the module waits before
#  deciding that the server has failed to respond.
#
# server[:port] shared_secret      timeout (s)
localhost       yourradiusserversecret  5

#
# having localhost in your radius configuration is a Good Thing.
#
# See the INSTALL file for pam.conf hints.

Fill in the secret used to connect to the RADIUS server here.
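The header of that file states two requirements worth checking before the first connection attempt: the file must be mode 0600 and owned by root (anyone else who can read the secret can spoof RADIUS replies), and each server line must have the form server[:port] secret [timeout], with the port defaulting to the "radius" service name and the timeout to 3 seconds. The script below is an added example, not code from the post or from the pam_radius_auth module; it parses such a file and flags the placeholder secret from the template above. The sample configuration is constructed, and its second server line and secret are made up for the demo.

```python
"""Check a pam_radius_auth.conf before pointing ocserv's PAM stack at it.

Added example, not code from the post or from the pam_radius_auth module.
It applies the two requirements stated in the file's own header comments:
mode 0600 owned by root, and `server[:port] secret [timeout]` lines with
the port defaulting to the "radius" service name and the timeout to 3 s.
SAMPLE_CONF is constructed; the second server line and its secret are
made up for the demo.
"""
import os
import stat
import tempfile

# The secret the post's template ships with; it must not survive into production.
PLACEHOLDER_SECRETS = {"yourradiusserversecret"}

# Constructed sample: the post's line plus one made-up remote server.
SAMPLE_CONF = """\
# server[:port] shared_secret      timeout (s)
localhost       yourradiusserversecret  5
radius.example.internal:1812  e7Qm9v2LxT4pZs8wKd1rN6bH  3
"""


def parse_servers(text):
    """Parse server lines into dicts; blank lines and '#' comments are skipped."""
    servers = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) not in (2, 3):
            raise ValueError(f"line {lineno}: expected 'server[:port] secret [timeout]'")
        host, _, port = fields[0].partition(":")
        servers.append({
            "host": host,
            "port": port or "radius",      # module default, resolved via /etc/services
            "secret": fields[1],
            "timeout": int(fields[2]) if len(fields) == 3 else 3,  # module default
        })
    return servers


def check_servers(servers, min_secret_len=16):
    """Flag placeholder or short secrets; the secret is all that authenticates the server."""
    findings = []
    for n, s in enumerate(servers, 1):
        if s["secret"] in PLACEHOLDER_SECRETS:
            findings.append(f"server {n} ({s['host']}): placeholder secret still in place")
        elif len(s["secret"]) < min_secret_len:
            findings.append(f"server {n} ({s['host']}): secret shorter than {min_secret_len} chars")
    return findings


def check_mode(path):
    """Apply the header's rule: mode 0600, owned by root."""
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    findings = []
    if mode & 0o077:
        findings.append(f"{path}: mode {mode:04o} is readable by group/other")
    if st.st_uid != 0:
        findings.append(f"{path}: not owned by root")
    return findings


def write_sample(mode=0o644):
    """Write SAMPLE_CONF to a temp file with the given mode, for the demo only."""
    fd, path = tempfile.mkstemp(prefix="pam_radius_auth.")
    with os.fdopen(fd, "w") as fh:
        fh.write(SAMPLE_CONF)
    os.chmod(path, mode)
    return path


if __name__ == "__main__":
    path = write_sample(0o644)          # deliberately too permissive
    for finding in check_mode(path) + check_servers(parse_servers(SAMPLE_CONF)):
        print(finding)
    os.unlink(path)
```

Run against the real file with check_mode("/etc/pam_radius_auth.conf") and check_servers(parse_servers(open(...).read())); an empty list from both means the file matches what its header asks for.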

server-cert and server-key point at the certificate and server private key generated earlier. Change run-as-group to nogroup.

ipv4-network is the subnet from which client addresses are assigned; for example ipv4-network=192.168.1.0 means the subnet 192.168.1.1-255 (together with the netmask). dns is the DNS server pushed to clients.

route is the routing table pushed to clients; if you use split-tunnel-policy tunnelall mode (all traffic goes through the VPN), simply delete that line.

Change user-profile to user-profile = /etc/ocserv/profile.xml and uncomment cisco-client-compat = true.
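The edits above are easy to get half right (both auth lines left active, a route line left in while expecting tunnel-all, the key outside /etc/ssl/private). The script below is an added example, not code from the post or from the ocserv project, that parses the key = value syntax of ocserv.conf and checks exactly the settings the post changes. It assumes that repeated keys such as dns and route accumulate, and it uses ipv4-netmask as the name of the netmask option the post pairs with ipv4-network; the sample configuration is a constructed excerpt.

```python
"""Check the ocserv.conf settings this post changes.

Added example, not code from the post or the ocserv project. It assumes
the `key = value` syntax of ocserv.conf with `#` comments, where some
keys (dns, route) may be repeated, and uses `ipv4-netmask` as the name
of the netmask option the post pairs with ipv4-network. SAMPLE_CONF is a
constructed excerpt of an edited /etc/ocserv/ocserv.conf.
"""
import ipaddress
from collections import defaultdict

# Constructed sample: the lines the post says to change, already changed.
SAMPLE_CONF = """\
# auth = "plain[./sample.passwd]"
auth = "pam"
server-cert = /etc/ssl/certs/server-cert.pem
server-key = /etc/ssl/private/server-key.pem
run-as-user = nobody
run-as-group = nogroup
ipv4-network = 192.168.1.0
ipv4-netmask = 255.255.255.0
dns = 192.168.1.1
user-profile = /etc/ocserv/profile.xml
cisco-client-compat = true
"""


def parse_ocserv_conf(text):
    """Parse `key = value` lines into {key: [values]}; repeated keys accumulate."""
    conf = defaultdict(list)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()     # drop comments (assumes no '#' in values)
        if not line or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        conf[key].append(value.strip('"'))
    return dict(conf)


def client_pool(conf):
    """Derive the client address pool from ipv4-network plus ipv4-netmask."""
    net = ipaddress.IPv4Network(
        f"{conf['ipv4-network'][0]}/{conf['ipv4-netmask'][0]}", strict=False)
    hosts = list(net.hosts())
    return str(net), str(hosts[0]), str(hosts[-1]), len(hosts)


def check_conf(conf, tunnel_all=True):
    """Return findings for the settings the post edits; an empty list means consistent."""
    findings = []
    if conf.get("auth") != ["pam"]:
        findings.append("auth must be exactly pam (comment out the plain[...] line)")
    for key in ("server-cert", "server-key", "user-profile"):
        if key not in conf:
            findings.append(f"{key} is not set")
    if "server-key" in conf and not conf["server-key"][0].startswith("/etc/ssl/private/"):
        findings.append("server-key should live under /etc/ssl/private (root-only directory)")
    if conf.get("run-as-group") != ["nogroup"]:
        findings.append("run-as-group should be nogroup")
    if "ipv4-network" not in conf or "ipv4-netmask" not in conf:
        findings.append("ipv4-network and ipv4-netmask must both be set")
    if not conf.get("dns"):
        findings.append("no dns server is pushed to clients")
    if tunnel_all and conf.get("route"):
        findings.append("route lines present, but tunnel-all mode needs them removed")
    if not tunnel_all and not conf.get("route"):
        findings.append("split tunnel requested, but no route lines are set")
    if conf.get("cisco-client-compat") != ["true"]:
        findings.append("cisco-client-compat must be true for AnyConnect clients")
    return findings


if __name__ == "__main__":
    conf = parse_ocserv_conf(SAMPLE_CONF)
    print("client pool:", client_pool(conf))
    print("findings:", check_conf(conf) or "none")
```

For the sample, client_pool reports 192.168.1.0/24 with assignable addresses 192.168.1.1 through 192.168.1.254 (the .0 and .255 addresses are the network and broadcast addresses), which is what the netmask adds to the ipv4-network value.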

That completes the changes to the ocserv configuration file. Next is /etc/ocserv/profile.xml:

<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/ AnyConnectProfile.xsd">

<ClientInitialization>
<AutoUpdate>true</AutoUpdate>
<BypassDownloader>true</BypassDownloader>
<UseStartBeforeLogon>false</UseStartBeforeLogon>
<StrictCertificateTrust>false</StrictCertificateTrust>
<RestrictPreferenceCaching>false</RestrictPreferenceCaching>
<RestrictTunnelProtocols>IPSec</RestrictTunnelProtocols>
<CertEnrollmentPin>pinAllowed</CertEnrollmentPin>
<CertificateMatch>
<KeyUsage>
<MatchKey>Digital_Signature</MatchKey>
</KeyUsage>
<ExtendedKeyUsage>
<ExtendedMatchKey>ClientAuth</ExtendedMatchKey>
</ExtendedKeyUsage>
</CertificateMatch>
</ClientInitialization>

<ServerList>
<HostEntry>
<HostName>Server Profile Name</HostName>
<HostAddress>server.ip.address</HostAddress>
</HostEntry>
</ServerList>
</AnyConnectProfile>
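Two values in that profile need attention before it is pushed to clients: HostAddress still holds the placeholder server.ip.address, and StrictCertificateTrust is false, which means a client that does not trust the server certificate (for instance because ca-cert.pem was never installed on it) prompts the user instead of refusing to connect. The script below is an added example, not code from the post, from Cisco or from ocserv; it parses the profile with the standard library, resolving the default namespace the file declares, and flags both points. The sample profile is a constructed, shortened copy of the file above.

```python
"""Sanity-check the AnyConnect profile.xml before handing it to ocserv.

Added example, not code from the post, from Cisco or from ocserv. It
resolves the default namespace the post's profile declares, lists every
ServerList entry, flags the placeholder HostAddress the sample ships with,
and reports StrictCertificateTrust. SAMPLE_PROFILE is a constructed,
shortened copy of the post's file.
"""
import xml.etree.ElementTree as ET

NS = {"ac": "http://schemas.xmlsoap.org/encoding/"}   # namespace from the post's profile

SAMPLE_PROFILE = """<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ClientInitialization>
    <StrictCertificateTrust>false</StrictCertificateTrust>
    <RestrictTunnelProtocols>IPSec</RestrictTunnelProtocols>
  </ClientInitialization>
  <ServerList>
    <HostEntry>
      <HostName>Server Profile Name</HostName>
      <HostAddress>server.ip.address</HostAddress>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
"""

# Values that mean the profile was never edited after copying the sample.
PLACEHOLDER_ADDRESSES = {"", "server.ip.address"}


def parse_profile(text):
    """Return StrictCertificateTrust and the (HostName, HostAddress) pairs of the ServerList."""
    root = ET.fromstring(text)
    init = root.find("ac:ClientInitialization", NS)
    strict = ""
    if init is not None:
        strict = init.findtext("ac:StrictCertificateTrust", default="", namespaces=NS)
    hosts = [
        (entry.findtext("ac:HostName", default="", namespaces=NS).strip(),
         entry.findtext("ac:HostAddress", default="", namespaces=NS).strip())
        for entry in root.iterfind("ac:ServerList/ac:HostEntry", NS)
    ]
    return {"strict_cert_trust": strict.strip(), "hosts": hosts}


def check_profile(profile):
    """Return findings; an empty list means the profile is ready to push."""
    findings = []
    if not profile["hosts"]:
        findings.append("ServerList has no HostEntry")
    for name, addr in profile["hosts"]:
        if addr in PLACEHOLDER_ADDRESSES:
            findings.append(f"HostEntry '{name}': HostAddress is still the placeholder")
    if profile["strict_cert_trust"].lower() != "true":
        findings.append("StrictCertificateTrust is not true: clients may accept an untrusted server certificate")
    return findings


if __name__ == "__main__":
    for finding in check_profile(parse_profile(SAMPLE_PROFILE)):
        print(finding)
```

Setting StrictCertificateTrust to true only makes sense once ca-cert.pem is installed on the clients; otherwise they will refuse to connect to a server whose certificate chains to a CA they do not know.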

Next is the init script. I adapted a very simple one from the skeleton and put it in /etc/init.d/ocserv:

#!/bin/sh
### BEGIN INIT INFO
# Provides:          ocserv
# Required-Start:    $remote_fs $syslog
# Required-Stop:     $remote_fs $syslog
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
### END INIT INFO
# Copyright Rene Mayrhofer, Gibraltar, 1999
# This script is distributed under the GPL

PATH=/bin:/usr/bin:/sbin:/usr/sbin
DAEMON=/usr/sbin/ocserv
PIDFILE=/var/run/ocserv.pid
DAEMON_ARGS="-c /etc/ocserv/ocserv.conf"

case "$1" in
start)
if [ ! -r $PIDFILE ]; then
echo -n "Starting OpenConnect VPN Server Daemon: "
start-stop-daemon --start --quiet --pidfile $PIDFILE --exec $DAEMON -- \
$DAEMON_ARGS > /dev/null
echo "ocserv."
else
echo "OpenConnect VPN Server is already running."
exit 0
fi
;;
stop)
echo -n "Stopping OpenConnect VPN Server Daemon: "
start-stop-daemon --stop --quiet --pidfile $PIDFILE --exec $DAEMON
echo "ocserv."
rm -f $PIDFILE
;;
force-reload|restart)
echo "Restarting OpenConnect VPN Server: "
$0 stop
sleep 1
$0 start
;;
status)
if [ ! -r $PIDFILE ]; then
# no pid file, process doesn't seem to be running correctly
exit 3
fi
PID=`cat $PIDFILE | sed 's/ //g'`
EXE=/proc/$PID/exe
if [ -x "$EXE" ] &&
[ "`ls -l \"$EXE\" | cut -d'>' -f2,2 | cut -d' ' -f2,2`" = \
"$DAEMON" ]; then
# ok, process seems to be running
exit 0
elif [ -r $PIDFILE ]; then
# process not running, but pidfile exists
exit 1
else
# no lock file to check for, so simply return the stopped status
exit 3
fi
;;
*)
echo "Usage: /etc/init.d/ocserv {start|stop|restart|force-reload|status}"
exit 1
;;
esac

exit 0

Run update-rc.d ocserv defaults to start it at boot. You can add --http-debug -d to DAEMON_ARGS to turn on debug output.

Finally, open TCP and UDP port 443 in iptables. ocserv authenticates over TCP port 443 and uses UDP for data transport.

The AnyConnect client was tested successfully on Windows (3.0.11042) and iOS (3.0.09266).

This article drew on the ocserv website and mailing list.
