[sslvpn/anyconnect/openconnect] Installing the ocserv server on Ubuntu 22.04 / notes on the pitfalls

Background

A new ConoHa machine with a fresh Ubuntu 22.04 install. The version you get from apt install is a bit old and has a strange memory-alignment problem that makes clients unable to connect. So back to square one: download the latest source from the official site and build it myself.

Source code

The code is hosted on GitLab; the latest version is 1.1.6.

https://gitlab.com/openconnect/ocserv

As usual I put it under /usr/local/src.

$ autoreconf -fvi
$ ./configure && make

configure actually complained about missing pieces here, so install the dependencies first: apt-get install -y libgnutls28-dev libev-dev

After the build there are really 3 things:

  1. ocserv (the compiled server binary)
  2. occtl, a control console (I have never used it)
  3. ocpasswd, a tool for setting user passwords

One interesting thing: when I removed the older ocserv with apt remove, its auto-start service unit was only masked, and a systemctl unmask brought it back. Looking closely at the path set inside it, the unit starts the ocserv under /usr/sbin/; since the package removal deleted that file, I symlinked (ln) /usr/local/src/ocserv/src/ocserv to that location. I don't use password authentication, but I created an account anyway: ocpasswd -c /etc/ocserv/ocpasswd username

Configuration

/etc/ocserv/ocserv.conf is the main piece of configuration. The tail of the file is the list of networks excluded from the tunnel's routing (no-route), used to keep some domestic (Chinese) IP ranges outside the VPN.

auth = "certificate" # certificate authentication, so there is no account/password to be guessed
tcp-port = 443
udp-port = 443
run-as-user = nobody
run-as-group = daemon
socket-file = /run/ocserv.socket
server-cert = /path/xxx-cert.pem #server certificate
server-key = /path/xxx-key.pem  #server key
ca-cert = /path/ca-cert.pem #CA certificate
isolate-workers = true
max-clients = 128 #maximum number of connected clients
max-same-clients = 2 #concurrent connections per user
server-stats-reset-time = 604800
keepalive = 300
dpd = 60
mobile-dpd = 300
switch-to-tcp-timeout = 25
try-mtu-discovery = false
cert-user-oid = 2.5.4.3 #this is tied to how the client certificates are generated (username is taken from the CN)
compression = true
no-compress-limit = 256
tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-RSA:-VERS-SSL3.0:-ARCFOUR-128"
auth-timeout = 240
idle-timeout = 1200
mobile-idle-timeout = 1800
min-reauth-time = 300
max-ban-score = 80
ban-reset-time = 300
cookie-timeout = 300
deny-roaming = false
rekey-time = 172800
rekey-method = ssl
use-occtl = true
pid-file = /run/ocserv.pid
device = vpns
predictable-ips = true
default-domain = example.com #domain name
ipv4-network = 10.10.10.0
ipv4-netmask = 255.255.255.0
dns = 8.8.8.8
dns = 1.1.1.1
ping-leases = false
cisco-client-compat = true #support Cisco clients
dtls-legacy = true
# ... followed by the no-route list: one "no-route = network/netmask" line per excluded range, taken from the repository credited below

Thanks to https://github.com/CNMan/ocserv-cn-no-route for providing an up-to-date IP list.
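As an added example (not part of this post or of ocserv), a small Python linter for an ocserv.conf written the way this one is: it parses the key = value lines while keeping repeated keys such as dns and no-route, converts the address/netmask no-route entries to CIDR, flags entries with host bits set or listed twice, and reports any pushed DNS server that falls inside a no-route range, since queries to such a server would leave the tunnel. The sample configuration is a constructed excerpt built from values in this post.

```python
import ipaddress
import re
from collections import defaultdict
# Constructed excerpt of the post's ocserv.conf; the no-route values come from its list.
SAMPLE_CONF = """\
auth = "certificate" # certificate authentication
run-as-user = nobody
dns = 8.8.8.8
dns = 1.1.1.1
no-route = 1.0.0.0/255.128.0.0
no-route = 5.182.60.0/255.224.0.0
no-route = 10.0.0.0/255.0.0.0
no-route = 10.0.0.0/255.0.0.0
"""

# key = value, value optionally quoted, optional trailing "# comment"
LINE_RE = re.compile(r'^\s*([\w-]+)\s*=\s*("[^"]*"|[^#]*?)\s*(?:#.*)?$')

def parse_conf(text):
    """Return {key: [values, ...]}; repeated keys (dns, no-route) keep every value."""
    conf = defaultdict(list)
    for line in text.splitlines():
        if m := LINE_RE.match(line):
            conf[m.group(1)].append(m.group(2).strip('"'))
    return conf

def normalize_routes(entries):
    """Convert addr/netmask entries to IPv4Network; warn on host bits and duplicates."""
    nets, warnings = [], []
    for entry in entries:
        net = ipaddress.ip_network(entry, strict=False)
        if str(net.network_address) != entry.split("/")[0]:
            warnings.append(f"{entry}: host bits set, effective range is {net}")
        if net in nets:
            warnings.append(f"{entry}: duplicate no-route entry")
        else:
            nets.append(net)
    return nets, warnings

def lint(text):
    """Check the settings this post relies on and whether pushed DNS stays inside the tunnel."""
    conf = parse_conf(text)
    findings = []
    if conf.get("auth") != ["certificate"]:
        findings.append("auth is not certificate-only")
    if conf.get("run-as-user", ["root"])[0] == "root":
        findings.append("worker processes run as root")
    nets, warnings = normalize_routes(conf.get("no-route", []))
    findings.extend(warnings)
    for dns in conf.get("dns", []):
        for net in nets:
            if ipaddress.ip_address(dns) in net:
                findings.append(f"dns {dns} is inside no-route {net}: queries bypass the VPN")
    return conf, findings
```

Run against the full configuration with lint(open("/etc/ocserv/ocserv.conf").read()); on the sample it reports the 5.182.60.0 entry's effective range, the duplicated 10.0.0.0/8 line, and that 1.1.1.1 sits inside the 1.0.0.0/9 exclusion.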

Forwarding and firewall

Enable IP forwarding:

echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
sysctl -p

In /etc/default/ufw find DEFAULT_FORWARD_POLICY="DROP" and change it to ACCEPT. Then add the following to /etc/ufw/before.rules (my NIC is eth0 and the VPN subnet is 10.10.10.0/24):

-A ufw-before-forward -s 10.10.10.0/24 -j ACCEPT
-A ufw-before-forward -d 10.10.10.0/24 -j ACCEPT
...
COMMIT
...
# NAT table rules
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.10.10.0/24 -o eth0 -j MASQUERADE

# End each table with the 'COMMIT' line or these rules won't be processed
COMMIT

After the changes:

sudo ufw allow 443/tcp
sudo ufw allow 443/udp
systemctl restart ufw
systemctl start ocserv

My keys and certificates were generated last time, so I won't go over that again here. The official commands are roughly:

$ certtool --generate-privkey > ./test-key.pem
$ certtool --generate-self-signed --load-privkey test-key.pem --outfile test-cert.pem

- If you find port 443 is already in use, check your nginx/apache configuration and free it up. You can of course use a different port.

That's all.