
1. Introduction to AnyConnect

ocserv (OpenConnect Server) is open-source client software for virtual private network (VPN) connections. It was originally developed to connect to Cisco AnyConnect VPN servers, but has since grown into a general-purpose client supporting several VPN protocols, and it runs on Windows, macOS, Linux and Android.

One of OpenConnect's strengths is its flexibility. It can be configured from the command line or through a graphical interface, and it is compatible with a range of VPN servers, including Cisco AnyConnect, Juniper SSL VPN and Palo Alto Networks GlobalProtect.

1. Installation

Official documentation: http://ocserv.gitlab.io/www/manual.html

http://ocserv.gitlab.io/www/index.html

http://ocserv.gitlab.io/www/download.html

https://gitlab.com/openconnect/ocserv

Client download:

https://software.cisco.com/download/home/286281283/type/282364313/release/4.10.08029

AnyConnect features

  • AnyConnect's VPN protocol uses UDP for data transport by default; if a network problem breaks the UDP path, it falls back to the TCP TLS channel established at the start as a backup channel, which lowers the chance of the VPN dropping.
  • As Cisco's current-generation VPN solution, AnyConnect is used by many large enterprises.

Checking the PPP/TUN environment

First check that TUN is enabled on the VPS (servers virtualised with OpenVZ very likely have it disabled by default).

cat /dev/net/tun
# the output must be:
cat: /dev/net/tun: File descriptor in bad state
#iptables
# clamp the TCP MSS to the path MTU automatically
iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

# enable NAT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

iptables -I INPUT -p tcp --dport 10028 -j ACCEPT # the port must match the one set in the ocserv configuration
iptables -I INPUT -p udp --dport 10028 -j ACCEPT

---- test
firewall-cmd --permanent --add-port=10028/tcp
firewall-cmd --permanent --add-port=10028/udp
firewall-cmd --permanent --add-masquerade
firewall-cmd --reload
----



# enable IPv4 forwarding
sysctl -w net.ipv4.ip_forward=1
# or edit the configuration file
vi /etc/sysctl.conf
net.ipv4.ip_forward = 1
net.ipv4.conf.all.proxy_arp = 1

iptables-save > /etc/iptables.rules



firewall-cmd --permanent --zone=public --add-port=2233/tcp
firewall-cmd --permanent --zone=public --add-port=2233/udp

firewall-cmd --permanent --add-masquerade
firewall-cmd --permanent --direct --passthrough ipv4 -t nat -A POSTROUTING -o eth0 -j MASQUERADE
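
The checks and rules above collected into one script. This is an added example, not part of the original page: it verifies the TUN device and IPv4 forwarding before touching the firewall, and inserts each iptables rule only if it is not already present, so re-running it after a reboot or a config change does not pile up duplicate rules. Port 10028 and interface eth0 are taken from the rules above; the file paths are parameters so the checks can be tried against ordinary files, and the script name preflight.sh is an assumption.

```shell
#!/bin/sh
# ocserv host pre-flight (added example; not from the original page).
# Port and WAN interface are assumptions that follow the page's iptables rules.
OCSERV_PORT="${OCSERV_PORT:-10028}"
WAN_IF="${WAN_IF:-eth0}"

# Succeed only if the TUN device node exists; ocserv cannot create its vpnsN
# interfaces without it (OpenVZ guests often lack it). The path is a parameter
# so the check can be exercised against a test path.
check_tun() {
    [ -c "${1:-/dev/net/tun}" ]
}

# Succeed only if IPv4 forwarding is switched on. Reads the procfs file given
# as $1 (default /proc/sys/net/ipv4/ip_forward) so the logic is testable on a
# plain file containing "0" or "1".
check_forwarding() {
    f="${1:-/proc/sys/net/ipv4/ip_forward}"
    [ -r "$f" ] && [ "$(tr -d '[:space:]' < "$f")" = "1" ]
}

# Insert an iptables rule only when it is not already present (iptables -C),
# so running the script twice does not stack duplicate rules.
# usage: ensure_rule <table> <chain> <rule spec...>
ensure_rule() {
    table="$1"; chain="$2"; shift 2
    iptables -t "$table" -C "$chain" "$@" 2>/dev/null \
        || iptables -t "$table" -I "$chain" "$@"
}

apply_rules() {
    # clamp the TCP MSS to the path MTU so tunnelled TCP sessions do not stall
    ensure_rule filter FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
    # NAT client traffic that leaves through the WAN interface
    ensure_rule nat POSTROUTING -o "$WAN_IF" -j MASQUERADE
    # accept the TLS (TCP) and DTLS (UDP) listeners on the port ocserv.conf uses
    ensure_rule filter INPUT -p tcp --dport "$OCSERV_PORT" -j ACCEPT
    ensure_rule filter INPUT -p udp --dport "$OCSERV_PORT" -j ACCEPT
}

main() {
    check_tun || { echo "missing /dev/net/tun: enable TUN on the VPS first" >&2; return 1; }
    check_forwarding || { echo "net.ipv4.ip_forward is not 1: fix /etc/sysctl.conf" >&2; return 1; }
    apply_rules && iptables-save > /etc/iptables.rules
}

# Only act when invoked as "sh preflight.sh apply"; sourcing the file just
# defines the functions.
if [ "${1:-}" = "apply" ]; then
    main
fi
```

Run it as root with `sh preflight.sh apply`. It drives iptables directly, matching the iptables variant above rather than the firewall-cmd one; on a firewalld host use the firewall-cmd lines instead, since the two tools fight over the same tables.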

Installation finished; visit https://xxx.com

Connecting

Windows:



# once the connection is up, the server side shows:
11: vpns0: <POINTOPOINT,UP,LOWER_UP> mtu 1326 qdisc pfifo_fast state UNKNOWN group default qlen 500
    link/none 
    inet 192.168.8.1 peer 192.168.8.242/32 scope global vpns0
       valid_lft forever preferred_lft forever
    inet6 fe80::b0ad:1e0f:6b17:e07d/64 scope link flags 800 
       valid_lft forever preferred_lft forever

Configuring ocserv

ocserv offers several authentication methods, chiefly:

  • pam: local system accounts
  • plain: accounts created with ocpasswd (a passwd file must be given; below I use /etc/ocserv/ocpasswd)
  • certificate: client certificate authentication
  • radius: RADIUS authentication
[root@openvpn anyconnect]$grep -A 5 "#auth" /etc/ocserv/ocserv.conf

#auth = "pam"
#auth = "pam[gid-min=1000]"
#auth = "plain[passwd=/etc/ocserv/ocpasswd]"
auth = "certificate"
#auth = "radius[config=/etc/radiusclient/radiusclient.conf,groupconfig=true]"

Configuration file walkthrough

# authentication method; certificate authentication is used here
auth = "certificate"
# maximum number of client connections
max-clients = 50
# maximum simultaneous connections from the same client
max-same-clients = 10
# improves VPN speed and stability
try-mtu-discovery = true
# server certificate path
server-cert = /etc/ocserv/server-cert.pem
# server key path
server-key = /etc/ocserv/server-key.pem
# CA certificate path; required for certificate authentication, comment it out for password authentication
ca-cert = /etc/ocserv/ca-cert.pem
# ensures the server reads the user certificate correctly (user certificates are used later)
cert-user-oid = 2.5.4.3
# IP range handed out to VPN clients, and the DNS server
ipv4-network = 10.0.81.0
ipv4-netmask = 255.255.255.0
dns = 114.114.114.114
# set route entries to reach only the internal ranges below; with every route commented out, all traffic goes through the VPN
route = 10.0.0.0/255.255.255.0

Tuning

dpd = 900
mobile-dpd = 1800
output-buffer = 23000
idle-timeout = 3600
try-mtu-discovery = true
compression = true

1. Commands

  • Show the version
#ocserv -v ocserv

ocserv 1.1.6

Compiled with: seccomp, tcp-wrappers, PKCS#11, AnyConnect
GnuTLS version: 3.5.18

1.1 Management commands

Show server status

occtl -n show status

Show online users

occtl -n show users

Disconnect a user

occtl disconnect user username
occtl disconnect id userid

1.2 User management

Create a user

ocpasswd -c /etc/ocserv/ocpasswd username

Add a user to a group:

ocpasswd -c /etc/ocserv/ocpasswd -g groupname username

Lock a user

ocpasswd -c /etc/ocserv/ocpasswd -l username

Unlock a user

ocpasswd -c /etc/ocserv/ocpasswd -u username

Delete a user:

ocpasswd -c /etc/ocserv/ocpasswd -d username

More commands:

occtl --help

2. Ubuntu 18.04

/etc/init.d/ocserv start
# start ocserv

/etc/init.d/ocserv stop
# stop ocserv

/etc/init.d/ocserv restart
# restart ocserv

/etc/init.d/ocserv status
# show the ocserv service status

/etc/init.d/ocserv log
# view the ocserv log

/etc/init.d/ocserv test
# test whether the ocserv configuration file is valid


Configuration file: /etc/ocserv/ocserv.conf

Account file: /etc/ocserv/ocpasswd

Log file: /tmp/ocserv.log

3. Production configuration file

auth = "plain[passwd=/etc/ocserv/ocpasswd]"
#listen-host = 127.0.0.1
tcp-port = 443
udp-port = 443
run-as-user = root
run-as-group = daemon
socket-file = /var/run/ocserv-socket



server-cert = /etc/ocserv/ssl/9495244_sike.freehan.ink.pem
server-key = /etc/ocserv/ssl/9495244_sike.freehan.ink.key.pem
#server-cert = /etc/ocserv/ssl/server-cert.pem
#server-key = /etc/ocserv/ssl/server-key.pem
#ca-cert = /etc/ocserv/ssl/ca-cert.pem


isolate-workers = true
# Maximum number of clients allowed. Default 16; 0 means unlimited.
max-clients = 0

# Number of devices one user may use at the same time. Default 2; 0 means unlimited.
max-same-clients = 2

rate-limit-ms = 0
server-stats-reset-time = 604800

# By default OpenConnect sends a keepalive packet every 9 hours (32400 seconds), which is far too long. Set it to 60 seconds to reduce the chance of the VPN connection being dropped.
keepalive = 60

dpd = 900
mobile-dpd = 1900
switch-to-tcp-timeout = 25

# Set try-mtu-discovery to true to enable MTU discovery; it improves VPN performance.
try-mtu-discovery = true
compression = true

tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-RSA:-VERS-SSL3.0:-ARCFOUR-128:-VERS-TLS1.0:-VERS-TLS1.1"
auth-timeout = 240
idle-timeout = 86400
mobile-idle-timeout = 86400
min-reauth-time = 300
max-ban-score = 80
ban-reset-time = 1200
cookie-timeout = 300
deny-roaming = false
rekey-time = 172800
rekey-method = ssl
use-occtl = true
pid-file = /var/run/ocserv.pid
net-priority = 6
device = vpns
predictable-ips = true

default-domain = sike.freehan.ink
#listen-proxy-proto = true
#proxy-url = https://sike.freehan.ink:443

# must not overlap the server's own network or the local LAN
ipv4-network = 192.168.8.0
ipv4-netmask = 255.255.255.0
# An alternative way of specifying the network:
#ipv4-network = 192.168.1.0/24
# The IPv6 subnet that leases will be given from.
#ipv6-network = fda9:4efe:7e3b:03ea::/48 
# Specify the size of the network to provide to clients. It is
# generally recommended to provide clients with a /64 network in
# IPv6, but any subnet may be specified. To provide clients only
# with a single IP use the prefix 128.
#ipv6-subnet-prefix = 128
#ipv6-subnet-prefix = 64

# tunnel-all-dns = true
dns = 8.8.8.8
dns = 8.8.4.4
ping-leases = false

no-route = 1.0.0.0/255.192.0.0
no-route = 1.64.0.0/255.224.0.0
no-route = 1.112.0.0/255.248.0.0
no-route = 1.176.0.0/255.240.0.0
no-route = 1.192.0.0/255.240.0.0
no-route = 14.0.0.0/255.224.0.0
no-route = 14.96.0.0/255.224.0.0
no-route = 14.128.0.0/255.224.0.0
no-route = 14.192.0.0/255.224.0.0
no-route = 27.0.0.0/255.192.0.0
no-route = 27.96.0.0/255.224.0.0
no-route = 27.128.0.0/255.224.0.0
no-route = 27.176.0.0/255.240.0.0
no-route = 27.192.0.0/255.224.0.0
no-route = 27.224.0.0/255.252.0.0
no-route = 36.0.0.0/255.192.0.0
no-route = 36.96.0.0/255.224.0.0
no-route = 36.128.0.0/255.192.0.0
no-route = 36.192.0.0/255.224.0.0
no-route = 36.240.0.0/255.240.0.0
no-route = 39.0.0.0/255.255.0.0
no-route = 39.64.0.0/255.224.0.0
no-route = 39.96.0.0/255.240.0.0
no-route = 39.128.0.0/255.192.0.0
no-route = 40.72.0.0/255.254.0.0
no-route = 40.124.0.0/255.252.0.0
no-route = 42.0.0.0/255.248.0.0
no-route = 42.48.0.0/255.240.0.0
no-route = 42.80.0.0/255.240.0.0
no-route = 42.96.0.0/255.224.0.0
no-route = 42.128.0.0/255.128.0.0
no-route = 43.224.0.0/255.224.0.0
no-route = 45.65.16.0/255.255.240.0
no-route = 45.112.0.0/255.240.0.0
no-route = 45.248.0.0/255.248.0.0
no-route = 47.92.0.0/255.252.0.0
no-route = 47.96.0.0/255.224.0.0
no-route = 49.0.0.0/255.128.0.0
no-route = 49.128.0.0/255.224.0.0
no-route = 49.192.0.0/255.192.0.0
no-route = 52.80.0.0/255.252.0.0
no-route = 54.222.0.0/255.254.0.0
no-route = 58.0.0.0/255.128.0.0
no-route = 58.128.0.0/255.224.0.0
no-route = 58.192.0.0/255.224.0.0
no-route = 58.240.0.0/255.240.0.0
no-route = 59.32.0.0/255.224.0.0
no-route = 59.64.0.0/255.224.0.0
no-route = 59.96.0.0/255.240.0.0
no-route = 59.144.0.0/255.240.0.0
no-route = 59.160.0.0/255.224.0.0
no-route = 59.192.0.0/255.192.0.0
no-route = 60.0.0.0/255.224.0.0
no-route = 60.48.0.0/255.240.0.0
no-route = 60.160.0.0/255.224.0.0
no-route = 60.192.0.0/255.192.0.0
no-route = 61.0.0.0/255.192.0.0
no-route = 61.80.0.0/255.248.0.0
no-route = 61.128.0.0/255.192.0.0
no-route = 61.224.0.0/255.224.0.0
no-route = 91.234.36.0/255.255.255.0
no-route = 101.0.0.0/255.128.0.0
no-route = 101.128.0.0/255.224.0.0
no-route = 101.192.0.0/255.240.0.0
no-route = 101.224.0.0/255.224.0.0
no-route = 103.0.0.0/255.0.0.0
no-route = 106.0.0.0/255.128.0.0
no-route = 106.224.0.0/255.240.0.0
no-route = 110.0.0.0/255.128.0.0
no-route = 110.144.0.0/255.240.0.0
no-route = 110.160.0.0/255.224.0.0
no-route = 110.192.0.0/255.192.0.0
no-route = 111.0.0.0/255.192.0.0
no-route = 111.64.0.0/255.224.0.0
no-route = 111.112.0.0/255.240.0.0
no-route = 111.128.0.0/255.192.0.0
no-route = 111.192.0.0/255.224.0.0
no-route = 111.224.0.0/255.240.0.0
no-route = 112.0.0.0/255.128.0.0
no-route = 112.128.0.0/255.240.0.0
no-route = 112.192.0.0/255.252.0.0
no-route = 112.224.0.0/255.224.0.0
no-route = 113.0.0.0/255.128.0.0
no-route = 113.128.0.0/255.240.0.0
no-route = 113.192.0.0/255.192.0.0
no-route = 114.16.0.0/255.240.0.0
no-route = 114.48.0.0/255.240.0.0
no-route = 114.64.0.0/255.192.0.0
no-route = 114.128.0.0/255.240.0.0
no-route = 114.192.0.0/255.192.0.0
no-route = 115.0.0.0/255.0.0.0
no-route = 116.0.0.0/255.0.0.0
no-route = 117.0.0.0/255.128.0.0
no-route = 117.128.0.0/255.192.0.0
no-route = 118.16.0.0/255.240.0.0
no-route = 118.64.0.0/255.192.0.0
no-route = 118.128.0.0/255.128.0.0
no-route = 119.0.0.0/255.128.0.0
no-route = 119.128.0.0/255.192.0.0
no-route = 119.224.0.0/255.224.0.0
no-route = 120.0.0.0/255.192.0.0
no-route = 120.64.0.0/255.224.0.0
no-route = 120.128.0.0/255.240.0.0
no-route = 120.192.0.0/255.192.0.0
no-route = 121.0.0.0/255.128.0.0
no-route = 121.192.0.0/255.192.0.0
no-route = 122.0.0.0/254.0.0.0
no-route = 124.0.0.0/255.0.0.0
no-route = 125.0.0.0/255.128.0.0
no-route = 125.160.0.0/255.224.0.0
no-route = 125.192.0.0/255.192.0.0
no-route = 137.59.59.0/255.255.255.0
no-route = 137.59.88.0/255.255.252.0
no-route = 139.0.0.0/255.224.0.0
no-route = 139.128.0.0/255.128.0.0
no-route = 140.64.0.0/255.240.0.0
no-route = 140.128.0.0/255.240.0.0
no-route = 140.192.0.0/255.192.0.0
no-route = 144.0.0.0/255.248.0.0
no-route = 144.12.0.0/255.255.0.0
no-route = 144.48.0.0/255.248.0.0
no-route = 144.123.0.0/255.255.0.0
no-route = 144.255.0.0/255.255.0.0
no-route = 146.196.0.0/255.255.128.0
no-route = 150.0.0.0/255.255.0.0
no-route = 150.96.0.0/255.224.0.0
no-route = 150.128.0.0/255.240.0.0
no-route = 150.192.0.0/255.192.0.0
no-route = 152.104.128.0/255.255.128.0
no-route = 153.0.0.0/255.192.0.0
no-route = 153.96.0.0/255.224.0.0
no-route = 157.0.0.0/255.255.0.0
no-route = 157.18.0.0/255.255.0.0
no-route = 157.61.0.0/255.255.0.0
no-route = 157.112.0.0/255.240.0.0
no-route = 157.144.0.0/255.240.0.0
no-route = 157.255.0.0/255.255.0.0
no-route = 159.226.0.0/255.255.0.0
no-route = 160.19.0.0/255.255.0.0
no-route = 160.20.48.0/255.255.252.0
no-route = 160.202.0.0/255.255.0.0
no-route = 160.238.64.0/255.255.252.0
no-route = 161.207.0.0/255.255.0.0
no-route = 162.105.0.0/255.255.0.0
no-route = 163.0.0.0/255.192.0.0
no-route = 163.96.0.0/255.224.0.0
no-route = 163.128.0.0/255.192.0.0
no-route = 163.192.0.0/255.224.0.0
no-route = 164.52.0.0/255.255.128.0
no-route = 166.111.0.0/255.255.0.0
no-route = 167.139.0.0/255.255.0.0
no-route = 167.189.0.0/255.255.0.0
no-route = 167.220.244.0/255.255.252.0
no-route = 168.160.0.0/255.255.0.0
no-route = 170.179.0.0/255.255.0.0
no-route = 171.0.0.0/255.128.0.0
no-route = 171.192.0.0/255.224.0.0
no-route = 175.0.0.0/255.128.0.0
no-route = 175.128.0.0/255.192.0.0
no-route = 180.64.0.0/255.192.0.0
no-route = 180.128.0.0/255.128.0.0
no-route = 182.0.0.0/255.0.0.0
no-route = 183.0.0.0/255.192.0.0
no-route = 183.64.0.0/255.224.0.0
no-route = 183.128.0.0/255.128.0.0
no-route = 192.124.154.0/255.255.255.0
no-route = 192.140.128.0/255.255.128.0
no-route = 195.78.82.0/255.255.254.0
no-route = 202.0.0.0/255.128.0.0
no-route = 202.128.0.0/255.192.0.0
no-route = 202.192.0.0/255.224.0.0
no-route = 203.0.0.0/255.0.0.0
no-route = 210.0.0.0/255.192.0.0
no-route = 210.64.0.0/255.224.0.0
no-route = 210.160.0.0/255.224.0.0
no-route = 210.192.0.0/255.224.0.0
no-route = 211.64.0.0/255.248.0.0
no-route = 211.80.0.0/255.240.0.0
no-route = 211.96.0.0/255.248.0.0
no-route = 211.136.0.0/255.248.0.0
no-route = 211.144.0.0/255.240.0.0
no-route = 211.160.0.0/255.248.0.0
no-route = 216.250.108.0/255.255.252.0
no-route = 218.0.0.0/255.128.0.0
no-route = 218.160.0.0/255.224.0.0
no-route = 218.192.0.0/255.192.0.0
no-route = 219.64.0.0/255.224.0.0
no-route = 219.128.0.0/255.224.0.0
no-route = 219.192.0.0/255.192.0.0
no-route = 220.96.0.0/255.224.0.0
no-route = 220.128.0.0/255.128.0.0
no-route = 221.0.0.0/255.224.0.0
no-route = 221.96.0.0/255.224.0.0
no-route = 221.128.0.0/255.128.0.0
no-route = 222.0.0.0/255.0.0.0
no-route = 223.0.0.0/255.224.0.0
no-route = 223.64.0.0/255.192.0.0
no-route = 223.128.0.0/255.128.0.0
cisco-client-compat = true
dtls-legacy = true
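
A quick audit of the uncommented settings in a file like the one above is worth keeping next to the config: it runs the workers as root, sets max-clients = 0, and relies on the tls-priorities string to keep old protocol versions out. The script below is an added example, not from the page or the ocserv project; it reads `key = value` lines and flags those points, and also covers the walkthrough config earlier on the page (auth = "certificate" must be paired with a ca-cert). The two embedded sample files are constructed for the test and only model settings shown on this page; the file name ocserv-audit.sh is an assumption.

```shell
#!/bin/sh
# ocserv.conf audit (added example; not from the original page or the ocserv project).

# Print the value of the first uncommented "key = value" line for KEY,
# with surrounding double quotes removed. usage: conf_get <key> <file>
conf_get() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" "$2" \
        | head -n 1 | sed 's/^"//; s/"$//'
}

# Audit one configuration file: print each finding on its own line and
# return the number of findings, so 0 means nothing was flagged.
audit_conf() {
    conf="$1"; n=0

    auth=$(conf_get auth "$conf")
    case "$auth" in
        "")
            echo "no auth method set"; n=$((n + 1)) ;;
        certificate*)
            if [ -z "$(conf_get ca-cert "$conf")" ]; then
                echo "auth=certificate but ca-cert is unset: client certificates cannot be verified"
                n=$((n + 1))
            fi ;;
        plain*)
            case "$auth" in
                *passwd=*) ;;
                *) echo "auth=plain without a passwd= file"; n=$((n + 1)) ;;
            esac ;;
    esac

    if [ "$(conf_get run-as-user "$conf")" = "root" ]; then
        echo "run-as-user=root: workers keep root privileges; use a dedicated user and chroot-dir"
        n=$((n + 1))
    fi

    # the GnuTLS priority string should explicitly remove old protocol versions
    tls=$(conf_get tls-priorities "$conf")
    for v in VERS-SSL3.0 VERS-TLS1.0 VERS-TLS1.1; do
        case "$tls" in
            *"-$v"*) ;;
            *) echo "tls-priorities does not explicitly remove $v"; n=$((n + 1)) ;;
        esac
    done

    if [ "$(conf_get max-clients "$conf")" = "0" ]; then
        echo "max-clients=0: no cap on concurrent sessions"
        n=$((n + 1))
    fi

    return "$n"
}

# Constructed sample modelled on the production config above (weak settings).
write_sample_weak() {
    cat > "$1" <<'EOF'
auth = "plain[passwd=/etc/ocserv/ocpasswd]"
tcp-port = 443
udp-port = 443
run-as-user = root
run-as-group = daemon
max-clients = 0
max-same-clients = 2
tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-VERS-SSL3.0"
EOF
}

# Constructed sample modelled on the certificate-mode config (hardened settings).
write_sample_hardened() {
    cat > "$1" <<'EOF'
#auth = "plain[passwd=/etc/ocserv/ocpasswd]"
auth = "certificate"
ca-cert = /etc/ocserv/ca-cert.pem
run-as-user = ocserv
run-as-group = ocserv
chroot-dir = /var/lib/ocserv
max-clients = 50
tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1"
EOF
}

# usage: sh ocserv-audit.sh /etc/ocserv/ocserv.conf
if [ -n "${1:-}" ]; then
    audit_conf "$1"
fi
```

The exit status is the number of findings, so the script drops into a deployment check as `sh ocserv-audit.sh /etc/ocserv/ocserv.conf || echo "review the config"`.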

https://zzongbh.github.io/c99fb8e8/

https://www.linuxbabe.com/redhat/openconnect-vpn-server-ocserv-centos-8

https://www.cnblogs.com/yueping/p/15842948.html

https://holmesian.org/linode-vps-centos-anyconnect

Split tunnelling

The no-route entries may need adjusting to match your own LAN. For domestic (China) address ranges, setting no-route keeps domestic traffic off the VPN so it is not slowed down by the tunnel.
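
What a no-route list actually does to a given destination, as an added example (not from the page): the script reads the no-route entries from an ocserv.conf, accepts both the dotted-netmask form used above and the a.b.c.d/NN form that ocserv also allows, and reports whether an address is sent direct or through the tunnel. The embedded sample file is constructed; 114.114.114.114 is the DNS server from the walkthrough config and 192.168.8.0 the client range from the production one.

```shell
#!/bin/sh
# Split-tunnel decision for ocserv no-route entries (added example; not from the page).

# Convert a dotted quad "a.b.c.d" to a 32-bit integer.
ip_to_int() {
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Accept either a dotted netmask (255.192.0.0) or a prefix length (10) and
# print the mask as an integer.
mask_to_int() {
    case "$1" in
        *.*) ip_to_int "$1" ;;
        *)   echo $(( (4294967295 << (32 - $1)) & 4294967295 )) ;;
    esac
}

# Succeed when ADDR lies inside NET/MASK. usage: in_subnet <addr> <net> <mask>
in_subnet() {
    m=$(mask_to_int "$3")
    [ $(( $(ip_to_int "$1") & m )) -eq $(( $(ip_to_int "$2") & m )) ]
}

# Print the first no-route entry of CONF that covers ADDR, or nothing.
matched_no_route() {   # usage: matched_no_route <addr> <conf>
    sed -n 's/^[[:space:]]*no-route[[:space:]]*=[[:space:]]*//p' "$2" \
    | while IFS=/ read -r net mask; do
        if in_subnet "$1" "$net" "$mask"; then
            echo "$net/$mask"
            break
        fi
    done
}

# Print "direct" when ADDR is excluded from the tunnel by a no-route entry,
# otherwise "vpn" (with no route entries at all, ocserv tunnels everything).
route_decision() {   # usage: route_decision <addr> <conf>
    if [ -n "$(matched_no_route "$1" "$2")" ]; then echo direct; else echo vpn; fi
}

# Constructed sample with entries in both syntaxes ocserv accepts.
write_sample_conf() {
    cat > "$1" <<'EOF'
ipv4-network = 192.168.8.0
ipv4-netmask = 255.255.255.0
no-route = 1.0.0.0/255.192.0.0
no-route = 114.64.0.0/255.192.0.0
no-route = 192.168.0.0/16
EOF
}

# usage: sh route-check.sh <addr> /etc/ocserv/ocserv.conf
if [ "$#" -eq 2 ]; then
    route_decision "$1" "$2"
fi
```

Checking the VPN's own client range or a corporate subnet against the list this way catches the overlap the comment above warns about before a client is cut off from the very network it tunnels to.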

4. Certificate mode

  • Configuration file
[root@openvpn anyconnect]$sed -e '/^#/d' /etc/ocserv/ocserv.conf | sed '/^$/d'
auth = "certificate"
tcp-port = 4333
udp-port = 4333
run-as-user = ocserv
run-as-group = ocserv
socket-file = ocserv.sock
chroot-dir = /var/lib/ocserv
isolate-workers = true
max-clients = 50
max-same-clients = 10
keepalive = 32400
dpd = 90
mobile-dpd = 1800
switch-to-tcp-timeout = 25
try-mtu-discovery = true
server-cert = /etc/ocserv/server-cert.pem
server-key = /etc/ocserv/server-key.pem
ca-cert = /etc/ocserv/ca-cert.pem
cert-user-oid = 2.5.4.3
tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-VERS-SSL3.0"
auth-timeout = 240
min-reauth-time = 300
max-ban-score = 50
ban-reset-time = 300
cookie-timeout = 300
deny-roaming = false
rekey-time = 172800
rekey-method = ssl
use-occtl = true
pid-file = /var/run/ocserv.pid
device = vpns
predictable-ips = true
default-domain = example.com
ipv4-network = 10.0.81.0
ipv4-netmask = 255.255.255.0
dns = 114.114.114.114
ping-leases = false
route = 10.0.0.0/255.255.255.0
cisco-client-compat = true
dtls-legacy = true
user-profile = profile.xml

4.1 Creating a client certificate

[root@openvpn anyconnect]$vim gen-client.sh

#!/bin/bash
# usage: gen-client.sh <username> <ca directory>
set -euo pipefail

if [ $# -ne 2 ]; then
    echo "usage: $0 <username> <ca-dir>" >&2
    exit 1
fi

USER=$1
CA_DIR=$2
SERIAL=$(date +%s)

# the key and the .p12 bundle contain the private key; keep them owner-readable only
umask 077

# generate the client key
certtool --generate-privkey --outfile "$USER-key.pem"

# generate the certificate template
cat << _EOF_ > user.tmpl
cn = "$USER"
unit = "users"
serial = "$SERIAL"
expiration_days = 9999
signing_key
tls_www_client
_EOF_

# generate the user certificate, signed by the CA
certtool --generate-certificate --load-privkey "$USER-key.pem" \
    --load-ca-certificate "$CA_DIR/ca-cert.pem" --load-ca-privkey "$CA_DIR/ca-key.pem" \
    --template user.tmpl --outfile "$USER-cert.pem"

# convert the certificate to PKCS#12 so the client can import it
openssl pkcs12 -export -inkey "$USER-key.pem" -in "$USER-cert.pem" \
    -name "$USER VPN Client Cert" -certfile "$CA_DIR/ca-cert.pem" -out "$USER.p12"

The official site uses the certtool command to convert the certificate to p12 format:

certtool --to-p12 --load-privkey user-key.pem --pkcs-cipher 3des-pkcs12 --load-certificate user-cert.pem --outfile user.p12 --outder

Create a user directory. For example, to create a client certificate for myself:

[root@openvpn anyconnect]$ mkdir han
[root@openvpn anyconnect]$cd han

# the script's $1 argument is the user name to create, $2 the directory holding the CA certificate.
# set a password for the certificate when prompted (recommended); an empty password also works, but Macs cannot import a certificate with an empty password.
[root@openvpn han]$../gen-client-cert.sh han ..


# once the script finishes, the certificate files are in the user directory:
[root@openvpn han]$ll
total 20
-rw-r--r--. 1 root root 1176 Jul 10 22:47 han-cert.pem
-rw-------. 1 root root 5826 Jul 10 22:47 han-key.pem
-rw-r--r--. 1 root root 3376 Jul 10 22:47 han.p12
-rw-r--r--. 1 root root  104 Jul 10 22:47 user.tmpl

Because the certificate is self-signed, turn off the option that blocks untrusted servers in the AnyConnect client.

5. Password mode

[root@openvpn ocserv]$vim ocserv.conf

# comment out the certificate-authentication settings
#auth = "certificate"
#ca-cert = /etc/ocserv/ca-cert.pem

# enable password authentication; passwd points at the ocpasswd file
auth = "plain[passwd=/etc/ocserv/ocpasswd]"

The rest of the configuration is much the same as for certificate authentication. After restarting the ocserv service, clients can log in to the VPN with a username and password.

6. Certificate and password authentication

ocserv's login authentication is powerful and flexible: several methods can be enabled at the same time.

For example, to allow login with either a password or a certificate:

# set the primary authentication method to password

#auth = "pam"
#auth = "pam[gid-min=1000]"
auth = "plain[passwd=/etc/ocserv/ocpasswd]"
#auth = "certificate"
#auth = "radius[config=/etc/radiusclient/radiusclient.conf,groupconfig=true]"

# enable certificate as the alternative method with "enable-auth"

# Specify alternative authentication methods that are sufficient
# for authentication. That is, if set, any of the methods enabled
# will be sufficient to login, irrespective of the main 'auth' entries.
# When multiple options are present, they are OR composed (any of them
# succeeding allows login).
enable-auth = "certificate"

# no other parameters in the configuration file need changing

After restarting the ocserv service, a client without a certificate is asked for a username and password to log in to the VPN; a client that has imported a certificate is not prompted for a password.

7. Revoking client certificates / accounts

Deleting an account (password)

#ocpasswd provides a delete option for removing users

[root@openvpn anyconnect]$ocpasswd --help
ocpasswd - OpenConnect server password utility
Usage:  ocpasswd [ -<flag> [<val>] | --<name>[{=| }<val>] ]... [username]

   -c, --passwd=file          Password file
   -g, --groupname=str        User's group name
   -d, --delete               Delete user
   -l, --lock                 Lock user
   -u, --unlock               Unlock user
   -v, --version              output version information and exit
   -h, --help                 display extended usage information and exit

# 删除我的账户

[root@openvpn anyconnect]$ocpasswd -c /etc/ocserv/ocpasswd -d han

Revoking a client certificate

1. Generate the crl.tmpl template file

[root@openvpn anyconnect]$cat << _EOF_ >crl.tmpl
crl_next_update = 365
crl_number = 1
_EOF_

[root@openvpn anyconnect]$cat crl.tmpl
crl_next_update = 365
crl_number = 1

2. Append a copy of the certificate to be revoked to the revoked.pem file

[root@openvpn anyconnect]$cat huangyong/huangyong-cert.pem >> revoked.pem

3. Generate the crl.pem file

certtool --generate-crl --load-ca-privkey ca-key.pem \
           --load-ca-certificate ca-cert.pem --load-certificate revoked.pem \
           --template crl.tmpl --outfile crl.pem

4. Edit the configuration file

[root@openvpn anyconnect]$vim /etc/ocserv/ocserv.conf

# Enable the crl parameter and point it at the crl.pem file
crl = /etc/anyconnect/crl.pem

5. Restart the ocserv service

8. Working with dnsmasq

dnsmasq: DNS request timed out for machines in local network. It turns out that listen-address must be set explicitly before dnsmasq answers requests from external clients; otherwise, even though the port is listening, only the local host is served (presumably dnsmasq checks the client IP against its own addresses and filters everything else).

Edit /etc/dnsmasq.conf on the VPN server and add:

listen-address=192.168.101.1
listen-address=VPN_SERVER_IP

Then restart dnsmasq and names resolve normally.

For safety, I actually listen only on the tun interface, so that only VPN clients can reach the DNS service.

9. Password file + second factor

Documentation: https://ocserv.gitlab.io/www/recipes-ocserv-2fa.html

https://github.com/archiecobbs/mod-authn-otp/wiki/UsersFile

Since version 0.10.9 it is possible to use ocserv’s password file for 2FA. It requires ocserv to be compiled with liboath

9.1 Create the OTP file

echo "HOTP/T30 han - $(head -c 16 /dev/urandom |xxd -c 256 -ps)" >> /etc/ocserv/users.oath


# Check the users.oath file
cat users.oath 
HOTP/T30 han - d3856253575278b553d7e2217263e6ae

# Install oathtool
apt install oathtool

oathtool --totp -w 5 d3856253575278b553d7e2217263e6ae
625845
466831
507674
845042
611568
079778

# Generate the QR code. OTP apps can add a token by scanning a QR code or by typing the secret in by hand; a QR code is easier to scan. First convert the KEY to base32 with the command below (replace the value after 0x with your own KEY)
echo 0xd3856253575278b553d7e2217263e6ae | xxd -r -c 256 | base32
2OCWEU2XKJ4LKU6X4IQXEY7GVY======

# Create a QR code with qrencode
sudo apt-get install qrencode -y
echo "otpauth://totp/kay@example.com?secret=2OCWEU2XKJ4LKU6X4IQXEY7GVY&issuer=OpenConnect" | qrencode -o - -t UTF8

9.2 ocserv configuration

auth = "plain[passwd=/etc/ocserv/passwd,otp=/etc/ocserv/users.oath]"
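
An added example (not from the original post) that does in plain Python, without oathtool, what the commands in 9.1 do: parse a users.oath line, turn the hex secret into the base32 form the otpauth:// URI needs, and compute TOTP codes (RFC 6238) the way `oathtool --totp -w 5` prints them. The sample line reuses the secret shown above; the optional `/N` digits suffix on the token type is an assumption taken from the mod-authn-otp UsersFile format linked above.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed sample line in the users.oath format used on this page:
# "<token type> <user> <pin or '-'> <hex secret>"; the secret is the one
# shown above, as written by "head -c 16 /dev/urandom | xxd -ps".
SAMPLE_OATH_LINE = "HOTP/T30 han - d3856253575278b553d7e2217263e6ae"


def parse_oath_line(line):
    """Split one users.oath line into (user, pin, secret bytes, step, digits)."""
    token_type, user, pin, secret_hex = line.split()
    step, digits = None, 6                      # plain "HOTP" = counter based, 6 digits
    for part in token_type.split("/")[1:]:
        if part.startswith("T"):
            step = int(part[1:] or 30)          # "T30": time based, 30-second step
        else:
            digits = int(part)                  # assumed "/8"-style digits suffix
    return user, (None if pin == "-" else pin), bytes.fromhex(secret_hex), step, digits


def secret_to_base32(secret):
    """otpauth:// URIs carry the secret in base32 without the '=' padding."""
    return base64.b32encode(secret).decode().rstrip("=")


def otpauth_uri(label, secret, issuer="OpenConnect"):
    """The URI to put in the QR code, matching the qrencode command above."""
    return f"otpauth://totp/{label}?secret={secret_to_base32(secret)}&issuer={issuer}"


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, t=None, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with counter = floor(unix time / step)."""
    t = time.time() if t is None else t
    return hotp(secret, int(t) // step, digits)


def totp_window(secret, t=None, step=30, window=5, digits=6):
    """Codes for the current step and the next `window` steps, like `oathtool --totp -w 5`."""
    t = time.time() if t is None else t
    base = int(t) // step
    return [hotp(secret, base + i, digits) for i in range(window + 1)]


if __name__ == "__main__":
    user, pin, secret, step, digits = parse_oath_line(SAMPLE_OATH_LINE)
    print(otpauth_uri(f"{user}@example.com", secret))
    print(totp_window(secret, step=step, digits=digits))
```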

10. Rate limiting

(1) Create a configuration file for userA

        # vi /usr/local/ocserv/etc/config-per-user/userA

Add the following to that file:

        route = 192.168.11.0/24 # per-user route: the IP or subnet userA needs routed through the VPN
        rx-data-per-sec = 2000000 # receive rate limit
        tx-data-per-sec = 2000000  # transmit rate limit

(2) Edit ocserv's configuration file sample.conf

        # vi /usr/local/ocserv/etc/sample.conf

Add the following to sample.conf:

        config-per-user = /usr/local/ocserv/etc/config-per-user/

11. Logging user logins and logouts

Configuration file changes:

connect-script = /etc/ocserv/connect-script
disconnect-script = /etc/ocserv/connect-script

Contents of connect-script (one script serves both hooks and branches on $REASON):

#!/bin/bash
# Used for both connect-script and disconnect-script; ocserv passes the event
# in $REASON and the session details in USERNAME, DEVICE, IP_LOCAL, IP_REMOTE, IP_REAL

export LOGFILE=/etc/ocserv/login.log

#echo "$USERNAME : $REASON : $DEVICE"
case "$REASON" in
  connect)
    echo "$(date) $USERNAME connected" >> "$LOGFILE"
    echo "$(date) $REASON $USERNAME $DEVICE $IP_LOCAL $IP_REMOTE $IP_REAL" >> "$LOGFILE"
    ;;
  disconnect)
    echo "$(date) $USERNAME disconnected" >> "$LOGFILE"
    ;;
esac
exit 0

⚠️ Be sure to make the script executable with chmod +x connect-script; otherwise it cannot run and user logins fail with an error

Login and logout records are written to /etc/ocserv/login.log

12. Per-group permissions for password-authenticated users

Edit the configuration file

auth = "plain[passwd=/etc/ocserv/ocpasswd]"
#auth = "certificate"
#auth = "radius[config=/etc/ocserv/radiusclient.conf]"
#auth = "radius[config=/etc/radiusclient/radiusclient.conf,groupconfig=true]"
#auth = "radius [config=/etc/radcli/radiusclient.conf,groupconfig=false]"
#acct = "radius [config=/etc/radcli/radiusclient.conf,groupconfig=false]"
#acct = "radius [config=/etc/ocserv/radiusclient.conf]"
#enable-auth = "certificate"
#enable-auth = "gssapi"
#enable-auth = "gssapi[keytab=/etc/key.tab,require-local-user-map=true,tgt-freshness-time=900]"

config-per-group = /etc/ocserv/group/
#default-group-config = /etc/ocserv/group/users
#default-select-group = users
auto-select-group = false

In the password file /etc/ocserv/ocpasswd, the group goes between the username and the password hash, separated by ':'. Group names are free-form; each only needs to match a file under /etc/ocserv/group/

user1:group1:$5$124fVO/ctAyf.azb$ZR4GUQNtScnL3lPdSJqVUaAKNGb7
user2:group2:$5$bINdojFGGgzv0G84$YkPB5P.fZIZnH1uWr7IjapI4A
user3:group3:$5$WHVrqmSibrwtIayE$6tM9DNm9fIfzrVYqi4.nPBBO7
user4:$5$WHVrqmSibrwtIayE$6tM9DNm9fIfzrVYqi4.nPBBO7

user4 is assigned to no group, so it gets the default routes from ocserv.conf

Three further groups are defined:

  • group1
  • group2
  • group3

Each group needs to be granted the network resources its users may reach; create three files

/etc/ocserv/group/group1
/etc/ocserv/group/group2
/etc/ocserv/group/group3

Contents of group1:

route = 10.0.1.0/255.255.255.0
route = 10.0.0.0/255.255.255.0

Users in group1 can then reach 10.0.0.0/24 and 10.0.1.0/24

Contents of group2:

dns=223.5.5.5

With no route lines, all traffic of users in group2 is forwarded through the ocserv server

Contents of group3:

route = 10.0.0.2/255.255.255.255
route = 10.0.0.1/255.255.255.255
restrict-user-to-ports = "tcp(8080), tcp(80), udp(53), icmp()"

Users in group3 can then reach only the two IPs 10.0.0.1 and 10.0.0.2, and only on tcp/8080, tcp/80, udp/53 and ICMP

13. Certificate authentication

Edit ocserv.conf

# Certificate authentication only
auth = "certificate"

# Server TLS certificate
server-cert = /opt/certs/server_cert/ssl-cert.pem
server-key = /opt/certs/server_cert/ssl-key.pem

# CA root certificate
ca-cert = /opt/certs/ca_cert/ca-cert.pem

# Certificate field that identifies the user (2.5.4.3 = CN)
cert-user-oid = 2.5.4.3

# Certificate field that identifies the group (2.5.4.11 = OU). Keep this commented out,
# otherwise Cisco clients fail certificate authentication; the openconnect client is fine
#cert-group-oid = 2.5.4.11

# Cisco AnyConnect client compatibility
cisco-client-compat = true

The above enables certificate authentication only. If password authentication should be the primary method with certificate as the fallback:

auth = "plain[passwd=/etc/ocserv/ocpasswd]"
enable-auth = "certificate"

#auth = "radius[config=/etc/ocserv/radiusclient.conf]"
#auth = "radius[config=/etc/radiusclient/radiusclient.conf,groupconfig=true]"
#auth = "radius [config=/etc/radcli/radiusclient.conf,groupconfig=false]"
#acct = "radius [config=/etc/radcli/radiusclient.conf,groupconfig=false]"
#acct = "radius [config=/etc/ocserv/radiusclient.conf]"
# Specify alternative authentication methods that are sufficient
# for authentication. That is, if set, any of the methods enabled
# will be sufficient to login.
#enable-auth = "gssapi"
#enable-auth = "gssapi[keytab=/etc/key.tab,require-local-user-map=true,tgt-freshness-time=900]"

1. Certificate generation

vim gen_cert.sh

#!/bin/bash
# Interactive helper around GnuTLS certtool: CA, server and user certificates,
# plus a CRL for revoked user certificates.

function generate_ca() {
    # Generate a CA private key
    certtool --generate-privkey --rsa --bits 4096 --outfile ./ca_cert/ca-key.pem

    # Generate a self-signed CA certificate (expiration_days = -1 means no expiry)
    cat > ca-temp.txt <<EOF
cn = "Root CA"
organization = "vpn.test.cn"
serial = 001
expiration_days = -1
ca
signing_key
cert_signing_key
crl_signing_key
EOF

    certtool --generate-self-signed --load-privkey ./ca_cert/ca-key.pem --template ca-temp.txt --outfile ./ca_cert/ca-cert.pem
    rm ca-temp.txt
    exit 0
}

function generate_server_cert() {
    read -r -p "Enter Domain Name: " domain_name

    # Server private key
    certtool --generate-privkey --rsa --bits 4096 --outfile "./server_cert/$domain_name-key.pem"

    # Server certificate template. The serial is fixed here; bump it whenever the
    # server certificate is reissued, since serials under one CA must be unique.
    cat <<EOF >server-temp.txt
cn = $domain_name
organization = $domain_name
serial = 2
expiration_days = 360
signing_key
encryption_key
tls_www_server
dns_name = $domain_name
EOF

    certtool --generate-certificate --hash SHA256 --load-privkey "./server_cert/$domain_name-key.pem" --load-ca-certificate ./ca_cert/ca-cert.pem --load-ca-privkey ./ca_cert/ca-key.pem --template server-temp.txt --outfile "./server_cert/$domain_name-cert.pem"
    rm server-temp.txt
    exit 0
}

function generate_user_cert() {
    read -r -p "Enter Username: " username
    read -r -p "Enter Group: " group

    # User private key
    certtool --generate-privkey --rsa --bits 4096 --outfile "./user_cert/$username-key.pem"

    # User certificate template: cn is what cert-user-oid = 2.5.4.3 reads as the
    # username, unit (OU) is what cert-group-oid = 2.5.4.11 reads as the group
    echo "cn = $username" > user-temp.txt
    #echo "uid = $username" >> user-temp.txt
    echo "organization = vpn.test.cn" >> user-temp.txt
    echo "unit = $group" >> user-temp.txt
    echo "signing_key" >> user-temp.txt
    echo "tls_www_client" >> user-temp.txt
    certtool --generate-certificate --hash SHA256 --load-privkey "./user_cert/$username-key.pem" --load-ca-certificate ./ca_cert/ca-cert.pem --load-ca-privkey ./ca_cert/ca-key.pem --template user-temp.txt --outfile "./user_cert/$username-cert.pem"
    rm user-temp.txt

    # User certificate and key bundled as PKCS#12 for import into the client
    openssl pkcs12 -export -in "./user_cert/$username-cert.pem" -inkey "./user_cert/$username-key.pem" -certfile ./ca_cert/ca-cert.pem -out "./user_cert/$username.p12" -name "$username User Certificate"

    #certtool --to-p12 --load-privkey ./user_cert/$username-key.pem --load-certificate ./user_cert/$username-cert.pem --pkcs-cipher 3des-pkcs12 --outfile ./user_cert/$username-ios.p12 --outder

    exit 0
}

function revoke_user_cert() {
    read -r -p "Enter Username to Revoke: " username

    # Keep every revoked certificate in revoked.pem and build the CRL from that file:
    # certtool lists only the certificates it is given, so loading just the newest
    # one would silently un-revoke every user revoked before it.
    cat "./user_cert/$username-cert.pem" >> revoked.pem
    echo "crl_next_update = 365" > revoke-temp.txt
    # The CRL number must increase on every regeneration
    echo "crl_number = $(date +%s)" >> revoke-temp.txt
    certtool --generate-crl --hash SHA256 --load-ca-privkey ./ca_cert/ca-key.pem --load-ca-certificate ./ca_cert/ca-cert.pem --load-certificate revoked.pem --template revoke-temp.txt --outfile crl.pem
    rm revoke-temp.txt
    exit 0
}

dirs=("ca_cert" "server_cert" "user_cert")

# Make sure the output directories exist
for dir in "${dirs[@]}"
do
    # Create the directory if it does not exist
    if [[ ! -d $dir ]]; then
        echo "Directory $dir does not exist. Creating now..."
        mkdir "$dir"
        echo "Directory $dir created."
    else
        echo "Directory $dir exists."
    fi
done


PS3='Please enter your choice: '

options=("Generate CA Certificate" "Generate Server Certificate" "Generate User Certificate" "Revoke User Certificate" "Quit")
select opt in "${options[@]}"
do
    case $opt in
        "Generate CA Certificate")
            generate_ca
            ;;
        "Generate Server Certificate")
            generate_server_cert
            ;;
        "Generate User Certificate")
            generate_user_cert
            ;;
        "Revoke User Certificate")
            revoke_user_cert
            ;;
        "Quit")
            break
            ;;
        *) echo "invalid option $REPLY";;
    esac
done

2. Group configuration with certificate authentication

⚠️ In testing, the openconnect client works but the Cisco AnyConnect client cannot log in

If, with certificate authentication, users should also receive permissions according to their group:

The generated user certificate must carry an OU attribute; the server determines the group from the OU

Also edit ocserv.conf

# Certificate authentication only
auth = "certificate"

# Server TLS certificate
server-cert = /opt/certs/server_cert/ssl-cert.pem
server-key = /opt/certs/server_cert/ssl-key.pem

# CA root certificate
ca-cert = /opt/certs/ca_cert/ca-cert.pem

# Certificate field that identifies the user (2.5.4.3 = CN)
cert-user-oid = 2.5.4.3

# Certificate field that identifies the group (2.5.4.11 = OU). With this enabled the Cisco
# client fails certificate authentication; it has to be commented out for Cisco clients
cert-group-oid = 2.5.4.11

# Cisco AnyConnect client compatibility
cisco-client-compat = true

config-per-group = /etc/ocserv/group/
#default-group-config = /etc/ocserv/group/users
#default-select-group = users
auto-select-group = true

3. Group permissions

Configure three groups: user1, user2 and admin

Create three files user1, user2 and admin under /etc/ocserv/group

user1: (split DNS)

dns =223.5.5.5
dns =114.114.114.114
split-dns = wiki.test.cn
route = 10.0.1.0/255.255.255.0

user2: (restricted to specific ports)

dns =223.5.5.5
route = 10.0.0.2/255.255.255.255
route = 10.0.0.1/255.255.255.255
restrict-user-to-ports = "tcp(8080), tcp(445), tcp(80), udp(443), sctp(99), tcp(583), icmp(), icmpv6()"

admin: (all traffic through the VPN)

dns=223.5.5.5
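
An added example (not from the original post) for reviewing the group files of section 12 and of this section before deploying them: it parses `route`, `dns` and `restrict-user-to-ports` lines in the format shown above and answers whether members of a group would reach a given destination, protocol and port through the VPN. The sample group files are constructed from the ones above; the checker looks only at the group file itself, not at routes inherited from ocserv.conf, and the negated `!(...)` form follows the ocserv sample configuration.

```python
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed group files in the format shown on this page
GROUP3 = """\
route = 10.0.0.2/255.255.255.255
route = 10.0.0.1/255.255.255.255
restrict-user-to-ports = "tcp(8080), tcp(80), udp(53), icmp()"
"""
GROUP2 = "dns=223.5.5.5\n"          # no route lines: full tunnel, everything goes via ocserv

PORT_RE = re.compile(r"([a-z0-9]+)\((\d*)\)")


@dataclass
class GroupPolicy:
    routes: list = field(default_factory=list)  # ip_network objects; empty means full tunnel
    dns: list = field(default_factory=list)
    ports: set = field(default_factory=set)     # {(proto, port or None)}; empty means no restriction
    negated: bool = False                       # True for the "!( ... )" form: listed ports are blocked


def parse_group_file(text):
    """Parse the route/dns/restrict-user-to-ports lines of one config-per-group file."""
    policy = GroupPolicy()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()     # drop trailing comments like the userA example
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key == "route":
            # ipaddress accepts both 10.0.0.0/24 and 10.0.0.0/255.255.255.0
            policy.routes.append(ipaddress.ip_network(value, strict=False))
        elif key == "dns":
            policy.dns.append(value)
        elif key == "restrict-user-to-ports":
            spec = value.strip('"')
            policy.negated = spec.startswith("!")
            for proto, port in PORT_RE.findall(spec):
                policy.ports.add((proto, int(port) if port else None))
    return policy


def is_reachable(policy, dst, proto, port=None):
    """Would members of this group reach dst over proto/port through the VPN?"""
    if policy.routes and not any(ipaddress.ip_address(dst) in net for net in policy.routes):
        return False                            # destination is not routed into the tunnel
    if not policy.ports:
        return True                             # no port restriction configured
    listed = (proto, port) in policy.ports      # icmp() is stored as ("icmp", None)
    return not listed if policy.negated else listed


if __name__ == "__main__":
    g3 = parse_group_file(GROUP3)
    for dst, proto, port in [("10.0.0.1", "tcp", 80), ("10.0.0.1", "tcp", 22), ("10.0.0.3", "tcp", 80)]:
        print(dst, proto, port, "reachable" if is_reachable(g3, dst, proto, port) else "blocked")
```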

2. ocserv with dnsmasq

2.1 Install dnsmasq

Ubuntu 22.04 uses systemd-resolved by default, which can bypass dnsmasq. Stop systemd-resolved:

systemctl stop systemd-resolved
systemctl disable systemd-resolved

apt update
apt install dnsmasq -y
  • Configure resolv.conf

echo "nameserver 172.31.21.98" | sudo tee /etc/resolv.conf

so that the local host also resolves through dnsmasq

2.2 Configure dnsmasq

  • Create the log directory and file

    mkdir /var/log/dnsmasq/
    touch /var/log/dnsmasq/dnsmasq.log
  • Configure dnsmasq and block specific sites

cat /etc/dnsmasq.conf

server=8.8.8.8
server=8.8.4.4
no-poll
clear-on-reload
no-negcache
resolv-file=/etc/resolv.dnsmasq.conf
strict-order
interface=eth0
listen-address=172.31.21.98,127.0.0.1,192.168.8.1
addn-hosts=/etc/dnsmasq.hosts
# number of cache entries (0 disables caching)
cache-size=0
# log every query
log-queries
log-facility=/var/log/dnsmasq/dnsmasq.log
conf-dir=/etc/dnsmasq.d
conf-dir=/etc/dnsmasq.d,.bak
conf-dir=/etc/dnsmasq.d/,*.conf
conf-dir=/etc/dnsmasq.d,.rpmnew,.rpmsave,.rpmorig


address=/youtube.com/0.0.0.0
address=/googlevideo.com/0.0.0.0
address=/youtube.com/::
address=/googlevideo.com/::
no-resolv

192.168.8.1 ---> the IP assigned by ocserv

2.3 Restart the service

systemctl restart dnsmasq

2.4 Configure ocserv

Point DNS at dnsmasq

dns = 172.31.21.98

  • Restart the service

systemctl restart ocserv

2.5 Test DNS resolution

  • Server-side test

$ nslookup www.youtube.com
Server:		127.0.0.1
Address:	127.0.0.1#53

Name:	www.youtube.com
Address: 0.0.0.0
Name:	www.youtube.com
Address: ::

# The block is working

# To check whether dnsmasq cached the answer
$ dig @172.31.21.98 youtube.com
  • ocserv client test

The client resolves the name to 0.0.0.0, which shows the block works