SRE文档 | SRE文档

0.安装

Anyconnect特点

AnyConnect的VPN协议默认使用UDP作为数据传输，但如果有什么网络问题导致UDP传输出现问题，它会利用最初建立的TCP TLS通道作为备份通道，降低VPN断开的概率。
AnyConnect作为Cisco新一代的VPN解决方案，被用于许多大型企业

检查PPP/TUN环境

首先要检查VPS的TUN是否开启(OpenVZ虚拟化的服务器很可能默认关闭)。

cat /dev/net/tun
# 返回的必须是：
cat: /dev/net/tun: File descriptor in bad state

cat /dev/net/tun
# 返回的必须是：
cat: /dev/net/tun: File descriptor in bad state

#iptables
#自动调整MTU
iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

#开启 NAT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

iptables -I INPUT -p tcp --dport 10028 -j ACCEPT # 端口应与ocserv配置中配置的端口对应
iptables -I INPUT -p udp --dport 10028 -j ACCEPT

---- test
firewall-cmd --permanent --add-port=10028/tcp
firewall-cmd --permanent --add-port=10028/udp
firewall-cmd --permanent --add-masquerade
firewall-cmd --reload
----



#开启 IPv4 转发
sysctl -w net.ipv4.ip_forward=1
# 或修改配置文件
vi /etc/sysctl.conf
net.ipv4.ip_forward = 1
net.ipv4.conf.all.proxy_arp = 1

iptables-save > /etc/iptables.rules



firewall-cmd --permanent --zone=public --add-port=2233/tcp
firewall-cmd --permanent --zone=public --add-port=2233/udp

firewall-cmd --permanent --add-masquerade
firewall-cmd --permanent --direct --passthrough ipv4 -t nat -A POSTROUTING -o eth0 -j MASQUERADE

#iptables
#自动调整MTU
iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

#开启 NAT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

iptables -I INPUT -p tcp --dport 10028 -j ACCEPT # 端口应与ocserv配置中配置的端口对应
iptables -I INPUT -p udp --dport 10028 -j ACCEPT

---- test
firewall-cmd --permanent --add-port=10028/tcp
firewall-cmd --permanent --add-port=10028/udp
firewall-cmd --permanent --add-masquerade
firewall-cmd --reload
----



#开启 IPv4 转发
sysctl -w net.ipv4.ip_forward=1
# 或修改配置文件
vi /etc/sysctl.conf
net.ipv4.ip_forward = 1
net.ipv4.conf.all.proxy_arp = 1

iptables-save > /etc/iptables.rules



firewall-cmd --permanent --zone=public --add-port=2233/tcp
firewall-cmd --permanent --zone=public --add-port=2233/udp

firewall-cmd --permanent --add-masquerade
firewall-cmd --permanent --direct --passthrough ipv4 -t nat -A POSTROUTING -o eth0 -j MASQUERADE

安装结束，访问https://xxx.com

连接

win：



#链接正常之后，服务端显示结果
11: vpns0: <POINTOPOINT,UP,LOWER_UP> mtu 1326 qdisc pfifo_fast state UNKNOWN group default qlen 500
    link/none 
    inet 192.168.8.1 peer 192.168.8.242/32 scope global vpns0
       valid_lft forever preferred_lft forever
    inet6 fe80::b0ad:1e0f:6b17:e07d/64 scope link flags 800 
       valid_lft forever preferred_lft forever



#链接正常之后，服务端显示结果
11: vpns0: <POINTOPOINT,UP,LOWER_UP> mtu 1326 qdisc pfifo_fast state UNKNOWN group default qlen 500
    link/none 
    inet 192.168.8.1 peer 192.168.8.242/32 scope global vpns0
       valid_lft forever preferred_lft forever
    inet6 fe80::b0ad:1e0f:6b17:e07d/64 scope link flags 800 
       valid_lft forever preferred_lft forever

配置ocserv

Ocserv提供了多种认证登录方式.主要有:

pam本地系统账户
ocsrev创建的明文账户(需要指定passwd密码文件.下面我指定的是/etc/ocserv/ocpasswd)
certificate证书认证
redius认证

[root@openvpn anyconnect]$grep -A 5 "#auth" /etc/ocserv/ocserv.conf

#auth = "pam"
#auth = "pam[gid-min=1000]"
#auth = "plain[passwd=/etc/ocserv/ocpasswd]"
auth = "certificate"
#auth = "radius[config=/etc/radiusclient/radiusclient.conf,groupconfig=true]"

[root@openvpn anyconnect]$grep -A 5 "#auth" /etc/ocserv/ocserv.conf

#auth = "pam"
#auth = "pam[gid-min=1000]"
#auth = "plain[passwd=/etc/ocserv/ocpasswd]"
auth = "certificate"
#auth = "radius[config=/etc/radiusclient/radiusclient.conf,groupconfig=true]"

配置文件解析

#认证方式,这里使用了certificate证书认证  
auth = "certificate"  
#最大客户端连接数    
max-clients = 50   
#同一客户端最大同时连接数    
max-same-clients = 10    
#优化VPN速度和稳定性 
try-mtu-discovery = true  
#服务端证书路径  
server-cert = /etc/ocserv/server-cert.pem  
#服务端key路径 
server-key = /etc/ocserv/server-key.pem  
#ca证书路径,如果是证书验证则需要开启这个参数,如果是密码认证,则注释掉  
ca-cert = /etc/ocserv/ca-cert.pem  
# 确保服务器正确读取用户证书（后面会用到用户证书） 
cert-user-oid = 2.5.4.3  
#分发给VPN客户端的IP地址范围,DNS地址  
ipv4-network = 10.0.81.0  
ipv4-netmask = 255.255.255.0  
dns = 114.114.114.114  
#如果仅仅是访问以下内网地址则指定route参数,如果注释所有route参数则表示所有流量走VPN  
route = 10.0.0.0/255.255.255.0

#认证方式,这里使用了certificate证书认证  
auth = "certificate"  
#最大客户端连接数    
max-clients = 50   
#同一客户端最大同时连接数    
max-same-clients = 10    
#优化VPN速度和稳定性 
try-mtu-discovery = true  
#服务端证书路径  
server-cert = /etc/ocserv/server-cert.pem  
#服务端key路径 
server-key = /etc/ocserv/server-key.pem  
#ca证书路径,如果是证书验证则需要开启这个参数,如果是密码认证,则注释掉  
ca-cert = /etc/ocserv/ca-cert.pem  
# 确保服务器正确读取用户证书（后面会用到用户证书） 
cert-user-oid = 2.5.4.3  
#分发给VPN客户端的IP地址范围,DNS地址  
ipv4-network = 10.0.81.0  
ipv4-netmask = 255.255.255.0  
dns = 114.114.114.114  
#如果仅仅是访问以下内网地址则指定route参数,如果注释所有route参数则表示所有流量走VPN  
route = 10.0.0.0/255.255.255.0

优化

dpd = 900
mobile-dpd = 1800
output-buffer = 23000
idle-timeout = 3600
try-mtu-discovery = true
compression = true

dpd = 900
mobile-dpd = 1800
output-buffer = 23000
idle-timeout = 3600
try-mtu-discovery = true
compression = true

1.命令操作

查看版本

bash

#ocserv -v ocserv

ocserv 1.1.6

Compiled with: seccomp, tcp-wrappers, PKCS#11, AnyConnect
GnuTLS version: 3.5.18

#ocserv -v ocserv

ocserv 1.1.6

Compiled with: seccomp, tcp-wrappers, PKCS#11, AnyConnect
GnuTLS version: 3.5.18

1.1管理命令

查看服务状态

occtl -n show status

occtl -n show status

查看在线用户

occtl -n show users

occtl -n show users

剔除当前用户

occtl disconnect user username
occtl disconnect id userid

occtl disconnect user username
occtl disconnect id userid

1.2用户管理

创建用户

ocpasswd -c /etc/ocserv/ocpasswd username

ocpasswd -c /etc/ocserv/ocpasswd username

添加用户到组：

ocpasswd -c /etc/ocserv/ocpasswd -g groupname username

ocpasswd -c /etc/ocserv/ocpasswd -g groupname username

锁定用户

ocpasswd -c /etc/ocserv/ocpasswd -l username

ocpasswd -c /etc/ocserv/ocpasswd -l username

解锁用户

ocpasswd -c /etc/ocserv/ocpasswd -u username

ocpasswd -c /etc/ocserv/ocpasswd -u username

删除用户：

ocpasswd -c /etc/ocserv/ocpasswd -d username

ocpasswd -c /etc/ocserv/ocpasswd -d username

更多命令：

occtl --help

occtl --help

2.ubuntu18.04

/etc/init.d/ocserv start
# 启动 ocserv

/etc/init.d/ocserv stop
# 停止 ocserv

/etc/init.d/ocserv restart
# 重启 ocserv

/etc/init.d/ocserv status
# 查看 ocserv 运行状态

/etc/init.d/ocserv log
# 查看 ocserv 运行日志

/etc/init.d/ocserv test
# 测试 ocserv 配置文件是否正确


配置文件：/etc/ocserv/ocserv.conf

账号配置文件：/etc/ocserv/ocpasswd

日志文件：/tmp/ocserv.log

/etc/init.d/ocserv start
# 启动 ocserv

/etc/init.d/ocserv stop
# 停止 ocserv

/etc/init.d/ocserv restart
# 重启 ocserv

/etc/init.d/ocserv status
# 查看 ocserv 运行状态

/etc/init.d/ocserv log
# 查看 ocserv 运行日志

/etc/init.d/ocserv test
# 测试 ocserv 配置文件是否正确


配置文件：/etc/ocserv/ocserv.conf

账号配置文件：/etc/ocserv/ocpasswd

日志文件：/tmp/ocserv.log

3.线上配置文件

auth = "plain[passwd=/etc/ocserv/ocpasswd]"
#listen-host = 127.0.0.1
tcp-port = 443
udp-port = 443
run-as-user = root
run-as-group = daemon
socket-file = /var/run/ocserv-socket



server-cert = /etc/ocserv/ssl/9495244_sike.freehan.ink.pem
server-key = /etc/ocserv/ssl/9495244_sike.freehan.ink.key.pem
#server-cert = /etc/ocserv/ssl/server-cert.pem
#server-key = /etc/ocserv/ssl/server-key.pem
#ca-cert = /etc/ocserv/ssl/ca-cert.pem


isolate-workers = true
max-clients = 0
max-same-clients = 2
rate-limit-ms = 0
server-stats-reset-time = 604800
keepalive = 32400

dpd = 900
mobile-dpd = 1900
switch-to-tcp-timeout = 25
try-mtu-discovery = true
compression = true

tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-RSA:-VERS-SSL3.0:-ARCFOUR-128:-VERS-TLS1.0:-VERS-TLS1.1"
auth-timeout = 240
idle-timeout = 86400
mobile-idle-timeout = 86400
min-reauth-time = 300
max-ban-score = 80
ban-reset-time = 1200
cookie-timeout = 300
deny-roaming = false
rekey-time = 172800
rekey-method = ssl
use-occtl = true
pid-file = /var/run/ocserv.pid
net-priority = 6
device = vpns
predictable-ips = true

default-domain = sike.freehan.ink
#listen-proxy-proto = true
#proxy-url = https://sike.freehan.ink:443

ipv4-network = 192.168.8.0
ipv4-netmask = 255.255.255.0
# An alternative way of specifying the network:
#ipv4-network = 192.168.1.0/24
# The IPv6 subnet that leases will be given from.
#ipv6-network = fda9:4efe:7e3b:03ea::/48 
# Specify the size of the network to provide to clients. It is
# generally recommended to provide clients with a /64 network in
# IPv6, but any subnet may be specified. To provide clients only
# with a single IP use the prefix 128.
#ipv6-subnet-prefix = 128
#ipv6-subnet-prefix = 64

# tunnel-all-dns = true
dns = 8.8.8.8
dns = 8.8.4.4
ping-leases = false

no-route = 1.0.0.0/255.192.0.0
no-route = 1.64.0.0/255.224.0.0
no-route = 1.112.0.0/255.248.0.0
no-route = 1.176.0.0/255.240.0.0
no-route = 1.192.0.0/255.240.0.0
no-route = 14.0.0.0/255.224.0.0
no-route = 14.96.0.0/255.224.0.0
no-route = 14.128.0.0/255.224.0.0
no-route = 14.192.0.0/255.224.0.0
no-route = 27.0.0.0/255.192.0.0
no-route = 27.96.0.0/255.224.0.0
no-route = 27.128.0.0/255.224.0.0
no-route = 27.176.0.0/255.240.0.0
no-route = 27.192.0.0/255.224.0.0
no-route = 27.224.0.0/255.252.0.0
no-route = 36.0.0.0/255.192.0.0
no-route = 36.96.0.0/255.224.0.0
no-route = 36.128.0.0/255.192.0.0
no-route = 36.192.0.0/255.224.0.0
no-route = 36.240.0.0/255.240.0.0
no-route = 39.0.0.0/255.255.0.0
no-route = 39.64.0.0/255.224.0.0
no-route = 39.96.0.0/255.240.0.0
no-route = 39.128.0.0/255.192.0.0
no-route = 40.72.0.0/255.254.0.0
no-route = 40.124.0.0/255.252.0.0
no-route = 42.0.0.0/255.248.0.0
no-route = 42.48.0.0/255.240.0.0
no-route = 42.80.0.0/255.240.0.0
no-route = 42.96.0.0/255.224.0.0
no-route = 42.128.0.0/255.128.0.0
no-route = 43.224.0.0/255.224.0.0
no-route = 45.65.16.0/255.255.240.0
no-route = 45.112.0.0/255.240.0.0
no-route = 45.248.0.0/255.248.0.0
no-route = 47.92.0.0/255.252.0.0
no-route = 47.96.0.0/255.224.0.0
no-route = 49.0.0.0/255.128.0.0
no-route = 49.128.0.0/255.224.0.0
no-route = 49.192.0.0/255.192.0.0
no-route = 52.80.0.0/255.252.0.0
no-route = 54.222.0.0/255.254.0.0
no-route = 58.0.0.0/255.128.0.0
no-route = 58.128.0.0/255.224.0.0
no-route = 58.192.0.0/255.224.0.0
no-route = 58.240.0.0/255.240.0.0
no-route = 59.32.0.0/255.224.0.0
no-route = 59.64.0.0/255.224.0.0
no-route = 59.96.0.0/255.240.0.0
no-route = 59.144.0.0/255.240.0.0
no-route = 59.160.0.0/255.224.0.0
no-route = 59.192.0.0/255.192.0.0
no-route = 60.0.0.0/255.224.0.0
no-route = 60.48.0.0/255.240.0.0
no-route = 60.160.0.0/255.224.0.0
no-route = 60.192.0.0/255.192.0.0
no-route = 61.0.0.0/255.192.0.0
no-route = 61.80.0.0/255.248.0.0
no-route = 61.128.0.0/255.192.0.0
no-route = 61.224.0.0/255.224.0.0
no-route = 91.234.36.0/255.255.255.0
no-route = 101.0.0.0/255.128.0.0
no-route = 101.128.0.0/255.224.0.0
no-route = 101.192.0.0/255.240.0.0
no-route = 101.224.0.0/255.224.0.0
no-route = 103.0.0.0/255.0.0.0
no-route = 106.0.0.0/255.128.0.0
no-route = 106.224.0.0/255.240.0.0
no-route = 110.0.0.0/255.128.0.0
no-route = 110.144.0.0/255.240.0.0
no-route = 110.160.0.0/255.224.0.0
no-route = 110.192.0.0/255.192.0.0
no-route = 111.0.0.0/255.192.0.0
no-route = 111.64.0.0/255.224.0.0
no-route = 111.112.0.0/255.240.0.0
no-route = 111.128.0.0/255.192.0.0
no-route = 111.192.0.0/255.224.0.0
no-route = 111.224.0.0/255.240.0.0
no-route = 112.0.0.0/255.128.0.0
no-route = 112.128.0.0/255.240.0.0
no-route = 112.192.0.0/255.252.0.0
no-route = 112.224.0.0/255.224.0.0
no-route = 113.0.0.0/255.128.0.0
no-route = 113.128.0.0/255.240.0.0
no-route = 113.192.0.0/255.192.0.0
no-route = 114.16.0.0/255.240.0.0
no-route = 114.48.0.0/255.240.0.0
no-route = 114.64.0.0/255.192.0.0
no-route = 114.128.0.0/255.240.0.0
no-route = 114.192.0.0/255.192.0.0
no-route = 115.0.0.0/255.0.0.0
no-route = 116.0.0.0/255.0.0.0
no-route = 117.0.0.0/255.128.0.0
no-route = 117.128.0.0/255.192.0.0
no-route = 118.16.0.0/255.240.0.0
no-route = 118.64.0.0/255.192.0.0
no-route = 118.128.0.0/255.128.0.0
no-route = 119.0.0.0/255.128.0.0
no-route = 119.128.0.0/255.192.0.0
no-route = 119.224.0.0/255.224.0.0
no-route = 120.0.0.0/255.192.0.0
no-route = 120.64.0.0/255.224.0.0
no-route = 120.128.0.0/255.240.0.0
no-route = 120.192.0.0/255.192.0.0
no-route = 121.0.0.0/255.128.0.0
no-route = 121.192.0.0/255.192.0.0
no-route = 122.0.0.0/254.0.0.0
no-route = 124.0.0.0/255.0.0.0
no-route = 125.0.0.0/255.128.0.0
no-route = 125.160.0.0/255.224.0.0
no-route = 125.192.0.0/255.192.0.0
no-route = 137.59.59.0/255.255.255.0
no-route = 137.59.88.0/255.255.252.0
no-route = 139.0.0.0/255.224.0.0
no-route = 139.128.0.0/255.128.0.0
no-route = 140.64.0.0/255.240.0.0
no-route = 140.128.0.0/255.240.0.0
no-route = 140.192.0.0/255.192.0.0
no-route = 144.0.0.0/255.248.0.0
no-route = 144.12.0.0/255.255.0.0
no-route = 144.48.0.0/255.248.0.0
no-route = 144.123.0.0/255.255.0.0
no-route = 144.255.0.0/255.255.0.0
no-route = 146.196.0.0/255.255.128.0
no-route = 150.0.0.0/255.255.0.0
no-route = 150.96.0.0/255.224.0.0
no-route = 150.128.0.0/255.240.0.0
no-route = 150.192.0.0/255.192.0.0
no-route = 152.104.128.0/255.255.128.0
no-route = 153.0.0.0/255.192.0.0
no-route = 153.96.0.0/255.224.0.0
no-route = 157.0.0.0/255.255.0.0
no-route = 157.18.0.0/255.255.0.0
no-route = 157.61.0.0/255.255.0.0
no-route = 157.112.0.0/255.240.0.0
no-route = 157.144.0.0/255.240.0.0
no-route = 157.255.0.0/255.255.0.0
no-route = 159.226.0.0/255.255.0.0
no-route = 160.19.0.0/255.255.0.0
no-route = 160.20.48.0/255.255.252.0
no-route = 160.202.0.0/255.255.0.0
no-route = 160.238.64.0/255.255.252.0
no-route = 161.207.0.0/255.255.0.0
no-route = 162.105.0.0/255.255.0.0
no-route = 163.0.0.0/255.192.0.0
no-route = 163.96.0.0/255.224.0.0
no-route = 163.128.0.0/255.192.0.0
no-route = 163.192.0.0/255.224.0.0
no-route = 164.52.0.0/255.255.128.0
no-route = 166.111.0.0/255.255.0.0
no-route = 167.139.0.0/255.255.0.0
no-route = 167.189.0.0/255.255.0.0
no-route = 167.220.244.0/255.255.252.0
no-route = 168.160.0.0/255.255.0.0
no-route = 170.179.0.0/255.255.0.0
no-route = 171.0.0.0/255.128.0.0
no-route = 171.192.0.0/255.224.0.0
no-route = 175.0.0.0/255.128.0.0
no-route = 175.128.0.0/255.192.0.0
no-route = 180.64.0.0/255.192.0.0
no-route = 180.128.0.0/255.128.0.0
no-route = 182.0.0.0/255.0.0.0
no-route = 183.0.0.0/255.192.0.0
no-route = 183.64.0.0/255.224.0.0
no-route = 183.128.0.0/255.128.0.0
no-route = 192.124.154.0/255.255.255.0
no-route = 192.140.128.0/255.255.128.0
no-route = 195.78.82.0/255.255.254.0
no-route = 202.0.0.0/255.128.0.0
no-route = 202.128.0.0/255.192.0.0
no-route = 202.192.0.0/255.224.0.0
no-route = 203.0.0.0/255.0.0.0
no-route = 210.0.0.0/255.192.0.0
no-route = 210.64.0.0/255.224.0.0
no-route = 210.160.0.0/255.224.0.0
no-route = 210.192.0.0/255.224.0.0
no-route = 211.64.0.0/255.248.0.0
no-route = 211.80.0.0/255.240.0.0
no-route = 211.96.0.0/255.248.0.0
no-route = 211.136.0.0/255.248.0.0
no-route = 211.144.0.0/255.240.0.0
no-route = 211.160.0.0/255.248.0.0
no-route = 216.250.108.0/255.255.252.0
no-route = 218.0.0.0/255.128.0.0
no-route = 218.160.0.0/255.224.0.0
no-route = 218.192.0.0/255.192.0.0
no-route = 219.64.0.0/255.224.0.0
no-route = 219.128.0.0/255.224.0.0
no-route = 219.192.0.0/255.192.0.0
no-route = 220.96.0.0/255.224.0.0
no-route = 220.128.0.0/255.128.0.0
no-route = 221.0.0.0/255.224.0.0
no-route = 221.96.0.0/255.224.0.0
no-route = 221.128.0.0/255.128.0.0
no-route = 222.0.0.0/255.0.0.0
no-route = 223.0.0.0/255.224.0.0
no-route = 223.64.0.0/255.192.0.0
no-route = 223.128.0.0/255.128.0.0
cisco-client-compat = true
dtls-legacy = true

auth = "plain[passwd=/etc/ocserv/ocpasswd]"
#listen-host = 127.0.0.1
tcp-port = 443
udp-port = 443
run-as-user = root
run-as-group = daemon
socket-file = /var/run/ocserv-socket



server-cert = /etc/ocserv/ssl/9495244_sike.freehan.ink.pem
server-key = /etc/ocserv/ssl/9495244_sike.freehan.ink.key.pem
#server-cert = /etc/ocserv/ssl/server-cert.pem
#server-key = /etc/ocserv/ssl/server-key.pem
#ca-cert = /etc/ocserv/ssl/ca-cert.pem


isolate-workers = true
max-clients = 0
max-same-clients = 2
rate-limit-ms = 0
server-stats-reset-time = 604800
keepalive = 32400

dpd = 900
mobile-dpd = 1900
switch-to-tcp-timeout = 25
try-mtu-discovery = true
compression = true

tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-RSA:-VERS-SSL3.0:-ARCFOUR-128:-VERS-TLS1.0:-VERS-TLS1.1"
auth-timeout = 240
idle-timeout = 86400
mobile-idle-timeout = 86400
min-reauth-time = 300
max-ban-score = 80
ban-reset-time = 1200
cookie-timeout = 300
deny-roaming = false
rekey-time = 172800
rekey-method = ssl
use-occtl = true
pid-file = /var/run/ocserv.pid
net-priority = 6
device = vpns
predictable-ips = true

default-domain = sike.freehan.ink
#listen-proxy-proto = true
#proxy-url = https://sike.freehan.ink:443

ipv4-network = 192.168.8.0
ipv4-netmask = 255.255.255.0
# An alternative way of specifying the network:
#ipv4-network = 192.168.1.0/24
# The IPv6 subnet that leases will be given from.
#ipv6-network = fda9:4efe:7e3b:03ea::/48 
# Specify the size of the network to provide to clients. It is
# generally recommended to provide clients with a /64 network in
# IPv6, but any subnet may be specified. To provide clients only
# with a single IP use the prefix 128.
#ipv6-subnet-prefix = 128
#ipv6-subnet-prefix = 64

# tunnel-all-dns = true
dns = 8.8.8.8
dns = 8.8.4.4
ping-leases = false

no-route = 1.0.0.0/255.192.0.0
no-route = 1.64.0.0/255.224.0.0
no-route = 1.112.0.0/255.248.0.0
no-route = 1.176.0.0/255.240.0.0
no-route = 1.192.0.0/255.240.0.0
no-route = 14.0.0.0/255.224.0.0
no-route = 14.96.0.0/255.224.0.0
no-route = 14.128.0.0/255.224.0.0
no-route = 14.192.0.0/255.224.0.0
no-route = 27.0.0.0/255.192.0.0
no-route = 27.96.0.0/255.224.0.0
no-route = 27.128.0.0/255.224.0.0
no-route = 27.176.0.0/255.240.0.0
no-route = 27.192.0.0/255.224.0.0
no-route = 27.224.0.0/255.252.0.0
no-route = 36.0.0.0/255.192.0.0
no-route = 36.96.0.0/255.224.0.0
no-route = 36.128.0.0/255.192.0.0
no-route = 36.192.0.0/255.224.0.0
no-route = 36.240.0.0/255.240.0.0
no-route = 39.0.0.0/255.255.0.0
no-route = 39.64.0.0/255.224.0.0
no-route = 39.96.0.0/255.240.0.0
no-route = 39.128.0.0/255.192.0.0
no-route = 40.72.0.0/255.254.0.0
no-route = 40.124.0.0/255.252.0.0
no-route = 42.0.0.0/255.248.0.0
no-route = 42.48.0.0/255.240.0.0
no-route = 42.80.0.0/255.240.0.0
no-route = 42.96.0.0/255.224.0.0
no-route = 42.128.0.0/255.128.0.0
no-route = 43.224.0.0/255.224.0.0
no-route = 45.65.16.0/255.255.240.0
no-route = 45.112.0.0/255.240.0.0
no-route = 45.248.0.0/255.248.0.0
no-route = 47.92.0.0/255.252.0.0
no-route = 47.96.0.0/255.224.0.0
no-route = 49.0.0.0/255.128.0.0
no-route = 49.128.0.0/255.224.0.0
no-route = 49.192.0.0/255.192.0.0
no-route = 52.80.0.0/255.252.0.0
no-route = 54.222.0.0/255.254.0.0
no-route = 58.0.0.0/255.128.0.0
no-route = 58.128.0.0/255.224.0.0
no-route = 58.192.0.0/255.224.0.0
no-route = 58.240.0.0/255.240.0.0
no-route = 59.32.0.0/255.224.0.0
no-route = 59.64.0.0/255.224.0.0
no-route = 59.96.0.0/255.240.0.0
no-route = 59.144.0.0/255.240.0.0
no-route = 59.160.0.0/255.224.0.0
no-route = 59.192.0.0/255.192.0.0
no-route = 60.0.0.0/255.224.0.0
no-route = 60.48.0.0/255.240.0.0
no-route = 60.160.0.0/255.224.0.0
no-route = 60.192.0.0/255.192.0.0
no-route = 61.0.0.0/255.192.0.0
no-route = 61.80.0.0/255.248.0.0
no-route = 61.128.0.0/255.192.0.0
no-route = 61.224.0.0/255.224.0.0
no-route = 91.234.36.0/255.255.255.0
no-route = 101.0.0.0/255.128.0.0
no-route = 101.128.0.0/255.224.0.0
no-route = 101.192.0.0/255.240.0.0
no-route = 101.224.0.0/255.224.0.0
no-route = 103.0.0.0/255.0.0.0
no-route = 106.0.0.0/255.128.0.0
no-route = 106.224.0.0/255.240.0.0
no-route = 110.0.0.0/255.128.0.0
no-route = 110.144.0.0/255.240.0.0
no-route = 110.160.0.0/255.224.0.0
no-route = 110.192.0.0/255.192.0.0
no-route = 111.0.0.0/255.192.0.0
no-route = 111.64.0.0/255.224.0.0
no-route = 111.112.0.0/255.240.0.0
no-route = 111.128.0.0/255.192.0.0
no-route = 111.192.0.0/255.224.0.0
no-route = 111.224.0.0/255.240.0.0
no-route = 112.0.0.0/255.128.0.0
no-route = 112.128.0.0/255.240.0.0
no-route = 112.192.0.0/255.252.0.0
no-route = 112.224.0.0/255.224.0.0
no-route = 113.0.0.0/255.128.0.0
no-route = 113.128.0.0/255.240.0.0
no-route = 113.192.0.0/255.192.0.0
no-route = 114.16.0.0/255.240.0.0
no-route = 114.48.0.0/255.240.0.0
no-route = 114.64.0.0/255.192.0.0
no-route = 114.128.0.0/255.240.0.0
no-route = 114.192.0.0/255.192.0.0
no-route = 115.0.0.0/255.0.0.0
no-route = 116.0.0.0/255.0.0.0
no-route = 117.0.0.0/255.128.0.0
no-route = 117.128.0.0/255.192.0.0
no-route = 118.16.0.0/255.240.0.0
no-route = 118.64.0.0/255.192.0.0
no-route = 118.128.0.0/255.128.0.0
no-route = 119.0.0.0/255.128.0.0
no-route = 119.128.0.0/255.192.0.0
no-route = 119.224.0.0/255.224.0.0
no-route = 120.0.0.0/255.192.0.0
no-route = 120.64.0.0/255.224.0.0
no-route = 120.128.0.0/255.240.0.0
no-route = 120.192.0.0/255.192.0.0
no-route = 121.0.0.0/255.128.0.0
no-route = 121.192.0.0/255.192.0.0
no-route = 122.0.0.0/254.0.0.0
no-route = 124.0.0.0/255.0.0.0
no-route = 125.0.0.0/255.128.0.0
no-route = 125.160.0.0/255.224.0.0
no-route = 125.192.0.0/255.192.0.0
no-route = 137.59.59.0/255.255.255.0
no-route = 137.59.88.0/255.255.252.0
no-route = 139.0.0.0/255.224.0.0
no-route = 139.128.0.0/255.128.0.0
no-route = 140.64.0.0/255.240.0.0
no-route = 140.128.0.0/255.240.0.0
no-route = 140.192.0.0/255.192.0.0
no-route = 144.0.0.0/255.248.0.0
no-route = 144.12.0.0/255.255.0.0
no-route = 144.48.0.0/255.248.0.0
no-route = 144.123.0.0/255.255.0.0
no-route = 144.255.0.0/255.255.0.0
no-route = 146.196.0.0/255.255.128.0
no-route = 150.0.0.0/255.255.0.0
no-route = 150.96.0.0/255.224.0.0
no-route = 150.128.0.0/255.240.0.0
no-route = 150.192.0.0/255.192.0.0
no-route = 152.104.128.0/255.255.128.0
no-route = 153.0.0.0/255.192.0.0
no-route = 153.96.0.0/255.224.0.0
no-route = 157.0.0.0/255.255.0.0
no-route = 157.18.0.0/255.255.0.0
no-route = 157.61.0.0/255.255.0.0
no-route = 157.112.0.0/255.240.0.0
no-route = 157.144.0.0/255.240.0.0
no-route = 157.255.0.0/255.255.0.0
no-route = 159.226.0.0/255.255.0.0
no-route = 160.19.0.0/255.255.0.0
no-route = 160.20.48.0/255.255.252.0
no-route = 160.202.0.0/255.255.0.0
no-route = 160.238.64.0/255.255.252.0
no-route = 161.207.0.0/255.255.0.0
no-route = 162.105.0.0/255.255.0.0
no-route = 163.0.0.0/255.192.0.0
no-route = 163.96.0.0/255.224.0.0
no-route = 163.128.0.0/255.192.0.0
no-route = 163.192.0.0/255.224.0.0
no-route = 164.52.0.0/255.255.128.0
no-route = 166.111.0.0/255.255.0.0
no-route = 167.139.0.0/255.255.0.0
no-route = 167.189.0.0/255.255.0.0
no-route = 167.220.244.0/255.255.252.0
no-route = 168.160.0.0/255.255.0.0
no-route = 170.179.0.0/255.255.0.0
no-route = 171.0.0.0/255.128.0.0
no-route = 171.192.0.0/255.224.0.0
no-route = 175.0.0.0/255.128.0.0
no-route = 175.128.0.0/255.192.0.0
no-route = 180.64.0.0/255.192.0.0
no-route = 180.128.0.0/255.128.0.0
no-route = 182.0.0.0/255.0.0.0
no-route = 183.0.0.0/255.192.0.0
no-route = 183.64.0.0/255.224.0.0
no-route = 183.128.0.0/255.128.0.0
no-route = 192.124.154.0/255.255.255.0
no-route = 192.140.128.0/255.255.128.0
no-route = 195.78.82.0/255.255.254.0
no-route = 202.0.0.0/255.128.0.0
no-route = 202.128.0.0/255.192.0.0
no-route = 202.192.0.0/255.224.0.0
no-route = 203.0.0.0/255.0.0.0
no-route = 210.0.0.0/255.192.0.0
no-route = 210.64.0.0/255.224.0.0
no-route = 210.160.0.0/255.224.0.0
no-route = 210.192.0.0/255.224.0.0
no-route = 211.64.0.0/255.248.0.0
no-route = 211.80.0.0/255.240.0.0
no-route = 211.96.0.0/255.248.0.0
no-route = 211.136.0.0/255.248.0.0
no-route = 211.144.0.0/255.240.0.0
no-route = 211.160.0.0/255.248.0.0
no-route = 216.250.108.0/255.255.252.0
no-route = 218.0.0.0/255.128.0.0
no-route = 218.160.0.0/255.224.0.0
no-route = 218.192.0.0/255.192.0.0
no-route = 219.64.0.0/255.224.0.0
no-route = 219.128.0.0/255.224.0.0
no-route = 219.192.0.0/255.192.0.0
no-route = 220.96.0.0/255.224.0.0
no-route = 220.128.0.0/255.128.0.0
no-route = 221.0.0.0/255.224.0.0
no-route = 221.96.0.0/255.224.0.0
no-route = 221.128.0.0/255.128.0.0
no-route = 222.0.0.0/255.0.0.0
no-route = 223.0.0.0/255.224.0.0
no-route = 223.64.0.0/255.192.0.0
no-route = 223.128.0.0/255.128.0.0
cisco-client-compat = true
dtls-legacy = true

https://zzongbh.github.io/c99fb8e8/

https://www.linuxbabe.com/redhat/openconnect-vpn-server-ocserv-centos-8

https://www.cnblogs.com/yueping/p/15842948.html

https://holmesian.org/linode-vps-centos-anyconnect

流量分流

no-route配置可能需要根据自己的局域网配置调整。此外，对于国内网段，设置no-route可以避免国内流量通过vpn降低访问效率

4.证书方式

配置文件

[root@openvpn anyconnect]$sed -e '/^#/d' /etc/ocserv/ocserv.conf | sed '/^$/d'
auth = "certificate"
tcp-port = 4333
udp-port = 4333
run-as-user = ocserv
run-as-group = ocserv
socket-file = ocserv.sock
chroot-dir = /var/lib/ocserv
isolate-workers = true
max-clients = 50
max-same-clients = 10
keepalive = 32400
dpd = 90
mobile-dpd = 1800
switch-to-tcp-timeout = 25
try-mtu-discovery = true
server-cert = /etc/ocserv/server-cert.pem
server-key = /etc/ocserv/server-key.pem
ca-cert = /etc/ocserv/ca-cert.pem
cert-user-oid = 2.5.4.3
tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-VERS-SSL3.0"
auth-timeout = 240
min-reauth-time = 300
max-ban-score = 50
ban-reset-time = 300
cookie-timeout = 300
deny-roaming = false
rekey-time = 172800
rekey-method = ssl
use-occtl = true
pid-file = /var/run/ocserv.pid
device = vpns
predictable-ips = true
default-domain = example.com
ipv4-network = 10.0.81.0
ipv4-netmask = 255.255.255.0
dns = 114.114.114.114
ping-leases = false
route = 10.0.0.0/255.255.255.0
cisco-client-compat = true
dtls-legacy = true
user-profile = profile.xml

[root@openvpn anyconnect]$sed -e '/^#/d' /etc/ocserv/ocserv.conf | sed '/^$/d'
auth = "certificate"
tcp-port = 4333
udp-port = 4333
run-as-user = ocserv
run-as-group = ocserv
socket-file = ocserv.sock
chroot-dir = /var/lib/ocserv
isolate-workers = true
max-clients = 50
max-same-clients = 10
keepalive = 32400
dpd = 90
mobile-dpd = 1800
switch-to-tcp-timeout = 25
try-mtu-discovery = true
server-cert = /etc/ocserv/server-cert.pem
server-key = /etc/ocserv/server-key.pem
ca-cert = /etc/ocserv/ca-cert.pem
cert-user-oid = 2.5.4.3
tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-VERS-SSL3.0"
auth-timeout = 240
min-reauth-time = 300
max-ban-score = 50
ban-reset-time = 300
cookie-timeout = 300
deny-roaming = false
rekey-time = 172800
rekey-method = ssl
use-occtl = true
pid-file = /var/run/ocserv.pid
device = vpns
predictable-ips = true
default-domain = example.com
ipv4-network = 10.0.81.0
ipv4-netmask = 255.255.255.0
dns = 114.114.114.114
ping-leases = false
route = 10.0.0.0/255.255.255.0
cisco-client-compat = true
dtls-legacy = true
user-profile = profile.xml

4.1创建客户端证书

[root@openvpn anyconnect]$vim gen-client.sh

#!/bin/bash

USER=$1
CA_DIR=$2
SERIAL=`date +%s`

#生成客户端key
certtool --generate-privkey --outfile $USER-key.pem

#生成证书模板文件
cat << _EOF_ >user.tmpl
cn = "$USER"
unit = "users"
serial = "$SERIAL"
expiration_days = 9999
signing_key
tls_www_client
_EOF_

#生成用户证书
certtool --generate-certificate --load-privkey $USER-key.pem --load-ca-certificate $CA_DIR/ca-cert.pem --load-ca-privkey $CA_DIR/ca-key.pem --template user.tmpl --outfile $USER-cert.pem

#将证书转换成p12格式,以便客户端导入证书
openssl pkcs12 -export -inkey $USER-key.pem -in $USER-cert.pem -name "$USER VPN Client Cert" -certfile $CA_DIR/ca-cert.pem -out $USER.p12

[root@openvpn anyconnect]$vim gen-client.sh

#!/bin/bash

USER=$1
CA_DIR=$2
SERIAL=`date +%s`

#生成客户端key
certtool --generate-privkey --outfile $USER-key.pem

#生成证书模板文件
cat << _EOF_ >user.tmpl
cn = "$USER"
unit = "users"
serial = "$SERIAL"
expiration_days = 9999
signing_key
tls_www_client
_EOF_

#生成用户证书
certtool --generate-certificate --load-privkey $USER-key.pem --load-ca-certificate $CA_DIR/ca-cert.pem --load-ca-privkey $CA_DIR/ca-key.pem --template user.tmpl --outfile $USER-cert.pem

#将证书转换成p12格式,以便客户端导入证书
openssl pkcs12 -export -inkey $USER-key.pem -in $USER-cert.pem -name "$USER VPN Client Cert" -certfile $CA_DIR/ca-cert.pem -out $USER.p12

官网使用的是certtool命令将证书转换成p12格式:

certtool --to-p12 --load-privkey user-key.pem --pkcs-cipher 3des-pkcs12 --load-certificate user-cert.pem --outfile user.p12 --outder

certtool --to-p12 --load-privkey user-key.pem --pkcs-cipher 3des-pkcs12 --load-certificate user-cert.pem --outfile user.p12 --outder

创建用户文件.例如给我创建一个客户端证书

[root@openvpn anyconnect]$ mkdir han
[root@openvpn anyconnect]$cd han

#脚本的$1参数表示创建的用户名,$2参数表示ca证书位置.
#按提示给证书设置一个密码(建议).也可以空密码(MAC电脑不支持导入空密码证书).
[root@openvpn han]$../gen-client-cert.sh han ..


#脚本执行完成后,在用户文件夹可以看到证书文件:
[root@openvpn han]$ll
total 20
-rw-r--r--. 1 root root 1176 Jul 10 22:47 han-cert.pem
-rw-------. 1 root root 5826 Jul 10 22:47 han-key.pem
-rw-r--r--. 1 root root 3376 Jul 10 22:47 han.p12
-rw-r--r--. 1 root root  104 Jul 10 22:47 user.tmpl

[root@openvpn anyconnect]$ mkdir han
[root@openvpn anyconnect]$cd han

#脚本的$1参数表示创建的用户名,$2参数表示ca证书位置.
#按提示给证书设置一个密码(建议).也可以空密码(MAC电脑不支持导入空密码证书).
[root@openvpn han]$../gen-client-cert.sh han ..


#脚本执行完成后,在用户文件夹可以看到证书文件:
[root@openvpn han]$ll
total 20
-rw-r--r--. 1 root root 1176 Jul 10 22:47 han-cert.pem
-rw-------. 1 root root 5826 Jul 10 22:47 han-key.pem
-rw-r--r--. 1 root root 3376 Jul 10 22:47 han.p12
-rw-r--r--. 1 root root  104 Jul 10 22:47 user.tmpl

由于你的证书是自己签发，所以请在anyconnect软件关闭阻止不受信任的服务器选项

5.密码方式

[root@openvpn ocserv]$vim ocserv.conf

#注释证书认证方面的配置
#auth = "certificate"
#ca-cert = /etc/ocserv/ca-cert.pem

#开启密码认证.passwd指定ocpasswd文件路径
auth = "plain[passwd=/etc/ocserv/ocpasswd]"

[root@openvpn ocserv]$vim ocserv.conf

#注释证书认证方面的配置
#auth = "certificate"
#ca-cert = /etc/ocserv/ca-cert.pem

#开启密码认证.passwd指定ocpasswd文件路径
auth = "plain[passwd=/etc/ocserv/ocpasswd]"

其他方面配置和证书验证差不多.重启ocserv服务后,客户端就可以通过用户密码登录VPN

6.证书和密码认证

ocserv在登录认证方面功能非常强大也很人性化.可以同时支持多种认证方式.

比如我们想要同时使用密码或者证书登录

#开启首选验证机制为密码认证

#auth = "pam"
#auth = "pam[gid-min=1000]"
auth = "plain[passwd=/etc/ocserv/ocpasswd]"
#auth = "certificate"
#auth = "radius[config=/etc/radiusclient/radiusclient.conf,groupconfig=true]"

# 开启证书备用认证"enable-auth"

# Specify alternative authentication methods that are sufficient
# for authentication. That is, if set, any of the methods enabled
# will be sufficient to login, irrespective of the main 'auth' entries.
# When multiple options are present, they are OR composed (any of them
# succeeding allows login).
enable-auth = "certificate"

#配置文件其他参数无需修改

#开启首选验证机制为密码认证

#auth = "pam"
#auth = "pam[gid-min=1000]"
auth = "plain[passwd=/etc/ocserv/ocpasswd]"
#auth = "certificate"
#auth = "radius[config=/etc/radiusclient/radiusclient.conf,groupconfig=true]"

# 开启证书备用认证"enable-auth"

# Specify alternative authentication methods that are sufficient
# for authentication. That is, if set, any of the methods enabled
# will be sufficient to login, irrespective of the main 'auth' entries.
# When multiple options are present, they are OR composed (any of them
# succeeding allows login).
enable-auth = "certificate"

#配置文件其他参数无需修改

重启ocserv服务后,客户端在没有证书的情况下会要求输入用户密码登录VPN.如果有导入证书的情况下,不会要求输入用户密码.

7.客户端证书注销/账户

删除一个账户.密码

#ocpasswd命令提供了delete选项删除用户

[root@openvpn anyconnect]$ocpasswd --help
ocpasswd - OpenConnect server password utility
Usage:  ocpasswd [ -<flag> [<val>] | --<name>[{=| }<val>] ]... [username]

   -c, --passwd=file          Password file
   -g, --groupname=str        User's group name
   -d, --delete               Delete user
   -l, --lock                 Lock user
   -u, --unlock               Unlock user
   -v, --version              output version information and exit
   -h, --help                 display extended usage information and exit

# 删除我的账户

[root@openvpn anyconnect]$ocpasswd -c /etc/ocserv/ocpasswd -d han

#ocpasswd命令提供了delete选项删除用户

[root@openvpn anyconnect]$ocpasswd --help
ocpasswd - OpenConnect server password utility
Usage:  ocpasswd [ -<flag> [<val>] | --<name>[{=| }<val>] ]... [username]

   -c, --passwd=file          Password file
   -g, --groupname=str        User's group name
   -d, --delete               Delete user
   -l, --lock                 Lock user
   -u, --unlock               Unlock user
   -v, --version              output version information and exit
   -h, --help                 display extended usage information and exit

# 删除我的账户

[root@openvpn anyconnect]$ocpasswd -c /etc/ocserv/ocpasswd -d han

注销客户端证书

1.生成crl.tmpl模板文件

[root@openvpn anyconnect]$cat << _EOF_ >crl.tmpl
crl_next_update = 365
crl_number = 1
_EOF_

[root@openvpn anyconnect]$cat crl.tmpl
crl_next_update = 365
crl_number = 1

[root@openvpn anyconnect]$cat << _EOF_ >crl.tmpl
crl_next_update = 365
crl_number = 1
_EOF_

[root@openvpn anyconnect]$cat crl.tmpl
crl_next_update = 365
crl_number = 1

2.将要注销的证书文件拷贝一份到revoked.pem文件

[root@openvpn anyconnect]$cat huangyong/huangyong-cert.pem >> revoked.pem

[root@openvpn anyconnect]$cat huangyong/huangyong-cert.pem >> revoked.pem

3.生成crl.pem文件

certtool --generate-crl --load-ca-privkey ca-key.pem \
           --load-ca-certificate ca-cert.pem --load-certificate revoked.pem \
           --template crl.tmpl --outfile crl.pem

certtool --generate-crl --load-ca-privkey ca-key.pem \
           --load-ca-certificate ca-cert.pem --load-certificate revoked.pem \
           --template crl.tmpl --outfile crl.pem

4.修改配置文件

[root@openvpn anyconnect]$vim /etc/ocserv/ocserv.conf

#开启crl参数,并且制定crl.pem文件的路径
crl = /etc/anyconnect/crl.pem

[root@openvpn anyconnect]$vim /etc/ocserv/ocserv.conf

#开启crl参数,并且制定crl.pem文件的路径
crl = /etc/anyconnect/crl.pem

5.重启ocserv服务

8.配合DNSmasq

dnsmasq: DNS request timed out for machines in local network ，原来必须显式地设置 listen-address 监听接口，DNSmasq才会对外部客户端请求响应，否则只有本机（估计DNSmasq代码中检查客户端IP来判断是否是本机IP进行过滤）才提供服务，虽然端口已经监听

修改VPN服务器上 /etc/dnsmasq.conf 配置，添加

bash

listen-address=192.168.101.1
listen-address=VPN_SERVER_IP

listen-address=192.168.101.1
listen-address=VPN_SERVER_IP

然后重启dnsmasq就可以正常解析。

为了安全起见，实际我是只监听tun接口提供服务，这样只有VPN客户端可以访问DNS

9.密码文件+二次认证

文档，https://ocserv.gitlab.io/www/recipes-ocserv-2fa.html

https://github.com/archiecobbs/mod-authn-otp/wiki/UsersFile

Since version 0.10.9 it is possible to use ocserv’s password file for 2FA. It requires ocserv to be compiled with liboath

9.1创建otp文件

bash

echo "HOTP/T30 han - $(head -c 16 /dev/urandom |xxd -c 256 -ps)" >> /etc/ocserv/users.oath


#查看users.oath文件
cat users.oath 
HOTP/T30 han - d3856253575278b553d7e2217263e6ae

#install 
apt install oathtool

oathtool --totp -w 5 d3856253575278b553d7e2217263e6ae
625845
466831
507674
845042
611568
079778

#生成密钥，生成二维码 一般的otp工具可以进行扫描添加或者手动输入秘钥添加，这里进行二维码生成后便于直接扫描添加 使用以下命令将KEY转换为base32(在0x后面一样记得替换自己的KEY)
echo 0xd3856253575278b553d7e2217263e6ae | xxd -r -c 256 | base32
2OCWEU2XKJ4LKU6X4IQXEY7GVY======

#qrencode创建一个二维码
sudo apt-get install qrencode -y
echo "otpauth://totp/kay@example.com?secret=2OCWEU2XKJ4LKU6X4IQXEY7GVY&issuer=OpenConnect" | qrencode -o - -t UTF8

echo "HOTP/T30 han - $(head -c 16 /dev/urandom |xxd -c 256 -ps)" >> /etc/ocserv/users.oath


#查看users.oath文件
cat users.oath 
HOTP/T30 han - d3856253575278b553d7e2217263e6ae

#install 
apt install oathtool

oathtool --totp -w 5 d3856253575278b553d7e2217263e6ae
625845
466831
507674
845042
611568
079778

#生成密钥，生成二维码 一般的otp工具可以进行扫描添加或者手动输入秘钥添加，这里进行二维码生成后便于直接扫描添加 使用以下命令将KEY转换为base32(在0x后面一样记得替换自己的KEY)
echo 0xd3856253575278b553d7e2217263e6ae | xxd -r -c 256 | base32
2OCWEU2XKJ4LKU6X4IQXEY7GVY======

#qrencode创建一个二维码
sudo apt-get install qrencode -y
echo "otpauth://totp/kay@example.com?secret=2OCWEU2XKJ4LKU6X4IQXEY7GVY&issuer=OpenConnect" | qrencode -o - -t UTF8

9.2ocserv配置

bash

auth = "plain[passwd=/etc/ocserv/passwd,otp=/etc/ocserv/users.oath]"

auth = "plain[passwd=/etc/ocserv/passwd,otp=/etc/ocserv/users.oath]"

10.限速

1）为userA新建配置文件

text

        # vi /usr/local/ocserv/etc/config-per-user/userA

        # vi /usr/local/ocserv/etc/config-per-user/userA

在上述文件添加下述信息：

text

        route = 192.168.11.0/24 #局部路由，userA需要路由的IP或者IP段
        rx-data-per-sec = 2000000 #实现接收限速配置
        tx-data-per-sec = 2000000  #实现发送限速配置

        route = 192.168.11.0/24 #局部路由，userA需要路由的IP或者IP段
        rx-data-per-sec = 2000000 #实现接收限速配置
        tx-data-per-sec = 2000000  #实现发送限速配置

（2）修改ocserv的配置文件sample.conf

text

        # vi /usr/local/ocserv/etc/sample.conf

        # vi /usr/local/ocserv/etc/sample.conf

在sample.conf配置文件中添加以下配置：

text

        config-per-user = /usr/local/ocserv/etc/config-per-user/

        config-per-user = /usr/local/ocserv/etc/config-per-user/

3-Docker

1.安装

4-Containerd

5-Swarm

6-KVM

2-资源对象

2-Pod

3-Deployment

4-Service

3-存储

1- 存储卷概念

2-NFS

备份

4-网络

OpenELB

6-安装

2.kubeadm安装

8-备份

9-常用操作

10-Yaml配置

12-CICD

13-Ingress

1-Ingress_nginx

2-Higress

14-云k8s

15-Kubernetes故障排查

1-Go

2-Go框架

3-Go编译

5-Go文档

6-Go日志

7-Web前端开发

4-vue

5-vue架构

FAQ

1-PG

0-体系结构

1-插件安装

2-安装

3-基础

4-用户管理

5-集群

6-备份和恢复

7-监控

8-优化

9-FAQ

4-Mongodb

1-安装

3-DDL

4-备份管理

5-集群管理

5-MQ

4-备份

5-集群

6-监控

6-Etcd

0-原理

1-DDL

2-用户管理

3-备份

4-集群

1-nginx

2-ssl证书

3-proxy

1-Service

2-DNS

3-VPN

4-Git

5-Gitlab

7-Ansible

9-GateWay

10-Storage

1-Minio

2-ZFS

11-Monitor

12-Logs

1-vector

13-环境变量

CMD

1-aliCloud

0.安装

Anyconnect特点

检查PPP/TUN环境

连接

win：

配置ocserv

配置文件解析

优化

1.命令操作

1.1管理命令

1.2用户管理

2.ubuntu18.04

3.线上配置文件

流量分流

4.证书方式

4.1创建客户端证书

5.密码方式

6.证书和密码认证

7.客户端证书注销/账户

删除一个账户.密码

注销客户端证书

1.生成crl.tmpl模板文件

8.配合DNSmasq

9.密码文件+二次认证

9.1创建otp文件

9.2ocserv配置

10.限速