CentOS6.5 install ocserv


1. Compile nettle
Install gmp:
yum install gmp-devel gmp
wget http://ftp.gnu.org/gnu/nettle/nettle-2.7.1.tar.gz
tar zxf nettle-2.7.1.tar.gz && cd nettle-2.7.1
./configure --prefix=/usr && make
make install &&
chmod -v 755 /usr/lib/libhogweed.so.2.5 /usr/lib/libnettle.so.4.7 &&
install -v -m755 -d /usr/share/doc/nettle-2.7.1 &&
install -v -m644 nettle.html /usr/share/doc/nettle-2.7.1

2. Compile unbound
Install expat-devel:
yum install expat-devel
wget http://unbound.nlnetlabs.nl/downloads/unbound-1.4.22.tar.gz
tar zxf unbound-1.4.22.tar.gz && cd unbound-1.4.22
./configure && make install
mkdir -p /etc/unbound && unbound-anchor -a "/etc/unbound/root.key"

3. Compile gnutls
wget ftp://ftp.gnutls.org/gcrypt/gnutls/v3.2/gnutls-3.2.12.1.tar.xz
xz -c -d gnutls-3.2.12.1.tar.xz | tar x
cd gnutls-3.2.12
./configure --prefix=/usr && make install

4. Compile ocserv
wget ftp://ftp.infradead.org/pub/ocserv/ocserv-0.3.2.tar.xz
xz -c -d ocserv-0.3.2.tar.xz | tar x
cd ocserv-0.3.2
./configure && make install
If nettle and gnutls were installed under /usr/local, export the following variables before running ./configure so the build finds the libraries; add the same commands to the system startup scripts so the runtime library path is set as well.
32-bit:
export LD_LIBRARY_PATH=/usr/local/lib/:/usr/local/lib64/ NETTLE_CFLAGS="-I/usr/local/include/" NETTLE_LIBS="-L/usr/local/lib64/ -lnettle" HOGWEED_CFLAGS="-I/usr/local/include" HOGWEED_LIBS="-L/usr/local/lib64/ -lhogweed"
export LD_LIBRARY_PATH=/usr/local/lib/:/usr/local/lib64/ LIBGNUTLS_CFLAGS="-I/usr/local/include/" LIBGNUTLS_LIBS="-L/usr/local/lib/ -lgnutls" LIBNL3_CFLAGS="-I/usr/local/include" LIBNL3_LIBS="-L/usr/local/lib/ -lnl-3 -lnl-route-3"

64-bit:
export LD_LIBRARY_PATH=/usr/lib/:/usr/lib64/ NETTLE_CFLAGS="-I/usr/include/" NETTLE_LIBS="-L/usr/lib64/ -lnettle" HOGWEED_CFLAGS="-I/usr/include" HOGWEED_LIBS="-L/usr/lib64/ -lhogweed"
export LD_LIBRARY_PATH=/usr/lib/:/usr/lib64/ LIBGNUTLS_CFLAGS="-I/usr/include/" LIBGNUTLS_LIBS="-L/usr/lib/ -lgnutls" LIBNL3_CFLAGS="-I/usr/include" LIBNL3_LIBS="-L/usr/lib/ -lnl-3 -lnl-route-3"

5. Configure ocserv
Create the CA certificate and the server certificate (see http://www.infradead.org/ocserv/manual.html#heading5):
certtool --generate-privkey --outfile ca-key.pem
cat << _EOF_ > ca.tmpl
cn = "stunnel.info VPN"
organization = "stunnel.info"
serial = 1
expiration_days = 365
ca
signing_key
cert_signing_key
crl_signing_key
_EOF_
certtool --generate-self-signed --load-privkey ca-key.pem --template ca.tmpl --outfile ca-cert.pem

certtool --generate-privkey --outfile server-key.pem
cat << _EOF_ > server.tmpl
cn = "stunnel.info VPN"
o = "stunnel"
serial = 2
expiration_days = 365
signing_key
encryption_key # only if the generated key is an RSA one
tls_www_server
_EOF_
certtool --generate-certificate --load-privkey server-key.pem --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem --template server.tmpl --outfile server-cert.pem

Copy the server certificate and key into the ocserv configuration directory:
mkdir -p /usr/local/etc/ocserv/; cp server-cert.pem /usr/local/etc/ocserv/ && cp server-key.pem /usr/local/etc/ocserv/
Copy the sample configuration file:
cp doc/sample.config /usr/local/etc/ocserv/ocserv.conf
Edit the configuration file:
vim /usr/local/etc/ocserv/ocserv.conf

Modify the following settings:
auth = "plain[/usr/local/etc/ocserv/.passwd]"
# ocserv supports several authentication methods; this one is the built-in password authentication. Use ocpasswd to create the password file.
# ocserv also supports certificate authentication, and RADIUS and other methods through Pluggable Authentication Modules (PAM).
server-cert = /usr/local/etc/ocserv/server-cert.pem
server-key = /usr/local/etc/ocserv/server-key.pem
# Paths of the server certificate and key
max-same-clients = 10
# Maximum number of simultaneous logins for a single user
run-as-group = nobody
ipv4-network = 192.168.10.0
# IP address segment allocated to VPN clients
dns = 8.8.8.8
dns = 8.8.4.4
# route = 192.168.1.0/255.255.255.0
# route = 192.168.5.0/255.255.255.0
# Comment out these two lines. If no route parameter is set, all client traffic goes through the VPN.
# ocserv can push a routing table to the client; for example, you can control whether the company's intranet IP segments and foreign IP addresses go through the VPN.
# default-domain = example.com
# Comment out this line.

Create the user file for authentication (replace username with the account to add):
ocpasswd -c /usr/local/etc/ocserv/.passwd username

Modify the system configuration to allow IP forwarding and NAT for the VPN subnet.
Change the NIC interface name to the corresponding interface on your server.
sed -i 's/net.ipv4.ip_forward = 0/net.ipv4.ip_forward = 1/g' /etc/sysctl.conf
sysctl -p
iptables -t nat -A POSTROUTING -s 192.168.10.0/24 -o venet0 -j MASQUERADE
iptables -A FORWARD -s 192.168.10.0/24 -j ACCEPT
# Adjust the IP address segment and the venet0 interface to your own setup.

Finally, run the service:
/usr/local/sbin/ocserv -c /usr/local/etc/ocserv/ocserv.conf
Install Cisco AnyConnect on iOS to connect to the server.
Cisco AnyConnect (root required) is also available on Android, but there are too many options for Android; we recommend Shadowsocks.
Windows and macOS also have official Cisco clients.
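Once the server is configured, it is worth verifying the pieces that matter most: that the ocpasswd file and server-key.pem are readable only by their owner, that the config actually points at the files you created, and that forwarding and the MASQUERADE rule are in place. The following check script is an added example, not part of the original guide or the ocserv project; the config keys are real ocserv.conf keys, while the check functions and the paths passed to them are hypothetical.

```shell
#!/bin/sh
# Added example, not part of the original guide: a post-install sanity check for the ocserv
# setup above. The config keys (auth, server-cert, server-key, ipv4-network) are real
# ocserv.conf keys; the check functions and the paths they are given are hypothetical.

# Print the value of a key from an ocserv.conf, ignoring comment lines; empty if unset.
ocserv_conf_get() {  # $1 = conf file, $2 = key
    sed -n 's/^[[:space:]]*'"$2"'[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1
}

# Succeed only if the file exists and group/other have no permission bits at all.
owner_only() {  # $1 = path
    [ -f "$1" ] && [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Check the settings the guide edits. Findings go to stderr; returns 0 only if all pass.
check_ocserv_conf() {  # $1 = conf file
    conf=$1; rc=0
    auth=$(ocserv_conf_get "$conf" auth)
    case "$auth" in
        '') echo "auth is not set" >&2; rc=1 ;;
        *plain\[*)  # "plain[/path/.passwd]": the ocpasswd file holds password hashes
            pw=$(printf '%s\n' "$auth" | sed 's/.*\[\([^]]*\)\].*/\1/')
            owner_only "$pw" || { echo "password file $pw missing or readable by others" >&2; rc=1; } ;;
    esac
    key=$(ocserv_conf_get "$conf" server-key)
    owner_only "$key" || { echo "server-key $key missing or readable by others" >&2; rc=1; }
    cert=$(ocserv_conf_get "$conf" server-cert)
    [ -f "$cert" ] || { echo "server-cert $cert missing" >&2; rc=1; }
    net=$(ocserv_conf_get "$conf" ipv4-network)
    [ -n "$net" ] || { echo "ipv4-network is not set" >&2; rc=1; }
    return $rc
}

# Check captured kernel and NAT state so clients in the VPN subnet can actually reach out.
# $1 = output of `sysctl net.ipv4.ip_forward`, $2 = output of `iptables -t nat -S POSTROUTING`,
# $3 = VPN subnet in CIDR form (the guide uses 192.168.10.0/24).
check_forwarding() {
    case "$1" in *"= 1"*) ;; *) echo "net.ipv4.ip_forward is not 1" >&2; return 1 ;; esac
    printf '%s\n' "$2" | grep -q -- "-s $3 .*-j MASQUERADE" \
        || { echo "no MASQUERADE rule for $3" >&2; return 1; }
}

# Usage (as root on the server):
#   check_ocserv_conf /usr/local/etc/ocserv/ocserv.conf
#   check_forwarding "$(sysctl net.ipv4.ip_forward)" "$(iptables -t nat -S POSTROUTING)" 192.168.10.0/24
```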

References:
http://www.infradead.org/ocserv/manual.html
http://ttz.im/blog/2014/02/1131
http://www.cisco.com/web/CN/solutions/trends/byod_smart_solution/pdf/at_a_glance_c45_578609.pdf
http://botu.me/entry/install-ocserv-on-centos6.html
