Building and configuring ocserv (OpenConnect server) on Debian

Source: Internet
Author: User

Why ocserv? Because ocserv is somewhat simpler to configure. When there is time I will also put together information on other setups. Before installing and configuring, a little background first.
Ocserv introduction
Official introduction: http://www.infradead.org/ocserv/index.html
OpenConnect VPN server, ocserv for short, is a VPN server for GNU/Linux that implements the AnyConnect SSL VPN protocol and is compatible with OpenConnect VPN clients. Its goal is to be a compact, secure and configurable VPN server that relies on standard protocols such as TLS 1.2 and Datagram TLS (DTLS); the AnyConnect SSL VPN protocol is the closest protocol that meets this standard.
Ocserv environment
ocserv uses GnuTLS as its TLS library and needs a newer GnuTLS (the 3.x series) than Debian wheezy ships, so we install it from wheezy-backports. Details below.
Add the backports source
Shell

echo "deb http://ftp.debian.org/debian wheezy-backports main contrib non-free" >> /etc/apt/sources.list
Update the package lists
Shell

apt-get update && apt-get upgrade -y
Install the dependencies
Shell

apt-get -t wheezy-backports install gnutls-bin libgnutls28-dev libseccomp-dev -y
apt-get install openssl autogen gperf pkg-config make gcc m4 build-essential libgmp3-dev libwrap0-dev libpam0g-dev libdbus-1-dev libnl-route-3-dev libopts25-dev libnl-nf-3-dev libreadline-dev libpcl1-dev
Compiling ocserv
Download the source and compile ocserv. At the time of writing the latest official release is 0.10.9, released October 30.
Shell

wget ftp://ftp.infradead.org/pub/ocserv/ocserv-0.10.9.tar.xz
tar Jxvf ocserv-0.10.9.tar.xz
cd ocserv-0.10.9
./configure --prefix=/usr --sysconfdir=/etc --enable-static
make && make install
Because the official site is often unreachable, this blog provides a mirror of the source (refreshed every 12 hours):
Shell

wget --no-check-certificate https://ussoft.111cn.net/server/ocserv/ocserv-0.10.9.tar.xz
tar Jxvf ocserv-0.10.9.tar.xz
cd ocserv-0.10.9
./configure --prefix=/usr --sysconfdir=/etc --enable-static
make && make install
Note that --no-check-certificate disables TLS certificate verification for the mirror, and the result is compiled and installed as root, so compare the archive against the checksum or signature published upstream before building it.
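Since the mirror is fetched with certificate checking switched off, the one thing worth automating here is refusing to unpack an archive whose digest does not match a value obtained out of band. The script below is an added example, not code from the tutorial or from the ocserv project; the digest on the usage line is a placeholder and the mirror URL is the one from the tutorial.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: download the ocserv tarball
# with certificate checking left ON and refuse to use it unless its SHA-256
# digest matches a value obtained out of band (from upstream, not the mirror).
# The digest on the usage line is a placeholder you must replace.
set -eu

# sha256_of FILE: print the hex SHA-256 digest (coreutils, or BSD fallback)
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d ' ' -f 1
    else
        shasum -a 256 "$1" | cut -d ' ' -f 1
    fi
}

# verify_sha256 FILE EXPECTED_HEX: return 0 on match, 1 on mismatch
verify_sha256() {
    actual=$(sha256_of "$1")
    if [ "$actual" = "$2" ]; then
        return 0
    fi
    echo "digest mismatch for $1: got $actual, expected $2" >&2
    return 1
}

# fetch_verified URL EXPECTED_HEX [OUTFILE]: download, verify, and delete the
# file on mismatch so that a later tar step cannot unpack a tampered archive.
fetch_verified() {
    out="${3:-$(basename "$1")}"
    wget -O "$out" "$1"
    if ! verify_sha256 "$out" "$2"; then
        rm -f "$out"
        return 1
    fi
}

# Usage (placeholder digest; take the real value from upstream, and where
# upstream publishes a detached GPG signature, verify that instead):
# fetch_verified https://ussoft.111cn.net/server/ocserv/ocserv-0.10.9.tar.xz \
#     0000000000000000000000000000000000000000000000000000000000000000 \
#   && tar Jxvf ocserv-0.10.9.tar.xz
```

The digest must come from somewhere the mirror cannot influence; a checksum file served by the same mirror over the same unverified connection proves nothing.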
Create the certificates / templates
First create the certificate files. I prefer to keep them together in one place, otherwise they are hard to find later.
3.1 Create a folder
Shell

mkdir cert
cd cert
3.2.1 Create the CA certificate
Create the ca.tmpl file
Shell

vim ca.tmpl
Add the following:
Vim

cn = "BXL"
organization = "BXL Me"
serial = 1
expiration_days = 3650
ca
signing_key
cert_signing_key
crl_signing_key
3.2.2 Generate the CA key and certificate
Shell

certtool --generate-privkey --outfile ca-key.pem
certtool --generate-self-signed --load-privkey ca-key.pem --template ca.tmpl --outfile ca-cert.pem
3.3.1 Create the server certificate
Create the server.tmpl file
Shell

vim server.tmpl
Add the following. Note: replace www.111cn.net with your server's IP address or domain name, exactly as clients will connect to it.
Vim

cn = "www.111cn.net"
organization = "BXL Me"
serial = 2
expiration_days = 3650
encryption_key
signing_key
tls_www_server
3.3.2 Generate the server key and certificate
Shell

certtool --generate-privkey --outfile server-key.pem
certtool --generate-certificate --load-privkey server-key.pem --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem --template server.tmpl --outfile server-cert.pem
Certificate generation is now complete. Because the certificate is issued by our own CA, clients will warn that it is untrusted. Using a certificate from a public CA instead is covered in a later supplement.
Next, put the certificate files somewhere permanent. Create a few directories for later use.
Shell

mkdir /etc/ssl/selfsigned
mkdir /etc/ssl/selfsigned/certs
mkdir /etc/ssl/selfsigned/private
cp ca-cert.pem /etc/ssl/selfsigned/certs
cp ca-key.pem /etc/ssl/selfsigned/private
cp server-cert.pem /etc/ssl/selfsigned/certs
cp server-key.pem /etc/ssl/selfsigned/private
The private directory holds the CA key and the server key; make sure it and the key files are readable by root only.
With the certificates in place, we can start on the configuration.
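The certificate steps above, collected into one script so that the templates, the certtool calls, the copy into /etc/ssl/selfsigned and the key permissions cannot drift apart. This is an added example, not the tutorial's own commands or anything shipped with ocserv; it assumes GnuTLS 3.x certtool, and "vpn.example.com" on the usage line is a placeholder for your own host name or IP. It goes one step beyond the tutorial's server.tmpl by also writing a subjectAltName (dns_name or ip_address), which clients check in addition to the CN, and it verifies that the server certificate chains to the CA before installing anything.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: the CA and server
# certificate steps as one script, plus installation with restrictive key
# permissions and a chain check. "vpn.example.com" is a placeholder host.
set -eu

# write_templates DIR HOST: write ca.tmpl and server.tmpl into DIR.
# Beyond the tutorial's server.tmpl this also sets a subjectAltName
# (dns_name or ip_address), which clients check in addition to the CN.
write_templates() {
    dir="$1"; host="$2"
    cat > "$dir/ca.tmpl" <<EOF
cn = "BXL"
organization = "BXL Me"
serial = 1
expiration_days = 3650
ca
signing_key
cert_signing_key
crl_signing_key
EOF
    # a value made only of digits and dots is treated as an IPv4 address
    case "$host" in
        *[!0-9.]*) san="dns_name = \"$host\"" ;;
        *)         san="ip_address = \"$host\"" ;;
    esac
    cat > "$dir/server.tmpl" <<EOF
cn = "$host"
organization = "BXL Me"
serial = 2
expiration_days = 3650
$san
encryption_key
signing_key
tls_www_server
EOF
}

# gen_pki DIR: run certtool as in the tutorial, then verify that the server
# certificate really chains to the CA (GnuTLS 3.x certtool).
gen_pki() {
    dir="$1"
    certtool --generate-privkey --outfile "$dir/ca-key.pem"
    certtool --generate-self-signed --load-privkey "$dir/ca-key.pem" \
        --template "$dir/ca.tmpl" --outfile "$dir/ca-cert.pem"
    certtool --generate-privkey --outfile "$dir/server-key.pem"
    certtool --generate-certificate --load-privkey "$dir/server-key.pem" \
        --load-ca-certificate "$dir/ca-cert.pem" --load-ca-privkey "$dir/ca-key.pem" \
        --template "$dir/server.tmpl" --outfile "$dir/server-cert.pem"
    certtool --verify --load-ca-certificate "$dir/ca-cert.pem" --infile "$dir/server-cert.pem"
}

# install_pki SRC DEST: copy into DEST/certs and DEST/private (the tutorial's
# /etc/ssl/selfsigned layout) and make the keys readable by root only.
# The tutorial copies the CA key here too; it is only needed to sign further
# certificates and can be kept somewhere safer.
install_pki() {
    src="$1"; dest="$2"
    mkdir -p "$dest/certs" "$dest/private"
    cp "$src/ca-cert.pem" "$src/server-cert.pem" "$dest/certs/"
    cp "$src/ca-key.pem" "$src/server-key.pem" "$dest/private/"
    chmod 755 "$dest/certs"
    chmod 644 "$dest/certs"/*.pem
    chmod 700 "$dest/private"
    chmod 600 "$dest/private"/*.pem
}

# check_key_perms DEST: 0 if the private dir is 0700 and every key is 0600
check_key_perms() {
    dest="$1"
    [ -n "$(find "$dest/private" -maxdepth 0 -perm 700)" ] || return 1
    for k in "$dest"/private/*.pem; do
        [ -n "$(find "$k" -perm 600)" ] || return 1
    done
}

# Usage (as root): sh make-pki.sh vpn.example.com
if [ -n "${1:-}" ]; then
    work=$(mktemp -d)
    write_templates "$work" "$1"
    gen_pki "$work"
    install_pki "$work" /etc/ssl/selfsigned
    check_key_perms /etc/ssl/selfsigned
    echo "certificates installed under /etc/ssl/selfsigned"
fi
```

Running check_key_perms again after any later copy or restore from backup is a cheap way to notice a key that silently became world-readable.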

Ocserv configuration

Create the directory and copy the sample configuration file to /etc/ocserv. Here I keep a backup of the sample; you can also copy it straight to its final name.
Shell

mkdir /etc/ocserv
cp ~/ocserv-0.10.9/doc/sample.config /etc/ocserv/
cp /etc/ocserv/sample.config /etc/ocserv/ocserv.conf
Without a backup:
Shell

mkdir /etc/ocserv
cp ~/ocserv-0.10.9/doc/sample.config /etc/ocserv/ocserv.conf
Edit the configuration file
Shell

vim /etc/ocserv/ocserv.conf

Vim

# authentication method; here, username and password from a file
auth = "plain[/etc/ocserv/ocpasswd]"

# maximum number of simultaneously connected clients (16 is the sample.config default; 0 = unlimited)
max-clients = 16

# maximum number of concurrent sessions per user (0 = unlimited)
max-same-clients = 0

# IP address to listen on; replace with your server's address, or comment it out to listen on all addresses
listen-host = 1.2.3.4
# TCP/UDP ports to listen on (pick whatever you like; 443 blends in with HTTPS)
tcp-port = 443
udp-port = 443

# let ocserv tune the tunnel MTU automatically
try-mtu-discovery = true

# OID of the certificate field that holds the username when clients log in with certificates (2.5.4.3 = CN; used later)
cert-user-oid = 2.5.4.3

# server certificate and private key
server-cert = /etc/ssl/selfsigned/certs/server-cert.pem
server-key = /etc/ssl/selfsigned/private/server-key.pem

# DNS servers pushed to clients
dns = 8.8.8.8
dns = 8.8.4.4

# leave every route commented out so that all client traffic goes through the VPN server
#route = 192.168.1.0/255.255.255.0

# enable Cisco AnyConnect client compatibility
cisco-client-compat = true

For a description of each option see https://www.111cn.net/9203.html
If you change nothing else, you can download the finished configuration file directly:
Shell

cd /etc/ocserv
wget --no-check-certificate https://ussoft.111cn.net/server/ocserv/bxl-ocserv/0.10.9/ocserv.conf
As before, --no-check-certificate skips TLS verification of the mirror, so read through the downloaded file (at least auth, server-cert and server-key) before using it.
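Whether ocserv.conf was edited by hand or downloaded, the same few mistakes account for most failed starts and most accidental weakening. The script below is an added example, not part of the tutorial and not an ocserv tool: it parses the "key = value" lines the way the configuration above is written and checks that auth is set, that the password file named in plain[...] exists (ocpasswd creates it), that the certificate and key files exist, that the key is not readable by other users, and it points out max-same-clients = 0 and an unset listen-host. The file paths and values in the usage line are placeholders.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: a sanity check for the
# ocserv.conf built above. It is not an ocserv utility; it only reads the
# "key = value" lines and inspects the files they point at.
set -eu

# conf_get FILE KEY: print the value of the last "KEY = value" line, without
# surrounding quotes or a trailing "# comment"; prints nothing if KEY is unset
# (commented-out lines start with "#" and therefore never match).
conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
      | sed 's/[[:space:]]*#.*$//; s/[[:space:]]*$//; s/^"\(.*\)"$/\1/' \
      | tail -n 1
}

# check_ocserv_conf FILE: print findings; return 1 if any hard error was found
check_ocserv_conf() {
    conf="$1"; rc=0

    auth=$(conf_get "$conf" auth)
    if [ -z "$auth" ]; then
        echo "error: auth is not set"; rc=1
    fi
    case "$auth" in
        plain\[*\])
            # plain[/path] -> /path; ocpasswd creates this file
            pw=${auth#plain\[}; pw=${pw%\]}
            [ -f "$pw" ] || { echo "error: password file $pw missing (run ocpasswd)"; rc=1; }
            ;;
    esac

    cert=$(conf_get "$conf" server-cert)
    key=$(conf_get "$conf" server-key)
    [ -f "$cert" ] || { echo "error: server-cert '$cert' not found"; rc=1; }
    if [ ! -f "$key" ]; then
        echo "error: server-key '$key' not found"; rc=1
    elif [ -n "$(find "$key" \( -perm -g=r -o -perm -o=r \))" ]; then
        echo "error: server-key $key is readable by group or others (chmod 600)"; rc=1
    fi

    [ -n "$(conf_get "$conf" listen-host)" ] \
        || echo "note: listen-host not set, ocserv will bind to all addresses"
    [ "$(conf_get "$conf" max-same-clients)" != 0 ] \
        || echo "warning: max-same-clients = 0 lets one account hold unlimited sessions"

    return $rc
}

# Usage: sh check-ocserv-conf.sh /etc/ocserv/ocserv.conf
if [ -n "${1:-}" ]; then
    check_ocserv_conf "$1"
fi
```

The max-same-clients warning is deliberate: the tutorial sets it to 0 for convenience, but with password authentication that means one leaked credential can be used from any number of machines at once without anyone being disconnected.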

Iptables settings
Usually nothing needs to be done here, because Debian 6 and 7 ship with no iptables rules (everything is accepted by default). If you do filter incoming traffic, open the ports: the first rule is your TCP port, the second your UDP port.
Shell

iptables -A INPUT -p tcp -m state --state NEW --dport 443 -j ACCEPT
iptables -A INPUT -p udp -m state --state NEW --dport 443 -j ACCEPT
Turn on IPv4 forwarding
Shell

sysctl -w net.ipv4.ip_forward=1
sysctl -p
sysctl -w only changes the running kernel and sysctl -p reloads /etc/sysctl.conf, so add net.ipv4.ip_forward=1 to /etc/sysctl.conf as well if the setting is to survive a reboot.
Turn on NAT
Replace eth0 with the name of your own external network interface; on OpenVZ containers it is usually venet0.
Shell

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
Auto-adjust MTU (MSS clamping)
Shell

iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
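The firewall, NAT and MSS-clamping steps above, as one parameterised rule generator. This is an added example, not the tutorial's own commands: the ports, the external interface and the VPN client range are passed in once, the port numbers are validated, and, unlike the tutorial's MASQUERADE rule, the NAT and FORWARD rules are restricted to the client range (-s VPN_NET) so that the host does not NAT arbitrary forwarded traffic. 192.168.1.0/24 on the usage line is an assumption taken from the sample.config network the tutorial's commented-out route line refers to; use whatever ipv4-network you configured.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: generate the iptables
# rules for ocserv from four parameters so that ports, interface and client
# range live in one place. Print first; pipe into sh (as root) to apply.
set -eu

# valid_port N: 0 if N is an integer in 1..65535
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# vpn_fw_rules TCP_PORT UDP_PORT WAN_IF VPN_NET: print the rule set
vpn_fw_rules() {
    tcp="$1"; udp="$2"; wan="$3"; net="$4"
    for p in "$tcp" "$udp"; do
        valid_port "$p" || { echo "invalid port: $p" >&2; return 1; }
    done
    cat <<EOF
# accept new VPN connections (TCP for the control channel, UDP for DTLS)
iptables -A INPUT -p tcp -m state --state NEW --dport $tcp -j ACCEPT
iptables -A INPUT -p udp -m state --state NEW --dport $udp -j ACCEPT
# forward client traffic out and the replies back, nothing else
iptables -A FORWARD -s $net -o $wan -j ACCEPT
iptables -A FORWARD -d $net -i $wan -m state --state ESTABLISHED,RELATED -j ACCEPT
# NAT only the VPN client range, not everything that leaves $wan
iptables -t nat -A POSTROUTING -s $net -o $wan -j MASQUERADE
# clamp MSS so tunnelled TCP does not stall on path-MTU problems
iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
EOF
}

# Usage (as root, after sysctl -w net.ipv4.ip_forward=1):
#   vpn_fw_rules 443 443 eth0 192.168.1.0/24          # review
#   vpn_fw_rules 443 443 eth0 192.168.1.0/24 | sh     # apply
```

The FORWARD rules are redundant while the chain's policy is ACCEPT, as on a stock Debian install, but they are what keeps the VPN working the day you switch that policy to DROP.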
Ocserv users
The configuration file documents the user options in detail: password login and certificate login are both supported, and users can also be managed through FreeRADIUS. A more detailed explanation will follow later.
First, logging in with a username and password.
Create a user
Shell

ocpasswd username
Replace username with the account you want to create; you will be asked to enter the password twice. ocpasswd writes to /etc/ocserv/ocpasswd by default, which is the file named in the auth line above.
Logging in with a self-signed client certificate will be covered in the next article (still being written).

Ocserv debugging
Use this command to run ocserv in the foreground with debugging enabled:
Shell

ocserv -c /etc/ocserv/ocserv.conf -f -d 1
-f keeps the server in the foreground and -d sets the debug level.
Ocserv optimization
Mainly some management conveniences; further optimizations will be added later.
Create as a service
Shell

vim /etc/init.d/ocserv

Add the following (the PIDFILE path must match the pid-file setting in ocserv.conf):
#!/bin/sh
### BEGIN INIT INFO
# Provides:          ocserv
# Required-Start:    $remote_fs $syslog
# Required-Stop:     $remote_fs $syslog
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
### END INIT INFO
# Copyright Rene Mayrhofer, Gibraltar, 1999
# This script is distributed under the GPL

PATH=/bin:/usr/bin:/sbin:/usr/sbin
DAEMON=/usr/sbin/ocserv
# must match pid-file in /etc/ocserv/ocserv.conf
PIDFILE=/var/run/ocserv.pid
DAEMON_ARGS="-c /etc/ocserv/ocserv.conf"

case "$1" in
start)
    if [ ! -r $PIDFILE ]; then
        echo -n "Starting OpenConnect VPN Server Daemon: "
        start-stop-daemon --start --quiet --pidfile $PIDFILE --exec $DAEMON -- \
            $DAEMON_ARGS > /dev/null
        echo "ocserv."
    else
        echo "OpenConnect VPN Server is already running."
        exit 0
    fi
    ;;
stop)
    echo -n "Stopping OpenConnect VPN Server Daemon: "
    start-stop-daemon --stop --quiet --pidfile $PIDFILE --exec $DAEMON
    echo "ocserv."
    rm -f $PIDFILE
    ;;
force-reload|restart)
    echo "Restarting OpenConnect VPN Server:"
    $0 stop
    sleep 1
    $0 start
    ;;
status)
    if [ ! -r $PIDFILE ]; then
        # no PID file, process doesn't seem to be running correctly
        exit 3
    fi
    PID=$(sed 's/ //g' $PIDFILE)
    EXE=/proc/$PID/exe
    # the PID is alive and its executable is our daemon
    if [ -x "$EXE" ] && [ "$(readlink -f "$EXE")" = "$DAEMON" ]; then
        # OK, process seems to be running
        exit 0
    elif [ -r $PIDFILE ]; then
        # process not running, but PID file exists
        exit 1
    else
        # no lock file to check for, so simply return the stopped status
        exit 3
    fi
    ;;
*)
    echo "Usage: /etc/init.d/ocserv {start|stop|restart|force-reload|status}"
    exit 1
    ;;
esac

exit 0

Register the service and start it at boot
Shell

chmod 755 /etc/init.d/ocserv
update-rc.d ocserv defaults

You can then manage it with the following commands:
Shell

/etc/init.d/ocserv stop
/etc/init.d/ocserv start
/etc/init.d/ocserv restart
The installation and basic debugging steps are now complete. What remains is the user setup.
