OpenConnect VPN Server official site: http://www.infradead.org/ocserv/
Official installation guide: https://github.com/openconnect/recipes
It is now in the Debian package archive, so it can be installed with apt install ocserv instead of being compiled by hand.
Because this is an SSL VPN, the server needs a TLS certificate. A self-signed one works, but Cisco AnyConnect will show a security warning because it is not issued by a trusted CA: openssl req -newkey rsa:2048 -nodes -keyout ssl.key -x509 -days 365 -out ssl.crt -subj "/C=CN/ST=GD/L=GZ/O=GFeng/OU=IT/CN=192.168.0.1/emailAddress=dev@gov.cn"
Verify the certificate: openssl x509 -in ssl.crt -text -noout
CSR method (when the certificate is to be issued by a CA): openssl req -newkey rsa:2048 -nodes -keyout ssl.key -out ssl.req -subj "/C=CN/ST=GD/L=GZ/O=GFeng/OU=IT/CN=192.168.0.1/emailAddress=dev@gov.cn"
Verify the CSR: openssl req -in ssl.req -text -noout
Generate the DH parameter file (1024-bit DH is considered weak and is rejected by modern clients; use at least 2048 bits): openssl dhparam -out dh.pem 2048
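The certificate steps above, as an added example script that is not part of the original page or the ocserv project. It puts the VPN address into a subjectAltName rather than only the CN (the SAN is what clients match the server name against), generates 2048-bit DH parameters, and checks that the certificate really carries the address and belongs to the private key that will be configured. The host name vpn.example.com, the output directory and OpenSSL 1.1.1 or later (for -addext) are assumptions.

```shell
#!/bin/sh
# Added example (not from the original page or ocserv): self-signed server
# certificate with a SAN for the VPN address, 2048-bit DH params, and checks.
# Assumptions: OpenSSL >= 1.1.1; vpn.example.com and the directory are placeholders.
set -eu

# make_ocserv_cert DIR IP DNSNAME [DAYS]
# Clients match the server name against subjectAltName, not the CN alone,
# so the IP (and DNS name) go into the SAN extension.
make_ocserv_cert() {
    dir=$1; ip=$2; dnsname=$3; days=${4:-365}
    mkdir -p "$dir"
    openssl req -newkey rsa:2048 -nodes -keyout "$dir/ssl.key" \
        -x509 -days "$days" -out "$dir/ssl.crt" \
        -subj "/C=CN/ST=GD/L=GZ/O=GFeng/OU=IT/CN=$dnsname" \
        -addext "subjectAltName=IP:$ip,DNS:$dnsname" 2>/dev/null
    chmod 600 "$dir/ssl.key"   # the private key must not be world-readable
}

# make_dh_params DIR: 2048-bit safe prime (slow, often a minute or more)
make_dh_params() {
    openssl dhparam -out "$1/dh.pem" 2048 2>/dev/null
}

# verify_ocserv_cert DIR IP: succeed only if the certificate lists IP in its
# SAN and its public key matches the private key next to it.
verify_ocserv_cert() {
    dir=$1; ip=$2
    openssl x509 -in "$dir/ssl.crt" -noout -text | grep -q "IP Address:$ip" || return 1
    certpub=$(openssl x509 -in "$dir/ssl.crt" -noout -pubkey)
    keypub=$(openssl pkey -in "$dir/ssl.key" -pubout)
    [ "$certpub" = "$keypub" ]
}

# dh_bits FILE: print the size of the DH prime, to reject weak 1024-bit files
dh_bits() {
    openssl dhparam -in "$1" -noout -text | sed -n 's/.*(\([0-9]*\) bit).*/\1/p' | head -n 1
}

# Usage: sh make-ocserv-cert.sh /etc/ocserv 192.168.0.1 vpn.example.com
if [ $# -ge 3 ]; then
    make_ocserv_cert "$1" "$2" "$3" "${4:-365}"
    make_dh_params "$1"
    verify_ocserv_cert "$1" "$2" && [ "$(dh_bits "$1/dh.pem")" -ge 2048 ] \
        && echo "certificate and DH parameters OK"
fi
```

The resulting files are referenced from ocserv.conf as server-cert, server-key and dh-params. Clients will still warn that the issuer is untrusted until the certificate (or its CA) is imported on the client side; the SAN only removes the separate host-name mismatch.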
Enable IPv4 forwarding: net.ipv4.ip_forward = 1
Use iptables to NAT the VPN client pool out through the uplink (the pool must match ipv4-network in ocserv.conf):

iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE
iptables -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
ip link set txqueuelen 10000 dev eth0
# ocserv config file (ocserv.conf):
output-buffer = 23000 
try-mtu-discovery = true 

# Server sysctl tuning:
net.core.rmem_max = 67108864 
net.core.wmem_max = 67108864 
net.ipv4.tcp_rmem = 4096 87380 33554432 
net.ipv4.tcp_wmem = 4096 65536 33554432 
net.core.netdev_max_backlog = 30000 
net.ipv4.tcp_mtu_probing=1 

IPv6 support only requires enabling IPv6 forwarding as well: net.ipv6.conf.all.forwarding = 1 (clients also need an IPv6 pool assigned via ipv6-network in ocserv.conf)
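The forwarding, NAT, MSS-clamp and sysctl steps above combined into one idempotent gateway script, as an added example that is not part of the original page or the ocserv project. It appends each iptables rule only if it is not already present, persists the sysctl values in a sysctl.d file instead of a one-off sysctl -w, and restricts the FORWARD chain to the pool's outbound traffic and its replies. The pool, uplink interface, file path and the DRY_RUN switch are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the original page or ocserv): idempotent gateway
# setup for an ocserv server. VPN_NET must equal the ipv4-network/ipv4-netmask
# pool in ocserv.conf, or the MASQUERADE rule never matches client traffic.
# Pool, interface and sysctl.d path are placeholders.
set -eu

VPN_NET=${VPN_NET:-192.168.1.0/24}
WAN_IF=${WAN_IF:-eth0}
SYSCTL_FILE=${SYSCTL_FILE:-/etc/sysctl.d/90-ocserv.conf}
DRY_RUN=${DRY_RUN:-0}   # DRY_RUN=1 prints commands instead of running them (no root needed)

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# add_rule TABLE CHAIN MATCH...: append only if the rule is absent, so the
# script can be re-run without stacking duplicate rules.
add_rule() {
    table=$1; chain=$2; shift 2
    if [ "$DRY_RUN" != 1 ] && iptables -t "$table" -C "$chain" "$@" 2>/dev/null; then
        return 0
    fi
    run iptables -t "$table" -A "$chain" "$@"
}

# sysctl_config: forwarding switches plus the buffer tuning from the page,
# emitted as sysctl.d content so the settings survive a reboot.
sysctl_config() {
    cat <<'EOF'
net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 1
net.core.rmem_max = 67108864
net.core.wmem_max = 67108864
net.ipv4.tcp_rmem = 4096 87380 33554432
net.ipv4.tcp_wmem = 4096 65536 33554432
net.core.netdev_max_backlog = 30000
net.ipv4.tcp_mtu_probing = 1
EOF
}

apply_sysctl() {
    if [ "$DRY_RUN" = 1 ]; then
        printf 'write %s\n' "$SYSCTL_FILE"
    else
        sysctl_config > "$SYSCTL_FILE"
    fi
    run sysctl -q -p "$SYSCTL_FILE"
}

setup_firewall() {
    # source NAT for VPN clients leaving through the uplink
    add_rule nat POSTROUTING -s "$VPN_NET" -o "$WAN_IF" -j MASQUERADE
    # clamp MSS on forwarded SYNs so tunnelled TCP does not stall on PMTU black holes
    add_rule filter FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
    # let the pool out, and only reply traffic back in, instead of an open FORWARD chain
    add_rule filter FORWARD -s "$VPN_NET" -o "$WAN_IF" -j ACCEPT
    add_rule filter FORWARD -d "$VPN_NET" -i "$WAN_IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run ip link set txqueuelen 10000 dev "$WAN_IF"
}

# Usage: DRY_RUN=1 sh ocserv-gateway.sh apply  (review)  /  sh ocserv-gateway.sh apply  (as root)
if [ "${1:-}" = apply ]; then
    apply_sysctl
    setup_firewall
fi
```

Run it once with DRY_RUN=1 to review the exact iptables and sysctl commands before applying them as root; the FORWARD chain's default policy should be DROP for the two ACCEPT rules to mean anything.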


occtl is the control tool for the running server.
Reload the configuration without dropping sessions: occtl reload

Tags: Linux, OpenConnect, VPN, SSL VPN, AnyConnect
