1.安装ocserv
ocserv 已经在 epel 仓库中提供了,所以可以直接通过 yum 安装
$ yum install epel-release
$ yum install ocserv
2. 创建 CA
cd /etc/ocserv
mkdir CA cd CA
vim ca.tmpl
cn = "liuyuanzhen" organization = "bd" serial = 1 expiration_days = 3650 ca signing_key cert_signing_key crl_signing_key
CA 密钥
certtool --generate-privkey --outfile ca-key.pem
CA证书
certtool --generate-self-signed --load-privkey ca-key.pem --template ca.tmpl --outfile ca-cert.pem
vim server.tmpl
cn = "45.77.10.62" organization = "bd" expiration_days = 3650 signing_key encryption_key tls_www_server
Server 密钥
certtool --generate-privkey --outfile server-key.pem
Server 证书
certtool --generate-certificate --load-privkey server-key.pem --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem --template server.tmpl --outfile server-cert.pem
证书路径(上述步骤创建):
/etc/ocserv/CA/ca-cert.pem /etc/ocserv/CA/server-cert.pem /etc/ocserv/CA/server-key.pem
vim /etc/ocserv/ocserv.conf
![](https://images.cnblogs.com/OutliningIndicators/ContractedBlock.gif)
![](https://images.cnblogs.com/OutliningIndicators/ExpandedBlockStart.gif)
# User authentication method. Could be set multiple times and in # that case all should succeed. To enable multiple methods use # multiple auth directives. Available options: certificate, # plain, pam, radius, gssapi. # # Note that authentication methods cannot be changed with reload. # certificate: # This indicates that all connecting users must present a certificate. # # pam[gid-min=1000]: # This enabled PAM authentication of the user. The gid-min option is used # by auto-select-group option, in order to select the minimum valid group ID. # # plain[passwd=/etc/ocserv/ocpasswd,otp=/etc/ocserv/users.otp] # The plain option requires specifying a password file which contains # entries of the following format. # "username:groupname1,groupname2:encoded-password" # One entry must be listed per line, and 'ocpasswd' should be used # to generate password entries. The 'otp' suboption allows to specify # an oath password file to be used for one time passwords; the format of # the file is described in https://code.google.com/p/mod-authn-otp/wiki/UsersFile # # radius[config=/etc/radiusclient/radiusclient.conf,groupconfig=true,nas-identifier=name,override-interim-updates=false]: # The radius option requires specifying freeradius-client configuration # file. If the groupconfig option is set, then config-per-user will be overriden, # and all configuration will be read from radius. The 'override-interim-updates' if set to # true will ignore Acct-Interim-Interval from the server and 'stats-report-time' will be considered. # # gssapi[keytab=/etc/key.tab,require-local-user-map=true,tgt-freshness-time=900] # The gssapi option allows to use authentication methods supported by GSSAPI, # such as Kerberos tickets with ocserv. It should be best used as an alternative # to PAM (i.e., have pam in auth and gssapi in enable-auth), to allow users with # tickets and without tickets to login. The default value for require-local-user-map # is true. The 'tgt-freshness-time' if set, it would require the TGT tickets presented # to have been issued within the provided number of seconds. That option is used to # restrict logins even if the KDC provides long time TGT tickets. auth = "plain[/etc/ocserv/ocpasswd]" #auth = "pam" #auth = "pam[gid-min=1000]" #auth = "plain[passwd=./sample.passwd,otp=./sample.otp]" #auth = "certificate" #auth = "radius[config=/etc/radiusclient/radiusclient.conf,groupconfig=true]" # Specify alternative authentication methods that are sufficient # for authentication. That is, if set, any of the methods enabled # will be sufficient to login. #enable-auth = "certificate" #enable-auth = "gssapi" #enable-auth = "gssapi[keytab=/etc/key.tab,require-local-user-map=true,tgt-freshness-time=900]" # Accounting methods available: # radius: can be combined with any authentication method, it provides # radius accounting to available users (see also stats-report-time). # # pam: can be combined with any authentication method, it provides # a validation of the connecting user's name using PAM. It is # superfluous to use this method when authentication is already # PAM. # # Only one accounting method can be specified. #acct = "radius[config=/etc/radiusclient/radiusclient.conf]" # Use listen-host to limit to specific IPs or to the IPs of a provided # hostname. #listen-host = [IP|HOSTNAME] # When the server has a dynamic DNS address (that may change), # should set that to true to ask the client to resolve again on # reconnects. #listen-host-is-dyndns = true # TCP and UDP port number tcp-port = 443 udp-port = 443 # Accept connections using a socket file. It accepts HTTP # connections (i.e., without SSL/TLS unlike its TCP counterpart), # and uses it as the primary channel. That option cannot be # combined with certificate authentication. #listen-clear-file = /var/run/ocserv-conn.socket # The user the worker processes will be run as. It should be # unique (no other services run as this user). run-as-user = ocserv run-as-group = ocserv # socket file used for IPC with occtl. You only need to set that, # if you use more than a single servers. #occtl-socket-file = /var/run/occtl.socket # socket file used for server IPC (worker-main), will be appended with .PID # It must be accessible within the chroot environment (if any), so it is best # specified relatively to the chroot directory. socket-file = ocserv.sock # The default server directory. Does not require any devices present. chroot-dir = /var/lib/ocserv ### All configuration options below this line are reloaded on a SIGHUP. ### The options above, will remain unchanged. Note however, that the ### server-cert, server-key, dh-params and ca-cert options will be reloaded ### if the provided file changes, on server reload. That allows certificate ### rotation, but requires the server key to remain the same for seamless ### operation. If the server key changes on reload, there may be connection ### failures during the reloading tim