1. 首先用 ocpasswd 添加两个带分组的用户（-g 指定的组名必须与第 2 步创建的分组配置文件名完全一致）
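# Create two users, each assigned to its own group. The group name given
# with -g must match the file name under config-per-group (group1/group2
# below); the original used "gruop1"/"gruop2", which would never match
# those files and so would silently get no per-group routes.
# ocpasswd prompts for the password; the file it writes holds password
# hashes, so keep it readable by root only (e.g. chmod 600).
ocpasswd -c /etc/ocserv/ocpasswd -g group1 user1
ocpasswd -c /etc/ocserv/ocpasswd -g group2 user2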
2. 创建分组配置目录，并为每个分组写一个路由表文件（文件名即组名）
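# One file per group under config-per-group; the file name is the group name
# used with `ocpasswd -g`. `mkdir -p` makes this safe to re-run, and `>`
# writes each file fresh instead of appending a duplicate line on every run
# (the original used `echo -e ... >>`).
mkdir -p /etc/ocserv/group
printf '%s\n' 'route = 10.10.0.0/255.255.255.0'   > /etc/ocserv/group/group1
# NOTE(review): group2 has a no-route but no route line, so presumably all
# other traffic is sent through the tunnel for that group — confirm intended.
printf '%s\n' 'no-route = 211.80.0.0/255.240.0.0' > /etc/ocserv/group/group2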
以上两个路由表只是为演示 group1 和 group2 随便写的，请按自己的网络自行添加路由规则。
此外分组配置文件里还可以写 dns、idle-timeout（空闲断线时间）等参数。
3. 在 ocserv.conf 中添加以下配置项
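# Per-group configuration: ocserv looks for <dir>/<groupname> and applies
# that file's route/dns/... settings to users in that group.
config-per-group = /etc/ocserv/group/
# Comments are kept on their own lines: the sample ocserv.conf never uses
# trailing "#" comments after a value, so do not rely on them being parsed.
# Per the author: users created without -g fall back to group1 and therefore
# get group1's route table. NOTE(review): confirm against ocserv(8) which of
# default-group-config / default-select-group drives that fallback.
default-group-config = /etc/ocserv/group/group1
default-select-group = group1
# Do not let the client choose a group at login; the server assigns it.
auto-select-group = false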
4. 重启 ocserv 使配置生效
# Stop and then start the service so the new ocserv.conf and the group
# files are read. (On systemd hosts the equivalent is `systemctl restart ocserv`.)
for action in stop start; do
  /etc/init.d/ocserv "$action"
done
下面是作者实际使用的完整 /etc/ocserv/ocserv.conf（仅供参考，请按自己的环境调整端口、证书路径和网段）
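# ocserv.conf as used by the author. Keys keep their original order; the
# comments (each on its own line) explain the security-relevant choices.

# --- Authentication: local password file managed with ocpasswd ---
auth = "plain[passwd=/etc/ocserv/ocpasswd]"

# --- Listeners ---
# listen-host = [IP|HOSTNAME]
tcp-port = 56789
udp-port = 56789

# Account the workers drop privileges to. nobody/daemon are shared with
# other services on the host; a dedicated unprivileged account (e.g. an
# "ocserv" user) is preferable so a compromised worker cannot touch them.
run-as-user = nobody
run-as-group = daemon

# --- Per-group configuration (one file per group name in this directory) ---
config-per-group = /etc/ocserv/group/
default-group-config = /etc/ocserv/group/yq
default-select-group = yq
auto-select-group = false

socket-file = /var/run/ocserv-socket

# --- TLS material ---
server-cert = /etc/ocserv/ssl/server-cert.pem
server-key = /etc/ocserv/ssl/server-key.pem
ca-cert = /etc/ocserv/ssl/ca-cert.pem

# Run each client in an isolated worker (seccomp/namespaces where supported).
isolate-workers = true
banner = "Welcome Banalala"

# --- Connection limits ---
# max-clients 0 = unlimited. max-same-clients 100 lets one credential be
# logged in 100 times at once, which hides credential sharing or theft;
# lower it unless that is intended. rate-limit-ms 0 disables throttling of
# new connections.
max-clients = 0
max-same-clients = 100
rate-limit-ms = 0
server-stats-reset-time = 604800

# --- Keepalive / dead-peer detection (seconds) ---
keepalive = 32400
dpd = 90
mobile-dpd = 1800
switch-to-tcp-timeout = 25

# --- MTU ---
# NOTE(review): MTU discovery is off and a fixed 2000-byte MTU is used; most
# paths carry 1500 or less, so DTLS packets may be fragmented or dropped —
# verify on the real path.
try-mtu-discovery = false
mtu = 2000

# --- TLS policy ---
# SSLv3, TLS 1.0 and TLS 1.1 are disabled explicitly; depending on the
# GnuTLS build, NORMAL alone may still offer TLS 1.0/1.1. %COMPAT is kept
# for old-client quirks. Re-test any legacy AnyConnect clients after
# applying this.
tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1"

# --- Session timers (seconds) ---
auth-timeout = 240
idle-timeout = 86400
mobile-idle-timeout = 86400
min-reauth-time = 300

# --- Brute-force banning ---
# Failed attempts add ban points (amounts come from the ban-points-* options,
# left at their defaults here); reaching max-ban-score bans the source IP
# until ban-reset-time has elapsed.
max-ban-score = 80
ban-reset-time = 1200

cookie-timeout = 300
# Refuse a session cookie presented from a different IP than it was issued to.
deny-roaming = true

# --- Rekeying (48 h) ---
rekey-time = 172800
rekey-method = ssl

use-occtl = true
pid-file = /var/run/ocserv.pid
net-priority = 6
device = vpns
predictable-ips = true
default-domain = example.com

# --- Client address pool ---
ipv4-network = 10.10.0.0
ipv4-netmask = 255.255.255.0
# An alternative way of specifying the network:
#ipv4-network = 192.168.1.0/24
# The IPv6 subnet that leases will be given from.
#ipv6-network = fda9:4efe:7e3b:03ea::/48
# Specify the size of the network to provide to clients. It is
# generally recommended to provide clients with a /64 network in
# IPv6, but any subnet may be specified. To provide clients only
# with a single IP use the prefix 128.
#ipv6-subnet-prefix = 128
#ipv6-subnet-prefix = 64

# --- DNS pushed to clients ---
# tunnel-all-dns is left off, so clients may still resolve some names
# through their local resolver; enable it if DNS leakage matters.
#tunnel-all-dns = true
dns = 8.8.8.8
dns = 223.5.5.5
ping-leases = true
#route = 10.10.0.0/255.255.255.0
#route = 0.0.0.0/0.0.0.0

# --- Legacy client compatibility ---
# Both widen the accepted protocol surface for old Cisco/AnyConnect clients;
# dtls-legacy allows the older, non-standard DTLS negotiation. Disable them
# once all clients are current.
cisco-client-compat = true
dtls-legacy = true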