├── README.md
├── make-client.sh
└── ocserv.sh
/README.md:
--------------------------------------------------------------------------------
1 | EPEL 已经提供二进制包,Debian、Fedora 也有二进制包,请优先使用发行版的二进制包安装(可以跟随发行版获得安全更新,而不是像本脚本这样以 root 身份从源码编译安装)。配置可以参考本脚本。
2 | Ocserv install script for CentOS&RHEL 7
3 | =======================================
4 | 这是 ocserv 在 CentOS 7 和 RHEL 7 的一键安装脚本,可以在最小化安装环境的 CentOS 7 和 RHEL 7 下一键部署 ocserv。
5 | 支持自动判断iptables安装与否。
6 |
7 | * 支持自动判断防火墙,无需手动安装;
8 | * 默认采用用户名密码验证,本安装脚本编译的 ocserv 也支持 pam 验证,只需要修改配置文件即可;
9 | * 默认配置文件在 /opt/ocserv/ 目录,可自行更改脚本里的参数;
10 | * 安装时会提示你输入端口、用户名、密码等信息,也可直接回车采用默认值,密码是随机生成的;
11 | * 安装脚本会关闭 SELinux(ConfigSystem 中把 /etc/selinux/config 改为 disabled 并执行 setenforce 0)。注意这会去掉整台主机的强制访问控制,不只是影响 ocserv;如有条件,建议改用 permissive 并为 ocserv 编写策略,而不是整体关闭;
12 | * 自带路由表,只有路由表里的 IP 才会走 VPN,如果你有需要添加的路由表可自行添加,最多支持 200 条;
13 | * 如果你有证书机构颁发的证书,可以把证书和私钥放到脚本的同目录下,确保文件名和脚本里的匹配(默认为 server-cert.pem 和 server-key.pem,私钥文件权限应为 600 或 400),安装脚本会使用你的证书,客户端连接时不会提示证书错误;
14 | * 配置文件修改为每个账号允许 2 个连接,全局 12 个连接,可修改脚本前面的变量。1024 个连接大约需要 2048 个 IP,所以虚拟接口的 IP 配置了 8 个 C 段。
15 |
16 | 安装脚本分为以下几大块,如果中间有错误,可以注释掉部分然后重新执行脚本,ConfigEnvironmentVariable 为必须,后面的脚本会使用这里的变量
17 |
18 | * ConfigEnvironmentVariable // 配置环境变量
19 | * PrintEnvironmentVariable // 打印环境变量
20 | * CompileOcserv $@ // 下载并编译 ocserv
21 | * ConfigOcserv // 配置 ocserv,包括修改 ocserv.conf,配置 ocserv.service
22 | * ConfigFirewall // 配置防火墙
23 | * ConfigSystem // 配置系统
24 | * PrintResult // 打印最后的安装结果和 VPN 账号等
25 |
--------------------------------------------------------------------------------
/make-client.sh:
--------------------------------------------------------------------------------
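#!/bin/sh
# Issue a client certificate signed by the CA that ocserv.sh generated.
#
# Run from <confdir>/usercert: expects user.tmpl in the current directory and
# ca-cert.pem / ca-key.pem one level up. Produces <user>.key.pem,
# <user>.cert.pem and PKCS#12 bundles (mobile.<user>.p12, windows.<user>.p12).
# The certificate CN is what ocserv maps to the user name and the OU kept in
# user.tmpl selects the ocserv group.
set -eu
# Private keys and .p12 bundles are secrets: create them unreadable to others.
umask 077

serial=$(date +%s%N)   # %N is GNU date; good enough as a unique serial for a hand-run CA
echo "Please input your username for your certificate:"
read -r tmp1
echo "Please input your user's email for your certificate:"
read -r tmp2

# Both inputs are spliced into sed scripts and file names; restrict them to a
# conservative character set so they cannot carry path separators, shell
# metacharacters or sed commands.
case "$tmp1" in
  ''|*[!A-Za-z0-9._-]*)
    echo "Error: username may only contain letters, digits, '.', '_' and '-'." >&2
    exit 1 ;;
esac
case "$tmp2" in
  ''|*[!A-Za-z0-9._@+-]*)
    echo "Error: email may only contain letters, digits and . _ @ + -" >&2
    exit 1 ;;
esac
for f in user.tmpl ../ca-cert.pem ../ca-key.pem; do
  if [ ! -f "$f" ]; then
    echo "Error: $f not found; run this script from the usercert directory." >&2
    exit 1
  fi
done

#certtool --generate-privkey --outfile "$tmp1.key.pem"
openssl genrsa -out "$tmp1.key.pem" 4096
# user.tmpl layout is fixed by ocserv.sh: line 1 cn, line 3 email, line 6 serial.
sed -i "1ccn = ${tmp1}" user.tmpl
sed -i "3cemail = ${tmp2}" user.tmpl
sed -i "6cserial = ${serial}" user.tmpl
certtool --generate-certificate --hash SHA256 --load-privkey "$tmp1.key.pem" --load-ca-certificate ../ca-cert.pem --load-ca-privkey ../ca-key.pem --template user.tmpl --outfile "$tmp1.cert.pem"

# PKCS#12 for mobile clients. 3DES is presumably kept for older mobile
# importers — confirm; prefer an AES cipher where the client accepts it. The
# bundle contains the private key: move it over a trusted channel and delete
# the copy here once installed.
echo " "
echo "****** P12 certificate for Mobile Client, remember the name and password you enter, copy **mobile.${tmp1}.p12** to your mobile phone and install ******"
certtool --to-p12 --load-privkey "$tmp1.key.pem" --pkcs-cipher 3des-pkcs12 --load-certificate "$tmp1.cert.pem" --outfile "mobile.$tmp1.p12" --outder
openssl pkcs12 -export -inkey "$tmp1.key.pem" -in "$tmp1.cert.pem" -certfile ../ca-cert.pem -out "mobile.openssl.$tmp1.p12"

# PKCS#12 for Windows clients (friendly names shown in the certificate store).
echo " "
echo "****** P12 certificate for Windows Client, remember the password you enter, copy **windows.${tmp1}.p12** to windows and install ******"
echo " "
openssl pkcs12 -export -inkey "$tmp1.key.pem" -in "$tmp1.cert.pem" -name "${tmp1}" -certfile ../ca-cert.pem -caname "Cisco CA" -out "windows.$tmp1.p12"
exit 0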
25 |
--------------------------------------------------------------------------------
/ocserv.sh:
--------------------------------------------------------------------------------
1 | #!/bin/bash
2 | ####################################################
3 | # #
4 | # This is a ocserv installation for CentOS 7 #
5 | # Version: 1.2.7 20150120 #
6 | # Author: Monokoo #
7 | # Thanks for original author: Travis Lee #
8 | ####################################################
9 | # Version: 1.2.7 20150120
10 | # *更新ocserv的版本为0.10.11
11 | # *增加证书分组
12 |
13 | # Version: 1.2.6 20151229
14 | # *更新ocserv的版本为0.10.10
15 |
16 | # Version: 1.2.5 20151009
17 | # *源码下载改回作者的官方网站
18 | # *更新ocserv的版本为0.10.9
19 |
20 | # Version: 1.2.4 20150929
21 | # *源码下载改为从 github 下载,作者网站似乎挂了
22 | # *更新ocserv的版本为0.10.7
23 | # *更新libtasn1的版本为4.7
24 |
25 | # Version: 1.2.3 20150508
26 | # *更新libtasn1的版本为4.5
27 | # *更新ocserv的版本为0.10.4
28 |
29 | # Version: 1.2.2 20150402
30 | # *兼容CentOS 7.1,编译libtasn1-4.4替换系统的3.8版
31 | # *修正 修改src/vpn.h路由条数 的命令
32 |
33 | # +增加firewalld和iptables检测功能,使用systemctl is-active判断哪个防火墙在运行,请确保有一个防火墙自启动并加载默认配置
34 | # *把几个功能用function分隔,如果脚本运行遇到问题,可以注释已经完成的部分,修正后继续
35 |
36 |
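# Refuse to run unprivileged: everything below writes to /etc, /usr/local,
# /opt and the systemd unit directory.
if [[ $(id -u) != "0" ]]; then
  printf "\e[42m\e[31mError: You must be root to run this install script.\e[0m\n"
  exit 1
fi

# Only CentOS 7 / RHEL 7 are supported (yum, iptables-services and the
# /etc/sysconfig/iptables layout are assumed below). The dot is escaped so
# "release 7." is matched literally.
if ! grep -q "release 7\." /etc/redhat-release 2>/dev/null; then
  printf "\e[42m\e[31mError: Your OS is NOT CentOS 7 or RHEL 7.\e[0m\n"
  printf "\e[42m\e[31mThis install script is ONLY for CentOS 7 and RHEL 7.\e[0m\n"
  exit 1
fi
# check install — guard against installing twice (not implemented)
# [ -f /usr/sbin/ocserv ]
# printf "Not installed ok"

# Resolve the script directory to an absolute path. Later functions cd into
# build trees and then "cd ${basepath}" to return; with a relative value such
# as "." (from ./ocserv.sh) that return was a no-op and certificates ended up
# inside the ocserv source tree.
basepath=$(cd "$(dirname "$0")" && pwd) || exit 1
cd "${basepath}" || { printf "Error: cannot cd to %s\n" "${basepath}"; exit 1; }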
55 |
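# Generate a 10-character password from [A-Za-z0-9] using the kernel CSPRNG.
# The previous generator indexed the alphabet with $RANDOM, a 15-bit
# non-cryptographic source, with modulo bias on top; this value becomes the
# VPN login password stored via ocpasswd, so it deserves a real entropy source.
randstr() {
  local pw
  pw=$(LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c 10)
  printf '%s\n' "${pw}"
}

# Return 0 when $1 is a decimal integer in 1..65535, else non-zero.
# The port is later spliced unquoted into sed scripts and iptables rules, so
# anything that is not a plain number must be rejected here.
is_valid_port() {
  [[ "$1" =~ ^[0-9]{1,5}$ ]] && (( 10#$1 >= 1 && 10#$1 <= 65535 ))
}

# Collect every setting the other functions read (as globals): versions,
# server cert/key names, confdir, listening port, certificate CN, VPN user
# name and password. Prompts interactively; blank input keeps the default.
# Positional overrides: $1 ocserv version, $2 server cert, $3 server key —
# these only take effect when the caller forwards the script arguments.
function ConfigEnvironmentVariable {
  # ocserv version to download and build
  ocserv_version="0.10.11"
  version=${1-${ocserv_version}}
  # library versions used by UpdateComponents
  libtasn1_version=4.7
  nettle_version=3.1
  gnutls_version=3.3.20
  # max concurrent sessions per user (ocserv max-same-clients)
  maxsameclients=2
  # max concurrent sessions overall (ocserv max-clients)
  maxclients=12
  # server certificate and key in the script directory; the key file should be mode 600 or 400
  servercert=${2-server-cert.pem}
  serverkey=${3-server-key.pem}
  # configuration directory; may be changed to e.g. /etc/ocserv
  confdir="/opt/ocserv"

  # net-tools provides ifconfig/netstat used below and in PrintResult
  yum install -y -q net-tools bind-utils
  # Interface names from ifconfig ("<name>: flags=..."); lo is included, so
  # two entries means a single real interface and no prompt is needed.
  ethlist=$(ifconfig | grep ": flags" | cut -d ":" -f1)
  eth=$(printf "%s\n" "${ethlist}" | head -n 1)
  if [[ $(printf "%s\n" "${ethlist}" | wc -l) -gt 2 ]]; then
    echo ======================================
    echo "Network Interface list:"
    printf "\e[33m%s\e[0m\n" "${ethlist}"
    echo ======================================
    echo "Which network interface you want to listen for ocserv?"
    printf "Default network interface is \e[33m%s\e[0m, let it blank to use default network interface: " "${eth}"
    read -r ethtmp
    if [[ -n "${ethtmp}" ]]; then
      eth=${ethtmp}
    fi
  fi

  # Non-loopback IPv4 addresses, one per line (may be several on multi-homed hosts).
  ipv4=$(ip -4 -f inet addr | grep "inet " | grep -v "lo:" | grep -v "127.0.0.1" | grep -o -P "\d+\.\d+\.\d+\.\d+\/\d+" | grep -o -P "\d+\.\d+\.\d+\.\d+")

  # listening port (tcp and udp), default 10443
  port=10443
  echo "Please input the port ocserv listen to."
  printf "Default port is \e[33m%s\e[0m, let it blank to use default port: " "${port}"
  read -r porttmp
  if [[ -n "${porttmp}" ]]; then
    if ! is_valid_port "${porttmp}"; then
      printf "\e[31mError: invalid port '%s' (expected a number 1-65535).\e[0m\n" "${porttmp}"
      exit 1
    fi
    port=${porttmp}
  fi

  # certificate CN / dns_name and ocserv default-domain; defaults to the server IP.
  # It is written into certtool templates and a sed replacement, so only
  # hostname/IP characters are accepted.
  cname=${ipv4}
  echo "Please input the cname for certificate. The default cname is your server's IP address"
  printf "Default cname is \e[33m%s\e[0m, let it blank to use default cname: " "${ipv4}"
  read -r cnametmp
  if [[ -n "${cnametmp}" ]]; then
    if ! [[ "${cnametmp}" =~ ^[A-Za-z0-9.-]+$ ]]; then
      printf "\e[31mError: cname '%s' may only contain letters, digits, '.' and '-'.\e[0m\n" "${cnametmp}"
      exit 1
    fi
    cname=${cnametmp}
  fi

  # VPN user name, default "github". Colons and whitespace are rejected since
  # the name is stored in the colon-separated ocpasswd file.
  username=github
  echo "Please input ocserv user name:"
  printf "Default user name is \e[33m%s\e[0m, let it blank to use default user name: " "${username}"
  read -r usernametmp
  if [[ -n "${usernametmp}" ]]; then
    case "${usernametmp}" in
      *[[:space:]:]*)
        printf "\e[31mError: user name must not contain whitespace or ':'.\e[0m\n"
        exit 1 ;;
    esac
    username=${usernametmp}
  fi

  # Password: random by default, operator may override. It is passed to
  # ocpasswd on stdin (never on the command line) in ConfigOcserv.
  password=$(randstr)
  printf "Please input \e[33m%s\e[0m's password:\n" "${username}"
  printf "Default password is \e[33m%s\e[0m, let it blank to use default password: " "${password}"
  read -r passwordtmp
  if [[ -n "${passwordtmp}" ]]; then
    password=${passwordtmp}
  fi
}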
139 |
# Display the settings gathered by ConfigEnvironmentVariable and wait for a
# keypress before the install starts. Side effect: sets the globals ipv4 and
# ipv6 that PrintResult echoes at the end.
function PrintEnvironmentVariable {
  clear
  ipv4=$(ip -4 -f inet addr | grep "inet " | grep -v "lo:" | grep -v "127.0.0.1" | grep -o -P "\d+\.\d+\.\d+\.\d+\/\d+" | grep -o -P "\d+\.\d+\.\d+\.\d+")
  ipv6=$(ip -6 addr | grep "inet6" | grep -v "::1/128" | grep -o -P "([a-z\d]+:[a-z\d:]+\/\d+)" | grep -o -P "([a-z\d]+:[a-z\d:]+)")
  # The unquoted inner echo intentionally joins a multi-line address list onto one line.
  echo -e "IPv4:\t\t\e[34m$(echo ${ipv4})\e[0m"
  echo -e "IPv6:\t\t\e[34m$(echo ${ipv6})\e[0m"
  echo -e "Port:\t\t\e[34m${port}\e[0m"
  echo -e "Username:\t\e[34m${username}\e[0m"
  echo -e "Password:\t\e[34m${password}\e[0m"
  echo
  echo "Press any key to start install ocserv."

  # Read one raw byte from the controlling terminal without echo, then put the
  # terminal back the way it was.
  wait_for_key() {
    local saved_stty
    saved_stty=$(stty -g)
    stty -echo
    stty cbreak
    dd if=/dev/tty bs=1 count=1 2> /dev/null
    stty -raw
    stty echo
    stty "${saved_stty}"
  }
  char=$(wait_for_key)
  clear
}
165 |
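# Install build dependencies, fetch the ocserv source tarball, build it and
# install it under /usr/local as root. Installs the sample config into
# ${confdir} and the standalone systemd unit into /usr/lib/systemd/system.
# Honors OCSERV_SHA256 (optional): the expected SHA-256 of the tarball.
function CompileOcserv {
  #yum update -y -q
  #yum install -y -q epel-release
  # ocserv build dependencies
  yum install -y gnutls gnutls-utils gnutls-devel readline readline-devel texinfo
  yum install -y libnl-devel libtalloc libtalloc-devel libnl3-devel wget libidn unbound
  yum install -y pam pam-devel libtalloc-devel xz libseccomp-devel liboath* zlib bison bison-devel
  yum install -y tcp_wrappers trousers-devel gmp-devel libn1-devel libtasn1-devel flex
  yum install -y tcp_wrappers-devel autogen autogen-libopts-devel tar gcc pcre-devel openssl openssl-devel curl-devel
  yum install -y freeradius-client-devel freeradius-client lz4-devel lz4 http-parser-devel http-parser
  yum install -y protobuf-c-devel protobuf-c pcllib-devel pcllib cyrus-sasl-gssapi dbus-devel policycoreutils gperf

  # Download the release. ftp:// provides no transport authentication and the
  # script pins no digest, so anyone on the path could substitute the source
  # that is about to be compiled and installed as root. Export OCSERV_SHA256
  # with the published digest to have the download verified; without it a
  # warning is printed and the build proceeds as before. Retries are bounded
  # (the old -t 0 retried forever).
  local tarball="ocserv-${version}.tar.xz"
  if ! wget -t 5 -T 60 "ftp://ftp.infradead.org/pub/ocserv/${tarball}"; then
    printf "\e[31mError: failed to download %s.\e[0m\n" "${tarball}"
    exit 1
  fi
  #wget -t 5 -T 60 "https://github.com/mtmiller/ocserv/archive/ocserv_${version}.tar.gz" -O "ocserv-${version}.tar.gz"
  if [[ -n "${OCSERV_SHA256:-}" ]]; then
    if ! printf '%s  %s\n' "${OCSERV_SHA256}" "${tarball}" | sha256sum -c -; then
      printf "\e[31mError: SHA-256 mismatch for %s; refusing to build.\e[0m\n" "${tarball}"
      exit 1
    fi
  else
    printf "\e[33mWARNING: OCSERV_SHA256 not set; %s was downloaded without integrity verification.\e[0m\n" "${tarball}"
  fi
  tar axf "${tarball}" || { printf "\e[31mError: cannot unpack %s.\e[0m\n" "${tarball}"; exit 1; }
  cd "ocserv-${version}" || { printf "\e[31mError: source directory ocserv-%s missing.\e[0m\n" "${version}"; exit 1; }
  # Raise the per-config route/no-route entry limit to the 200 the README promises.
  sed -i 's/#define DEFAULT_CONFIG_ENTRIES.*/#define DEFAULT_CONFIG_ENTRIES 200/g' src/vpn.h
  if ! { ./configure && make && make install; }; then
    printf "\e[31mError: building ocserv %s failed; fix the cause and rerun CompileOcserv.\e[0m\n" "${version}"
    exit 1
  fi

  # Sample configuration and systemd unit; ConfigOcserv edits both.
  mkdir -p "${confdir}"
  # cp "doc/profile.xml" "${confdir}/profile.xml"
  cp "doc/sample.config" "${confdir}/ocserv.conf"
  cp "doc/systemd/standalone/ocserv.service" "/usr/lib/systemd/system/ocserv.service"
  cd "${basepath}" || exit 1
}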
194 |
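# Build and install newer libtasn1, nettle and gnutls into /usr, REPLACING the
# distribution copies (no package manager tracking, no security updates
# afterwards). Not called by default (see the commented call at the bottom);
# only use it when the system gnutls is too old to build ocserv.
function UpdateComponents {
  cd "${basepath}" || exit 1
  # Must be exported: a plain assignment is invisible to ./configure's
  # pkg-config child processes, which is what this variable is for.
  export PKG_CONFIG_PATH=/usr/local/lib64/pkgconfig:/usr/lib64/pkgconfig:/usr/local/lib/pkgconfig:/usr/lib/pkgconfig

  # libtasn1 — fetched over https (the same host the nettle download already
  # uses over https); retries are bounded instead of infinite.
  wget -t 5 -T 60 "https://ftp.gnu.org/gnu/libtasn1/libtasn1-${libtasn1_version}.tar.gz" || exit 1
  tar axf "libtasn1-${libtasn1_version}.tar.gz" || exit 1
  cd "libtasn1-${libtasn1_version}" || exit 1
  ./configure --prefix=/usr --libdir=/usr/lib64 --includedir=/usr/include || exit 1
  make && make install || exit 1
  cd .. || exit 1

  ##export LIBGNUTLS_CFLAGS="-I/usr/include/" LIBGNUTLS_LIBS="-L/usr/lib/ -lgnutls"

  # nettle
  wget -t 5 -T 60 "https://ftp.gnu.org/gnu/nettle/nettle-${nettle_version}.tar.gz" || exit 1
  tar -axf "nettle-${nettle_version}.tar.gz" || exit 1
  cd "nettle-${nettle_version}" || exit 1
  ./configure --prefix=/usr --enable-shared || exit 1
  make && make install || exit 1
  cd .. || exit 1

  # gnutls. NOTE: ftp:// is unauthenticated and nothing verifies the archive
  # (the GnuTLS project publishes signatures; check them by hand before
  # installing a TLS library system-wide from this source).
  wget -t 5 -T 60 "ftp://ftp.gnutls.org/gcrypt/gnutls/v3.3/gnutls-${gnutls_version}.tar.xz" || exit 1
  tar -xaf "gnutls-${gnutls_version}.tar.xz" || exit 1
  cd "gnutls-${gnutls_version}" || exit 1
  ./configure --prefix=/usr --enable-shared || exit 1
  make && make install || exit 1
  cd "${basepath}" || exit 1
}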
222 |
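# Create (or take over) the certificate material, create the VPN user, edit
# ocserv.conf and write the per-group route files under ${confdir}, then point
# the systemd unit at /usr/local/sbin/ocserv and ${confdir}/ocserv.conf.
# Reads the globals set by ConfigEnvironmentVariable.
function ConfigOcserv {
  # Refreshed here for PrintResult, which reads it as a global.
  ipv4=$(ip -4 -f inet addr | grep "inet " | grep -v "lo:" | grep -v "127.0.0.1" | grep -o -P "\d+\.\d+\.\d+\.\d+\/\d+" | grep -o -P "\d+\.\d+\.\d+\.\d+")

  # Without a supplied server cert/key pair, mint a private CA and a server
  # certificate (see http://www.infradead.org/ocserv/manual.html#heading5).
  if [[ ! -f "${servercert}" ]] || [[ ! -f "${serverkey}" ]]; then
    openssl genrsa -out ca-key.pem 4096
    cat << _EOF_ >ca.tmpl
cn = "Cisco CA"
state = "Shanghai"
country = CN
organization = "Cisco"
serial = 1
expiration_days = 1825
email = "youremail@gmail.com"
dns_name = ${cname}
ca
signing_key
encryption_key
cert_signing_key
crl_signing_key
_EOF_

    certtool --generate-self-signed --hash SHA256 --load-privkey ca-key.pem --template ca.tmpl --outfile ca-cert.pem
    # openssl req -new -newkey rsa:4096 -sha256 -nodes -out server.csr -keyout server-key.pem
    openssl genrsa -out "${serverkey}" 4096
    # The CA key can issue client certificates this VPN will accept, and the
    # server key is the TLS identity: neither may be world-readable.
    chmod 600 ca-key.pem "${serverkey}"
    # NOTE(review): cname is normally an IP address, for which certtool's
    # ip_address field would be the matching SAN type — confirm against the
    # clients in use before changing dns_name below.
    cat << _EOF_ >server.tmpl
cn = ${cname}
o = "Cisco"
email = "youremail@gmail.com"
dns_name = ${cname}
country = CN
state = "Shanghai"
serial = 2
expiration_days = 1825
signing_key
encryption_key #only if the generated key is an RSA one
tls_www_server
_EOF_

    certtool --generate-certificate --hash SHA256 --load-privkey "${serverkey}" --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem --template server.tmpl --outfile server-self-signed-cert.pem
    # CSR kept for submitting to a public CA later.
    certtool --generate-request --hash SHA256 --load-privkey "${serverkey}" --template server.tmpl --outfile server-cert.csr
    # Publish the generated certificate under the name ocserv.conf references;
    # previously only server-self-signed-cert.pem / server.cert.pem were
    # installed while the config pointed at server-cert.pem.
    cp server-self-signed-cert.pem "${servercert}"

    # Template for client certificates, edited by usercert/make-client.sh
    # (line 1 cn, line 3 email, line 6 serial — keep that layout). The OU
    # ("Route") is mapped to the ocserv group via cert-group-oid below.
    cat << _EOF_ >user.tmpl
cn = "AnyClient"
unit = "Route"
email = "youremail@gmail.com"
dns_name = ${cname}
country = CN
serial = 3
expiration_days = 365
signing_key
tls_www_client
_EOF_
  fi

  # Install certificate material into ${confdir} under the names ocserv.conf
  # is edited to reference. Keys are made root-only; ca-key.pem is only there
  # for usercert/make-client.sh and is never read by ocserv itself.
  mkdir -p "${confdir}"
  local keyname
  keyname=$(basename "${serverkey}")
  cp "${servercert}" "${confdir}/server-cert.pem" || { printf "\e[31mError: cannot install %s.\e[0m\n" "${servercert}"; exit 1; }
  cp "${serverkey}" "${confdir}/${keyname}" || { printf "\e[31mError: cannot install %s.\e[0m\n" "${serverkey}"; exit 1; }
  chmod 600 "${confdir}/${keyname}"
  [[ -f server-cert.csr ]] && cp server-cert.csr "${confdir}/"
  if [[ -f server-self-signed-cert.pem ]]; then
    cp server-self-signed-cert.pem "${confdir}/"
    cp server-self-signed-cert.pem "${confdir}/server.cert.pem"
  fi
  [[ -f ca-cert.pem ]] && cp ca-cert.pem "${confdir}/"
  if [[ -f ca-key.pem ]]; then
    cp ca-key.pem "${confdir}/"
    chmod 600 "${confdir}/ca-key.pem"
  fi

  # Ship the client-certificate helper. Prefer the copy distributed next to
  # this script; fall back to downloading it only when it is missing, and then
  # with TLS certificate verification (the old --no-check-certificate made the
  # download trivially spoofable, and it would then run as root).
  mkdir -p "${confdir}/usercert"
  if [[ ! -f make-client.sh ]]; then
    wget -t 5 -T 60 https://raw.githubusercontent.com/monokoo/Ocserv-install-script-for-CentOS-RHEL-7/master/make-client.sh \
      || printf "\e[33mWARNING: make-client.sh not found locally and download failed; client certificates cannot be issued.\e[0m\n"
  fi
  if [[ -f make-client.sh ]]; then
    chmod +x make-client.sh
    cp make-client.sh "${confdir}/usercert/"
  fi
  [[ -f user.tmpl ]] && cp user.tmpl "${confdir}/usercert/"

  # Create the VPN user. The password is fed on stdin so it never appears in
  # the process list; the user is a member of all three groups.
  (echo "${password}"; sleep 1; echo "${password}") | ocpasswd -g "All,Route,NoRoute" -c "${confdir}/ocpasswd" "${username}"

  # Edit the sample configuration. The certificate paths are anchored on the
  # key name so they are rewritten regardless of the sample's default value.
  sed -i "s#./sample.passwd#${confdir}/ocpasswd#g" "${confdir}/ocserv.conf"
  sed -i 's/#enable-auth = "certificate"/enable-auth = "certificate"/g' "${confdir}/ocserv.conf"
  sed -i 's/try-mtu-discovery = false/try-mtu-discovery = true/g' "${confdir}/ocserv.conf"
  # Map certificate CN -> user name and OU -> group for certificate auth.
  sed -i 's/cert-user-oid = 0.9.2342.19200300.100.1.1/cert-user-oid = 2.5.4.3/g' "${confdir}/ocserv.conf"
  sed -i 's/#cert-group-oid = 2.5.4.11/cert-group-oid = 2.5.4.11/g' "${confdir}/ocserv.conf"
  sed -i "s#^server-cert = .*#server-cert = ${confdir}/server-cert.pem#" "${confdir}/ocserv.conf"
  sed -i "s#^server-key = .*#server-key = ${confdir}/${keyname}#" "${confdir}/ocserv.conf"
  sed -i "s#^ca-cert = .*#ca-cert = ${confdir}/ca-cert.pem#" "${confdir}/ocserv.conf"
  sed -i "s/max-same-clients = 2/max-same-clients = ${maxsameclients}/g" "${confdir}/ocserv.conf"
  sed -i "s/max-clients = 16/max-clients = ${maxclients}/g" "${confdir}/ocserv.conf"
  sed -i 's/#compression = true/compression = true/g' "${confdir}/ocserv.conf"
  sed -i 's/#no-compress-limit = 256/no-compress-limit = 256/g' "${confdir}/ocserv.conf"
  sed -i 's/#ban-points-wrong-password = 10/ban-points-wrong-password = 10/g' "${confdir}/ocserv.conf"
  sed -i "s/tcp-port = 443/tcp-port = ${port}/g" "${confdir}/ocserv.conf"
  sed -i "s/udp-port = 443/udp-port = ${port}/g" "${confdir}/ocserv.conf"
  sed -i "s/#output-buffer = 10/output-buffer = 10000/g" "${confdir}/ocserv.conf"
  sed -i "s/mobile-dpd = 1800/mobile-dpd = 600/g" "${confdir}/ocserv.conf"
  sed -i "s/ipv4-network = 192.168.1.0/ipv4-network = 192.168.8.0/g" "${confdir}/ocserv.conf"
  sed -i "s/dns = 192.168.1.2/dns = 208.67.220.220\ndns = 8.8.8.8/g" "${confdir}/ocserv.conf"
  # Worker isolation (seccomp) is switched off here, as in the original
  # script. That removes the sandbox around the per-client workers; re-enable
  # it if the build has libseccomp support and starts cleanly with it on.
  sed -i "s/isolate-workers = true/isolate-workers = false/g" "${confdir}/ocserv.conf"
  # Reconnection cookies stay valid for a day (mobile roaming); shorten if
  # session re-authentication matters more than convenience.
  sed -i "s/cookie-timeout = 300/cookie-timeout = 86400/g" "${confdir}/ocserv.conf"
  sed -i "s#default-domain = example.com#default-domain = ${cname}#g" "${confdir}/ocserv.conf"
  # Routes come from the per-group files below, not the main config.
  sed -i 's$route = 10.10.10.0/255.255.255.0$#route = 10.10.10.0/255.255.255.0$g' "${confdir}/ocserv.conf"
  sed -i 's$route = 192.168.0.0/255.255.0.0$#route = 192.168.0.0/255.255.0.0$g' "${confdir}/ocserv.conf"
  sed -i 's$no-route = 192.168.5.0/255.255.255.0$#no-route = 192.168.5.0/255.255.255.0$' "${confdir}/ocserv.conf"
  sed -i 's/#select-group = group1/select-group = All/g' "${confdir}/ocserv.conf"
  sed -i 's/#select-group = group2\[My special group\]/select-group = Route/g' "${confdir}/ocserv.conf"
  sed -i '/select-group = Route/a\select-group = NoRoute' "${confdir}/ocserv.conf"
  sed -i 's/#default-select-group = DEFAULT/default-select-group = All/g' "${confdir}/ocserv.conf"
  sed -i 's/#auto-select-group = true/auto-select-group = false/g' "${confdir}/ocserv.conf"
  sed -i "s|#config-per-group = /etc/ocserv/config-per-group/|config-per-group = ${confdir}/config-per-group|g" "${confdir}/ocserv.conf"
  sed -i "s|#default-group-config = /etc/ocserv/defaults/group.conf|default-group-config = ${confdir}/config-per-group/group.conf|" "${confdir}/ocserv.conf"

  # Per-group route files. They are written fresh (not appended) so that
  # rerunning the script does not accumulate duplicate entries and exceed the
  # 200-entry limit; add custom routes to the lists here, as the README says.
  mkdir -p "${confdir}/config-per-group"

  # "All": everything through the VPN.
  cat << _EOF_ >"${confdir}/config-per-group/All"
route = 0.0.0.0/128.0.0.0
route = 128.0.0.0/128.0.0.0
_EOF_

  cp "${confdir}/config-per-group/All" "${confdir}/config-per-group/group.conf"

  # "NoRoute": everything through the VPN except these prefixes.
  cat << _EOF_ >"${confdir}/config-per-group/NoRoute"
no-route = 1.0.0.0/255.192.0.0
no-route = 1.64.0.0/255.224.0.0
no-route = 1.112.0.0/255.248.0.0
no-route = 1.176.0.0/255.240.0.0
no-route = 1.192.0.0/255.240.0.0
no-route = 14.0.0.0/255.224.0.0
no-route = 14.96.0.0/255.224.0.0
no-route = 14.128.0.0/255.224.0.0
no-route = 14.192.0.0/255.224.0.0
no-route = 27.0.0.0/255.192.0.0
no-route = 27.96.0.0/255.224.0.0
no-route = 27.128.0.0/255.224.0.0
no-route = 27.176.0.0/255.240.0.0
no-route = 27.192.0.0/255.224.0.0
no-route = 27.224.0.0/255.252.0.0
no-route = 36.0.0.0/255.192.0.0
no-route = 36.96.0.0/255.224.0.0
no-route = 36.128.0.0/255.192.0.0
no-route = 36.192.0.0/255.224.0.0
no-route = 36.240.0.0/255.240.0.0
no-route = 39.0.0.0/255.255.0.0
no-route = 39.64.0.0/255.224.0.0
no-route = 39.96.0.0/255.240.0.0
no-route = 39.128.0.0/255.192.0.0
no-route = 40.72.0.0/255.254.0.0
no-route = 40.125.128.0/255.255.128.0
no-route = 40.126.64.0/255.255.192.0
no-route = 42.0.0.0/255.248.0.0
no-route = 42.48.0.0/255.240.0.0
no-route = 42.80.0.0/255.240.0.0
no-route = 42.96.0.0/255.224.0.0
no-route = 42.128.0.0/255.128.0.0
no-route = 43.224.0.0/255.224.0.0
no-route = 45.112.0.0/255.240.0.0
no-route = 47.92.0.0/255.252.0.0
no-route = 47.96.0.0/255.224.0.0
no-route = 49.0.0.0/255.248.0.0
no-route = 49.48.0.0/255.248.0.0
no-route = 49.64.0.0/255.224.0.0
no-route = 49.112.0.0/255.240.0.0
no-route = 49.128.0.0/255.224.0.0
no-route = 49.208.0.0/255.240.0.0
no-route = 49.224.0.0/255.224.0.0
no-route = 52.80.0.0/255.252.0.0
no-route = 54.222.0.0/255.254.0.0
no-route = 58.0.0.0/255.128.0.0
no-route = 58.128.0.0/255.224.0.0
no-route = 58.192.0.0/255.224.0.0
no-route = 58.240.0.0/255.240.0.0
no-route = 59.32.0.0/255.224.0.0
no-route = 59.64.0.0/255.224.0.0
no-route = 59.96.0.0/255.240.0.0
no-route = 59.144.0.0/255.240.0.0
no-route = 59.160.0.0/255.224.0.0
no-route = 59.192.0.0/255.192.0.0
no-route = 60.0.0.0/255.224.0.0
no-route = 60.48.0.0/255.240.0.0
no-route = 60.160.0.0/255.224.0.0
no-route = 60.192.0.0/255.192.0.0
no-route = 61.0.0.0/255.192.0.0
no-route = 61.80.0.0/255.248.0.0
no-route = 61.128.0.0/255.192.0.0
no-route = 61.224.0.0/255.224.0.0
no-route = 91.234.36.0/255.255.255.0
no-route = 101.0.0.0/255.128.0.0
no-route = 101.128.0.0/255.224.0.0
no-route = 101.192.0.0/255.240.0.0
no-route = 101.224.0.0/255.224.0.0
no-route = 103.0.0.0/255.192.0.0
no-route = 103.192.0.0/255.240.0.0
no-route = 103.224.0.0/255.224.0.0
no-route = 106.0.0.0/255.128.0.0
no-route = 106.224.0.0/255.240.0.0
no-route = 110.0.0.0/255.128.0.0
no-route = 110.144.0.0/255.240.0.0
no-route = 110.160.0.0/255.224.0.0
no-route = 110.192.0.0/255.192.0.0
no-route = 111.0.0.0/255.192.0.0
no-route = 111.64.0.0/255.224.0.0
no-route = 111.112.0.0/255.240.0.0
no-route = 111.128.0.0/255.192.0.0
no-route = 111.192.0.0/255.224.0.0
no-route = 111.224.0.0/255.240.0.0
no-route = 112.0.0.0/255.128.0.0
no-route = 112.128.0.0/255.240.0.0
no-route = 112.192.0.0/255.252.0.0
no-route = 112.224.0.0/255.224.0.0
no-route = 113.0.0.0/255.128.0.0
no-route = 113.128.0.0/255.240.0.0
no-route = 113.192.0.0/255.192.0.0
no-route = 114.16.0.0/255.240.0.0
no-route = 114.48.0.0/255.240.0.0
no-route = 114.64.0.0/255.192.0.0
no-route = 114.128.0.0/255.240.0.0
no-route = 114.192.0.0/255.192.0.0
no-route = 115.0.0.0/255.0.0.0
no-route = 116.0.0.0/255.0.0.0
no-route = 117.0.0.0/255.128.0.0
no-route = 117.128.0.0/255.192.0.0
no-route = 118.16.0.0/255.240.0.0
no-route = 118.64.0.0/255.192.0.0
no-route = 118.128.0.0/255.128.0.0
no-route = 119.0.0.0/255.128.0.0
no-route = 119.128.0.0/255.192.0.0
no-route = 119.224.0.0/255.224.0.0
no-route = 120.0.0.0/255.192.0.0
no-route = 120.64.0.0/255.224.0.0
no-route = 120.128.0.0/255.240.0.0
no-route = 120.192.0.0/255.192.0.0
no-route = 121.0.0.0/255.128.0.0
no-route = 121.192.0.0/255.192.0.0
no-route = 122.0.0.0/254.0.0.0
no-route = 124.0.0.0/255.0.0.0
no-route = 125.0.0.0/255.128.0.0
no-route = 125.160.0.0/255.224.0.0
no-route = 125.192.0.0/255.192.0.0
no-route = 137.59.88.0/255.255.252.0
no-route = 139.0.0.0/255.224.0.0
no-route = 139.128.0.0/255.128.0.0
no-route = 140.64.0.0/255.240.0.0
no-route = 140.128.0.0/255.240.0.0
no-route = 140.192.0.0/255.192.0.0
no-route = 144.0.0.0/255.255.0.0
no-route = 144.7.0.0/255.255.0.0
no-route = 144.12.0.0/255.255.0.0
no-route = 144.52.0.0/255.255.0.0
no-route = 144.123.0.0/255.255.0.0
no-route = 144.255.0.0/255.255.0.0
no-route = 150.0.0.0/255.255.0.0
no-route = 150.96.0.0/255.224.0.0
no-route = 150.128.0.0/255.240.0.0
no-route = 150.192.0.0/255.192.0.0
no-route = 152.104.128.0/255.255.128.0
no-route = 153.0.0.0/255.192.0.0
no-route = 153.96.0.0/255.224.0.0
no-route = 157.0.0.0/255.255.0.0
no-route = 157.18.0.0/255.255.0.0
no-route = 157.61.0.0/255.255.0.0
no-route = 157.122.0.0/255.255.0.0
no-route = 157.148.0.0/255.255.0.0
no-route = 157.156.0.0/255.255.0.0
no-route = 157.255.0.0/255.255.0.0
no-route = 159.226.0.0/255.255.0.0
no-route = 161.207.0.0/255.255.0.0
no-route = 162.105.0.0/255.255.0.0
no-route = 163.0.0.0/255.192.0.0
no-route = 163.96.0.0/255.224.0.0
no-route = 163.128.0.0/255.192.0.0
no-route = 163.192.0.0/255.224.0.0
no-route = 166.111.0.0/255.255.0.0
no-route = 167.139.0.0/255.255.0.0
no-route = 167.189.0.0/255.255.0.0
no-route = 167.220.244.0/255.255.252.0
no-route = 168.160.0.0/255.255.0.0
no-route = 171.0.0.0/255.128.0.0
no-route = 171.192.0.0/255.224.0.0
no-route = 175.0.0.0/255.128.0.0
no-route = 175.128.0.0/255.192.0.0
no-route = 180.64.0.0/255.192.0.0
no-route = 180.128.0.0/255.128.0.0
no-route = 182.0.0.0/255.0.0.0
no-route = 183.0.0.0/255.192.0.0
no-route = 183.64.0.0/255.224.0.0
no-route = 183.128.0.0/255.128.0.0
no-route = 192.124.154.0/255.255.255.0
no-route = 192.188.170.0/255.255.255.0
no-route = 202.0.0.0/255.128.0.0
no-route = 202.128.0.0/255.192.0.0
no-route = 202.192.0.0/255.224.0.0
no-route = 203.0.0.0/255.128.0.0
no-route = 203.128.0.0/255.192.0.0
no-route = 203.192.0.0/255.224.0.0
no-route = 210.0.0.0/255.192.0.0
no-route = 210.64.0.0/255.224.0.0
no-route = 210.160.0.0/255.224.0.0
no-route = 210.192.0.0/255.224.0.0
no-route = 211.64.0.0/255.248.0.0
no-route = 211.80.0.0/255.240.0.0
no-route = 211.96.0.0/255.248.0.0
no-route = 211.136.0.0/255.248.0.0
no-route = 211.144.0.0/255.240.0.0
no-route = 211.160.0.0/255.248.0.0
no-route = 218.0.0.0/255.128.0.0
no-route = 218.160.0.0/255.224.0.0
no-route = 218.192.0.0/255.192.0.0
no-route = 219.64.0.0/255.224.0.0
no-route = 219.128.0.0/255.224.0.0
no-route = 219.192.0.0/255.192.0.0
no-route = 220.96.0.0/255.224.0.0
no-route = 220.128.0.0/255.128.0.0
no-route = 221.0.0.0/255.224.0.0
no-route = 221.96.0.0/255.224.0.0
no-route = 221.128.0.0/255.128.0.0
no-route = 222.0.0.0/255.0.0.0
no-route = 223.0.0.0/255.224.0.0
no-route = 223.64.0.0/255.192.0.0
no-route = 223.128.0.0/255.128.0.0
_EOF_

  # "Route": only these prefixes go through the VPN.
  cat << _EOF_ >"${confdir}/config-per-group/Route"
route = 8.0.0.0/252.0.0.0
route = 16.0.0.0/248.0.0.0
route = 23.0.0.0/255.0.0.0
route = 31.13.64.0/255.255.192.0
route = 50.0.0.0/255.0.0.0
route = 54.0.0.0/255.128.0.0
route = 54.128.0.0/255.192.0.0
route = 66.220.144.0/255.255.240.0
route = 69.0.0.0/255.0.0.0
route = 72.0.0.0/255.0.0.0
route = 73.0.0.0/255.0.0.0
route = 74.0.0.0/255.0.0.0
route = 78.0.0.0/255.0.0.0
route = 92.0.0.0/255.0.0.0
route = 93.0.0.0/255.0.0.0
route = 96.0.0.0/255.0.0.0
route = 97.0.0.0/255.0.0.0
route = 104.0.0.0/248.0.0.0
route = 109.0.0.0/255.0.0.0
route = 128.0.0.0/255.0.0.0
route = 141.0.0.0/255.0.0.0
route = 173.0.0.0/255.0.0.0
route = 174.0.0.0/255.0.0.0
route = 176.0.0.0/255.0.0.0
route = 190.0.0.0/255.0.0.0
route = 192.0.0.0/255.0.0.0
route = 198.0.0.0/255.0.0.0
route = 199.0.0.0/255.0.0.0
route = 205.0.0.0/255.0.0.0
route = 206.0.0.0/255.0.0.0
route = 208.0.0.0/255.0.0.0
route = 210.128.0.0/255.192.0.0
route = 216.0.0.0/255.0.0.0
route = 220.128.0.0/255.128.0.0
_EOF_

  # Point the systemd unit at the /usr/local binary and our config.
  sed -i "s#/usr/sbin/ocserv#/usr/local/sbin/ocserv#g" "/usr/lib/systemd/system/ocserv.service"
  sed -i "s#/etc/ocserv/ocserv.conf#${confdir}/ocserv.conf#g" "/usr/lib/systemd/system/ocserv.service"
}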
585 |
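# Insert the ocserv INPUT/FORWARD rules into /etc/sysconfig/iptables ahead of
# the stock "icmp-host-prohibited" REJECT lines (the iptables-services
# default ruleset). Idempotent: a rule already present is not inserted twice.
# Reads the globals port (validated by the caller) and the VPN client range.
_ocserv_firewall_rules() {
  local rules=/etc/sysconfig/iptables
  local vpn_net=192.168.8.0/21
  if ! grep -q -- "--dport ${port} -j ACCEPT" "${rules}"; then
    sed -i '/INPUT -j REJECT --reject-with icmp-host-prohibited/i\-A INPUT -p tcp -m tcp --dport '"${port}"' -j ACCEPT' "${rules}"
    sed -i '/INPUT -j REJECT --reject-with icmp-host-prohibited/i\-A INPUT -p udp -m udp --dport '"${port}"' -j ACCEPT' "${rules}"
  fi
  if ! grep -q -- "-A FORWARD -s ${vpn_net} -j ACCEPT" "${rules}"; then
    sed -i '/FORWARD -j REJECT --reject-with icmp-host-prohibited/i\-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT' "${rules}"
    sed -i '/FORWARD -j REJECT --reject-with icmp-host-prohibited/i\-A FORWARD -s '"${vpn_net}"' -j ACCEPT' "${rules}"
    # MSS clamping for tunnelled TCP so PMTU black holes do not stall clients.
    sed -i '/FORWARD -j REJECT --reject-with icmp-host-prohibited/i\-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu' "${rules}"
  fi
}

# Open the ocserv port, allow forwarding for the VPN client range and NAT it
# out. Uses iptables-services; installs and enables it when iptables.service
# is not active.
function ConfigFirewall {
  # The port is spliced unquoted into sed scripts and iptables commands:
  # refuse anything that is not a plain number, whatever set it.
  if ! [[ "${port}" =~ ^[0-9]+$ ]]; then
    printf "\e[31mError: port '%s' is not numeric; refusing to write firewall rules.\e[0m\n" "${port}"
    exit 1
  fi
  local vpn_net=192.168.8.0/21

  if [[ $(systemctl is-active iptables.service) = 'active' ]]; then
    echo "Adding firewall ports."
  else
    printf "\e[33mWARNING!!! Either firewalld or iptables is NOT Running! \e[0m\n"
    if [[ $(systemctl is-active firewalld.service) = 'active' ]]; then
      printf "\e[33mfirewalld is active; enabling iptables.service alongside it can leave two rule managers fighting. Disable one of them.\e[0m\n"
    fi
    yum install iptables-services -y
    # Writes the default /etc/sysconfig/iptables the rules below are anchored on.
    service iptables restart
    systemctl enable iptables
  fi

  _ocserv_firewall_rules
  service iptables restart
  # NAT only traffic from VPN clients. The previous unconditional
  # "-j MASQUERADE" rewrote every forwarded packet, not just the tunnel's.
  # Check first so repeated runs do not stack duplicate rules.
  iptables -t nat -C POSTROUTING -s "${vpn_net}" -j MASQUERADE 2>/dev/null \
    || iptables -t nat -A POSTROUTING -s "${vpn_net}" -j MASQUERADE
  # iptables -P INPUT DROP
  # iptables -t mangle -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
  service iptables save
}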
620 |
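# Host-level changes: SELinux off, IPv4 forwarding on, ocserv enabled and started.
function ConfigSystem {
  # SELinux is disabled outright (documented in the README). This removes a
  # whole layer of confinement from the host, not just from ocserv; the reason
  # is that ocserv is installed under /usr/local and /opt, which the stock
  # policy does not cover. A policy module plus SELINUX=permissive would be
  # the safer route if you can maintain one.
  sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config
  setenforce 0
  echo "Enable IP forward."
  sysctl -w net.ipv4.ip_forward=1
  # Persist, without appending another copy on every run.
  grep -q '^net.ipv4.ip_forward *= *1' /etc/sysctl.conf \
    || echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
  # Pick up the edited unit file before enabling it.
  systemctl daemon-reload
  echo "Enable ocserv service to start during bootup."
  systemctl enable ocserv.service
  if ! systemctl start ocserv.service; then
    printf "\e[33mWARNING!!! ocserv failed to start; see 'journalctl -u ocserv' and 'ocserv -c %s/ocserv.conf --debug'.\e[0m\n" "${confdir}"
  fi
  echo
  source /etc/profile
}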
637 |
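# Heuristic post-install checks (firewall rules mention the port / VPN
# network; ocserv has tcp and udp sockets on the port), then print the
# connection details. Reads the globals port, ipv4, ipv6, username, password.
function PrintResult {
  clear
  printf "\e[36mChecking Firewall status...\e[0m\n"
  iptables -L -n | grep --color=auto -E "(${port}|192.168.8.0)"
  local rulecount
  rulecount=$(iptables -L -n | grep -c -E "(${port}|192.168.8.0)")
  # At least the tcp and udp INPUT rules from ConfigFirewall are expected.
  if [[ ${rulecount} -ge 2 ]]; then
    printf "\e[34mFirewall is Fine! \e[0m\n"
  else
    printf "\e[33mWARNING!!! Firewall is Something Wrong! \e[0m\n"
  fi

  echo
  printf "\e[36mChecking ocserv service status...\e[0m\n"
  netstat -anp | grep ":${port}" | grep --color=auto -E "(${port}|ocserv|tcp|udp)"
  local linetcp lineudp
  linetcp=$(netstat -anp | grep ":${port}" | grep ocserv | grep -c tcp)
  lineudp=$(netstat -anp | grep ":${port}" | grep ocserv | grep -c udp)
  if [[ ${linetcp} -ge 1 && ${lineudp} -ge 1 ]]; then
    printf "\e[34mocserv service is Fine! \e[0m\n"
  else
    printf "\e[33mWARNING!!! ocserv service is NOT Running! \e[0m\n"
  fi
  #rm -rf nettle*
  #rm -rf gnutls*
  #rm -rf libtasn1*
  # Connection details. The password is shown in clear text on purpose so the
  # operator can hand it over; clear the terminal/scrollback afterwards.
  printf "
if there are \e[33mNO WARNING\e[0m above, then you can connect to
your ocserv VPN Server with the default user/password below:
======================================\n"
  echo -e "IPv4:\t\t\e[34m$(echo ${ipv4})\e[0m"
  echo -e "IPv6:\t\t\e[34m$(echo ${ipv6})\e[0m"
  echo -e "Port:\t\t\e[34m${port}\e[0m"
  echo -e "Username:\t\e[34m${username}\e[0m"
  echo -e "Password:\t\e[34m${password}\e[0m"
}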
676 |
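# Entry point. ConfigEnvironmentVariable must run first: it sets the globals
# every later step reads. The script arguments are forwarded so the
# documented overrides ($1 ocserv version, $2 server cert, $3 server key)
# actually take effect — previously the function was called without them and
# silently used its defaults. If a step fails, comment out the completed ones
# and rerun (see README).
ConfigEnvironmentVariable "$@"
PrintEnvironmentVariable
CompileOcserv "$@"
ConfigOcserv
#UpdateComponents
ConfigFirewall
ConfigSystem
PrintResult
exit 0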
686 |
--------------------------------------------------------------------------------