├── ocserv
├── radius
├── change_ prompt.txt
├── clearsession.sh
├── monthlytrafficcounter.conf
├── clear_online_user.sh
├── sqlcounter
├── change_ocserv_to_passwd_auth.sh
├── change_ocserv_to_radius_auth.sh
├── readme.md
├── ocserv_install.sh
├── radius_install.sh
└── daloradius1.3_install.sh
├── ocserv_radius_quickinstall.sh
├── ocserv_quick.sh
├── ssl
├── Symantec.txt
├── letsencrypt.sh
├── 常见错误解决.md
└── server_ssl_install.txt
├── profile
├── profile.new.xml
└── profile.bak.xml
├── connect-script
├── for_zhongzhuan
├── chnroutes
│ └── master
│ │ ├── custom.conf
│ │ └── chnroutes.py
├── checkstat.sh
├── transite_ON_udp2raw.sh
├── mutiUDP2raw.sh
├── checkpsw.sh
└── udp2raw
├── manual_install
├── profile.xml
└── ocserv1.1.6_install.sh
├── route.txt
├── certificate.txt
├── gen-client-cert.sh
├── check_sys.sh
├── client_download.txt
├── user_del.sh
├── paypal
└── readme.txt
├── user_add.sh
├── README.md
├── install_script.sh
├── no-route.txt
├── radius_for_ocserv.sh
└── ocserv.conf
/ocserv:
--------------------------------------------------------------------------------
1 | /var/log/ocserv.log {
2 | missingok
3 | daily
4 | copytruncate
5 | rotate 7
6 | notifempty
7 | }
8 |
--------------------------------------------------------------------------------
/radius/change_ prompt.txt:
--------------------------------------------------------------------------------
1 | 修改radius的返回提示属性
2 | 1、修改错误密码提示
3 | vi /etc/raddb/radiusd.conf
4 | You are already logged in - access denied
5 | 367行
6 |
--------------------------------------------------------------------------------
/radius/clearsession.sh:
--------------------------------------------------------------------------------
# The MySQL password is given as a command-line argument (-p...), so it is
# visible in "ps" output to every local user and in cron's syslog entries,
# which record the full command.  Prefer a root-only credentials file
# (a [client] section in ~/.my.cnf, or --defaults-extra-file=/path) and
# drop the -p argument from this line.
59 23 * * * /usr/bin/mysql -uradius -pp0radius_0p -e "DELETE FROM radius.radacct WHERE AcctStopTime='0000-00-00 00:00:00' OR AcctStopTime IS NULL;"
2 |
--------------------------------------------------------------------------------
/radius/monthlytrafficcounter.conf:
--------------------------------------------------------------------------------
1 | query = "SELECT SUM(acctinputoctets + acctoutputoctets) DIV 1048576 FROM radacct WHERE UserName='%{${key}}' AND UNIX_TIMESTAMP(AcctStartTime) > '%%b'"
2 |
--------------------------------------------------------------------------------
/ocserv_radius_quickinstall.sh:
--------------------------------------------------------------------------------
# Paste-into-a-root-shell snippet, not a file to execute: "sudo -i" starts
# an interactive root shell and the pasted lines after it are read by that
# shell.  Run as "bash file", the remaining lines would only execute after
# the root shell exits.
sudo -i
yum install wget -y
# NOTE(review): the installer is fetched from the master branch and run as
# root without any checksum or signature check; read the downloaded
# radius_for_ocserv.sh before executing it.
wget https://raw.githubusercontent.com/chendong12/ocserv/master/radius_for_ocserv.sh
chmod +x radius_for_ocserv.sh
./radius_for_ocserv.sh
#
7 |
--------------------------------------------------------------------------------
/radius/clear_online_user.sh:
--------------------------------------------------------------------------------
1 | Use crond to clear online users every night
2 | crontab -e
3 | add
4 | 59 23 * * * /usr/bin/mysql -uradius -pp0radius_0p -e "DELETE FROM radius.radacct WHERE AcctStopTime='0000-00-00 00:00:00' OR AcctStopTime IS NULL;"
5 | exit
6 | service crond restart
7 |
--------------------------------------------------------------------------------
/ocserv_quick.sh:
--------------------------------------------------------------------------------
# Paste-into-a-root-shell snippet (see the note on "sudo -i" below).
#Copy all the code below, paste it into your server to install, your server must be Centos7
# "sudo -i" opens an interactive root shell; when pasted, the following lines
# are consumed by that shell.  Run as "bash file" they would only execute
# after the root shell exits.
sudo -i
yum install wget -y
# NOTE(review): install_script.sh is fetched from the master branch and run
# as root with no checksum or signature check; inspect the downloaded file
# before executing it.
wget https://raw.githubusercontent.com/chendong12/ocserv/master/install_script.sh
chmod +x install_script.sh
./install_script.sh
#
9 |
--------------------------------------------------------------------------------
/ssl/Symantec.txt:
--------------------------------------------------------------------------------
1 | 本说明讲述,如何使用Symantec的证书
2 | 通过阿里云可以免费申请1年的Symantec SSL 证书
3 | 申请成功后,下载证书文件,下载类型时选择 其他,会得到两个文件,其中yourdomain 是你的域名
4 | 2204333_yourdomain.key
5 | 2204333_yourdomain.pem
6 | 将两个文件拷贝到/etc/ocserv 下面
7 | 修改ocserv.conf 文件
8 | server-cert = /etc/ocserv/2204333_yourdomain.pem
9 | server-key = /etc/ocserv/2204333_yourdomain.key
10 | 重启ocserv 就可以了
11 |
--------------------------------------------------------------------------------
/profile/profile.new.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | jack
6 | vpnc.ml:4433
7 | vpnc.ml:4433
8 |
9 |
10 |
11 |
--------------------------------------------------------------------------------
/radius/sqlcounter:
--------------------------------------------------------------------------------
1 | sqlcounter monthlytrafficcounter {
2 | sql_module_instance = sql
3 | dialect = "mysql"
4 | counter_name = Monthly-Traffic
5 | check_name = Max-Monthly-Traffic
6 | reply_name = Monthly-Traffic-Limit
7 | key = User-Name
8 | reset = monthly
9 | $INCLUDE ${modconfdir}/sql/counter/${dialect}/${.:instance}.conf
10 | }
11 |
--------------------------------------------------------------------------------
/connect-script:
--------------------------------------------------------------------------------
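#!/bin/bash
# ocserv connect-script hook: appends one line per connect/disconnect event
# to $LOGFILE.  ocserv passes the session details in the environment
# (REASON, USERNAME, DEVICE, IP_LOCAL, IP_REMOTE, IP_REAL); argv is unused.
#
# NOTE(review): the log is written to a ".conf" path; looks like it was meant
# to be /var/log/ocserv.log (the logrotate stanza in this repo rotates that
# file) -- confirm before changing.
export LOGFILE=/var/log/ocserv.conf

# Append "<date> <fields...>" to the log.  Every field is quoted so an empty
# or space-containing value cannot shift the column layout, and printf is
# used instead of echo so a value starting with "-" is not taken as an option.
log_line() {
  printf '%s\n' "$(date) $*" >> "$LOGFILE"
}

#echo $USERNAME : $REASON : $DEVICE
case "$REASON" in
  connect)
    log_line "$USERNAME" "connected"
    log_line "$REASON" "$USERNAME" "$DEVICE" "$IP_LOCAL" "$IP_REMOTE" "$IP_REAL"
    ;;
  disconnect)
    log_line "$USERNAME" "disconnected"
    ;;
esac
# Unconditional exit 0, as in the original: a logging problem should not
# make the hook itself fail.
exit 0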
16 |
--------------------------------------------------------------------------------
/for_zhongzhuan/chnroutes/master/custom.conf:
--------------------------------------------------------------------------------
1 | #阻断网站访问,例如想阻断youtube 去掉下面一条的注释,并重启dnsmasq
2 | #address=/.youtube.com/127.0.0.1
3 |
4 | #以下是特殊需要加速的网站
5 | address=/github.global.ssl.fastly.net/151.101.13.194
6 | server=/.github.com/8.8.8.8
7 | server=/.github.io/8.8.8.8
8 | server=/.raw.githubusercontent.com/8.8.8.8
9 | server=/.apnic.net/8.8.8.8
10 | #for special site
11 | server=/.apple.com/114.114.114.114
12 | server=/.microsoft.com/114.114.114.114
13 |
--------------------------------------------------------------------------------
/for_zhongzhuan/checkstat.sh:
--------------------------------------------------------------------------------
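#!/bin/sh
# Watchdog for udp2raw: when no udp2raw process is running, start it through
# the init script and record the event in /var/log/udp2raw.log.  Meant to be
# run periodically; on a healthy host it only prints a status line to stdout.

LOG_FILE=/var/log/udp2raw.log

# Count processes whose command line mentions udp2raw.  pgrep never reports
# itself, which removes the "grep -v grep" step the ps|grep pipeline needed.
# Like the original, this matches any command line containing "udp2raw"
# (an editor opened on the config, for example), not only the daemon binary.
#nap_count="`netstat -ano|grep 3333|grep -v 'grep'|wc -l`"
nap_count=$(pgrep -f udp2raw | wc -l)

# ${nap_count:-0}: an empty count would otherwise make "[" fail with a
# syntax error instead of taking the "start it" branch.
if [ "${nap_count:-0}" -gt 0 ]; then
  #echo $nap_count
  echo "udp2raw is up and running...! $(date)"
else
  /etc/init.d/udp2raw start >>"$LOG_FILE"
  echo "udp2raw stopped,plz Start Nap! $(date)" >>"$LOG_FILE"
fi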
14 |
--------------------------------------------------------------------------------
/for_zhongzhuan/transite_ON_udp2raw.sh:
--------------------------------------------------------------------------------
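#!/bin/sh
# Restart the OpenVPN server and the udp2raw server-side wrapper that exposes
# 127.0.0.1:1298 as fake-TCP on port 50000, then re-apply the port-50000 DROP
# rule and run the traffic-shaping script.
#
# Fix: the first line was "#/bin/sh" (missing "!"), i.e. a plain comment, so
# the file ran under whichever shell happened to invoke it.

systemctl restart openvpn@server

# Replaces the ps|grep|awk|xargs chain: pkill -f matches the same command
# lines and never matches itself.  -9 is kept from the original; a plain
# TERM would give udp2raw the chance to exit cleanly first.
pkill -9 -f '127.0.0.1:1298'

# The key after -k is visible to every local user in the process list; the
# init script in this directory (for_zhongzhuan/udp2raw) reads it from a
# --conf-file instead, which is the better place for it.  Replace your_passwd.
# "xor"/"simple" are udp2raw's obfuscation-grade cipher/auth modes; the
# OpenVPN layer inside the tunnel is what provides confidentiality here.
/root/udp2raw/udp2raw_amd64 -s -l0.0.0.0:50000 -r 127.0.0.1:1298 --raw-mode faketcp -k your_passwd --fix-gro --cipher-mode xor --auth-mode simple &
sleep 3
# Delete-then-insert so repeated runs do not stack duplicate rules; the -D
# error on a first run is expected and hidden.  The rule presumably keeps
# the kernel's own TCP stack from answering the fake-TCP packets that
# udp2raw handles -- confirm against the udp2raw documentation.
iptables -D INPUT -p tcp -m tcp --dport 50000 -j DROP 2>/dev/null
iptables -I INPUT -p tcp -m tcp --dport 50000 -j DROP
/root/tc6M_tun100.sh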
9 |
--------------------------------------------------------------------------------
/manual_install/profile.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | hostname
6 | hostname.com:4433
7 |
8 |
9 |
10 |
--------------------------------------------------------------------------------
/route.txt:
--------------------------------------------------------------------------------
1 | route = 8.0.0.0/8
2 | route = 162.0.0.0/8
3 | route = 149.154.160.0/20
4 | route = 91.108.56.0/22
5 | route = 18.194.0.0/15
6 | route = 54.80.0.0/14
7 | route = 35.156.0.0/14
8 | route = 34.224.0.0/12
9 | route = 52.58.0.0/15
10 | route = 3.208.0.0/12
11 | route = 169.60.64.0/18
12 | route = 54.156.0.0/14
13 | route = 64.223.160.0/19
14 | route = 172.217.0.0/16
15 | route = 216.58.192.0/19
16 | route = 125.209.208.0/20
17 | route = 52.81.0.0/16
18 | route = 27.0.236.0/22
19 | route = 211.231.64.0/18
20 | route = 113.29.128.0/17
21 |
--------------------------------------------------------------------------------
/certificate.txt:
--------------------------------------------------------------------------------
1 | #新增证书用户之前的服务器配置
2 | yum install httpd -y
3 | service httpd start
4 | iptables -I INPUT -p tcp --dport 80 -j ACCEPT
5 | echo 'iptables -A INPUT -p tcp --dport 80 -j ACCEPT' >> /etc/rc.local
6 | echo 'systemctl start httpd' >>/etc/rc.local
7 |
8 | #新增证书用户
9 | cd /root/anyconnect
10 | mkdir zhangsan
11 | cd zhangsan
12 | ../gen-client-cert.sh zhangsan /root/anyconnect
13 | cp zhangsan.p12 /var/www/html/
14 |
15 | #获取证书地址,下面的35.229.201.111要修改为你实际服务器的IP地址
16 | http://35.229.201.111/zhangsan.p12
17 |
18 |
19 | #新增密码登陆用户,其中zhangsan是用户名
20 | ocpasswd -c /etc/ocserv/ocpasswd zhangsan
21 |
--------------------------------------------------------------------------------
/radius/change_ocserv_to_passwd_auth.sh:
--------------------------------------------------------------------------------
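#!/bin/bash
# Switch ocserv from RADIUS authentication/accounting back to the local
# password file (/etc/ocserv/ocpasswd) and restart the service.
#
# Changes from the original one-liners:
#  - patterns are anchored at line start, so running the script twice no
#    longer turns "#auth = ..." into "##auth = ..." (the unanchored
#    substitution matched the already-commented line again);
#  - single-quoted sed programs with "@" as delimiter replace the
#    backslash-escaped "/" and '"' of the originals;
#  - the outcome is checked: the patterns name the radiusclient-ng paths, so
#    a config written for radcli (see radius/readme.md) is left unchanged and
#    the restart would otherwise proceed silently.
set -eu

readonly CONF=/etc/ocserv/ocserv.conf

sed -i \
  -e 's@^auth = "radius\[config=/etc/radiusclient-ng/radiusclient\.conf,groupconfig=true\]"@#&@' \
  -e 's@^acct = "radius\[config=/etc/radiusclient-ng/radiusclient\.conf\]"@#&@' \
  -e 's@^#auth = "plain\[passwd=/etc/ocserv/ocpasswd\]"@auth = "plain[passwd=/etc/ocserv/ocpasswd]"@' \
  "$CONF"

if ! grep -q '^auth = "plain\[passwd=/etc/ocserv/ocpasswd\]"' "$CONF"; then
  printf 'warning: %s has no active plain[passwd=...] auth line; check it before relying on the restart\n' "$CONF" >&2
fi

systemctl restart ocserv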
6 |
--------------------------------------------------------------------------------
/radius/change_ocserv_to_radius_auth.sh:
--------------------------------------------------------------------------------
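#!/bin/bash
# Switch ocserv from the local password file to RADIUS authentication and
# accounting, then restart the service.
#
# Changes from the original one-liners:
#  - patterns are anchored at line start, so a second run does not add a
#    further "#" in front of the already-commented plain-auth line;
#  - single-quoted sed programs with "@" as delimiter replace the
#    backslash-escaped "/" and '"' of the originals;
#  - the outcome is checked: the patterns name the radiusclient-ng paths, so
#    a config written for radcli (see radius/readme.md) is left unchanged and
#    the restart would otherwise proceed silently.
set -eu

readonly CONF=/etc/ocserv/ocserv.conf

sed -i \
  -e 's@^#auth = "radius\[config=/etc/radiusclient-ng/radiusclient\.conf,groupconfig=true\]"@auth = "radius[config=/etc/radiusclient-ng/radiusclient.conf,groupconfig=true]"@' \
  -e 's@^#acct = "radius\[config=/etc/radiusclient-ng/radiusclient\.conf\]"@acct = "radius[config=/etc/radiusclient-ng/radiusclient.conf]"@' \
  -e 's@^auth = "plain\[passwd=/etc/ocserv/ocpasswd\]"@#&@' \
  "$CONF"

if ! grep -q '^auth = "radius\[' "$CONF"; then
  printf 'warning: %s has no active radius[...] auth line; check it before relying on the restart\n' "$CONF" >&2
fi

systemctl restart ocserv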
6 |
--------------------------------------------------------------------------------
/gen-client-cert.sh:
--------------------------------------------------------------------------------
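#!/bin/bash
# Generate a client certificate for one VPN user and bundle it as PKCS#12.
#
# Arguments:
#   $1 - user name; becomes the certificate CN and the file-name prefix
#   $2 - directory holding the CA files ca-cert.pem and ca-key.pem
# Outputs (in the current directory):
#   $1-key.pem, $1-cert.pem, $1.p12 and the certtool template user.tmpl.
#   openssl prompts for the PKCS#12 export password on the terminal
#   (user_add.sh answers those prompts through expect).
set -euo pipefail

if [[ $# -ne 2 ]]; then
  printf 'Usage: %s <username> <ca-dir>\n' "${0##*/}" >&2
  exit 2
fi

# The name is spliced into file names and into the template; reject values
# such as "../x" or ones containing quotes that would leave the directory or
# break the template syntax.
if [[ ! $1 =~ ^[A-Za-z0-9_][A-Za-z0-9._-]*$ ]]; then
  printf 'invalid user name: %s\n' "$1" >&2
  exit 2
fi

client_name=$1
ca_dir=$2
# Seconds since the epoch: unique enough per run to serve as the serial.
serial=$(date +%s)

certtool --generate-privkey --outfile "${client_name}-key.pem"

# certtool template.  expiration_days = 9999 (about 27 years) is kept from
# the original; a certificate this long-lived can only be retired through
# the CRL that user_del.sh regenerates, so a shorter value is worth considering.
cat <<_EOF_ >user.tmpl
cn = "$client_name"
unit = "users"
serial = "$serial"
expiration_days = 9999
signing_key
tls_www_client
_EOF_

certtool --generate-certificate \
  --load-privkey "${client_name}-key.pem" \
  --load-ca-certificate "${ca_dir}/ca-cert.pem" \
  --load-ca-privkey "${ca_dir}/ca-key.pem" \
  --template user.tmpl \
  --outfile "${client_name}-cert.pem"

openssl pkcs12 -export \
  -inkey "${client_name}-key.pem" \
  -in "${client_name}-cert.pem" \
  -name "$client_name VPN Client Cert" \
  -certfile "${ca_dir}/ca-cert.pem" \
  -out "${client_name}.p12"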
16 |
--------------------------------------------------------------------------------
/check_sys.sh:
--------------------------------------------------------------------------------
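#######################################
# Detect the distribution family.
# Globals:  release (written: "centos", "debian" or "ubuntu"; left untouched
#           when nothing matches), bit (written: output of uname -m)
# Returns:  0
#######################################
check_sys(){
  local f
  if [[ -f /etc/redhat-release ]]; then
    release="centos"
  else
    # Same probe order as the original elif chain: all three patterns
    # against /etc/issue first, then against /proc/version.  grep reads the
    # file directly (no cat); a missing file is not an error for this probe,
    # so grep's complaint about it is silenced.
    for f in /etc/issue /proc/version; do
      if grep -qiE "debian" "$f" 2>/dev/null; then
        release="debian"
        break
      elif grep -qiE "ubuntu" "$f" 2>/dev/null; then
        release="ubuntu"
        break
      elif grep -qiE "centos|red hat|redhat" "$f" 2>/dev/null; then
        release="centos"
        break
      fi
    done
  fi
  bit=$(uname -m)
}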
# Run the probe and report the detected family (an empty line if unknown).
check_sys
printf '%s\n' "$release"
21 |
--------------------------------------------------------------------------------
/client_download.txt:
--------------------------------------------------------------------------------
1 | #Anyconnect Client for windows system
2 | http://180.188.197.212/down/anyconnect/anyconnect-win-4.6.01098-core-vpn-predeploy-k9.msi
3 | #Anyconnect Client for osx
4 | http://180.188.197.212/down/anyconnect/anyconnect-macos-4.6.02074-predeploy-k9.dmg
5 | #Anyconnect Client for android
6 | http://180.188.197.212/down/anyconnect/anyconnect-v4.6.00143.apk
7 |
8 | 百度网盘客户端下载
9 | windows 客户端下载anyconnect-win-4.6.01098-core-vpn-predeploy-k9.msi
10 | 链接: https://pan.baidu.com/s/1gXPBVAb721UexRy2JHG0sA 提取码: yq25
11 |
12 | osx 客户端下载
13 | 链接: https://pan.baidu.com/s/1DeyauFpAXoaSvkc3kKaq_Q 提取码: ve14
14 |
15 | android客户端下载
16 | 链接: https://pan.baidu.com/s/1t6Lo5JMIAV1OY0yvR1Ge3w 提取码: bt9i
17 |
--------------------------------------------------------------------------------
/user_del.sh:
--------------------------------------------------------------------------------
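#!/bin/bash
# Remove an ocserv user: delete the password entry, append the user's
# certificate to the revocation list, regenerate the CRL and restart ocserv.
#
# Fix: the original appended to /root/anyconnect/revoked.pem but then ran
# certtool on the relative paths ca-key.pem, ca-cert.pem, revoked.pem and
# crl.tmpl, which only line up when the script is started from
# /root/anyconnect.  All paths now come from CA_DIR.
# NOTE(review): ocserv reads the CRL from the path configured in
# ocserv.conf -- confirm it points at $CA_DIR/crl.pem.
readonly CA_DIR=/root/anyconnect

#######################################
# Prompt for a user name and delete that user.
# Globals:  CA_DIR (read)
# Returns:  0 on success, 1 on missing/invalid input or ocpasswd failure
#######################################
function user_del() {
  local user_name
  read -r -p "Please enter the name of the user you want to delete !" user_name
  if [ -z "$user_name" ]; then
    echo "You did not enter a username, please re-execute the program"
    return 1
  fi
  # The name is spliced into file paths below; reject anything that could
  # leave the per-user directory (e.g. "../x") or look like an option.
  if [[ ! $user_name =~ ^[A-Za-z0-9_][A-Za-z0-9._-]*$ ]]; then
    echo "Invalid username: use letters, digits, '.', '_' or '-' only"
    return 1
  fi
  # Only report success when ocpasswd actually removed the entry.
  if ! /usr/bin/ocpasswd -d "$user_name"; then
    echo "ocpasswd failed to delete $user_name" >&2
    return 1
  fi
  echo "$user_name User deleted successfully"
  cat "$CA_DIR/$user_name/$user_name-cert.pem" >> "$CA_DIR/revoked.pem"
  certtool --generate-crl \
    --load-ca-privkey "$CA_DIR/ca-key.pem" \
    --load-ca-certificate "$CA_DIR/ca-cert.pem" \
    --load-certificate "$CA_DIR/revoked.pem" \
    --template "$CA_DIR/crl.tmpl" \
    --outfile "$CA_DIR/crl.pem"
  echo "$user_name User certificate is revoked"
  service ocserv restart
}
user_del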
17 |
--------------------------------------------------------------------------------
/ssl/letsencrypt.sh:
--------------------------------------------------------------------------------
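#!/bin/bash
# Obtain a Let's Encrypt certificate for the VPN domain with the webroot
# method, answering letsencrypt-auto's interactive prompts through expect.
# (Original header: "this script has not been tested".)
#
# Fix: both "if [ -z ... ]" blocks lacked their closing "fi", so the file did
# not parse at all; as written, the e-mail prompt was also nested inside the
# domain check.  Both prompts now run unconditionally with their defaults.
read -r -p "请输入VPN域名!(默认为example.com):" domain_name
if [ -z "$domain_name" ]; then
  domain_name=example.com
fi
read -r -p "请输入您的Email!(默认为user@qq.com):" mail_address
if [ -z "$mail_address" ]; then
  mail_address=user@qq.com
fi

yum install git -y
git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt
cd /opt/letsencrypt || exit 1
# Request the certificate.  The answers (3 = webroot, the e-mail address,
# agree to the ToS, share the address with EFF, /var/www/html/ as webroot)
# follow the walk-through in ssl/server_ssl_install.txt.  The heredoc is
# unquoted so $domain_name/$mail_address are expanded by bash; a value
# containing characters special to Tcl ('"', '\', '$', '[') would break it.
expect <<-END
spawn ./letsencrypt-auto certonly -d $domain_name
expect "Select the appropriate number"
send "3\r"
expect "Enter email address (used for urgent renewal and security notices) "
send "$mail_address\r"
expect "(A)gree"
send "A\r"
expect "(Y)es"
send "Y\r"
expect "Input the webroot for"
send "/var/www/html/\r"
expect eof
exit
END
# After the certificate is issued, point ocserv at it: replace the
# server-cert and server-key lines in the config and restart the service.
#vi /etc/ocserv/ocserv.conf
#server-cert = /etc/letsencrypt/live/example.com/fullchain.pem
#server-key = /etc/letsencrypt/live/example.com/privkey.pem
#service ocserv restart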
33 |
--------------------------------------------------------------------------------
/for_zhongzhuan/mutiUDP2raw.sh:
--------------------------------------------------------------------------------
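#!/bin/bash
# Client side of the udp2raw relay: refresh the firewall rule for the remote
# server, stop the previous udp2raw/OpenVPN clients, pin the route to the
# server on the original default gateway (table 5), then start udp2raw and
# the OpenVPN client.
export PATH="/bin:/sbin:/usr/sbin:/usr/bin"
sleep 1
#
server1='Change_to_your_abord_serverip'
# The placeholder is not an address; iptables and ip below would only fail
# with confusing errors, so stop early.
if [[ $server1 == 'Change_to_your_abord_serverip' ]]; then
  echo 'server1 is still the placeholder; set it to the remote server IP' >&2
  exit 1
fi
# The "via <gw> dev <if> ..." tail of the current default route, reused for
# the table-5 entry below.
OLDGW=$(ip route show 0/0 | sed -e 's/^default//')
#------------------------------------------------------------------------------------
# udp2raw part
ServerList=("$server1")
for p in "${ServerList[@]}"; do
  # -D removes the rule left by a previous run so -I does not stack
  # duplicates; its "no such rule" error on a clean start is expected.
  iptables -D INPUT -s "$p" -p tcp -m tcp --sport 50000 -j DROP 2>/dev/null || true
  iptables -I INPUT -s "$p" -p tcp -m tcp --sport 50000 -j DROP
done
echo '停止udp2raw 和openvpn客户端'
# pkill replaces the ps|grep|awk|xargs chain and never matches itself.
# -9 is kept from the original; TERM would let udp2raw exit cleanly.
pkill -9 -f udp2raw_amd64
pkill -9 -f openvpn
#------------------------------------------------------------------------------------
echo '增加服务器去往国内路由到table 5'
# OLDGW is intentionally several words ("via ... dev ...") -- presumably so
# the tunnel's own packets to the server keep using the physical uplink.
# shellcheck disable=SC2086
ip route add "$server1" $OLDGW table 5
#ip route add $server2 $OLDGW table 5
echo '启动第一阶段udp2raw'
# The shared key given with -k is visible to every local user via ps;
# udp2raw can read it from a --conf-file instead (as the init script in this
# directory does).  Replace udp2rawpassword before use.
/root/udp2raw/udp2raw_amd64 -c -r"$server1":50000 -l 127.0.0.1:1198 --raw-mode faketcp -k udp2rawpassword --fix-gro &
echo '启动openvpn客户端'
/usr/sbin/openvpn /etc/openvpn/client/client.ovpn >/dev/null &
#
echo '执行完成'
echo "$(date) 重新启动了mutiUDP2raw.sh " >> /var/log/udp2raw.log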
29 |
--------------------------------------------------------------------------------
/paypal/readme.txt:
--------------------------------------------------------------------------------
1 | 第一步:
2 | 1、制作一个index.php 页面,包含支付信息
3 | 2、登录Paypal创建一个支付button
4 | 2.1 选择 tools -> paypal buttons -> Create new button
5 | 2.2、Button 设置
6 | Choose a button type "Buy Now"
7 | 输入Item name 和 Item id
8 | 输入Price
9 | 去掉 "Save button at PayPal" 的勾选
10 | Can your customer add special instructions in a message to you?
11 | 选择no
12 | Do you need your customer's shipping address
13 | 选择no
14 | Add advanced variables
15 | 输入URL的listener.php页面地址notify_url=http://yourweb/PayPalGateway/listener.php
16 | 最后点击Create Button
17 | 会获取到一段Button的代码
18 | 3、把获取到的代码放到你的支付页面,预览后将出现一个button
19 |
20 | 第二步:
21 | 1、进入 https://developer.paypal.com
22 | 2、点击 IPN Simulator
23 | 3、配置
24 | IPN handler url 输入
25 | http://yourweb/PayPalGateway/listener.php
26 | Transaction type
27 | 选择web Accept
28 | Payment_status
29 | 选择Completed
30 | business
31 | 输入你组织的名称
32 | receiver_email 输入能接收邮件的Email
33 | item_name
34 | 输入你支付项目的名称
35 | item_number
36 | 输入你支付项目的名称
37 | shipping 与tax 下面的内容删除
38 | mc_gross下面输入你的销售金额
39 | 删除mc_gross_1
40 | 在Advanced and Custom Information下
41 | 删除 custom 和 invoice 下面的内容
42 |
43 | 最后点击 Send IPN 按钮
44 | 会收到提示 IPN was sent and the handshake was verified
45 | 第三步: 创建listener.php文件
46 |
47 | 第四步:验证
48 | 进入第三步,点击 Send IPN 按钮,
49 | 打开http://yourweb/PayPalGateway/test.txt,当出现VERIFIED时候,可以进行下一步
50 | 第五步:
51 |
--------------------------------------------------------------------------------
/manual_install/ocserv1.1.6_install.sh:
--------------------------------------------------------------------------------
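#!/bin/bash
# Build and install ocserv 1.1.6 from source on CentOS 7, replacing an
# RPM-installed ocserv (its .rpmsave config and profile are reused), then
# install the upstream systemd unit and start the service.
######################################################################################################
set -euo pipefail

readonly OCSERV_VER=1.1.6
readonly TARBALL="ocserv-${OCSERV_VER}.tar.xz"
# Optional: SHA-256 of the release tarball, taken from the upstream release
# announcement and passed in the environment.  When set, a mismatching
# download aborts the build before anything is compiled or installed.
readonly TARBALL_SHA256="${OCSERV_TARBALL_SHA256:-}"

yum install -y gnutls-devel libev-devel
yum install -y pam-devel lz4-devel libseccomp-devel readline-devel \
  libnl3-devel krb5-devel radcli-devel libcurl-devel cjose-devel \
  jansson-devel protobuf-c-devel libtalloc-devel http-parser-devel \
  protobuf-c gperf nuttcp lcov uid_wrapper pam_wrapper nss_wrapper \
  socket_wrapper gssntlmssp haproxy iputils gawk \
  gnutls-utils iproute yajl

# TLS verification stays on: the original's --no-check-certificate would let
# anyone on the network path hand over a tarball that is then built and
# installed as root.  If the download fails on the certificate, repair the CA
# bundle (yum reinstall ca-certificates) rather than disabling the check.
wget "https://www.infradead.org/ocserv/download/${TARBALL}"
if [[ -n $TARBALL_SHA256 ]]; then
  printf '%s  %s\n' "$TARBALL_SHA256" "$TARBALL" | sha256sum -c -
fi
tar xf "$TARBALL"
cd "ocserv-${OCSERV_VER}"
./configure && make && make install

# Reuse the configuration the RPM left behind, when present.
if [[ -f /var/lib/ocserv/profile.xml.rpmsave ]]; then
  mv /var/lib/ocserv/profile.xml.rpmsave /var/lib/ocserv/profile.xml
fi
if [[ -f /etc/ocserv/ocserv.conf.rpmsave ]]; then
  cp /etc/ocserv/ocserv.conf.rpmsave /etc/ocserv/ocserv.conf
fi
sed -i 's@enable-auth = "certificate"@#enable-auth = "certificate"@g' /etc/ocserv/ocserv.conf
# Relative to the extracted source tree entered above.
cp "doc/systemd/standalone/ocserv.service" "/usr/lib/systemd/system/ocserv.service"
# The upstream unit names the distro path; "make install" put the binary
# under /usr/local.
sed -i 's@/usr/sbin/ocserv@/usr/local/sbin/ocserv@g' /usr/lib/systemd/system/ocserv.service
mkdir -p /var/lib/ocserv/
wget -P /var/lib/ocserv/ https://raw.githubusercontent.com/chendong12/ocserv/master/manual_install/profile.xml
systemctl daemon-reload
systemctl start ocserv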
23 |
--------------------------------------------------------------------------------
/for_zhongzhuan/checkpsw.sh:
--------------------------------------------------------------------------------
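#!/bin/sh
###########################################################
# checkpsw.sh (C) 2004 Mathias Sundman
#
# This script will authenticate OpenVPN users against
# a plain text file. The passfile should simply contain
# one row per user with the username first followed by
# one or more space(s) or tab(s) and then the password.
#
# This copy additionally requires a third column equal to 1
# for the row to be accepted (see the awk filter below).
#
# Review changes.  OpenVPN hands the client-supplied
# username and password to this script in the environment
# (the original read ${username}/${password} without setting
# them), so both values are untrusted:
#  - the username is read by awk from ENVIRON instead of
#    being spliced into the program text, where a quote or
#    ")" in a client-chosen name changed the awk expression;
#  - neither the client's password nor the stored password is
#    printed to stdout or written to the log any more; the
#    log keeps the username and the outcome only.
# The passfile holds clear-text passwords; keep it readable
# by root only.

PASSFILE="/etc/openvpn/psw-file"
LOG_FILE="/var/log/openvpn-password.log"
TIME_STAMP=$(date "+%Y-%m-%d %T")

###########################################################

if [ ! -r "${PASSFILE}" ]; then
  echo "${TIME_STAMP}: Could not open password file \"${PASSFILE}\" for reading." >> "${LOG_FILE}"
  exit 1
fi

# Column 1 = user, column 2 = password, column 3 must be 1.  ENVIRON is
# used rather than -v so awk does not process backslash escapes in the name;
# it requires "username" to be exported, as it is when OpenVPN sets it.
CORRECT_PASSWORD=$(awk '($1==ENVIRON["username"])&&($3==1) {print $2}' "${PASSFILE}")

if [ "${CORRECT_PASSWORD}" = "" ]; then
  echo "${TIME_STAMP}: User does not exist: username=\"${username}\"." >> "${LOG_FILE}"
  exit 1
fi

if [ "${password}" = "${CORRECT_PASSWORD}" ]; then
  echo "${TIME_STAMP}: Successful authentication: username=\"${username}\"." >> "${LOG_FILE}"
  exit 0
fi

echo "${TIME_STAMP}: Incorrect password: username=\"${username}\"." >> "${LOG_FILE}"
exit 1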
37 |
--------------------------------------------------------------------------------
/profile/profile.bak.xml:
--------------------------------------------------------------------------------
1 | ?xml version="1.0" encoding="UTF-8"?>
2 |
3 |
4 |
5 | false
6 | false
7 | false
8 | IPSec
9 | true
10 | AllowRemoteUsers
11 | pinAllowed
12 |
13 |
14 | Digital_Signature
15 |
16 |
17 | ClientAuth
18 |
19 |
20 |
21 |
22 | localhost
23 |
24 |
25 |
26 |
27 |
28 | VPN Server
29 | localhost
30 |
31 |
32 |
33 |
--------------------------------------------------------------------------------
/user_add.sh:
--------------------------------------------------------------------------------
1 | #!/bin/bash
2 | #This script is add vpn user and user's certificate at the same time
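#######################################
# Prompt for the new user's name and password, then create the password
# entry (user_add) and the client certificate (cert_add).
# Globals:  public_ip, user_name, user_pass (written; read by user_add and
#           cert_add)
# Returns:  1 when input is missing or unusable, otherwise cert_add's status
#######################################
function input_user() {
  # Public address, used only for the download URL / VPN address printed at
  # the end.  It comes from an unauthenticated HTTP page, so treat it as a
  # hint and check the printed address.
  public_ip=$(lynx --source www.monip.org | sed -nre 's/^.* (([0-9]{1,3}\.){3}[0-9]{1,3}).*$/\1/p')
  read -r -p "Input your vpn username:" user_name
  if [ -z "$user_name" ]; then
    echo "You did not enter a username, please re-execute the program"
    return 1
  fi
  # The name becomes a directory under /root/anyconnect and part of the
  # certificate file names; reject path separators and other specials.
  if [[ ! $user_name =~ ^[A-Za-z0-9_][A-Za-z0-9._-]*$ ]]; then
    echo "Invalid username: use letters, digits, '.', '_' or '-' only"
    return 1
  fi
  # -s keeps the password off the terminal while it is typed.
  read -r -s -p "Input your password:" user_pass
  echo
  if [ -z "$user_pass" ]; then
    echo "You did not enter your password, please re-execute the program"
    return 1
  fi
  # user_add and cert_add splice the password into expect scripts
  # (send "...\r"); characters Tcl treats specially inside double quotes
  # would break or alter those scripts.
  case $user_pass in
    *[\"\\\$\[\]]*)
      echo "Password must not contain \" \\ \$ [ or ]"
      return 1
      ;;
  esac
  user_add
  cert_add
}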
#######################################
# Create the ocserv password entry for $user_name, feeding $user_pass to both
# ocpasswd prompts through expect.
# Globals:  user_name, user_pass (read)
#######################################
user_add() {
  # Unquoted heredoc on purpose: bash expands $user_name and $user_pass
  # before expect sees the script.  The body stays flush-left for "<<-".
  expect <<-END
spawn ocpasswd -c /etc/ocserv/ocpasswd $user_name
expect "Enter password:"
send "$user_pass\r"
expect "Re-enter password:"
send "$user_pass\r"
expect eof
exit
END
}
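#######################################
# Create the client certificate for $user_name under /root/anyconnect/<name>,
# publish the .p12 to the web root and print the details for the user.
# Globals:  user_name, user_pass, public_ip (read)
# Returns:  1 when the working directories cannot be entered
#######################################
cert_add() {
  cd /root/anyconnect || { echo "/root/anyconnect does not exist" >&2; return 1; }
  mkdir -p -- "$user_name"
  cd -- "$user_name" || return 1
  # gen-client-cert.sh has openssl ask for the PKCS#12 export password twice;
  # the VPN password is reused for it.  Unquoted heredoc: bash expands
  # $user_name and $user_pass before expect runs.
  expect <<-END
spawn ../gen-client-cert.sh $user_name /root/anyconnect
expect "Enter Export Password:"
send "$user_pass\r"
expect "Verifying - Enter Export Password:"
send "$user_pass\r"
expect eof
exit
END
  # The bundle is served over plain HTTP from a path that is just the user
  # name, so anyone who can guess the name can fetch it; the export password
  # (the VPN password) is then its only protection.  Remove the file from
  # /var/www/html once the user has downloaded it.
  cp "/root/anyconnect/$user_name/$user_name.p12" /var/www/html/
  echo "$user_name The user is successfully created and the password is $user_pass"
  echo "$user_name The user's certificate was created successfully. Click the following link to download."
  echo "http://$public_ip/$user_name.p12"
  echo "The import password for the certificate is $user_pass"
  echo "VPN address and port is $public_ip:4433"
}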
#######################################
# Entry point: the whole flow is the interactive input_user prompt.
#######################################
shell_install() {
  input_user
}
shell_install
55 |
--------------------------------------------------------------------------------
/ssl/常见错误解决.md:
--------------------------------------------------------------------------------
1 | ### 当出现如下错误提示的时候 ###
2 | [root@localhost letsencrypt]# ./letsencrypt-auto certonly -d vpn01.rexen.net
3 | Saving debug log to /var/log/letsencrypt/letsencrypt.log
4 |
5 | How would you like to authenticate with the ACME CA?
6 | - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
7 | 1: Apache Web Server plugin (apache)
8 | 2: Spin up a temporary webserver (standalone)
9 | 3: Place files in webroot directory (webroot)
10 | - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
11 | Select the appropriate number [1-3] then [enter] (press 'c' to cancel): 3
12 | Plugins selected: Authenticator webroot, Installer None
13 | Obtaining a new certificate
14 | Performing the following challenges:
15 | http-01 challenge for vpn01.xxxx.net
16 | Input the webroot for vpn01.xxxx.net: (Enter 'c' to cancel): /var/www/html/
17 | Waiting for verification...
18 | Cleaning up challenges
19 | Failed authorization procedure. vpn01.xxxx.net (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://vpn01.xxxx.net/.well-known/acme-challenge/EcK1ytD-ZkopGhlmvo7c8uXONHIrsbjMYqX_QGf4VnM: Connection refused
20 |
21 | IMPORTANT NOTES:
22 | - The following errors were reported by the server:
23 |
24 | Domain: vpn01.rexen.net
25 | Type: connection
26 | Detail: Fetching
27 | http://vpn01.xxxx.net/.well-known/acme-challenge/EcK1ytD-ZkopGhlmvo7c8uXONHIrsbjMYqX_QGf4VnM:
28 | Connection refused
29 |
30 | To fix these errors, please make sure that your domain name was
31 | entered correctly and the DNS A/AAAA record(s) for that domain
32 | contain(s) the right IP address. Additionally, please check that
33 | your computer has a publicly routable IP address and that no
34 | firewalls are preventing the server from communicating with the
35 | client. If you're using the webroot plugin, you should also verify
36 | that you are serving files from the webroot path you provided.
37 |
38 | ### 需要你首先能访问你的 vpn01.xxxx.net 网站 ###
39 | 如果是apache 需要启动apache,并且iptables中放行
40 | systemctl enable httpd
41 | iptables -I INPUT -p tcp --dport 80 -j ACCEPT
42 |
--------------------------------------------------------------------------------
/for_zhongzhuan/udp2raw:
--------------------------------------------------------------------------------
1 | #!/bin/bash
2 | # chkconfig: 2345 90 10
3 | # description: udp2raw, designed to bypass blocked udp.
4 |
5 | ### BEGIN INIT INFO
6 | # Provides: udp2raw
7 | # Required-Start: $network $syslog
8 | # Required-Stop: $network
9 | # Default-Start: 2 3 4 5
10 | # Default-Stop: 0 1 6
11 | # Short-Description: helps you bypass firewalls
12 | # Description: Start or stop the udp2raw
13 | ### END INIT INFO
14 |
15 | # Author: Alaa Elkhawaga v1.00
16 |
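NAME=udp2raw
BIN=/root/udp2raw/udp2raw_amd64
# Only one config location is supported.  CONF is left empty (not unset)
# when the file is absent so do_start can report the problem instead of
# passing an empty --conf-file argument to the daemon.
CONF=
if [ -f /root/udp2raw/config.conf ]; then
  CONF=/root/udp2raw/config.conf
fi
#elif [ -f /etc/conf.conf
# CONF=/etc/conf.conf

RETVAL=0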
26 |
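#######################################
# Look for running instances of $BIN.
# Globals:  BIN (read), PID (written: matching pids, one per line, or empty)
# Returns:  0 if at least one instance is running, 1 otherwise
#######################################
check_running(){
  # pgrep -f matches the full command line and never reports itself, so the
  # "grep -v grep" filter of the ps pipeline is not needed.
  PID=$(pgrep -f "${BIN}")
  [ -n "$PID" ]
}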
35 |
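#######################################
# Start $BIN in the background unless it is already running.
# Globals:  BIN, CONF, NAME (read), PID (via check_running), RETVAL (written)
# Exits with 0 when an instance is already running (as the original did).
#######################################
do_start(){
  if check_running; then
    echo "$NAME (pid $PID) is already running..."
    exit 0
  fi
  # Without a config file udp2raw would be started with an empty --conf-file.
  if [ -z "${CONF:-}" ] || [ ! -f "$CONF" ]; then
    echo "Starting $NAME failed: config file not found"
    RETVAL=1
    return
  fi
  # The original took $? right after "&", which is the status of spawning
  # (always 0), so "success" was printed even when udp2raw exited at once.
  # Give it a moment and confirm the process is still there.
  $BIN --conf-file "$CONF" &
  sleep 1
  if check_running; then
    RETVAL=0
    echo "Starting $NAME success"
  else
    RETVAL=1
    echo "Starting $NAME failed"
  fi
}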
51 |
#######################################
# Stop running $BIN instances with SIGTERM.
# Globals:  NAME (read), PID (via check_running), RETVAL (written)
#######################################
do_stop(){
  if ! check_running; then
    echo "$NAME is stopped"
    RETVAL=1
    return
  fi
  # PID may hold several pids, one per line; word splitting is intended.
  # shellcheck disable=SC2086
  kill $PID
  RETVAL=$?
  if [ "$RETVAL" -eq 0 ]; then
    echo "Stopping $NAME success"
  else
    echo "Stopping $NAME failed"
  fi
}
67 |
#######################################
# Report whether $BIN is running.
# Globals:  NAME (read), PID (via check_running), RETVAL (set to 1 when stopped)
#######################################
do_status(){
  if check_running; then
    echo "$NAME (pid $PID) is running..."
    return
  fi
  echo "$NAME is stopped"
  RETVAL=1
}
77 |
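#######################################
# Restart: stop, wait (up to ~5 s) for the old process to go away, start.
# Globals:  PID (via check_running), RETVAL (via do_stop/do_start)
#######################################
do_restart(){
  local i=0
  do_stop
  # kill is asynchronous; without this wait do_start often still saw the old
  # pid, printed "already running" and exited without starting a new one.
  while check_running && [ "$i" -lt 10 ]; do
    sleep 0.5
    i=$((i + 1))
  done
  do_start
}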
82 |
# Dispatch on the first argument to the matching do_* function.
case "$1" in
  start|stop|restart|status)
    "do_$1"
    ;;
  *)
    echo "Usage: $0 { start | stop | restart | status }"
    RETVAL=1
    ;;
esac

exit $RETVAL
94 |
--------------------------------------------------------------------------------
/radius/readme.md:
--------------------------------------------------------------------------------
1 | 如果需要把 radius服务器 和 ocserv 服务器部署到不同的服务器,需要配置下面的文件
2 |
3 | ### 在radius 服务器上的配置 ###
4 | If you need to deploy the radius server and ocserv server on different servers, you need to configure the files below.
5 | > * 1、在radius 服务器上开放radius 端口
6 | ```bash
7 | iptables -I INPUT -p tcp --dport 1812 -j ACCEPT
8 | iptables -I INPUT -p udp --dport 1812 -j ACCEPT
9 | iptables -I INPUT -p tcp --dport 1813 -j ACCEPT
10 | iptables -I INPUT -p udp --dport 1813 -j ACCEPT
11 | ```
12 | > * 2、修改radius服务器上的密码
13 | ```bash
14 | vim /etc/raddb/clients.conf
15 | Change below
16 | ipv4addr = *
17 | secret = testing123
18 | ```
19 | ## 在ocserv 服务器(radius 客户端)上的配置
20 | #以下内容是在ocserv 服务器(radius 客户端)上进行
21 | > * 1、安装 radcli
22 | ```bash
23 | yum install -y radcli-devel
24 | ```
25 |
26 | > * 2、配置 radiusclient
27 | ```bash
28 | vi /etc/radcli/radiusclient.conf
29 | #将authserver和acctserver 后面的地址,修改为你实际的radius服务器地址,假定你radius服务器地址为 1.2.3.4:
30 |
31 | authserver 1.2.3.4
32 | acctserver 1.2.3.4
33 | ```
34 |
35 | > * 3、增加服务器IP及radius连接密码
36 | ```bash
37 | vi /etc/radcli/servers
38 | #添加下面内容,其中1.2.3.4 为你的radius服务器IP地址,some-pass 为密码
39 |
40 | 1.2.3.4 testing123
41 | ```
42 | > * 4、修改ocserv 服务器配置,开启radius认证
43 | ```bash
44 | vi /etc/ocserv/ocserv.conf
45 | #注释密码认证,去掉radiusclient-ng 相关的两行内容,如下所示
46 | #auth = "plain[passwd=/etc/ocserv/ocpasswd]
47 | auth = "radius[config=/etc/radcli/radiusclient.conf,groupconfig=true]"
48 | acct = "radius[config=/etc/radcli/radiusclient.conf]"
49 | ```
50 | 修改完成之后执行下面命令重启ocserv
51 | ```bash
52 | systemctl restart ocserv
53 | ```
54 | ## 修改phpmail乱码问题 ##
55 | ```bash
56 | #修改其中的public $CharSet = 'iso-8859-1'; 改为 public $CharSet = 'UTF-8';
57 | vi /var/www/html/user_reg_new/mailer/class.phpmailer.php
58 | ```
59 |
60 | ## radius 客户端测试方法 ##
61 | ```bash
62 | radtest user user_pass testing123 1812 testing123
63 | ```
64 |
65 | ## 如何区分用户名的大小写 ##
66 | #默认情况下anyconnect 连接后用户名是不区分大小写的,例如 tom 和Tom 都会接受,但同时在线用户数的确认就失效了
67 | ```bash
68 | vi /etc/raddb/mods-config/sql/main/mysql/queries.conf
69 | #修改其中的用户查询认证为如下信息即可
70 | authorize_check_query = "\
71 | SELECT id, username, attribute, value, op \
72 | FROM ${authcheck_table} \
73 | WHERE username = BINARY '%{SQL-User-Name}' \
74 | ORDER BY id"
75 |
76 | authorize_reply_query = "\
77 | SELECT id, username, attribute, value, op \
78 | FROM ${authreply_table} \
79 | WHERE username = BINARY '%{SQL-User-Name}' \
80 | ORDER BY id"
81 |
82 | ```
83 |
84 |
--------------------------------------------------------------------------------
/ssl/server_ssl_install.txt:
--------------------------------------------------------------------------------
1 | #本文帮助大家OCSERV 服务器如何使用域名连接
2 | #首先你需要有一个域名,并且解析到你的服务器
3 | #其次你安装了我的服务器脚本文件,https://raw.githubusercontent.com/chendong12/ocserv/master/ocserv_quick.sh
4 | #假定你的域名为example.com
5 | #按照下面方法配置完成之后你就可以使用域名登陆,并且这个域名使用免费的ssl证书,不会提示不信任服务器的情况,注意免费ssl证书是有时效的
6 | yum install git -y
7 | git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt
8 | cd /opt/letsencrypt
9 | ./letsencrypt-auto certonly -d example.com(这里修改为你的服务器域名)
10 |
11 |
12 | 出现下面提示的时候选择3
13 | How would you like to authenticate with the ACME CA?
14 | - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
15 | 1: Apache Web Server plugin - Beta (apache)
16 | 2: Spin up a temporary webserver (standalone)
17 | 3: Place files in webroot directory (webroot)
18 | - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
19 | Select the appropriate number [1-3] then [enter] (press 'c' to cancel): 3
20 |
21 |
22 | 出现下面提示的时候输入你的邮箱地址
23 | Enter email address (used for urgent renewal and security notices) (Enter 'c' to
24 | cancel): zcm8483@gmail.com
25 |
26 |
27 | 出现下面提示输入A
28 | - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
29 | Please read the Terms of Service at
30 | https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
31 | agree in order to register with the ACME server at
32 | https://acme-v02.api.letsencrypt.org/directory
33 | - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
34 | (A)gree/(C)ancel: A
35 |
36 |
37 | 出现下面提示输入Y
38 | - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
39 | Would you be willing to share your email address with the Electronic Frontier
40 | Foundation, a founding partner of the Let's Encrypt project and the non-profit
41 | organization that develops Certbot? We'd like to send you email about our work
42 | encrypting the web, EFF news, campaigns, and ways to support digital freedom.
43 | - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
44 | (Y)es/(N)o: Y
45 |
46 |
(注意结尾一定要加/)提示这个时候输入/var/www/html/ 。webroot 方式要求本机 httpd 正在运行,并且 /var/www/html/.well-known/acme-challenge/ 能通过 80 端口从公网访问(安装脚本已放行 80 端口);如果 80 端口上没有 web 服务,请改选 2(standalone)。
48 | Input the webroot for example.com: (Enter 'c' to cancel): /var/www/html/
49 |
50 |
51 | #修改ocserv服务器的配置文件
52 | vi /etc/ocserv/ocserv.conf
53 | #增加下面两行内容
54 | server-cert = /etc/letsencrypt/live/example.com/fullchain.pem
55 | server-key = /etc/letsencrypt/live/example.com/privkey.pem
56 | #注释掉原来的下面两行内容
57 | #server-cert = /etc/ocserv/server-cert.pem
58 | #server-key = /etc/ocserv/server-key.pem
59 |
60 | #重启服务器
61 | service ocserv restart
62 |
63 | #客户端使用example.com:4433 就可以连接到服务器了
64 | #记得把example.com 更换成你的域名
65 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | ## Cisco anyconnect 服务器搭建(服务器软件采用ocserv)注意本项目是基于Centos7操作系统
2 | ### 安装步骤 ###
3 | > * 第一步:安装ocserv 服务器,请使用下面的脚本文件进行安装
4 | > * https://raw.githubusercontent.com/chendong12/ocserv/master/ocserv_quick.sh
5 | > * 第二步:(可以不安装)但如果想使用 Radius 来管理 ocserv 服务器中的账号,即OCSERV对接Radius,请使用这一步,注意,必须安装第一步,才能安装第二步
6 | > * https://github.com/chendong12/ocserv/blob/master/ocserv_radius_quickinstall.sh
7 | ## 服务器操作常用方法 ##
8 | > * 启动服务器方法: systemctl start ocserv
9 | > * 停止服务器方法: systemctl stop ocserv
10 | > * 重启服务器方法: systemctl restart ocserv
11 | ## 增加客户端账号的方法
12 | > * 方法一:/root/anyconnect/user_add.sh 通过脚本文件直接增加账号密码和证书文件
13 | > * 方法二:ocpasswd -c /etc/ocserv/ocpasswd user_name 增加用户名为user_name的账号,如果已经存在则修改其密码
> * 方法三:cd /root/anyconnect ; mkdir user_name ; cd user_name ; ../gen-client-cert.sh user_name /root/anyconnect 只增加用户证书
> * 删除账号:ocpasswd -d user_name 删除user_name账号(如果该用户使用证书登录,还需要用 user_del.sh 禁用其证书)
15 | ## 配置文件说明 ##
16 | > * ocserv_quick.sh - 快速安装anyconnect服务器的脚本文件
17 | > * ocserv.conf - 服务器主要配置文件
18 | > * install_script.sh - 服务器安装主要脚本文件
19 | > * ocserv_radius_quickinstall.sh - Ocserv 对接 Radius 快速安装脚本
20 | > * radius_for_ocserv.sh - Ocserv 对接 Radius 主要脚本文件
21 | > * user_add.sh - 快速生成anyconnect 客户端账号及客户端证书的脚本
> * user_del.sh - 快速删除anyconnect 客户端账号及禁用该账号证书的脚本
23 | > * client_download.txt - 不同类型的客户端下载地址
24 | > * certificate.txt - 单独新增证书用户说明
25 | > * /ssl/server_ssl_install.txt 服务器通过域名连接,并配置可信ssl的方法说明
26 |
27 |
28 | ## 修改 /var/lib/ocserv/profile.xml 文件中的内容可以将服务器的配置推送给客户端 ###
29 | ```bash
30 | vi /var/lib/ocserv/profile.xml
31 | ```
32 | ```xml
33 |
34 |
35 | 服务器描述1
36 | server1_ipaddress:port
37 |
38 |
39 | 服务器描述2
40 | server2_ipaddress:port
41 |
42 |
43 | ```
44 |
45 | ## ocserv 常见配置说明 ##
46 | #### 配置vpn客户端的速率 ###
47 | ```bash
48 | rx-data-per-sec =
49 | tx-data-per-sec =
如果要设置2Mbps带宽,请输入 262144(单位为字节/秒),计算方法为: 2048(2*1024)*1024/8 = 262144
51 | 1M 131072
52 | 2M 262144
53 | 3M 393216
54 | 4M 524288
55 | 5M 655360
56 | ```
57 |
58 | ### 配置连接协议,禁止TLS1.0 和TLS1.1 ###
59 |
60 | ```bash
61 | tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1"
62 | ```
63 |
64 | ### 记录anyconnect连接断开的日志 ###
65 | 编辑 /etc/ocserv/ocserv.conf
66 | 增加如下内容
67 |
68 | ```bash
69 | connect-script = /etc/ocserv/connect-script
70 | disconnect-script = /etc/ocserv/connect-script
71 | ```
72 | 新建 connect-script 文件
73 | ```bash
74 | touch /etc/ocserv/connect-script
75 | chmod +x /etc/ocserv/connect-script
76 | ```
77 |
78 | /etc/ocserv/connect-script 文件内容如下
79 |
80 | ```bash
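#!/bin/bash
# ocserv connect-script / disconnect-script hook.
# ocserv invokes this with the session described in environment variables
# (REASON, USERNAME, DEVICE, IP_LOCAL, IP_REMOTE, IP_REAL) and this script
# appends one line per event to LOGFILE.  Note the log lives under /etc and
# is not rotated by the ocserv logrotate snippet, which only covers
# /var/log/ocserv.log.

export LOGFILE=/etc/ocserv/login.log

# Every expansion is quoted and written with printf: USERNAME and DEVICE come
# from the session, so they must not be word-split or glob-expanded by the
# shell on their way into the log.
case "${REASON:-}" in
  connect)
    printf '%s %s connected\n' "$(date)" "${USERNAME:-}" >> "$LOGFILE"
    printf '%s %s %s %s %s %s %s\n' "$(date)" "$REASON" "${USERNAME:-}" "${DEVICE:-}" \
      "${IP_LOCAL:-}" "${IP_REMOTE:-}" "${IP_REAL:-}" >> "$LOGFILE"
    ;;
  disconnect)
    printf '%s %s disconnected\n' "$(date)" "${USERNAME:-}" >> "$LOGFILE"
    ;;
esac
# Always succeed: a non-zero exit from a connect-script makes ocserv refuse
# the connection, and logging must never gate access.
exit 0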
96 | ```
97 | 配置完成后重启 ocserv
98 |
99 |
100 | ```bash
101 | systemctl restart ocserv
102 | cat /etc/ocserv/login.log
103 | 2022年 08月 28日 星期日 11:23:56 CST test connected
2022年 08月 28日 星期日 11:23:56 CST connect test vpns0 10.12.0.1 10.12.0.128 1.27.210.31
105 | 2022年 08月 28日 星期日 11:24:00 CST test disconnected
106 | ```
107 |
108 | ### 使用 let's encrypt 生成域名的证书 ###
109 |
110 | ```shell
#准备工作:80 端口未被占用(安装脚本装的 httpd 默认监听 80,使用 standalone 方式前需先 systemctl stop httpd,或者改用 --webroot -w /var/www/html),并且防火墙上放行了80端口
112 |
113 | yum install epel-release
114 | yum install certbot
115 |
116 | #用下面命令生成证书,生成过程提示您输入邮箱地址,然后一路输入 y 确认
117 | certbot certonly --standalone -d your_domain
118 |
119 | #如果成功生成,会提示您证书存放路径,和证书的有效期,示例如下
120 |
121 | /etc/letsencrypt/live/your_domain/fullchain.pem
122 | /etc/letsencrypt/live/your_domain/privkey.pem
123 |
124 | #修改 ocserv 配置文件,使用证书
125 | server-cert = /etc/letsencrypt/live/your_domain/fullchain.pem
126 | server-key = /etc/letsencrypt/live/your_domain/privkey.pem
127 |
128 | #重启 ocserv 服务
129 | systemctl restart ocserv
130 |
131 | #自动更新证书
132 | #Let's Encrypt 证书的有效期是 90 天,并且官方推荐每 60 天 自动进行一次续期,以确保证书不会过期。
133 | #Certbot 内置了一个命令,用于每天自动检查证书是否即将过期。你可以使用以下 cron 任务来确保 Certbot 每天检查证书状态并续期
#这个 cron 任务会每天午夜运行一次 certbot renew,只有当证书剩余有效期少于 30 天时,Certbot 才会自动续期证书。注意:--post-hook 在每次运行后都会执行,即使没有续期也会每天重启 ocserv 并断开所有在线用户;只想在真正续期后重启,应改用 --deploy-hook
135 |
136 | crontab -e
137 |
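# --deploy-hook runs only when a certificate was actually renewed; --post-hook
# would restart ocserv (dropping every VPN session) on each nightly run even
# when nothing changed.
0 0 * * * /usr/bin/certbot renew --quiet --deploy-hook "systemctl restart ocserv"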
139 |
140 | ```
141 |
142 |
--------------------------------------------------------------------------------
/for_zhongzhuan/chnroutes/master/chnroutes.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 |
3 | import argparse
4 | import math
5 | import os
6 | import re
7 | import subprocess
8 | import sys
9 | import urllib2
10 |
def generate_ovpn(_):
    """Write ``ip-up``/``ip-down`` route scripts for the CN prefixes.

    NOTE(review): in this listing the text between the ``ip -batch - <`` lines
    and the matching ``> /tmp/..._oldgw`` redirections was dropped by the page
    extraction (the original line numbers jump from 20 to 74 and from 76 to
    123), so the two script templates below are incomplete and appear to mix
    what were probably several platform-specific generators (``generate_old``,
    ``generate_linux`` and ``generate_mac`` are called from ``main`` but are not
    visible here).  Consult the upstream file before editing the templates.

    The single parameter is the metric passed by ``main``; it is unused here.
    """
    results = fetch_ip_data()

    # "Up" script template: records the current default gateway so that one
    # route per CN prefix can be added through it (the routes are appended
    # below).  Corrupted in this listing, see the docstring.
    upscript_header = """\
#!/bin/sh

export PATH="/bin:/sbin:/usr/sbin:/usr/bin"
OLDGW=$(ip route show 0/0 | sed -e 's/^default//')

ip -batch - < /tmp/vpn_oldgw
fi

ip -batch - < /tmp/pptp_oldgw
fi

dscacheutil -flushcache
"""

    # "Down" script template: no-op unless the saved gateway file exists,
    # otherwise re-reads the gateway so the routes below can be deleted.
    downscript_header = """\
#!/bin/sh
export PATH="/bin:/sbin:/usr/sbin:/usr/bin"

if [ ! -e /tmp/pptp_oldgw ]; then
exit 0
fi

OLDGW=`cat /tmp/pptp_oldgw`
"""

    # Both scripts are written to the current directory.
    upfile = open('ip-up','w')
    downfile = open('ip-down','w')

    upfile.write(upscript_header)
    downfile.write(downscript_header)

    # fetch_ip_data yields (start_ip, netmask, prefix_len); the scripts use
    # CIDR notation, so the dotted netmask is skipped.  The prefix text comes
    # from the network and is run as root -- fetch_ip_data's regex restricts
    # it to digits and dots.
    for ip, _, mask in results:
        upfile.write('route add %s/%s "${OLDGW}"\n' % (ip, mask))
        downfile.write('route delete %s/%s ${OLDGW}\n' % (ip, mask))

    downfile.write('\n\nrm /tmp/pptp_oldgw\n')

    upfile.close()
    downfile.close()

    # Python 2 octal literals (the file uses urllib2/xrange, so it is Python 2
    # only); under Python 3 these would need to be written 0o755.
    os.chmod('ip-up', 00755)
    os.chmod('ip-down', 00755)
def generate_win(metric):
    """Write ``vpnup.bat`` and ``vpndown.bat`` into the current directory.

    ``vpnup.bat`` captures the current default gateway into ``%gw%``, flushes
    the DNS cache and adds one static route per CN block through that gateway
    with the given ``metric``; ``vpndown.bat`` deletes those routes again.
    The generated text is byte-for-byte what the original implementation
    produced.
    """
    blocks = fetch_ip_data()

    up_header = (
        '@echo off\n'
        'for /F "tokens=3" %%* in (\'route print ^| findstr "\\<0.0.0.0\\>"\')'
        ' do set "gw=%%*"\n'
    )
    add_fmt = 'route add %s mask %s %%gw%% metric %d\n'
    del_fmt = 'route delete %s\n'

    with open('vpnup.bat', 'w') as up, open('vpndown.bat', 'w') as down:
        up.write(up_header)
        up.write('ipconfig /flushdns\n\n')
        down.write('@echo off\n')
        for start_ip, netmask, _ in blocks:
            up.write(add_fmt % (start_ip, netmask, metric))
            down.write(del_fmt % start_ip)
181 |
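def fetch_ip_data():
    """Download APNIC's delegation list and return the CN IPv4 allocations.

    Returns a list of ``(start_ip, netmask, prefix_len)`` tuples -- e.g.
    ``('1.0.1.0', '255.255.255.0', 24)`` -- one per ``apnic|cn|ipv4|...``
    record whose status starts with ``a`` (allocated/assigned), in file order.

    NOTE(review): the list is fetched over plain HTTP with no signature or
    checksum, and it ends up in route scripts that run with root privileges
    (see the ``generate_*`` writers).  The regex below pins the *shape* of a
    record (digits and dots only), which rules out shell injection into those
    scripts, but an on-path attacker can still add or drop prefixes and so
    steer traffic around the tunnel.  Switching ``url`` to ``https://`` with
    certificate verification is the cheap mitigation -- confirm the mirror
    serves it before changing.
    """
    url = 'http://ftp.apnic.net/apnic/stats/apnic/delegated-apnic-latest'
    try:
        # wget first: it prints progress, which matters on a slow link.
        data = subprocess.check_output(['wget', url, '-O-'])
    except (OSError, AttributeError, subprocess.CalledProcessError):
        # No wget (OSError), Python < 2.7 without check_output
        # (AttributeError) or a failed download: fall back to urllib2.
        sys.stderr.write("Fetching data from apnic.net, "
                         "it might take a few minutes, please wait...\n")
        data = urllib2.urlopen(url).read()
    # Under Python 3 both sources hand back bytes; the file is ASCII.
    if not isinstance(data, str):
        data = data.decode('ascii', 'replace')
    return _cn_ipv4_blocks(data)


def _cn_ipv4_blocks(data):
    """Parse delegation text into ``(start_ip, netmask, prefix_len)`` tuples."""
    cnregex = re.compile(r'^apnic\|cn\|ipv4\|[\d\.]+\|\d+\|\d+\|a\w*$',
                         re.I | re.M)
    results = []
    for item in cnregex.findall(data):
        unit_items = item.split('|')
        starting_ip = unit_items[3]
        num_ip = int(unit_items[4])
        # IPv4 delegations are whole CIDR blocks, so num_ip is a power of two
        # (assumed, not checked -- as in the original).  bit_length() yields
        # the exponent exactly, whereas int(math.log(num_ip, 2)) is a float
        # division that can land a hair below the integer and silently halve
        # the block.
        prefix_len = 32 - (num_ip.bit_length() - 1)
        host_mask = 0xffffffff ^ (num_ip - 1)
        netmask = '.'.join(str((host_mask >> shift) & 0xff)
                           for shift in (24, 16, 8, 0))
        results.append((starting_ip, netmask, prefix_len))
    return results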
213 |
def main():
    """Parse ``-p PLATFORM`` / ``-m METRIC`` and run the matching generator.

    Unknown platforms are rejected by argparse's ``choices``; the trailing
    ``exit(1)`` is kept as a defensive fallback.
    """
    parser = argparse.ArgumentParser(
        description="Generate routing rules for VPN users in China.")
    parser.add_argument('-p', dest='platform', default='openvpn', nargs='?',
                        choices=['openvpn', 'old', 'mac', 'linux', 'win'],
                        help="target platform")
    parser.add_argument('-m', dest='metric', default=5, nargs='?', type=int,
                        help="metric")
    args = parser.parse_args()

    platform = args.platform.lower()
    metric = args.metric
    # Looked up lazily, one branch at a time, so a missing generator only
    # fails when its platform is actually requested.
    if platform == 'openvpn':
        generate_ovpn(metric)
    elif platform == 'old':
        generate_old(metric)
    elif platform == 'linux':
        generate_linux(metric)
    elif platform == 'mac':
        generate_mac(metric)
    elif platform == 'win':
        generate_win(metric)
    else:
        exit(1)
244 |
# Run only when executed as a script, not when imported.
if __name__ == '__main__':
    main()
247 |
--------------------------------------------------------------------------------
/install_script.sh:
--------------------------------------------------------------------------------
1 | #!/bin/bash
2 | #######################################################
3 | # #
4 | # This is a ocserv installation for CentOS 7 and 6 #
5 | # Version: 1.1.1 20181101 #
6 | # Website: https://github.com/chendong12/ocserv #
7 | # #
8 | ####################################################
9 | #
10 | #检测是否是root用户
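function check_root(){
  # Abort unless running as root (EUID 0): every later step writes to /etc,
  # calls yum and reboots.  The message now goes to stderr, and the function
  # returns 0 on the root path (the original `[[ ... ]] && ... && exit 1`
  # chain returned 1 there, which callers happened to ignore).  ${Error} and
  # the colour variables are not defined anywhere in this file and expand to
  # nothing.
  if [[ $EUID -ne 0 ]]; then
    echo -e "${Error} 当前账号非ROOT(或没有ROOT权限),无法继续操作,请使用${Green_background_prefix} sudo su ${Font_color_suffix}来获取临时ROOT权限(执行后会提示输入当前账号的密码)。" >&2
    exit 1
  fi
  return 0
}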
check_sys() {
  # Sets the global `release` to centos/debian/ubuntu.  Any RHEL-style
  # /etc/redhat-release wins outright; otherwise /etc/issue and then
  # /proc/version are grepped in that order.  `release` is left untouched
  # when nothing matches (shell_install then treats it as unsupported).
  local src pat
  if [[ -f /etc/redhat-release ]]; then
    release="centos"
    return 0
  fi
  for src in /etc/issue /proc/version; do
    for pat in debian ubuntu "centos|red hat|redhat"; do
      if cat "$src" | grep -q -E -i "$pat"; then
        case "$pat" in
          debian) release="debian" ;;
          ubuntu) release="ubuntu" ;;
          *)      release="centos" ;;
        esac
        return 0
      fi
    done
  done
}
sys_clean() {
  # Tear down a previous install: packages, generated certificates and configs,
  # and every line this installer (or the radius one) appended to rc.local.
  # Destructive and unconditional -- there is no backup of /etc/raddb or the
  # MariaDB data.
  local path pattern
  yum remove ocserv httpd mariadb-server freeradius freeradius-mysql freeradius-utils -y
  # Unquoted on purpose: the glob has to expand.
  rm -rf /var/www/html/*.p12
  for path in /root/anyconnect/ /tmp/crontab.back /etc/ocserv/ /etc/raddb/ \
              /var/www/html/daloradius /etc/httpd/conf/httpd.conf \
              /root/info.txt /opt/letsencrypt; do
    rm -rf "$path"
  done
  # Each entry is used verbatim as a sed address; they must stay byte-identical
  # to the lines centos3_iptables (and the radius installer) write.
  local -a rc_local_lines=(
    'service ocserv start'
    'service iptables start'
    'service httpd start'
    'echo 1 > \/proc\/sys\/net\/ipv4\/ip_forward'
    'iptables -F'
    'iptables -A INPUT -i lo -j ACCEPT'
    'iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT'
    'iptables -A INPUT -p icmp -j ACCEPT'
    'iptables -A INPUT -p tcp --dport 22 -j ACCEPT'
    'iptables -I INPUT -p tcp --dport 80 -j ACCEPT'
    'iptables -A INPUT -p tcp --dport 4433 -j ACCEPT'
    'iptables -A INPUT -p udp --dport 4433 -j ACCEPT'
    'iptables -A INPUT -j DROP'
    'iptables -t nat -F'
    'iptables -t nat -A POSTROUTING -s 10.12.0.0\/24 -o eth0 -j MASQUERADE'
    '#自动调整mtu,ocserv服务器使用'
    'iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu'
    'systemctl start mariadb'
    'systemctl start httpd'
    'systemctl start radiusd'
    'iptables -I INPUT -p tcp --dport 9090 -j ACCEPT'
  )
  for pattern in "${rc_local_lines[@]}"; do
    sed -i "/${pattern}/d" /etc/rc.d/rc.local
  done
}
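function centos1_ntp(){
  # Base-system prep: SELinux off, NTP, Asia/Shanghai timezone, a periodic
  # ntpdate cron entry, EPEL, and firewalld removed in favour of the iptables
  # rules written later by centos3_iptables.
  local cron_line='0-59/10 * * * * /usr/sbin/ntpdate -u cn.pool.ntp.org'
  # NOTE(review): this turns SELinux off permanently and stops firewalld; the
  # host then relies solely on the iptables rules from centos3_iptables.
  setenforce 0
  sed -i "s/SELINUX=enforcing/SELINUX=disabled/g" /etc/selinux/config
  yum -y install ntp
  service ntpd restart
  cp -rf /usr/share/zoneinfo/Asia/Shanghai /etc/localtime
  cd /root
  # Install the ntpdate job by merging it into root's existing crontab.  The
  # original appended it to /tmp/crontab.back and then installed that file as
  # the whole crontab: a fixed name in a world-writable directory that any
  # local user can pre-create (its contents would then run as root), and it
  # also discarded whatever crontab entries root already had.  Any later
  # script that still rebuilds the crontab from /tmp/crontab.back must merge
  # the same way or it will drop this entry.
  { crontab -l 2>/dev/null | grep -vF -- "$cron_line"; printf '%s\n' "$cron_line"; } | crontab -
  systemctl restart crond
  yum install net-tools -y
  yum install epel-release -y
  systemctl stop firewalld
  systemctl disable firewalld
  yum install lynx wget expect iptables -y
}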
function centos2_ocserv(){
  # Installs ocserv + httpd, creates a private CA, the server certificate and
  # a CRL under /root/anyconnect, then fetches ocserv.conf and the user
  # management scripts from GitHub.
  yum install epel-release wget -y
  yum install ocserv httpd -y
  mkdir /root/anyconnect
  cd /root/anyconnect
  # Generate the CA key.  It stays in /root/anyconnect and (per the README)
  # signs every client certificate via gen-client-cert.sh, so that directory
  # must stay root-only.
  certtool --generate-privkey --outfile ca-key.pem
  # NOTE(review): the three heredocs that fill ca.tmpl, server.tmpl and
  # crl.tmpl (original lines 87-119, including the CA/server certtool calls)
  # were dropped by the page extraction; the next four lines are a remnant of
  # `cat >ca.tmpl <<_EOF_ ... _EOF_` etc. and are not runnable as shown.  See
  # the upstream file for the templates.
  cat >ca.tmpl <server.tmpl <crl.tmpl
  crl_next_update = 365
  crl_number = 1
  _EOF_
  certtool --generate-crl --load-ca-privkey ca-key.pem \
  --load-ca-certificate ca-cert.pem \
  --template crl.tmpl --outfile crl.pem
  cp crl.pem /etc/ocserv/
  # Configure ocserv
  cd /etc/ocserv/
  rm -rf ocserv.conf
  # NOTE(review): --no-check-certificate disables TLS verification for a file
  # that becomes the server's configuration and, below, for three scripts
  # that are then run as root.  Anyone on the network path can substitute
  # their own content; drop the flag (GitHub's certificate validates fine on
  # CentOS 7) and ideally pin a commit or verify a checksum.
  wget --no-check-certificate https://raw.githubusercontent.com/chendong12/ocserv/master/ocserv.conf
  #
  cd /root/anyconnect
  wget --no-check-certificate https://raw.githubusercontent.com/chendong12/ocserv/master/gen-client-cert.sh
  wget --no-check-certificate https://raw.githubusercontent.com/chendong12/ocserv/master/user_add.sh
  wget --no-check-certificate https://raw.githubusercontent.com/chendong12/ocserv/master/user_del.sh
  chmod +x gen-client-cert.sh
  chmod +x user_add.sh
  chmod +x user_del.sh
}
centos3_iptables(){
  # Enables IPv4 forwarding, persists the firewall/NAT rules into rc.local
  # (they are re-applied at boot) and reboots the machine.
  echo 1 > /proc/sys/net/ipv4/ip_forward
  # NOTE(review): appended unconditionally, so every re-run adds another
  # duplicate line to sysctl.conf (guard with a grep -q before echoing).
  echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf
  sysctl -p
  chmod +x /etc/rc.d/rc.local
  # NOTE(review): this was `cat >> /etc/rc.d/rc.local <<EOF` followed by a few
  # lines (original 146-148, ending in `echo 1 > /proc/sys/net/ipv4/ip_forward`)
  # that the page extraction dropped.  Everything from here down to EOF is the
  # rest of that heredoc, i.e. it is *written to rc.local* to run at boot, not
  # executed here.  sys_clean deletes these exact lines again, so they must
  # stay byte-identical.  Rule summary: loopback, established, ICMP, SSH, 80,
  # ocserv on 4433/tcp+udp are accepted and everything else inbound is
  # dropped; the FORWARD chain is left open, so VPN clients can reach
  # anything this host can route to; NAT assumes eth0 is the uplink.
  cat >> /etc/rc.d/rc.local < /proc/sys/net/ipv4/ip_forward
  iptables -F
  iptables -A INPUT -i lo -j ACCEPT
  iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
  iptables -A INPUT -p icmp -j ACCEPT
  iptables -A INPUT -p tcp --dport 22 -j ACCEPT
  iptables -I INPUT -p tcp --dport 80 -j ACCEPT
  iptables -A INPUT -p tcp --dport 4433 -j ACCEPT
  iptables -A INPUT -p udp --dport 4433 -j ACCEPT
  iptables -A INPUT -j DROP
  iptables -t nat -F
  iptables -t nat -A POSTROUTING -s 10.12.0.0/24 -o eth0 -j MASQUERADE
  #自动调整mtu,ocserv服务器使用
  iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
  EOF
  echo "Anyconnect服务器安装完成,服务准备重启,重启后即可正常使用"
  reboot
}
centos_install() {
  # Full CentOS install, in order: wipe any previous install, base-system
  # tweaks, ocserv + certificates, firewall rules (the last step reboots).
  local step
  for step in sys_clean centos1_ntp centos2_ocserv centos3_iptables; do
    "$step"
  done
}
shell_install() {
  # Entry point: require root, detect the distro, and only proceed on CentOS
  # (an unset `release` falls into the unsupported branch as well).
  check_root
  check_sys
  case "${release}" in
    centos)
      centos_install
      ;;
    *)
      echo "您的操作系统不是Cenos,请更换操作系统之后再试"
      exit 1
      ;;
  esac
}
# Script entry point: privilege/distro checks, then the CentOS installer,
# which ends with a reboot.
shell_install
182 |
--------------------------------------------------------------------------------
/radius/ocserv_install.sh:
--------------------------------------------------------------------------------
1 | #!/bin/bash
2 | #######################################################
3 | # #
4 | # This is a ocserv installation for CentOS 7 and 6 #
5 | # Version: 1.1.2 20190521 #
6 | # Author: haolong,zcm8483@gmail.com #
7 | # Website: https://github.com/chendong12/ocserv #
8 | # #
9 | ####################################################
10 | #
11 | #Check if it is root user
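function check_root(){
  # Abort unless running as root (EUID 0): every later step writes to /etc,
  # calls yum and reboots.  The message now goes to stderr, and the function
  # returns 0 on the root path (the original `[[ ... ]] && ... && exit 1`
  # chain returned 1 there, which callers happened to ignore).  ${Error} and
  # the colour variables are not defined anywhere in this file and expand to
  # nothing.
  if [[ $EUID -ne 0 ]]; then
    echo -e "${Error} The current account is not ROOT (or no ROOT permission). You cannot continue to operate. Please use ${Green_background_prefix} sudo su ${Font_color_suffix}To get ROOT permissions (you will be prompted to enter the current account password after execution)." >&2
    exit 1
  fi
  return 0
}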
check_sys() {
  # Sets the global `release` to centos/debian/ubuntu.  Any RHEL-style
  # /etc/redhat-release wins outright; otherwise /etc/issue and then
  # /proc/version are grepped in that order.  `release` is left untouched
  # when nothing matches (shell_install then treats it as unsupported).
  local src pat
  if [[ -f /etc/redhat-release ]]; then
    release="centos"
    return 0
  fi
  for src in /etc/issue /proc/version; do
    for pat in debian ubuntu "centos|red hat|redhat"; do
      if cat "$src" | grep -q -E -i "$pat"; then
        case "$pat" in
          debian) release="debian" ;;
          ubuntu) release="ubuntu" ;;
          *)      release="centos" ;;
        esac
        return 0
      fi
    done
  done
}
sys_clean() {
  # Tear down a previous install: packages, generated certificates and configs,
  # and every line this installer (or the radius one) appended to rc.local.
  # Destructive and unconditional -- there is no backup of /etc/raddb or the
  # MariaDB data.
  local path pattern
  yum remove ocserv httpd mariadb-server freeradius freeradius-mysql freeradius-utils -y
  # Unquoted on purpose: the glob has to expand.
  rm -rf /var/www/html/*.p12
  for path in /root/anyconnect/ /tmp/crontab.back /etc/ocserv/ /etc/raddb/ \
              /var/www/html/daloradius /etc/httpd/conf/httpd.conf \
              /root/info.txt /opt/letsencrypt; do
    rm -rf "$path"
  done
  # Each entry is used verbatim as a sed address; they must stay byte-identical
  # to the lines centos3_iptables (and the radius installer) write.
  local -a rc_local_lines=(
    'service ocserv start'
    'service iptables start'
    'service httpd start'
    'echo 1 > \/proc\/sys\/net\/ipv4\/ip_forward'
    'iptables -F'
    'iptables -A INPUT -i lo -j ACCEPT'
    'iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT'
    'iptables -A INPUT -p icmp -j ACCEPT'
    'iptables -A INPUT -p tcp --dport 22 -j ACCEPT'
    'iptables -I INPUT -p tcp --dport 80 -j ACCEPT'
    'iptables -A INPUT -p tcp --dport 4433 -j ACCEPT'
    'iptables -A INPUT -p udp --dport 4433 -j ACCEPT'
    'iptables -A INPUT -j DROP'
    'iptables -t nat -F'
    'iptables -t nat -A POSTROUTING -s 10.12.0.0\/24 -o eth0 -j MASQUERADE'
    '#Automatically adjust mtu, ocserv server use'
    'iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu'
    'systemctl start mariadb'
    'systemctl start httpd'
    'systemctl start radiusd'
    'iptables -I INPUT -p tcp --dport 9090 -j ACCEPT'
  )
  for pattern in "${rc_local_lines[@]}"; do
    sed -i "/${pattern}/d" /etc/rc.d/rc.local
  done
}
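function centos1_ntp(){
  # Base-system prep: SELinux off, NTP, Asia/Shanghai timezone, a periodic
  # ntpdate cron entry, EPEL, and firewalld removed in favour of the iptables
  # rules written later by centos3_iptables.
  local cron_line='0-59/10 * * * * /usr/sbin/ntpdate -u cn.pool.ntp.org'
  # NOTE(review): this turns SELinux off permanently and stops firewalld; the
  # host then relies solely on the iptables rules from centos3_iptables.
  setenforce 0
  sed -i "s/SELINUX=enforcing/SELINUX=disabled/g" /etc/selinux/config
  yum -y install ntp
  service ntpd restart
  cp -rf /usr/share/zoneinfo/Asia/Shanghai /etc/localtime
  cd /root
  # Install the ntpdate job by merging it into root's existing crontab.  The
  # original appended it to /tmp/crontab.back and then installed that file as
  # the whole crontab: a fixed name in a world-writable directory that any
  # local user can pre-create (its contents would then run as root), and it
  # also discarded whatever crontab entries root already had.  Any later
  # script that still rebuilds the crontab from /tmp/crontab.back must merge
  # the same way or it will drop this entry.
  { crontab -l 2>/dev/null | grep -vF -- "$cron_line"; printf '%s\n' "$cron_line"; } | crontab -
  systemctl restart crond
  yum install net-tools -y
  yum install epel-release -y
  systemctl stop firewalld
  systemctl disable firewalld
  yum install lynx wget expect iptables -y
}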
function centos2_ocserv(){
  # Installs ocserv + httpd, creates a private CA, the server certificate and
  # a CRL under /root/anyconnect, then fetches ocserv.conf and the user
  # management scripts from GitHub.
  yum install ocserv httpd -y
  mkdir /root/anyconnect
  cd /root/anyconnect
  # Generate the CA key.  It stays in /root/anyconnect and (per the README)
  # signs every client certificate via gen-client-cert.sh, so that directory
  # must stay root-only.
  certtool --generate-privkey --outfile ca-key.pem
  # NOTE(review): the three heredocs that fill ca.tmpl, server.tmpl and
  # crl.tmpl (original lines 87-119, including the CA/server certtool calls)
  # were dropped by the page extraction; the next four lines are a remnant of
  # `cat >ca.tmpl <<_EOF_ ... _EOF_` etc. and are not runnable as shown.  See
  # the upstream file for the templates.
  cat >ca.tmpl <server.tmpl <crl.tmpl
  crl_next_update = 365
  crl_number = 1
  _EOF_
  # NOTE(review): unlike install_script.sh this variant never copies crl.pem
  # into /etc/ocserv/; whether the downloaded ocserv.conf expects it there
  # cannot be seen from this file -- verify on a fresh install.
  certtool --generate-crl --load-ca-privkey ca-key.pem \
  --load-ca-certificate ca-cert.pem \
  --template crl.tmpl --outfile crl.pem
  #Configuring ocserv
  cd /etc/ocserv/
  rm -rf ocserv.conf
  # NOTE(review): the server config and three scripts that are then run as
  # root are fetched straight from the master branch with no pinning or
  # checksum; anything pushed to that branch lands on every new install.
  # Pin a commit (or verify a sha256) for reproducible, reviewable installs.
  wget https://raw.githubusercontent.com/chendong12/ocserv/master/ocserv.conf
  #
  cd /root/anyconnect
  wget https://raw.githubusercontent.com/chendong12/ocserv/master/gen-client-cert.sh
  wget https://raw.githubusercontent.com/chendong12/ocserv/master/user_add.sh
  wget https://raw.githubusercontent.com/chendong12/ocserv/master/user_del.sh
  chmod +x gen-client-cert.sh
  chmod +x user_add.sh
  chmod +x user_del.sh
}
centos3_iptables(){
  # Enables IPv4 forwarding, persists the firewall/NAT rules into rc.local
  # (they are re-applied at boot) and reboots the machine.
  echo 1 > /proc/sys/net/ipv4/ip_forward
  # NOTE(review): appended unconditionally, so every re-run adds another
  # duplicate line to sysctl.conf (guard with a grep -q before echoing).
  echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf
  sysctl -p
  service iptables start
  chmod +x /etc/rc.d/rc.local
  # NOTE(review): this was `cat >> /etc/rc.d/rc.local <<EOF` followed by a few
  # lines (original 146-149, ending in `echo 1 > /proc/sys/net/ipv4/ip_forward`)
  # that the page extraction dropped.  Everything from here down to EOF is the
  # rest of that heredoc, i.e. it is *written to rc.local* to run at boot, not
  # executed here.  sys_clean deletes these exact lines again, so they must
  # stay byte-identical.  Rule summary: loopback, established, ICMP, SSH, 80,
  # ocserv on 4433/tcp+udp are accepted and everything else inbound is
  # dropped; the FORWARD chain is left open, so VPN clients can reach
  # anything this host can route to; NAT assumes eth0 is the uplink.
  cat >> /etc/rc.d/rc.local < /proc/sys/net/ipv4/ip_forward
  iptables -F
  iptables -A INPUT -i lo -j ACCEPT
  iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
  iptables -A INPUT -p icmp -j ACCEPT
  iptables -A INPUT -p tcp --dport 22 -j ACCEPT
  iptables -I INPUT -p tcp --dport 80 -j ACCEPT
  iptables -A INPUT -p tcp --dport 4433 -j ACCEPT
  iptables -A INPUT -p udp --dport 4433 -j ACCEPT
  iptables -A INPUT -j DROP
  iptables -t nat -F
  iptables -t nat -A POSTROUTING -s 10.12.0.0/24 -o eth0 -j MASQUERADE
  #Automatically adjust mtu, ocserv server use
  iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
  EOF
  reboot
}
centos_install() {
  # Full CentOS install, in order: wipe any previous install, base-system
  # tweaks, ocserv + certificates, firewall rules (the last step reboots).
  local step
  for step in sys_clean centos1_ntp centos2_ocserv centos3_iptables; do
    "$step"
  done
}
shell_install() {
  # Entry point: require root, detect the distro, and only proceed on CentOS
  # (an unset `release` falls into the unsupported branch as well).
  check_root
  check_sys
  case "${release}" in
    centos)
      centos_install
      ;;
    *)
      echo "Your operating system is not Cenos, please try again after replacing the operating system."
      exit 1
      ;;
  esac
}
# Script entry point: privilege/distro checks, then the CentOS installer,
# which ends with a reboot.
shell_install
182 |
--------------------------------------------------------------------------------
/no-route.txt:
--------------------------------------------------------------------------------
1 | no-route = 192.168.0.0/16
2 | no-route = 172.16.0.0/12
3 | no-route = 10.0.0.0/8
4 | no-route = 1.0.0.0/255.192.0.0
5 | no-route = 1.64.0.0/255.224.0.0
6 | no-route = 1.112.0.0/255.248.0.0
7 | no-route = 1.176.0.0/255.240.0.0
8 | no-route = 1.192.0.0/255.240.0.0
9 | no-route = 14.0.0.0/255.224.0.0
10 | no-route = 14.96.0.0/255.224.0.0
11 | no-route = 14.128.0.0/255.224.0.0
12 | no-route = 14.192.0.0/255.224.0.0
13 | no-route = 27.0.0.0/255.192.0.0
14 | no-route = 27.96.0.0/255.224.0.0
15 | no-route = 27.128.0.0/255.224.0.0
16 | no-route = 27.176.0.0/255.240.0.0
17 | no-route = 27.192.0.0/255.224.0.0
18 | no-route = 27.224.0.0/255.252.0.0
19 | no-route = 36.0.0.0/255.192.0.0
20 | no-route = 36.96.0.0/255.224.0.0
21 | no-route = 36.128.0.0/255.192.0.0
22 | no-route = 36.192.0.0/255.224.0.0
23 | no-route = 36.240.0.0/255.240.0.0
24 | no-route = 39.0.0.0/255.255.0.0
25 | no-route = 39.64.0.0/255.224.0.0
26 | no-route = 39.96.0.0/255.240.0.0
27 | no-route = 39.128.0.0/255.192.0.0
28 | no-route = 40.72.0.0/255.254.0.0
29 | no-route = 40.124.0.0/255.252.0.0
30 | no-route = 42.0.0.0/255.248.0.0
31 | no-route = 42.48.0.0/255.240.0.0
32 | no-route = 42.80.0.0/255.240.0.0
33 | no-route = 42.96.0.0/255.224.0.0
34 | no-route = 42.128.0.0/255.128.0.0
35 | no-route = 43.224.0.0/255.224.0.0
36 | no-route = 45.65.16.0/255.255.240.0
37 | no-route = 45.112.0.0/255.240.0.0
38 | no-route = 45.248.0.0/255.248.0.0
39 | no-route = 47.92.0.0/255.252.0.0
40 | no-route = 47.96.0.0/255.224.0.0
41 | no-route = 49.0.0.0/255.128.0.0
42 | no-route = 49.128.0.0/255.224.0.0
43 | no-route = 49.192.0.0/255.192.0.0
44 | no-route = 52.80.0.0/255.252.0.0
45 | no-route = 54.222.0.0/255.254.0.0
46 | no-route = 58.0.0.0/255.128.0.0
47 | no-route = 58.128.0.0/255.224.0.0
48 | no-route = 58.192.0.0/255.224.0.0
49 | no-route = 58.240.0.0/255.240.0.0
50 | no-route = 59.32.0.0/255.224.0.0
51 | no-route = 59.64.0.0/255.224.0.0
52 | no-route = 59.96.0.0/255.240.0.0
53 | no-route = 59.144.0.0/255.240.0.0
54 | no-route = 59.160.0.0/255.224.0.0
55 | no-route = 59.192.0.0/255.192.0.0
56 | no-route = 60.0.0.0/255.224.0.0
57 | no-route = 60.48.0.0/255.240.0.0
58 | no-route = 60.160.0.0/255.224.0.0
59 | no-route = 60.192.0.0/255.192.0.0
60 | no-route = 61.0.0.0/255.192.0.0
61 | no-route = 61.80.0.0/255.248.0.0
62 | no-route = 61.128.0.0/255.192.0.0
63 | no-route = 61.224.0.0/255.224.0.0
64 | no-route = 91.234.36.0/255.255.255.0
65 | no-route = 101.0.0.0/255.128.0.0
66 | no-route = 101.128.0.0/255.224.0.0
67 | no-route = 101.192.0.0/255.240.0.0
68 | no-route = 101.224.0.0/255.224.0.0
69 | no-route = 103.0.0.0/255.0.0.0
70 | no-route = 106.0.0.0/255.128.0.0
71 | no-route = 106.224.0.0/255.240.0.0
72 | no-route = 110.0.0.0/255.128.0.0
73 | no-route = 110.144.0.0/255.240.0.0
74 | no-route = 110.160.0.0/255.224.0.0
75 | no-route = 110.192.0.0/255.192.0.0
76 | no-route = 111.0.0.0/255.192.0.0
77 | no-route = 111.64.0.0/255.224.0.0
78 | no-route = 111.112.0.0/255.240.0.0
79 | no-route = 111.128.0.0/255.192.0.0
80 | no-route = 111.192.0.0/255.224.0.0
81 | no-route = 111.224.0.0/255.240.0.0
82 | no-route = 112.0.0.0/255.128.0.0
83 | no-route = 112.128.0.0/255.240.0.0
84 | no-route = 112.192.0.0/255.252.0.0
85 | no-route = 112.224.0.0/255.224.0.0
86 | no-route = 113.0.0.0/255.128.0.0
87 | no-route = 113.128.0.0/255.240.0.0
88 | no-route = 113.192.0.0/255.192.0.0
89 | no-route = 114.16.0.0/255.240.0.0
90 | no-route = 114.48.0.0/255.240.0.0
91 | no-route = 114.64.0.0/255.192.0.0
92 | no-route = 114.128.0.0/255.240.0.0
93 | no-route = 114.192.0.0/255.192.0.0
94 | no-route = 115.0.0.0/255.0.0.0
95 | no-route = 116.0.0.0/255.0.0.0
96 | no-route = 117.0.0.0/255.128.0.0
97 | no-route = 117.128.0.0/255.192.0.0
98 | no-route = 118.16.0.0/255.240.0.0
99 | no-route = 118.64.0.0/255.192.0.0
100 | no-route = 118.128.0.0/255.128.0.0
101 | no-route = 119.0.0.0/255.128.0.0
102 | no-route = 119.128.0.0/255.192.0.0
103 | no-route = 119.224.0.0/255.224.0.0
104 | no-route = 120.0.0.0/255.192.0.0
105 | no-route = 120.64.0.0/255.224.0.0
106 | no-route = 120.128.0.0/255.240.0.0
107 | no-route = 120.192.0.0/255.192.0.0
108 | no-route = 121.0.0.0/255.128.0.0
109 | no-route = 121.192.0.0/255.192.0.0
110 | no-route = 122.0.0.0/254.0.0.0
111 | no-route = 124.0.0.0/255.0.0.0
112 | no-route = 125.0.0.0/255.128.0.0
113 | no-route = 125.160.0.0/255.224.0.0
114 | no-route = 125.192.0.0/255.192.0.0
115 | no-route = 137.59.88.0/255.255.252.0
116 | no-route = 139.0.0.0/255.224.0.0
117 | no-route = 139.128.0.0/255.128.0.0
118 | no-route = 140.64.0.0/255.240.0.0
119 | no-route = 140.128.0.0/255.240.0.0
120 | no-route = 140.192.0.0/255.192.0.0
121 | no-route = 144.0.0.0/255.248.0.0
122 | no-route = 144.12.0.0/255.255.0.0
123 | no-route = 144.48.0.0/255.248.0.0
124 | no-route = 144.123.0.0/255.255.0.0
125 | no-route = 144.255.0.0/255.255.0.0
126 | no-route = 146.196.0.0/255.255.128.0
127 | no-route = 150.0.0.0/255.255.0.0
128 | no-route = 150.96.0.0/255.224.0.0
129 | no-route = 150.128.0.0/255.240.0.0
130 | no-route = 150.192.0.0/255.192.0.0
131 | no-route = 152.104.128.0/255.255.128.0
132 | no-route = 153.0.0.0/255.192.0.0
133 | no-route = 153.96.0.0/255.224.0.0
134 | no-route = 157.0.0.0/255.255.0.0
135 | no-route = 157.18.0.0/255.255.0.0
136 | no-route = 157.61.0.0/255.255.0.0
137 | no-route = 157.112.0.0/255.240.0.0
138 | no-route = 157.144.0.0/255.240.0.0
139 | no-route = 157.255.0.0/255.255.0.0
140 | no-route = 159.226.0.0/255.255.0.0
141 | no-route = 160.19.0.0/255.255.0.0
142 | no-route = 160.20.48.0/255.255.252.0
143 | no-route = 160.202.0.0/255.255.0.0
144 | no-route = 160.238.64.0/255.255.252.0
145 | no-route = 161.207.0.0/255.255.0.0
146 | no-route = 162.105.0.0/255.255.0.0
147 | no-route = 163.0.0.0/255.192.0.0
148 | no-route = 163.96.0.0/255.224.0.0
149 | no-route = 163.128.0.0/255.192.0.0
150 | no-route = 163.192.0.0/255.224.0.0
151 | no-route = 164.52.0.0/255.255.128.0
152 | no-route = 166.111.0.0/255.255.0.0
153 | no-route = 167.139.0.0/255.255.0.0
154 | no-route = 167.189.0.0/255.255.0.0
155 | no-route = 167.220.244.0/255.255.252.0
156 | no-route = 168.160.0.0/255.255.0.0
157 | no-route = 170.179.0.0/255.255.0.0
158 | no-route = 171.0.0.0/255.128.0.0
159 | no-route = 171.192.0.0/255.224.0.0
160 | no-route = 175.0.0.0/255.128.0.0
161 | no-route = 175.128.0.0/255.192.0.0
162 | no-route = 180.64.0.0/255.192.0.0
163 | no-route = 180.128.0.0/255.128.0.0
164 | no-route = 182.0.0.0/255.0.0.0
165 | no-route = 183.0.0.0/255.192.0.0
166 | no-route = 183.64.0.0/255.224.0.0
167 | no-route = 183.128.0.0/255.128.0.0
168 | no-route = 192.124.154.0/255.255.255.0
169 | no-route = 192.140.128.0/255.255.128.0
170 | no-route = 195.78.82.0/255.255.254.0
171 | no-route = 202.0.0.0/255.128.0.0
172 | no-route = 202.128.0.0/255.192.0.0
173 | no-route = 202.192.0.0/255.224.0.0
174 | no-route = 203.0.0.0/255.0.0.0
175 | no-route = 210.0.0.0/255.192.0.0
176 | no-route = 210.64.0.0/255.224.0.0
177 | no-route = 210.160.0.0/255.224.0.0
178 | no-route = 210.192.0.0/255.224.0.0
179 | no-route = 211.64.0.0/255.248.0.0
180 | no-route = 211.80.0.0/255.240.0.0
181 | no-route = 211.96.0.0/255.248.0.0
182 | no-route = 211.136.0.0/255.248.0.0
183 | no-route = 211.144.0.0/255.240.0.0
184 | no-route = 211.160.0.0/255.248.0.0
185 | no-route = 216.250.108.0/255.255.252.0
186 | no-route = 218.0.0.0/255.128.0.0
187 | no-route = 218.160.0.0/255.224.0.0
188 | no-route = 218.192.0.0/255.192.0.0
189 | no-route = 219.64.0.0/255.224.0.0
190 | no-route = 219.128.0.0/255.224.0.0
191 | no-route = 219.192.0.0/255.192.0.0
192 | no-route = 220.96.0.0/255.224.0.0
193 | no-route = 220.128.0.0/255.128.0.0
194 | no-route = 221.0.0.0/255.224.0.0
195 | no-route = 221.96.0.0/255.224.0.0
196 | no-route = 221.128.0.0/255.128.0.0
197 | no-route = 222.0.0.0/255.0.0.0
198 | no-route = 223.0.0.0/255.224.0.0
199 | no-route = 223.64.0.0/255.192.0.0
200 | no-route = 223.128.0.0/255.128.0.0
201 |
--------------------------------------------------------------------------------
/radius/radius_install.sh:
--------------------------------------------------------------------------------
1 | #!/bin/bash
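function set_shell_input1() {
  # Step 1: package installation and the global settings later steps use.
  #
  # sqladmin is the MariaDB root password consumed by set_mysql2.  The
  # historical default is kept so existing installs behave the same, but it
  # is a well-known value from a public repository -- export
  # MYSQL_ROOT_PASSWORD before running the installer to choose your own.
  sqladmin=${MYSQL_ROOT_PASSWORD:-0p0o0i0900}
  yum install lynx -y
  # Public address as seen by an external site, over plain HTTP.  It is only
  # read, never used for anything security-relevant in this function.
  public_ip=$(lynx --source www.monip.org | sed -nre 's/^.* (([0-9]{1,3}\.){3}[0-9]{1,3}).*$/\1/p')
  # Solve the problem of slow ssh access; sshd is not restarted here, so
  # the change takes effect on the next manual restart.
  sed -i "s/GSSAPIAuthentication yes/GSSAPIAuthentication no/g" /etc/ssh/sshd_config
  yum groupinstall "Development tools" -y
  yum install wget vim expect telnet net-tools httpd mariadb-server php php-mysql php-gd php-ldap php-odbc php-pear php-xml php-xmlrpc php-mbstring php-snmp php-soap curl curl-devel -y
  yum install freeradius freeradius-mysql freeradius-utils -y
  systemctl restart mariadb
  systemctl restart httpd
}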
15 | #Configuring the radius database and importing data
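# Run the mysql client as USER with PASSWORD supplied through a 0600 option
# file, so the password never appears on the command line where every local
# user can read it from the process list.  Remaining arguments go to mysql.
_mysql_as() {
  local user=$1 password=$2 optfile rc
  shift 2
  optfile=$(mktemp) || return 1
  chmod 600 "$optfile"
  printf '[client]\nuser=%s\npassword=%s\n' "$user" "$password" > "$optfile"
  mysql --defaults-extra-file="$optfile" "$@"
  rc=$?
  rm -f "$optfile"
  return "$rc"
}

function set_mysql2() {
  # Step 2: set the MariaDB root password (sqladmin, from set_shell_input1),
  # create the radius database and user, and load the FreeRADIUS schema.
  systemctl restart mariadb
  sleep 3
  # A fresh MariaDB has no root password.  On a re-run this fails because
  # one is already set; report it instead of silently running the rest with
  # no credentials.
  if ! mysqladmin -u root password "${sqladmin}"; then
    echo "set_mysql2: could not set the MariaDB root password (already set?)" >&2
    return 1
  fi
  _mysql_as root "${sqladmin}" -e "create database radius;"
  # NOTE(review): the radius DB password is a fixed, published value that is
  # also hard-coded in set_freeradius3, set_daloradius4 and the clearsession
  # cron job; change all of them together.
  _mysql_as root "${sqladmin}" -e "grant all privileges on radius.* to radius@localhost identified by 'p0radius_0p';"
  _mysql_as radius 'p0radius_0p' radius < /etc/raddb/mods-config/sql/main/mysql/schema.sql
  systemctl restart mariadb
}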
25 |
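#######################################
# Wire FreeRADIUS to MariaDB: enable the sql module, turn on auth logging,
# make sql mandatory in the default site and fill in the DB credentials.
# Globals:   none
# Arguments: none
# Outputs:   systemctl diagnostics
# Returns:   0 on success, 1 if radiusd fails to restart
#######################################
function set_freeradius3(){
  local raddb=/etc/raddb
  local sqlmod="${raddb}/mods-available/sql"
  local site="${raddb}/sites-available/default"
  # -f makes the link idempotent; plain -s fails when the link already exists.
  ln -sf "${sqlmod}" "${raddb}/mods-enabled/"
  # Log authentication attempts. NOTE(review): auth_badpass/auth_goodpass
  # make radiusd log the submitted passwords as well; keep radius.log
  # restricted while these are enabled.
  sed -i "s/auth = no/auth = yes/g" "${raddb}/radiusd.conf"
  sed -i "s/auth_badpass = no/auth_badpass = yes/g" "${raddb}/radiusd.conf"
  sed -i "s/auth_goodpass = no/auth_goodpass = yes/g" "${raddb}/radiusd.conf"
  # "-sql" marks the module optional in the site config; drop the dash so a
  # broken sql module is a hard error instead of being skipped silently.
  sed -i "s/\-sql/sql/g" "${site}"
  # Insert an "sql" line right after the "session {" section header.
  sed -i '/session {/a\ sql' "${site}"
  sed -i 's/driver = "rlm_sql_null"/driver = "rlm_sql_mysql"/g' "${sqlmod}"
  # Uncomment each matching setting by stripping the leading '#'.
  sed -i '/read_clients = yes/s/^#//' "${sqlmod}"
  sed -i '/dialect = "sqlite"/s/^#//' "${sqlmod}"
  sed -i 's/dialect = "sqlite"/dialect = "mysql"/g' "${sqlmod}"
  sed -i '/server = "localhost"/s/^#//' "${sqlmod}"
  sed -i '/port = 3306/s/^#//' "${sqlmod}"
  sed -i '/login = "radius"/s/^#//' "${sqlmod}"
  sed -i '/password = "radpass"/s/^#//' "${sqlmod}"
  # Must match the account created in set_mysql2.
  sed -i 's/password = "radpass"/password = "p0radius_0p"/g' "${sqlmod}"
  systemctl restart radiusd || {
    echo "radiusd failed to restart; check the sql module config" >&2
    return 1
  }
  sleep 3
}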
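#######################################
# Download and unpack daloRADIUS 0.9-9 under the web root, load its
# database schema and point its config at the radius DB account.
# Globals:   none
# Arguments: none
# Outputs:   wget/tar/yum/systemctl output
# Returns:   0 on success, 1 if the download or unpack fails or if
#            /tmp/daloradius.log is a symlink
#######################################
function set_daloradius4(){
  local webroot=/var/www/html
  local app="${webroot}/daloradius"
  local conf="${app}/library/daloradius.conf.php"
  local tarball=daloradius-0.9-9.tar.gz
  local radius_db_pass='p0radius_0p'
  cd "${webroot}" || return 1
  # Plain-HTTP download from a fixed IP with no integrity check; the archive
  # is unpacked as root and served by httpd, so verify it out of band before
  # using this in production. (--no-check-certificate was dropped: it has no
  # effect on an http:// URL.) Stop here if the download or unpack fails
  # instead of running every later step against a missing tree.
  wget "http://180.188.197.212/down/${tarball}" >/dev/null 2>&1 || return 1
  tar xzvf "${tarball}" || return 1
  mv daloradius-0.9-9 daloradius
  chown -R apache:apache "${app}/"
  # The config file holds the DB password; apache (owner/group) may edit it.
  chmod 664 "${conf}"
  cd "${app}" || return 1
  # MYSQL_PWD keeps the password out of the process list.
  MYSQL_PWD="${radius_db_pass}" mysql -uradius radius < contrib/db/fr2-mysql-daloradius-and-freeradius.sql
  MYSQL_PWD="${radius_db_pass}" mysql -uradius radius < contrib/db/mysql-daloradius.sql
  sleep 3
  sed -i "s/\['CONFIG_DB_USER'\] = 'root'/\['CONFIG_DB_USER'\] = 'radius'/g" "${conf}"
  sed -i "s/\['CONFIG_DB_PASS'\] = ''/\['CONFIG_DB_PASS'\] = '${radius_db_pass}'/g" "${conf}"
  # Switch the PHP DB driver name to mysqli. Word boundaries keep the
  # replacement from re-applying on a second run (mysqli -> mysqlii).
  sed -i "s/\bmysql\b/mysqli/g" "${conf}"
  yum -y install epel-release
  yum -y install php-pear-DB
  systemctl restart mariadb.service
  systemctl restart radiusd.service
  systemctl restart httpd
  # daloRADIUS (running as apache) reads these logs. Grant access via the
  # apache group instead of making them world-readable: the original
  # chmod 644 on /var/log/messages exposed the system log to every local
  # user. Log rotation may recreate the files with their default modes.
  chgrp apache /var/log/messages /var/log/radius/radius.log
  chmod 640 /var/log/messages /var/log/radius/radius.log
  chmod 755 /var/log/radius/
  # Fixed name in world-writable /tmp: refuse a pre-existing symlink so a
  # planted link cannot redirect the chmod/chown below onto another file.
  if [[ -L /tmp/daloradius.log ]]; then
    echo "refusing to use /tmp/daloradius.log: it is a symlink" >&2
    return 1
  fi
  touch /tmp/daloradius.log
  chmod 644 /tmp/daloradius.log
  chown -R apache:apache /tmp/daloradius.log
}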
73 |
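#######################################
# Replace the radacct table definition with the project's patched version.
# Globals:   none
# Arguments: none
# Outputs:   wget/tar/mysql output
# Returns:   0 on success, 1 if the download, unpack or import fails
#######################################
function set_fix_radacct_table5(){
  local radius_db_pass='p0radius_0p'
  local workdir rv=0
  # Use a private scratch directory instead of fixed names under /tmp: with
  # a predictable /tmp/radacct_new.sql another local user could pre-create
  # or swap the file that root then feeds into mysql.
  workdir=$(mktemp -d) || return 1
  cd "${workdir}" || return 1
  sleep 3
  # Plain-HTTP, unauthenticated download; the SQL executed below is not
  # integrity-checked. (--no-check-certificate dropped: no effect on http://.)
  if ! wget http://180.188.197.212/down/radacct_new.sql.tar.gz \
      || ! tar xzvf radacct_new.sql.tar.gz; then
    cd /tmp && rm -rf -- "${workdir}"
    return 1
  fi
  # MYSQL_PWD keeps the password out of the process list.
  MYSQL_PWD="${radius_db_pass}" mysql -uradius radius < "${workdir}/radacct_new.sql" || rv=$?
  # Leave the cwd in /tmp as the original did before cleaning up.
  cd /tmp && rm -rf -- "${workdir}"
  systemctl restart radiusd
  return "${rv}"
}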
84 |
85 | function set_iptables6(){
86 | cat >> /etc/rc.local <
102 | DocumentRoot "/var/www/html/daloradius"
103 | ServerName daloradius
104 | ErrorLog "logs/daloradius-error.log"
105 | CustomLog "logs/daloradius-access.log" common
106 |
107 | " >> /etc/httpd/conf/httpd.conf
108 | cd /var/www/html/
109 | rm -rf *
110 | wget http://180.188.197.212/down/daloradius20180418.tar.gz --no-check-certificate
111 | tar xzvf daloradius20180418.tar.gz
112 | rm -rf daloradius20180418.tar.gz
113 | chown -R apache:apache /var/www/html/daloradius
114 | service httpd restart
115 | sed -i "s/mysql/mysqli/g" /var/www/html/daloradius/library/daloradius.conf.php
116 | mkdir /usr/mysys/
117 | cd /usr/mysys/
118 | wget http://180.188.197.212/down/dbback.tar.gz --no-check-certificate
119 | tar xzvf dbback.tar.gz
120 | rm -rf dbback.tar.gz
121 | echo 'mysql -uradius -pp0radius_0p -e "UPDATE radius.radacct SET acctstoptime = acctstarttime + acctsessiontime WHERE ((UNIX_TIMESTAMP(acctstarttime) + acctsessiontime + 240 - UNIX_TIMESTAMP())<0) AND acctstoptime IS NULL;"' >> /usr/mysys/clearsession.sh
122 | chmod +x /usr/mysys/clearsession.sh
123 | echo '0-59/10 * * * * /usr/mysys/clearsession.sh' >> /tmp/crontab.back
124 | echo '0 0 1 * * /usr/mysys/dbback/backup_radius_db.sh' >> /tmp/crontab.back
125 | crontab /tmp/crontab.back
126 | systemctl restart crond
127 | }
128 |
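#######################################
# Install the RADIUS client library used by ocserv, register the local
# server and write the post-install summary to /root/info.txt.
# Globals:   public_ip (read; set by set_shell_input1)
# Arguments: none
# Outputs:   the summary on stdout
# Returns:   does not return; ends the whole script via exit
#######################################
function set_radiusclient8(){
  local servers=/etc/radiusclient-ng/servers
  local info=/root/info.txt
  yum install radiusclient-ng -y
  # Shared secret between ocserv and the local radiusd (the value matches
  # the stock FreeRADIUS localhost client entry; change both together).
  # Append only once so re-runs do not duplicate the line.
  grep -qxF "localhost testing123" "${servers}" 2>/dev/null \
    || echo "localhost testing123" >> "${servers}"
  # The summary contains the MariaDB root password: create it root-only
  # (umask in a subshell so the script's umask is untouched) and tighten a
  # pre-existing file as well.
  (
    umask 077
    cat > "${info}" <<EOF
==========================================================================
Centos7 VPN installation is complete

The following information will be automatically saved to the /root/info.txt file.

mysql root password:0p0o0i0900

VPN Account management address:http://$public_ip:9090
Username:administrator Password:radius

If you use radius authentication, you need to comment the following line in the /etc/ocserv/ocserv.conf file.
auth = "plain[passwd=/etc/ocserv/ocpasswd]"
#The following method is to use radius authentication. If using radius, please remove the following line comment#
#auth = "radius[config=/etc/radiusclient-ng/radiusclient.conf,groupconfig=true]"
#After remove the following line comment#, The manager can be seen online users in the daloradius.
#acct = "radius[config=/etc/radiusclient-ng/radiusclient.conf]"
After the modification is complete, execute the systemctl restart ocserv command to restart ocserv.

==========================================================================
EOF
  )
  chmod 600 "${info}"
  cat "${info}"
  # This is the last install step; the original ends the script here.
  exit
}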
154 |
#######################################
# Run the installation steps in order. Each step is a function defined
# above; their exit statuses are not checked, so a failing step does not
# stop the ones after it.
# Globals:   none
# Arguments: none
# Returns:   status of the last step (set_radiusclient8 exits the script)
#######################################
function shell_install() {
  local step
  for step in \
      set_shell_input1 set_mysql2 set_freeradius3 set_daloradius4 \
      set_fix_radacct_table5 set_iptables6 set_web_config7 set_radiusclient8; do
    "${step}"
  done
}
165 | shell_install
166 |
--------------------------------------------------------------------------------
/radius_for_ocserv.sh:
--------------------------------------------------------------------------------
1 | #!/bin/bash
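#######################################
# Baseline the host: put SELinux in permissive mode (and disable it for
# the next boot), install ntp with a periodic ntpdate cron job, stop
# firewalld and install the helper packages the later steps need.
# Globals:   none
# Arguments: none
# Outputs:   yum/systemctl output; a warning on stderr if the cron staging
#            file is not trusted
# Returns:   status of the last yum call
#######################################
function centos1_ntp(){
  local cronfile=/tmp/crontab.back
  local ntp_job='0-59/10 * * * * /usr/sbin/ntpdate -u cn.pool.ntp.org'
  # Disabling SELinux and firewalld removes two layers of containment for
  # the services installed below; this is the script's historical choice.
  setenforce 0
  sed -i "s/SELINUX=enforcing/SELINUX=disabled/g" /etc/selinux/config
  yum -y install ntp
  service ntpd restart
  cd /root || return 1
  # The root crontab is staged in a fixed-name file under world-writable
  # /tmp (set_web_config7 appends to the same file later). Refuse a symlink
  # or a file root does not own: installing a pre-planted file with
  # crontab(1) would hand its contents to root's cron.
  if [[ -L "${cronfile}" || ( -e "${cronfile}" && ! -O "${cronfile}" ) ]]; then
    echo "skipping cron setup: ${cronfile} is not a regular file owned by root" >&2
  else
    # Append only once so re-runs do not duplicate the job.
    grep -qxF -- "${ntp_job}" "${cronfile}" 2>/dev/null \
      || echo "${ntp_job}" >> "${cronfile}"
    crontab "${cronfile}"
    systemctl restart crond
  fi
  yum install net-tools -y
  yum install epel-release -y
  systemctl stop firewalld
  systemctl disable firewalld
  yum install lynx wget expect iptables -y
}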
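#######################################
# Install the build tools, web/DB stack and FreeRADIUS packages and
# record the host's public IP for the final report.
# Globals:   sqladmin  (written; MariaDB root password read by set_mysql2,
#                      the same literal is echoed by set_radiusclient8)
#            public_ip (written; shown in /root/info.txt by set_radiusclient8)
# Arguments: none
# Outputs:   package-manager and service output
# Returns:   status of the last systemctl call; package failures are not fatal
#######################################
function set_shell_input1() {
  sqladmin=0p0o0i0900
  yum install lynx -y
  # Cleartext lookup of the public address; only used in the info banner,
  # so an empty result does not affect the install.
  public_ip=$(lynx --source www.monip.org \
    | sed -nre 's/^.* (([0-9]{1,3}\.){3}[0-9]{1,3}).*$/\1/p')
  # Work around slow ssh logins; restart sshd by hand once the script is done.
  sed -i "s/GSSAPIAuthentication yes/GSSAPIAuthentication no/g" /etc/ssh/sshd_config
  # NOTE(review): aliases are not expanded in a non-interactive bash script,
  # so this line has no effect here; kept for fidelity with the original.
  alias cp='cp'
  yum groupinstall "Development tools" -y
  yum install wget vim expect telnet net-tools httpd mariadb-server php php-mysql php-gd php-ldap php-odbc php-pear php-xml php-xmlrpc php-mbstring php-snmp php-soap curl curl-devel -y
  yum install freeradius freeradius-mysql freeradius-utils -y
  systemctl restart mariadb
  systemctl restart httpd
}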
30 | #配置radius数据库并导入数据
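#######################################
# Configure the radius database: set the MariaDB root password, create the
# database and its service account, and load the FreeRADIUS SQL schema.
# Globals:   sqladmin (read; MariaDB root password set in set_shell_input1)
# Arguments: none
# Outputs:   mysql client diagnostics on stderr
# Returns:   0 on success, 1 if the schema import fails
#######################################
function set_mysql2() {
  # Password of the 'radius' DB account; must match the value written into
  # the FreeRADIUS sql module and daloradius.conf.php by the later steps.
  local radius_db_pass='p0radius_0p'
  systemctl restart mariadb
  sleep 3
  # Sets the root password on a fresh install. On a re-run root already has
  # a password and this call fails; the statements below still work because
  # they authenticate with ${sqladmin}. The password is still visible in the
  # process list for the duration of this one call.
  mysqladmin -u root password "${sqladmin}"
  # MYSQL_PWD keeps the passwords out of argv (a -p<password> argument can
  # be read by every local user via ps); the SQL is fed over stdin for the
  # same reason. IF NOT EXISTS makes the step re-runnable.
  MYSQL_PWD="${sqladmin}" mysql -uroot <<SQL
CREATE DATABASE IF NOT EXISTS radius;
GRANT ALL PRIVILEGES ON radius.* TO radius@localhost IDENTIFIED BY '${radius_db_pass}';
SQL
  MYSQL_PWD="${radius_db_pass}" mysql -uradius radius \
    < /etc/raddb/mods-config/sql/main/mysql/schema.sql || return 1
  systemctl restart mariadb
}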
40 |
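#######################################
# Wire FreeRADIUS to MariaDB: enable the sql module, turn on auth logging,
# make sql mandatory in the default site and fill in the DB credentials.
# Globals:   none
# Arguments: none
# Outputs:   systemctl diagnostics
# Returns:   0 on success, 1 if radiusd fails to restart
#######################################
function set_freeradius3(){
  local raddb=/etc/raddb
  local sqlmod="${raddb}/mods-available/sql"
  local site="${raddb}/sites-available/default"
  # -f makes the link idempotent; plain -s fails when the link already exists.
  ln -sf "${sqlmod}" "${raddb}/mods-enabled/"
  # Log authentication attempts. NOTE(review): auth_badpass/auth_goodpass
  # make radiusd log the submitted passwords as well; keep radius.log
  # restricted while these are enabled.
  sed -i "s/auth = no/auth = yes/g" "${raddb}/radiusd.conf"
  sed -i "s/auth_badpass = no/auth_badpass = yes/g" "${raddb}/radiusd.conf"
  sed -i "s/auth_goodpass = no/auth_goodpass = yes/g" "${raddb}/radiusd.conf"
  # "-sql" marks the module optional in the site config; drop the dash so a
  # broken sql module is a hard error instead of being skipped silently.
  sed -i "s/\-sql/sql/g" "${site}"
  # Insert an "sql" line right after the "session {" section header.
  sed -i '/session {/a\ sql' "${site}"
  sed -i 's/driver = "rlm_sql_null"/driver = "rlm_sql_mysql"/g' "${sqlmod}"
  # Uncomment each matching setting by stripping the leading '#'.
  sed -i '/read_clients = yes/s/^#//' "${sqlmod}"
  sed -i '/dialect = "sqlite"/s/^#//' "${sqlmod}"
  sed -i 's/dialect = "sqlite"/dialect = "mysql"/g' "${sqlmod}"
  sed -i '/server = "localhost"/s/^#//' "${sqlmod}"
  sed -i '/port = 3306/s/^#//' "${sqlmod}"
  sed -i '/login = "radius"/s/^#//' "${sqlmod}"
  sed -i '/password = "radpass"/s/^#//' "${sqlmod}"
  # Must match the account created in set_mysql2.
  sed -i 's/password = "radpass"/password = "p0radius_0p"/g' "${sqlmod}"
  systemctl restart radiusd || {
    echo "radiusd failed to restart; check the sql module config" >&2
    return 1
  }
  sleep 3
}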
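#######################################
# Download and unpack daloRADIUS 0.9-9 under the web root, load its
# database schema and point its config at the radius DB account.
# Globals:   none
# Arguments: none
# Outputs:   wget/tar/yum/systemctl output
# Returns:   0 on success, 1 if the download or unpack fails or if
#            /tmp/daloradius.log is a symlink
#######################################
function set_daloradius4(){
  local webroot=/var/www/html
  local app="${webroot}/daloradius"
  local conf="${app}/library/daloradius.conf.php"
  local tarball=daloradius-0.9-9.tar.gz
  local radius_db_pass='p0radius_0p'
  cd "${webroot}" || return 1
  # Plain-HTTP download from a fixed IP with no integrity check; the archive
  # is unpacked as root and served by httpd, so verify it out of band before
  # using this in production. Stop here if the download or unpack fails
  # instead of running every later step against a missing tree.
  wget "http://180.188.197.212/down/${tarball}" >/dev/null 2>&1 || return 1
  tar xzvf "${tarball}" || return 1
  mv daloradius-0.9-9 daloradius
  chown -R apache:apache "${app}/"
  # The config file holds the DB password; apache (owner/group) may edit it.
  chmod 664 "${conf}"
  cd "${app}" || return 1
  # MYSQL_PWD keeps the password out of the process list.
  MYSQL_PWD="${radius_db_pass}" mysql -uradius radius < contrib/db/fr2-mysql-daloradius-and-freeradius.sql
  MYSQL_PWD="${radius_db_pass}" mysql -uradius radius < contrib/db/mysql-daloradius.sql
  sleep 3
  sed -i "s/\['CONFIG_DB_USER'\] = 'root'/\['CONFIG_DB_USER'\] = 'radius'/g" "${conf}"
  sed -i "s/\['CONFIG_DB_PASS'\] = ''/\['CONFIG_DB_PASS'\] = '${radius_db_pass}'/g" "${conf}"
  yum -y install epel-release
  yum -y install php-pear-DB
  systemctl restart mariadb.service
  systemctl restart radiusd.service
  systemctl restart httpd
  # daloRADIUS (running as apache) reads these logs. Grant access via the
  # apache group instead of making them world-readable: the original
  # chmod 644 on /var/log/messages exposed the system log to every local
  # user. Log rotation may recreate the files with their default modes.
  chgrp apache /var/log/messages /var/log/radius/radius.log
  chmod 640 /var/log/messages /var/log/radius/radius.log
  chmod 755 /var/log/radius/
  # Fixed name in world-writable /tmp: refuse a pre-existing symlink so a
  # planted link cannot redirect the chmod/chown below onto another file.
  if [[ -L /tmp/daloradius.log ]]; then
    echo "refusing to use /tmp/daloradius.log: it is a symlink" >&2
    return 1
  fi
  touch /tmp/daloradius.log
  chmod 644 /tmp/daloradius.log
  chown -R apache:apache /tmp/daloradius.log
}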
87 |
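#######################################
# Replace the radacct table definition with the project's patched version.
# Globals:   none
# Arguments: none
# Outputs:   wget/tar/mysql output
# Returns:   0 on success, 1 if the download, unpack or import fails
#######################################
function set_fix_radacct_table5(){
  local radius_db_pass='p0radius_0p'
  local workdir rv=0
  # Use a private scratch directory instead of fixed names under /tmp: with
  # a predictable /tmp/radacct_new.sql another local user could pre-create
  # or swap the file that root then feeds into mysql.
  workdir=$(mktemp -d) || return 1
  cd "${workdir}" || return 1
  sleep 3
  # Plain-HTTP, unauthenticated download; the SQL executed below is not
  # integrity-checked.
  if ! wget http://180.188.197.212/down/radacct_new.sql.tar.gz \
      || ! tar xzvf radacct_new.sql.tar.gz; then
    cd /tmp && rm -rf -- "${workdir}"
    return 1
  fi
  # MYSQL_PWD keeps the password out of the process list.
  MYSQL_PWD="${radius_db_pass}" mysql -uradius radius < "${workdir}/radacct_new.sql" || rv=$?
  # Leave the cwd in /tmp as the original did before cleaning up.
  cd /tmp && rm -rf -- "${workdir}"
  systemctl restart radiusd
  return "${rv}"
}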
98 |
99 | function set_iptables6(){
100 | cat >> /etc/rc.local <
116 | DocumentRoot "/var/www/html/daloradius"
117 | ServerName daloradius
118 | ErrorLog "logs/daloradius-error.log"
119 | CustomLog "logs/daloradius-access.log" common
120 |
121 | " >> /etc/httpd/conf/httpd.conf
122 | cd /var/www/html/
123 | rm -rf *
124 | wget http://180.188.197.212/down/daloradius20180418.tar.gz
125 | tar xzvf daloradius20180418.tar.gz
126 | rm -rf daloradius20180418.tar.gz
127 | chown -R apache:apache /var/www/html/daloradius
128 | service httpd restart
129 | mkdir /usr/mysys/
130 | cd /usr/mysys/
131 | wget http://180.188.197.212/down/dbback.tar.gz
132 | tar xzvf dbback.tar.gz
133 | rm -rf dbback.tar.gz
134 | echo 'mysql -uradius -pp0radius_0p -e "UPDATE radius.radacct SET acctstoptime = acctstarttime + acctsessiontime WHERE ((UNIX_TIMESTAMP(acctstarttime) + acctsessiontime + 240 - UNIX_TIMESTAMP())<0) AND acctstoptime IS NULL;"' >> /usr/mysys/clearsession.sh
135 | chmod +x /usr/mysys/clearsession.sh
136 | echo '0-59/10 * * * * /usr/mysys/clearsession.sh' >> /tmp/crontab.back
137 | echo '0 0 1 * * /usr/mysys/dbback/backup_radius_db.sh' >> /tmp/crontab.back
138 | crontab /tmp/crontab.back
139 | systemctl restart crond
140 | }
141 |
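#######################################
# Install the RADIUS client library used by ocserv, register the local
# server, switch ocserv from password-file to RADIUS authentication and
# write the post-install summary to /root/info.txt.
# Globals:   public_ip (read; set by set_shell_input1)
# Arguments: none
# Outputs:   progress messages and the summary on stdout
# Returns:   does not return; ends the whole script via exit
#######################################
function set_radiusclient8(){
  local servers=/etc/radiusclient-ng/servers
  local ocserv_conf=/etc/ocserv/ocserv.conf
  local info=/root/info.txt
  yum install radiusclient-ng -y
  # Shared secret between ocserv and the local radiusd (the value matches
  # the stock FreeRADIUS localhost client entry; change both together).
  # Append only once so re-runs do not duplicate the line.
  grep -qxF "localhost testing123" "${servers}" 2>/dev/null \
    || echo "localhost testing123" >> "${servers}"
  echo "switch auth to radius"
  if [[ -f "${ocserv_conf}" ]]; then
    # Uncomment the radius auth/acct lines and comment out the plain
    # password-file line. The last pattern is anchored so a re-run does not
    # turn "#auth" into "##auth"; '|' as delimiter avoids escaping every '/'.
    sed -i 's|#auth = "radius\[config=/etc/radiusclient-ng/radiusclient.conf,groupconfig=true\]"|auth = "radius[config=/etc/radiusclient-ng/radiusclient.conf,groupconfig=true]"|g' "${ocserv_conf}"
    sed -i 's|#acct = "radius\[config=/etc/radiusclient-ng/radiusclient.conf\]"|acct = "radius[config=/etc/radiusclient-ng/radiusclient.conf]"|g' "${ocserv_conf}"
    sed -i 's|^auth = "plain\[passwd=/etc/ocserv/ocpasswd\]"|#auth = "plain[passwd=/etc/ocserv/ocpasswd]"|' "${ocserv_conf}"
  else
    echo "${ocserv_conf} not found; ocserv auth left unchanged" >&2
  fi
  systemctl restart ocserv
  # The summary contains the MariaDB root password: create it root-only
  # (umask in a subshell so the script's umask is untouched) and tighten a
  # pre-existing file as well.
  (
    umask 077
    cat > "${info}" <<EOF
==========================================================================
Centos7 VPN 安装完成

以下信息将自动保存到/root/info.txt文件中

mysql root用户密码:0p0o0i0900

VPN 账号管理后台地址:http://$public_ip:9090
账号:administrator 密码:radius

如果使用Raidus 认证需要修改ocserv.conf 配置文件,本脚本已经修改
修改过程如下:
1、需要注释/etc/ocserv/ocserv.conf文件中的下面行密码认证行
auth = "plain[passwd=/etc/ocserv/ocpasswd]"
#下面的方法是使用radius验证用户,如果使用radius,请注释上面的密码验证
#auth = "radius[config=/etc/radiusclient-ng/radiusclient.conf,groupconfig=true]"
#下面这句加上之后,daloradius在线用户中可以看到用户在线
#acct = "radius[config=/etc/radiusclient-ng/radiusclient.conf]"
修改完成之后执行systemctl restart ocserv 命令重启ocserv

==========================================================================
EOF
  )
  chmod 600 "${info}"
  cat "${info}"
  # This is the last install step; the original ends the script here.
  exit
}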
175 |
#######################################
# Run the installation steps in order. Each step is a function defined
# above; their exit statuses are not checked, so a failing step does not
# stop the ones after it.
# Globals:   none
# Arguments: none
# Returns:   status of the last step (set_radiusclient8 exits the script)
#######################################
function shell_install() {
  local step
  for step in \
      centos1_ntp set_shell_input1 set_mysql2 set_freeradius3 \
      set_daloradius4 set_fix_radacct_table5 set_iptables6 \
      set_web_config7 set_radiusclient8; do
    "${step}"
  done
}
187 | shell_install
188 |
--------------------------------------------------------------------------------
/radius/daloradius1.3_install.sh:
--------------------------------------------------------------------------------
1 | #!/bin/bash
2 | sqladmin=0p0o0i0900
3 | client_secret=testing123
4 | public_ip=`curl -s ifconfig.me`
5 | sed -i "s/GSSAPIAuthentication yes/GSSAPIAuthentication no/g" /etc/ssh/sshd_config
6 | alias cp='cp'
7 | yum install yum-utils -y
8 | yum remove httpd* php*
9 |
10 | #nginx + php install
11 | echo '[nginx-stable]
12 | name=nginx stable repo
13 | baseurl=http://nginx.org/packages/centos/$releasever/$basearch/
14 | gpgcheck=1
15 | enabled=1
16 | gpgkey=https://nginx.org/keys/nginx_signing.key
17 | module_hotfixes=true
18 |
19 | [nginx-mainline]
20 | name=nginx mainline repo
21 | baseurl=http://nginx.org/packages/mainline/centos/$releasever/$basearch/
22 | gpgcheck=1
23 | enabled=0
24 | gpgkey=https://nginx.org/keys/nginx_signing.key
25 | module_hotfixes=true' >/etc/yum.repos.d/nginx.repo
26 | yum install nginx -y
27 | #php 7.4 安装,不能安装php8 ,否则图标和一些信息不显示
28 | yum install epel-release yum-utils -y
29 | #
30 | yum install http://rpms.remirepo.net/enterprise/remi-release-7.rpm -y
31 | #列出可以用的php版本
32 | yum --disablerepo="*" --enablerepo="remi-safe" list php[7-9][0-9].x86_64
33 | #
34 | yum-config-manager --enable remi-php74
35 | #
36 | yum install php php-fpm php-mysql php-cli php-devel php-gd php-pecl-memcache php-pspell php-snmp php-xmlrpc php-xml php-pdo php-pgsql php-pecl-redis php-soap php-mbstring php-opcache php-json php-cli php-zip -y
37 |
38 | #php 7.4 修改配置
39 | sed -i 's@;date.timezone =@date.timezone = Asia/Shanghai@g' /etc/php.ini
40 | sed -i 's/user = apache/user = nginx/g' /etc/php-fpm.d/www.conf
41 | sed -i 's/group = apache/group = nginx/g' /etc/php-fpm.d/www.conf
42 |
43 | #将 php-fpm 调整问文件运行
44 | sed -i 's@listen = 127.0.0.1:9000@listen = /var/run/php-fpm/php-fpm.sock@g' /etc/php-fpm.d/www.conf
45 |
46 | #配置监控用户和组
47 | sed -i 's/;listen.owner = nobody/listen.owner = nginx/g' /etc/php-fpm.d/www.conf
48 | sed -i 's/;listen.group = nobody/listen.group = nginx/g' /etc/php-fpm.d/www.conf
49 | sed -i 's/;listen.mode = 0660/listen.mode = 0660/g' /etc/php-fpm.d/www.conf
50 |
51 | #用下面命令将 /etc/php.ini 将;cgi.fix_pathinfo=1修改为cgi.fix_pathinfo=0
52 | sed -i 's/;cgi.fix_pathinfo=1/cgi.fix_pathinfo=0/' /etc/php.ini
53 | #
54 | echo 'server {
55 | listen 9090;
56 | server_name localhost;
57 |
58 | root /var/www/html/daloradius;
59 | index index.php index.html index.htm;
60 |
61 | location / {
62 | try_files $uri $uri/ =404;
63 | }
64 | error_page 404 /404.html;
65 | error_page 500 502 503 504 /50x.html;
66 |
67 | location = /50x.html {
68 | root /usr/share/nginx/html;
69 | }
70 |
71 | location ~ \.php$ {
72 | try_files $uri =404;
73 | fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock;
74 | fastcgi_index index.php;
75 | fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
76 | include fastcgi_params;
77 | }
78 | }' >/etc/nginx/conf.d/daloradius.conf
79 |
80 | chown -R root:nginx /var/lib/php
81 |
82 | yum install wget expect telnet net-tools mariadb-server -y
83 | yum install freeradius freeradius-mysql freeradius-utils -y
84 |
85 | #freeradius 对接 sql
86 | ln -s /etc/raddb/mods-available/sql /etc/raddb/mods-enabled/
87 |
88 | ln -s /etc/raddb/mods-available/sqlippool /etc/raddb/mods-enabled/
89 | sed -i "s/auth = no/auth = yes/g" /etc/raddb/radiusd.conf
90 | sed -i "s/auth_badpass = no/auth_badpass = yes/g" /etc/raddb/radiusd.conf
91 | sed -i "s/auth_goodpass = no/auth_goodpass = yes/g" /etc/raddb/radiusd.conf
92 | sed -i "s/\-sql/sql/g" /etc/raddb/sites-available/default
93 | #Insert content after the found session {string
94 | sed -i '/session {/a\ sql' /etc/raddb/sites-available/default
95 | sed -i 's/driver = "rlm_sql_null"/driver = "rlm_sql_mysql"/g' /etc/raddb/mods-available/sql
96 | #Find the string and remove the comment with the first letter#
97 | sed -i '/read_clients = yes/s/^#//' /etc/raddb/mods-available/sql
98 | sed -i '/dialect = "sqlite"/s/^#//' /etc/raddb/mods-available/sql
99 | sed -i 's/dialect = "sqlite"/dialect = "mysql"/g' /etc/raddb/mods-available/sql
100 | sed -i '/server = "localhost"/s/^#//' /etc/raddb/mods-available/sql
101 | sed -i '/port = 3306/s/^#//' /etc/raddb/mods-available/sql
102 | sed -i '/login = "radius"/s/^#//' /etc/raddb/mods-available/sql
103 | sed -i '/password = "radpass"/s/^#//' /etc/raddb/mods-available/sql
104 | sed -i 's/password = "radpass"/password = "p0radius_0p"/g' /etc/raddb/mods-available/sql
105 | sed -i 's|dialect = ${modules.sql.dialect}|dialect = "mysql"|' /etc/raddb/mods-available/sqlcounter
106 | # Enable used tunnel for unifi
107 | sed -i 's|use_tunneled_reply = no|use_tunneled_reply = yes|' /etc/raddb/mods-available/eap
108 | # Enable status in freeadius
109 | ln -s /etc/raddb/sites-available/status /etc/raddb/sites-enabled/status
110 |
111 |
112 | #配置数据库
113 | systemctl restart mariadb
114 | sleep 3
115 | mysqladmin -u root password ""${sqladmin}""
116 | mysql -uroot -p${sqladmin} -e "create database radius;"
117 | mysql -uroot -p${sqladmin} -e "grant all privileges on radius.* to radius@localhost identified by 'p0radius_0p';"
118 | mysql -uradius -p'p0radius_0p' radius < /etc/raddb/mods-config/sql/main/mysql/schema.sql
119 | mysql -uradius -p'p0radius_0p' radius < /etc/raddb/mods-config/sql/ippool/mysql/schema.sql
120 |
121 | systemctl restart mariadb
122 | systemctl restart radiusd
123 |
124 | #daloradius 1.3 配置
125 |
126 | cd /var/www/html/
127 | wget https://180.188.197.212:/down/daloradius-1.3.tar.gz --no-check-certificate
128 | tar xzvf daloradius-1.3.tar.gz
129 | mv daloradius-1.3 daloradius
130 | cp /var/www/html/daloradius/library/daloradius.conf.php.sample /var/www/html/daloradius/library/daloradius.conf.php
131 | chown -R nginx:nginx /var/www/html/daloradius/
132 | chmod 664 /var/www/html/daloradius/library/daloradius.conf.php
133 | cd /var/www/html/daloradius/
134 | #mysql -uradius -p'p0radius_0p' radius < contrib/db/fr2-mysql-daloradius-and-freeradius.sql
135 | mysql -uradius -p'p0radius_0p' radius < /var/www/html/daloradius/contrib/db/mysql-daloradius.sql
136 | sleep 3
137 | sed -i "s/\['CONFIG_DB_USER'\] = 'root'/\['CONFIG_DB_USER'\] = 'radius'/g" /var/www/html/daloradius/library/daloradius.conf.php
138 | sed -i "s/\['CONFIG_DB_PASS'\] = ''/\['CONFIG_DB_PASS'\] = 'p0radius_0p'/g" /var/www/html/daloradius/library/daloradius.conf.php
139 | sed -i "s|/tmp/daloradius.log|/var/log/daloradius.log|g" /var/www/html/daloradius/library/daloradius.conf.php
140 | chmod 644 /var/log/messages
141 | chmod 755 /var/log/radius/
142 | chmod 644 /var/log/radius/radius.log
143 | touch /var/log/daloradius.log
144 | chown -R nginx:nginx /var/log/daloradius.log
145 | chown -R nginx:nginx /var/www/html/daloradius/
146 |
147 |
148 | #添加中文支持
149 | sed -i '/Russian/i\