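├── 20181213005045.jpg ├── ocserv-down.sh ├── stop-ocserv-sysctl.sh ├── mandrill.md ├── samiptables ├── vars_ocservauto ├── Speeder_reload.sh ├── ocserv.service ├── Speeder_reload.md ├── ocservautofordebian.sh ├── sum-ca-ocserv.conf ├── plain-ca-group.md ├── mandrill.sh ├── start-ocserv-sysctl.sh ├── ocserv-up.sh ├── README.md ├── ocserv_debian ├── Route ├── routerulers ├── ocserv.conf └── ocservauto.sh /20181213005045.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/user1121114685/Ocserv_for_Debian_Ubuntu/HEAD/20181213005045.jpg -------------------------------------------------------------------------------- /ocserv-down.sh: --------------------------------------------------------------------------------
#!/bin/bash
# ocserv-down.sh -- undo ocserv-up.sh: delete the iptables rules it tagged.
# Runs as root from ExecStopPost (see ocserv.service). IP forwarding is left
# on because other services on the host may rely on it; uncomment below to
# switch it off.

# uncomment if you want to turn off IP forwarding
# sysctl -w net.ipv4.ip_forward=0

#del iptables
# ocserv-up.sh tags every rule it adds with a comment of the form
# "<iface> (ocserv)", "<iface> (ocserv2)", ... Replay those rules as -D
# commands through iptables-restore:
#   * the rule text never goes back through a shell (the old version piped a
#     sed-rewritten iptables-save dump into `bash`), and
#   * each rule is deleted from the table iptables-save listed it under
#     instead of guessing the table from the chain name.
# One iptables-restore per rule, so a rule that is already gone does not
# abort the deletion of the others. -n (--noflush) applies only the lines given.
iptables-save | awk '
  /^\*/                        { table = $0; next }
  /^-A / && /\(ocserv[0-9]*\)/ { sub(/^-A /, "-D "); print table "\t" $0 }
' | while IFS=$'\t' read -r table rule; do
  printf '%s\n%s\nCOMMIT\n' "$table" "$rule" | iptables-restore -n
done
-------------------------------------------------------------------------------- /stop-ocserv-sysctl.sh: -------------------------------------------------------------------------------- 1 | #!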
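/bin/bash
# stop-ocserv-sysctl.sh -- undo start-ocserv-sysctl.sh: delete the iptables
# rules it tagged. Run as root. IP forwarding is left on because other
# services on the host may rely on it; uncomment below to switch it off.

# uncomment if you want to turn off IP forwarding
# sysctl -w net.ipv4.ip_forward=0

#del iptables
# start-ocserv-sysctl.sh tags every rule it adds with a comment of the form
# "<iface> (ocserv)", "<iface> (ocserv2)", ... Replay those rules as -D
# commands through iptables-restore: the rule text never goes back through a
# shell (the old version piped a sed-rewritten iptables-save dump into `bash`)
# and each rule is deleted from the table iptables-save listed it under
# instead of guessing the table from the chain name. One restore per rule, so
# a rule that is already gone does not abort the others; -n means no flush.
iptables-save | awk '
  /^\*/                        { table = $0; next }
  /^-A / && /\(ocserv[0-9]*\)/ { sub(/^-A /, "-D "); print table "\t" $0 }
' | while IFS=$'\t' read -r table rule; do
  printf '%s\n%s\nCOMMIT\n' "$table" "$rule" | iptables-restore -n
done
-------------------------------------------------------------------------------- /mandrill.md: --------------------------------------------------------------------------------
# Mandrill

请先注册mandrill帐号,然后获取api,绑定域名。将域名和有效api填写到脚本中。例如
```
API_KEY="123"
DOMAIN="123.com"
```

然后,将脚本和证书文件放到相同文件夹下,执行
```
bash mandrill.sh 'my.p12' 'my-email@abc.com'
```

注意:.p12 文件中包含客户端私钥,脚本会把它作为邮件附件经 Mandrill 发送,邮件服务商在传输和存储过程中都能看到它。请不要在同一封邮件或同一渠道里发送 .p12 的导入密码;收件人导入证书后应删除该邮件;若证书泄露,请通过 ocserv.conf 里配置的 crl 吊销。脚本里写入了 API_KEY,请把脚本权限设为仅 root 可读(`chmod 600 mandrill.sh`)。

# Mailgun

使用mailgun的请查阅https://blog.qmz.me/2014/%E5%9C%A8VPS%E4%B8%8A%E6%90%AD%E5%BB%BAAnyconnect-VPN%E6%9C%8D%E5%8A%A1%E5%99%A8/
-------------------------------------------------------------------------------- /samiptables: --------------------------------------------------------------------------------
#!/bin/bash
# samiptables -- sample static rule set for a hand-configured server
# (client subnet 192.168.10.0/24, tcp-port 999). Subnet and ports are
# hard-coded here; start-ocserv-sysctl.sh / ocserv-up.sh read them from
# ocserv.conf instead. Run as root. These rules carry no "(ocserv)" tag, so
# the *-down.sh scripts on this page do not remove them.
sysctl -w net.ipv4.ip_forward=1 > /dev/null 2>&1
# interface of the default route; MASQUERADE is limited to it
gw_intf_oc=$(ip route show | sed -n 's/^default.* dev \([^ ]*\).*/\1/p')
iptables -t nat -A POSTROUTING -s 192.168.10.0/24 -o "$gw_intf_oc" -j MASQUERADE
iptables -A FORWARD -s 192.168.10.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 999 -j ACCEPT
# NOTE(review): the configs on this page use udp-port = 1999; port 20 matches
# none of them -- confirm the intended DTLS port before using this file.
iptables -A INPUT -p udp --dport 20 -j ACCEPT
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -t mangle -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-------------------------------------------------------------------------------- /vars_ocservauto: -------------------------------------------------------------------------------- 1 | #这是一个用户名密码登录的配置。 2 | #是否自定义安装 3 | Custom_config_ocserv='y' 4 | #是否自签证书 5 | self_signed_ca='y' 6 | caname='ocvpn' 7 | ogname='ocvpn' 8 | coname='ocvpn' 9 | #tcp端口选择 10 | ocserv_tcpport_set='999' 11 | #是否只采用tcp模式 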
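关闭udp端口
only_tcp_port='n'
# if only TCP is used, UDP does not work
ocserv_udpport_set='1999'
# start at boot
ocserv_boot_start='y'
# certificate login; otherwise username/password login
ca_login='n'
# ocserv version to install
# NOTE(review): 0.10.8 is an old release; check for a currently maintained one.
oc_version='0.10.8'
# keep this vars file after the install
save_user_vars='y'
# initial username/password
# NOTE(review): placeholder credentials. Change them (or set ca_login='y')
# before running the installer: the server listens on the public tcp/udp
# ports set above, and 'test'/'test' is the first pair any scanner tries.
username='test'
password='test'
# server domain name (fqdn)
fqdnname='oc.abc.com'
-------------------------------------------------------------------------------- /Speeder_reload.sh: --------------------------------------------------------------------------------
#!/bin/bash
# Speeder_reload.sh -- ocserv connect-script hook for the ServerSpeeder (锐速)
# accelerator: add the ocserv tun interfaces to its `accif` list next to the
# default-route interface, then reload it. Does nothing when ServerSpeeder is
# not running.
# ocserv runs connect-script as root on every client connect, so this file
# must be owned by root and writable by root only.
pgrep -f '/serverspeeder/' > /dev/null 2>&1 || exit 0
OC_CONFIG="/etc/ocserv/ocserv.conf"
# "device = vpns" in ocserv.conf; the tun interfaces carry that prefix
# (vpns0, vpns1, ... in practice).
device=$(sed -n 's/^device.*=[ \t]*//p' "$OC_CONFIG")
# With an empty pattern grep would match every line and push unrelated tokens
# into accif, so stop here instead.
[ -n "$device" ] || exit 0
# every interface name containing $device, joined on one line
wanif=$(ip a | awk '{print $NF}' | grep -- "$device" | sed ':a;N;s/\n/ /;ba;')
[ "$wanif" = "" ] || wanif=" $wanif"
gwif=$(ip route show | sed -n 's/^default.* dev \([^ ]*\).*/\1/p')
sed -i "s/^accif=.*/accif=\"${gwif}${wanif}\"/" /serverspeeder/etc/config
sleep 1
/serverspeeder/bin/serverSpeeder.sh reload
-------------------------------------------------------------------------------- /ocserv.service: --------------------------------------------------------------------------------
[Unit]
Description=OpenConnect SSL VPN server
Documentation=man:ocserv(8)
After=network-online.target
After=dbus.service

[Service]
PrivateTmp=true
PIDFile=/var/run/ocserv/ocserv.pid
# -p: a directory left behind by a crash (ExecStopPost never ran) must not
# make the next start fail
ExecStartPre=/bin/mkdir -p /var/run/ocserv
# installs the NAT/firewall rules; ocserv-down.sh removes them on stop
ExecStartPre=/bin/bash /etc/ocserv/ocserv-up.sh
ExecStart=/usr/sbin/ocserv --foreground --pid-file /var/run/ocserv/ocserv.pid --config /etc/ocserv/ocserv.conf
ExecStopPost=/bin/bash /etc/ocserv/ocserv-down.sh
ExecStopPost=/bin/rm -rf /var/run/ocserv
ExecReload=/bin/kill -HUP $MAINPID

[Install]
WantedBy=multi-user.target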
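-------------------------------------------------------------------------------- /Speeder_reload.md: --------------------------------------------------------------------------------
使用说明
=====================
这是个锐速加速脚本。

前提是锐速开启并且加速默认的出口网卡,例如eth0。如果不清楚,可以用下面命令得知
```
ip route show|sed -n 's/^default.* dev \([^ ]*\).*/\1/p'
```
编辑/etc/ocserv/ocserv.conf,取消ocserv.conf中下面一行的注释并修改为
```
connect-script = /etc/ocserv/Speeder_reload.sh
#disconnect-script = /etc/ocserv/Speeder_reload.sh
```
然后下载脚本,并加上可执行权限
```
wget https://raw.githubusercontent.com/fanyueciyuan/eazy-for-ss/master/ocservauto/Speeder_reload.sh -O /etc/ocserv/Speeder_reload.sh
chmod +x /etc/ocserv/Speeder_reload.sh
```
注意:ocserv 会在每个客户端连接时以 root 身份执行 connect-script。上面的脚本来自第三方仓库且没有校验和,请先阅读脚本内容再赋予执行权限,并确保该文件只有 root 可写。

重启一下ocserv
```
/etc/init.d/ocserv restart
```

From https://www.v2ex.com/t/172292
-------------------------------------------------------------------------------- /ocservautofordebian.sh: --------------------------------------------------------------------------------
#!/bin/bash
# ocservautofordebian.sh -- fetch the installer plus the init script and the
# iptables up/down hooks into /etc/ocserv, then restart the service.
# Must run as root. Everything downloaded here is later executed as root, so
# downloads go over HTTPS with certificate verification left ON, and a file is
# only replaced after its download has completed.
set -e

NET_OC_CONF_DOC="https://raw.githubusercontent.com/fanyueciyuan/eazy-for-ss/master/ocservauto"

# fetch URL DEST MODE -- download URL into a temp file next to DEST, set MODE,
# then move it into place; exits 1 on failure so DEST is never left truncated.
fetch() {
  local url=$1 dest=$2 mode=$3 tmp
  tmp=$(mktemp "${dest}.XXXXXX")
  if ! wget "$url" -O "$tmp"; then
    rm -f -- "$tmp"
    echo "download failed: $url" >&2
    exit 1
  fi
  chmod "$mode" "$tmp"
  mv -f -- "$tmp" "$dest"
}

rm -f ocservauto.sh
# NOTE(review): the previous revision fetched this over plain HTTP with
# --no-check-certificate; the scheme is now https and verification is on.
# The short link is still a redirector -- pin the final URL if you can.
fetch "https://git.io/p9r8" ocservauto.sh 0644

mkdir -p /etc/ocserv
cd /etc/ocserv

fetch "$NET_OC_CONF_DOC/ocserv" /etc/init.d/ocserv 0755
# make systemd pick up the new init script where it is the init system
{ pgrep systemd-journal > /dev/null 2>&1 && systemctl daemon-reload > /dev/null 2>&1; } || true
fetch "$NET_OC_CONF_DOC/ocserv-up.sh" ocserv-up.sh 0755
fetch "$NET_OC_CONF_DOC/ocserv-down.sh" ocserv-down.sh 0755
/etc/init.d/ocserv restart
-------------------------------------------------------------------------------- /sum-ca-ocserv.conf: --------------------------------------------------------------------------------
#sed '/^#/d;/^$/d' /etc/ocserv/ocserv.conf > sum-ca-ocserv.conf
# Condensed ocserv.conf for certificate-only login (auth = "certificate").
# See ocserv.conf on this page for the full description of each key;
# reviewer remarks are marked NOTE(review).
auth = "certificate"
# seccomp/namespace worker isolation is off (see isolate-workers in ocserv.conf)
isolate-workers = false
max-clients = 160
# unlimited concurrent sessions per account
# NOTE(review): 0 lets a copied client certificate be used from any number of
# devices at once without anyone noticing; consider 1 or 2.
max-same-clients = 0
tcp-port = 999
keepalive = 32400
dpd = 90
mobile-dpd = 600
try-mtu-discovery = true
server-cert = /etc/ocserv/server-cert.pem
server-key = /etc/ocserv/server-key.pem
ca-cert = /etc/ocserv/ca-cert.pem
# the username is taken from the client certificate's CN (OID 2.5.4.3)
cert-user-oid = 2.5.4.3
# revoked client certificates; keep it current -- it is the only way to lock
# out a leaked certificate
crl = /etc/ocserv/crl.pem
# NOTE(review): data-channel compression. Compressing attacker-influenced data
# before encryption is the CRIME/BREACH pattern; leave it off unless needed.
compression = true
# SSLv3 is excluded; NORMAL may still admit TLS 1.0/1.1 on older GnuTLS --
# add -VERS-TLS1.0:-VERS-TLS1.1 if all clients support it.
tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-V
ERS-SSL3.0"
auth-timeout = 60
idle-timeout = 1200
mobile-idle-timeout = 2400
cookie-timeout = 300
deny-roaming = false
rekey-time = 172800
rekey-method = ssl
use-utmp = true
use-occtl = true
pid-file = /var/run/ocserv.pid
socket-file = /var/run/ocserv-socket
# NOTE(review): ocserv.conf says this user should be unique to ocserv; nobody
# is shared with other services -- create a dedicated user/group.
run-as-user = nobody
run-as-group = nogroup
device = vpns
predictable-ips = true
# server domain name or IP
default-domain = 1.2.3.4
ipv4-network = 192.168.10.0
ipv4-netmask = 255.255.255.0
dns = 8.8.4.4
dns = 8.8.8.8
ping-leases = false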
cisco-client-compat = true 42 | -------------------------------------------------------------------------------- /plain-ca-group.md: -------------------------------------------------------------------------------- 1 | ## 开启分组模式 2 | 3 | 这里分为两组all和route,一个帐号可以选择全局模式(all)或国内外分流模式(route)。 4 | 5 | ===== 6 | 7 | ### 用户密码方式分组 8 | 9 | 在ocserv.conf文件中取消相应行的注释,并且修改为如下值 10 | 11 | ``` 12 | select-group = Route 13 | select-group = All 14 | auto-select-group = false 15 | config-per-group = /etc/ocserv/config-per-group 16 | ``` 17 | 18 | 需要注意的是,`select-group`这一项的值,是后面所讲的配置文件的`文件全名`。 19 | 20 | 修改或者创建组用户,下面的username是自定义的用户名 21 | 22 | ```shell 23 | ocpasswd -c /etc/ocserv/ocpasswd -g "Route,All" username 24 | ``` 25 | 如果您使用是该脚本进行安装,进行到此步骤即可重启服务器了。下面的文件夹和文件都已被脚本自动创建了。 26 | 27 | 如果没有相关文件和文件夹,请根据说明继续进行操作。 28 | 29 | 创建放置分流组配置文件的文件夹 30 | 31 | ```shell 32 | mkdir /etc/ocserv/config-per-group 33 | ``` 34 | 35 | 写入国内外分流路由规则(规则可以自定,只要写入/etc/ocserv/config-per-group/Route 文件中即可) 36 | 37 | 我们可以参考来自 https://github.com/humiaozuzu/ocserv-build 的一份优化好的路由表来完成分流,可以通过下面命令来配置 38 | 39 | ```shell 40 | wget https://raw.githubusercontent.com/fanyueciyuan/eazy-for-ss/master/ocservauto/Route -O /etc/ocserv/config-per-group/Route 41 | ``` 42 | 43 | 然后创建一个空的All文件 44 | 45 | ``` 46 | touch /etc/ocserv/config-per-group/All 47 | ``` 48 | 49 | 最后重启ocserv即可 50 | 51 | ```shell 52 | service ocserv restart 53 | ``` 54 | 55 | ==== 56 | 57 | ### 证书方式分组 58 | default-select-group = all 默认组的配置,无法载入,测试失败。 59 | 60 | -------------------------------------------------------------------------------- /mandrill.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | #mandrill api curl 3 | #Fullfill api-key and domian 4 | #bash mandrill.sh 'my.p12' '123@123.com' 5 | 6 | API_KEY="" 7 | DOMAIN="" 8 | 9 | FILE_NAME="$1" 10 | EMAIL_AD="$2" 11 | FROM_NAME="Ocserv" 12 | SUBJECT="Ocserv-Clientcert" 13 | MIME_TYPE="application\/x-pkcs12" 14 | #MIME_TYPE="text\/plain" 15 | 
#MIME_TYPE="application\/x-openvpn-profile" 16 | FILE_BASE64=`base64 ${FILE_NAME}` 17 | USER_NAME=`echo ${EMAIL_AD}|cut -d@ -f1` 18 | HTML="

${USER_NAME}您好!


${FROM_NAME}为您生成了一份证书文件。

附件当中的${FILE_NAME}文件是为您生成的身份证书,用于您在使用服务时,提供给服务 19 | 器的身份凭据。


请将上面的证书导入您的终端。



请不要回复此邮件,谢谢!

" 20 | 21 | JSON="{\"key\":\"${API_KEY}\"" 22 | JSON="${JSON},\"message\":{\"html\":\"$HTML\"" 23 | JSON="${JSON},\"subject\":\"$SUBJECT\"" 24 | JSON="${JSON},\"from_email\":\"no-reply@${DOMAIN}\",\"from_name\":\"${FROM_NAME}\"" 25 | JSON="${JSON},\"to\":[{\"email\":\"${EMAIL_AD}\"" 26 | JSON="${JSON},\"name\":\"${USER_NAME}\",\"type\":\"to\"}]" 27 | JSON="${JSON},\"headers\":{\"Reply-To\":\"${EMAIL_AD}\"}" 28 | JSON="${JSON},\"merge\":true" 29 | JSON="${JSON},\"attachments\":[{\"type\":\"${MIME_TYPE}\"" 30 | JSON="${JSON},\"name\":\"${FILE_NAME}\"" 31 | JSON="${JSON},\"content\":\"${FILE_BASE64}\"}]}" 32 | JSON="${JSON},\"ip_pool\":\"Main Pool\"}" 33 | 34 | #保留json文件取消下一行注释 35 | #echo $JSON > ${USER_NAME}.json 36 | 37 | CMD="curl -A 'Mandrill-Curl/1.0' -d '${JSON}' 'https://mandrillapp.com/api/1.0/messages/send.json'" 38 | eval $CMD 39 | -------------------------------------------------------------------------------- /start-ocserv-sysctl.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | #vars 4 | OCSERV_CONFIG="/etc/ocserv/ocserv.conf" 5 | 6 | # turn on IP forwarding 7 | #sysctl -w net.ipv6.conf.all.forwarding=1 > /dev/null 2>&1 8 | sysctl -w net.ipv4.ip_forward=1 > /dev/null 2>&1 9 | 10 | #get gateway and profiles 11 | gw_intf_oc=`ip route show|sed -n 's/^default.* dev \([^ ]*\).*/\1/p'` 12 | ocserv_tcpport=`sed -n 's/^tcp-.*=[ \t]*//p' $OCSERV_CONFIG` 13 | ocserv_udpport=`sed -n 's/^udp-.*=[ \t]*//p' $OCSERV_CONFIG` 14 | ocserv_ip4_work_mask=`sed -n 's/^ipv4-.*=[ \t]*//p' $OCSERV_CONFIG|sed 'N;s|\n|/|g'` 15 | 16 | 17 | # turn on NAT over default gateway and VPN 18 | if !(iptables-save -t nat | grep -q "$gw_intf_oc (ocserv)"); then 19 | iptables -t nat -A POSTROUTING -s $ocserv_ip4_work_mask -o $gw_intf_oc -m comment --comment "$gw_intf_oc (ocserv)" -j MASQUERADE 20 | fi 21 | 22 | if !(iptables-save -t filter | grep -q "$gw_intf_oc (ocserv2)"); then 23 | iptables -A FORWARD -s $ocserv_ip4_work_mask -m 
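comment --comment "$gw_intf_oc (ocserv2)" -j ACCEPT 24 | fi 25 | 26 | if !(iptables-save -t filter | grep -q "$gw_intf_oc (ocserv3)"); then 27 | iptables -A INPUT -p tcp --dport $ocserv_tcpport -m comment --comment "$gw_intf_oc (ocserv3)" -j ACCEPT 28 | fi 29 | 30 | if [ "$ocserv_udpport" != "" ]; then 31 | if !(iptables-save -t filter | grep -q "$gw_intf_oc (ocserv4)"); then 32 | iptables -A INPUT -p udp --dport $ocserv_udpport -m comment --comment "$gw_intf_oc (ocserv4)" -j ACCEPT 33 | fi 34 | fi 35 | 36 | if !(iptables-save -t filter | grep -q "$gw_intf_oc (ocserv5)"); then 37 | iptables -A FORWARD -m state --state RELATED,ESTABLISHED -m comment --comment "$gw_intf_oc (ocserv5)" -j ACCEPT 38 | fi 39 | 40 | # turn on MSS fix 41 | # MSS = MTU - TCP header - IP header 42 | if !(iptables-save -t mangle | grep -q "$gw_intf_oc (ocserv6)"); then 43 | iptables -t mangle -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "$gw_intf_oc (ocserv6)" -j TCPMSS --clamp-mss-to-pmtu 44 | fi 45 | -------------------------------------------------------------------------------- /ocserv-up.sh: --------------------------------------------------------------------------------
#!/bin/bash
# ocserv-up.sh -- enable IPv4 forwarding and install the NAT / filter / mangle
# rules that let ocserv clients reach the network through this host.
# Runs as root from ExecStartPre (see ocserv.service); ocserv-down.sh removes
# every rule tagged here with an "(ocservN)" comment. A rule is added only if
# one carrying the same tag is not already present, so re-running is safe.

#vars
OCSERV_CONFIG="/etc/ocserv/ocserv.conf"

# turn on IP forwarding
#sysctl -w net.ipv6.conf.all.forwarding=1 > /dev/null 2>&1
sysctl -w net.ipv4.ip_forward=1 > /dev/null 2>&1

#get gateway and profiles
# interface of the first default route after sorting; only used in rule tags
gw_intf_oc=$(ip route show 0/0 | sort -k 7 | head -n 1 | sed -n 's/^default.* dev \([^ ]*\).*/\1/p')
ocserv_tcpport=$(sed -n 's/^tcp-.*=[ \t]*//p' "$OCSERV_CONFIG")
ocserv_udpport=$(sed -n 's/^udp-.*=[ \t]*//p' "$OCSERV_CONFIG")
# ipv4-network and ipv4-netmask joined as "net/mask"
ocserv_ip4_work_mask=$(sed -n 's/^ipv4-.*=[ \t]*//p' "$OCSERV_CONFIG" | sed 'N;s|\n|/|g')

# Every rule below needs the client subnet; fail loudly instead of handing
# iptables an empty -s/-d (which it rejects one rule at a time).
if [ -z "$ocserv_ip4_work_mask" ]; then
  echo "ocserv-up.sh: ipv4-network/ipv4-netmask not found in $OCSERV_CONFIG" >&2
  exit 1
fi

# rule_present TABLE TAG -- true if a rule tagged "<gw> (TAG)" exists in TABLE
rule_present() {
  iptables-save -t "$1" | grep -q -F -- "$gw_intf_oc ($2)"
}

# turn on NAT over default gateway and VPN
if ! rule_present nat ocserv; then
  iptables -t nat -A POSTROUTING -s "$ocserv_ip4_work_mask" ! -d "$ocserv_ip4_work_mask" -m comment --comment "$gw_intf_oc (ocserv)" -j MASQUERADE
fi

# Forwarding: accept whatever the VPN clients originate (ocserv2) and only
# reply traffic back towards them (ocserv5). The previous revision had the
# directions swapped (-d on the blanket ACCEPT, -s on RELATED,ESTABLISHED):
# that accepted unsolicited forwarded traffic *into* the client subnet and
# only let clients out while the FORWARD policy happened to be ACCEPT. This
# now matches start-ocserv-sysctl.sh and samiptables.
if ! rule_present filter ocserv2; then
  iptables -A FORWARD -s "$ocserv_ip4_work_mask" -m comment --comment "$gw_intf_oc (ocserv2)" -j ACCEPT
fi

if [ "$ocserv_tcpport" != "" ]; then
  if ! rule_present filter ocserv3; then
    iptables -A INPUT -p tcp --dport "$ocserv_tcpport" -m comment --comment "$gw_intf_oc (ocserv3)" -j ACCEPT
  fi
fi

# udp-port is optional (absent when ocserv runs TCP-only)
if [ "$ocserv_udpport" != "" ]; then
  if ! rule_present filter ocserv4; then
    iptables -A INPUT -p udp --dport "$ocserv_udpport" -m comment --comment "$gw_intf_oc (ocserv4)" -j ACCEPT
  fi
fi

if ! rule_present filter ocserv5; then
  iptables -A FORWARD -d "$ocserv_ip4_work_mask" -m state --state RELATED,ESTABLISHED -m comment --comment "$gw_intf_oc (ocserv5)" -j ACCEPT
fi

# turn on MSS fix
# MSS = MTU - TCP header - IP header
if ! rule_present mangle ocserv6; then
  iptables -t mangle -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "$gw_intf_oc (ocserv6)" -j TCPMSS --clamp-mss-to-pmtu
fi
-------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | ## Ocservauto For Debian 0.8 2 | 3 | This script may help you setup your own openconnect_server in debian(>=7),ubuntu(>=14.04). 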

这是一枚适用于debian的openconnect_server安装脚本。中文详情 [戳这里](http://www.fanyueciyuan.info/fq/ocserv-debian.html)

============

## USAGE
```shell
apt-get update
apt-get upgrade
apt-get install wget
wget -N "https://raw.githubusercontent.com/user1121114685/Ocserv_for_Debian_Ubuntu/master/ocservauto.sh" && chmod +x ocservauto.sh && bash ocservauto.sh
bash ocservauto.sh
```

The installer runs as root and fetches further scripts from GitHub, so download it with certificate verification left on (do not add `--no-check-certificate`) and read it before executing it. The second `bash ocservauto.sh` line simply runs the installer again; the first line has already run it once.

Profiles in /etc/ocserv/

When you change the profiles, restart the vpn server.
```shell
/etc/init.d/ocserv restart
```

You can get help
```shell
bash ocservauto.sh h
```

![首页图片](https://github.com/user1121114685/Ocserv_for_Debian_Ubuntu/blob/master/20181213005045.jpg?raw=true "封面图片简介")

============

## LICENCE
Ocservauto For Debian Copyright (C) liyangyijie released under GNU GPLv2

Ocservauto For Debian Is Based On SSLVPNauto v0.1-A1

SSLVPNauto For Debian Copyright (C) Alex Fang frjalex@gmail.com released under GNU GPLv2



Copyright (C) 2015 liyangyijie

This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.

You should have received a copy of the GNU General Public License along
with this program; if not, write to the Free Software Foundation, Inc.,
51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
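58 | -------------------------------------------------------------------------------- /ocserv_debian: --------------------------------------------------------------------------------
#!/usr/bin/env bash
# ocserv_debian -- SysV init script for the OpenConnect VPN server (ocserv).
# Installed as /etc/init.d/ocserv by ocservautofordebian.sh.
# Usage: /etc/init.d/ocserv { start | stop | restart | status | log | test }
PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:~/bin
export PATH

### BEGIN INIT INFO
# Provides:          ocserv - OpenConnect VPN server
# Required-Start:    $network $local_fs $remote_fs
# Required-Stop:     $network $local_fs $remote_fs
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: Openconnect VPN server (ocserv) is a VPN server compatible with the openconnect VPN client.
# Description:       Start or stop the ocserv
### END INIT INFO

NAME="ocserv"
CONFIG="/etc/ocserv/ocserv.conf"
# written by ocserv itself (pid-file in ocserv.conf); consulted first by check_running
PID_FILE="/var/run/ocserv.pid"
# NOTE(review): nothing in this script writes this file -- do_start leaves the
# daemon's output in nohup.out and ocserv logs through syslog -- so `log` will
# usually report it missing. If a log file is ever wired up, keep it under
# /var/log rather than the world-writable /tmp.
LOG="/tmp/ocserv.log"
# seconds to wait for ocserv to exit after SIGTERM before sending SIGKILL
STOP_TIMEOUT=10

Green_font_prefix="\033[32m" && Red_font_prefix="\033[31m" && Green_background_prefix="\033[42;37m" && Red_background_prefix="\033[41;37m" && Font_color_suffix="\033[0m"
Info="${Green_font_prefix}[信息]${Font_color_suffix}"
Error="${Red_font_prefix}[错误]${Font_color_suffix}"
RETVAL=0

# Set PID to the space-separated PIDs of the running ocserv processes and
# return 0, or return 1 when none is running.
# Only the PID file and processes whose *name* is ocserv (or ocserv-<role>,
# the names its helper processes may carry) are considered. The previous
# `ps -ef | grep ocserv` matched any command line containing that string --
# an editor opened on ocserv.conf, for example -- and do_stop then `kill -9`ed it.
check_running(){
  local pids fpid
  pids=$(pgrep '^ocserv(-|$)')
  if [[ -r ${PID_FILE} ]]; then
    fpid=$(tr -dc '0-9' < "${PID_FILE}")
    if [[ -n ${fpid} ]] && kill -0 "${fpid}" 2>/dev/null; then
      pids="${fpid} ${pids}"
    fi
  fi
  # shellcheck disable=SC2086 -- word-splitting on purpose to list the PIDs
  PID=$(printf '%s\n' ${pids} | sort -un | tr '\n' ' ')
  PID=${PID% }
  [[ -n ${PID} ]]
}
do_start(){
  check_running
  if [[ $? -eq 0 ]]; then
    echo -e "${Info} $NAME (PID ${PID}) 正在运行..." && exit 0
  else
    echo -e "${Info} $NAME 启动中..."
    ulimit -n 51200
    nohup ocserv -f -d 1 -c "${CONFIG}" 2>&1 &
    sleep 2s
    check_running
    if [[ $? -eq 0 ]]; then
      echo -e "${Info} $NAME 启动成功 !"
    else
      echo -e "${Error} $NAME 启动失败 !"
    fi
  fi
}
do_stop(){
  check_running
  if [[ $? -eq 0 ]]; then
    # SIGTERM first so ocserv can shut its workers down and clean up its
    # pid/socket files; SIGKILL only if it is still there after STOP_TIMEOUT.
    # ${PID} is deliberately unquoted: it may hold several PIDs.
    kill ${PID} 2>/dev/null
    local waited=0
    while check_running && [[ ${waited} -lt ${STOP_TIMEOUT} ]]; do
      sleep 1
      waited=$((waited + 1))
    done
    if check_running; then
      kill -9 ${PID}
      sleep 1
    fi
    if check_running; then
      RETVAL=1
      echo -e "${Error} $NAME 停止失败 !"
    else
      RETVAL=0
      rm -f "${PID_FILE}"
      echo -e "${Info} $NAME 停止成功 !"
    fi
  else
    echo -e "${Info} $NAME 未运行"
    RETVAL=1
  fi
}
do_status(){
  check_running
  if [[ $? -eq 0 ]]; then
    echo -e "${Info} $NAME (PID ${PID}) 正在运行..."
  else
    echo -e "${Info} $NAME 未运行 !"
    RETVAL=1
  fi
}
do_restart(){
  do_stop
  do_start
}
do_log(){
  [[ ! -e ${LOG} ]] && echo -e "${Error} 日志文件不存在 !" && exit 0
  echo && echo -e " 按 ${Red_font_prefix}Ctrl+C${Font_color_suffix} 终止查看日志" && echo
  tail -f "${LOG}"
}
# config check (ocserv -t); refused while the server is running
do_test(){
  check_running
  if [[ $? -eq 0 ]]; then
    echo -e "${Info} $NAME (PID ${PID}) 正在运行..." && exit 0
  fi
  echo && echo -e " 提示 note 的不影响使用,提示 Error 的才影响。" && echo
  ocserv -f -t -c "${CONFIG}"
}
case "$1" in
  start|stop|restart|status|log|test)
    do_$1
    ;;
  *)
    echo "使用方法: $0 { start | stop | restart | status | log | test }"
    RETVAL=1
    ;;
esac
exit $RETVAL
-------------------------------------------------------------------------------- /Route: -------------------------------------------------------------------------------- 1 | #FROM https://github.com/humiaozuzu/ocserv-build/tree/master/config 2 | no-route = 101.0.0.0/255.0.0.0 3 | no-route = 102.0.0.0/254.0.0.0 4 | no-route = 106.0.0.0/255.0.0.0 5 | no-route = 139.0.0.0/255.240.0.0 6 | no-route = 139.128.0.0/255.254.0.0 7 | no-route = 139.148.0.0/255.255.0.0 8 | no-route = 139.154.0.0/255.254.0.0 9 | no-route = 139.156.0.0/255.252.0.0 10 | no-route = 139.170.0.0/255.255.0.0 11 | no-route = 139.176.0.0/255.255.0.0 12 | no-route = 139.183.0.0/255.255.0.0 13 | no-route = 139.186.0.0/255.255.0.0 14 | no-route = 139.188.0.0/255.252.0.0 15 | no-route = 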
139.192.0.0/255.224.0.0 16 | no-route = 139.224.0.0/255.255.0.0 17 | no-route = 139.226.0.0/255.254.0.0 18 | no-route = 14.0.0.0/255.0.0.0 19 | no-route = 140.143.0.0/255.255.0.0 20 | no-route = 140.205.0.0/255.255.0.0 21 | no-route = 140.206.0.0/255.254.0.0 22 | no-route = 140.210.0.0/255.255.0.0 23 | no-route = 140.224.0.0/255.255.0.0 24 | no-route = 140.237.0.0/255.255.0.0 25 | no-route = 140.240.0.0/255.255.0.0 26 | no-route = 140.243.0.0/255.255.0.0 27 | no-route = 140.246.0.0/255.255.0.0 28 | no-route = 140.249.0.0/255.255.0.0 29 | no-route = 140.250.0.0/255.255.0.0 30 | no-route = 140.255.0.0/255.255.0.0 31 | no-route = 140.75.0.0/255.255.0.0 32 | no-route = 144.0.0.0/255.254.0.0 33 | no-route = 144.12.0.0/255.255.0.0 34 | no-route = 144.122.0.0/255.254.0.0 35 | no-route = 144.255.0.0/255.255.0.0 36 | no-route = 144.52.0.0/255.252.0.0 37 | no-route = 144.6.0.0/255.254.0.0 38 | no-route = 150.0.0.0/255.192.0.0 39 | no-route = 150.115.0.0/255.255.0.0 40 | no-route = 150.121.0.0/255.255.0.0 41 | no-route = 150.122.0.0/255.255.0.0 42 | no-route = 150.128.0.0/255.254.0.0 43 | no-route = 150.138.0.0/255.254.0.0 44 | no-route = 150.223.0.0/255.255.0.0 45 | no-route = 150.242.0.0/255.255.0.0 46 | no-route = 150.254.0.0/255.254.0.0 47 | no-route = 152.104.0.0/255.255.0.0 48 | no-route = 153.0.0.0/255.254.0.0 49 | no-route = 153.100.0.0/255.254.0.0 50 | no-route = 153.118.0.0/255.254.0.0 51 | no-route = 153.3.0.0/255.255.0.0 52 | no-route = 153.34.0.0/255.254.0.0 53 | no-route = 153.36.0.0/255.254.0.0 54 | no-route = 153.96.0.0/255.252.0.0 55 | no-route = 157.0.0.0/255.240.0.0 56 | no-route = 157.122.0.0/255.255.0.0 57 | no-route = 157.148.0.0/255.255.0.0 58 | no-route = 157.156.0.0/255.252.0.0 59 | no-route = 157.16.0.0/255.252.0.0 60 | no-route = 157.255.0.0/255.255.0.0 61 | no-route = 157.61.0.0/255.255.0.0 62 | no-route = 159.226.0.0/255.255.0.0 63 | no-route = 161.207.0.0/255.255.0.0 64 | no-route = 162.105.0.0/255.255.0.0 65 | no-route = 163.0.0.0/255.255.0.0 66 
| no-route = 163.125.0.0/255.255.0.0 67 | no-route = 163.136.0.0/255.248.0.0 68 | no-route = 163.177.0.0/255.255.0.0 69 | no-route = 163.178.0.0/255.254.0.0 70 | no-route = 163.204.0.0/255.255.0.0 71 | no-route = 163.44.0.0/255.252.0.0 72 | no-route = 163.48.0.0/255.240.0.0 73 | no-route = 166.110.0.0/255.254.0.0 74 | no-route = 167.139.0.0/255.255.0.0 75 | no-route = 167.189.0.0/255.255.0.0 76 | no-route = 168.160.0.0/255.255.0.0 77 | no-route = 171.0.0.0/255.128.0.0 78 | no-route = 171.208.0.0/255.240.0.0 79 | no-route = 175.0.0.0/255.0.0.0 80 | no-route = 180.0.0.0/252.0.0.0 81 | no-route = 192.124.154.0/255.255.254.0 82 | no-route = 192.188.168.0/255.255.252.0 83 | no-route = 202.0.0.0/254.0.0.0 84 | no-route = 218.0.0.0/254.0.0.0 85 | no-route = 220.0.0.0/252.0.0.0 86 | no-route = 27.0.0.0/255.0.0.0 87 | no-route = 36.0.0.0/255.0.0.0 88 | no-route = 39.0.0.0/255.0.0.0 89 | no-route = 42.0.0.0/254.0.0.0 90 | no-route = 45.64.0.0/255.248.0.0 91 | no-route = 45.96.0.0/255.224.0.0 92 | no-route = 47.80.0.0/255.240.0.0 93 | no-route = 47.96.0.0/255.224.0.0 94 | no-route = 49.0.0.0/255.0.0.0 95 | no-route = 54.222.0.0/255.254.0.0 96 | no-route = 58.0.0.0/254.0.0.0 97 | no-route = 60.0.0.0/254.0.0.0 98 | -------------------------------------------------------------------------------- /routerulers: -------------------------------------------------------------------------------- 1 | #FROM https://github.com/humiaozuzu/ocserv-build/tree/master/config 2 | no-route = 101.0.0.0/255.0.0.0 3 | no-route = 102.0.0.0/254.0.0.0 4 | no-route = 106.0.0.0/255.0.0.0 5 | no-route = 139.0.0.0/255.240.0.0 6 | no-route = 139.128.0.0/255.254.0.0 7 | no-route = 139.148.0.0/255.255.0.0 8 | no-route = 139.154.0.0/255.254.0.0 9 | no-route = 139.156.0.0/255.252.0.0 10 | no-route = 139.170.0.0/255.255.0.0 11 | no-route = 139.176.0.0/255.255.0.0 12 | no-route = 139.183.0.0/255.255.0.0 13 | no-route = 139.186.0.0/255.255.0.0 14 | no-route = 139.188.0.0/255.252.0.0 15 | no-route = 
139.192.0.0/255.224.0.0 16 | no-route = 139.224.0.0/255.255.0.0 17 | no-route = 139.226.0.0/255.254.0.0 18 | no-route = 14.0.0.0/255.0.0.0 19 | no-route = 140.143.0.0/255.255.0.0 20 | no-route = 140.205.0.0/255.255.0.0 21 | no-route = 140.206.0.0/255.254.0.0 22 | no-route = 140.210.0.0/255.255.0.0 23 | no-route = 140.224.0.0/255.255.0.0 24 | no-route = 140.237.0.0/255.255.0.0 25 | no-route = 140.240.0.0/255.255.0.0 26 | no-route = 140.243.0.0/255.255.0.0 27 | no-route = 140.246.0.0/255.255.0.0 28 | no-route = 140.249.0.0/255.255.0.0 29 | no-route = 140.250.0.0/255.255.0.0 30 | no-route = 140.255.0.0/255.255.0.0 31 | no-route = 140.75.0.0/255.255.0.0 32 | no-route = 144.0.0.0/255.254.0.0 33 | no-route = 144.12.0.0/255.255.0.0 34 | no-route = 144.122.0.0/255.254.0.0 35 | no-route = 144.255.0.0/255.255.0.0 36 | no-route = 144.52.0.0/255.252.0.0 37 | no-route = 144.6.0.0/255.254.0.0 38 | no-route = 150.0.0.0/255.192.0.0 39 | no-route = 150.115.0.0/255.255.0.0 40 | no-route = 150.121.0.0/255.255.0.0 41 | no-route = 150.122.0.0/255.255.0.0 42 | no-route = 150.128.0.0/255.254.0.0 43 | no-route = 150.138.0.0/255.254.0.0 44 | no-route = 150.223.0.0/255.255.0.0 45 | no-route = 150.242.0.0/255.255.0.0 46 | no-route = 150.254.0.0/255.254.0.0 47 | no-route = 152.104.0.0/255.255.0.0 48 | no-route = 153.0.0.0/255.254.0.0 49 | no-route = 153.100.0.0/255.254.0.0 50 | no-route = 153.118.0.0/255.254.0.0 51 | no-route = 153.3.0.0/255.255.0.0 52 | no-route = 153.34.0.0/255.254.0.0 53 | no-route = 153.36.0.0/255.254.0.0 54 | no-route = 153.96.0.0/255.252.0.0 55 | no-route = 157.0.0.0/255.240.0.0 56 | no-route = 157.122.0.0/255.255.0.0 57 | no-route = 157.148.0.0/255.255.0.0 58 | no-route = 157.156.0.0/255.252.0.0 59 | no-route = 157.16.0.0/255.252.0.0 60 | no-route = 157.255.0.0/255.255.0.0 61 | no-route = 157.61.0.0/255.255.0.0 62 | no-route = 159.226.0.0/255.255.0.0 63 | no-route = 161.207.0.0/255.255.0.0 64 | no-route = 162.105.0.0/255.255.0.0 65 | no-route = 163.0.0.0/255.255.0.0 66 
| no-route = 163.125.0.0/255.255.0.0 67 | no-route = 163.136.0.0/255.248.0.0 68 | no-route = 163.177.0.0/255.255.0.0 69 | no-route = 163.178.0.0/255.254.0.0 70 | no-route = 163.204.0.0/255.255.0.0 71 | no-route = 163.44.0.0/255.252.0.0 72 | no-route = 163.48.0.0/255.240.0.0 73 | no-route = 166.110.0.0/255.254.0.0 74 | no-route = 167.139.0.0/255.255.0.0 75 | no-route = 167.189.0.0/255.255.0.0 76 | no-route = 168.160.0.0/255.255.0.0 77 | no-route = 171.0.0.0/255.128.0.0 78 | no-route = 171.208.0.0/255.240.0.0 79 | no-route = 175.0.0.0/255.0.0.0 80 | no-route = 180.0.0.0/252.0.0.0 81 | no-route = 192.124.154.0/255.255.254.0 82 | no-route = 192.188.168.0/255.255.252.0 83 | no-route = 202.0.0.0/254.0.0.0 84 | no-route = 218.0.0.0/254.0.0.0 85 | no-route = 220.0.0.0/252.0.0.0 86 | no-route = 27.0.0.0/255.0.0.0 87 | no-route = 36.0.0.0/255.0.0.0 88 | no-route = 39.0.0.0/255.0.0.0 89 | no-route = 42.0.0.0/254.0.0.0 90 | no-route = 45.64.0.0/255.248.0.0 91 | no-route = 45.96.0.0/255.224.0.0 92 | no-route = 47.80.0.0/255.240.0.0 93 | no-route = 47.96.0.0/255.224.0.0 94 | no-route = 49.0.0.0/255.0.0.0 95 | no-route = 54.222.0.0/255.254.0.0 96 | no-route = 58.0.0.0/254.0.0.0 97 | no-route = 60.0.0.0/254.0.0.0 98 | -------------------------------------------------------------------------------- /ocserv.conf: -------------------------------------------------------------------------------- 1 | # User authentication method. Could be set multiple times and in 2 | # that case all should succeed. To enable multiple methods use 3 | # multiple auth directives. Available options: certificate, 4 | # plain, pam, radius, gssapi. 5 | # 6 | # Note that authentication methods cannot be changed with reload. 7 | 8 | # certificate: 9 | # This indicates that all connecting users must present a certificate. 10 | # 11 | # pam[gid-min=1000]: 12 | # This enabled PAM authentication of the user. 
The gid-min option is used 13 | # by auto-select-group option, in order to select the minimum valid group ID. 14 | # 15 | # plain[passwd=/etc/ocserv/ocpasswd,otp=/etc/ocserv/users.otp] 16 | # The plain option requires specifying a password file which contains 17 | # entries of the following format. 18 | # "username:groupname1,groupname2:encoded-password" 19 | # One entry must be listed per line, and 'ocpasswd' should be used 20 | # to generate password entries. The 'otp' suboption allows to specify 21 | # an oath password file to be used for one time passwords; the format of 22 | # the file is described in https://code.google.com/p/mod-authn-otp/wiki/UsersFile 23 | # 24 | # radius[config=/etc/radiusclient/radiusclient.conf,groupconfig=true,nas-identifier=name,override-interim-updates=false]: 25 | # The radius option requires specifying freeradius-client configuration 26 | # file. If the groupconfig option is set, then config-per-user will be overriden, 27 | # and all configuration will be read from radius. The 'override-interim-updates' if set to 28 | # true will ignore Acct-Interim-Interval from the server and 'stats-report-time' will be considered. 29 | # 30 | # gssapi[keytab=/etc/key.tab,require-local-user-map=true,tgt-freshness-time=900] 31 | # The gssapi option allows to use authentication methods supported by GSSAPI, 32 | # such as Kerberos tickets with ocserv. It should be best used as an alternative 33 | # to PAM (i.e., have pam in auth and gssapi in enable-auth), to allow users with 34 | # tickets and without tickets to login. The default value for require-local-user-map 35 | # is true. The 'tgt-freshness-time' if set, it would require the TGT tickets presented 36 | # to have been issued within the provided number of seconds. That option is used to 37 | # restrict logins even if the KDC provides long time TGT tickets. 
38 | 39 | #auth = "pam" 40 | #auth = "pam[gid-min=1000]" 41 | auth = "plain[passwd=/etc/ocserv/ocpasswd]" 42 | #auth = "certificate" 43 | #auth = "radius[config=/etc/radcli/radiusclient.conf,groupconfig=true]" 44 | 45 | # Specify alternative authentication methods that are sufficient 46 | # for authentication. That is, if set, any of the methods enabled 47 | # will be sufficient to login. 48 | #enable-auth = certificate 49 | #enable-auth = gssapi 50 | #enable-auth = "gssapi[keytab=/etc/key.tab,require-local-user-map=true,tgt-freshness-time=900]" 51 | 52 | # Accounting methods available: 53 | # pam: can only be combined with PAM authentication method, it provides 54 | # a session opened using PAM. 55 | # 56 | # radius: can be combined with any authentication method, it provides 57 | # radius accounting to available users (see also stats-report-time). 58 | # 59 | # Only one accounting method can be specified. 60 | #acct = "pam" 61 | #acct = "radius[config=/etc/radcli/radiusclient.conf]" 62 | 63 | # Use listen-host to limit to specific IPs or to the IPs of a provided 64 | # hostname. 65 | #listen-host = [IP|HOSTNAME] 66 | 67 | # When the server has a dynamic DNS address (that may change), 68 | # should set that to true to ask the client to resolve again on 69 | # reconnects. 70 | #listen-host-is-dyndns = true 71 | 72 | # TCP and UDP port number 73 | tcp-port = 999 74 | udp-port = 1999 75 | 76 | # Accept connections using a socket file. It accepts HTTP 77 | # connections (i.e., without SSL/TLS unlike its TCP counterpart), 78 | # and uses it as the primary channel. That option cannot be 79 | # combined with certificate authentication. 80 | #listen-clear-file = /var/run/ocserv-conn.socket 81 | 82 | # The user the worker processes will be run as. It should be 83 | # unique (no other services run as this user). 84 | run-as-user = nobody 85 | run-as-group = nogroup 86 | 87 | # socket file used for IPC with occtl. 
You only need to set that, 88 | # if you use more than a single servers. 89 | #occtl-socket-file = /var/run/occtl.socket 90 | 91 | # socket file used for server IPC (worker-main), will be appended with .PID 92 | # It must be accessible within the chroot environment (if any), so it is best 93 | # specified relatively to the chroot directory. 94 | socket-file = /var/run/ocserv-socket 95 | 96 | # The default server directory. Does not require any devices present. 97 | #chroot-dir = /path/to/chroot 98 | 99 | 100 | ### All configuration options below this line are reloaded on a SIGHUP. 101 | ### The options above, will remain unchanged. Note however, that the 102 | ### server-cert, server-key, dh-params and ca-cert options will be reloaded 103 | ### if the provided file changes, on server reload. That allows certificate 104 | ### rotation, but requires the server key to remain the same for seamless 105 | ### operation. If the server key changes on reload, there may be connection 106 | ### failures during the reloading time. 107 | 108 | # Whether to enable seccomp/Linux namespaces worker isolation. That restricts the number of 109 | # system calls allowed to a worker process, in order to reduce damage from a 110 | # bug in the worker process. It is available on Linux systems at a performance cost. 111 | # The performance cost is roughly 2% overhead at transfer time (tested on a Linux 3.17.8). 112 | # Note however, that process isolation is restricted to the specific libc versions 113 | # the isolation was tested at. If you get random failures on worker processes, try 114 | # disabling that option and report the failures you, along with system and debugging 115 | # information at: https://gitlab.com/ocserv/ocserv/issues 116 | isolate-workers = false 117 | 118 | # A banner to be displayed on clients 119 | #banner = "Welcome" 120 | 121 | # Limit the number of clients. Unset or set to zero for unlimited. 
122 | #max-clients = 1024 123 | max-clients = 160 124 | 125 | # Limit the number of identical clients (i.e., users connecting 126 | # multiple times). Unset or set to zero for unlimited. 127 | max-same-clients = 0 128 | 129 | # When the server has a dynamic DNS address (that may change), 130 | # should set that to true to ask the client to resolve again on 131 | # reconnects. 132 | #listen-host-is-dyndns = true 133 | 134 | # When the server receives connections from a proxy, like haproxy 135 | # which supports the proxy protocol, set this to obtain the correct 136 | # client addresses. The proxy protocol (v2) would then be expected in 137 | # the TCP or UNIX socket (not the UDP one). 138 | #listen-proxy-proto = true 139 | 140 | # Limit the number of client connections to one every X milliseconds 141 | # (X is the provided value). Set to zero for no limit. 142 | #rate-limit-ms = 100 143 | 144 | # Stats report time. The number of seconds after which each 145 | # worker process will report its usage statistics (number of 146 | # bytes transferred etc). This is useful when accounting like 147 | # radius is in use. 148 | #stats-report-time = 360 149 | 150 | # Keepalive in seconds 151 | keepalive = 32400 152 | 153 | # Dead peer detection in seconds. 154 | # Note that when the client is behind a NAT this value 155 | # needs to be short enough to prevent the NAT disassociating 156 | # his UDP session from the port number. Otherwise the client 157 | # could have his UDP connection stalled, for several minutes. 158 | dpd = 90 159 | 160 | # Dead peer detection for mobile clients. That needs to 161 | # be higher to prevent such clients being awaken too 162 | # often by the DPD messages, and save battery. 163 | # The mobile clients are distinguished from the header 164 | # 'X-AnyConnect-Identifier-DeviceType'. 
165 | mobile-dpd = 1800 166 | 167 | # MTU discovery (DPD must be enabled) 168 | try-mtu-discovery = true 169 | 170 | # The key and the certificates of the server 171 | # The key may be a file, or any URL supported by GnuTLS (e.g., 172 | # tpmkey:uuid=xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx;storage=user 173 | # or pkcs11:object=my-vpn-key;object-type=private) 174 | # 175 | # The server-cert file may contain a single certificate, or 176 | # a sorted certificate chain. 177 | # 178 | # There may be multiple server-cert and server-key directives, 179 | # but each key should correspond to the preceding certificate. 180 | server-cert = /etc/ocserv/server-cert.pem 181 | server-key = /etc/ocserv/server-key.pem 182 | 183 | # Diffie-Hellman parameters. Only needed if you require support 184 | # for the DHE ciphersuites (by default this server supports ECDHE). 185 | # Can be generated using: 186 | # certtool --generate-dh-params --outfile /path/to/dh.pem 187 | #dh-params = /etc/ocserv/dh.pem 188 | 189 | # If you have a certificate from a CA that provides an OCSP 190 | # service you may provide a fresh OCSP status response within 191 | # the TLS handshake. That will prevent the client from connecting 192 | # independently on the OCSP server. 193 | # You can update this response periodically using: 194 | # ocsptool --ask --load-cert=your_cert --load-issuer=your_ca --outfile response 195 | # Make sure that you replace the following file in an atomic way. 196 | #ocsp-response = /path/to/ocsp.der 197 | 198 | # In case PKCS #11 or TPM keys are used the PINs should be available 199 | # in files. The srk-pin-file is applicable to TPM keys only, and is the 200 | # storage root key. 201 | #pin-file = /path/to/pin.txt 202 | #srk-pin-file = /path/to/srkpin.txt 203 | 204 | # The password or PIN needed to unlock the key in server-key file. 205 | # Only needed if the file is encrypted or a PKCS #11 object. This 206 | # is an alternative method to pin-file. 
207 | #key-pin = 1234 208 | 209 | # The SRK PIN for TPM. 210 | # This is an alternative method to srk-pin-file. 211 | #srk-pin = 1234 212 | 213 | # The Certificate Authority that will be used to verify 214 | # client certificates (public keys) if certificate authentication 215 | # is set. 216 | #ca-cert = /etc/ocserv/ca-cert.pem 217 | 218 | # The object identifier that will be used to read the user ID in the client 219 | # certificate. The object identifier should be part of the certificate's DN 220 | # Useful OIDs are: 221 | # CN = 2.5.4.3, UID = 0.9.2342.19200300.100.1.1 222 | #cert-user-oid = 2.5.4.3 223 | 224 | # The object identifier that will be used to read the user group in the 225 | # client certificate. The object identifier should be part of the certificate's 226 | # DN. Useful OIDs are: 227 | # OU (organizational unit) = 2.5.4.11 228 | #cert-group-oid = 2.5.4.11 229 | 230 | # The revocation list of the certificates issued by the 'ca-cert' above. 231 | # See the manual to generate an empty CRL initially. 232 | #crl = /etc/ocserv/crl.pem 233 | 234 | # Uncomment this to enable compression negotiation (LZS, LZ4). 235 | compression = true 236 | 237 | # Set the minimum size under which a packet will not be compressed. 238 | # That is to allow low-latency for VoIP packets. The default size 239 | # is 256 bytes. Modify it if the clients typically use compression 240 | # as well of VoIP with codecs that exceed the default value. 241 | #no-compress-limit = 256 242 | 243 | # GnuTLS priority string; note that SSL 3.0 is disabled by default 244 | # as there are no openconnect (and possibly anyconnect clients) using 245 | # that protocol. The string below does not enforce perfect forward 246 | # secrecy, in order to be compatible with legacy clients. 247 | # 248 | # Note that the most performant ciphersuites are the moment are the ones 249 | # involving AES-GCM. 
These are very fast in x86 and x86-64 hardware, and 250 | # in addition require no padding, thus taking full advantage of the MTU. 251 | # For that to be taken advantage of, the openconnect client must be 252 | # used, and the server must be compiled against GnuTLS 3.2.7 or later. 253 | # Use "gnutls-cli --benchmark-tls-ciphers", to see the performance 254 | # difference with AES_128_CBC_SHA1 (the default for anyconnect clients) 255 | # in your system. 256 | 257 | tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-VERS-SSL3.0" 258 | 259 | # More combinations in priority strings are available, check 260 | # http://gnutls.org/manual/html_node/Priority-Strings.html 261 | # E.g., the string below enforces perfect forward secrecy (PFS) 262 | # on the main channel. 263 | #tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-RSA:-VERS-SSL3.0:-ARCFOUR-128" 264 | 265 | # The time (in seconds) that a client is allowed to stay connected prior 266 | # to authentication 267 | auth-timeout = 40 268 | 269 | # The time (in seconds) that a client is allowed to stay idle (no traffic) 270 | # before being disconnected. Unset to disable. 271 | idle-timeout = 1200 272 | 273 | # The time (in seconds) that a mobile client is allowed to stay idle (no 274 | # traffic) before being disconnected. Unset to disable. 275 | mobile-idle-timeout = 2400 276 | 277 | # The time (in seconds) that a client is not allowed to reconnect after 278 | # a failed authentication attempt. 279 | #min-reauth-time = 300 280 | 281 | # Banning clients in ocserv works with a point system. IP addresses 282 | # that get a score over that configured number are banned for 283 | # min-reauth-time seconds. By default a wrong password attempt is 10 points, 284 | # a KKDCP POST is 1 point, and a connection is 1 point. Note that 285 | # due to difference processes being involved the count of points 286 | # will not be real-time precise. 
287 | # 288 | # Score banning cannot be reliably used when receiving proxied connections 289 | # locally from an HTTP server (i.e., when listen-clear-file is used). 290 | # 291 | # Set to zero to disable. 292 | max-ban-score = 50 293 | 294 | # The time (in seconds) that all score kept for a client is reset. 295 | ban-reset-time = 300 296 | 297 | # In case you'd like to change the default points. 298 | #ban-points-wrong-password = 10 299 | #ban-points-connection = 1 300 | #ban-points-kkdcp = 1 301 | 302 | # Cookie timeout (in seconds) 303 | # Once a client is authenticated he's provided a cookie with 304 | # which he can reconnect. That cookie will be invalided if not 305 | # used within this timeout value. On a user disconnection, that 306 | # cookie will also be active for this time amount prior to be 307 | # invalid. That should allow a reasonable amount of time for roaming 308 | # between different networks. 309 | cookie-timeout = 86400 310 | 311 | # Cookie rekey time (in seconds) 312 | # The time after which the key used to encrypt cookies will be 313 | # refreshed. After this time the previous key will also be valid 314 | # for verification until the next rotation cycle. 315 | #cookie-rekey-time = 259200 316 | 317 | # If this is enabled (not recommended) the cookies will stay 318 | # valid even after a user manually disconnects, and until they 319 | # expire. This may improve roaming with some broken clients. 320 | #persistent-cookies = true 321 | 322 | # Whether roaming is allowed, i.e., if true a cookie is 323 | # restricted to a single IP address and cannot be re-used 324 | # from a different IP. 325 | deny-roaming = false 326 | 327 | # ReKey time (in seconds) 328 | # ocserv will ask the client to refresh keys periodically once 329 | # this amount of seconds is elapsed. Set to zero to disable (note 330 | # that, some clients fail if rekey is disabled). 
331 | rekey-time = 172800 332 | 333 | # ReKey method 334 | # Valid options: ssl, new-tunnel 335 | # ssl: Will perform an efficient rehandshake on the channel allowing 336 | # a seamless connection during rekey. 337 | # new-tunnel: Will instruct the client to discard and re-establish the channel. 338 | # Use this option only if the connecting clients have issues with the ssl 339 | # option. 340 | rekey-method = ssl 341 | 342 | # Script to call when a client connects and obtains an IP. 343 | # The following parameters are passed on the environment. 344 | # REASON, USERNAME, GROUPNAME, HOSTNAME (the hostname selected by client), 345 | # DEVICE, IP_REAL (the real IP of the client), IP_REAL_LOCAL (the local 346 | # interface IP the client connected), IP_LOCAL (the local IP 347 | # in the P-t-P connection), IP_REMOTE (the VPN IP of the client), 348 | # IPV6_LOCAL (the IPv6 local address if there are both IPv4 and IPv6 349 | # assigned), IPV6_REMOTE (the IPv6 remote address), IPV6_PREFIX, and 350 | # ID (a unique numeric ID); REASON may be "connect" or "disconnect". 351 | # In addition the following variables OCSERV_ROUTES (the applied routes for this 352 | # client), OCSERV_NO_ROUTES, OCSERV_DNS (the DNS servers for this client), 353 | # will contain a space separated list of routes or DNS servers. A version 354 | # of these variables with the 4 or 6 suffix will contain only the IPv4 or 355 | # IPv6 values. 356 | 357 | # The disconnect script will receive the additional values: STATS_BYTES_IN, 358 | # STATS_BYTES_OUT, STATS_DURATION that contain a 64-bit counter of the bytes 359 | # output from the tun device, and the duration of the session in seconds. 360 | 361 | #connect-script = /etc/ocserv/myscript 362 | #disconnect-script = /etc/ocserv/myscript 363 | 364 | # UTMP 365 | # Register the connected clients to utmp. This will allow viewing 366 | # the connected clients using the command 'who'. 
367 | use-utmp = true 368 | 369 | # Whether to enable support for the occtl tool (i.e., either through D-BUS, 370 | # or via a unix socket). 371 | use-occtl = true 372 | 373 | # PID file. It can be overriden in the command line. 374 | pid-file = /var/run/ocserv.pid 375 | 376 | # Set the protocol-defined priority (SO_PRIORITY) for packets to 377 | # be sent. That is a number from 0 to 6 with 0 being the lowest 378 | # priority. Alternatively this can be used to set the IP Type- 379 | # Of-Service, by setting it to a hexadecimal number (e.g., 0x20). 380 | # This can be set per user/group or globally. 381 | #net-priority = 3 382 | 383 | # Set the VPN worker process into a specific cgroup. This is Linux 384 | # specific and can be set per user/group or globally. 385 | #cgroup = "cpuset,cpu:test" 386 | 387 | # 388 | # Network settings 389 | # 390 | 391 | # The name to use for the tun device 392 | device = vpns 393 | 394 | # Whether the generated IPs will be predictable, i.e., IP stays the 395 | # same for the same user when possible. 396 | predictable-ips = true 397 | 398 | # The default domain to be advertised 399 | #default-domain = example.com 400 | 401 | # The pool of addresses that leases will be given from. If the leases 402 | # are given via Radius, or via the explicit-ip? per-user config option then 403 | # these network values should contain a network with at least a single 404 | # address that will remain under the full control of ocserv (that is 405 | # to be able to assign the local part of the tun device address). 406 | ipv4-network = 192.168.10.0 407 | ipv4-netmask = 255.255.255.0 408 | 409 | # An alternative way of specifying the network: 410 | #ipv4-network = 192.168.1.0/24 411 | 412 | # The IPv6 subnet that leases will be given from. 413 | #ipv6-network = fda9:4efe:7e3b:03ea::/64 414 | 415 | # Specify the size of the network to provide to clients. 
It is 416 | # generally recommended to provide clients with a /64 network in 417 | # IPv6, but any subnet may be specified. To provide clients only 418 | # with a single IP use the prefix 128. 419 | #ipv6-subnet-prefix = 128 420 | #ipv6-subnet-prefix = 64 421 | 422 | # Whether to tunnel all DNS queries via the VPN. This is the default 423 | # when a default route is set. 424 | #tunnel-all-dns = true 425 | 426 | # The advertized DNS server. Use multiple lines for 427 | # multiple servers. 428 | # dns = fc00::4be0 429 | dns = 8.8.4.4 430 | dns = 8.8.8.8 431 | 432 | # The NBNS server (if any) 433 | #nbns = 192.168.1.3 434 | 435 | # The domains over which the provided DNS should be used. Use 436 | # multiple lines for multiple domains. 437 | #split-dns = example.com 438 | 439 | # Prior to leasing any IP from the pool ping it to verify that 440 | # it is not in use by another (unrelated to this server) host. 441 | # Only set to true, if there can be occupied addresses in the 442 | # IP range for leases. 443 | ping-leases = false 444 | 445 | # Use this option to enforce an MTU value to the incoming 446 | # connections. Unset to use the default MTU of the TUN device. 447 | #mtu = 1420 448 | 449 | # Unset to enable bandwidth restrictions (in bytes/sec). The 450 | # setting here is global, but can also be set per user or per group. 451 | #rx-data-per-sec = 40000 452 | #tx-data-per-sec = 40000 453 | 454 | # The number of packets (of MTU size) that are available in 455 | # the output buffer. The default is low to improve latency. 456 | # Setting it higher will improve throughput. 457 | #output-buffer = 23000 458 | 459 | # Routes to be forwarded to the client. If you need the 460 | # client to forward routes to the server, you may use the 461 | # config-per-user/group or even connect and disconnect scripts. 462 | # 463 | # To set the server as the default gateway for the client just 464 | # comment out all routes from the server, or use the special keyword 465 | # 'default'. 
466 | 467 | #route = 10.10.10.0/255.255.255.0 468 | #route = 192.168.0.0/255.255.0.0 469 | #route = fef4:db8:1000:1001::/64 470 | #route = default 471 | 472 | # Subsets of the routes above that will not be routed by 473 | # the server. 474 | 475 | #no-route = 192.168.5.0/255.255.255.0 476 | 477 | # Note the that following two firewalling options currently are available 478 | # in Linux systems with iptables software. 479 | 480 | # If set, the script /usr/bin/ocserv-fw will be called to restrict 481 | # the user to its allowed routes and prevent him from accessing 482 | # any other routes. In case of defaultroute, the no-routes are restricted. 483 | # All the routes applied by ocserv can be reverted using /usr/bin/ocserv-fw 484 | # --removeall. This option can be set globally or in the per-user configuration. 485 | #restrict-user-to-routes = true 486 | 487 | # This option implies restrict-user-to-routes set to true. If set, the 488 | # script /usr/bin/ocserv-fw will be called to restrict the user to 489 | # access specific ports in the network. This option can be set globally 490 | # or in the per-user configuration. 491 | #restrict-user-to-ports = "tcp(443), tcp(80), udp(443), sctp(99), tcp(583), icmp(), icmpv6()" 492 | 493 | # You could also use negation, i.e., block the user from accessing these ports only. 494 | #restrict-user-to-ports = "!(tcp(443), tcp(80))" 495 | 496 | # When set to true, all client's iroutes are made visible to all 497 | # connecting clients except for the ones offering them. This option 498 | # only makes sense if config-per-user is set. 499 | #expose-iroutes = true 500 | 501 | # Groups that a client is allowed to select from. 502 | # A client may belong in multiple groups, and in certain use-cases 503 | # it is needed to switch between them. For these cases the client can 504 | # select prior to authentication. Add multiple entries for multiple groups. 505 | # The group may be followed by a user-friendly name in brackets. 
506 | #select-group = group1 507 | #select-group = group2[My special group] 508 | 509 | # The name of the (virtual) group that if selected it would assign the user 510 | # to its default group. 511 | #default-select-group = DEFAULT 512 | 513 | # Instead of specifying manually all the allowed groups, you may instruct 514 | # ocserv to scan all available groups and include the full list. 515 | #auto-select-group = true 516 | 517 | # Configuration files that will be applied per user connection or 518 | # per group. Each file name on these directories must match the username 519 | # or the groupname. 520 | # The options allowed in the configuration files are dns, nbns, 521 | # ipv?-network, ipv4-netmask, rx/tx-per-sec, iroute, route, no-route, 522 | # explicit-ipv4, explicit-ipv6, net-priority, deny-roaming, no-udp, 523 | # keepalive, dpd, mobile-dpd, max-same-clients, tunnel-all-dns, 524 | # restrict-user-to-routes, user-profile, cgroup, stats-report-time, 525 | # mtu, idle-timeout, mobile-idle-timeout, restrict-user-to-ports, 526 | # and session-timeout. 527 | # 528 | # Note that the 'iroute' option allows to add routes on the server 529 | # based on a user or group. The syntax depends on the input accepted 530 | # by the commands route-add-cmd and route-del-cmd (see below). The no-udp 531 | # is a boolean option (e.g., no-udp = true), and will prevent a UDP session 532 | # for that specific user or group. Note also, that, any DNS or NBNS servers 533 | # present will overwrite the global ones, while any routes or no-routes set 534 | # will be appended to the default set. 535 | 536 | #config-per-user = /etc/ocserv/config-per-user/ 537 | #config-per-group = /etc/ocserv/config-per-group/ 538 | 539 | # When config-per-xxx is specified and there is no group or user that 540 | # matches, then utilize the following configuration. 
541 | #default-user-config = /etc/ocserv/defaults/user.conf 542 | #default-group-config = /etc/ocserv/defaults/group.conf 543 | 544 | # The system command to use to setup a route. %{R} will be replaced with the 545 | # route/mask and %{D} with the (tun) device. 546 | # 547 | # The following example is from linux systems. %R should be something 548 | # like 192.168.2.0/24 (the argument of iroute). 549 | 550 | #route-add-cmd = "ip route add %{R} dev %{D}" 551 | #route-del-cmd = "ip route delete %{R} dev %{D}" 552 | 553 | # This option allows to forward a proxy. The special keywords '%{U}' 554 | # and '%{G}', if present will be replaced by the username and group name. 555 | #proxy-url = http://example.com/ 556 | #proxy-url = http://example.com/%{U}/ 557 | 558 | # This option allows you to specify a URL location where a client can 559 | # post using MS-KKDCP, and the message will be forwarded to the provided 560 | # KDC server. That is a translation URL between HTTP and Kerberos. 561 | # In MIT kerberos you'll need to add in realms: 562 | # EXAMPLE.COM = { 563 | # kdc = https://ocserv.example.com/kerberos 564 | # http_anchors = FILE:/etc/ocserv-ca.pem 565 | # } 566 | # This option is available if ocserv is compiled with GSSAPI support. 567 | 568 | #kkdcp = SERVER-PATH KERBEROS-REALM PROTOCOL@SERVER:PORT 569 | #kkdcp = /kerberos EXAMPLE.COM udp@127.0.0.1:88 570 | #kkdcp = /kerberos-tcp EXAMPLE.COM tcp@127.0.0.1:88 571 | 572 | # 573 | # The following options are for (experimental) AnyConnect client 574 | # compatibility. 575 | 576 | # This option must be set to true to support legacy CISCO clients. 577 | # A side effect of this option is that it will no longer be required 578 | # for clients to present their certificate on every connection. 579 | # That is they may resume a cookie without presenting a certificate 580 | # (when certificate authentication is used). 581 | cisco-client-compat = true 582 | 583 | # Client profile xml. A sample file exists in doc/profile.xml. 
584 | # It is required by some of the CISCO clients. 585 | # This file must be accessible from inside the worker's chroot. 586 | #user-profile = /etc/ocserv/profile.xml 587 | 588 | # Binary files that may be downloaded by the CISCO client. Must 589 | # be within any chroot environment. Normally you don't need 590 | # to use this option. 591 | #binary-files = /path/to/binaries 592 | 593 | #Advanced options 594 | 595 | # Option to allow sending arbitrary custom headers to the client after 596 | # authentication and prior to VPN tunnel establishment. You shouldn't 597 | # need to use this option normally; if you do and you think that 598 | # this may help others, please send your settings and reason to 599 | # the openconnect mailing list. The special keywords '%{U}' 600 | # and '%{G}', if present will be replaced by the username and group name. 601 | #custom-header = "X-My-Header: hi there" 602 | -------------------------------------------------------------------------------- /ocservauto.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | #=============================================================================================== 4 | # System Required: Debian 7+ 5 | # Description: Install OpenConnect VPN server for Debian 6 | # Ocservauto For Debian Copyright (C) liyangyijie released under GNU GPLv2 7 | # Ocservauto For Debian Is Based On SSLVPNauto v0.1-A1 8 | # SSLVPNauto v0.1-A1 For Debian Copyright (C) Alex Fang frjalex@gmail.com released under GNU GPLv2 9 | # Date: 2015-07-10 10 | # Thanks For 11 | # http://www.infradead.org/ocserv/ 12 | # https://www.stunnel.info Travis Lee 13 | # http://luoqkk.com/ luoqkk 14 | # http://ttz.im/ tony 15 | # http://blog.ltns.info/ LTNS 16 | # https://github.com/clowwindy/ShadowVPN (server up/down script) 17 | # http://imkevin.me/post/80157872840/anyconnect-iphone 18 | # http://bitinn.net/11084/ 19 | # 
http://zkxtom365.blogspot.jp/2015/02/centos-65ocservcisco-anyconnect.html 20 | # https://registry.hub.docker.com/u/tommylau/ocserv/dockerfile/ 21 | # https://www.v2ex.com/t/158768 22 | # https://www.v2ex.com/t/165541 23 | # https://www.v2ex.com/t/172292 24 | # https://www.v2ex.com/t/170472 25 | # https://sskaje.me/2014/02/openconnect-ubuntu/ 26 | # https://github.com/humiaozuzu/ocserv-build/tree/master/config 27 | # https://blog.qmz.me/zai-vpsshang-da-jian-anyconnect-vpnfu-wu-qi/ 28 | # http://www.gnutls.org/manual/gnutls.html#certtool-Invocation 29 | # Max Lv (server /etc/init.d/ocserv) 30 | #=============================================================================================== 31 | 32 | ################################################################################################################### 33 | #base-function # 34 | ################################################################################################################### 35 | 36 | 37 | 38 | Green_font_prefix="\033[32m" && Red_font_prefix="\033[31m" && Green_background_prefix="\033[42;37m" && Red_background_prefix="\033[41;37m" && Font_color_suffix="\033[0m" 39 | Info="${Green_font_prefix}[信息]${Font_color_suffix}" 40 | Error="${Red_font_prefix}[错误]${Font_color_suffix}" 41 | Tip="${Green_font_prefix}[注意]${Font_color_suffix}" 42 | 43 | 44 | sh_ver="1.0.5" 45 | 46 | #error and force-exit 47 | function die(){ 48 | echo -e "\033[33mERROR: $1 \033[0m" > /dev/null 1>&2 49 | exit 1 50 | } 51 | 52 | #info echo 53 | function print_info(){ 54 | echo -n -e '\e[1;36m' 55 | echo -n $1 56 | echo -e '\e[0m' 57 | } 58 | 59 | ##### echo 60 | function print_xxxx(){ 61 | xXxX="#############################" 62 | echo 63 | echo "$xXxX$xXxX$xXxX$xXxX" 64 | echo 65 | } 66 | 67 | #warn echo 68 | function print_warn(){ 69 | echo -n -e '\033[41;37m' 70 | echo -n $1 71 | echo -e '\033[0m' 72 | } 73 | 74 | #color line 75 | color_line(){ 76 | echo 77 | while read line 78 | do 79 | echo -e "\e[1;33m$line" 80 | echo 
81 | done 82 | echo -en "\e[0m" 83 | } 84 | 85 | #get random word 获取$1位随机文本,剔除容易识别错误的字符例如0和O等等 86 | function get_random_word(){ 87 | D_Num_Random="8" 88 | Num_Random=${1:-$D_Num_Random} 89 | str=`cat /dev/urandom | tr -cd abcdefghjkmnpqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789 | head -c $Num_Random` 90 | echo $str 91 | } 92 | 93 | #Default_Ask "what's your name?" "li" "The_name" 94 | #echo $The_name 95 | function Default_Ask(){ 96 | echo 97 | Temp_question=$1 98 | Temp_default_var=$2 99 | Temp_var_name=$3 100 | if [ -f ${CONFIG_PATH_VARS} ]; then 101 | New_temp_default_var=`cat $CONFIG_PATH_VARS | grep "^$Temp_var_name=" | cut -d "'" -f 2` 102 | Temp_default_var=${New_temp_default_var:-$Temp_default_var} 103 | fi 104 | #if yes or no 105 | echo -e -n "\e[1;36m$Temp_question\e[0m""\033[31m(Default:$Temp_default_var)\033[0m" 106 | echo 107 | read Temp_var 108 | if [ "$Temp_default_var" = "y" ] || [ "$Temp_default_var" = "n" ]; then 109 | Temp_var=$(echo $Temp_var | sed 'y/YESNO0/yesnoo/') 110 | case $Temp_var in 111 | y|ye|yes) 112 | Temp_var=y 113 | ;; 114 | n|no) 115 | Temp_var=n 116 | ;; 117 | *) 118 | Temp_var=$Temp_default_var 119 | ;; 120 | esac 121 | else 122 | Temp_var=${Temp_var:-$Temp_default_var} 123 | fi 124 | Temp_cmd="$Temp_var_name='$Temp_var'" 125 | eval $Temp_cmd 126 | print_info "你输入的是: ${Temp_var}" 127 | echo 128 | print_xxxx 129 | } 130 | 131 | #Press any key to start 任意键开始 132 | function press_any_key(){ 133 | echo 134 | print_info "按任意键开始...或按Ctrl+C取消!" 
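# Tail of the enclosing "press any key" helper (its header is above this excerpt):
# read one raw key from the terminal, then restore the saved tty settings.
get_char_ffff() {
  SAVEDSTTY=$(stty -g)
  stty -echo
  stty cbreak
  dd if=/dev/tty bs=1 count=1 2> /dev/null
  stty -raw
  stty echo
  stty "$SAVEDSTTY"
}
get_char_fffff=$(get_char_ffff)
echo
}

#######################################
# Ask a question unless fast mode is on, then persist the answer for fast mode.
# Arguments: $1 prompt, $2 default, $3 variable name (all passed to Default_Ask)
# Globals:   fast_install (read); CONFIG_PATH_VARS (appended to);
#            Temp_var_name / Temp_cmd are set by Default_Ask (defined elsewhere)
#######################################
fast_Default_Ask() {
  if [ "$fast_install" = "y" ]; then
    print_info "在快速模式下, $3 将从 $CONFIG_PATH_VARS"
  else
    Default_Ask "$1" "$2" "$3"
    # drop any earlier saved value of this variable, then append the new one
    [ -f "${CONFIG_PATH_VARS}" ] && sed -i "/^${Temp_var_name}=/d" "$CONFIG_PATH_VARS"
    printf '%s\n' "$Temp_cmd" >> "$CONFIG_PATH_VARS"
  fi
}

#######################################
# Return 0 when config file $1 contains the fixed string $2 on a non-comment line.
# Arguments: $1 file, $2 literal text (matched with -F, not as a regex)
#######################################
character_Test() {
  sed 's/^[ \t]*//' "$1" | grep -v '^#' | grep -q -F -- "$2"
}

#######################################
# Make sure each executable in $1 exists, installing the matching package from $2.
# Arguments: $1 space-separated executables, $2 space-separated package names
#            (same order and count as $1)
#######################################
check_install() {
  local -a exes pkgs
  local i exe pkg
  read -r -a exes <<< "$1"
  read -r -a pkgs <<< "$2"
  for i in "${!exes[@]}"; do
    exe="${exes[$i]}"
    pkg="${pkgs[$i]}"
    if command -v "$exe" > /dev/null 2>&1; then
      print_info "Check [ $pkg ] ok"
    elif DEBIAN_FRONTEND=noninteractive apt-get -qq -y install "$pkg" > /dev/null 2>&1; then
      apt-get clean
      print_info "Install [ $pkg ] ok"
    else
      # the original printed "ok" even when apt-get failed; report it instead
      print_warn "Install [ $pkg ] failed"
    fi
  done
}

###################################################################################################################
# core functions                                                                                                  #
###################################################################################################################

#######################################
# Main installer: normal mode, and the master server in the
# "one client certificate shared by several servers" mode.
#######################################
install_OpenConnect_VPN_server() {
  # base info and base tools
  check_Required
  # custom configuration or not
  fast_Default_Ask "用自定义配置安装ocserv?【选Y使用证书模式】(y/n)" "n" "Custom_config_ocserv"
  clear && print_xxxx
  if [ "$Custom_config_ocserv" = "y" ]; then
    print_info "使用自定义配置安装ocserv。"
    print_xxxx
    get_Custom_configuration
  elif [ "$Custom_config_ocserv" = "n" ]; then
    print_info "自动安装,选择密码登陆."
    print_xxxx
    self_signed_ca="y"
    ca_login="n"
  fi
  # initial user
  add_a_user
  # press any key to start
  press_any_key
  # build dependencies
  pre_install
  # build and install ocserv
  tar_ocserv_install
  # self-signed server CA
  [ "$self_signed_ca" = "y" ] && make_ocserv_ca
  # client certificate when logging in by certificate
  if [ "$ca_login" = "y" ] && [ "$self_signed_ca" = "y" ]; then
    ca_login_clientcert
  fi
  # configuration
  set_ocserv_conf
  # stop any running ocserv
  stop_ocserv
  # no server certificate, no start
  [ "$self_signed_ca" = "y" ] && start_ocserv
  # show result
  show_ocserv
}

#######################################
# Secondary server in the shared-client-cert mode: reuses the ca-cert.pem
# (and optional crl.pem) placed next to the script instead of its own CA.
#######################################
install_Oneclientcer() {
  [ ! -f "${Script_Dir}/ca-cert.pem" ] && die "${Script_Dir}/ca-cert.pem 没找到."
  [ -f "${Script_Dir}/crl.pem" ] && CRL_ADD="y"
  self_signed_ca="y"
  ca_login="y"
  check_Required
  Default_Ask "为ocserv输入您自己的域名." "$ocserv_hostname" "fqdnname"
  get_Custom_configuration_2
  press_any_key
  pre_install && tar_ocserv_install
  make_ocserv_ca
  cd "${Script_Dir}" || die "cd ${Script_Dir} failed"
  # replace the locally generated CA with the shared one
  rm -rf /etc/ocserv/ca-cert.pem /etc/ocserv/CAforOC
  mv "${Script_Dir}/ca-cert.pem" /etc/ocserv
  set_ocserv_conf
  if [ "$CRL_ADD" = "y" ]; then
    mv "${Script_Dir}/crl.pem" /etc/ocserv
  else
    sed -i 's|^crl =.*|#&|' "${LOC_OC_CONF}"
  fi
  stop_ocserv && start_ocserv
  if pgrep ocserv > /dev/null 2>&1; then
    print_info "安装成功"
  else
    print_warn "启动失败,ocserv已经离线"
    print_info "请检查 ${Script_Dir}/ocinstall.log"
  fi
}

#######################################
# Environment checks and base tool installation (continues on the next line).
# Sets: ocserv_systemd, source_wheezy_backports, source_jessie
#######################################
check_Required() {
  # root
  [ "$EUID" -ne 0 ] && die '请以root用户运行'
  print_info "Root权限通过!"
  # debian-based only
  [ ! -f /etc/debian_version ] && die "必须在基于Debian的系统上运行."
  print_info "基于Debian ok"
  # tun/tap
  [ ! -e /dev/net/tun ] && die "TUN/TAP不可用。"
  print_info "TUN/TAP OK"
  # refuse to install twice
  [ -f /usr/sbin/ocserv ] && die "Ocserv已经安装。"
  print_info "没有安装!"
  # base tools
  print_info "安装基础工具!"
  apt-get update -qq
  check_install "curl vim sudo gawk sed insserv nano" "curl vim sudo gawk sed insserv nano"
  check_install "dig lsb_release" "dnsutils lsb-release"
  insserv -s > /dev/null 2>&1 || ln -s /usr/lib/insserv/insserv /sbin/insserv
  print_info "基础工具安装成功"
  # tested codenames only (Debian 7+)
  surport_Syscodename || die "对不起,不支持你的系统"
  print_info "系统正常支持"
  # systemd present?
  ocserv_systemd="n"
  pgrep systemd-journal > /dev/null 2>&1 && ocserv_systemd="y"
  print_info "系统状态 : $ocserv_systemd"
  # which extra apt suites are already configured
  source_wheezy_backports="y"
  source_jessie="y"
  character_Test "/etc/apt/sources.list" "wheezy-backports" || source_wheezy_backports="n"
  character_Test "/etc/apt/sources.list" "jessie" || source_jessie="n"
  print_info "Sources check ok"
  # public address and latest version from the network
  print_info "获取信息中....."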
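# --- continuation of check_Required ---
  get_info_from_net
  print_info "获取成功"
  clear
}

#######################################
# Start a fresh ocinstall.log with basic system info.
# Globals: Script_Dir (set at the bottom of the file)
# NOTE(review): the (currently commented-out) dispatcher pipes the installer
# through "tee -a" into this log, and show_ocserv prints the username and
# password, so the log would hold credentials — protect or avoid logging them.
#######################################
log_Start() {
  local log="${Script_Dir}/ocinstall.log"
  {
    echo "SYS INFO"
    echo ""
    sed '/^$/d' /etc/issue
    uname -r
    echo ""
    echo "INSTALL INFO"
    echo ""
  } > "$log"
}

#######################################
# Discover the public IPv4 address and the latest upstream ocserv version.
# Both values come from the network and are later interpolated into the server
# certificate CN, profile.xml and build/rm paths, so they are validated here and
# fetched over TLS; anything that does not look like an address/version is
# treated as unknown (empty), which callers already handle.
# Sets: ocserv_hostname, OC_version_latest
#######################################
get_info_from_net() {
  local ipv4_re='^[0-9]{1,3}(\.[0-9]{1,3}){3}$'
  ocserv_hostname=$(wget -qO- https://ipv4.icanhazip.com)
  if ! [[ "$ocserv_hostname" =~ $ipv4_re ]]; then
    ocserv_hostname=$(dig +short +tcp myip.opendns.com @resolver1.opendns.com)
  fi
  [[ "$ocserv_hostname" =~ $ipv4_re ]] || ocserv_hostname=""
  OC_version_latest=$(curl -sL "https://ocserv.gitlab.io/www/download.html" | sed -n 's/^.*version is \(.*$\)/\1/p')
  [[ "$OC_version_latest" =~ ^[0-9]+(\.[0-9]+)+$ ]] || OC_version_latest=""
}

#######################################
# Interactive questions, part 1: login type and CA details.
#######################################
get_Custom_configuration() {
  # certificate login? default is username/password
  fast_Default_Ask "是否选择证书登录?(y/n)" "n" "ca_login"
  # generate a self-signed CA?
  fast_Default_Ask "为您的服务器生成自签名CA?(y/n)" "y" "self_signed_ca"
  if [ "$self_signed_ca" = "n" ]; then
    Default_Ask "为ocserv输入您自己的域名." "$ocserv_hostname" "fqdnname"
  else
    fast_Default_Ask "您的证书名字" "ocvpn" "caname"
    fast_Default_Ask "你的组织名称?" "ocvpn" "ogname"
    fast_Default_Ask "你的公司名称?" "ocvpn" "coname"
    Default_Ask "您的服务器的域名?" "$ocserv_hostname" "fqdnname"
  fi
  # question part 2
  get_Custom_configuration_2
}

#######################################
# Interactive questions, part 2: version, ports, boot start, saving of vars.
#######################################
get_Custom_configuration_2() {
  # which ocserv version (the original "[ ] && { } || { }" ran both arms when
  # print_xxxx failed; a plain if/else cannot)
  if [ "$OC_version_latest" = "" ]; then
    print_warn "无法连接到官方网站,请从github下载ocserv."
    print_xxxx
  else
    fast_Default_Ask "$OC_version_latest 是最新的版本,但是推荐默认版本。选择哪个?" "$Default_oc_version" "oc_version"
  fi
  # TCP port used for authentication
  fast_Default_Ask "使用哪个端口进行验证?(TCP端口)" "999" "ocserv_tcpport_set"
  # TCP only (disable UDP)?
  fast_Default_Ask "是否只使用tcp端口?(y/n)" "n" "only_tcp_port"
  # UDP data port
  if [ "$only_tcp_port" = "n" ]; then
    fast_Default_Ask "数据传输使用哪个端口?(UDP端口)" "1999" "ocserv_udpport_set"
  fi
  # start on boot
  fast_Default_Ask "系统启动时启动ocserv?(y/n)" "y" "ocserv_boot_start"
  # keep the vars file for fast mode next time
  fast_Default_Ask "是否将vars保存为fast模式?" "n" "save_user_vars"
}

#######################################
# Ask for the initial user: username/password, or the client p12 details.
# Sets: username, password, name_user_ca, oc_ex_days
#######################################
add_a_user() {
  if [ "$ca_login" = "n" ]; then
    Default_Ask "输入用户名." "$(get_random_word 4)" "username"
    Default_Ask "输入密码." "$(get_random_word 6)" "password"
  fi
  if [ "$ca_login" = "y" ] && [ "$self_signed_ca" = "y" ]; then
    Default_Ask "输入一个名字给 p12证书文件." "$(get_random_word 4)" "name_user_ca"
    while [ -d "/etc/ocserv/CAforOC/user-${name_user_ca}" ]; do
      Default_Ask "名称已经存在,请更改一个!" "$(get_random_word 4)" "name_user_ca"
    done
    # the name becomes a directory component under CAforOC
    case "$name_user_ca" in
      ""|*/*|*..*) die "invalid p12 name: ${name_user_ca}" ;;
    esac
    Default_Ask "输入您的p12证书文件的密码。" "$(get_random_word 4)" "password"
    # expiration days for the client p12 cert
    Default_Ask "输入p12证书文件的过期天数。" "7777" "oc_ex_days"
  fi
}

#######################################
# Install the packages in $oc_dependencies one at a time (continues on the next line).
# Globals: oc_dependencies (space-separated), TEST_S (extra apt options, word-split on purpose)
#######################################
Dependencies_install_onebyone() {
  local OC_DP
  for OC_DP in $oc_dependencies; do
    print_info "安装 $OC_DP "
    # shellcheck disable=SC2086 -- TEST_S intentionally carries several options
    if DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends $TEST_S "$OC_DP"; then
      print_info "Install [ ${OC_DP} ] ok!"
      apt-get clean
    else
      print_warn "[ ${OC_DP} ] not be installed!"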
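# --- continuation of Dependencies_install_onebyone ---
    fi
  done
}

#######################################
# Build and install lz4 from the latest GitHub release tag.
#######################################
tar_lz4_install() {
  print_info "从github安装lz4"
  DEBIAN_FRONTEND=noninteractive apt-get -y -qq remove --purge liblz4-dev
  mkdir lz4
  LZ4_VERSION=$(curl -sL "https://github.com/Cyan4973/lz4/releases/latest" | sed -n 's/^.*tag\/\([^"]*\).*/\1/p' | head -n1)
  # the tag is scraped from HTML and becomes part of a URL and a file name;
  # accept only a plain "v1.2.3"-style tag
  [[ "$LZ4_VERSION" =~ ^v?[0-9]+(\.[0-9]+)+$ ]] || die "unexpected lz4 tag: ${LZ4_VERSION}"
  # NOTE: no signature or checksum is verified for this download
  curl -SL "https://github.com/Cyan4973/lz4/archive/$LZ4_VERSION.tar.gz" -o lz4.tar.gz
  tar -xf lz4.tar.gz -C lz4 --strip-components=1
  rm lz4.tar.gz
  cd lz4 || die "cd lz4 failed"
  make -j"$(nproc)" && make install
  cd ..
  rm -r lz4
  # presumably selects the multiarch lib dir for a 64-bit userland — verify on non-x86 hosts
  if [ "$(getconf WORD_BIT)" = '32' ] && [ "$(getconf LONG_BIT)" = '64' ]; then
    ln -sf /usr/local/lib/liblz4.* /usr/lib/x86_64-linux-gnu/
  else
    ln -sf /usr/local/lib/liblz4.* /usr/lib/i386-linux-gnu/
  fi
  print_info "[ lz4 ] ok"
}

#######################################
# Build and install freeradius-client 1.1.7 from the upstream tarball
# (continues on the next line).
#######################################
tar_freeradius_client_install() {
  print_info "安装 freeradius-client-1.1.7"
  # quoted so a leftover tarball in the cwd cannot be glob-expanded into the package list
  DEBIAN_FRONTEND=noninteractive apt-get -y -qq remove --purge 'freeradius-client*'
  # NOTE: plain FTP, and no signature or checksum is verified for this tarball
  wget -c ftp://ftp.freeradius.org/pub/freeradius/freeradius-client-1.1.7.tar.gz
  tar -zxf freeradius-client-1.1.7.tar.gz
  cd freeradius-client-1.1.7 || die "cd freeradius-client-1.1.7 failed"
  ./configure --prefix=/usr --sysconfdir=/etc
  make -j"$(nproc)" && make install
  cd ..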
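# --- continuation of tar_freeradius_client_install ---
  rm -rf freeradius-client*
  print_info "[ freeradius-client ] ok"
}

#######################################
# Install packages from an extra suite, adding it temporarily when absent.
# Arguments: $1 "y" if the suite is already in sources.list, "n" to add it;
#            $2 suite codename; $3 space-separated package list
# NOTE: --force-yes lets apt proceed with unauthenticated packages from $2.
#######################################
test_source_install() {
  if [ "$1" = "n" ]; then
    echo "deb http://ftp.debian.org/debian $2 main contrib non-free" >> /etc/apt/sources.list.d/ocserv.list
    apt-get update
  fi
  oc_dependencies="$3"
  TEST_S="-t $2 -f --force-yes"
  Dependencies_install_onebyone
  if [ "$1" = "n" ]; then
    rm -rf /etc/apt/sources.list.d/ocserv.list
    apt-get update
  fi
}

#######################################
# Install build dependencies (continues on the next line).
# Globals: oc_D_V (codename from surport_Syscodename); sets oc_add_dependencies
#######################################
pre_install() {
  # hold the running kernel so apt-get upgrade does not replace it
  echo "linux-image-$(uname -r) hold" | dpkg --set-selections > /dev/null 2>&1
  apt-get upgrade -y
  echo "linux-image-$(uname -r) install" | dpkg --set-selections > /dev/null 2>&1
  # pin so that extra suites are only used for explicitly requested packages
  mkdir -p /etc/apt/preferences.d /etc/apt/apt.conf.d /etc/apt/sources.list.d
  # apt preference records must be separated by a blank line; the original
  # file ran both "Package:" stanzas together
  cat > /etc/apt/preferences.d/my_ocserv_preferences <<'EOF'
Package: *
Pin: release wheezy
Pin-Priority: 900

Package: *
Pin: release wheezy-backports
Pin-Priority: 90
EOF
  cat > /etc/apt/apt.conf.d/77ocserv <<'EOF'
APT::Install-Recommends "false";
APT::Install-Suggests "false";
APT::Get::Install-Recommends "false";
APT::Get::Install-Suggests "false";
EOF
  # gnutls-bin (certtool) is too old on wheezy/trusty/utopic (e.g. only one OU),
  # so the newer gnutls/protobuf packages are only added on later releases:
  # wheezy none; trusty base set; utopic base + protobuf; everything else also gnutls-bin
  oc_add_dependencies=""
  case "$oc_D_V" in
    wheezy) ;;
    trusty) oc_add_dependencies="libgnutls28-dev libseccomp-dev libhttp-parser-dev libkrb5-dev" ;;
    utopic) oc_add_dependencies="libgnutls28-dev libseccomp-dev libhttp-parser-dev libkrb5-dev libprotobuf-c-dev" ;;
    *)      oc_add_dependencies="libgnutls28-dev libseccomp-dev libhttp-parser-dev libkrb5-dev libprotobuf-c-dev gnutls-bin" ;;
  esac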
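# --- continuation of pre_install ---
  oc_dependencies="openssl autogen gperf pkg-config make gcc m4 build-essential libgmp3-dev libwrap0-dev libpam0g-dev libdbus-1-dev libnl-route-3-dev libopts25-dev libnl-nf-3-dev libreadline-dev libpcl1-dev libtalloc-dev libev-dev liboath-dev $oc_add_dependencies"
  TEST_S=""
  Dependencies_install_onebyone
  # debian wheezy: gnutls from wheezy-backports
  if [ "$oc_D_V" = "wheezy" ]; then
    test_source_install "$source_wheezy_backports" "wheezy-backports" "gnutls-bin libgnutls28-dev libseccomp-dev"
  fi
  # ubuntu 14.04: gnutls/libtasn1 from debian jessie
  if [ "$oc_D_V" = "trusty" ]; then
    test_source_install "$source_jessie" "jessie" "gnutls-bin libtasn1-6-dev libtasn1-3-dev libtasn1-3-bin libtasn1-6-dbg libtasn1-bin libtasn1-doc"
  fi
  # ubuntu 14.10: gnutls from debian jessie
  if [ "$oc_D_V" = "utopic" ]; then
    test_source_install "$source_jessie" "jessie" "gnutls-bin"
  fi
  # freeradius-client 1.1.7 and lz4 from source
  tar_freeradius_client_install
  tar_lz4_install
  # clean up and drop the temporary apt policy
  apt-get autoremove -qq -y && apt-get clean
  rm -f /etc/apt/preferences.d/my_ocserv_preferences
  rm -f /etc/apt/apt.conf.d/77ocserv
  print_info "Dependencies ok"
}

#######################################
# Download, build and install ocserv $oc_version (continues on the next lines).
# Globals: oc_version, Default_oc_version, OC_version_latest, Script_Dir
#######################################
tar_ocserv_install() {
  cd "${Script_Dir}" || die "cd ${Script_Dir} failed"
  # default version
  oc_version=${oc_version:-${Default_oc_version}}
  if [ "$OC_version_latest" = "" ]; then
    # fallback mirror; point this at your own copy if you fork
    oc_version='0.10.8'
    curl -SOL "https://github.com/fanyueciyuan/ocserv-backup/raw/master/ocserv-$oc_version.tar.xz"
  else
    # the version is interpolated into the URL and into rm -rf / cd below;
    # accept only a dotted number
    [[ "$oc_version" =~ ^[0-9]+(\.[0-9]+)+$ ]] || die "unexpected ocserv version: ${oc_version}"
    # NOTE: plain FTP, and no signature or checksum is verified for this tarball
    wget -c ftp://ftp.infradead.org/pub/ocserv/ocserv-$oc_version.tar.xz
  fi
  tar xvf "ocserv-$oc_version.tar.xz"
  rm -rf "ocserv-$oc_version.tar.xz"
  cd "ocserv-$oc_version" || die "cd ocserv-$oc_version failed"
  # 0.10.6 build fix
  [ "$oc_version" = "0.10.6" ] && {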
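# --- continuation of tar_ocserv_install (inside the 0.10.6 fix group) ---
    # upstream IPV6_PATHMTU fix, see
    # http://git.infradead.org/ocserv.git/commitdiff/747346c7e6c56f91757b515dd20be6517a9e3b5c?hp=63fa6baa85b622ddabe60c147985280c54087332
    sed -i 's|#ifdef __linux__|#if defined(__linux__) \&\&!defined(IPV6_PATHMTU)|' src/worker-vpn.c
    sed -i '/\/\* for IPV6_PATHMTU \*\//d' src/worker-vpn.c
    sed -i 's|# include |# define IPV6_PATHMTU 61|' src/worker-vpn.c
  }
  # shellcheck disable=SC2086 -- Extra_Options intentionally carries several ./configure flags
  ./configure --prefix=/usr --sysconfdir=/etc $Extra_Options
  make -j"$(nproc)"
  make install
  # did the build actually install the binary?
  if [ ! -f /usr/sbin/ocserv ]; then
    print_warn "Fail..."
    make clean
    die "Ocserv install failure,check ${Script_Dir}/ocinstall.log"
  fi
  # config directories and the AnyConnect profile
  mkdir -p /etc/ocserv/CAforOC/revoke > /dev/null 2>&1
  mkdir /etc/ocserv/{config-per-group,defaults} > /dev/null 2>&1
  cp doc/profile.xml /etc/ocserv
  sed -i "s|localhost|$ocserv_hostname|" /etc/ocserv/profile.xml
  cd ..
  rm -rf "ocserv-$oc_version"
  # fetch the init script and config files that are not present yet.
  # The init script runs as root on every boot, so TLS verification stays on
  # (the original passed --no-check-certificate to every wget below).
  cd /etc/ocserv || die "cd /etc/ocserv failed"
  if [ ! -f /etc/init.d/ocserv ]; then
    wget -c "$NET_OC_CONF_DOC/ocserv_debian" -O /etc/init.d/ocserv
    chmod +x /etc/init.d/ocserv
    update-rc.d -f ocserv defaults
  fi
  if [ ! -f ocserv-up.sh ]; then
    wget -c "$NET_OC_CONF_DOC/ocserv-up.sh"
    chmod +x ocserv-up.sh
  fi
  if [ ! -f ocserv-down.sh ]; then
    wget -c "$NET_OC_CONF_DOC/ocserv-down.sh"
    chmod +x ocserv-down.sh
  fi
  if [ ! -f ocserv.conf ]; then
    wget -c "$NET_OC_CONF_DOC/ocserv.conf"
  fi
  if [ ! -f config-per-group/Route ]; then
    wget -c "$NET_OC_CONF_DOC/Route" -O config-per-group/Route
  fi
  if [ ! -f dh.pem ]; then
    print_info "也许生成DH参数需要一些时间,请稍候……"
    certtool --generate-dh-params --sec-param medium --outfile dh.pem
  fi
  clear
  print_info "Ocserv 安装成功"
}

#######################################
# Create the self-signed CA and the server key/cert under /etc/ocserv/CAforOC
# (continues on the next line).
# Globals: caname, ogname, coname, fqdnname, ocserv_hostname
#######################################
make_ocserv_ca() {
  print_info "生成自签名CA..."
  # everything lives in one directory
  cd /etc/ocserv/CAforOC || die "cd /etc/ocserv/CAforOC failed"
  # CA name / organization / company / server FQDN
  caname=${caname:-ocvpn}
  ogname=${ogname:-ocvpn}
  coname=${coname:-ocvpn}
  fqdnname=${fqdnname:-$ocserv_hostname}
  # CA key and certificate. ocserv does not fetch online CRLs, so
  # crl_dist_points stays commented out in the template.
  # Private keys are created unreadable to other users (umask in a subshell).
  (umask 077 && openssl genrsa -out ca-key.pem 4096)
  cat << _EOF_ > ca.tmpl
cn = "$caname"
organization = "$ogname"
serial = 1
expiration_days = 7777
ca
signing_key
cert_signing_key
crl_signing_key
# An URL that has CRLs (certificate revocation lists)
# available. Needed in CA certificates.
#crl_dist_points = "http://www.getcrl.crl/getcrl/"
_EOF_
  certtool --generate-self-signed --hash SHA256 --load-privkey ca-key.pem --template ca.tmpl --outfile ca-cert.pem
  # server key and certificate, signed by the CA above
  (umask 077 && openssl genrsa -out server-key.pem 2048)
  cat << _EOF_ > server.tmpl
cn = "$fqdnname"
organization = "$coname"
serial = 2
expiration_days = 7777
signing_key
encryption_key
tls_www_server
_EOF_
  certtool --generate-certificate --hash SHA256 --load-privkey server-key.pem --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem --template server.tmpl --outfile server-cert.pem
  [ ! -f server-cert.pem ] && die "server-cert.pem NOT Found , make failure!"
  [ ! -f server-key.pem ] && die "server-key.pem NOT Found , make failure!"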
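# --- continuation of make_ocserv_ca ---
  # append the CA cert so clients receive the full chain
  cat ca-cert.pem >> server-cert.pem
  cp server-cert.pem /etc/ocserv && cp server-key.pem /etc/ocserv
  cp ca-cert.pem /etc/ocserv
  print_info "自签名证书成功"
}

#######################################
# Create a client key/cert/p12 for $name_user_ca, signed by the local CA
# (continues on the next line).
# Globals: name_user_ca, oc_ex_days, caname, password, open_two_group
#######################################
ca_login_clientcert() {
  print_info "生成客户端证书……"
  cd /etc/ocserv/CAforOC || die "cd /etc/ocserv/CAforOC failed"
  # recover the CA name from the certificate; ask when it cannot be parsed.
  # NOTE(review): the sed expects the slash-separated subject format; newer
  # openssl prints "CN = x", which presumably yields an empty name here — confirm
  caname=$(openssl x509 -noout -subject -in ca-cert.pem | sed -n 's/.*CN=\([^=]*\)\/.*/\1/p')
  if [ "X${caname}" = "X" ]; then
    Default_Ask "告诉我你的CA的名字。" "ocvpn" "caname"
  fi
  name_user_ca=${name_user_ca:-$(get_random_word 4)}
  while [ -d "user-${name_user_ca}" ]; do
    name_user_ca=$(get_random_word 4)
  done
  # the name is used as a directory component below
  case "$name_user_ca" in
    ""|*/*|*..*) die "invalid p12 name: ${name_user_ca}" ;;
  esac
  mkdir "user-${name_user_ca}"
  oc_ex_days=${oc_ex_days:-7777}
  cat << _EOF_ > "user-${name_user_ca}/user.tmpl"
cn = "${name_user_ca}"
unit = "Route"
#unit = "All"
uid ="${name_user_ca}"
expiration_days = ${oc_ex_days}
signing_key
tls_www_client
_EOF_
  # two groups means two "unit" lines; the iOS AnyConnect client does not support that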
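# --- continuation of ca_login_clientcert ---
  [ "$open_two_group" = "y" ] && sed -i 's/^#//' "user-${name_user_ca}/user.tmpl"
  # user key (unreadable to other users)
  (umask 077 && openssl genrsa -out "user-${name_user_ca}/user-${name_user_ca}-key.pem" 2048)
  # user cert
  certtool --generate-certificate --hash SHA256 --load-privkey "user-${name_user_ca}/user-${name_user_ca}-key.pem" --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem --template "user-${name_user_ca}/user.tmpl" --outfile "user-${name_user_ca}/user-${name_user_ca}-cert.pem"
  # p12 bundle. The export password is handed over through the environment
  # rather than as a "pass:" argument, so it does not appear in the process list.
  OC_P12_PASS="$password" openssl pkcs12 -export -inkey "user-${name_user_ca}/user-${name_user_ca}-key.pem" -in "user-${name_user_ca}/user-${name_user_ca}-cert.pem" -name "${name_user_ca}" -certfile ca-cert.pem -caname "$caname" -out "user-${name_user_ca}/user-${name_user_ca}.p12" -passout env:OC_P12_PASS
  # copy to the script directory for the user to pick up
  cp "user-${name_user_ca}/user-${name_user_ca}.p12" "${Script_Dir}/${name_user_ca}.p12"
  empty_revocation_list
  print_info "生成客户端证书成功"
}

#######################################
# Create an empty CRL at /etc/ocserv/crl.pem the first time a client cert is issued.
# Runs inside /etc/ocserv/CAforOC (the caller cd's there).
#######################################
empty_revocation_list() {
  if [ ! -f crl.tmpl ]; then
    cat << _EOF_ > crl.tmpl
crl_next_update = 7777
crl_number = 1
_EOF_
    certtool --generate-crl --load-ca-privkey ca-key.pem --load-ca-certificate ca-cert.pem --template crl.tmpl --outfile ../crl.pem
  fi
}

#######################################
# Apply the chosen settings to ocserv.conf (continues on the next line).
# Globals: ocserv_tcpport_set, ocserv_udpport_set, save_user_vars,
#          ocserv_boot_start, only_tcp_port, fqdnname, open_two_group, ca_login
#######################################
set_ocserv_conf() {
  # defaults
  ocserv_tcpport_set=${ocserv_tcpport_set:-999}
  ocserv_udpport_set=${ocserv_udpport_set:-1999}
  save_user_vars=${save_user_vars:-n}
  ocserv_boot_start=${ocserv_boot_start:-y}
  only_tcp_port=${only_tcp_port:-n}
  # the ports are interpolated into sed replacements below; digits only
  [[ "$ocserv_tcpport_set" =~ ^[0-9]+$ ]] || die "invalid tcp port: ${ocserv_tcpport_set}"
  [[ "$ocserv_udpport_set" =~ ^[0-9]+$ ]] || die "invalid udp port: ${ocserv_udpport_set}"
  sed -i "s|\(tcp-port = \).*|\1$ocserv_tcpport_set|" "${LOC_OC_CONF}"
  sed -i "s|\(udp-port = \).*|\1$ocserv_udpport_set|" "${LOC_OC_CONF}"
  # default-domain, compression, dh.pem
  sed -i "s|^[# \t]*\(default-domain = \).*|\1$fqdnname|" "${LOC_OC_CONF}"
  sed -i "s|^[# \t]*\(compression = \).*|\1true|" "${LOC_OC_CONF}"
  sed -i 's|^[# \t]*\(dh-params = \).*|\1/etc/ocserv/dh.pem|' "${LOC_OC_CONF}"
  # two-group mode (known bug: certificate login cannot use the Default group)
  [ "$open_two_group" = "y" ] && two_group_set
  # split default route for the default group and the All group
  printf 'route = 0.0.0.0/128.0.0.0\nroute = 128.0.0.0/128.0.0.0\n' > /etc/ocserv/defaults/group.conf
  printf 'route = 0.0.0.0/128.0.0.0\nroute = 128.0.0.0/128.0.0.0\n' > /etc/ocserv/config-per-group/All
  # start on boot
  Service_ocserv
  # [ "$ocserv_boot_start" = "y" ] && {
  #   print_info "Enable ocserv service to start during bootup."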
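# --- continuation of set_ocserv_conf (disabled boot-start code kept for reference) ---
  #   [ "$ocserv_systemd" = "y" ] && {
  #     systemctl enable ocserv > /dev/null 2>&1 || insserv ocserv > /dev/null 2>&1
  #   }
  #   [ "$ocserv_systemd" = "n" ] && insserv ocserv > /dev/null 2>&1
  # }
  # initial user for plain (username/password) login
  [ "$ca_login" = "n" ] && plain_login_set
  # tcp only: comment out udp-port
  [ "$only_tcp_port" = "y" ] && sed -i 's|^[ \t]*\(udp-port = \)|#\1|' "${LOC_OC_CONF}"
  # certificate login
  if [ "$ca_login" = "y" ]; then
    sed -i 's|^[ \t]*\(auth = "plain\)|#\1|' "${LOC_OC_CONF}"
    sed -i 's|^[# \t]*\(auth = "certificate"\)|\1|' "${LOC_OC_CONF}"
    ca_login_set
  fi
  # drop the saved vars unless the user asked to keep them
  [ "$save_user_vars" = "n" ] && rm -f "$CONFIG_PATH_VARS"
  print_info "Set ocserv ok"
}

#######################################
# Enable OU-based group selection between the Route and All groups.
#######################################
two_group_set() {
  sed -i 's|^[# \t]*\(cert-group-oid = \).*|\12.5.4.11|' "${LOC_OC_CONF}"
  sed -i 's|^[# \t]*\(select-group = \)group1.*|\1Route|' "${LOC_OC_CONF}"
  sed -i 's|^[# \t]*\(select-group = \)group2.*|\1All|' "${LOC_OC_CONF}"
  # sed -i 's|^[# \t]*\(default-select-group = \).*|\1Default|' ${LOC_OC_CONF}
  sed -i 's|^[# \t]*\(auto-select-group = \).*|\1false|' "${LOC_OC_CONF}"
  sed -i 's|^[# \t]*\(config-per-group = \).*|\1/etc/ocserv/config-per-group|' "${LOC_OC_CONF}"
  # sed -i 's|^[# \t]*\(default-group-config = \).*|\1/etc/ocserv/defaults/group.conf|' ${LOC_OC_CONF}
}

#######################################
# Create the initial plain-login user in /etc/ocserv/ocpasswd.
# Globals: username, password, open_two_group
#######################################
plain_login_set() {
  local -a group_opts=()
  # The original built the string '-g "Route,All"' and expanded it unquoted,
  # which handed ocpasswd a group name with literal quote characters; an array
  # passes the two words intact.
  [ "$open_two_group" = "y" ] && group_opts=(-g "Route,All")
  (printf '%s\n' "$password"; sleep 1; printf '%s\n' "$password") | ocpasswd -c /etc/ocserv/ocpasswd ${group_opts[@]+"${group_opts[@]}"} "$username"
}

#######################################
# Point ocserv at the local CA and CRL and take the user name from the cert CN.
#######################################
ca_login_set() {
  sed -i 's|^[# \t]*\(ca-cert = \).*|\1/etc/ocserv/ca-cert.pem|' "${LOC_OC_CONF}"
  sed -i 's|^[# \t]*\(crl = \).*|\1/etc/ocserv/crl.pem|' "${LOC_OC_CONF}"
  # client certificate CN (2.5.4.3) is the user name
  sed -i 's|^[# \t]*\(cert-user-oid = \).*|\12\.5\.4\.3|' "${LOC_OC_CONF}"
  # alternative: the UID attribute (0.9.2342.19200300.100.1.1) as the user name
  # sed -i 's|^[# \t]*\(cert-user-oid = \).*|\10\.9\.2342\.19200300\.100\.1\.1|' ${LOC_OC_CONF}
}

#######################################
# Stop ocserv via the init script, then make sure no process is left behind.
#######################################
stop_ocserv() {
  local pid
  /etc/init.d/ocserv stop
  oc_pid=$(pidof ocserv)
  if [ -n "$oc_pid" ]; then
    for pid in $oc_pid; do
      # SIGTERM first; escalate to SIGKILL only if the process is still there
      if kill "$pid" > /dev/null 2>&1; then
        sleep 1
        kill -0 "$pid" > /dev/null 2>&1 && kill -9 "$pid" > /dev/null 2>&1
        echo "Ocserv进程[$pid]已终止"
      fi
    done
  fi
}

#######################################
# Start ocserv, refusing when the server key pair is missing.
#######################################
start_ocserv() {
  [ ! -f /etc/ocserv/server-cert.pem ] && die "server-cert.pem 没找到 !!!"
  [ ! -f /etc/ocserv/server-key.pem ] && die "server-key.pem 没找到!!!"
  /etc/init.d/ocserv start
}

#######################################
# Print the final summary and next steps (continues on the next line).
#######################################
show_ocserv() {
  ocserv_port=$(sed -n 's/^[ \t]*tcp-port[ \t]*=[ \t]*//p' "${LOC_OC_CONF}")
  clear
  echo
  if pgrep ocserv > /dev/null 2>&1; then
    echo -e "\033[41;37mYour Server Domain :\033[0m\t\t$fqdnname:$ocserv_port"
    if [ "$ca_login" = "y" ]; then
      get_new_userca_show
    else
      echo -e "\033[41;37mYour Username :\033[0m\t\t\t$username"
      echo -e "\033[41;37mYour Password :\033[0m\t\t\t$password"
      echo
      print_info "You could use ' sudo ocpasswd -c /etc/ocserv/ocpasswd username ' to add users. "
    fi
    print_info "You could stop ocserv by ' /etc/init.d/ocserv stop '!"
    print_info "Boot from the start or not, use ' sudo insserv ocserv ' or ' sudo insserv -r ocserv '."
    echo
    print_info "Enjoy it!"
    echo
  elif [ "$self_signed_ca" = "n" ] && [ "$ca_login" = "n" ]; then
    echo -e "\033[41;37mYour Username :\033[0m\t\t\t$username"
    echo -e "\033[41;37mYour Password :\033[0m\t\t\t$password"
    echo
    print_info "1,You should change Server Certificate and Server Key's name to server-cert.pem and server-key.pem !"
    print_info "2,You should put them to /etc/ocserv !"
    print_info "3,You could start ocserv by ' /etc/init.d/ocserv start ' !"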
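# --- continuation of show_ocserv ---
    print_info "4,You could use ' sudo ocpasswd -c /etc/ocserv/ocpasswd username ' to add users."
    print_info "5,Boot from the start or not, use ' sudo insserv ocserv ' or ' sudo insserv -r ocserv '."
    echo
  elif [ "$self_signed_ca" = "n" ] && [ "$ca_login" = "y" ]; then
    print_info "1,You should change your Server Certificate and Server Key's name to server-cert.pem and server-key.pem !"
    print_info "2,You should change your Certificate Authority Certificates and Certificate Authority Key's name to ca-cert.pem and ca-key.pem !"
    print_info "3,You should put server-cert.pem server-key.pem and ca-cert.pem to /etc/ocserv !"
    print_info "4,You should put ca-cert.pem and ca-key.pem to /etc/ocserv/CAforOC !"
    print_info "5,You could use ' bash $(basename "$0") gc ' to generate a new client-cert."
    print_info "6,You could start ocserv by ' /etc/init.d/ocserv start '."
    print_info "7,Boot from the start or not, use ' sudo insserv ocserv ' or ' sudo insserv -r ocserv '."
    echo
  else
    die "Ocserv start failure,check ${Script_Dir}/ocinstall.log"
  fi
}

#######################################
# Sanity checks before issuing or revoking client certificates.
#######################################
check_ca_cert() {
  [ ! -f /usr/sbin/ocserv ] && die "Ocserv NOT Found !!!"
  [ ! -f /etc/ocserv/CAforOC/ca-key.pem ] && die "ca-key.pem NOT Found !!!"
  [ ! -f /etc/ocserv/CAforOC/ca-cert.pem ] && die "ca-cert.pem NOT Found !!!"
}

#######################################
# "gc" action: ask for the client details and issue a new client certificate.
#######################################
get_new_userca() {
  check_ca_cert
  ca_login="y"
  self_signed_ca="y"
  add_a_user
  press_any_key
  ca_login_clientcert
  clear
  echo
}

#######################################
# Print where the new p12 is and how to manage client certs (continues on the next line).
#######################################
get_new_userca_show() {
  echo -e "\033[41;37mClient-cert Password :\033[0m\t\t$password"
  echo -e "\033[41;37mClient-cert Expiration Days :\033[0m\t$oc_ex_days"
  echo
  print_info "You should import the client certificate to your device at first."
  print_info "You could get ${name_user_ca}.p12 from ${Script_Dir}."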
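# --- continuation of get_new_userca_show ---
  print_info "You could use ' bash $(basename "$0") gc ' to generate a new client-cert."
  print_info "You could use ' bash $(basename "$0") rc ' to revoke an old client-cert."
}

#######################################
# Move expired client cert directories (user-*) into revoke/.
# Runs inside /etc/ocserv/CAforOC (the caller cd's there).
#######################################
Outdate_Autoclean() {
  local My_One_Ca Client_EX_Date
  Today_Date=$(date +%s)
  # iterate the directories directly instead of parsing ls
  for My_One_Ca in user-*/; do
    [ -d "$My_One_Ca" ] || continue
    My_One_Ca=${My_One_Ca%/}
    Client_EX_Date=$(openssl x509 -noout -enddate -in "${My_One_Ca}/${My_One_Ca}-cert.pem" | cut -d= -f2)
    Client_EX_Date=$(date -d "${Client_EX_Date}" +%s)
    # skip entries whose end date could not be read instead of failing the test
    if [ -n "$Client_EX_Date" ] && [ "${Client_EX_Date}" -lt "${Today_Date}" ]; then
      My_One_Ca_Now="${My_One_Ca}_${Today_Date}"
      mv "${My_One_Ca}" "${My_One_Ca_Now}"
      mv "${My_One_Ca_Now}" -t revoke/
    fi
  done
}

#######################################
# "rc" action: pick a client cert directory and add its cert to the CRL
# (continues on the next line).
#######################################
revoke_userca() {
  local d
  check_ca_cert
  cd /etc/ocserv/CAforOC || die "cd /etc/ocserv/CAforOC failed"
  Outdate_Autoclean
  clear
  print_xxxx
  print_info "The following is the user list..."
  echo
  # list the user-* directories without parsing ls
  for d in user-*/; do [ -d "$d" ] && printf '%s\n' "${d%/}"; done | color_line
  print_xxxx
  print_info "Which user do you want to revoke?"
  echo
  read -r -p "Which: " -e -i user- revoke_ca
  # the answer becomes a path component below; refuse anything that could leave CAforOC
  case "$revoke_ca" in
    ""|*/*|*..*) die "$revoke_ca NOT Found !!!" ;;
  esac
  if [ ! -f "/etc/ocserv/CAforOC/$revoke_ca/$revoke_ca-cert.pem" ]; then
    die "$revoke_ca NOT Found !!!"
  fi
  echo
  print_warn "Okay,${revoke_ca} will be revoked."
  print_xxxx
  press_any_key
  # revoke: append the cert to revoked.pem and regenerate the CRL
  cat "${revoke_ca}/${revoke_ca}-cert.pem" >> revoked.pem
  certtool --generate-crl --load-ca-privkey ca-key.pem --load-ca-certificate ca-cert.pem --load-certificate revoked.pem --template crl.tmpl --outfile ../crl.pem
  revoke_ca_now="${revoke_ca}_$(date +%s)"
  mv "${revoke_ca}" "${revoke_ca_now}"
  mv "${revoke_ca_now}" revoke/
  print_info "${revoke_ca} was revoked."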
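# --- continuation of revoke_userca ---
  echo
}

#######################################
# "ri" action: wipe everything and run the installer again.
#######################################
reinstall_ocserv() {
  uninstall_ocserv
  install_OpenConnect_VPN_server
}

#######################################
# Stop ocserv and remove the binaries, the init script and /etc/ocserv.
#######################################
uninstall_ocserv() {
  stop_ocserv
  rm -rf /etc/ocserv
  rm -f /usr/sbin/ocserv /etc/init.d/ocserv /usr/bin/occtl /usr/bin/ocpasswd
}

#######################################
# "ug" action: rebuild ocserv at a newer version in place.
#######################################
upgrade_ocserv() {
  get_info_from_net
  if [ "$OC_version_latest" = "" ]; then
    die "Could not connect to the official website."
  fi
  Default_Ask "The latest is ${OC_version_latest} ,Input the version you want to upgrade." "$OC_version_latest" "oc_version"
  # the version ends up in download URLs and rm -rf paths; digits and dots only
  [[ "$oc_version" =~ ^[0-9]+(\.[0-9]+)+$ ]] || die "unexpected ocserv version: ${oc_version}"
  press_any_key
  stop_ocserv
  rm -f /etc/ocserv/profile.xml
  # tar_ocserv_install detects a failed build by the absence of /usr/sbin/ocserv,
  # so the old binary has to go first
  rm -f /usr/sbin/ocserv
  tar_ocserv_install
  start_ocserv
  if pgrep ocserv > /dev/null 2>&1; then
    print_info "Your ocserv upgrade was successful!"
  else
    print_warn "Ocserv start failure,ocserv is offline!"
    print_info "You could use ' bash $(basename "$0") ri' to forcibly upgrade your ocserv."
  fi
}

#######################################
# "pc" action: enable whichever of plain/certificate login is still off
# (continues on the next line).
#######################################
enable_both_login() {
  character_Test "${LOC_OC_CONF}" 'auth = "plain' && {
    character_Test "${LOC_OC_CONF}" 'enable-auth = certificate' && {
      die "You have enabled the plain and the certificate login."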
911 | } 912 | enable_both_login_open_ca 913 | } 914 | character_Test ${LOC_OC_CONF} 'auth = "certificate"' && { 915 | enable_both_login_open_plain 916 | } 917 | } 918 | 919 | function enable_both_login_open_ca(){ 920 | get_new_userca 921 | sed -i 's|^[# \t]*\(enable-auth = certificate\)|\1|' ${LOC_OC_CONF} 922 | ca_login_set 923 | stop_ocserv 924 | start_ocserv 925 | clear 926 | echo 927 | print_info "The plain login and the certificate login are Okay~" 928 | print_info "The following is your certificate login info~" 929 | echo 930 | get_new_userca_show 931 | echo 932 | } 933 | 934 | function enable_both_login_open_plain(){ 935 | ca_login="n" 936 | add_a_user 937 | press_any_key 938 | plain_login_set 939 | sed -i 's|^[ \t]*\(auth = "certificate"\)|#\1|' ${LOC_OC_CONF} 940 | sed -i 's|^[# \t]*\(auth = "plain\)|\1|' ${LOC_OC_CONF} 941 | sed -i 's|^[# \t]*\(enable-auth = certificate\)|\1|' ${LOC_OC_CONF} 942 | stop_ocserv 943 | start_ocserv 944 | clear 945 | echo 946 | print_info "The plain login and the certificate login are Okay~" 947 | print_info "The following is your plain login info~" 948 | echo 949 | echo -e "\033[41;37mYour Username :\033[0m\t\t\t$username" 950 | echo -e "\033[41;37mYour Password :\033[0m\t\t\t$password" 951 | echo 952 | } 953 | 954 | function help_ocservauto(){ 955 | print_xxxx 956 | print_info "######################## Parameter Description ####################################" 957 | echo 958 | print_info " install ----------------------- Install ocserv for Debian 7+" 959 | echo 960 | print_info " fastmode or fm ---------------- Rapid installation for ocserv through $CONFIG_PATH_VARS" 961 | echo 962 | print_info " getuserca or gc --------------- Get a new client certificate" 963 | echo 964 | print_info " revokeuserca or rc ------------ Revoke a client certificate" 965 | echo 966 | print_info " upgrade or ug ----------------- Smoothly upgrade your ocserv" 967 | echo 968 | print_info " reinstall or ri --------------- Force to reinstall your 
ocserv(Destroy All Data)" 969 | echo 970 | print_info " pc ---------------------------- At the same time,enable the plain and the certificate login" 971 | echo 972 | print_info " occ --------------------------- Verify client certificates through a existing CA" 973 | echo 974 | print_info " help or h --------------------- Show this description" 975 | print_xxxx 976 | } 977 | 978 | ################################################################################################################# 979 | #surport system codename # 980 | ################################################################################################################# 981 | 982 | #已经测试过的系统 983 | function surport_Syscodename(){ 984 | oc_D_V=$(lsb_release -c -s) 985 | [ "$oc_D_V" = "wheezy" ] && return 0 986 | [ "$oc_D_V" = "jessie" ] && return 0 987 | [ "$oc_D_V" = "stretch" ] && return 0 988 | [ "$oc_D_V" = "trusty" ] && return 0 989 | [ "$oc_D_V" = "utopic" ] && return 0 990 | [ "$oc_D_V" = "vivid" ] && return 0 991 | [ "$oc_D_V" = "wily" ] && return 0 992 | [ "$oc_D_V" = "xenial" ] && return 0 993 | #TEST NEWER SYS 测试新系统,取消下面一行的注释。 994 | #[ "$oc_D_V" = "$oc_D_V" ] && return 0 995 | ############################### 996 | # # 另一种实现方式 997 | # D_V=( wheezy jessie trusty utopic vivid ) 998 | # for DV in ${D_V[*]} 999 | # do 1000 | # [ "$oc_D_V" = "$DV" ] && return 0 1001 | # done 1002 | ############################### 1003 | } 1004 | 1005 | #此处请不要改变 1006 | Script_Dir="$(cd "$(dirname $0)"; pwd)" 1007 | #此处请不要改变 1008 | CONFIG_PATH_VARS="${Script_Dir}/vars_ocservauto" 1009 | #此处请不要改变 1010 | LOC_OC_CONF="/etc/ocserv/ocserv.conf" 1011 | 1012 | ################################################################################################################## 1013 | #main # 1014 | ################################################################################################################## 1015 | clear 1016 | echo 
"===============================================================================================" 1017 | echo 1018 | print_info " 系统要求:Debian 7+ Ubuntu 14.04 +" 1019 | echo 1020 | print_info " 描述: 安装 OpenConnect VPN 服务端" 1021 | echo 1022 | echo "===============================================================================================" 1023 | 1024 | #ocserv配置文件所在的网络文件夹位置 1025 | #如果fork的话,请修改为自己的网络地址 1026 | NET_OC_CONF_DOC="https://raw.githubusercontent.com/user1121114685/Ocserv_for_Debian_Ubuntu/master" 1027 | #推荐的默认版本 1028 | Default_oc_version="0.11.8" 1029 | #开启分组模式,每位用户都会分配到All组和Route组。 1030 | #All走全局,Route将会绕过大陆。 1031 | #证书以及用户名登录都会采取。 1032 | #证书分组模式下,ios下anyconnect客户端有bug,请不要使用。 1033 | #默认为n关闭,开启为y。 1034 | open_two_group="n" 1035 | #编译安装ocserv的额外选项 1036 | #例如Extra_Options="--with-local-talloc --enable-local-libopts --without-pcl-lib --without-http-parser --without-protobuf" 1037 | #详细请参考./configure --help 或ocserv官网 1038 | Extra_Options="" 1039 | 1040 | #Initialization step 1041 | # action=$1 1042 | # [ -z $1 ] && action=install 1043 | # case "$action" in 1044 | # install) 1045 | # log_Start 1046 | # install_OpenConnect_VPN_server | tee -a ${Script_Dir}/ocinstall.log 1047 | # ;; 1048 | # fastmode | fm) 1049 | # [ ! -f $CONFIG_PATH_VARS ] && die "$CONFIG_PATH_VARS Not Found !" 1050 | # fast_install="y" 1051 | # . 
#     log_Start
#     install_OpenConnect_VPN_server | tee -a ${Script_Dir}/ocinstall.log
#     ;;
#   upgrade | ug)
#     log_Start
#     upgrade_ocserv | tee -a ${Script_Dir}/ocinstall.log
#     ;;
#   reinstall | ri)
#     log_Start
#     reinstall_ocserv | tee -a ${Script_Dir}/ocinstall.log
#     ;;
#   occ)
#     log_Start
#     install_Oneclientcer | tee -a ${Script_Dir}/ocinstall.log
#     ;;
#   getuserca | gc)
#     character_Test ${LOC_OC_CONF} 'auth = "plain' && {
#       character_Test ${LOC_OC_CONF} 'enable-auth = certificate' || {
#         die "You have to enable the the certificate login at first."
#       }
#     }
#     get_new_userca
#     get_new_userca_show
#     ;;
#   revokeuserca | rc)
#     revoke_userca
#     ;;
#   pc)
#     enable_both_login
#     ;;
#   help | h)
#     clear
#     help_ocservauto
#     ;;
#   *)
#     clear
#     print_warn "Arguments error! [ ${action} ]"
#     print_warn "Usage: bash `basename $0` {install|fm|gc|rc|ug|ri|pc|occ|help}"
#     help_ocservauto
#     ;;
# esac
# exit 0

# Roll back a failed installation: unregister the init script and delete every
# file the installer put in place.  NOTE: this removes /etc/ocserv as a whole,
# i.e. the configuration and the ocpasswd database too.  It does not exit, so
# callers must stop themselves afterwards.
over(){
  local path
  update-rc.d -f ocserv remove
  for path in /etc/ocserv /usr/sbin/ocserv /etc/init.d/ocserv /usr/bin/occtl /usr/bin/ocpasswd; do
    rm -rf -- "${path}"
  done
  echo && echo "安装过程错误,ocserv 卸载完成 !" && echo
}

# PID file of the ocserv daemon.
PID_FILE="/var/run/ocserv.pid"
# ocpasswd database: colon-separated records, first field = user name,
# last field = password hash (a leading "!" on the hash marks a locked account).
passwd_file="/etc/ocserv/ocpasswd"


# Print every account in ${passwd_file} with its enabled/disabled state and
# set User_num to the number of records.  Exits 1 when the file is missing.
List_User(){
  [[ ! -e ${passwd_file} ]] && echo -e "${Error} ocserv 账号配置文件不存在 !" && exit 1
  User_text=$(cat "${passwd_file}")
  if [[ ! \
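-z "${User_text}" ]]; then
    # One pass over the records instead of re-running awk|sed for every line.
    local record user_name user_hash user_status
    User_num=0
    user_list_all=""
    while IFS= read -r record || [[ -n ${record} ]]; do
      [[ -z ${record} ]] && continue
      User_num=$((User_num + 1))
      user_name=${record%%:*}
      user_hash=${record##*:}
      # ocpasswd -l prefixes the hash with "!" to lock an account.
      if [[ ${user_hash:0:1} == '!' ]]; then
        user_status="禁用"
      else
        user_status="启用"
      fi
      user_list_all="${user_list_all}用户名: ${user_name} 账号状态: ${user_status}\n"
    done <<< "${User_text}"
    echo && echo -e "用户总数 ${Green_font_prefix}${User_num}${Font_color_suffix}"
    # Quoted: the unquoted original word-split and glob-expanded user names.
    echo -e "${user_list_all}"
  fi
}

# Prompt for the user name of the account to add (sets global: username).
# Empty input falls back to "admin".
Set_username(){
  echo "请输入 要添加的VPN账号 用户名"
  read -e -p "(默认: admin):" username
  [[ -z "${username}" ]] && username="admin"
  echo && echo -e " 用户名 : ${Red_font_prefix}${username}${Font_color_suffix}" && echo
}
# Prompt for the password of the account to add (sets global: userpass).
# Empty input falls back to "admin8888"; because that default is public
# (it is in this script), a warning is printed when it is used.
Set_passwd(){
  echo "请输入 要添加的VPN账号 密码"
  read -e -p "(默认: admin8888):" userpass
  [[ -z "${userpass}" ]] && userpass="admin8888"
  echo && echo -e " 密码 : ${Red_font_prefix}${userpass}${Font_color_suffix}" && echo
  if [[ "${userpass}" == "admin8888" ]]; then
    echo -e "${Error} 警告: 正在使用默认密码,请尽快修改 !"
  fi
}

# Print the ocpasswd record whose user-name field is exactly $2 (file $1).
# Replaces `grep "<name>:*:"`, which treated the name as a regex and also
# matched any account whose name merely ended in it (e.g. "xadmin" for "admin").
oc_user_entry(){
  u="$2" awk -F ':' '$1 == ENVIRON["u"]' "$1"
}

# Interactively add a password account to ${passwd_file}.  Exits 1 when the
# name is invalid or already present, or when ocpasswd failed to store it.
Add_User(){
  Set_username
  Set_passwd
  # ':' is the record separator and whitespace would split the ocpasswd argument.
  if [[ ${username} == *[[:space:]:]* ]]; then
    echo -e "${Error} 用户名不合法 ![ ${username} ]" && exit 1
  fi
  if [[ -n $(oc_user_entry "${passwd_file}" "${username}") ]]; then
    echo -e "${Error} 用户名已存在 ![ ${username} ]" && exit 1
  fi
  # printf, not `echo -e`: a password containing a backslash sequence (\n, \t, ...)
  # must reach ocpasswd unchanged.  ocpasswd reads the password twice from stdin.
  printf '%s\n%s\n' "${userpass}" "${userpass}" | ocpasswd -c "${passwd_file}" "${username}"
  if [[ -n $(oc_user_entry "${passwd_file}" "${username}") ]]; then
    echo -e "${Info} 账号添加成功 ![ ${username} ]"
  else
    echo -e "${Error} 账号添加失败 ![ ${username} ]" && exit 1
  fi
}
# Interactively delete a password account; refuses when only one record is left.
Del_User(){
  List_User
  [[ ${User_num} == 1 ]] && echo -e "${Error} 当前仅剩一个账号配置,无法删除 !" \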
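&& exit 1
  echo -e "请输入要删除的VPN账号的用户名"
  read -e -p "(默认取消):" Del_username
  [[ -z "${Del_username}" ]] && echo "已取消..." && exit 1
  if [[ -z $(oc_user_entry "${passwd_file}" "${Del_username}") ]]; then
    echo -e "${Error} 用户名不存在 ! [${Del_username}]" && exit 1
  fi
  ocpasswd -c "${passwd_file}" -d "${Del_username}"
  if [[ -z $(oc_user_entry "${passwd_file}" "${Del_username}") ]]; then
    echo -e "${Info} 删除成功 ! [${Del_username}]"
  else
    echo -e "${Error} 删除失败 ! [${Del_username}]" && exit 1
  fi
}

# Print the ocpasswd record whose user-name field is exactly $2 (file $1).
# Replaces `grep "<name>:*:"`, which treated the name as a regex and also
# matched any account whose name merely ended in it (e.g. "xadmin" for "admin").
oc_user_entry(){
  u="$2" awk -F ':' '$1 == ENVIRON["u"]' "$1"
}

# Print the first character of the password hash of account $2 in file $1:
# "!" when the account is locked, empty when the account does not exist.
oc_user_lock_flag(){
  oc_user_entry "$1" "$2" | awk -F ':' '{print substr($NF, 1, 1)}'
}

# Interactively toggle an account: unlock (`ocpasswd -u`) when it is currently
# locked, lock (`ocpasswd -l`) otherwise.  Exits 1 on unknown name or failure.
Modify_User_disabled(){
  local flag
  List_User
  echo -e "请输入要启用/禁用的VPN账号的用户名"
  read -e -p "(默认取消):" Modify_username
  [[ -z "${Modify_username}" ]] && echo "已取消..." && exit 1
  if [[ -z $(oc_user_entry "${passwd_file}" "${Modify_username}") ]]; then
    echo -e "${Error} 用户名不存在 ! [${Modify_username}]" && exit 1
  fi
  flag=$(oc_user_lock_flag "${passwd_file}" "${Modify_username}")
  if [[ ${flag} == '!' ]]; then
    ocpasswd -c "${passwd_file}" -u "${Modify_username}"
    flag=$(oc_user_lock_flag "${passwd_file}" "${Modify_username}")
    if [[ ${flag} != '!' ]]; then
      echo -e "${Info} 启用成功 ! [${Modify_username}]"
    else
      echo -e "${Error} 启用失败 ! [${Modify_username}]" && exit 1
    fi
  else
    ocpasswd -c "${passwd_file}" -l "${Modify_username}"
    flag=$(oc_user_lock_flag "${passwd_file}" "${Modify_username}")
    if [[ ${flag} == '!' ]]; then
      echo -e "${Info} 禁用成功 ! [${Modify_username}]"
    else
      echo -e "${Error} 禁用失败 ! [${Modify_username}]" && exit 1
    fi
  fi
}
# Password-account management submenu (list / add / delete / enable-disable).
Set_Pass(){
  check_installed_status
  echo && echo -e " 你要做什么?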
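
${Green_font_prefix} 0.${Font_color_suffix} 列出 账号配置
————————
${Green_font_prefix} 1.${Font_color_suffix} 添加 账号配置
${Green_font_prefix} 2.${Font_color_suffix} 删除 账号配置
————————
${Green_font_prefix} 3.${Font_color_suffix} 启用/禁用 账号配置

注意:添加/修改/删除 账号配置后,VPN服务端会实时读取,无需重启服务端 !" && echo
  read -e -p "(默认: 取消):" set_num
  [[ -z "${set_num}" ]] && echo "已取消..." && exit 1
  case "${set_num}" in
    0) List_User ;;
    1) Add_User ;;
    2) Del_User ;;
    3) Modify_User_disabled ;;
    # Message corrected: 0 is a valid choice as well.
    *) echo -e "${Error} 请输入正确的数字[0-3]" && exit 1 ;;
  esac
}


# Set PID to the process id(s) of the running ocserv daemon (empty when none).
# NAME is not assigned anywhere in this part of the script; when it is empty
# the original `grep ""` matched every process on the host and "ocserv is
# running" was reported unconditionally, so fall back to the daemon name.
check_pid(){
  local name=${NAME:-ocserv}
  PID=$(ps -ef | grep -- "${name}" | grep -v "grep" | grep -v "ocservauto.sh" | grep -v "init.d" | grep -v "service" | awk '{print $2}')
}

# Abort unless the ocserv binary and its configuration are present.  Passing
# "un" as $1 tolerates a missing configuration file (uninstall path).
check_installed_status(){
  [[ ! -e /usr/sbin/ocserv ]] && echo -e "${Error} ocserv 没有安装,请检查 !" && exit 1
  [[ ! -e ${LOC_OC_CONF} ]] && echo -e "${Error} ocserv 配置文件不存在,请检查 !" && [[ $1 != "un" ]] && exit 1
}


# Start the daemon through the init script; refuses when it already runs.
# Now also reports a failed start instead of staying silent.
Start_ocserv(){
  check_installed_status
  check_pid
  [[ -n ${PID} ]] && echo -e "${Error} ocserv 正在运行,请检查 !" && exit 1
  /etc/init.d/ocserv start
  sleep 2s
  check_pid
  if [[ -n ${PID} ]]; then
    echo -e " ocserv 启动成功 !"
  else
    echo -e "${Error} ocserv 启动失败,请检查 !"
  fi
}
# Stop the daemon through the init script; refuses when it is not running.
Stop_ocserv(){
  check_installed_status
  check_pid
  [[ -z ${PID} ]] && echo -e "${Error} ocserv 没有运行,请检查 !" && exit 1
  /etc/init.d/ocserv stop
}
# Stop (if running) and start the daemon, then report the outcome.
Restart_ocserv(){
  check_installed_status
  check_pid
  [[ -n ${PID} ]] && /etc/init.d/ocserv stop
  /etc/init.d/ocserv start
  sleep 2s
  check_pid
  if [[ -n ${PID} ]]; then
    echo -e " ocserv 启动成功 !"
  else
    echo -e "${Error} ocserv 启动失败,请检查 !"
  fi
}


# Fetch the SysV init script for ocserv from GitHub into /etc/init.d and
# register it with update-rc.d.  On download failure the installation is
# rolled back with over() (which also removes /etc/ocserv).
Service_ocserv(){
  if ! \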
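wget "https://raw.githubusercontent.com/user1121114685/Ocserv_for_Debian_Ubuntu/master/ocserv_debian" -O /etc/init.d/ocserv; then
    # TLS verification deliberately stays on: this file is installed as a
    # root-run init script, so a MITM on an unverified download is code
    # execution as root.  If the CA bundle is too old to validate GitHub,
    # update ca-certificates instead of passing --no-check-certificate.
    # `wget -O` creates the target even when the transfer fails; remove the
    # empty/partial file before rolling back, and stop here instead of
    # chmod-ing and registering it as the original did.
    rm -f /etc/init.d/ocserv
    echo -e "${Error} ocserv 服务 管理脚本下载失败 !" && over
    return 1
  fi
  if [[ ! -s /etc/init.d/ocserv ]]; then
    rm -f /etc/init.d/ocserv
    echo -e "${Error} ocserv 服务 管理脚本下载失败 !" && over
    return 1
  fi
  chmod +x /etc/init.d/ocserv
  update-rc.d -f ocserv defaults
  echo -e "${Info} ocserv 服务 管理脚本下载完成 !"
}


# Self-update: read the upstream sh_ver, refresh the init script when one is
# installed, then replace this script with the upstream copy and exit.
Update_Shell(){
  local url_base="https://raw.githubusercontent.com/user1121114685/Ocserv_for_Debian_Ubuntu/master"
  local tmp
  # TLS verification is kept on (see Service_ocserv): this fetches code that
  # will run as root.
  sh_new_ver=$(wget -qO- -t1 -T3 "${url_base}/ocservauto.sh" | grep 'sh_ver="' | awk -F "=" '{print $NF}' | sed 's/\"//g' | head -1) && sh_new_type="github"
  [[ -z ${sh_new_ver} ]] && echo -e "${Error} 无法链接到 Github !" && exit 0
  if [[ -e "/etc/init.d/ocserv" ]]; then
    # Refresh the init script in place.  The original deleted it and then
    # called Service_ocserv, whose failure path runs over() and wipes
    # /etc/ocserv: a transient network error during a script update must not
    # uninstall the VPN.  Download to a temp file and only swap it in on success.
    tmp=$(mktemp) || exit 1
    if wget -O "${tmp}" "${url_base}/ocserv_debian" && [[ -s ${tmp} ]]; then
      install -m 0755 "${tmp}" /etc/init.d/ocserv
      update-rc.d -f ocserv defaults
      echo -e "${Info} ocserv 服务 管理脚本下载完成 !"
    else
      echo -e "${Error} ocserv 服务 管理脚本下载失败 !"
    fi
    rm -f "${tmp}"
  fi
  # Replace the script via a temp file in its own directory plus rename: the
  # running bash keeps reading the old inode, so the "errors after update"
  # the original warned about go away, and a failed download leaves the
  # current copy intact.  (The original used `wget -N` into the current
  # working directory, which is not necessarily where this script lives.)
  tmp=$(mktemp "${Script_Dir}/.ocservauto.XXXXXX") || exit 1
  if wget -O "${tmp}" "${url_base}/ocservauto.sh" && [[ -s ${tmp} ]]; then
    chmod +x "${tmp}" && mv -f "${tmp}" "${Script_Dir}/ocservauto.sh"
    echo -e "脚本已更新为最新版本[ ${sh_new_ver} ] !"
  else
    rm -f "${tmp}"
    echo -e "${Error} 脚本下载失败 !"
  fi
  exit 0
}


echo && echo -e " Ocserv 一键安装管理脚本 ${Red_font_prefix}[v${sh_ver}]${Font_color_suffix}

新建用户 ocpasswd -c /etc/ocserv/ocpasswd 用户名

新建证书用户 bash ocservauto.sh getuserca getuserca可用gc代替

吊销证书用户 bash ocservauto.sh revokeuserca revokeuserca可用rc代替

===============================================================================================

${Green_font_prefix}0.${Font_color_suffix} 升级脚本
————————————
${Green_font_prefix}1.${Font_color_suffix} 安装 ocserv
${Green_font_prefix}2.${Font_color_suffix} 卸载 ocserv
————————————
${Green_font_prefix}3.${Font_color_suffix} 重装 ocserv
${Green_font_prefix}4.${Font_color_suffix} 开启fast模式
${Green_font_prefix}5.${Font_color_suffix} 更新 ocserv
————————————
${Green_font_prefix}6.${Font_color_suffix} 证书验证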
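${Green_font_prefix}7.${Font_color_suffix} 同时启用证书登陆和密码登陆
${Green_font_prefix}8.${Font_color_suffix} 查看帮助
————————————
${Green_font_prefix}9.${Font_color_suffix} 启动 ocserv
${Green_font_prefix}10.${Font_color_suffix} 停止 ocserv
${Green_font_prefix}11.${Font_color_suffix} 重启 ocserv
————————————
${Green_font_prefix}12.${Font_color_suffix} 用户管理(账号密码)
${Green_font_prefix}13.${Font_color_suffix} 新建证书用户
${Green_font_prefix}14.${Font_color_suffix} 吊销证书用户
————————————" && echo
# Show whether ocserv is installed and, if so, whether it is running.
if [[ -e /usr/sbin/ocserv ]]; then
  check_pid
  if [[ -n "${PID}" ]]; then
    echo -e " 当前状态: ${Green_font_prefix}已安装${Font_color_suffix} 并 ${Green_font_prefix}已启动${Font_color_suffix}"
  else
    echo -e " 当前状态: ${Green_font_prefix}已安装${Font_color_suffix} 但 ${Red_font_prefix}未启动${Font_color_suffix}"
  fi
else
  echo -e " 当前状态: ${Red_font_prefix}未安装${Font_color_suffix}"
fi
echo
read -e -p " 请输入数字 [0-14]:" num
# Menu dispatch.  Logged actions are tee'd into ocinstall.log next to the
# script; the path is quoted so a Script_Dir containing spaces works.
case "$num" in
  0)
    Update_Shell
    ;;
  1)
    log_Start
    install_OpenConnect_VPN_server | tee -a "${Script_Dir}/ocinstall.log"
    ;;
  2)
    log_Start
    uninstall_ocserv | tee -a "${Script_Dir}/ocinstall.log"
    ;;
  3)
    log_Start
    reinstall_ocserv | tee -a "${Script_Dir}/ocinstall.log"
    ;;
  4)
    # Fast mode: take the answers from vars_ocservauto instead of prompting.
    [ -f "$CONFIG_PATH_VARS" ] || die "$CONFIG_PATH_VARS Not Found !"
    fast_install="y"
    . \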
"$CONFIG_PATH_VARS"
    log_Start
    install_OpenConnect_VPN_server | tee -a "${Script_Dir}/ocinstall.log"
    ;;
  5)
    log_Start
    upgrade_ocserv | tee -a "${Script_Dir}/ocinstall.log"
    ;;
  6)
    log_Start
    install_Oneclientcer | tee -a "${Script_Dir}/ocinstall.log"
    ;;
  7)
    enable_both_login
    ;;
  8)
    clear
    help_ocservauto
    ;;
  9)
    Start_ocserv
    ;;
  10)
    Stop_ocserv
    ;;
  11)
    Restart_ocserv
    ;;
  12)
    Set_Pass
    ;;
  13 | getuserca | gc)
    # Issuing a client certificate only makes sense when certificate auth is
    # on: with plain auth configured, enable-auth = certificate is required.
    character_Test "${LOC_OC_CONF}" 'auth = "plain' && {
      character_Test "${LOC_OC_CONF}" 'enable-auth = certificate' || {
        die "You have to enable the the certificate login at first."
      }
    }
    get_new_userca
    get_new_userca_show
    ;;
  14 | revokeuserca | rc)
    revoke_userca
    ;;
  *)
    echo "请输入正确数字 [0-14]"
    ;;
esac