OpenConnet Server(ocserv)是一个通过实现Cisco的AnyConnect协议,用DTLS作为主要的加密传输协议。AnyConnect作为Cisco新一代的VPN解决方案,被用于许多大型企业,这些企业依赖它提供正常的商业运作,这些正常运作对应的经济效益(读作GDP),是我们最好的伙伴。
相比原脚本,这个脚本只是更改了路由表。改成绕过国内IP,自动区分了国内外流量。
原脚本地址:https://github.com/travislee8964/ocserv-auto
路由表地址:https://github.com/CNMan/ocserv-cn-no-route
#!/bin/bash
####################################################
# #
# This is a ocserv installation for CentOS 7 #
# Version: 0.1.0 2016-03-22 #
# Author: Travis Lee #
# Website: https://www.stunnel.info #
# #
####################################################
# 检测是否是root用户
if [[ $(id -u) != "0" ]]; then
printf "\e[42m\e[31mError: You must be root to run this install script.\e[0m\n"
exit 1
fi
# 检测是否是CentOS 7或者RHEL 7
if [[ $(grep "release 7." /etc/redhat-release 2>/dev/null | wc -l) -eq 0 ]]; then
printf "\e[42m\e[31mError: Your OS is NOT CentOS 7 or RHEL 7.\e[0m\n"
printf "\e[42m\e[31mThis install script is ONLY for CentOS 7 and RHEL 7.\e[0m\n"
exit 1
fi
basepath=$(dirname $0)
cd ${basepath}
function ConfigEnvironmentVariable {
# 变量设置
# 单IP最大连接数,默认是2
maxsameclients=10
# 最大连接数,默认是16
maxclients=1024
# 服务器的证书和key文件,放在本脚本的同目录下,key文件的权限应该是600或者400
servercert=${1-server-cert.pem}
serverkey=${2-server-key.pem}
# VPN 内网 IP 段
vpnnetwork="192.168.8.0/21"
# DNS
dns1="8.8.8.8"
dns2="8.8.4.4"
# 配置目录
confdir="/etc/ocserv"
# 获取网卡接口名称
systemctl start NetworkManager.service
ethlist=$(nmcli --nocheck d | grep -v -E "(^(DEVICE|lo)|unavailable|^[^e])" | awk '{print $1}')
eth=$(printf "${ethlist}\n" | head -n 1)
if [[ $(printf "${ethlist}\n" | wc -l) -gt 1 ]]; then
echo ======================================
echo "Network Interface list:"
printf "\e[33m${ethlist}\e[0m\n"
echo ======================================
echo "Which network interface you want to listen for ocserv?"
printf "Default network interface is \e[33m${eth}\e[0m, let it blank to use this network interface: "
read ethtmp
if [[ -n "${ethtmp}" ]]; then
eth=${ethtmp}
fi
fi
# 端口,默认是443
port=443
echo -e "\nPlease input the port ocserv listen to."
printf "Default port is \e[33m${port}\e[0m, let it blank to use this port: "
read porttmp
if [[ -n "${porttmp}" ]]; then
port=${porttmp}
fi
# 用户名,默认是user
username=user
echo -e "\nPlease input ocserv user name."
printf "Default user name is \e[33m${username}\e[0m, let it blank to use this user name: "
read usernametmp
if [[ -n "${usernametmp}" ]]; then
username=${usernametmp}
fi
# 随机密码
randstr() {
index=0
str=""
for i in {a..z}; do arr[index]=$i; index=$(expr ${index} + 1); done
for i in {A..Z}; do arr[index]=$i; index=$(expr ${index} + 1); done
for i in {0..9}; do arr[index]=$i; index=$(expr ${index} + 1); done
for i in {1..10}; do str="$str${arr[$RANDOM%$index]}"; done
echo ${str}
}
password=$(randstr)
printf "\nPlease input \e[33m${username}\e[0m's password.\n"
printf "Random password is \e[33m${password}\e[0m, let it blank to use this password: "
read passwordtmp
if [[ -n "${passwordtmp}" ]]; then
password=${passwordtmp}
fi
}
function PrintEnvironmentVariable {
# 打印配置参数
clear
ipv4=$(ip -4 -f inet addr show ${eth} | grep 'inet' | sed 's/.*inet \([0-9\.]\+\).*/\1/')
ipv6=$(ip -6 -f inet6 addr show ${eth} | grep -v -P "(::1\/128|fe80)" | grep -o -P "([a-z\d]+:[a-z\d:]+)")
echo -e "IPv4:\t\t\e[34m$(echo ${ipv4})\e[0m"
if [ ! "$ipv6" = "" ]; then
echo -e "IPv6:\t\t\e[34m$(echo ${ipv6})\e[0m"
fi
echo -e "Port:\t\t\e[34m${port}\e[0m"
echo -e "Username:\t\e[34m${username}\e[0m"
echo -e "Password:\t\e[34m${password}\e[0m"
echo
echo "Press any key to start install ocserv."
get_char() {
SAVEDSTTY=$(stty -g)
stty -echo
stty cbreak
dd if=/dev/tty bs=1 count=1 2> /dev/null
stty -raw
stty echo
stty ${SAVEDSTTY}
}
char=$(get_char)
clear
}
function InstallOcserv {
# 升级系统
#yum update -y -q
# 安装 epel-release
if [ $(grep epel /etc/yum.repos.d/*.repo | wc -l) -eq 0 ]; then
yum install -y -q epel-release && yum clean all && yum makecache fast
fi
# 安装ocserv
yum install -y ocserv
}
function ConfigOcserv {
# 检测是否有证书和 key 文件
if [[ ! -f "${servercert}" ]] || [[ ! -f "${serverkey}" ]]; then
# 创建 ca 证书和服务器证书(参考http://www.infradead.org/ocserv/manual.html#heading5)
certtool --generate-privkey --outfile ca-key.pem
cat << _EOF_ >ca.tmpl
cn = "ocserv VPN"
organization = "ocserv"
serial = 1
expiration_days = 3650
ca
signing_key
cert_signing_key
crl_signing_key
_EOF_
certtool --generate-self-signed --load-privkey ca-key.pem \
--template ca.tmpl --outfile ca-cert.pem
certtool --generate-privkey --outfile ${serverkey}
cat << _EOF_ >server.tmpl
cn = "ocserv VPN"
organization = "ocserv"
serial = 2
expiration_days = 3650
signing_key
encryption_key #only if the generated key is an RSA one
tls_www_server
_EOF_
certtool --generate-certificate --load-privkey ${serverkey} \
--load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem \
--template server.tmpl --outfile ${servercert}
fi
# 复制证书
cp "${servercert}" /etc/pki/ocserv/public/server.crt
cp "${serverkey}" /etc/pki/ocserv/private/server.key
# 编辑配置文件
(echo "${password}"; sleep 1; echo "${password}") | ocpasswd -c "${confdir}/ocpasswd" ${username}
sed -i '[email protected] = "pam"@#auth = "pam"\nauth = "plain[/etc/ocserv/ocpasswd]"@g' "${confdir}/ocserv.conf"
sed -i "s/max-same-clients = 2/max-same-clients = ${maxsameclients}/g" "${confdir}/ocserv.conf"
sed -i "s/max-clients = 16/max-clients = ${maxclients}/g" "${confdir}/ocserv.conf"
sed -i "s/tcp-port = 443/tcp-port = ${port}/g" "${confdir}/ocserv.conf"
sed -i "s/udp-port = 443/udp-port = ${port}/g" "${confdir}/ocserv.conf"
sed -i 's/^ca-cert = /#ca-cert = /g' "${confdir}/ocserv.conf"
sed -i 's/^cert-user-oid = /#cert-user-oid = /g' "${confdir}/ocserv.conf"
sed -i "s/default-domain = example.com/#default-domain = example.com/g" "${confdir}/ocserv.conf"
sed -i "[email protected]#ipv4-network = 192.168.1.0/[email protected] = ${vpnnetwork}@g" "${confdir}/ocserv.conf"
sed -i "s/#dns = 192.168.1.2/dns = ${dns1}\ndns = ${dns2}/g" "${confdir}/ocserv.conf"
sed -i "s/cookie-timeout = 300/cookie-timeout = 86400/g" "${confdir}/ocserv.conf"
sed -i 's/user-profile = profile.xml/#user-profile = profile.xml/g' "${confdir}/ocserv.conf"
cat << _EOF_ >>${confdir}/ocserv.conf
no-route = 1.0.0.0/255.192.0.0
no-route = 1.64.0.0/255.224.0.0
no-route = 1.112.0.0/255.248.0.0
no-route = 1.176.0.0/255.240.0.0
no-route = 1.192.0.0/255.240.0.0
no-route = 14.0.0.0/255.224.0.0
no-route = 14.96.0.0/255.224.0.0
no-route = 14.128.0.0/255.224.0.0
no-route = 14.192.0.0/255.224.0.0
no-route = 27.0.0.0/255.192.0.0
no-route = 27.96.0.0/255.224.0.0
no-route = 27.128.0.0/255.224.0.0
no-route = 27.176.0.0/255.240.0.0
no-route = 27.192.0.0/255.224.0.0
no-route = 27.224.0.0/255.252.0.0
no-route = 36.0.0.0/255.192.0.0
no-route = 36.96.0.0/255.224.0.0
no-route = 36.128.0.0/255.192.0.0
no-route = 36.192.0.0/255.224.0.0
no-route = 36.240.0.0/255.240.0.0
no-route = 39.0.0.0/255.255.0.0
no-route = 39.64.0.0/255.224.0.0
no-route = 39.96.0.0/255.240.0.0
no-route = 39.128.0.0/255.192.0.0
no-route = 40.72.0.0/255.254.0.0
no-route = 40.125.128.0/255.255.128.0
no-route = 40.126.64.0/255.255.192.0
no-route = 42.0.0.0/255.248.0.0
no-route = 42.48.0.0/255.240.0.0
no-route = 42.80.0.0/255.240.0.0
no-route = 42.96.0.0/255.224.0.0
no-route = 42.128.0.0/255.128.0.0
no-route = 43.224.0.0/255.224.0.0
no-route = 45.65.16.0/255.255.240.0
no-route = 45.112.0.0/255.240.0.0
no-route = 47.92.0.0/255.252.0.0
no-route = 47.96.0.0/255.224.0.0
no-route = 49.0.0.0/255.248.0.0
no-route = 49.48.0.0/255.248.0.0
no-route = 49.64.0.0/255.224.0.0
no-route = 49.112.0.0/255.240.0.0
no-route = 49.128.0.0/255.224.0.0
no-route = 49.208.0.0/255.240.0.0
no-route = 49.224.0.0/255.224.0.0
no-route = 52.80.0.0/255.252.0.0
no-route = 54.222.0.0/255.254.0.0
no-route = 58.0.0.0/255.128.0.0
no-route = 58.128.0.0/255.224.0.0
no-route = 58.192.0.0/255.224.0.0
no-route = 58.240.0.0/255.240.0.0
no-route = 59.32.0.0/255.224.0.0
no-route = 59.64.0.0/255.224.0.0
no-route = 59.96.0.0/255.240.0.0
no-route = 59.144.0.0/255.240.0.0
no-route = 59.160.0.0/255.224.0.0
no-route = 59.192.0.0/255.192.0.0
no-route = 60.0.0.0/255.224.0.0
no-route = 60.48.0.0/255.240.0.0
no-route = 60.160.0.0/255.224.0.0
no-route = 60.192.0.0/255.192.0.0
no-route = 61.0.0.0/255.192.0.0
no-route = 61.80.0.0/255.248.0.0
no-route = 61.128.0.0/255.192.0.0
no-route = 61.224.0.0/255.224.0.0
no-route = 91.234.36.0/255.255.255.0
no-route = 101.0.0.0/255.128.0.0
no-route = 101.128.0.0/255.224.0.0
no-route = 101.192.0.0/255.240.0.0
no-route = 101.224.0.0/255.224.0.0
no-route = 103.0.0.0/255.0.0.0
no-route = 106.0.0.0/255.128.0.0
no-route = 106.224.0.0/255.240.0.0
no-route = 110.0.0.0/255.128.0.0
no-route = 110.144.0.0/255.240.0.0
no-route = 110.160.0.0/255.224.0.0
no-route = 110.192.0.0/255.192.0.0
no-route = 111.0.0.0/255.192.0.0
no-route = 111.64.0.0/255.224.0.0
no-route = 111.112.0.0/255.240.0.0
no-route = 111.128.0.0/255.192.0.0
no-route = 111.192.0.0/255.224.0.0
no-route = 111.224.0.0/255.240.0.0
no-route = 112.0.0.0/255.128.0.0
no-route = 112.128.0.0/255.240.0.0
no-route = 112.192.0.0/255.252.0.0
no-route = 112.224.0.0/255.224.0.0
no-route = 113.0.0.0/255.128.0.0
no-route = 113.128.0.0/255.240.0.0
no-route = 113.192.0.0/255.192.0.0
no-route = 114.16.0.0/255.240.0.0
no-route = 114.48.0.0/255.240.0.0
no-route = 114.64.0.0/255.192.0.0
no-route = 114.128.0.0/255.240.0.0
no-route = 114.192.0.0/255.192.0.0
no-route = 115.0.0.0/255.0.0.0
no-route = 116.0.0.0/255.0.0.0
no-route = 117.0.0.0/255.128.0.0
no-route = 117.128.0.0/255.192.0.0
no-route = 118.16.0.0/255.240.0.0
no-route = 118.64.0.0/255.192.0.0
no-route = 118.128.0.0/255.128.0.0
no-route = 119.0.0.0/255.128.0.0
no-route = 119.128.0.0/255.192.0.0
no-route = 119.224.0.0/255.224.0.0
no-route = 120.0.0.0/255.192.0.0
no-route = 120.64.0.0/255.224.0.0
no-route = 120.128.0.0/255.240.0.0
no-route = 120.192.0.0/255.192.0.0
no-route = 121.0.0.0/255.128.0.0
no-route = 121.192.0.0/255.192.0.0
no-route = 122.0.0.0/254.0.0.0
no-route = 124.0.0.0/255.0.0.0
no-route = 125.0.0.0/255.128.0.0
no-route = 125.160.0.0/255.224.0.0
no-route = 125.192.0.0/255.192.0.0
no-route = 137.59.88.0/255.255.252.0
no-route = 139.0.0.0/255.224.0.0
no-route = 139.128.0.0/255.128.0.0
no-route = 140.64.0.0/255.240.0.0
no-route = 140.128.0.0/255.240.0.0
no-route = 140.192.0.0/255.192.0.0
no-route = 144.0.0.0/255.248.0.0
no-route = 144.12.0.0/255.255.0.0
no-route = 144.48.0.0/255.255.0.0
no-route = 144.52.0.0/255.255.0.0
no-route = 144.123.0.0/255.255.0.0
no-route = 144.255.0.0/255.255.0.0
no-route = 146.196.0.0/255.255.0.0
no-route = 150.0.0.0/255.255.0.0
no-route = 150.96.0.0/255.224.0.0
no-route = 150.128.0.0/255.240.0.0
no-route = 150.192.0.0/255.192.0.0
no-route = 152.104.128.0/255.255.128.0
no-route = 153.0.0.0/255.192.0.0
no-route = 153.96.0.0/255.224.0.0
no-route = 157.0.0.0/255.255.0.0
no-route = 157.18.0.0/255.255.0.0
no-route = 157.61.0.0/255.255.0.0
no-route = 157.112.0.0/255.240.0.0
no-route = 157.144.0.0/255.240.0.0
no-route = 157.255.0.0/255.255.0.0
no-route = 159.226.0.0/255.255.0.0
no-route = 160.19.208.0/255.255.240.0
no-route = 160.20.48.0/255.255.252.0
no-route = 160.202.0.0/255.255.0.0
no-route = 160.238.64.0/255.255.252.0
no-route = 161.207.0.0/255.255.0.0
no-route = 162.105.0.0/255.255.0.0
no-route = 163.0.0.0/255.192.0.0
no-route = 163.96.0.0/255.224.0.0
no-route = 163.128.0.0/255.192.0.0
no-route = 163.192.0.0/255.224.0.0
no-route = 166.111.0.0/255.255.0.0
no-route = 167.139.0.0/255.255.0.0
no-route = 167.189.0.0/255.255.0.0
no-route = 167.220.244.0/255.255.252.0
no-route = 168.160.0.0/255.255.0.0
no-route = 170.179.0.0/255.255.0.0
no-route = 171.0.0.0/255.128.0.0
no-route = 171.192.0.0/255.224.0.0
no-route = 175.0.0.0/255.128.0.0
no-route = 175.128.0.0/255.192.0.0
no-route = 180.64.0.0/255.192.0.0
no-route = 180.128.0.0/255.128.0.0
no-route = 182.0.0.0/255.0.0.0
no-route = 183.0.0.0/255.192.0.0
no-route = 183.64.0.0/255.224.0.0
no-route = 183.128.0.0/255.128.0.0
no-route = 192.124.154.0/255.255.255.0
no-route = 192.140.0.0/255.255.0.0
no-route = 192.188.170.0/255.255.255.0
no-route = 202.0.0.0/255.128.0.0
no-route = 202.128.0.0/255.192.0.0
no-route = 202.192.0.0/255.224.0.0
no-route = 203.0.0.0/255.0.0.0
no-route = 210.0.0.0/255.192.0.0
no-route = 210.64.0.0/255.224.0.0
no-route = 210.160.0.0/255.224.0.0
no-route = 210.192.0.0/255.224.0.0
no-route = 211.64.0.0/255.248.0.0
no-route = 211.80.0.0/255.240.0.0
no-route = 211.96.0.0/255.248.0.0
no-route = 211.136.0.0/255.248.0.0
no-route = 211.144.0.0/255.240.0.0
no-route = 211.160.0.0/255.248.0.0
no-route = 218.0.0.0/255.128.0.0
no-route = 218.160.0.0/255.224.0.0
no-route = 218.192.0.0/255.192.0.0
no-route = 219.64.0.0/255.224.0.0
no-route = 219.128.0.0/255.224.0.0
no-route = 219.192.0.0/255.192.0.0
no-route = 220.96.0.0/255.224.0.0
no-route = 220.128.0.0/255.128.0.0
no-route = 221.0.0.0/255.224.0.0
no-route = 221.96.0.0/255.224.0.0
no-route = 221.128.0.0/255.128.0.0
no-route = 222.0.0.0/255.0.0.0
no-route = 223.0.0.0/255.224.0.0
no-route = 223.64.0.0/255.192.0.0
no-route = 223.128.0.0/255.128.0.0
_EOF_
}
function ConfigFirewall {
firewalldisactive=$(systemctl is-active firewalld.service)
iptablesisactive=$(systemctl is-active iptables.service)
# 添加防火墙允许列表
if [[ ${firewalldisactive} = 'active' ]]; then
echo "Adding firewall ports."
firewall-cmd --permanent --add-port=${port}/tcp
firewall-cmd --permanent --add-port=${port}/udp
echo "Allow firewall to forward."
firewall-cmd --permanent --add-masquerade
echo "Reload firewall configure."
firewall-cmd --reload
elif [[ ${iptablesisactive} = 'active' ]]; then
iptables -I INPUT -p tcp --dport ${port} -j ACCEPT
iptables -I INPUT -p udp --dport ${port} -j ACCEPT
iptables -I FORWARD -s ${vpnnetwork} -j ACCEPT
iptables -t nat -A POSTROUTING -s ${vpnnetwork} -o ${eth} -j MASQUERADE
#iptables -t nat -A POSTROUTING -j MASQUERADE
service iptables save
else
printf "\e[33mWARNING!!! Either firewalld or iptables is NOT Running! \e[0m\n"
fi
}
function ConfigSystem {
#关闭selinux
sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config
setenforce 0
#修改系统
echo "Enable IP forward."
sysctl -w net.ipv4.ip_forward=1
echo net.ipv4.ip_forward = 1 >> "/etc/sysctl.conf"
systemctl daemon-reload
echo "Enable ocserv service to start during bootup."
systemctl enable ocserv.service
#开启ocserv服务
systemctl start ocserv.service
echo
}
function PrintResult {
#检测防火墙和ocserv服务是否正常
clear
printf "\e[36mChenking Firewall status...\e[0m\n"
iptables -L -n | grep --color=auto -E "(${port}|${vpnnetwork})"
line=$(iptables -L -n | grep -c -E "(${port}|${vpnnetwork})")
if [[ ${line} -ge 2 ]]
then
printf "\e[34mFirewall is Fine! \e[0m\n"
else
printf "\e[33mWARNING!!! Firewall is Something Wrong! \e[0m\n"
fi
echo
printf "\e[36mChenking ocserv service status...\e[0m\n"
netstat -anptu | grep ":${port}" | grep ocserv-main | grep --color=auto -E "(${port}|ocserv-main|tcp|udp)"
linetcp=$(netstat -anp | grep ":${port}" | grep ocserv | grep tcp | wc -l)
lineudp=$(netstat -anp | grep ":${port}" | grep ocserv | grep udp | wc -l)
if [[ ${linetcp} -ge 1 && ${lineudp} -ge 1 ]]
then
printf "\e[34mocserv service is Fine! \e[0m\n"
else
printf "\e[33mWARNING!!! ocserv service is NOT Running! \e[0m\n"
fi
#打印VPN参数
printf "
if there are NO WARNING above, then you can connect to
your ocserv VPN Server with the user and password below:
======================================\n\n"
echo -e "IPv4:\t\t\e[34m$(echo ${ipv4})\e[0m"
if [ ! "$ipv6" = "" ]; then
echo -e "IPv6:\t\t\e[34m$(echo ${ipv6})\e[0m"
fi
echo -e "Port:\t\t\e[34m${port}\e[0m"
echo -e "Username:\t\e[34m${username}\e[0m"
echo -e "Password:\t\e[34m${password}\e[0m"
}
ConfigEnvironmentVariable [email protected]
PrintEnvironmentVariable
InstallOcserv
ConfigOcserv
ConfigFirewall
ConfigSystem
PrintResult
exit 0