OpenConnet Server(ocserv)是一个通过实现Cisco的AnyConnect协议,用DTLS作为主要的加密传输协议。AnyConnect作为Cisco新一代的VPN解决方案,被用于许多大型企业,这些企业依赖它提供正常的商业运作,这些正常运作对应的经济效益(读作GDP),是我们最好的伙伴。
相比原脚本,这个脚本只是更改了路由表。改成绕过国内IP,自动区分了国内外流量。
原脚本地址:https://github.com/travislee8964/ocserv-auto
路由表地址:https://github.com/CNMan/ocserv-cn-no-route
#!/bin/bash #################################################### # # # This is a ocserv installation for CentOS 7 # # Version: 0.1.0 2016-03-22 # # Author: Travis Lee # # Website: https://www.stunnel.info # # # #################################################### # 检测是否是root用户 if [[ $(id -u) != "0" ]]; then printf "\e[42m\e[31mError: You must be root to run this install script.\e[0m\n" exit 1 fi # 检测是否是CentOS 7或者RHEL 7 if [[ $(grep "release 7." /etc/redhat-release 2>/dev/null | wc -l) -eq 0 ]]; then printf "\e[42m\e[31mError: Your OS is NOT CentOS 7 or RHEL 7.\e[0m\n" printf "\e[42m\e[31mThis install script is ONLY for CentOS 7 and RHEL 7.\e[0m\n" exit 1 fi basepath=$(dirname $0) cd ${basepath} function ConfigEnvironmentVariable { # 变量设置 # 单IP最大连接数,默认是2 maxsameclients=10 # 最大连接数,默认是16 maxclients=1024 # 服务器的证书和key文件,放在本脚本的同目录下,key文件的权限应该是600或者400 servercert=${1-server-cert.pem} serverkey=${2-server-key.pem} # VPN 内网 IP 段 vpnnetwork="192.168.8.0/21" # DNS dns1="8.8.8.8" dns2="8.8.4.4" # 配置目录 confdir="/etc/ocserv" # 获取网卡接口名称 systemctl start NetworkManager.service ethlist=$(nmcli --nocheck d | grep -v -E "(^(DEVICE|lo)|unavailable|^[^e])" | awk '{print $1}') eth=$(printf "${ethlist}\n" | head -n 1) if [[ $(printf "${ethlist}\n" | wc -l) -gt 1 ]]; then echo ====================================== echo "Network Interface list:" printf "\e[33m${ethlist}\e[0m\n" echo ====================================== echo "Which network interface you want to listen for ocserv?" printf "Default network interface is \e[33m${eth}\e[0m, let it blank to use this network interface: " read ethtmp if [[ -n "${ethtmp}" ]]; then eth=${ethtmp} fi fi # 端口,默认是443 port=443 echo -e "\nPlease input the port ocserv listen to." printf "Default port is \e[33m${port}\e[0m, let it blank to use this port: " read porttmp if [[ -n "${porttmp}" ]]; then port=${porttmp} fi # 用户名,默认是user username=user echo -e "\nPlease input ocserv user name." printf "Default user name is \e[33m${username}\e[0m, let it blank to use this user name: " read usernametmp if [[ -n "${usernametmp}" ]]; then username=${usernametmp} fi # 随机密码 randstr() { index=0 str="" for i in {a..z}; do arr[index]=$i; index=$(expr ${index} + 1); done for i in {A..Z}; do arr[index]=$i; index=$(expr ${index} + 1); done for i in {0..9}; do arr[index]=$i; index=$(expr ${index} + 1); done for i in {1..10}; do str="$str${arr[$RANDOM%$index]}"; done echo ${str} } password=$(randstr) printf "\nPlease input \e[33m${username}\e[0m's password.\n" printf "Random password is \e[33m${password}\e[0m, let it blank to use this password: " read passwordtmp if [[ -n "${passwordtmp}" ]]; then password=${passwordtmp} fi } function PrintEnvironmentVariable { # 打印配置参数 clear ipv4=$(ip -4 -f inet addr show ${eth} | grep 'inet' | sed 's/.*inet \([0-9\.]\+\).*/\1/') ipv6=$(ip -6 -f inet6 addr show ${eth} | grep -v -P "(::1\/128|fe80)" | grep -o -P "([a-z\d]+:[a-z\d:]+)") echo -e "IPv4:\t\t\e[34m$(echo ${ipv4})\e[0m" if [ ! "$ipv6" = "" ]; then echo -e "IPv6:\t\t\e[34m$(echo ${ipv6})\e[0m" fi echo -e "Port:\t\t\e[34m${port}\e[0m" echo -e "Username:\t\e[34m${username}\e[0m" echo -e "Password:\t\e[34m${password}\e[0m" echo echo "Press any key to start install ocserv." get_char() { SAVEDSTTY=$(stty -g) stty -echo stty cbreak dd if=/dev/tty bs=1 count=1 2> /dev/null stty -raw stty echo stty ${SAVEDSTTY} } char=$(get_char) clear } function InstallOcserv { # 升级系统 #yum update -y -q # 安装 epel-release if [ $(grep epel /etc/yum.repos.d/*.repo | wc -l) -eq 0 ]; then yum install -y -q epel-release && yum clean all && yum makecache fast fi # 安装ocserv yum install -y ocserv } function ConfigOcserv { # 检测是否有证书和 key 文件 if [[ ! -f "${servercert}" ]] || [[ ! -f "${serverkey}" ]]; then # 创建 ca 证书和服务器证书(参考http://www.infradead.org/ocserv/manual.html#heading5) certtool --generate-privkey --outfile ca-key.pem cat << _EOF_ >ca.tmpl cn = "ocserv VPN" organization = "ocserv" serial = 1 expiration_days = 3650 ca signing_key cert_signing_key crl_signing_key _EOF_ certtool --generate-self-signed --load-privkey ca-key.pem \ --template ca.tmpl --outfile ca-cert.pem certtool --generate-privkey --outfile ${serverkey} cat << _EOF_ >server.tmpl cn = "ocserv VPN" organization = "ocserv" serial = 2 expiration_days = 3650 signing_key encryption_key #only if the generated key is an RSA one tls_www_server _EOF_ certtool --generate-certificate --load-privkey ${serverkey} \ --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem \ --template server.tmpl --outfile ${servercert} fi # 复制证书 cp "${servercert}" /etc/pki/ocserv/public/server.crt cp "${serverkey}" /etc/pki/ocserv/private/server.key # 编辑配置文件 (echo "${password}"; sleep 1; echo "${password}") | ocpasswd -c "${confdir}/ocpasswd" ${username} sed -i '[email protected] = "pam"@#auth = "pam"\nauth = "plain[/etc/ocserv/ocpasswd]"@g' "${confdir}/ocserv.conf" sed -i "s/max-same-clients = 2/max-same-clients = ${maxsameclients}/g" "${confdir}/ocserv.conf" sed -i "s/max-clients = 16/max-clients = ${maxclients}/g" "${confdir}/ocserv.conf" sed -i "s/tcp-port = 443/tcp-port = ${port}/g" "${confdir}/ocserv.conf" sed -i "s/udp-port = 443/udp-port = ${port}/g" "${confdir}/ocserv.conf" sed -i 's/^ca-cert = /#ca-cert = /g' "${confdir}/ocserv.conf" sed -i 's/^cert-user-oid = /#cert-user-oid = /g' "${confdir}/ocserv.conf" sed -i "s/default-domain = example.com/#default-domain = example.com/g" "${confdir}/ocserv.conf" sed -i "[email protected]#ipv4-network = 192.168.1.0/[email protected] = ${vpnnetwork}@g" "${confdir}/ocserv.conf" sed -i "s/#dns = 192.168.1.2/dns = ${dns1}\ndns = ${dns2}/g" "${confdir}/ocserv.conf" sed -i "s/cookie-timeout = 300/cookie-timeout = 86400/g" "${confdir}/ocserv.conf" sed -i 's/user-profile = profile.xml/#user-profile = profile.xml/g' "${confdir}/ocserv.conf" cat << _EOF_ >>${confdir}/ocserv.conf no-route = 1.0.0.0/255.192.0.0 no-route = 1.64.0.0/255.224.0.0 no-route = 1.112.0.0/255.248.0.0 no-route = 1.176.0.0/255.240.0.0 no-route = 1.192.0.0/255.240.0.0 no-route = 14.0.0.0/255.224.0.0 no-route = 14.96.0.0/255.224.0.0 no-route = 14.128.0.0/255.224.0.0 no-route = 14.192.0.0/255.224.0.0 no-route = 27.0.0.0/255.192.0.0 no-route = 27.96.0.0/255.224.0.0 no-route = 27.128.0.0/255.224.0.0 no-route = 27.176.0.0/255.240.0.0 no-route = 27.192.0.0/255.224.0.0 no-route = 27.224.0.0/255.252.0.0 no-route = 36.0.0.0/255.192.0.0 no-route = 36.96.0.0/255.224.0.0 no-route = 36.128.0.0/255.192.0.0 no-route = 36.192.0.0/255.224.0.0 no-route = 36.240.0.0/255.240.0.0 no-route = 39.0.0.0/255.255.0.0 no-route = 39.64.0.0/255.224.0.0 no-route = 39.96.0.0/255.240.0.0 no-route = 39.128.0.0/255.192.0.0 no-route = 40.72.0.0/255.254.0.0 no-route = 40.125.128.0/255.255.128.0 no-route = 40.126.64.0/255.255.192.0 no-route = 42.0.0.0/255.248.0.0 no-route = 42.48.0.0/255.240.0.0 no-route = 42.80.0.0/255.240.0.0 no-route = 42.96.0.0/255.224.0.0 no-route = 42.128.0.0/255.128.0.0 no-route = 43.224.0.0/255.224.0.0 no-route = 45.65.16.0/255.255.240.0 no-route = 45.112.0.0/255.240.0.0 no-route = 47.92.0.0/255.252.0.0 no-route = 47.96.0.0/255.224.0.0 no-route = 49.0.0.0/255.248.0.0 no-route = 49.48.0.0/255.248.0.0 no-route = 49.64.0.0/255.224.0.0 no-route = 49.112.0.0/255.240.0.0 no-route = 49.128.0.0/255.224.0.0 no-route = 49.208.0.0/255.240.0.0 no-route = 49.224.0.0/255.224.0.0 no-route = 52.80.0.0/255.252.0.0 no-route = 54.222.0.0/255.254.0.0 no-route = 58.0.0.0/255.128.0.0 no-route = 58.128.0.0/255.224.0.0 no-route = 58.192.0.0/255.224.0.0 no-route = 58.240.0.0/255.240.0.0 no-route = 59.32.0.0/255.224.0.0 no-route = 59.64.0.0/255.224.0.0 no-route = 59.96.0.0/255.240.0.0 no-route = 59.144.0.0/255.240.0.0 no-route = 59.160.0.0/255.224.0.0 no-route = 59.192.0.0/255.192.0.0 no-route = 60.0.0.0/255.224.0.0 no-route = 60.48.0.0/255.240.0.0 no-route = 60.160.0.0/255.224.0.0 no-route = 60.192.0.0/255.192.0.0 no-route = 61.0.0.0/255.192.0.0 no-route = 61.80.0.0/255.248.0.0 no-route = 61.128.0.0/255.192.0.0 no-route = 61.224.0.0/255.224.0.0 no-route = 91.234.36.0/255.255.255.0 no-route = 101.0.0.0/255.128.0.0 no-route = 101.128.0.0/255.224.0.0 no-route = 101.192.0.0/255.240.0.0 no-route = 101.224.0.0/255.224.0.0 no-route = 103.0.0.0/255.0.0.0 no-route = 106.0.0.0/255.128.0.0 no-route = 106.224.0.0/255.240.0.0 no-route = 110.0.0.0/255.128.0.0 no-route = 110.144.0.0/255.240.0.0 no-route = 110.160.0.0/255.224.0.0 no-route = 110.192.0.0/255.192.0.0 no-route = 111.0.0.0/255.192.0.0 no-route = 111.64.0.0/255.224.0.0 no-route = 111.112.0.0/255.240.0.0 no-route = 111.128.0.0/255.192.0.0 no-route = 111.192.0.0/255.224.0.0 no-route = 111.224.0.0/255.240.0.0 no-route = 112.0.0.0/255.128.0.0 no-route = 112.128.0.0/255.240.0.0 no-route = 112.192.0.0/255.252.0.0 no-route = 112.224.0.0/255.224.0.0 no-route = 113.0.0.0/255.128.0.0 no-route = 113.128.0.0/255.240.0.0 no-route = 113.192.0.0/255.192.0.0 no-route = 114.16.0.0/255.240.0.0 no-route = 114.48.0.0/255.240.0.0 no-route = 114.64.0.0/255.192.0.0 no-route = 114.128.0.0/255.240.0.0 no-route = 114.192.0.0/255.192.0.0 no-route = 115.0.0.0/255.0.0.0 no-route = 116.0.0.0/255.0.0.0 no-route = 117.0.0.0/255.128.0.0 no-route = 117.128.0.0/255.192.0.0 no-route = 118.16.0.0/255.240.0.0 no-route = 118.64.0.0/255.192.0.0 no-route = 118.128.0.0/255.128.0.0 no-route = 119.0.0.0/255.128.0.0 no-route = 119.128.0.0/255.192.0.0 no-route = 119.224.0.0/255.224.0.0 no-route = 120.0.0.0/255.192.0.0 no-route = 120.64.0.0/255.224.0.0 no-route = 120.128.0.0/255.240.0.0 no-route = 120.192.0.0/255.192.0.0 no-route = 121.0.0.0/255.128.0.0 no-route = 121.192.0.0/255.192.0.0 no-route = 122.0.0.0/254.0.0.0 no-route = 124.0.0.0/255.0.0.0 no-route = 125.0.0.0/255.128.0.0 no-route = 125.160.0.0/255.224.0.0 no-route = 125.192.0.0/255.192.0.0 no-route = 137.59.88.0/255.255.252.0 no-route = 139.0.0.0/255.224.0.0 no-route = 139.128.0.0/255.128.0.0 no-route = 140.64.0.0/255.240.0.0 no-route = 140.128.0.0/255.240.0.0 no-route = 140.192.0.0/255.192.0.0 no-route = 144.0.0.0/255.248.0.0 no-route = 144.12.0.0/255.255.0.0 no-route = 144.48.0.0/255.255.0.0 no-route = 144.52.0.0/255.255.0.0 no-route = 144.123.0.0/255.255.0.0 no-route = 144.255.0.0/255.255.0.0 no-route = 146.196.0.0/255.255.0.0 no-route = 150.0.0.0/255.255.0.0 no-route = 150.96.0.0/255.224.0.0 no-route = 150.128.0.0/255.240.0.0 no-route = 150.192.0.0/255.192.0.0 no-route = 152.104.128.0/255.255.128.0 no-route = 153.0.0.0/255.192.0.0 no-route = 153.96.0.0/255.224.0.0 no-route = 157.0.0.0/255.255.0.0 no-route = 157.18.0.0/255.255.0.0 no-route = 157.61.0.0/255.255.0.0 no-route = 157.112.0.0/255.240.0.0 no-route = 157.144.0.0/255.240.0.0 no-route = 157.255.0.0/255.255.0.0 no-route = 159.226.0.0/255.255.0.0 no-route = 160.19.208.0/255.255.240.0 no-route = 160.20.48.0/255.255.252.0 no-route = 160.202.0.0/255.255.0.0 no-route = 160.238.64.0/255.255.252.0 no-route = 161.207.0.0/255.255.0.0 no-route = 162.105.0.0/255.255.0.0 no-route = 163.0.0.0/255.192.0.0 no-route = 163.96.0.0/255.224.0.0 no-route = 163.128.0.0/255.192.0.0 no-route = 163.192.0.0/255.224.0.0 no-route = 166.111.0.0/255.255.0.0 no-route = 167.139.0.0/255.255.0.0 no-route = 167.189.0.0/255.255.0.0 no-route = 167.220.244.0/255.255.252.0 no-route = 168.160.0.0/255.255.0.0 no-route = 170.179.0.0/255.255.0.0 no-route = 171.0.0.0/255.128.0.0 no-route = 171.192.0.0/255.224.0.0 no-route = 175.0.0.0/255.128.0.0 no-route = 175.128.0.0/255.192.0.0 no-route = 180.64.0.0/255.192.0.0 no-route = 180.128.0.0/255.128.0.0 no-route = 182.0.0.0/255.0.0.0 no-route = 183.0.0.0/255.192.0.0 no-route = 183.64.0.0/255.224.0.0 no-route = 183.128.0.0/255.128.0.0 no-route = 192.124.154.0/255.255.255.0 no-route = 192.140.0.0/255.255.0.0 no-route = 192.188.170.0/255.255.255.0 no-route = 202.0.0.0/255.128.0.0 no-route = 202.128.0.0/255.192.0.0 no-route = 202.192.0.0/255.224.0.0 no-route = 203.0.0.0/255.0.0.0 no-route = 210.0.0.0/255.192.0.0 no-route = 210.64.0.0/255.224.0.0 no-route = 210.160.0.0/255.224.0.0 no-route = 210.192.0.0/255.224.0.0 no-route = 211.64.0.0/255.248.0.0 no-route = 211.80.0.0/255.240.0.0 no-route = 211.96.0.0/255.248.0.0 no-route = 211.136.0.0/255.248.0.0 no-route = 211.144.0.0/255.240.0.0 no-route = 211.160.0.0/255.248.0.0 no-route = 218.0.0.0/255.128.0.0 no-route = 218.160.0.0/255.224.0.0 no-route = 218.192.0.0/255.192.0.0 no-route = 219.64.0.0/255.224.0.0 no-route = 219.128.0.0/255.224.0.0 no-route = 219.192.0.0/255.192.0.0 no-route = 220.96.0.0/255.224.0.0 no-route = 220.128.0.0/255.128.0.0 no-route = 221.0.0.0/255.224.0.0 no-route = 221.96.0.0/255.224.0.0 no-route = 221.128.0.0/255.128.0.0 no-route = 222.0.0.0/255.0.0.0 no-route = 223.0.0.0/255.224.0.0 no-route = 223.64.0.0/255.192.0.0 no-route = 223.128.0.0/255.128.0.0 _EOF_ } function ConfigFirewall { firewalldisactive=$(systemctl is-active firewalld.service) iptablesisactive=$(systemctl is-active iptables.service) # 添加防火墙允许列表 if [[ ${firewalldisactive} = 'active' ]]; then echo "Adding firewall ports." firewall-cmd --permanent --add-port=${port}/tcp firewall-cmd --permanent --add-port=${port}/udp echo "Allow firewall to forward." firewall-cmd --permanent --add-masquerade echo "Reload firewall configure." firewall-cmd --reload elif [[ ${iptablesisactive} = 'active' ]]; then iptables -I INPUT -p tcp --dport ${port} -j ACCEPT iptables -I INPUT -p udp --dport ${port} -j ACCEPT iptables -I FORWARD -s ${vpnnetwork} -j ACCEPT iptables -t nat -A POSTROUTING -s ${vpnnetwork} -o ${eth} -j MASQUERADE #iptables -t nat -A POSTROUTING -j MASQUERADE service iptables save else printf "\e[33mWARNING!!! Either firewalld or iptables is NOT Running! \e[0m\n" fi } function ConfigSystem { #关闭selinux sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config setenforce 0 #修改系统 echo "Enable IP forward." sysctl -w net.ipv4.ip_forward=1 echo net.ipv4.ip_forward = 1 >> "/etc/sysctl.conf" systemctl daemon-reload echo "Enable ocserv service to start during bootup." systemctl enable ocserv.service #开启ocserv服务 systemctl start ocserv.service echo } function PrintResult { #检测防火墙和ocserv服务是否正常 clear printf "\e[36mChenking Firewall status...\e[0m\n" iptables -L -n | grep --color=auto -E "(${port}|${vpnnetwork})" line=$(iptables -L -n | grep -c -E "(${port}|${vpnnetwork})") if [[ ${line} -ge 2 ]] then printf "\e[34mFirewall is Fine! \e[0m\n" else printf "\e[33mWARNING!!! Firewall is Something Wrong! \e[0m\n" fi echo printf "\e[36mChenking ocserv service status...\e[0m\n" netstat -anptu | grep ":${port}" | grep ocserv-main | grep --color=auto -E "(${port}|ocserv-main|tcp|udp)" linetcp=$(netstat -anp | grep ":${port}" | grep ocserv | grep tcp | wc -l) lineudp=$(netstat -anp | grep ":${port}" | grep ocserv | grep udp | wc -l) if [[ ${linetcp} -ge 1 && ${lineudp} -ge 1 ]] then printf "\e[34mocserv service is Fine! \e[0m\n" else printf "\e[33mWARNING!!! ocserv service is NOT Running! \e[0m\n" fi #打印VPN参数 printf " if there are NO WARNING above, then you can connect to your ocserv VPN Server with the user and password below: ======================================\n\n" echo -e "IPv4:\t\t\e[34m$(echo ${ipv4})\e[0m" if [ ! "$ipv6" = "" ]; then echo -e "IPv6:\t\t\e[34m$(echo ${ipv6})\e[0m" fi echo -e "Port:\t\t\e[34m${port}\e[0m" echo -e "Username:\t\e[34m${username}\e[0m" echo -e "Password:\t\e[34m${password}\e[0m" } ConfigEnvironmentVariable [email protected] PrintEnvironmentVariable InstallOcserv ConfigOcserv ConfigFirewall ConfigSystem PrintResult exit 0