Category: Network Acceleration

Configuration file for ocserv certificate login.
Configure the CA certificate and the DH key-exchange parameters:
To use the configuration below, first follow: Configuring certificate login for ocserv
Configure the server certificate:
To self-sign the server certificate, run the following commands (the previous step must be completed first):

```bash
mkdir -p /etc/ocserv/template
# Replace $IP with your server's IP address or domain name.
YourAddress="$IP"
# certtool template for the server certificate.
cat >/etc/ocserv/template/server.tmp<<EOF
cn = "$YourAddress"
organization = "Vicer"
serial = 2
expiration_days = 1825
signing_key
encryption_key
tls_www_server
EOF
# Generate the 2048-bit RSA server key.
openssl genrsa -out /etc/ocserv/server.key.pem 2048
# Sign the server certificate with the CA created in the previous step.
certtool --generate-certificate --hash SHA256 --load-privkey /etc/ocserv/server.key.pem --load-ca-certificate /etc/ocserv/template/ca.cert.pem --load-ca-privkey /etc/ocserv/template/ca.key.pem --template /etc/ocserv/template/server.tmp --outfile /etc/ocserv/server.cert.pem
# Append the CA certificate so the served chain is complete.
cat /etc/ocserv/template/ca.cert.pem >>/etc/ocserv/server.cert.pem
```

Note: clients will warn that the certificate is untrusted.

If you would rather use a free certificate, see:

Rename the issued certificate and the generated key to server.cert.pem and server.key.pem respectively, and place them in the /etc/ocserv directory.
Note: clients will not warn about an untrusted certificate, but the certificate chain must be completed.

Configuration file:
Note: configure a private address pool and a private DNS server so that names do not resolve to poisoned IP addresses.
See: Installing dnsmasq and configuring a private address pool
```bash
cat >/etc/ocserv/ocserv.conf<<EOF
#auth = "plain[passwd=/etc/ocserv/ocpasswd]"
auth = "certificate"
# TCP and UDP port number
tcp-port = 443
#udp-port = 443
server-cert = /etc/ocserv/server.cert.pem
server-key = /etc/ocserv/server.key.pem
ca-cert = /etc/ocserv/template/ca.cert.pem
dh-params = /etc/ocserv/dh.pem
socket-file = /var/run/ocserv.socket
occtl-socket-file = /var/run/occtl.socket
pid-file = /var/run/ocserv.pid
run-as-user = nobody
cert-user-oid = 2.5.4.3
isolate-workers = false
max-clients = 192
max-same-clients = 192
keepalive = 32400
dpd = 300
mobile-dpd = 1800
#output-buffer = 1000
try-mtu-discovery = true
compression = true
no-compress-limit = 256
auth-timeout = 40
idle-timeout = 1200
mobile-idle-timeout = 1200
cookie-timeout = 43200
persistent-cookies = true
deny-roaming = false
rekey-time = 43200
rekey-method = ssl
use-utmp = true
use-occtl = true
device = ocserv
predictable-ips = false
ping-leases = false
cisco-client-compat = true
tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-RSA:-VERS-SSL3.0:-ARCFOUR-128"
ipv4-network = 192.168.8.0
ipv4-netmask = 255.255.255.0
dns = 192.168.8.1
EOF
```

Configure the routing tables:

Android:
Because of a limitation in the Android framework, only the route method is supported.
For the routing table to use with Android, see: Route list for ocserv

Regular routing tables:
The no-route method is supported.
For details, see: no-route list for ocserv
Note: the no-route and route methods are mutually exclusive; use only one of them.
Paste the routing table at the end of the /etc/ocserv/ocserv.conf file.
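The configuration file above and the routing-table note that follows it impose a few rules that are easy to break by hand: certificate authentication needs ca-cert and cert-user-oid, the address pool and DNS should be private, and route and no-route must not be mixed. The following checker is an added example, not part of the original post or of the ocserv project; it uses only the Python standard library and a constructed sample configuration (the guide's keys plus a routing section that deliberately violates the route/no-route rule) so it runs offline.

```python
"""Lint an ocserv.conf for the rules this guide relies on (added example)."""
import ipaddress
import re

# Constructed sample: the guide's certificate-auth settings plus a routing
# section that mixes route and no-route and contains one malformed network.
SAMPLE_CONF = """\
#auth = "plain[passwd=/etc/ocserv/ocpasswd]"
auth = "certificate"
tcp-port = 443
server-cert = /etc/ocserv/server.cert.pem
server-key = /etc/ocserv/server.key.pem
ca-cert = /etc/ocserv/template/ca.cert.pem
cert-user-oid = 2.5.4.3
ipv4-network = 192.168.8.0
ipv4-netmask = 255.255.255.0
dns = 192.168.8.1
route = 10.0.0.0/8
route = 172.16.0.0/255.240.0.0
no-route = 192.168.0.0/16
route = 300.1.1.0/24
"""

# ocserv lines are "key = value"; keys may contain dashes (no-route, ca-cert).
LINE_RE = re.compile(r'^([A-Za-z0-9_-]+)\s*=\s*(.*)$')


def parse_conf(text):
    """Return {key: [values...]}; keys such as route, no-route and dns repeat."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        match = LINE_RE.match(line)
        if not match:
            continue
        key, value = match.group(1), match.group(2).strip().strip('"')
        conf.setdefault(key, []).append(value)
    return conf


def valid_network(value):
    """Accept a.b.c.d/prefix or a.b.c.d/netmask, the two forms ocserv takes."""
    try:
        ipaddress.ip_network(value, strict=False)
        return True
    except ValueError:
        return False


def private_address(value):
    """True only for a syntactically valid address in a private range."""
    try:
        return ipaddress.ip_address(value).is_private
    except ValueError:
        return False


def lint_conf(conf):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    # Certificate login needs the CA to verify against and the OID for the user name.
    if conf.get('auth') == ['certificate']:
        for required in ('ca-cert', 'cert-user-oid'):
            if required not in conf:
                findings.append(f'auth=certificate but {required} is missing')
    # The guide asks for a private address pool and a private DNS server.
    for key in ('ipv4-network', 'dns'):
        for value in conf.get(key, []):
            if not private_address(value):
                findings.append(f'{key} = {value} is not a private address')
    # route and no-route are mutually exclusive; each entry must be a network.
    routes, no_routes = conf.get('route', []), conf.get('no-route', [])
    if routes and no_routes:
        findings.append('both route and no-route present; use only one')
    for key, values in (('route', routes), ('no-route', no_routes)):
        for value in values:
            if not valid_network(value):
                findings.append(f'{key} = {value} is not a valid network')
    return findings


if __name__ == '__main__':
    for finding in lint_conf(parse_conf(SAMPLE_CONF)):
        print('finding:', finding)
```

Run it against a real file by replacing SAMPLE_CONF with the contents of /etc/ocserv/ocserv.conf; on the sample it reports the mixed route/no-route section and the malformed 300.1.1.0/24 entry, and it reports nothing once those two lines are removed.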