安装
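# Install the OpenConnect-compatible VPN server (Debian/Ubuntu package).
# sudo is used consistently throughout this guide; drop it if you are already root.
sudo apt-get install ocserv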
添加账号密码
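# Add (or update) the VPN user "guest" in the plain-text password file that
# ocserv.conf references via auth = "plain[/etc/ocserv/ocpasswd]".
# -c selects the password file; ocpasswd prompts for the password interactively.
# Pick a less guessable username than "guest" for a server exposed to the Internet.
sudo ocpasswd -c /etc/ocserv/ocpasswd guest
# The file holds password hashes: make sure it is not readable by other users.
# NOTE(review): root-only access is expected to be enough because the ocserv
# main/security-module process reads it as root — verify on your version.
sudo chmod 600 /etc/ocserv/ocpasswd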
生成证书
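# --- Generate a CA and a server certificate with easy-rsa ---
# NOTE: these are the legacy easy-rsa 2.x scripts (vars / build-ca / build-key-server).
# easy-rsa 3.x replaces them with ./easyrsa init-pki, build-ca, build-server-full.
# Shell comments use '#': a line starting with '//' is executed as a command and fails.
sudo apt-get install easy-rsa

# Work on a private copy so the scripts can write the keys directory without root,
# and the system-wide /usr/share/easy-rsa stays untouched.
cp -r /usr/share/easy-rsa "$HOME/easy-rsa"
cd "$HOME/easy-rsa"

# Edit vars: set EASY_RSA (this directory), KEY_DIR (where keys are written)
# and the KEY_* defaults used for the certificate subject.
vim vars

# Load the variables into the current shell (must be sourced, not executed).
source ./vars

# easy-rsa 2.x reads openssl.cnf; use the template matching the installed OpenSSL.
cp openssl-1.0.0.cnf openssl.cnf

# Initialise KEY_DIR (index.txt, serial); build-ca fails without them.
# WARNING: this wipes any existing keys in KEY_DIR.
./clean-all

# Build the CA. Its private key signs every certificate — keep it out of the VPN host
# if possible and never copy it into /etc/ocserv/ssl.
./build-ca

# Build the server certificate; set the Common Name to the DNS name clients connect to,
# otherwise clients will report a hostname mismatch.
./build-key-server server

# Copy the results to the paths ocserv.conf expects and keep the private key root-only.
sudo install -d /etc/ocserv/ssl
sudo install -m 644 "$KEY_DIR/ca.crt" "$KEY_DIR/server.crt" /etc/ocserv/ssl/
sudo install -m 600 "$KEY_DIR/server.key" /etc/ocserv/ssl/server.key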
编辑配置
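# Edit the server configuration (root-owned; sudo keeps this consistent with the other
# privileged steps in this guide). Reference values follow.
sudo vim /etc/ocserv/ocserv.conf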
参考配置（按实际环境修改）。注意 server-cert / server-key / ca-cert 指向 /etc/ocserv/ssl/，需先把 easy-rsa 在 keys 目录生成的 ca.crt、server.crt、server.key 复制到该目录，并把 server.key 权限设为仅 root 可读；tcp-port/udp-port 和 ipv4-network 必须与后面的防火墙规则一致。
# ocserv.conf reference values. Adjust ports, address pool, DNS and paths to your setup.

# Authentication: username/password from the ocpasswd file created earlier.
auth = "plain[/etc/ocserv/ocpasswd]"
# Treat the listen host name as a dynamic-DNS name (re-checked by the server).
listen-host-is-dyndns = true
# Non-default listener ports (443 is the usual choice). TCP carries TLS, UDP carries DTLS.
# Both values must match the INPUT firewall rules below.
tcp-port = 11130
udp-port = 11130
# Unprivileged identity the worker processes drop to after startup.
run-as-user = nobody
run-as-group = daemon
socket-file = /var/run/ocserv-socket
# SECURITY: false disables the seccomp sandbox around worker processes.
# Prefer true; only fall back to false if the kernel/libseccomp lacks support.
isolate-workers = false
# Global and per-user concurrent session limits.
max-clients = 16
max-same-clients = 2
# All in seconds: keepalive interval (100 h here), dead-peer detection for
# regular and mobile clients.
keepalive = 360000
dpd = 90
mobile-dpd = 1800
try-mtu-discovery = true
# Only used with certificate authentication (2.5.4.3 = CN); inert under plain auth.
cert-user-oid = 2.5.4.3
# GnuTLS priority string. SSLv3 is disabled; %COMPAT relaxes strictness for older
# clients. Consider also dropping TLS 1.0/1.1 (-VERS-TLS1.0:-VERS-TLS1.1) once every
# client supports newer versions.
tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-VERS-SSL3.0"
# Login must complete within 240 s; a user may re-authenticate at most every 300 s.
auth-timeout = 240
min-reauth-time = 300
# Brute-force throttling: a client is banned once its score reaches 50;
# scores reset after 300 s.
max-ban-score = 50
ban-reset-time = 300
# Session cookie validity (seconds): a reconnect inside this window skips re-authentication.
cookie-timeout = 86400
# Allow a client's source IP to change mid-session (roaming between networks).
deny-roaming = false
# Re-key every 48 h, via TLS renegotiation (ssl) rather than CSTP.
rekey-time = 172800
rekey-method = ssl
use-occtl = true
pid-file = /var/run/ocserv.pid
# Tunnel device name prefix (vpns0, vpns1, ...).
device = vpns
# The same user gets the same tunnel IP across sessions.
predictable-ips = true
default-domain = example.com
# Address pool handed to clients; must match the NAT/FORWARD rules on the host.
ipv4-network = 10.12.0.0
ipv4-netmask = 255.255.255.0
# Resolvers pushed to clients.
dns = 8.8.8.8
dns = 8.8.4.4
#dns = 114.114.114.114
ping-leases = false
# Route excluded from the tunnel (a typical home LAN range stays reachable directly).
no-route = 192.168.1.0/255.255.255.0
# Compatibility with Cisco AnyConnect clients and their legacy DTLS negotiation.
cisco-client-compat = true
dtls-legacy = true
设置防火墙
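# --- Firewall / NAT for the VPN ---
# These values must match ocserv.conf (tcp-port/udp-port, ipv4-network/netmask)
# and the host's upstream interface; adjust before running.
VPN_PORT=11130
VPN_NET=10.12.0.0/24
WAN_IF=eth0

# Allow clients to reach the listener (TLS over TCP, DTLS over UDP).
sudo iptables -I INPUT -p tcp --dport "$VPN_PORT" -j ACCEPT
sudo iptables -I INPUT -p udp --dport "$VPN_PORT" -j ACCEPT
# To remove these rules later, run the same two commands with -D instead of -I.
# (The original listing placed the -D lines directly after the -I lines; executed
# together they delete the rules just added and leave the port closed.)

# NAT the VPN subnet out of the upstream interface and permit forwarding both ways.
# The return-path rule matters when the FORWARD chain's default policy is DROP
# (e.g. hosts running Docker).
sudo iptables -t nat -A POSTROUTING -s "$VPN_NET" -o "$WAN_IF" -j MASQUERADE
sudo iptables -A FORWARD -s "$VPN_NET" -j ACCEPT
sudo iptables -A FORWARD -d "$VPN_NET" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

# NOTE: iptables rules are lost on reboot; persist them with iptables-save /
# netfilter-persistent (or your distribution's equivalent).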
设置流量转发
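# --- Enable IPv4 forwarding so tunnel traffic can leave the server ---
# Shell comments use '#': a line starting with '//' is executed as a command and fails.
# Apply immediately (not persistent across reboots):
sudo sysctl -w net.ipv4.ip_forward=1

# Make it persistent: uncomment or add the following line in /etc/sysctl.conf
#   net.ipv4.ip_forward=1
sudo vim /etc/sysctl.conf

# Reload the file (needs root; the original ran this without sudo).
sudo sysctl -p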