Building an AnyConnect-compatible VPN on CentOS with Radius authentication

Leo
2019-07-22

Tested on a CentOS 7 x64 instance from Vultr. It assumes you already have a working Radius server.

Early AnyConnect deployments required a Cisco device on the server side; today the AnyConnect client can also talk to ocserv (OpenConnect VPN Server), which implements the AnyConnect SSL VPN protocol. ocserv is packaged in the EPEL repository maintained by Fedora, so installing the EPEL release package is enough.

wget https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
rpm -ivh epel-release-latest-7.noarch.rpm

Then install ocserv. radcli is the Radius client library ocserv uses; freeradius-utils provides radtest, which we use later to check the Radius server.

yum install -y radcli            # Radius client library used by ocserv
yum install -y ocserv
yum install -y freeradius-utils  # Radius tools (radtest)

An AnyConnect session is set up over TLS on TCP; once connected, the client moves the data channel to DTLS over UDP and falls back to the TLS channel when UDP is blocked or the connection has to be re-established. Either way the server needs a TLS certificate. With a self-built CA, clients warn that the server certificate is untrusted unless the CA certificate is imported on each of them; a publicly trusted certificate avoids the warning and lets you skip the steps below, and a wildcard certificate covers several AnyConnect servers with a single certificate. Here we build our own CA. The certificates can be produced with certtool from GnuTLS. The following command creates an RSA private key (certtool on CentOS 7 defaults to 2048 bits; add --rsa --bits 2048 to pin the size regardless of version). Do not generate an ECC key, which AnyConnect does not support.

certtool --generate-privkey --outfile ca.pem

This produces the CA private key ca.pem. Generating the CA certificate needs a few template fields, which we save to ca.tmpl:

echo -e 'cn = "your vpn name"
organization = "your org"
serial = 1
expiration_days = 365
ca
signing_key
cert_signing_key
crl_signing_key' > ca.tmpl

Now we can generate the CA certificate:

certtool --generate-self-signed --load-privkey ca.pem --template ca.tmpl --outfile ca.crt

With the CA in place, generate a private key for the server certificate that ocserv will present to AnyConnect clients:

certtool --generate-privkey --outfile anyconnect.pem

Issuing the server certificate also needs a template, saved to anyconnect.tmpl. The certificate must be marked as a TLS server certificate (tls_www_server): TLS clients reject a server certificate whose extended key usage only allows client authentication. Modern clients also verify the server name against the Subject Alternative Name rather than the CN, so add the hostname or IP as dns_name or ip_address as well:

echo -e 'cn = "your domain name or server IP"
# SAN entries: use dns_name for a hostname, ip_address for a bare IP (placeholders below)
dns_name = "your.domain.name"
# ip_address = "your.server.ip"
unit = "anyconnect"
serial = 2
expiration_days = 365
signing_key
tls_www_server' > anyconnect.tmpl

Then issue the server certificate, signed by our CA:

certtool --generate-certificate --load-privkey anyconnect.pem --load-ca-certificate ca.crt --load-ca-privkey ca.pem --template anyconnect.tmpl --outfile anyconnect.crt

To trust the server, a client only needs the CA certificate ca.crt: import it into the operating system's (or AnyConnect's) trust store and the certificate warning goes away. Do not hand out anyconnect.pem in any form: it is the server's private key, and whoever holds it can impersonate the VPN server. A PKCS#12 (.p12) bundle is only needed if you issue per-user client certificates for certificate-based login, which this setup does not use (authentication is done by Radius). If you do go that way, bundle the user's own key and certificate, never the server's. openssl asks for an export password and a confirmation; it may be left empty, but the file is then unprotected and the password is asked again on import if one was set.

openssl pkcs12 -export -inkey user.pem -in user.crt -certfile ca.crt -out user.p12   # user.pem / user.crt: a per-user key and certificate issued the same way as above (placeholders)

We now have two certificates: our own CA certificate ca.crt and the server certificate anyconnect.crt. Copy anyconnect.crt and anyconnect.pem into /etc/ocserv/ (the paths referenced in ocserv.conf below) and make the key file readable by root only. Towards the Radius server, ocserv acts as a Radius client. Edit /etc/radcli/servers and add your Radius server's address and the shared secret, one server per line, for example:

radius.example.com testing123

testing123 is the default secret shipped in FreeRADIUS's example configuration. Use it only for the first test and then replace it on both sides with a long random secret: in Radius the shared secret is all that hides the users' passwords in PAP traffic and all that proves a reply came from your server.
Then edit the Radius client configuration /etc/radcli/radiusclient.conf and point it at the same server:

authserver radius.example.com
acctserver radius.example.com

Edit /etc/ocserv/ocserv.conf: comment out the auth = "pam" line and enable Radius authentication instead. groupconfig=true tells ocserv to take the user's group from the Radius reply.

auth = "radius[config=/etc/radcli/radiusclient.conf,groupconfig=true]"

Then adjust mainly the following settings:

# Radius accounting: session start/stop records sent to the same server
acct = "radius[config=/etc/radcli/radiusclient.conf]"

# Interval in seconds at which ocserv reports session statistics (interim accounting)
stats-report-time = 360

server-cert = /etc/ocserv/anyconnect.crt
server-key = /etc/ocserv/anyconnect.pem

# Maximum number of connected clients
max-clients = 16

# Maximum simultaneous sessions per user
max-same-clients = 4

# TCP and UDP listening ports; 443 looks like HTTPS and passes most firewalls
tcp-port = 443
udp-port = 443

# Unprivileged user and group the worker processes run as
run-as-user = ocserv
run-as-group = ocserv

# Address pool handed to VPN clients
ipv4-network = 10.12.0.0
ipv4-netmask = 255.255.255.0

# DNS servers pushed to clients
dns = 8.8.8.8
dns = 8.8.4.4

Comment out every route and no-route line so that all client traffic goes through the VPN (the split-tunnel alternative is covered at the end). Then configure the firewall:

iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu   # clamp TCP MSS to the path MTU so tunnelled connections do not stall
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE   # NAT client traffic out through the uplink; check that the interface really is eth0
iptables -I INPUT -p tcp --dport 443 -j ACCEPT   # allow TCP 443 (TLS control channel)
iptables -I INPUT -p udp --dport 443 -j ACCEPT   # allow UDP 443 (DTLS data channel)

Then enable IP forwarding. Add the following line to /etc/sysctl.conf and save:
net.ipv4.ip_forward = 1
and apply it with
sysctl -p

If the rules do not seem to take effect, it is usually because firewalld is managing the tables alongside you. You can flush everything with iptables -F and re-enter the rules above, but flushing removes every existing rule, including anything protecting SSH, and with a DROP default policy on INPUT it locks you out of the machine.
The cleaner option is to disable firewalld and use the iptables service instead:

systemctl stop firewalld
systemctl mask firewalld
yum install iptables-services -y
systemctl enable iptables

Save the rules so they are restored at boot (they are written to /etc/sysconfig/iptables):

/usr/libexec/iptables/iptables.init save

Now check that the Radius server accepts our credentials and shared secret:
radtest [user] [password] [radius_server] 1812 testing123
radtest's positional arguments are user, password, server, NAS-Port value and secret, so the 1812 here sets the NAS-Port attribute, not the UDP port (append :port to the server name to change the port). A working setup answers with Access-Accept; an Access-Reject for correct credentials usually means the secret differs between the two sides.
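What radtest (and ocserv's radius module) actually puts on the wire is an Access-Request whose User-Password is hidden with the shared secret, followed by a reply that the client must verify against the same secret. The following Python script is an added example, not code from the original post or from radcli/FreeRADIUS: it implements the PAP exchange from RFC 2865 with constructed values (user alice, password s3cret, the testing123 secret used above) and shows the two consequences of the secret: anyone who captures the request and knows or guesses the secret recovers the password, and a reply built without the secret fails verification.

```python
"""RADIUS PAP Access-Request / Access-Accept exchange (RFC 2865), as radtest and
ocserv's radius module perform it with the shared secret from /etc/radcli/servers.
Added example, not code from the original post or from ocserv/radcli."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_PORT, REPLY_MESSAGE = 1, 2, 5, 18


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-byte blocks and XOR block i with
    MD5(secret + previous ciphertext block), seeded by the Request Authenticator.
    The only key material is the shared secret, so a weak secret exposes every password."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ b for p, b in zip(padded[i:i + 16], block))
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_password: what the server does, and what anyone who captured
    the packet and knows (or guessed) the secret can do as well."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = hidden[i:i + 16]
        out += bytes(c ^ b for c, b in zip(prev, block))
    return out.rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value encoding; Length counts the two header bytes."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(ident: int, user: str, password: str, secret: bytes,
                         nas_port: int = 0, request_auth: bytes = None) -> bytes:
    """Packet layout: Code(1) Identifier(1) Length(2) Authenticator(16) Attributes."""
    request_auth = request_auth or os.urandom(16)
    attrs = (attribute(USER_NAME, user.encode())
             + attribute(USER_PASSWORD, hide_password(password.encode(), secret, request_auth))
             + attribute(NAS_PORT, struct.pack("!I", nas_port)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def response_authenticator(code: int, ident: int, attrs: bytes,
                           request_auth: bytes, secret: bytes) -> bytes:
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret): binds the reply
    to one request and proves the sender holds the secret."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_response(code: int, request: bytes, secret: bytes, attrs: bytes = b"") -> bytes:
    """Server side: answer an Access-Request with the given code and attributes."""
    ident, request_auth = request[1], request[4:20]
    auth = response_authenticator(code, ident, attrs, request_auth, secret)
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + auth + attrs


def verify_response(response: bytes, request: bytes, secret: bytes) -> bool:
    """Client side: reject a reply whose authenticator does not match our request
    and secret. Without this check anyone on the path could forge an Access-Accept."""
    if len(response) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", response[:4])
    if length != len(response) or ident != request[1]:
        return False
    expected = response_authenticator(code, ident, response[20:], request[4:20], secret)
    return hmac.compare_digest(expected, response[4:20])


def demo(secret: bytes = b"testing123") -> dict:
    """Constructed exchange: one request, one genuine reply, one reply forged without the secret."""
    request = build_access_request(ident=7, user="alice", password="s3cret", secret=secret)
    request_auth = request[4:20]
    hidden = request[29:45]  # User-Password value: follows the 7-byte User-Name attribute
    genuine = build_response(ACCESS_ACCEPT, request, secret, attribute(REPLY_MESSAGE, b"Welcome"))
    forged = build_response(ACCESS_ACCEPT, request, b"attacker-guess")
    return {
        "server_sees": reveal_password(hidden, secret, request_auth),
        "genuine_accepted": verify_response(genuine, request, secret),
        "forged_accepted": verify_response(forged, request, secret),
    }


if __name__ == "__main__":
    print(demo())
```

Running the script with the default testing123 secret prints the recovered password, True for the genuine reply and False for the forged one. Note that there is no Message-Authenticator here: plain RFC 2865 relies entirely on the secret and an unpredictable Request Authenticator, which is why the secret must be long and random and why Radius traffic should stay on a trusted network or inside a tunnel.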

Finally, run ocserv in the foreground with debugging to confirm the configuration loads, and try connecting with an AnyConnect client:

ocserv -c /etc/ocserv/ocserv.conf -f -d 1
# if everything works, stop it with Ctrl+C

Then start ocserv as a service:

systemctl start ocserv.service   # start the service
systemctl enable ocserv.service  # start at boot
systemctl status ocserv.service  # check status

But what if you want local authentication instead of Radius?
Edit the configuration file (vi /etc/ocserv/ocserv.conf) and replace the Radius auth line with:

auth = "plain[/etc/ocserv/ocpasswd]"

(newer ocserv releases document this as plain[passwd=/etc/ocserv/ocpasswd]; remove the Radius acct line too, or accounting will keep trying to reach the Radius server). Then create a local user:

sudo ocpasswd -c /etc/ocserv/ocpasswd username
# username is the account to add; ocpasswd prompts for the password and stores a hash

Pushing routes

This is, I think, the most exciting feature: a phone that stays connected all day only wants certain services through the VPN, while domestic sites are fastest over the phone's own network.

The catch is that the AnyConnect client accepts a limited number of pushed routes, about 200.

So we can only guarantee a handful of commonly used services, such as Google, Facebook and Twitter.

Edit the configuration file

sudo vim /etc/ocserv/ocserv.conf
and find the route = entries.

Routing table

Because ocserv defaults to a full tunnel, split tunnelling is configured in /etc/ocserv/ocserv.conf: domestic (Chinese) traffic goes direct and everything else goes through ocserv. This method is not always reliable.
The table below comes from moeclub.org and uses the no-route approach: everything is tunnelled except the listed networks. Replace $YourIP with your server's public address, otherwise clients cannot reach the server once the tunnel is up. Note that the list has 199 entries, right at the route limit mentioned above, so adding entries may push it over.

## No Route List
no-route = $YourIP/255.255.255.255
no-route = 192.168.0.0/255.255.0.0 
no-route = 1.0.0.0/255.192.0.0
no-route = 1.64.0.0/255.224.0.0
no-route = 1.112.0.0/255.248.0.0
no-route = 1.176.0.0/255.240.0.0
no-route = 1.192.0.0/255.240.0.0
no-route = 14.0.0.0/255.224.0.0
no-route = 14.96.0.0/255.224.0.0
no-route = 14.128.0.0/255.224.0.0
no-route = 14.192.0.0/255.224.0.0
no-route = 27.0.0.0/255.192.0.0
no-route = 27.96.0.0/255.224.0.0
no-route = 27.128.0.0/255.224.0.0
no-route = 27.176.0.0/255.240.0.0
no-route = 27.192.0.0/255.224.0.0
no-route = 27.224.0.0/255.252.0.0
no-route = 36.0.0.0/255.192.0.0
no-route = 36.96.0.0/255.224.0.0
no-route = 36.128.0.0/255.192.0.0
no-route = 36.192.0.0/255.224.0.0
no-route = 36.240.0.0/255.240.0.0
no-route = 39.0.0.0/255.255.0.0
no-route = 39.64.0.0/255.224.0.0
no-route = 39.96.0.0/255.240.0.0
no-route = 39.128.0.0/255.192.0.0
no-route = 40.72.0.0/255.254.0.0
no-route = 40.124.0.0/255.252.0.0
no-route = 42.0.0.0/255.248.0.0
no-route = 42.48.0.0/255.240.0.0
no-route = 42.80.0.0/255.240.0.0
no-route = 42.96.0.0/255.224.0.0
no-route = 42.128.0.0/255.128.0.0
no-route = 43.224.0.0/255.224.0.0
no-route = 45.65.16.0/255.255.240.0
no-route = 45.112.0.0/255.240.0.0
no-route = 45.248.0.0/255.248.0.0
no-route = 47.92.0.0/255.252.0.0
no-route = 47.96.0.0/255.224.0.0
no-route = 49.0.0.0/255.128.0.0
no-route = 49.128.0.0/255.224.0.0
no-route = 49.192.0.0/255.192.0.0
no-route = 52.80.0.0/255.252.0.0
no-route = 54.222.0.0/255.254.0.0
no-route = 58.0.0.0/255.128.0.0
no-route = 58.128.0.0/255.224.0.0
no-route = 58.192.0.0/255.224.0.0
no-route = 58.240.0.0/255.240.0.0
no-route = 59.32.0.0/255.224.0.0
no-route = 59.64.0.0/255.224.0.0
no-route = 59.96.0.0/255.240.0.0
no-route = 59.144.0.0/255.240.0.0
no-route = 59.160.0.0/255.224.0.0
no-route = 59.192.0.0/255.192.0.0
no-route = 60.0.0.0/255.224.0.0
no-route = 60.48.0.0/255.240.0.0
no-route = 60.160.0.0/255.224.0.0
no-route = 60.192.0.0/255.192.0.0
no-route = 61.0.0.0/255.192.0.0
no-route = 61.80.0.0/255.248.0.0
no-route = 61.128.0.0/255.192.0.0
no-route = 61.224.0.0/255.224.0.0
no-route = 91.234.36.0/255.255.255.0
no-route = 101.0.0.0/255.128.0.0
no-route = 101.128.0.0/255.224.0.0
no-route = 101.192.0.0/255.240.0.0
no-route = 101.224.0.0/255.224.0.0
no-route = 103.0.0.0/255.0.0.0
no-route = 106.0.0.0/255.128.0.0
no-route = 106.224.0.0/255.240.0.0
no-route = 110.0.0.0/255.128.0.0
no-route = 110.144.0.0/255.240.0.0
no-route = 110.160.0.0/255.224.0.0
no-route = 110.192.0.0/255.192.0.0
no-route = 111.0.0.0/255.192.0.0
no-route = 111.64.0.0/255.224.0.0
no-route = 111.112.0.0/255.240.0.0
no-route = 111.128.0.0/255.192.0.0
no-route = 111.192.0.0/255.224.0.0
no-route = 111.224.0.0/255.240.0.0
no-route = 112.0.0.0/255.128.0.0
no-route = 112.128.0.0/255.240.0.0
no-route = 112.192.0.0/255.252.0.0
no-route = 112.224.0.0/255.224.0.0
no-route = 113.0.0.0/255.128.0.0
no-route = 113.128.0.0/255.240.0.0
no-route = 113.192.0.0/255.192.0.0
no-route = 114.16.0.0/255.240.0.0
no-route = 114.48.0.0/255.240.0.0
no-route = 114.64.0.0/255.192.0.0
no-route = 114.128.0.0/255.240.0.0
no-route = 114.192.0.0/255.192.0.0
no-route = 115.0.0.0/255.0.0.0
no-route = 116.0.0.0/255.0.0.0
no-route = 117.0.0.0/255.128.0.0
no-route = 117.128.0.0/255.192.0.0
no-route = 118.16.0.0/255.240.0.0
no-route = 118.64.0.0/255.192.0.0
no-route = 118.128.0.0/255.128.0.0
no-route = 119.0.0.0/255.128.0.0
no-route = 119.128.0.0/255.192.0.0
no-route = 119.224.0.0/255.224.0.0
no-route = 120.0.0.0/255.192.0.0
no-route = 120.64.0.0/255.224.0.0
no-route = 120.128.0.0/255.240.0.0
no-route = 120.192.0.0/255.192.0.0
no-route = 121.0.0.0/255.128.0.0
no-route = 121.192.0.0/255.192.0.0
no-route = 122.0.0.0/254.0.0.0
no-route = 124.0.0.0/255.0.0.0
no-route = 125.0.0.0/255.128.0.0
no-route = 125.160.0.0/255.224.0.0
no-route = 125.192.0.0/255.192.0.0
no-route = 137.59.59.0/255.255.255.0
no-route = 137.59.88.0/255.255.252.0
no-route = 139.0.0.0/255.224.0.0
no-route = 139.128.0.0/255.128.0.0
no-route = 140.64.0.0/255.240.0.0
no-route = 140.128.0.0/255.240.0.0
no-route = 140.192.0.0/255.192.0.0
no-route = 144.0.0.0/255.248.0.0
no-route = 144.12.0.0/255.255.0.0
no-route = 144.48.0.0/255.248.0.0
no-route = 144.123.0.0/255.255.0.0
no-route = 144.255.0.0/255.255.0.0
no-route = 146.196.0.0/255.255.128.0
no-route = 150.0.0.0/255.255.0.0
no-route = 150.96.0.0/255.224.0.0
no-route = 150.128.0.0/255.240.0.0
no-route = 150.192.0.0/255.192.0.0
no-route = 152.104.128.0/255.255.128.0
no-route = 153.0.0.0/255.192.0.0
no-route = 153.96.0.0/255.224.0.0
no-route = 157.0.0.0/255.255.0.0
no-route = 157.18.0.0/255.255.0.0
no-route = 157.61.0.0/255.255.0.0
no-route = 157.112.0.0/255.240.0.0
no-route = 157.144.0.0/255.240.0.0
no-route = 157.255.0.0/255.255.0.0
no-route = 159.226.0.0/255.255.0.0
no-route = 160.19.0.0/255.255.0.0
no-route = 160.20.48.0/255.255.252.0
no-route = 160.202.0.0/255.255.0.0
no-route = 160.238.64.0/255.255.252.0
no-route = 161.207.0.0/255.255.0.0
no-route = 162.105.0.0/255.255.0.0
no-route = 163.0.0.0/255.192.0.0
no-route = 163.96.0.0/255.224.0.0
no-route = 163.128.0.0/255.192.0.0
no-route = 163.192.0.0/255.224.0.0
no-route = 164.52.0.0/255.255.128.0
no-route = 166.111.0.0/255.255.0.0
no-route = 167.139.0.0/255.255.0.0
no-route = 167.189.0.0/255.255.0.0
no-route = 167.220.244.0/255.255.252.0
no-route = 168.160.0.0/255.255.0.0
no-route = 170.179.0.0/255.255.0.0
no-route = 171.0.0.0/255.128.0.0
no-route = 171.192.0.0/255.224.0.0
no-route = 175.0.0.0/255.128.0.0
no-route = 175.128.0.0/255.192.0.0
no-route = 180.64.0.0/255.192.0.0
no-route = 180.128.0.0/255.128.0.0
no-route = 182.0.0.0/255.0.0.0
no-route = 183.0.0.0/255.192.0.0
no-route = 183.64.0.0/255.224.0.0
no-route = 183.128.0.0/255.128.0.0
no-route = 192.124.154.0/255.255.255.0
no-route = 192.140.128.0/255.255.128.0
no-route = 202.0.0.0/255.128.0.0
no-route = 202.128.0.0/255.192.0.0
no-route = 202.192.0.0/255.224.0.0
no-route = 203.0.0.0/255.0.0.0
no-route = 210.0.0.0/255.192.0.0
no-route = 210.64.0.0/255.224.0.0
no-route = 210.160.0.0/255.224.0.0
no-route = 210.192.0.0/255.224.0.0
no-route = 211.64.0.0/255.248.0.0
no-route = 211.80.0.0/255.240.0.0
no-route = 211.96.0.0/255.248.0.0
no-route = 211.136.0.0/255.248.0.0
no-route = 211.144.0.0/255.240.0.0
no-route = 211.160.0.0/255.248.0.0
no-route = 216.250.108.0/255.255.252.0
no-route = 218.0.0.0/255.128.0.0
no-route = 218.160.0.0/255.224.0.0
no-route = 218.192.0.0/255.192.0.0
no-route = 219.64.0.0/255.224.0.0
no-route = 219.128.0.0/255.224.0.0
no-route = 219.192.0.0/255.192.0.0
no-route = 220.96.0.0/255.224.0.0
no-route = 220.128.0.0/255.128.0.0
no-route = 221.0.0.0/255.224.0.0
no-route = 221.96.0.0/255.224.0.0
no-route = 221.128.0.0/255.128.0.0
no-route = 222.0.0.0/255.0.0.0
no-route = 223.0.0.0/255.224.0.0
no-route = 223.64.0.0/255.192.0.0
no-route = 223.128.0.0/255.128.0.0
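Before pasting a list like the one above into ocserv.conf it is worth checking it mechanically: that every entry is a valid network (no host bits set behind the mask), that the server's own address is excluded, that the client address pool does not overlap an excluded network, and that the total stays under the client route limit. The following Python script is an added example, not part of the original post or of ocserv; it runs on a constructed sample in the same format, and the 200 limit and the server address 198.51.100.7 are assumptions (the post's figure and a documentation address respectively).

```python
"""Sanity checks for an ocserv split-tunnel route list (route / no-route entries).
Added example, not part of the original post or of ocserv."""
import ipaddress
from typing import List, Tuple

# Constructed sample in the post's format; in practice read the block from ocserv.conf.
SAMPLE = """\
## No Route List
no-route = $YourIP/255.255.255.255
no-route = 192.168.0.0/255.255.0.0
no-route = 1.0.0.0/255.192.0.0
no-route = 103.0.0.0/255.0.0.0
no-route = 122.0.0.0/254.0.0.0   # trailing comment
route = 10.12.0.0/255.255.255.0
"""

Route = Tuple[str, ipaddress.IPv4Network]


def parse_routes(text: str, server_ip: str) -> List[Route]:
    """Return (keyword, network) pairs. The $YourIP placeholder is substituted first.
    strict=True rejects entries whose host bits are set (e.g. 1.2.3.0/255.255.0.0),
    which almost always indicates a typo in the list."""
    routes: List[Route] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and the "## No Route List" header
        if not line:
            continue
        key, sep, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if not sep or key not in ("route", "no-route"):
            continue
        value = value.replace("$YourIP", server_ip)
        try:
            routes.append((key, ipaddress.ip_network(value, strict=True)))
        except ValueError as exc:
            raise ValueError(f"line {lineno}: {value!r}: {exc}") from None
    return routes


def check_routes(routes: List[Route], server_ip: str, vpn_pool: str, limit: int = 200) -> List[str]:
    """Problems worth flagging before pushing the list to clients.
    `limit` is the client-side route cap the post mentions (assumed here to be 200)."""
    problems: List[str] = []
    excluded = [net for key, net in routes if key == "no-route"]
    if len(routes) > limit:
        problems.append(f"{len(routes)} routes pushed, over the client limit of {limit}")
    server = ipaddress.ip_address(server_ip)
    if not any(server in net for net in excluded):
        problems.append(f"server {server_ip} is not excluded by any no-route entry "
                        "(the post warns clients then cannot reach the server)")
    pool = ipaddress.ip_network(vpn_pool)
    for net in excluded:
        if pool.overlaps(net):
            problems.append(f"VPN pool {pool} overlaps excluded network {net}; "
                            "traffic to the tunnel's own addresses would bypass it")
    collapsed = list(ipaddress.collapse_addresses(excluded))
    if len(collapsed) < len(excluded):
        problems.append(f"{len(excluded) - len(collapsed)} no-route entries are covered by "
                        "or mergeable with neighbours; merging them frees route slots")
    return problems


def render_cidr(routes: List[Route]) -> List[str]:
    """The same list in prefix notation, which ocserv also accepts and which is easier to diff."""
    return [f"{key} = {net.with_prefixlen}" for key, net in routes]


if __name__ == "__main__":
    parsed = parse_routes(SAMPLE, "198.51.100.7")
    print("\n".join(render_cidr(parsed)))
    print(check_routes(parsed, "198.51.100.7", "10.12.0.0/24") or "no problems found")
```

To check the real list, read the no-route block from ocserv.conf into `text`, pass your server's public address and the ipv4-network/ipv4-netmask pool configured above, and fix every reported problem before restarting ocserv; a ValueError from parse_routes points at the exact line with a malformed entry.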
Copyright: Leo

Permalink: http://gee.im/index.php/archives/22/ (please credit the source and include this link when reposting)