安裝
# Install the ocserv package (apt-get needs root; some later steps use sudo,
# this one is written without it — run the whole page as the same privileged user).
apt-get install ocserv
添加賬號密碼
# Add user "guest" to the password file given with -c; the password is asked
# for interactively, so it does not end up on the command line or in history.
# The same file path is what auth = "plain[...]" in ocserv.conf below reads.
# NOTE(review): a generic name like guest is an easy first guess for a
# brute-force attempt; prefer one named entry per person.
ocpasswd -c /etc/ocserv/ocpasswd guest
生成證書
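# Install easy-rsa (the 2.x script set: vars, openssl-1.0.0.cnf, build-ca,
# build-key-server). The annotations in this section are written as `#`
# comments so the block can be pasted into a shell as-is.
sudo apt-get install easy-rsa
cd /usr/share/easy-rsa || exit 1
# Edit vars: set the easy-rsa directory and the key output directory.
sudo vim vars
# Load vars into the *current* shell. The build-* scripts below rely on that
# environment, so run them from this same shell and as this same user;
# starting them under sudo would typically not carry the sourced variables.
source ./vars
# Provide the OpenSSL config the scripts expect.
sudo cp openssl-1.0.0.cnf openssl.cnf
# Generate the CA certificate and its private key.
./build-ca
# Generate the server certificate and set its common name; clients check the
# server certificate against the host they connect to, so use that hostname.
./build-key-server server
# NOTE(review): build-ca/build-key-server write into the key directory named
# in vars, while ocserv.conf below reads /etc/ocserv/ssl/{ca.crt,server.crt,
# server.key}; copying them there (server.key readable by root only) is a step
# this page does not show. ocserv needs only the CA *certificate*; the CA
# private key is used just for signing and is best kept off the VPN host.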
編輯配置
# Edit the server configuration; the settings listed below are the ones this
# page relies on (ports, certificate paths, address pool).
vim /etc/ocserv/ocserv.conf
參考配置,設置證書文件路徑
# ocserv.conf excerpt. Password authentication against the file created by
# `ocpasswd -c /etc/ocserv/ocpasswd ...` above; no client certificate is required.
auth = "plain[/etc/ocserv/ocpasswd]"
# NOTE(review): this flag concerns a listen-host given as a dyndns name; no
# listen-host is set in this excerpt, so it likely has no effect here — confirm.
listen-host-is-dyndns = true
# Must match the ports opened by the iptables rules below.
tcp-port = 11130
udp-port = 11130
# Unprivileged identity the worker processes run as (per ocserv's sample config).
run-as-user = nobody
run-as-group = daemon
socket-file = /var/run/ocserv-socket
# Files produced by the easy-rsa steps above (written to easy-rsa's key
# directory, so they have to be copied here; server.key should be root-only).
server-cert = /etc/ocserv/ssl/server.crt
server-key = /etc/ocserv/ssl/server.key
ca-cert = /etc/ocserv/ssl/ca.crt
# NOTE(review): false turns off ocserv's seccomp sandboxing of the worker
# processes that handle client traffic. Prefer true; set false only if this
# build's filter breaks a worker, and record why.
isolate-workers = false
# Concurrent sessions overall, and per username.
max-clients = 16
max-same-clients = 2
# Seconds. 360000 is 100 hours; idle sessions stay allocated that long.
keepalive = 360000
# Dead-peer-detection intervals in seconds (regular and mobile clients).
dpd = 90
mobile-dpd = 1800
try-mtu-discovery = true
# OID of the certificate field used as username for certificate auth
# (2.5.4.3 = commonName); unused with the plain auth above.
cert-user-oid = 2.5.4.3
# GnuTLS priority string. Only SSL 3.0 is removed explicitly; %COMPAT relaxes
# checks for broken clients, and TLS 1.0/1.1 stay allowed unless the GnuTLS
# build or the system crypto policy already drops them. To exclude them here,
# append :-VERS-TLS1.0:-VERS-TLS1.1 (check that the expected clients still connect).
tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-VERS-SSL3.0"
# Login throttling and banning (times in seconds, ban score in points):
# time allowed to finish authentication, wait after a failed login before a
# retry, and the score / reset window for banning a source address.
auth-timeout = 240
min-reauth-time = 300
max-ban-score = 50
ban-reset-time = 300
# A disconnected client may resume its session with its cookie for 24 hours
# without re-authenticating; shorten if that is too long for this deployment.
cookie-timeout = 86400
# false lets a client keep its session when its source IP changes.
deny-roaming = false
# Ask clients to rekey every 48 hours.
rekey-time = 172800
rekey-method = ssl
use-occtl = true
pid-file = /var/run/ocserv.pid
# tun device name prefix (vpns0, vpns1, ...); useful for interface-based firewall rules.
device = vpns
# A reconnecting client gets the same address where possible.
predictable-ips = true
# Placeholder; replace with the site's domain.
default-domain = example.com
# Client address pool; the NAT and FORWARD rules below refer to this same 10.12.0.0/24.
ipv4-network = 10.12.0.0
ipv4-netmask = 255.255.255.0
# Resolvers pushed to clients.
dns = 8.8.8.8
dns = 8.8.4.4
#dns = 114.114.114.114
# Do not probe an address by ping before leasing it.
ping-leases = false
# Exclude this subnet from the tunnel (the local LAN stays reachable directly).
no-route = 192.168.1.0/255.255.255.0
# Compatibility with Cisco AnyConnect clients. dtls-legacy enables the older,
# non-standard DTLS negotiation; keep it only while clients that need it are
# still in use — newer clients work with the standard negotiation.
cisco-client-compat = true
dtls-legacy = true
設置防火墻
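# Open the ocserv listener (tcp-port/udp-port = 11130 in ocserv.conf) to clients.
# -I puts the rules at the head of INPUT so an earlier DROP/REJECT cannot shadow them.
iptables -I INPUT -p tcp --dport 11130 -j ACCEPT
iptables -I INPUT -p udp --dport 11130 -j ACCEPT
# To close the port again, delete the same two rules. Kept as a comment: run as
# part of this sequence they would immediately undo the two inserts above and
# leave the listener unreachable.
#   iptables -D INPUT -p tcp --dport 11130 -j ACCEPT
#   iptables -D INPUT -p udp --dport 11130 -j ACCEPT
# NAT the VPN pool (ipv4-network/netmask 10.12.0.0/24 in ocserv.conf) out of the
# uplink interface; replace eth0 with the host's actual uplink.
iptables -t nat -A POSTROUTING -s 10.12.0.0/24 -o eth0 -j MASQUERADE
# Forward traffic originating from VPN clients. Consider adding `-i vpns+`
# (device = vpns in ocserv.conf) so only packets really arriving on the tunnel
# devices match, not packets with a spoofed pool source on another interface.
iptables -A FORWARD -s 10.12.0.0/24 -j ACCEPT
# ... and the replies back to them. Needed when FORWARD's default policy is
# DROP (harmless otherwise); only established/related flows, so nothing new can
# be initiated towards the clients from outside.
iptables -A FORWARD -d 10.12.0.0/24 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# NOTE(review): these rules live in the running kernel only; persist them with
# the distribution's mechanism (e.g. iptables-save) or they are gone after a reboot.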
設置流量轉發
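# Enable IPv4 forwarding so packets from the VPN pool can be routed out.
# In /etc/sysctl.conf, uncomment (or add) the line
#   net.ipv4.ip_forward=1
# (shown here as a comment: it is a sysctl.conf entry, not a shell command).
sudo vim /etc/sysctl.conf
# Apply the file to the running kernel; needs root like the edit above.
sysctl -p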