One of the few VPN solutions that is still usable today.
Environment setup
Installation
Modify the configuration
Edit the configuration with vi /etc/ocserv/ocserv.conf. Make a backup of the file before changing anything.
The main changes are:
- change auth to simple password authentication
- set the listening ports tcp-port and udp-port
- set the DNS servers
Final configuration example:
```
auth = "plain[passwd=/etc/ocserv/ocpasswd]"
tcp-port = 443
udp-port = 443
tunnel-all-dns = true # tunnel all DNS requests
#
run-as-user = ocserv
run-as-group = ocserv
socket-file = ocserv.sock
chroot-dir = /var/lib/ocserv
isolate-workers = true
max-clients = 16
max-same-clients = 2
rate-limit-ms = 100
keepalive = 32400
dpd = 90
mobile-dpd = 1800
switch-to-tcp-timeout = 25
try-mtu-discovery = false
server-cert = /etc/pki/ocserv/public/server.crt
server-key = /etc/pki/ocserv/private/server.key
ca-cert = /etc/pki/ocserv/cacerts/ca.crt
cert-user-oid = 0.9.2342.19200300.100.1.1
tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-VERS-SSL3.0"
auth-timeout = 240
min-reauth-time = 300
max-ban-score = 50
ban-reset-time = 300
cookie-timeout = 300
deny-roaming = false
rekey-time = 172800
rekey-method = ssl
use-occtl = true
pid-file = /var/run/ocserv.pid
device = vpns
predictable-ips = true
default-domain = example.com
ipv4-network = 192.168.1.0/24
dns = 114.114.114.114
dns = 8.8.8.8
ping-leases = false
cisco-client-compat = true
dtls-legacy = true
user-profile = profile.xml
```
Prepare the password
```
ocpasswd -c /etc/ocserv/ocpasswd user1
```
Set up forwarding
Enable IP forwarding in the kernel
```
echo 'net.ipv4.ip_forward=1' >> /etc/sysctl.conf
sysctl -p
```
Set up iptables forwarding
```
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE
```
If port 443 needs to be opened
```
iptables -I INPUT -p tcp --dport 443 -j ACCEPT
iptables -I INPUT -p udp --dport 443 -j ACCEPT
```
Start the service
```
systemctl enable --now ocserv
systemctl restart ocserv
```
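The steps above hand-type the port and subnet twice (once in ocserv.conf, once in the iptables rules) and leave it to the reader to notice whether the hardening directives actually took effect. The following script is an added example, not part of the original post: it reads an ocserv.conf with a tiny parser, checks the security-relevant directives the article sets (tunnel-all-dns, isolate-workers, predictable-ips, the SSLv3 exclusion in tls-priorities, max-ban-score, max-same-clients), and derives the iptables commands from the same file so the two never drift apart. The function names conf_get, expect_value, conf_check and fw_rules are hypothetical, the config it runs on is a constructed sample, and eth0 is an assumed outbound interface.

```shell
#!/bin/sh
# Added example: audit an ocserv.conf and derive the firewall rules from it.
# Not from the original post; helper names are hypothetical, the sample
# config is constructed.

# conf_get FILE KEY: print the value(s) of KEY, one per line, with surrounding
# quotes and any trailing "# comment" removed. Commented-out lines are ignored.
conf_get() {
    awk -v key="$2" '
        /^[[:space:]]*#/ { next }
        {
            sub(/[[:space:]]*#.*/, "")
            eq = index($0, "=")
            if (eq == 0) next
            k = substr($0, 1, eq - 1); gsub(/^[[:space:]]+|[[:space:]]+$/, "", k)
            if (k != key) next
            v = substr($0, eq + 1); gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
            gsub(/^"|"$/, "", v)
            print v
        }' "$1"
}

# expect_value FILE KEY WANT WHY: print an ok/FAIL line, return 1 on mismatch.
expect_value() {
    got=$(conf_get "$1" "$2" | head -n 1)
    if [ "$got" = "$3" ]; then
        echo "ok:   $2 = $got"
    else
        echo "FAIL: $2 = '${got:-<unset>}' (want $3: $4)"; return 1
    fi
}

# conf_check FILE: run the checks; return the number of failed checks.
conf_check() {
    f="$1"; fails=0
    auth=$(conf_get "$f" auth)
    case "$auth" in
        "plain[passwd="*"]")
            pw=${auth#"plain[passwd="}; pw=${pw%"]"}
            echo "info: plain password auth, user database $pw (keep it mode 0600)" ;;
        *)  echo "info: auth backend is '${auth:-<unset>}'" ;;
    esac
    expect_value "$f" tunnel-all-dns  true "send all DNS through the tunnel, no DNS leak" || fails=$((fails + 1))
    expect_value "$f" isolate-workers true "seccomp/namespace isolation of worker processes" || fails=$((fails + 1))
    expect_value "$f" predictable-ips true "same address on reconnect, easier to attribute in logs" || fails=$((fails + 1))
    case "$(conf_get "$f" tls-priorities)" in
        *-VERS-SSL3.0*) echo "ok:   tls-priorities disables SSLv3" ;;
        *) echo "FAIL: tls-priorities does not disable SSLv3"; fails=$((fails + 1)) ;;
    esac
    score=$(conf_get "$f" max-ban-score)
    if [ "${score:-0}" -gt 0 ]; then echo "ok:   max-ban-score = $score (repeated failed logins get banned)"
    else echo "FAIL: max-ban-score is 0/unset, no ban for failed logins"; fails=$((fails + 1)); fi
    same=$(conf_get "$f" max-same-clients)
    if [ "${same:-0}" -gt 0 ]; then echo "ok:   max-same-clients = $same (sessions per account are limited)"
    else echo "FAIL: max-same-clients is 0/unset, one password can serve unlimited sessions"; fails=$((fails + 1)); fi
    return "$fails"
}

# fw_rules FILE IFACE: print the article's iptables commands with port and
# subnet read from FILE. Each rule is guarded by -C so re-running the output
# does not insert duplicates.
fw_rules() {
    net=$(conf_get "$1" ipv4-network); tcp=$(conf_get "$1" tcp-port); udp=$(conf_get "$1" udp-port)
    cat <<EOF
iptables -t nat -C POSTROUTING -s $net -o $2 -j MASQUERADE 2>/dev/null || iptables -t nat -A POSTROUTING -s $net -o $2 -j MASQUERADE
iptables -C INPUT -p tcp --dport $tcp -j ACCEPT 2>/dev/null || iptables -I INPUT -p tcp --dport $tcp -j ACCEPT
iptables -C INPUT -p udp --dport $udp -j ACCEPT 2>/dev/null || iptables -I INPUT -p udp --dport $udp -j ACCEPT
EOF
}

# Constructed sample, a subset of the article's final configuration.
sample_conf() {
    cat <<'EOF'
auth = "plain[passwd=/etc/ocserv/ocpasswd]"
tcp-port = 443
udp-port = 443
tunnel-all-dns = true # tunnel all DNS requests
isolate-workers = true
max-clients = 16
max-same-clients = 2
tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-VERS-SSL3.0"
max-ban-score = 50
ban-reset-time = 300
predictable-ips = true
ipv4-network = 192.168.1.0/24
dns = 114.114.114.114
dns = 8.8.8.8
# dtls-legacy = true
EOF
}

# Demonstration on the sample: write it to a temp file, audit it, print rules.
tmp=$(mktemp); sample_conf > "$tmp"
conf_check "$tmp"; rc=$?; echo "failed checks: $rc"
fw_rules "$tmp" eth0
rm -f "$tmp"
```

To use it against a real server, replace the temp file with /etc/ocserv/ocserv.conf and pipe the fw_rules output into sh as root; the -C guard means it is safe to run from a boot script every time.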
Client connection
Uncheck "Block connections to untrusted servers" in the client.
Enter ip:port.
Enter the username and password, and you are connected.
References