ocserv一键脚本(用证书登录)

金关村村长

1. version_check(){
   
2.         version=`cat /etc/debian_version`
   
3.         tmp=${version: 0: 1}
   
4.         if [ "$tmp" -gt "1" ];then
   
5.                 echo $version
   
6.                 echo 'only support debian_version >= 10'
   
7.                 exit
   
8.         fi
   
9. }
   
10. 
    
11. install_ocserv(){
    
12.         apt update -y
    
13.         apt upgrade -y
    
14.         apt install iptables -y
    
15.         apt install ocserv -y
    
16. }
    
17. 
    
18. edit_conf(){
    
19.         echo -n "Server Address " > /etc/ocserv/server.address
    
20.         echo -n $1 >> /etc/ocserv/server.address
    
21.         echo ":3389(Port MUST Not Blocked)" >> /etc/ocserv/server.address
    
22.         curl -o /etc/ocserv/ocserv.conf https://raw.githubusercontent.com/theshy2023/ocserv_one_key/main/ocserv.conf
    
23. }
    
24. 
    
25. edit_iptables(){
    
26.         echo "net.core.default_qdisc=fq" >> /etc/sysctl.conf
    
27.         echo "net.ipv4.tcp_congestion_control=bbr" >> /etc/sysctl.conf
    
28.         echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
    
29.         sysctl -p
    
30.         iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE
    
31.         iptables -A FORWARD -s 192.168.1.0/24 -j ACCEPT
    
32. }
    
33. 
    
34. do_mkcert(){
    
35.         rm -f mkcert-v*-linux-amd64
    
36.         curl -JLO "https://dl.filippo.io/mkcert/latest?for=linux/amd64"
    
37.         chmod +x mkcert-v*-linux-amd64
    
38.         sudo cp mkcert-v*-linux-amd64 /usr/local/bin/mkcert
    
39.         mkcert -key-file /etc/ocserv/private.key -cert-file /etc/ocserv/public.crt $1
    
40. }
    
41. 
    
42. create_ca(){
    
43.         rm -rf $1
    
44.         mkdir $1
    
45.         apt install gnutls-bin
    
46.         curl -o $1/ca-cert.cfg https://raw.githubusercontent.com/theshy2023/ocserv_one_key/main/ca-cert.cfg
    
47.         curl -o $1/client-cert.cfg https://raw.githubusercontent.com/theshy2023/ocserv_one_key/main/client-cert.cfg
    
48.         certtool --generate-privkey --outfile $1/ca-privkey.pem
    
49.         certtool --generate-self-signed --load-privkey $1/ca-privkey.pem --template $1/ca-cert.cfg --outfile $1/ca-cert.pem
    
50.         certtool --generate-privkey --outfile $1/client-privkey.pem
    
51.         certtool --generate-certificate --load-privkey $1/client-privkey.pem --load-ca-certificate $1/ca-cert.pem --load-ca-privkey $1/ca-privkey.pem --template $1/client-cert.cfg --outfile $1/client-cert.pem       
    
52. }
    
53. 
    
54. create_client_p12(){
    
55.         certtool --to-p12 --load-privkey $1/client-privkey.pem --load-certificate $1/client-cert.pem --pkcs-cipher 3des-pkcs12 --outfile $1/client.p12 --outder
    
56. }
    
57. 
    
58. version_check
    
59. ssl_dir=/etc/ocserv/ssl_dir
    
60. public_ip=`curl ipv4.icanhazip.com`
    
61. echo "Your Ipv4:"
    
62. echo -e "\e[31m$public_ip\e[0m"
    
63. install_ocserv
    
64. do_mkcert $public_ip
    
65. create_ca $ssl_dir
    
66. create_client_p12 $ssl_dir
    
67. edit_conf
    
68. edit_iptables
    
69. systemctl restart ocserv
    
70. systemctl status ocserv

复制代码

1. https://raw.githubusercontent.com/theshy2023/ocserv_one_key/main/login_with_self_sigh_cert.sh

复制代码

1. window11证书管理可以搜索证书然后就会进入用户管理证书 然后在个人 证书下面

复制代码

安装证书前把旧证书删除 并且退出anyconnect client或者安装完成之后重启anyconnect client

将证书从Linux下载到本地

用windows power shell执行以下代码

1. scp [email protected]:/etc/ocserv/ssl_dir/client.p12 ./

复制代码

将下载下来的p12证书也可以传输到iPhone手机上 比如通过邮件发送或者qq发送

iPhone安装证书的时候要通过share给anyconnect去import 不能直接安装

maxkvm

Centos的脚本呢？

hcyme

ocserv搭建

Lshe

没多大用处,分流IP只能一百条

而且不支持中转