
🛜 Installing OpenConnect (ocserv) on Ubuntu


https://www.linuxbabe.com/ubuntu/openconnect-vpn-server-ocserv-ubuntu-16-04-17-10-lets-encrypt

No client certificate is required on the client side (password authentication only).

Set up after apache2 + nextcloud were already configured.

apt install ocserv

systemctl status ocserv

sudo systemctl start ocserv

certbot (skip this if you do not need a Let's Encrypt certificate)

If nginx is installed, use the following:

sudo apt install software-properties-common

sudo add-apt-repository ppa:certbot/certbot

sudo apt update

sudo apt install certbot

If nginx is running, stop it first with service nginx stop (the standalone challenge needs port 80).

sudo certbot certonly --standalone --preferred-challenges http --agree-tos --email [email protected] -d xxx.com

OpenConnect configuration

sudo nano /etc/ocserv/ocserv.conf

Replace the following settings:

auth = "plain[passwd=/etc/ocserv/ocpasswd]"

server-cert = /etc/letsencrypt/live/xxx.com/fullchain.pem
server-key = /etc/letsencrypt/live/xxx.com/privkey.pem

The other pem settings can be left alone; just follow these steps as written.

default-domain = xxx.com

ipv4-network = 10.10.10.0

dns = 8.8.8.8

Comment out the following lines:

route = 10.10.10.0/255.255.255.0
route = 192.168.0.0/255.255.0.0
route = fef4:db8:1000:1001::/64

no-route = 192.168.5.0/255.255.255.0

sudo systemctl restart ocserv
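The edits above are easy to get subtly wrong by hand (a key left commented out, a second copy of a key appended, a route line missed), and ocserv will happily start with the stale setting. The script below is an added example and not part of these notes or of the ocserv project: it applies the same replacements to a copy of the config, comments out every active route / no-route line, and verifies the result. The sample ocserv.conf it writes is constructed for the demo, and xxx.com is the same placeholder domain the notes use.

```sh
#!/bin/sh
# Added example: apply the ocserv.conf edits from the notes to a file and verify them.
# Assumes a "key = value" style config like the stock ocserv.conf; the sample
# file written by make_sample_conf is constructed here, not copied from the package.
set -u

# Write a small, constructed stand-in for the distribution ocserv.conf.
make_sample_conf() {  # file
  cat > "$1" <<'EOF'
auth = "pam"
server-cert = /etc/ssl/certs/ssl-cert-snakeoil.pem
server-key = /etc/ssl/private/ssl-cert-snakeoil.key
default-domain = example.com
ipv4-network = 192.168.1.0
dns = 192.168.1.2
route = 10.10.10.0/255.255.255.0
route = 192.168.0.0/255.255.0.0
route = fef4:db8:1000:1001::/64
no-route = 192.168.5.0/255.255.255.0
EOF
}

# Set "key = value", replacing an existing line for that key even if it is
# commented out; append the key only if it is absent. Running it twice leaves
# exactly one line, so the edit is idempotent.
set_key() {  # file key value
  file=$1; key=$2; value=$3
  tmp="$file.tmp"
  if grep -q "^#*[[:space:]]*$key[[:space:]]*=" "$file"; then
    sed "s|^#*[[:space:]]*$key[[:space:]]*=.*|$key = $value|" "$file" > "$tmp"
  else
    cp "$file" "$tmp"
    printf '%s = %s\n' "$key" "$value" >> "$tmp"
  fi
  mv "$tmp" "$file"
}

# Comment out every active "key = ..." line (already-commented lines are untouched).
comment_key() {  # file key
  file=$1; key=$2
  tmp="$file.tmp"
  sed "s|^[[:space:]]*\($key[[:space:]]*=.*\)|#\1|" "$file" > "$tmp"
  mv "$tmp" "$file"
}

# The exact changes the notes describe, in order.
apply_notes() {  # file
  set_key "$1" auth '"plain[passwd=/etc/ocserv/ocpasswd]"'
  set_key "$1" server-cert /etc/letsencrypt/live/xxx.com/fullchain.pem
  set_key "$1" server-key  /etc/letsencrypt/live/xxx.com/privkey.pem
  set_key "$1" default-domain xxx.com
  set_key "$1" ipv4-network 10.10.10.0
  set_key "$1" dns 8.8.8.8
  comment_key "$1" route
  comment_key "$1" no-route
}

# Return 0 only if every expected setting is present as a whole line and no
# active route / no-route line remains (so all client traffic uses the VPN).
check_conf() {  # file
  f=$1
  grep -qxF 'auth = "plain[passwd=/etc/ocserv/ocpasswd]"' "$f" &&
  grep -qxF 'server-cert = /etc/letsencrypt/live/xxx.com/fullchain.pem' "$f" &&
  grep -qxF 'server-key = /etc/letsencrypt/live/xxx.com/privkey.pem' "$f" &&
  grep -qxF 'default-domain = xxx.com' "$f" &&
  grep -qxF 'ipv4-network = 10.10.10.0' "$f" &&
  grep -qxF 'dns = 8.8.8.8' "$f" &&
  ! grep -q '^[[:space:]]*route[[:space:]]*=' "$f" &&
  ! grep -q '^[[:space:]]*no-route[[:space:]]*=' "$f"
}

# Stand-alone run: edit a temporary copy twice and report whether it checks out.
demo() {
  conf=$(mktemp)
  make_sample_conf "$conf"
  apply_notes "$conf"
  apply_notes "$conf"
  if check_conf "$conf"; then echo "ocserv.conf edits verified"; rc=0
  else echo "ocserv.conf edits FAILED"; rc=1; fi
  rm -f "$conf"
  return $rc
}
```

To use it on a real box, run apply_notes and check_conf against /etc/ocserv/ocserv.conf (as root, after taking a backup) before the systemctl restart; a non-zero exit from check_conf means the restart would pick up a wrong setting.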

sudo cp /lib/systemd/system/ocserv.service /etc/systemd/system/ocserv.service

sudo nano /etc/systemd/system/ocserv.service

Comment out the following lines:

Requires=ocserv.socket

Also=ocserv.socket

sudo systemctl daemon-reload

sudo systemctl stop ocserv.socket

sudo systemctl disable ocserv.socket

sudo systemctl restart ocserv.service

systemctl status ocserv

Add a user

sudo ocpasswd -c /etc/ocserv/ocpasswd USER

sudo nano /etc/sysctl.conf

Uncomment the following line:

net.ipv4.ip_forward = 1

sudo sysctl -p

Edit iptables

Check the name of the outbound interface (ens3, eth0, etc.) with ifconfig first.

sudo iptables -t nat -A POSTROUTING -o ens3 -j MASQUERADE

sudo iptables -t nat -L POSTROUTING

sudo iptables -I INPUT -p tcp --dport 443 -j ACCEPT

sudo iptables -I INPUT -p udp --dport 443 -j ACCEPT

iptables-save > /etc/iptables.rules

nano /etc/systemd/system/iptables-restore.service

Create this as a new file:

[Unit]
Description=Packet Filtering Framework
Before=network-pre.target
Wants=network-pre.target

[Service]
Type=oneshot
ExecStart=/sbin/iptables-restore /etc/iptables.rules
ExecReload=/sbin/iptables-restore /etc/iptables.rules
RemainAfterExit=yes

[Install]
WantedBy=multi-user.target

sudo systemctl daemon-reload

sudo systemctl enable iptables-restore

Open additional ports as needed for your applications:

sudo iptables -I INPUT -p tcp --dport 443 -j ACCEPT
sudo iptables -I INPUT -p tcp --dport 3000 -j ACCEPT
sudo iptables -I INPUT -p tcp --dport 19090 -j ACCEPT
sudo iptables -I INPUT -p tcp --dport 8443 -j ACCEPT
sudo iptables -I INPUT -p tcp --dport 53 -j ACCEPT
sudo iptables -I INPUT -p tcp --dport 32 -j ACCEPT
sudo iptables -I INPUT -p tcp --dport 80 -j ACCEPT

sudo iptables -I INPUT -p tcp --dport 7443 -j ACCEPT
sudo iptables -I INPUT -p tcp --dport 853 -j ACCEPT