Setting up AnyConnect/ocserv
Oct 11, 2015
Since SS is now getting detected and singled out everywhere, I came up with another idea: AnyConnect!
AnyConnect is Cisco's SSL VPN; the open-source implementation of its protocol is OpenConnect (the client) and ocserv (the server).
First we need a Linux box; Debian-based distributions or Arch Linux work best. VPS users should note that, like OpenVPN, ocserv needs a tun device, so it cannot run in OpenVZ containers unless the provider has enabled TUN/TAP for you. (In practice that rules out cheap offerings like bandwagonhost.)
First, download the source and its dependencies.
lynx ftp://ftp.infradead.org/pub/ocserv/    # browse the listing in lynx to find the latest version and pick it to download
wget ftp://ftp.infradead.org/pub/ocserv/ocserv-0.10.9.tar.xz    # or download it directly
Next, extract it wherever you like:
tar xf ocserv-0.10.9.tar.xz
Then install GnuTLS and libnl. ocserv needs GnuTLS 3.x, so on Debian make sure you get the 3.x development package (libgnutls28-dev on releases that still ship the older libgnutls-dev); ./configure will tell you about anything else it cannot find.
pacman -S gnutls libnl    # Arch
apt-get install libgnutls28-dev libnl-3-dev    # Debian/Ubuntu
Next, build and install (the tarball extracts into a versioned directory):
cd ocserv-0.10.9
./configure
make
make install    # as root
OK! You are halfway there. Take a deep breath; next come the config file and the certificates.
I used a free certificate from StartSSL (https://www.startssl.com/); of course you can use others, such as WoSign or Comodo, or buy one from 凤凰菊's shop.
First you need your decrypted private key and your certificate; with StartSSL these are the key you generated at the start and the certificate issued afterwards.
If the key is still passphrase-protected, strip the passphrase (ocserv cannot prompt for one at start-up). The command below rewrites the file in place; make sure the result stays readable by root only, since anyone who can read it can impersonate your server:
openssl rsa -in ssl.key -out ssl.key
Next, build the certificate chain; you need your certificate, the intermediate CA certificate and the root. (Assume your certificate is cert.crt.)
Note: thanks to flipphos on V2EX for the tutorial.
wget http://cert.startssl.com/certs/ca.pem                        # StartSSL root
wget http://cert.startssl.com/certs/sub.class1.server.ca.pem      # Class 1 intermediate
cat cert.crt sub.class1.server.ca.pem ca.pem > server-cert.pem    # order matters: your certificate first, then up the chain
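A few checks worth running on the key and the bundle before handing them to ocserv, as an added example that is not part of the original post: confirm the key really belongs to cert.crt, that it no longer carries a passphrase, that the bundle is in the order shown above, and that the chain validates against the root the way a client will. The file names follow the post; the output name ssl-decrypted.key and the script name check-certs.sh are assumptions. Only openssl is required.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check the private key and
# the certificate bundle before pointing ocserv at them.  Only openssl is needed.

# cert_matches_key CERT KEY: succeed only if KEY is the private key behind CERT.
# Compares the SubjectPublicKeyInfo from both sides, so it works for RSA and EC keys.
cert_matches_key() {
    cert_pub=$(openssl x509 -noout -pubkey -in "$1") || return 1
    key_pub=$(openssl pkey -pubout -in "$2") || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# key_is_encrypted KEY: succeed if the PEM still carries a passphrase (covers both
# "Proc-Type: 4,ENCRYPTED" and "BEGIN ENCRYPTED PRIVATE KEY").  ocserv cannot
# prompt for a passphrase at start-up, so this must fail before deploying.
key_is_encrypted() {
    grep -q ENCRYPTED "$1"
}

# decrypt_key IN OUT [PASSIN]: write the passphrase-free key to OUT, created
# readable only by the current user; IN is left untouched in case the run fails.
# PASSIN uses openssl's -passin syntax (e.g. pass:secret); omit it to be prompted.
decrypt_key() {
    if [ -n "${3:-}" ]; then
        ( umask 077; openssl pkey -in "$1" -passin "$3" -out "$2" )
    else
        ( umask 077; openssl pkey -in "$1" -out "$2" )
    fi
}

# build_chain OUT LEAF CA...: concatenate in the order ocserv (and TLS) expects:
# the server certificate first, then each issuing CA up towards the root.
build_chain() {
    out=$1; shift
    cat "$@" > "$out"
}

# verify_chain LEAF INTERMEDIATE ROOT: the path validation a client performs,
# trusting only ROOT and using INTERMEDIATE as an untrusted helper certificate.
# Succeeds only on an explicit "OK", which is portable across openssl versions
# that differ in their exit status on failure.
verify_chain() {
    openssl verify -CAfile "$3" -untrusted "$2" "$1" 2>&1 | grep -q ': OK$'
}

# Run as: sh check-certs.sh ssl.key cert.crt sub.class1.server.ca.pem ca.pem
if [ $# -eq 4 ]; then
    key=$1; leaf=$2; inter=$3; root=$4
    if key_is_encrypted "$key"; then
        decrypt_key "$key" ssl-decrypted.key && key=ssl-decrypted.key   # output name is an assumption
    fi
    cert_matches_key "$leaf" "$key"       || { echo "key does not match $leaf" >&2; exit 1; }
    verify_chain "$leaf" "$inter" "$root" || { echo "chain does not validate against $root" >&2; exit 1; }
    build_chain server-cert.pem "$leaf" "$inter" "$root"
    echo "server-cert.pem written; use $key as server-key"
fi
```

The public-key comparison is preferred over the common modulus-hash trick because it also covers non-RSA keys, and decrypting into a new file under umask 077 means a failed or interrupted run never leaves you with a clobbered or world-readable key.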
OK, now the config file. First copy the sample config into place:
mkdir -p /etc/ocserv
cp doc/sample.config /etc/ocserv/ocserv.conf
The file is long, so edit it with an editor that can search. Also copy server-cert.pem and the decrypted key into /etc/ocserv/, where the paths below expect them:
vim /etc/ocserv/ocserv.conf
The settings to change: the authentication method and a handful of others. Comments in ocserv.conf start with '#'; a '//' would become part of the value and break the parse.
# users and password hashes live in a file managed with ocpasswd
auth = "plain[/etc/ocserv/passwd]"
max-clients = 16
max-same-clients = 2
# change these to your port
tcp-port = 5551
udp-port = 5551
keepalive = 32400
try-mtu-discovery = true
cisco-client-compat = true
# the merged chain built above, and your decrypted private key (readable by root only)
server-cert = /etc/ocserv/server-cert.pem
server-key = /etc/ocserv/ssl.key
auth-timeout = 40
pid-file = /var/run/ocserv.pid
socket-file = /var/run/ocserv-socket
# worker processes drop to this unprivileged user and group after start-up
run-as-user = nobody
run-as-group = daemon
device = vpns
# address pool for clients; note that 192.168.1.0/24 is also the default LAN on
# many home routers, so pick a less common range if clients report conflicts
ipv4-network = 192.168.1.0
ipv4-netmask = 255.255.255.0
# split tunnelling: only the prefixes listed here are routed through the VPN;
# remove every route line to send all client traffic through it instead
route = 192.168.1.0/255.255.255.0
route = 103.0.0.0/255.0.0.0
route = 106.0.0.0/255.0.0.0
route = 107.0.0.0/255.0.0.0
route = 108.0.0.0/255.0.0.0
route = 141.0.0.0/255.0.0.0
route = 153.0.0.0/255.0.0.0
route = 160.0.0.0/255.0.0.0
route = 166.0.0.0/255.0.0.0
route = 17.0.0.0/255.0.0.0
route = 173.0.0.0/255.0.0.0
route = 176.0.0.0/255.0.0.0
route = 178.0.0.0/255.0.0.0
route = 184.0.0.0/255.0.0.0
route = 194.0.0.0/255.0.0.0
route = 198.0.0.0/255.0.0.0
route = 199.0.0.0/255.0.0.0
route = 203.0.0.0/255.0.0.0
route = 204.0.0.0/255.0.0.0
route = 205.0.0.0/255.0.0.0
route = 208.0.0.0/255.0.0.0
route = 209.0.0.0/255.0.0.0
route = 210.0.0.0/255.0.0.0
route = 216.0.0.0/255.0.0.0
route = 3.0.0.0/255.0.0.0
route = 4.0.0.0/255.0.0.0
route = 31.0.0.0/255.0.0.0
route = 46.0.0.0/255.0.0.0
route = 50.0.0.0/255.0.0.0
route = 54.0.0.0/255.0.0.0
route = 61.0.0.0/255.0.0.0
route = 64.0.0.0/255.0.0.0
route = 67.0.0.0/255.0.0.0
route = 68.0.0.0/255.0.0.0
route = 69.0.0.0/255.0.0.0
route = 70.0.0.0/255.0.0.0
route = 72.0.0.0/255.0.0.0
route = 74.0.0.0/255.0.0.0
Next, enable IPv4 forwarding, both immediately and persistently. Files under /etc/sysctl.d take "key = value" lines, not shell commands, so the persistent line is a sysctl setting, not an echo. Forwarding alone does not get client traffic onto the internet: the VPN pool also has to be NATed (MASQUERADE) out of the server's uplink interface.
echo 1 > /proc/sys/net/ipv4/ip_forward                         # takes effect now
echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.d/local.conf     # survives a reboot
sysctl --system
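The forwarding and NAT setup as a rerunnable script, an added example rather than something from the original post: the sysctl change is written idempotently (rerunning it does not pile up duplicate lines, and a commented-out default is replaced rather than left beside the new line), and the MASQUERADE rule is only appended if an identical one is not already there. The pool 192.168.1.0/24 matches the config above; the file name /etc/sysctl.d/local.conf follows the post, while the script name nat-setup.sh and the `apply` argument are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): persist IPv4 forwarding the way
# sysctl.d expects (key = value lines, not shell commands) and NAT the VPN pool
# out of the uplink so client traffic actually leaves the box.
# Run as root: sh nat-setup.sh apply [POOL] [UPLINK_IFACE]

# ensure_sysctl_line KEY VALUE FILE: set "KEY = VALUE" in FILE, replacing any
# earlier (possibly commented-out) line for KEY so repeated runs stay clean.
ensure_sysctl_line() {
    key=$1; value=$2; file=$3
    esc=$(printf '%s' "$key" | sed 's/\./\\./g')    # dots in the key are literal
    tmp="$file.tmp"
    : > "$tmp"
    if [ -f "$file" ]; then
        grep -Ev "^[[:space:]]*#?[[:space:]]*$esc[[:space:]]*=" "$file" >> "$tmp" || true
    fi
    printf '%s = %s\n' "$key" "$value" >> "$tmp"
    mv "$tmp" "$file"
}

# forwarding_enabled: succeed if the running kernel forwards IPv4 right now
forwarding_enabled() {
    [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" = 1 ]
}

# default_iface: the interface carrying the default route, i.e. the uplink
default_iface() {
    ip -4 route show default | awk '{ for (i = 1; i < NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# masquerade_spec POOL IFACE: the rule specification shared by -C, -A and -D
masquerade_spec() {
    printf '%s' "-s $1 -o $2 -j MASQUERADE"
}

# ensure_masquerade POOL IFACE: add the POSTROUTING rule only if an identical
# one is not already present (-C), so the script is safe to rerun.
ensure_masquerade() {
    spec=$(masquerade_spec "$1" "$2")
    # $spec is word-split on purpose
    iptables -t nat -C POSTROUTING $spec 2>/dev/null || iptables -t nat -A POSTROUTING $spec
}

if [ "${1:-}" = "apply" ]; then
    pool=${2:-192.168.1.0/24}          # must match ipv4-network/ipv4-netmask in ocserv.conf
    iface=${3:-$(default_iface)}
    ensure_sysctl_line net.ipv4.ip_forward 1 /etc/sysctl.d/local.conf
    sysctl --system >/dev/null
    forwarding_enabled || { echo "ip_forward is still 0" >&2; exit 1; }
    ensure_masquerade "$pool" "$iface"
    # If your FORWARD chain policy is DROP, traffic between the vpns device and
    # $iface also needs explicit ACCEPT rules; the default ACCEPT policy needs none.
    echo "forwarding on, masquerading $pool via $iface"
fi
```

Keeping the rule specification in one function means the same string is used to check, add and (if you ever need to) delete the rule, which is what makes the -C/-A pair reliable.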
OK! Configuration is done; next add a user and test.
Add a user (ocpasswd prompts for the password and stores a hash in the file named with -c):
ocpasswd -c /etc/ocserv/passwd USERNAME
Start ocserv in the foreground with debug output, connect from a client, and watch the log. Passing -c pins the config path, since a build installed under /usr/local may look for its config elsewhere by default:
ocserv -f -d 1 -c /etc/ocserv/ocserv.conf
If everything looks fine, stop it and start it for real (without -f and -d, or from your init system).
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.