ocserv
Posted: 14 Dec 2024, 07:15
ya
Configuring ocserv
https://www.linuxbabe.com/linux-server/ocserv-openconnect-vpn-advanced
Download a country's address list in CIDR format
https://www.ip2location.com/free/visitor-blocker
Convert the list of networks to full format
converting a list of IPv4 subnets from short (CIDR) format to full format
Edit the resulting file (do not route this country)
Then add the resulting entries to the ocserv config
/etc/ocserv/ocserv.conf
Code:
config-per-user = /etc/ocserv/config-per-user/
config-per-group = /etc/ocserv/config-per-group/
Create directories for users and user groups, and create a symbolic link for the default user group
Code:
mkdir /etc/ocserv/config-per-user/
mkdir /etc/ocserv/config-per-group/
ln -s /etc/ocserv/ip2localtion.txt /etc/ocserv/config-per-group/default
Check that the ocserv config is valid
If everything is correct, restart
Add user
sudo ocpasswd -c /etc/ocserv/ocpasswd [username]
Add user to group
sudo ocpasswd -c /etc/ocserv/ocpasswd -g [GroupName] [UserName]
Lock user
sudo ocpasswd -c /etc/ocserv/ocpasswd -l [username]
Unlock user
sudo ocpasswd -c /etc/ocserv/ocpasswd -u [username]
Delete/Remove user
sudo ocpasswd -c /etc/ocserv/ocpasswd -d [username]
View the list of connected users
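Added worked example for the "convert the list of networks to full format" step. It is not the poster's script and not the converter behind the link above: a POSIX shell filter that turns a CIDR country list into ocserv `no-route = network/netmask` lines, the form the config-per-group file symlinked above is expected to contain. The sample input lines are constructed, not real allocation data; the output file name in the usage comment is a placeholder.

```shell
#!/bin/sh
# Added example: convert CIDR prefixes (a.b.c.0/24) to ocserv's dotted-netmask
# form (a.b.c.0/255.255.255.0). Not the poster's code.

# Prefix length (0-32) -> dotted-decimal netmask.
cidr_to_mask() {
    prefix=$1
    if [ "$prefix" -lt 0 ] || [ "$prefix" -gt 32 ]; then
        echo "bad prefix length: $prefix" >&2
        return 1
    fi
    # Top $prefix bits set; shell arithmetic is 64-bit, so clamp to 32 bits.
    if [ "$prefix" -eq 0 ]; then
        m=0
    else
        m=$(( (4294967295 << (32 - prefix)) & 4294967295 ))
    fi
    printf '%d.%d.%d.%d\n' \
        $(( (m >> 24) & 255 )) $(( (m >> 16) & 255 )) \
        $(( (m >> 8) & 255 ))  $(( m & 255 ))
}

# Read "net/prefix" lines on stdin, emit "no-route = net/mask" lines.
# Blank lines and '#' comments are skipped; malformed lines are reported
# on stderr and skipped instead of producing a broken config line.
cidr_list_to_no_route() {
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|'#'*) continue ;;
        esac
        net=${line%/*}
        prefix=${line##*/}
        case "$prefix" in
            ''|*[!0-9]*) echo "skipping malformed line: $line" >&2; continue ;;
        esac
        mask=$(cidr_to_mask "$prefix") || { echo "skipping: $line" >&2; continue; }
        printf 'no-route = %s/%s\n' "$net" "$mask"
    done
}

# Constructed sample input standing in for a downloaded country list.
sample_input() {
    cat <<'EOF'
# sample country list (constructed, not real allocation data)
10.0.0.0/8
203.0.113.0/24
198.51.100.128/25
not-a-network
EOF
}

# Usage on a real list (placeholder output path):
#   cidr_list_to_no_route < country.cidr > /etc/ocserv/country-no-route.txt
sample_input | cidr_list_to_no_route
```

After generating the file, the `ocserv -c /etc/ocserv/ocserv.conf -t` style config check the post mentions will catch any line the filter let through that ocserv does not accept, so run it before restarting.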
Re: ocserv
Posted: 19 Dec 2024, 13:16
ya
config validity
logs
Re: ocserv
Posted: 19 Dec 2024, 14:19
ya
run the following two commands to enable the TCP BBR algorithm to increase TCP speed.
Code:
echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf
echo "net.ipv4.conf.all.forwarding=1" >> /etc/sysctl.conf
echo "net.core.default_qdisc=fq" >> /etc/sysctl.conf
echo "net.ipv4.tcp_congestion_control=bbr" >> /etc/sysctl.conf
sysctl -p /etc/sysctl.conf
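Added example, not the poster's commands: the `echo ... >> /etc/sysctl.conf` lines above append a fresh entry on every run, so running them twice leaves duplicate (and, if the value changed, conflicting) entries that are easy to misread during an audit. The helper below sets a key in a sysctl file idempotently, replacing any existing active or commented-out line for that key. It demonstrates on a constructed scratch file so it can be run without touching /etc/sysctl.conf.

```shell
#!/bin/sh
# Added example: idempotent sysctl.conf editing. Not the poster's code.

# Escape the dots in a sysctl key so it can be used inside an ERE.
key_regex() {
    printf '%s' "$1" | sed 's/\./\\./g'
}

# set_sysctl KEY VALUE FILE: drop every existing line that assigns KEY
# (commented out or not) and append exactly one "KEY = VALUE" line.
set_sysctl() {
    key=$1; value=$2; file=$3
    [ -f "$file" ] || : > "$file"
    tmp=$(mktemp) || return 1
    key_re=$(key_regex "$key")
    grep -v -E "^[[:space:]]*#?[[:space:]]*${key_re}[[:space:]]*=" "$file" > "$tmp" || true
    printf '%s = %s\n' "$key" "$value" >> "$tmp"
    cat "$tmp" > "$file" && rm -f "$tmp"
}

# get_sysctl KEY FILE: print the effective value, i.e. the last active
# assignment of KEY in FILE (sysctl -p applies them in order).
get_sysctl() {
    key_re=$(key_regex "$1")
    grep -E "^[[:space:]]*${key_re}[[:space:]]*=" "$2" | tail -n 1 | sed 's/^[^=]*=[[:space:]]*//'
}

# count_sysctl KEY FILE: number of active (uncommented) lines for KEY.
count_sysctl() {
    key_re=$(key_regex "$1")
    grep -c -E "^[[:space:]]*${key_re}[[:space:]]*=" "$2" || true
}

# Demo on a constructed scratch file instead of /etc/sysctl.conf.
demo_file=$(mktemp)
printf '# constructed sample\nnet.ipv4.ip_forward = 0\nnet.ipv4.ip_forward=1\n' > "$demo_file"
set_sysctl net.ipv4.ip_forward 1 "$demo_file"
set_sysctl net.ipv4.conf.all.forwarding 1 "$demo_file"
set_sysctl net.core.default_qdisc fq "$demo_file"
set_sysctl net.ipv4.tcp_congestion_control bbr "$demo_file"
set_sysctl net.ipv4.tcp_congestion_control bbr "$demo_file"   # second run: no duplicate
cat "$demo_file"
rm -f "$demo_file"
# On a real host: set_sysctl ... /etc/sysctl.conf, then sysctl -p /etc/sysctl.conf
# and confirm with: sysctl net.ipv4.tcp_congestion_control
```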
Re: ocserv
Posted: 19 Dec 2024, 15:12
ya
Code:
sudo apt install dh-autoreconf ipcalc ipcalc-ng gettext autopoint
Code:
sudo apt install geoip-database geoip-bin libgeoip-dev libgeoip1
Code:
node-llhttp - HTTP client sources for Node.js
repository from sources
https://gitlab.com/openconnect/ocserv
https://www.infradead.org/ocserv/download/
if there are no errors, then you can
version:
Re: ocserv
Posted: 20 Dec 2024, 08:35
ya
Re: ocserv
Posted: 21 Oct 2025, 15:39
ya
/etc/ocserv/ocserv.conf
Code:
auth = "plain[passwd=/etc/ocserv/passwd]"
listen-host = 127.0.0.1
tcp-port = 443
#udp-port = 443
run-as-user = www-data
run-as-group = daemon
socket-file = run/ocserv-socket
chroot-dir = /var/lib/ocserv
server-cert = /etc/letsencrypt/live/v.hardprivate.com/fullchain.pem
server-key = /etc/letsencrypt/live/v.hardprivate.com/privkey.pem
isolate-workers = true
max-clients = 1024
max-same-clients = 0
listen-proxy-proto = true
rate-limit-ms = 100
server-stats-reset-time = 604800
keepalive = 32400
dpd = 90
mobile-dpd = 1800
switch-to-tcp-timeout = 25
try-mtu-discovery = true
compression = false
tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1:-VERS-TLS1.3"
auth-timeout = 240
min-reauth-time = 300
max-ban-score = 80
ban-reset-time = 300
cookie-timeout = 300
deny-roaming = false
rekey-time = 172800
rekey-method = ssl
use-occtl = true
pid-file = /run/ocserv.pid
#log-level = info
#log-file = /var/log/ocserv.log
device = vpns
predictable-ips = true
default-domain = v.hardprivate.com
ipv4-network = 172.20.20.0/23
ipv4-netmask = 255.255.255.0
tunnel-all-dns = true
#dns = 77.88.8.1
#dns = 77.88.8.8
dns = 1.1.1.1
dns = 1.0.0.1
ping-leases = true
mtu = 1412
#route = 192.168.0.0/255.255.254.0
cisco-client-compat = true
dtls-legacy = true
#client-bypass-protocol = true
#included-http-headers = Strict-Transport-Security: max-age=31536000 ; includeSubDomains
#included-http-headers = X-Frame-Options: deny
#included-http-headers = X-Content-Type-Options: nosniff
#included-http-headers = Content-Security-Policy: default-src 'none'
#included-http-headers = X-Permitted-Cross-Domain-Policies: none
#included-http-headers = Referrer-Policy: no-referrer
#included-http-headers = Clear-Site-Data: "cache","cookies","storage"
#included-http-headers = Cross-Origin-Embedder-Policy: require-corp
#included-http-headers = Cross-Origin-Opener-Policy: same-origin
#included-http-headers = Cross-Origin-Resource-Policy: same-origin
#included-http-headers = X-XSS-Protection: 0
#included-http-headers = Pragma: no-cache
#included-http-headers = Cache-control: no-store, no-cache
#no-route = include:/etc/ocserv/2ip.full001.txt
#expose-iroutes = true
#config-per-user = /etc/ocserv/config-per-user/
#config-per-group = /etc/ocserv/config-per-group/
route = 1.0.0.0/248.0.0.0
route = 8.0.0.0/254.0.0.0
route = 11.0.0.0/255.0.0.0
route = 12.0.0.0/252.0.0.0
route = 16.0.0.0/240.0.0.0
route = 32.0.0.0/224.0.0.0
route = 64.0.0.0/224.0.0.0
route = 96.0.0.0/240.0.0.0
route = 112.0.0.0/248.0.0.0
route = 120.0.0.0/252.0.0.0
route = 124.0.0.0/254.0.0.0
route = 126.0.0.0/255.0.0.0
route = 128.0.0.0/224.0.0.0
route = 160.0.0.0/248.0.0.0
route = 168.0.0.0/252.0.0.0
route = 172.0.0.0/255.240.0.0
route = 172.32.0.0/255.224.0.0
route = 172.64.0.0/255.192.0.0
route = 172.128.0.0/255.128.0.0
route = 173.0.0.0/255.0.0.0
route = 174.0.0.0/254.0.0.0
route = 176.0.0.0/240.0.0.0
route = 192.0.0.0/255.128.0.0
route = 192.128.0.0/255.224.0.0
route = 192.160.0.0/255.248.0.0
route = 192.169.0.0/255.255.0.0
route = 192.170.0.0/255.254.0.0
route = 192.172.0.0/255.252.0.0
route = 192.176.0.0/255.240.0.0
route = 192.192.0.0/255.192.0.0
route = 193.0.0.0/255.0.0.0
route = 194.0.0.0/254.0.0.0
route = 196.0.0.0/252.0.0.0
route = 200.0.0.0/248.0.0.0
route = 208.0.0.0/240.0.0.0
route = 224.0.0.0/224.0.0.0
Re: ocserv
Posted: 26 Oct 2025, 20:38
ya
check whether port 443 is free
grep -v "#" /etc/ocserv/ocserv.conf
Code:
auth = "plain[passwd=/etc/ocserv/passwd]"
listen-host = 192.168.43.96
tcp-port = 443
run-as-user = gt
run-as-group = daemon
socket-file = run/ocserv-socket
chroot-dir = /var/lib/ocserv
server-cert = /etc/letsencrypt/live/1.hardprivate.com/fullchain.pem
server-key = /etc/letsencrypt/live/1.hardprivate.com/privkey.pem
isolate-workers = true
max-clients = 100
max-same-clients = 100
listen-proxy-proto = false
rate-limit-ms = 100
keepalive = 32400
dpd = 90
mobile-dpd = 1800
switch-to-tcp-timeout = 25
try-mtu-discovery = false
compression = false
tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1"
auth-timeout = 240
min-reauth-time = 300
max-ban-score = 80
ban-reset-time = 300
cookie-timeout = 300
deny-roaming = false
rekey-time = 172800
rekey-method = ssl
use-occtl = true
pid-file = /run/ocserv.pid
device = vpns
predictable-ips = true
idle-timeout=3240
mobile-idle-timeout=2400
default-domain = 1.hardprivate.com
ipv4-network = 172.19.176.0/22
ipv4-netmask = 255.255.252.0
tunnel-all-dns = true
dns = 192.168.43.96
dns = 1.0.0.2
dns = 1.1.1.2
ping-leases = true
cisco-client-compat = false
dtls-legacy = false
client-bypass-protocol = none
route = 192.168.100.9/255.255.255.255
route = 192.168.100.2/255.255.255.255
route = 192.168.43.96/255.255.255.255
route = 192.168.43.75/255.255.255.255
route = 1.0.0.0/248.0.0.0
route = 8.0.0.0/254.0.0.0
route = 11.0.0.0/255.0.0.0
route = 12.0.0.0/252.0.0.0
route = 16.0.0.0/240.0.0.0
route = 32.0.0.0/224.0.0.0
route = 64.0.0.0/224.0.0.0
route = 96.0.0.0/240.0.0.0
route = 112.0.0.0/248.0.0.0
route = 120.0.0.0/252.0.0.0
route = 124.0.0.0/254.0.0.0
route = 126.0.0.0/255.0.0.0
route = 128.0.0.0/224.0.0.0
route = 160.0.0.0/248.0.0.0
route = 168.0.0.0/252.0.0.0
route = 172.0.0.0/255.240.0.0
route = 172.32.0.0/255.224.0.0
route = 172.64.0.0/255.192.0.0
route = 172.128.0.0/255.128.0.0
route = 173.0.0.0/255.0.0.0
route = 174.0.0.0/254.0.0.0
route = 176.0.0.0/240.0.0.0
route = 192.0.0.0/255.128.0.0
route = 192.128.0.0/255.224.0.0
route = 192.160.0.0/255.248.0.0
route = 192.169.0.0/255.255.0.0
route = 192.170.0.0/255.254.0.0
route = 192.172.0.0/255.252.0.0
route = 192.176.0.0/255.240.0.0
route = 192.192.0.0/255.192.0.0
route = 193.0.0.0/255.0.0.0
route = 194.0.0.0/254.0.0.0
route = 196.0.0.0/252.0.0.0
route = 200.0.0.0/248.0.0.0
route = 208.0.0.0/240.0.0.0
route = 224.0.0.0/224.0.0.0