ぐだメモ

Installing OpenConnect (ocserv) on Ubuntu

Reference: Set Up OpenConnect VPN Server (ocserv) on Ubuntu 22.04 with Let's Encrypt (LinuxBabe). This tutorial is going to show you how to install OpenConnect VPN server (ocserv) on Ubuntu 22.04 with a trusted Let's Encrypt TLS certificate.

No client-side certificate is needed; clients authenticate with a username and password from the ocpasswd file set up below.

Set this up after apache2 + Nextcloud.

sudo apt install ocserv
sudo systemctl start ocserv
systemctl status ocserv

certbot (skip this if you do not need it)

Use the following if nginx is installed.

sudo apt install software-properties-common
sudo add-apt-repository ppa:certbot/certbot
sudo apt update
sudo apt install certbot

Note: the ppa:certbot/certbot PPA is no longer maintained (the certbot project now recommends its snap package). On Ubuntu 22.04 `sudo apt install certbot` from the standard repositories works without adding the PPA.

If nginx is running, stop it first (`sudo service nginx stop`): certbot in standalone mode has to bind port 80 itself for the HTTP challenge.

sudo certbot certonly --standalone --preferred-challenges http --agree-tos --email mail@gmail.com -d xxx.com

Replace mail@gmail.com and xxx.com with your own e-mail address and the VPN server's hostname; the hostname must already resolve to this server for the challenge to succeed.

OpenConnect configuration

sudo nano /etc/ocserv/ocserv.conf

Replace the existing values of these settings with:

auth = "plain[passwd=/etc/ocserv/ocpasswd]"
server-cert = /etc/letsencrypt/live/xxx.com/fullchain.pem
server-key = /etc/letsencrypt/live/xxx.com/privkey.pem

The other certificate settings (ca-cert etc.) can be left alone; just follow these steps as written. Then set:

default-domain = xxx.com
ipv4-network = 10.10.10.0
dns = 8.8.8.8

Comment out the following lines. With no route directives left, ocserv pushes a default route and all client traffic goes through the VPN (full tunnel):

route = 10.10.10.0/255.255.255.0
route = 192.168.0.0/255.255.0.0
route = fef4:db8:1000:1001::/64
no-route = 192.168.5.0/255.255.255.0
sudo systemctl restart ocserv
sudo cp /lib/systemd/system/ocserv.service /etc/systemd/system/ocserv.service
sudo nano /etc/systemd/system/ocserv.service

Comment out these two lines so ocserv runs as a plain service without socket activation:

Requires=ocserv.socket
Also=ocserv.socket
sudo systemctl daemon-reload
sudo systemctl stop ocserv.socket
sudo systemctl disable ocserv.socket
sudo systemctl restart ocserv.service
systemctl status ocserv
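Added example, not code from the original post, from ocserv or from the LinuxBabe tutorial: a shell script that makes the ocserv.conf edits above with sed on the live file (after taking a backup), verifies the result, comments out the two socket lines in the copied unit and restarts the service. The hostname, VPN network and DNS server are assumed placeholders passed as arguments (the defaults are the 10.10.10.0 and 8.8.8.8 values used above); nothing touches the system unless the script is invoked with `apply`.

```shell
#!/bin/sh
# Added example (not from the original post or ocserv): apply and verify
# the ocserv.conf / ocserv.service edits described above.
set -u

# Rewrite the six settings in place and comment out every route / no-route
# line, which makes ocserv push a default route (full tunnel) to clients.
# Only active lines are touched; lines that are already comments are kept.
configure_ocserv_conf() {
    conf="$1"; domain="$2"; net="${3:-10.10.10.0}"; dns="${4:-8.8.8.8}"
    sed -E -i \
        -e 's|^auth = .*|auth = "plain[passwd=/etc/ocserv/ocpasswd]"|' \
        -e "s|^server-cert = .*|server-cert = /etc/letsencrypt/live/$domain/fullchain.pem|" \
        -e "s|^server-key = .*|server-key = /etc/letsencrypt/live/$domain/privkey.pem|" \
        -e "s|^default-domain = .*|default-domain = $domain|" \
        -e "s|^ipv4-network = .*|ipv4-network = $net|" \
        -e "s|^dns = .*|dns = $dns|" \
        -e 's|^(no-)?route = |#&|' \
        "$conf"
}

# Fail (return 1) unless the required settings are present as active lines
# and no active route / no-route line remains.
verify_ocserv_conf() {
    conf="$1"; domain="$2"
    grep -q '^auth = "plain\[passwd=/etc/ocserv/ocpasswd]"$' "$conf" || return 1
    grep -q "^server-cert = /etc/letsencrypt/live/$domain/fullchain.pem$" "$conf" || return 1
    grep -q "^server-key = /etc/letsencrypt/live/$domain/privkey.pem$" "$conf" || return 1
    grep -q "^default-domain = $domain$" "$conf" || return 1
    ! grep -Eq '^(no-)?route = ' "$conf" || return 1
    return 0
}

# Root only: check the Let's Encrypt key exists, back up and edit the config,
# verify it, copy the unit and comment out the socket lines, then restart
# with the socket unit disabled, as in the steps above.
apply_ocserv_setup() {
    domain="$1"
    [ -r "/etc/letsencrypt/live/$domain/privkey.pem" ] || { echo "no Let's Encrypt key for $domain" >&2; return 1; }
    [ -e /etc/ocserv/ocserv.conf.orig ] || cp /etc/ocserv/ocserv.conf /etc/ocserv/ocserv.conf.orig
    configure_ocserv_conf /etc/ocserv/ocserv.conf "$domain"
    verify_ocserv_conf /etc/ocserv/ocserv.conf "$domain" || { echo "ocserv.conf check failed, see ocserv.conf.orig" >&2; return 1; }
    [ -e /etc/systemd/system/ocserv.service ] || cp /lib/systemd/system/ocserv.service /etc/systemd/system/ocserv.service
    sed -E -i 's/^(Requires|Also)=ocserv\.socket/#&/' /etc/systemd/system/ocserv.service
    systemctl daemon-reload
    systemctl disable --now ocserv.socket
    systemctl restart ocserv.service
    systemctl --no-pager status ocserv.service
}

# Usage (assumed hostname): sudo sh ocserv-setup.sh apply vpn.example.com
if [ "${1:-}" = "apply" ]; then apply_ocserv_setup "${2:?hostname required}"; fi
```

The verify step is the point of the script: a missed replacement (for example a default-domain line that was commented out in the shipped config) leaves the check failing before the service is restarted, instead of ocserv starting with the snakeoil certificate or the wrong network.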

Add a user

sudo ocpasswd -c /etc/ocserv/ocpasswd USER

Replace USER with the login name; ocpasswd prompts for the password. Then enable IP forwarding:

sudo nano /etc/sysctl.conf

Uncomment this line and reload the settings:

net.ipv4.ip_forward = 1
sudo sysctl -p

Editing iptables

Check the name of the outbound interface (ens3, eth0, etc.) with `ip addr` (or `ifconfig`, which on Ubuntu requires the net-tools package) and use it in the MASQUERADE rule below.

sudo iptables -t nat -A POSTROUTING -o ens3 -j MASQUERADE
sudo iptables -t nat -L POSTROUTING
sudo iptables -I INPUT -p tcp --dport 443 -j ACCEPT
sudo iptables -I INPUT -p udp --dport 443 -j ACCEPT

Save the rules so they can be restored at boot. The redirection is performed by your own shell, so `sudo iptables-save > /etc/iptables.rules` fails with permission denied; run the whole command as root:

sudo sh -c 'iptables-save > /etc/iptables.rules'
sudo nano /etc/systemd/system/iptables-restore.service

Create the file with this content:

[Unit]
Description=Packet Filtering Framework
Before=network-pre.target
Wants=network-pre.target
[Service]
Type=oneshot
ExecStart=/sbin/iptables-restore /etc/iptables.rules
ExecReload=/sbin/iptables-restore /etc/iptables.rules
RemainAfterExit=yes
[Install]
WantedBy=multi-user.target
sudo systemctl daemon-reload
sudo systemctl enable iptables-restore

Open additional ports as needed for your applications. Rules added this way are only in memory, so re-run the iptables-save step afterwards or they are lost at the next boot. Note that these ACCEPT rules change nothing while the INPUT chain policy is ACCEPT (the Ubuntu default when ufw is not enabled); they matter once the policy is DROP or a later rule rejects traffic.

sudo iptables -I INPUT -p tcp --dport 443 -j ACCEPT
sudo iptables -I INPUT -p tcp --dport 3000 -j ACCEPT
sudo iptables -I INPUT -p tcp --dport 19090 -j ACCEPT
sudo iptables -I INPUT -p tcp --dport 8443 -j ACCEPT
sudo iptables -I INPUT -p tcp --dport 53 -j ACCEPT
sudo iptables -I INPUT -p tcp --dport 32 -j ACCEPT
sudo iptables -I INPUT -p tcp --dport 80 -j ACCEPT
sudo iptables -I INPUT -p tcp --dport 7443 -j ACCEPT
sudo iptables -I INPUT -p tcp --dport 853 -j ACCEPT
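Added example, not code from the original post: instead of dumping whatever rules happen to be live with iptables-save, this shell script writes /etc/iptables.rules as an explicit iptables-restore file built from the rules above (MASQUERADE on the WAN interface, 443 tcp and udp for ocserv, plus any extra TCP ports), parse-checks it with `iptables-restore --test`, installs the oneshot unit from the steps above, and confirms that IP forwarding is on. The WAN interface name and the extra port list are assumed inputs; the system is only touched when the script is invoked with `apply`.

```shell
#!/bin/sh
# Added example (not from the original post): persist the iptables rules
# above as a reviewed restore file plus the systemd oneshot unit.
set -u

# Emit an iptables-restore file. The built-in chains are declared with ACCEPT
# policies because the original steps never change a policy; the rules are
# the MASQUERADE for VPN clients leaving via the WAN interface, the ocserv
# ports, and one ACCEPT per extra TCP port given as an argument.
render_iptables_rules() {
    wan="$1"; shift
    printf '%s\n' '*nat' \
        ':PREROUTING ACCEPT [0:0]' ':INPUT ACCEPT [0:0]' \
        ':OUTPUT ACCEPT [0:0]' ':POSTROUTING ACCEPT [0:0]' \
        "-A POSTROUTING -o $wan -j MASQUERADE" 'COMMIT'
    printf '%s\n' '*filter' \
        ':INPUT ACCEPT [0:0]' ':FORWARD ACCEPT [0:0]' ':OUTPUT ACCEPT [0:0]' \
        '-A INPUT -p tcp --dport 443 -j ACCEPT' \
        '-A INPUT -p udp --dport 443 -j ACCEPT'
    for port in "$@"; do
        printf '%s\n' "-A INPUT -p tcp --dport $port -j ACCEPT"
    done
    printf '%s\n' 'COMMIT'
}

# Return 0 when IPv4 forwarding is on. The optional path argument lets the
# check run against a file instead of the live kernel value.
ip_forward_enabled() {
    [ "$(cat "${1:-/proc/sys/net/ipv4/ip_forward}" 2>/dev/null)" = "1" ]
}

# Root only: write the file, parse-check it (--test builds but does not
# commit the ruleset), load it, install and enable the unit from the steps
# above, and warn if net.ipv4.ip_forward was never switched on.
apply_iptables_persistence() {
    render_iptables_rules "$@" > /etc/iptables.rules
    iptables-restore --test /etc/iptables.rules || { echo "rule file rejected by iptables-restore" >&2; return 1; }
    iptables-restore /etc/iptables.rules
    cat > /etc/systemd/system/iptables-restore.service <<'EOF'
[Unit]
Description=Packet Filtering Framework
Before=network-pre.target
Wants=network-pre.target

[Service]
Type=oneshot
ExecStart=/sbin/iptables-restore /etc/iptables.rules
ExecReload=/sbin/iptables-restore /etc/iptables.rules
RemainAfterExit=yes

[Install]
WantedBy=multi-user.target
EOF
    systemctl daemon-reload
    systemctl enable iptables-restore
    ip_forward_enabled || echo "warning: net.ipv4.ip_forward is 0, VPN clients will not reach the internet" >&2
}

# Usage (assumed interface and ports): sudo sh iptables-persist.sh apply ens3 80 8443
if [ "${1:-}" = "apply" ]; then shift; apply_iptables_persistence "$@"; fi
```

Generating the file rather than saving the live tables means a rule added for a quick test never ends up restored at boot by accident, and every port that is open after a reboot is visible in the argument list of the apply call.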