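#######################################
# Abort unless the host runs Debian 10 or newer.
# The original compared only the first character of /etc/debian_version
# with "1", which rejected nothing on 10/11/12 but also let 2.x/3.x through,
# would reject a future 20.x, and exited with status 0 on failure.
# Arguments: $1 - version file to read (optional, default /etc/debian_version;
#            exists so the check can be exercised without root)
# Returns:   0 when supported; exits 1 otherwise
# NOTE(review): the rest of the script assumes root (apt, iptables, /etc writes);
# it does not check that here.
#######################################
version_check(){
  local version_file=${1:-/etc/debian_version}
  local version major
  if [[ ! -r "$version_file" ]]; then
    echo "cannot read $version_file; this script only supports Debian" >&2
    exit 1
  fi
  version=$(<"$version_file")
  major=${version%%.*}
  if [[ "$major" =~ ^[0-9]+$ ]]; then
    if (( major < 10 )); then
      echo "$version" >&2
      echo 'only support debian_version >= 10' >&2
      exit 1
    fi
  else
    # testing/unstable report a codename such as "trixie/sid" instead of a
    # number; the original check let those through, so only warn here.
    echo "non-numeric debian_version '$version'; assuming >= 10" >&2
  fi
}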
#######################################
# Refresh package lists, upgrade the system, then install the two packages the
# rest of the script depends on (iptables for NAT, ocserv itself).
# Globals:   none
# Arguments: none
# Returns:   status of the last apt invocation
#######################################
install_ocserv(){
  local pkg
  apt update -y
  apt upgrade -y
  for pkg in iptables ocserv; do
    apt install "$pkg" -y
  done
}
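#######################################
# Record the endpoint clients connect to and fetch the ocserv configuration.
# Arguments: $1 - server address written into /etc/ocserv/server.address
#                 (optional; the top-level call passes none, so the line is
#                 then written without a host, exactly as before)
# Outputs:   /etc/ocserv/server.address, /etc/ocserv/ocserv.conf
# Returns:   1 if the config could not be downloaded
#######################################
edit_conf(){
  local addr=${1:-}
  local conf_url=https://raw.githubusercontent.com/theshy2023/ocserv_one_key/main/ocserv.conf
  local tmp
  printf 'Server Address %s:3389(Port MUST Not Blocked)\n' "$addr" > /etc/ocserv/server.address
  # --fail stops a 404/500 HTML page from being written over ocserv.conf;
  # downloading to a temp file first leaves any existing config untouched
  # when the transfer fails part way.
  tmp=$(mktemp) || return 1
  if ! curl -fsSL -o "$tmp" "$conf_url"; then
    echo "failed to download ocserv.conf from $conf_url" >&2
    rm -f -- "$tmp"
    return 1
  fi
  # NOTE(review): this config is pulled unauthenticated from a third-party
  # repository and drives the whole VPN server — review it (or pin a commit)
  # before trusting it.
  install -m 0644 "$tmp" /etc/ocserv/ocserv.conf
  rm -f -- "$tmp"
}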
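#######################################
# Enable BBR and IPv4 forwarding persistently, then NAT the VPN client pool out
# of the uplink interface.
# Arguments: $1 - outbound interface (optional, default eth0)
#            $2 - VPN client pool (optional, default 192.168.1.0/24)
# Outputs:   appends to /etc/sysctl.conf; adds nat/POSTROUTING and FORWARD rules
# NOTE(review): the pool must match the address range in the downloaded
# ocserv.conf, which this script never inspects — confirm before relying on it.
# The iptables rules are not persisted across reboot (nothing here installs
# iptables-persistent or saves the ruleset).
#######################################
edit_iptables(){
  local iface=${1:-eth0}
  local pool=${2:-192.168.1.0/24}
  local setting
  # Append each setting only once so re-running the script does not keep
  # growing sysctl.conf with duplicate lines.
  for setting in 'net.core.default_qdisc=fq' 'net.ipv4.tcp_congestion_control=bbr' 'net.ipv4.ip_forward = 1'; do
    grep -qxF -- "$setting" /etc/sysctl.conf 2>/dev/null || printf '%s\n' "$setting" >> /etc/sysctl.conf
  done
  sysctl -p
  # -C checks whether the rule already exists so repeated runs do not stack
  # identical rules in the chains.
  iptables -t nat -C POSTROUTING -s "$pool" -o "$iface" -j MASQUERADE 2>/dev/null \
    || iptables -t nat -A POSTROUTING -s "$pool" -o "$iface" -j MASQUERADE
  iptables -C FORWARD -s "$pool" -j ACCEPT 2>/dev/null \
    || iptables -A FORWARD -s "$pool" -j ACCEPT
}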
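#######################################
# Install the latest mkcert release and issue a server key/certificate for $1
# into /etc/ocserv.
# Arguments: $1 - hostname or IP to put in the certificate (required)
# Outputs:   /usr/local/bin/mkcert, /etc/ocserv/private.key, /etc/ocserv/public.crt
# Returns:   1 if the download did not produce a binary
# NOTE(review): the binary is fetched without any signature or checksum
# verification; pin a release and verify it if this runs anywhere that matters.
# The certificate is signed by mkcert's locally generated CA, which clients will
# not trust unless that CA is installed on them — the post's separate
# "self-signed cert" login script appears to address this; not verified here.
#######################################
do_mkcert(){
  local name=${1:?do_mkcert: hostname or IP required}
  local candidates bin
  rm -f mkcert-v*-linux-amd64
  # --fail so an HTTP error page is not saved and then installed as "mkcert".
  curl -fJLO "https://dl.filippo.io/mkcert/latest?for=linux/amd64" || return 1
  candidates=(mkcert-v*-linux-amd64)
  bin=${candidates[0]}
  if [[ ! -f "$bin" ]]; then
    echo "mkcert download did not produce a binary" >&2
    return 1
  fi
  # The rest of the script already runs as root (apt, iptables, /etc writes),
  # so the original sudo was redundant; install sets mode and copies in one step.
  install -m 0755 "$bin" /usr/local/bin/mkcert
  mkcert -key-file /etc/ocserv/private.key -cert-file /etc/ocserv/public.crt "$name"
}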
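#######################################
# Build a private CA under $1 and issue one client certificate from it.
# Arguments: $1 - directory for the CA material (required; wiped and recreated)
# Outputs:   ca-privkey.pem, ca-cert.pem, client-privkey.pem, client-cert.pem
#            and the two certtool templates, all under $1
# Returns:   1 if a template could not be downloaded
# NOTE(review): the templates decide subject, validity and key usage for both
# certificates and are pulled unauthenticated from a third-party repository —
# review them before trusting the resulting CA.
#######################################
create_ca(){
  local dir=${1:?create_ca: directory required}
  local base=https://raw.githubusercontent.com/theshy2023/ocserv_one_key/main
  rm -rf -- "$dir"
  mkdir -- "$dir"
  # -y: without it apt prompts and an unattended run hangs here.
  apt install -y gnutls-bin
  # --fail so an error page is not fed to certtool as a template.
  curl -fsSL -o "$dir/ca-cert.cfg" "$base/ca-cert.cfg" || return 1
  curl -fsSL -o "$dir/client-cert.cfg" "$base/client-cert.cfg" || return 1
  certtool --generate-privkey --outfile "$dir/ca-privkey.pem"
  certtool --generate-self-signed --load-privkey "$dir/ca-privkey.pem" --template "$dir/ca-cert.cfg" --outfile "$dir/ca-cert.pem"
  certtool --generate-privkey --outfile "$dir/client-privkey.pem"
  certtool --generate-certificate --load-privkey "$dir/client-privkey.pem" --load-ca-certificate "$dir/ca-cert.pem" --load-ca-privkey "$dir/ca-privkey.pem" --template "$dir/client-cert.cfg" --outfile "$dir/client-cert.pem"
  # Neither private key is needed by ocserv at runtime; keep them root-only.
  chmod 600 "$dir/ca-privkey.pem" "$dir/client-privkey.pem"
}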
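#######################################
# Bundle the client key and certificate from $1 into $1/client.p12 for import
# into AnyConnect.
# Arguments: $1 - directory produced by create_ca (required)
# Outputs:   $1/client.p12 (DER-encoded PKCS#12)
# NOTE(review): 3des-pkcs12 is a legacy cipher, presumably kept for the
# Windows/iOS importers the post targets; use an AES PKCS#12 cipher if the
# importer accepts it. No --password is given, so certtool is expected to ask
# for the export password interactively — confirm on the installed version.
#######################################
create_client_p12(){
  local dir=${1:?create_client_p12: directory required}
  certtool --to-p12 --load-privkey "$dir/client-privkey.pem" --load-certificate "$dir/client-cert.pem" --pkcs-cipher 3des-pkcs12 --outfile "$dir/client.p12" --outder
  # The bundle carries the client private key; restrict it before it is
  # copied off the host.
  chmod 600 "$dir/client.p12"
}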
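# Main sequence: verify the OS, discover the public IPv4, install ocserv, issue
# server and client certificates, write the config and NAT rules, restart.
# Assumes it is run as root on Debian >= 10.
version_check
ssl_dir=/etc/ocserv/ssl_dir
# The original fetched this over plain http://, so an on-path attacker could
# hand back an arbitrary address that then ends up in the server certificate;
# https plus --fail, and a sanity check on the shape, close that gap.
public_ip=$(curl -fsS https://ipv4.icanhazip.com) || { echo "could not determine public IPv4" >&2; exit 1; }
public_ip=${public_ip//[[:space:]]/}
if [[ ! "$public_ip" =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}$ ]]; then
  echo "unexpected public IPv4 value: '$public_ip'" >&2
  exit 1
fi
echo "Your Ipv4:"
# printf keeps the escape sequences intact (echo -e's handling is not portable).
printf '\e[31m%s\e[0m\n' "$public_ip"
install_ocserv
do_mkcert "$public_ip"
create_ca "$ssl_dir"
create_client_p12 "$ssl_dir"
# edit_conf records "$1" in server.address; the original call passed nothing,
# so the file ended up without a host.
edit_conf "$public_ip"
edit_iptables
systemctl restart ocserv
systemctl status ocserv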
客户端登录脚本(自签名证书登录):https://raw.githubusercontent.com/theshy2023/ocserv_one_key/main/login_with_self_sigh_cert.sh —— 该脚本来自第三方仓库,执行前请先阅读其内容。
Windows 11 下,在开始菜单搜索“证书”并打开“管理用户证书”,客户端证书位于“个人 > 证书”下。
安装证书前把旧证书删除 并且退出 anyconnect client 或者安装完成之后重启 anyconnect client
将证书从 Linux 下载到本地
用 windows power shell 执行以下代码
scp <用户名>@<服务器IP>:/etc/ocserv/ssl_dir/client.p12 ./
下载下来的 p12 证书也可以传输到 iPhone 上,比如通过邮件或 QQ 发送。注意 p12 文件包含客户端私钥,尽量使用加密通道传输,导入完成后删除各处的副本。
iPhone 安装证书的时候要通过 share 给 anyconnect 去 import 不能直接安装