Ocserv一键安装/升级脚本 CentOS-RHEL-7

说明

EPEL已经提供二进制包,Debian、Fedoras也有二进制包,请使用二进制包安装。配置可以参考本脚本。

脚本下载
Ocserv-install-script-for-CentOS-RHEL-7-master

Ocserv install script for CentOS&RHEL 7

这是 ocserv 在 CentOS 7 和 RHEL 7 的一键安装脚本,可以在最小化安装环境的 CentOS 7 和 RHEL 7 下一键部署 ocserv。
已知部分 64M 内存的 VPS 一次 yum 太多软件包会报错,可以修改脚本分多次安装。
支持自动判断 firewalld 和 iptables。

  • 支持自动判断防火墙,请确保 Firewalld 或者 iptables 其中一个是 active 状态;
  • 默认采用用户名密码验证,本安装脚本编译的 ocserv 也支持 pam 验证,只需要修改配置文件即可;
  • 默认配置文件在 /usr/local/etc/ocserv/ 目录,可自行更改脚本里的参数;
  • 安装时会提示你输入端口、用户名、密码等信息,也可直接回车采用默认值,密码是随机生成的;
  • 安装脚本会关闭 SELINUX;
  • 自带路由表,只有路由表里的 IP 才会走 VPN,如果你有需要添加的路由表可自行添加,最多支持 200 条;
  • 如果你有证书机构颁发的证书,可以把证书放到脚本的同目录下,确保文件名和脚本里的匹配,安装脚本会使用你的证书,客户端连接时不会提示证书错误;
  • 配置文件修改为每个账号允许 10 个连接,全局 1024 个连接,可修改脚本前面的变量。1024 个连接大约需要 2048 个 IP,所以虚拟接口的 IP 配置了 8 个 C 段。

安装脚本分为以下几大块,如果中间有错误,可以注释掉部分然后重新执行脚本,ConfigEnvironmentVariable 为必须,后面的脚本会使用这里的变量

  • ConfigEnvironmentVariable // 配置环境变量
  • PrintEnvironmentVariable // 打印环境变量
  • CompileOcserv $@ // 下载并编译 ocserv
  • ConfigOcserv // 配置 ocserv,包括修改 ocserv.conf,配置 ocserv.service
  • ConfigFirewall // 配置防火墙,会自动判断防火墙为 iptables 或 firewalld
  • ConfigSystem // 配置系统
  • PrintResult // 打印最后的安装结果和 VPN 账号等

安装

#!/bin/bash
####################################################
#                                                  #
# This is a ocserv installation for CentOS 7       #
# Version: 1.2.5 20151009                          #
# Author: Travis Lee                               #
# Website: https://www.stunnel.info                #
#                                                  #
####################################################
 
#  Version: 1.2.5 20151009
#  *源码下载改回作者的官方网站
#  *更新ocserv的版本为0.10.9
 
#  Version: 1.2.4 20150929
#  *源码下载改为从 github 下载,作者网站似乎挂了
#  *更新ocserv的版本为0.10.7
#  *更新libtasn1的版本为4.7
 
#  Version: 1.2.3 20150508
#  *更新libtasn1的版本为4.5
#  *更新ocserv的版本为0.10.4
 
#  Version: 1.2.2 20150402
#  *兼容CentOS 7.1,编译libtasn1-4.4替换系统的3.8版
#  *修正 修改src/vpn.h路由条数 的命令
 
#  +增加firewalld和iptables检测功能,使用systemctl is-active判断哪个防火墙在运行,请确保有一个防火墙自启动并加载默认配置
#  *把几个功能用function分隔,如果脚本运行遇到问题,可以注释已经完成的部分,修正后继续
 
 
#检测是否是root用户
if [[ $(id -u) != "0" ]]; then
    printf "\e[42m\e[31mError: You must be root to run this install script.\e[0m\n"
    exit 1
fi
 
#检测是否是CentOS 7或者RHEL 7
if [[ $(grep "release 7." /etc/redhat-release 2>/dev/null | wc -l) -eq 0 ]]; then
    printf "\e[42m\e[31mError: Your OS is NOT CentOS 7 or RHEL 7.\e[0m\n"
    printf "\e[42m\e[31mThis install script is ONLY for CentOS 7 and RHEL 7.\e[0m\n"
    exit 1
fi
 
basepath=$(dirname $0)
cd ${basepath}
 
function ConfigEnvironmentVariable {
    #ocserv版本
    ocserv_version="0.10.9"
    version=${1-${ocserv_version}}
    libtasn1_version=4.7
    #变量设置
    #单IP最大连接数,默认是2
    maxsameclients=10
    #最大连接数,默认是16
    maxclients=1024
    #服务器的证书和key文件,放在本脚本的同目录下,key文件的权限应该是600或者400
    servercert=${2-server-cert.pem}
    serverkey=${3-server-key.pem}
    #配置目录,你可更改为 /etc/ocserv 之类的
    confdir="/usr/local/etc/ocserv"
 
    #安装系统组件
    yum install -y -q net-tools bind-utils
    #获取网卡接口名称
    ethlist=$(ifconfig | grep ": flags" | cut -d ":" -f1)
    eth=$(printf "${ethlist}\n" | head -n 1)
    if [[ $(printf "${ethlist}\n" | wc -l) -gt 2 ]]; then
        echo ======================================
        echo "Network Interface list:"
        printf "\e[33m${ethlist}\e[0m\n"
        echo ======================================
        echo "Which network interface you want to listen for ocserv?"
        printf "Default network interface is \e[33m${eth}\e[0m, let it blank to use default network interface: "
        read ethtmp
        if [[ -n "${ethtmp}" ]]; then
            eth=${ethtmp}
        fi
    fi
 
    #端口,默认是10443
    port=10443
    echo "Please input the port ocserv listen to."
    printf "Default port is \e[33m${port}\e[0m, let it blank to use default port: "
    read porttmp
    if [[ -n "${porttmp}" ]]; then
        port=${porttmp}
    fi
 
    #用户名,默认是user
    username=user
    echo "Please input ocserv user name:"
    printf "Default user name is \e[33m${username}\e[0m, let it blank to use default user name: "
    read usernametmp
    if [[ -n "${usernametmp}" ]]; then
        username=${usernametmp}
    fi
 
    #随机密码
    randstr() {
        index=0
        str=""
        for i in {a..z}; do arr[index]=$i; index=$(expr ${index} + 1); done
        for i in {A..Z}; do arr[index]=$i; index=$(expr ${index} + 1); done
        for i in {0..9}; do arr[index]=$i; index=$(expr ${index} + 1); done
        for i in {1..10}; do str="$str${arr[$RANDOM%$index]}"; done
        echo ${str}
    }
    password=$(randstr)
    printf "Please input \e[33m${username}\e[0m's password:\n"
    printf "Default password is \e[33m${password}\e[0m, let it blank to use default password: "
    read passwordtmp
    if [[ -n "${passwordtmp}" ]]; then
        password=${passwordtmp}
    fi
}
 
function PrintEnvironmentVariable {
    #打印配置参数
    clear
    ipv4=$(ip -4 -f inet addr | grep "inet " | grep -v "lo:" | grep -v "127.0.0.1" | grep -o -P "\d+\.\d+\.\d+\.\d+\/\d+" | grep -o -P "\d+\.\d+\.\d+\.\d+")
    ipv6=$(ip -6 addr | grep "inet6" | grep -v "::1/128" | grep -o -P "([a-z\d]+:[a-z\d:]+\/\d+)" | grep -o -P "([a-z\d]+:[a-z\d:]+)")
    echo -e "IPv4:\t\t\e[34m$(echo ${ipv4})\e[0m"
    echo -e "IPv6:\t\t\e[34m$(echo ${ipv6})\e[0m"
    echo -e "Port:\t\t\e[34m${port}\e[0m"
    echo -e "Username:\t\e[34m${username}\e[0m"
    echo -e "Password:\t\e[34m${password}\e[0m"
    echo
    echo "Press any key to start install ocserv."
 
    get_char() {
        SAVEDSTTY=$(stty -g)
        stty -echo
        stty cbreak
        dd if=/dev/tty bs=1 count=1 2> /dev/null
        stty -raw
        stty echo
        stty ${SAVEDSTTY}
    }
    char=$(get_char)
    clear
}
 
function CompileOcserv {
    #升级系统
    #yum update -y -q
    yum install -y -q epel-release
    #安装ocserv依赖组件
    yum install -y gnutls gnutls-utils gnutls-devel readline readline-devel \
    libnl-devel libtalloc libtalloc-devel libnl3-devel wget \
    pam pam-devel libtalloc-devel xz libseccomp-devel \
    tcp_wrappers-devel autogen autogen-libopts-devel tar \
    gcc pcre-devel openssl openssl-devel curl-devel \
    freeradius-client-devel freeradius-client lz4-devel lz4 \
    http-parser-devel http-parser protobuf-c-devel protobuf-c \
    pcllib-devel pcllib cyrus-sasl-gssapi dbus-devel policycoreutils gperf
 
:<ca.tmpl
cn = "stunnel.info VPN"
organization = "stunnel.info"
serial = 1
expiration_days = 3650
ca
signing_key
cert_signing_key
crl_signing_key
_EOF_
 
        certtool --generate-self-signed --load-privkey ca-key.pem \
        --template ca.tmpl --outfile ca-cert.pem
        certtool --generate-privkey --outfile ${serverkey}
 
        cat << _EOF_ >server.tmpl
cn = "stunnel.info VPN"
o = "stunnel"
serial = 2
expiration_days = 3650
signing_key
encryption_key #only if the generated key is an RSA one
tls_www_server
_EOF_
 
        certtool --generate-certificate --load-privkey ${serverkey} \
        --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem \
        --template server.tmpl --outfile ${servercert}
    fi
 
    #把证书复制到ocserv的配置目录
    cp "${servercert}" "${confdir}" && cp "${serverkey}" "${confdir}"
 
    #编辑配置文件
    (echo "${password}"; sleep 1; echo "${password}") | ocpasswd -c "${confdir}/ocpasswd" ${username}
 
    sed -i "s#./sample.passwd#${confdir}/ocpasswd#g" "${confdir}/ocserv.conf"
    sed -i "s#server-cert = ../tests/server-cert.pem#server-cert = ${confdir}/${servercert}#g" "${confdir}/ocserv.conf"
    sed -i "s#server-key = ../tests/server-key.pem#server-key = ${confdir}/${serverkey}#g" "${confdir}/ocserv.conf"
    sed -i "s/max-same-clients = 2/max-same-clients = ${maxsameclients}/g" "${confdir}/ocserv.conf"
    sed -i "s/max-clients = 16/max-clients = ${maxclients}/g" "${confdir}/ocserv.conf"
    sed -i "s/tcp-port = 443/tcp-port = ${port}/g" "${confdir}/ocserv.conf"
    sed -i "s/udp-port = 443/udp-port = ${port}/g" "${confdir}/ocserv.conf"
    sed -i "s/default-domain = example.com/#default-domain = example.com/g" "${confdir}/ocserv.conf"
    sed -i "s/ipv4-network = 192.168.1.0/ipv4-network = 192.168.8.0/g" "${confdir}/ocserv.conf"
    sed -i "s/ipv4-netmask = 255.255.255.0/ipv4-netmask = 255.255.248.0/g" "${confdir}/ocserv.conf"
    sed -i "s/dns = 192.168.1.2/dns = 8.8.8.8\ndns = 8.8.4.4/g" "${confdir}/ocserv.conf"
    sed -i "s/run-as-group = daemon/run-as-group = nobody/g" "${confdir}/ocserv.conf"
    sed -i "s/cookie-timeout = 300/cookie-timeout = 86400/g" "${confdir}/ocserv.conf"
    sed -i 's$route = 192.168.1.0/255.255.255.0$#route = 192.168.1.0/255.255.255.0$g' "${confdir}/ocserv.conf"
    sed -i 's$route = 192.168.5.0/255.255.255.0$#route = 192.168.5.0/255.255.255.0$g' "${confdir}/ocserv.conf"
 
    cat << _EOF_ >>${confdir}/ocserv.conf
# Apple
route = 17.0.0.0/255.0.0.0
route = 192.12.74.0/255.255.255.0
route = 192.42.249.0/255.255.255.0
#route = 204.79.190.0/255.255.255.0
#route = 63.92.224.0/255.255.224.0
# Dropbox
route = 108.160.160.0/255.255.240.0
route = 199.47.216.0/255.255.252.0
#route = 205.189.0.0/255.255.255.0
# Github
route = 192.30.252.0/255.255.252.0
# Google
route = 8.15.202.0/255.255.255.0
route = 8.34.208.0/255.255.240.0
route = 8.35.192.0/255.255.240.0
route = 8.6.48.0/255.255.248.0
route = 8.8.4.0/255.255.255.0
route = 8.8.8.0/255.255.255.0
route = 66.102.0.0/255.255.240.0
route = 66.249.64.0/255.255.224.0
route = 70.32.128.0/255.255.224.0
route = 72.14.192.0/255.255.192.0
route = 74.125.0.0/255.255.0.0
route = 104.128.0.0/255.192.0.0
route = 104.196.0.0/255.252.0.0
route = 107.167.160.0/255.255.224.0
route = 107.178.192.0/255.255.192.0
route = 108.170.192.0/255.255.192.0
route = 108.177.0.0/255.255.128.0
route = 108.59.80.0/255.255.240.0
route = 130.211.0.0/255.255.0.0
route = 142.250.0.0/255.254.0.0
route = 146.148.0.0/255.255.128.0
route = 162.216.148.0/255.255.252.0
route = 162.222.176.0/255.255.248.0
route = 172.217.0.0/255.255.0.0
route = 172.253.0.0/255.255.0.0
route = 173.194.0.0/255.255.0.0
route = 173.255.112.0/255.255.240.0
route = 192.158.28.0/255.255.252.0
route = 192.178.0.0/255.254.0.0
route = 216.239.32.0/255.255.224.0
route = 216.58.192.0/255.255.224.0
#route = 23.236.48.0/255.255.240.0
#route = 23.251.128.0/255.255.224.0
#route = 64.233.160.0/255.255.224.0
#route = 64.9.224.0/255.255.224.0
route = 199.192.112.0/255.255.252.0
route = 199.223.232.0/255.255.248.0
#route = 207.223.160.0/255.255.240.0
#route = 209.85.128.0/255.255.128.0
# Twitter
route = 8.25.192.0/255.255.252.0
route = 8.25.196.0/255.255.254.0
route = 192.133.76.0/255.255.252.0
route = 210.163.0.0/255.255.0.0
route = 199.16.156.0/255.255.252.0
route = 199.59.148.0/255.255.252.0
route = 199.96.56.0/255.255.248.0
# TW
route = 202.39.0.0/255.255.0.0
route = 220.130.0.0/255.255.0.0
# Amazon
route = 8.18.144.0/255.255.254.0
route = 46.137.0.0/255.255.0.0
route = 46.51.128.0/255.255.128.0
route = 50.112.0.0/255.255.0.0
route = 50.16.0.0/255.252.0.0
route = 54.0.0.0/255.0.0.0
#route = 54.160.0.0/255.224.0.0
#route = 54.192.0.0/255.192.0.0
route = 67.202.0.0/255.255.192.0
route = 72.21.192.0/255.255.224.0
route = 72.44.32.0/255.255.224.0
route = 75.101.128.0/255.255.128.0
route = 79.125.0.0/255.255.128.0
route = 87.238.80.0/255.255.248.0
#route = 96.127.0.0/255.255.128.0
route = 103.246.148.0/255.255.252.0
#instagram
route = 107.20.0.0/255.252.0.0
route = 122.248.192.0/255.255.192.0
route = 174.129.0.0/255.255.0.0
route = 176.32.64.0/255.255.224.0
route = 176.34.0.0/255.255.0.0
route = 178.236.0.0/255.255.240.0
route = 184.169.128.0/255.255.128.0
route = 184.72.0.0/255.254.0.0
route = 185.48.120.0/255.255.252.0
route = 203.83.220.0/255.255.252.0
route = 216.137.32.0/255.255.224.0
route = 216.182.224.0/255.255.240.0
route = 27.0.0.0/255.255.252.0
#route = 23.20.0.0/255.252.0.0
route = 199.127.232.0/255.255.252.0
route = 199.255.192.0/255.255.252.0
#route = 204.236.128.0/255.255.128.0
#route = 204.246.128.0/255.255.128.0
#route = 205.251.192.0/255.255.192.0
#route = 207.171.160.0/255.255.224.0
# bgp.he.net
#route = 72.52.94.234/255.255.255.255
# t66y
route = 184.154.128.0/255.255.255.0
# Wordpress
route = 66.155.8.0/255.255.248.0
#route = 76.74.248.0/255.255.248.0
route = 192.0.64.0/255.255.192.0
route = 198.181.116.0/255.255.252.0
route = 199.47.91.0/255.255.255.0
# Wikimedia
route = 91.198.174.0/255.255.255.0
route = 185.15.56.0/255.255.252.0
route = 198.35.26.0/255.255.254.0
route = 198.73.209.0/255.255.255.0
#route = 208.80.152.0/255.255.252.0
## Adobe
#route = 130.248.0.0/255.255.0.0
#route = 153.32.0.0/255.255.0.0
#route = 185.34.188.0/255.255.252.0
#route = 192.147.117.0/255.255.255.0
#route = 192.150.0.0/255.255.240.0
#route = 192.150.16.0/255.255.248.0
#route = 192.243.224.0/255.255.240.0
#route = 192.243.248.0/255.255.248.0
#route = 193.104.215.0/255.255.255.0
#route = 195.35.86.0/255.255.255.0
#route = 208.77.136.0/255.255.252.0
#route = 216.104.208.0/255.255.248.0
#route = 216.104.216.0/255.255.252.0
#route = 216.104.220.0/255.255.254.0
#route = 63.140.32.0/255.255.224.0
#route = 66.117.16.0/255.255.240.0
#route = 66.235.0.0/255.255.0.0
# Akamai
route = 23.0.0.0/255.128.0.0
route = 23.192.0.0/255.192.0.0
route = 60.254.128.0/255.255.192.0
route = 63.0.0.0/255.0.0.0
route = 64.0.0.0/254.0.0.0
route = 66.171.0.0/255.255.0.0
route = 66.198.8.0/255.255.255.0
route = 67.131.232.0/255.255.255.0
route = 69.192.0.0/255.255.0.0
route = 69.22.154.0/255.255.254.0
route = 69.31.0.0/255.255.0.0
route = 70.39.163.0/255.255.255.0
route = 70.39.178.0/255.255.254.0
route = 72.246.0.0/255.254.0.0
#route = 96.16.0.0/255.254.0.0
#route = 96.6.0.0/255.254.0.0
#route = 98.124.141.0/255.255.255.0
route = 104.64.0.0/255.192.0.0
route = 172.224.0.0/255.240.0.0
route = 184.24.0.0/255.248.0.0
route = 184.50.0.0/255.254.0.0
route = 184.84.0.0/255.252.0.0
route = 216.151.176.0/255.255.255.0
route = 216.151.187.0/255.255.255.0
route = 216.206.30.0/255.255.255.0
route = 216.246.122.0/255.255.255.0
route = 216.246.75.0/255.255.255.0
route = 216.246.87.0/255.255.255.0
route = 216.246.93.0/255.255.255.0
route = 173.222.0.0/255.254.0.0
route = 173.245.0.0/255.255.0.0
route = 198.144.0.0/255.255.0.0
route = 198.47.108.0/255.255.255.0
#route = 204.10.28.0/255.255.252.0
#route = 204.8.48.0/255.255.252.0
#route = 204.93.0.0/255.255.0.0
#route = 204.95.24.0/255.255.254.0
#route = 205.161.113.0/255.255.255.0
#route = 205.185.204.0/255.255.254.0
#route = 205.234.218.0/255.255.255.0
#route = 205.234.225.0/255.255.255.0
#route = 205.246.30.0/255.255.255.0
#route = 208.34.250.0/255.255.255.0
#route = 209.107.0.0/255.255.0.0
#route = 209.136.40.0/255.255.255.0
#route = 209.170.0.0/255.255.0.0
#route = 209.234.250.0/255.255.255.0
#route = 209.234.252.0/255.255.255.0
#route = 209.95.152.0/255.255.255.0
# Cloudflare
route = 104.16.0.0/255.240.0.0
route = 108.162.192.0/255.255.192.0
route = 162.158.0.0/255.254.0.0
#route = 173.245.48.0/255.255.240.0
route = 198.41.128.0/255.255.128.0
route = 199.27.128.0/255.255.248.0
#route = 204.93.177.0/255.255.255.0
# E-hentai
route = 37.48.64.0/255.255.192.0
route = 85.17.0.0/255.255.0.0
route = 95.211.0.0/255.255.0.0
# Facebook
route = 31.13.24.0/255.255.248.0
route = 31.13.64.0/255.255.192.0
route = 66.220.144.0/255.255.240.0
route = 69.171.224.0/255.255.224.0
route = 69.63.176.0/255.255.240.0
route = 74.119.76.0/255.255.252.0
#route = 173.252.64.0/255.255.192.0
route = 199.201.64.0/255.255.252.0
#route = 204.15.20.0/255.255.252.0
# Fastly
#route = 23.235.32.0/255.255.240.0
#route = 104.156.80.0/255.255.240.0
route = 199.27.72.0/255.255.248.0
# Fc2
route = 199.116.176.0/255.255.252.0
#route = 208.71.104.0/255.255.252.0
# Mediafire
route = 199.91.152.0/255.255.248.0
#route = 205.196.120.0/255.255.252.0
# Ntt
route = 66.116.105.0/255.255.255.0
route = 128.121.0.0/255.255.0.0
route = 128.240.0.0/255.254.0.0
route = 128.242.0.0/255.255.0.0
route = 129.250.0.0/255.255.0.0
route = 130.94.0.0/255.255.0.0
route = 131.103.0.0/255.255.0.0
route = 140.174.0.0/255.255.0.0
route = 157.238.0.0/255.255.0.0
route = 161.58.0.0/255.255.0.0
route = 165.254.0.0/255.255.0.0
route = 168.143.0.0/255.255.0.0
route = 192.102.248.0/255.255.255.0
route = 192.147.160.0/255.255.248.0
route = 192.147.176.0/255.255.252.0
route = 192.204.0.0/255.255.0.0
route = 192.217.0.0/255.255.0.0
route = 192.220.0.0/255.255.0.0
route = 192.35.171.0/255.255.255.0
route = 192.67.14.0/255.255.255.0
route = 192.67.236.0/255.255.252.0
route = 192.80.12.0/255.255.252.0
#route = 198.0.0.0/255.0.0.0
#route = 199.0.0.0/255.0.0.0
route = 204.0.0.0/252.0.0.0
route = 208.0.0.0/254.0.0.0
route = 216.115.90.0/255.255.254.0
route = 216.167.0.0/255.255.128.0
route = 216.42.0.0/255.255.0.0
route = 216.44.0.0/255.255.0.0
# Timewarner
#route = 76.85.128.0/255.255.128.0
#route = 76.85.16.0/255.255.240.0
#route = 76.85.4.0/255.255.252.0
#route = 76.85.48.0/255.255.248.0
#route = 76.85.64.0/255.255.224.0
#route = 76.85.96.0/255.255.252.0
#route = 76.86.0.0/255.254.0.0
#route = 76.88.0.0/255.248.0.0
route = 76.0.0.0/255.0.0.0
route = 96.0.0.0/255.0.0.0
route = 97.0.0.0/255.0.0.0
route = 98.0.0.0/255.0.0.0
#route = 96.10.0.0/255.254.0.0
#route = 96.28.0.0/255.254.0.0
#route = 97.104.0.0/255.254.0.0
#route = 97.106.0.0/255.255.128.0
#route = 97.106.128.0/255.255.192.0
#route = 97.76.0.0/255.254.0.0
#route = 97.78.0.0/255.255.128.0
#route = 97.78.128.0/255.255.224.0
#route = 97.79.0.0/255.255.0.0
#route = 97.96.0.0/255.248.0.0
#route = 98.0.0.0/255.240.0.0
#route = 98.100.0.0/255.252.0.0
#route = 98.120.0.0/255.252.0.0
#route = 98.144.0.0/255.248.0.0
#route = 98.152.0.0/255.252.0.0
#route = 98.156.0.0/255.254.0.0
#route = 98.24.0.0/255.248.0.0
# 6park
route = 159.106.121.0/255.255.255.0
route = 198.11.0.0/255.255.0.0
route = 173.192.0.0/255.255.0.0
route = 50.22.0.0/255.255.0.0
# kakao.com
route = 110.76.141.0/255.255.255.0
# shadownsocks
route = 103.245.0.0/255.255.0.0
# softether.org
route = 27.121.46.0/255.255.255.0
# haproxy.org
route = 195.154.117.0/255.255.255.0
# openvpn.net
route = 189.163.17.5/255.255.255.255
# menuetos.net
route = 213.188.129.144/255.255.255.255
# gamer.com.tw
route = 60.199.217.0/255.255.255.0
_EOF_
 
    #修改ocserv服务
    #sed -i "s#^ExecStart=#ExecStartPre=/usr/bin/firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -s 192.168.8.0/21 -j ACCEPT\nExecStartPre=/usr/bin/firewall-cmd --direct --add-rule ipv4 nat POSTROUTING 0 -s 192.168.8.0/21 -o ${eth} -j MASQUERADE\nExecStart=#g" "/usr/lib/systemd/system/ocserv.service"
    sed -i "s#/usr/sbin/ocserv#/usr/local/sbin/ocserv#g" "/usr/lib/systemd/system/ocserv.service"
    sed -i "s#/etc/ocserv/ocserv.conf#$confdir/ocserv.conf#g" "/usr/lib/systemd/system/ocserv.service"
}
 
function ConfigFirewall {
 
firewalldisactive=$(systemctl is-active firewalld.service)
iptablesisactive=$(systemctl is-active iptables.service)
 
if [[ ${firewalldisactive} = 'active' ]]; then
    #添加防火墙允许列表
    echo "Adding firewall ports."
    firewall-cmd --permanent --add-port=${port}/tcp
    firewall-cmd --permanent --add-port=${port}/udp
    echo "Allow firewall to forward."
    firewall-cmd --permanent --add-masquerade
    echo "Reload firewall configure."
    firewall-cmd --reload
elif [[ ${iptablesisactive} = 'active' ]]; then
    iptables -I INPUT -p tcp --dport ${port} -j ACCEPT
    iptables -I INPUT -p udp --dport ${port} -j ACCEPT
    iptables -A FORWARD -s 192.168.8.0/21 -j ACCEPT
    iptables -t nat -A POSTROUTING -s 192.168.8.0/21 -o ${eth} -j MASQUERADE
    service iptables save
else
    printf "\e[33mWARNING!!! Either firewalld or iptables is NOT Running! \e[0m\n"
fi
}
 
function ConfigSystem {
    #关闭selinux
    sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config
    setenforce 0
    #修改系统
    echo "Enable IP forward."
    sysctl -w net.ipv4.ip_forward=1
    echo net.ipv4.ip_forward = 1 >> "/etc/sysctl.conf"
    systemctl daemon-reload
    echo "Enable ocserv service to start during bootup."
    systemctl enable ocserv.service
    #开启ocserv服务
    systemctl start ocserv.service
    echo
}
 
function PrintResult {
    #检测防火墙和ocserv服务是否正常
    clear
    printf "\e[36mChenking Firewall status...\e[0m\n"
    iptables -L -n | grep --color=auto -E "(${port}|192.168.8.0)"
    line=$(iptables -L -n | grep -c -E "(${port}|192.168.8.0)")
    if [[ ${line} -ge 2 ]]
    then
        printf "\e[34mFirewall is Fine! \e[0m\n"
    else
        printf "\e[33mWARNING!!! Firewall is Something Wrong! \e[0m\n"
    fi
 
    echo
    printf "\e[36mChenking ocserv service status...\e[0m\n"
    netstat -anp | grep ":${port}" | grep --color=auto -E "(${port}|ocserv|tcp|udp)"
    linetcp=$(netstat -anp | grep ":${port}" | grep ocserv | grep tcp | wc -l)
    lineudp=$(netstat -anp | grep ":${port}" | grep ocserv | grep udp | wc -l)
    if [[ ${linetcp} -ge 1 && ${lineudp} -ge 1 ]]
    then
        printf "\e[34mocserv service is Fine! \e[0m\n"
    else
        printf "\e[33mWARNING!!! ocserv service is NOT Running! \e[0m\n"
    fi
 
    #打印VPN参数
    printf "
    if there are \e[33mNO WARNING\e[0m above, then you can connect to
    your ocserv VPN Server with the default user/password below:
    ======================================\n"
    echo -e "IPv4:\t\t\e[34m$(echo ${ipv4})\e[0m"
    echo -e "IPv6:\t\t\e[34m$(echo ${ipv6})\e[0m"
    echo -e "Port:\t\t\e[34m${port}\e[0m"
    echo -e "Username:\t\e[34m${username}\e[0m"
    echo -e "Password:\t\e[34m${password}\e[0m"
}
 
ConfigEnvironmentVariable
PrintEnvironmentVariable
CompileOcserv $@
ConfigOcserv
ConfigFirewall
ConfigSystem
PrintResult
exit 0

升级

#!/bin/bash
 
ocserv_version=0.10.4
version=${1-${ocserv_version}}
libtasn1_version=4.5
filename="ocserv-${version}.tar.xz"
dirname="ocserv-${version}"
url="ftp://ftp.infradead.org/pub/ocserv/${filename}"
##export LIBGNUTLS_CFLAGS="-I/usr/include/" LIBGNUTLS_LIBS="-L/usr/lib/ -lgnutls"
 
#检测是否是root用户
if [[ $(id -u) != "0" ]]; then
    printf "\e[42m\e[31mError: You must be root to run this install script.\e[0m\n"
    exit 1
fi
 
#检测是否是CentOS 7或者RHEL 7
if [[ $(grep "release 7." /etc/redhat-release 2>/dev/null | wc -l) -eq 0 ]]; then
    printf "\e[42m\e[31mError: Your OS is NOT CentOS 7 or RHEL 7.\e[0m\n"
    printf "\e[42m\e[31mThis install script is ONLY for CentOS 7 and RHEL 7.\e[0m\n"
    exit 1
fi
 
function updatelibtasn1 {
    wget -t 0 -T 60 "http://ftp.gnu.org/gnu/libtasn1/libtasn1-${libtasn1_version}.tar.gz"
    tar axf libtasn1-${libtasn1_version}.tar.gz
    cd libtasn1-${libtasn1_version}
    ./configure --prefix=/usr --libdir=/usr/lib64 --includedir=/usr/include
    make && make install
    cd ..
}
 
case $1 in
   updatelibtasn1)
        updatelibtasn1
        ;;
esac
 
#下载ocserv并编译安装
if [ ! -f "${filename}" ]; then
    wget -t 0 -T 60 "${url}"
fi
rm -rf "${dirname}"
tar axf "${filename}"
cd "${dirname}"
 
sed -i 's/#define MAX_CONFIG_ENTRIES.*/#define MAX_CONFIG_ENTRIES 200/g' src/vpn.h
./configure
make && make install
 
exit 0

还没有评论,快来抢沙发!

发表评论

  • 😉
  • 😐
  • 😡
  • 😈
  • 🙂
  • 😯
  • 🙁
  • 🙄
  • 😛
  • 😳
  • 😮
  • emoji-mrgree
  • 😆
  • 💡
  • 😀
  • 👿
  • 😥
  • 😎
  • ➡
  • 😕
  • ❓
  • ❗
  • 66 queries in 0.387 seconds