## 1. First add two users, each assigned to a group

```
ocpasswd -c /etc/ocserv/ocpasswd -g group1 user1
ocpasswd -c /etc/ocserv/ocpasswd -g group2 user2
```

(The group name given to `-g` must match the per-group file name created in step 2 exactly; a misspelled group such as `gruop1` silently falls back to `default-group-config`.)

## 2. Create the per-group route files

```
mkdir /etc/ocserv/group
echo "route = 10.10.0.0/255.255.255.0" >> /etc/ocserv/group/group1
echo "no-route = 211.80.0.0/255.240.0.0" >> /etc/ocserv/group/group2
```

The two route entries above are just arbitrary examples for group1 and group2; add your own routing rules. A group file can also carry DNS and disconnect-timeout (idle) parameters. Note that `route` / `no-route` entries are only pushed to the client, which installs them locally; they do not by themselves stop the server from forwarding other traffic, so enforce split tunnelling with firewall rules on the `vpns` interface (or `restrict-user-to-routes` where your ocserv version supports it).

## 3. Add the new directives to ocserv.conf

```
config-per-group = /etc/ocserv/group/
default-group-config = /etc/ocserv/group/group1 # if a user is created without a group, group1 is the default group and its route table is used
default-select-group = group1 # group offered when the client has no group selection; same fallback as above
auto-select-group = false
```

## 4. Restart

```
/etc/init.d/ocserv stop
/etc/init.d/ocserv start
```

## The config I use

```
auth = "plain[passwd=/etc/ocserv/ocpasswd]"
# listen-host = [IP|HOSTNAME]
tcp-port = 56789
udp-port = 56789
run-as-user = nobody
run-as-group = daemon
config-per-group = /etc/ocserv/group/
default-group-config = /etc/ocserv/group/yq
default-select-group = yq
auto-select-group = false
socket-file = /var/run/ocserv-socket
server-cert = /etc/ocserv/ssl/server-cert.pem
server-key = /etc/ocserv/ssl/server-key.pem
ca-cert = /etc/ocserv/ssl/ca-cert.pem
isolate-workers = true
banner = "Welcome Banalala"
max-clients = 0
max-same-clients = 100
rate-limit-ms = 0
server-stats-reset-time = 604800
keepalive = 32400
dpd = 90
mobile-dpd = 1800
switch-to-tcp-timeout = 25
try-mtu-discovery = false
mtu = 2000
tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-VERS-SSL3.0"
auth-timeout = 240
idle-timeout = 86400
mobile-idle-timeout = 86400
min-reauth-time = 300
max-ban-score = 80
ban-reset-time = 1200
cookie-timeout = 300
deny-roaming = true
rekey-time = 172800
rekey-method = ssl
use-occtl = true
pid-file = /var/run/ocserv.pid
net-priority = 6
device = vpns
predictable-ips = true
default-domain = example.com
ipv4-network = 10.10.0.0
ipv4-netmask = 255.255.255.0
# An alternative way of specifying the network:
#ipv4-network = 192.168.1.0/24

# The IPv6 subnet that leases will be given from.
#ipv6-network = fda9:4efe:7e3b:03ea::/48

# Specify the size of the network to provide to clients. It is
# generally recommended to provide clients with a /64 network in
# IPv6, but any subnet may be specified. To provide clients only
# with a single IP use the prefix 128.
#ipv6-subnet-prefix = 128
#ipv6-subnet-prefix = 64

#tunnel-all-dns = true
dns = 8.8.8.8
dns = 223.5.5.5
ping-leases = true
#route = 10.10.0.0/255.255.255.0
#route = 0.0.0.0/0.0.0.0
cisco-client-compat = true
dtls-legacy = true
```

Last modified: 14 April 2019. © Reproduction permitted with proper attribution.
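As an added example (not code from the original post or from the ocserv project), the script below replays steps 1 and 2 in a throw-away directory so it runs without root, then performs the check a practitioner wants before the restart in step 4: every group named in `ocpasswd` must have a matching file under `config-per-group`, otherwise the user silently lands on `default-group-config` with the wrong routes. It assumes the `ocpasswd` line format `user:group:hash`, with an empty group field meaning "use the default group config" and (in newer ocpasswd) a comma-separated list for multiple groups; the hashes in the sample file are constructed placeholders.

```shell
#!/bin/sh
# check_ocserv_groups PASSWD_FILE GROUP_DIR
# Prints "user:group" for every group reference without a config file under
# GROUP_DIR and returns non-zero in that case; returns 0 when all match.
# Assumed ocpasswd format: user:group:hash (group empty or comma-separated).
check_ocserv_groups() {
    passwd_file=$1
    group_dir=$2
    missing=""
    while IFS=: read -r user groups _hash; do
        [ -z "$user" ] && continue          # skip blank lines
        [ -z "$groups" ] && continue        # no group: default-group-config applies
        old_ifs=$IFS
        IFS=,                               # split a comma-separated group list
        for g in $groups; do
            [ -f "$group_dir/$g" ] || missing="$missing $user:$g"
        done
        IFS=$old_ifs
    done < "$passwd_file"
    missing=${missing# }
    [ -n "$missing" ] && printf '%s\n' "$missing"
    [ -z "$missing" ]
}

# Constructed stand-in for /etc/ocserv (assumption: ocserv never reads it).
demo=$(mktemp -d)
mkdir -p "$demo/group"
echo "route = 10.10.0.0/255.255.255.0"    > "$demo/group/group1"
echo "no-route = 211.80.0.0/255.240.0.0"  > "$demo/group/group2"
# user2 carries the same kind of typo as the post's "gruop1"; user3 has no group.
cat > "$demo/ocpasswd" <<'EOF'
user1:group1:$5$placeholder$hash1
user2:gruop2:$5$placeholder$hash2
user3::$5$placeholder$hash3
EOF

if check_ocserv_groups "$demo/ocpasswd" "$demo/group"; then
    echo "every group has a config file; safe to restart ocserv"
else
    echo "fix the group names above (ocpasswd -g ...) before restarting" >&2
fi
rm -rf "$demo"
```

Run it against the real paths (`/etc/ocserv/ocpasswd` and `/etc/ocserv/group`) right before `/etc/init.d/ocserv start`; a non-zero exit means at least one user would get the default group's routes instead of its own.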