@lostact
Last active November 12, 2022 20:30

Install requirements

sudo apt update
sudo apt install -y libpam0g-dev liblz4-dev libseccomp-dev libreadline-dev libnl-route-3-dev libkrb5-dev libradcli-dev libcurl4-gnutls-dev libcjose-dev libjansson-dev libprotobuf-c-dev libtalloc-dev libhttp-parser-dev protobuf-c-compiler gperf nuttcp lcov libuid-wrapper libpam-wrapper libnss-wrapper libsocket-wrapper gss-ntlmssp iputils-ping gawk gnutls-bin iproute2 yajl-tools tcpdump libgnutls28-dev libev-dev build-essential gcc automake autoconf git certbot nload iptables-persistent

Build Ocserv:

git clone https://gitlab.com/openconnect/ocserv
cd ocserv
autoreconf -fvi
./configure
make
sudo make install

Configure sysctl.conf:

Add these lines to /etc/sysctl.conf using nano:

fs.file-max = 51200
net.core.rmem_max = 67108864
net.core.wmem_max = 67108864
net.core.rmem_default = 65536
net.core.wmem_default = 65536
net.core.netdev_max_backlog = 4096
net.core.somaxconn = 4096
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_fin_timeout = 30
net.ipv4.tcp_keepalive_time = 1200
net.ipv4.ip_local_port_range = 10000 65000
net.ipv4.tcp_max_syn_backlog = 4096
net.ipv4.tcp_max_tw_buckets = 5000
net.ipv4.tcp_fastopen = 3
net.ipv4.tcp_rmem = 4096 87380 67108864
net.ipv4.tcp_wmem = 4096 65536 67108864
net.ipv4.tcp_mtu_probing = 1
net.ipv4.ip_forward=1
net.core.default_qdisc=fq
net.ipv4.tcp_congestion_control=bbr

Then:

sudo sysctl -p
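sysctl -p loads the file, but a mistyped key or a key the running kernel does not have only shows up as an error scrolling past, and nothing afterwards confirms that every value actually took effect. The checker below is an added example, not part of the gist: it re-reads a sysctl.conf-style file and compares each key with the live value from sysctl -n. The sample file is a constructed subset of the guide's settings, and the SYSCTL_READ hook is a hypothetical override (not a sysctl option) so the checker can also run without root or a Linux kernel.

```shell
#!/bin/sh
# Constructed sample: a subset of the lines the guide adds to /etc/sysctl.conf.
SAMPLE_CONF="$(mktemp)"; trap 'rm -f "$SAMPLE_CONF"' EXIT
cat > "$SAMPLE_CONF" <<'EOF'
# constructed subset of the guide's settings
net.ipv4.tcp_syncookies = 1
net.ipv4.ip_forward=1
net.ipv4.tcp_rmem = 4096 87380 67108864
net.ipv4.tcp_congestion_control=bbr
EOF

# read_sysctl KEY: current kernel value of KEY. SYSCTL_READ is a hypothetical
# hook (not a sysctl option): when set, it names a shell function that answers
# instead of sysctl -n, so the checker can be exercised without root.
read_sysctl() {
    if [ -n "${SYSCTL_READ:-}" ]; then "$SYSCTL_READ" "$1"; else sysctl -n "$1" 2>/dev/null; fi
}

# normalize VALUE: collapse whitespace runs. sysctl -n prints tabs between the
# three tcp_rmem/tcp_wmem numbers while the config file uses single spaces.
normalize() { printf '%s' "$1" | tr '\t' ' ' | tr -s ' ' | sed 's/^ //; s/ $//'; }

# sysctl_diff FILE: print "key expected=[..] actual=[..]" for every setting whose
# live value differs from the file; prints nothing when everything matches.
sysctl_diff() {
    grep -v '^[[:space:]]*#' "$1" | grep '=' | while IFS= read -r line; do
        key=$(printf '%s' "${line%%=*}" | tr -d '[:space:]')
        want=$(normalize "${line#*=}")
        have=$(normalize "$(read_sysctl "$key")")
        [ "$want" = "$have" ] || printf '%s expected=[%s] actual=[%s]\n' "$key" "$want" "$have"
    done
}

# sysctl_check FILE: exit status 0 only if sysctl_diff reports no mismatch.
sysctl_check() { [ -z "$(sysctl_diff "$1")" ]; }

# Usage on a host, after sysctl -p:  sysctl_check /etc/sysctl.conf || sysctl_diff /etc/sysctl.conf
sysctl_diff "${1:-$SAMPLE_CONF}"
```

Run it as a script with the real file as the first argument once sysctl -p has been applied; an empty report means every key in the file matches the kernel. A typical mismatch on a fresh box is net.ipv4.tcp_congestion_control staying at cubic because the tcp_bbr module is not loaded.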

Get a Certificate

sudo certbot certonly --standalone --preferred-challenges http --agree-tos --email [email protected] -d example.com

Replace the email address and domain with your own.

Configure IPTables:

Add these lines to /etc/iptables/rules.v4:

*nat
:INPUT ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.10.10.0/24 -o eth0 -j MASQUERADE
COMMIT

Replace eth0 with the name of your internet-facing interface (you can list the interfaces with the ip a command).

To apply the rules run:

sudo iptables-restore < /etc/iptables/rules.v4
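The rule above hardcodes both the interface and the VPN subnet, and the subnet has to agree with the ipv4-network / ipv4-netmask pair set later in ocserv.conf (10.10.10.0 and 255.255.255.0), otherwise client traffic leaves the box unmasqueraded and is dropped upstream. The script below is an added example, not part of the gist: it converts the dotted netmask to a CIDR prefix, rejects non-contiguous masks and interface names that could not be real, and renders the same nat table. default_iface is an added helper that reads the interface from the default route instead of eyeballing ip a; it needs the ip tool and is not exercised by the embedded run.

```shell
#!/bin/sh
# mask_to_prefix DOTTED_MASK: 255.255.255.0 -> 24. Returns 1 for anything that is
# not a contiguous netmask (e.g. 255.0.255.0 or 255.255.255.3).
mask_to_prefix() {
    IFS=. read -r o1 o2 o3 o4 <<EOF
$1
EOF
    n=0; tail=0   # tail=1 once a non-255 octet was seen; only 0 may follow
    for o in "$o1" "$o2" "$o3" "$o4"; do
        if [ "$tail" -eq 1 ] && [ "$o" != 0 ]; then return 1; fi
        case "$o" in
            255) n=$((n+8)) ;;
            254) n=$((n+7)); tail=1 ;;  252) n=$((n+6)); tail=1 ;;
            248) n=$((n+5)); tail=1 ;;  240) n=$((n+4)); tail=1 ;;
            224) n=$((n+3)); tail=1 ;;  192) n=$((n+2)); tail=1 ;;
            128) n=$((n+1)); tail=1 ;;  0)   tail=1 ;;
            *) return 1 ;;
        esac
    done
    echo "$n"
}

# default_iface: interface carrying the default route (empty if none). Added
# helper; replaces the manual "ip a" lookup from the guide.
default_iface() {
    ip -o route show default 2>/dev/null |
        awk '{ for (i = 1; i < NF; i++) if ($i == "dev") { print $(i+1); exit } }'
}

# render_nat_rules IFACE NETWORK NETMASK: print the /etc/iptables/rules.v4 nat
# table from the guide with the interface and subnet filled in.
render_nat_rules() {
    iface="$1"
    prefix=$(mask_to_prefix "$3") || { echo "render_nat_rules: bad netmask '$3'" >&2; return 1; }
    case "$iface" in
        ''|*[!A-Za-z0-9_.:-]*) echo "render_nat_rules: bad interface name '$iface'" >&2; return 1 ;;
    esac
    printf '*nat\n:INPUT ACCEPT [0:0]\n:PREROUTING ACCEPT [0:0]\n:OUTPUT ACCEPT [0:0]\n:POSTROUTING ACCEPT [0:0]\n'
    printf '%s\n' "-A POSTROUTING -s $2/$prefix -o $iface -j MASQUERADE" "COMMIT"
}

# Constructed run with the guide's values. On a host you would write the output:
#   render_nat_rules "$(default_iface)" 10.10.10.0 255.255.255.0 | sudo tee /etc/iptables/rules.v4
render_nat_rules eth0 10.10.10.0 255.255.255.0
```

The interface name check matters because the rendered line is later fed to iptables-restore; a stray value from a copy-paste (spaces, shell metacharacters) is rejected here rather than producing a rule that silently matches nothing.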

Configure OCserv:

Make directories and files:

sudo mkdir /etc/ocserv/
sudo mkdir /var/lib/ocserv
sudo touch /etc/ocserv/ocpasswd

Create /etc/ocserv/ocserv.conf with these contents:

auth = "plain[passwd=/etc/ocserv/ocpasswd]"
tcp-port = 443
run-as-user = nobody
run-as-group = daemon
socket-file = ocserv.socket
chroot-dir = /var/lib/ocserv

server-cert = /etc/letsencrypt/live/example.com/fullchain.pem
server-key = /etc/letsencrypt/live/example.com/privkey.pem

isolate-workers = true
max-clients = 200
max-same-clients = 2
server-stats-reset-time = 604800
keepalive = 300
dpd = 60
mobile-dpd = 300
try-mtu-discovery = false
cert-user-oid = 0.9.2342.19200300.100.1.1
compression = false
tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-RSA:-VERS-SSL3.0:-ARCFOUR-128"
auth-timeout = 120
min-reauth-time = 5
max-ban-score = 0
cookie-timeout = 300
deny-roaming = false
rekey-time = 172800
rekey-method = ssl
use-occtl = true
pid-file = /run/ocserv.pid
net-priority = 5
device = vpns
predictable-ips = true
ipv4-network = 10.10.10.0
ipv4-netmask = 255.255.255.0
tunnel-all-dns = true
dns = 8.8.8.8
dns = 1.1.1.1
ping-leases = false
no-route = 192.168.0.0/255.255.255.0
cisco-client-compat = true
dtls-psk = true
dtls-legacy = true

Replace your certificate path and customize other settings accordingly.
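Several of the settings above are the security-relevant ones: run-as-user, run-as-group and chroot-dir drop and confine the worker processes, isolate-workers turns on the seccomp sandbox for them, max-same-clients caps concurrent sessions per account, and max-ban-score = 0 switches the failed-login ban mechanism off entirely (ocserv's own sample config uses 80 and documents zero as "disabled"). The lint below is an added example, not part of the gist or of ocserv: it reads a file in ocserv's key = value format and reports those points. The embedded config is a constructed copy of the guide's values, so on it the lint reports the disabled ban score and the password-only plain auth.

```shell
#!/bin/sh
# Constructed copy of the guide's ocserv.conf, abridged to the keys the lint reads.
CONF="$(mktemp)"; trap 'rm -f "$CONF"' EXIT
cat > "$CONF" <<'EOF'
auth = "plain[passwd=/etc/ocserv/ocpasswd]"
run-as-user = nobody
run-as-group = daemon
chroot-dir = /var/lib/ocserv
isolate-workers = true
max-clients = 200
max-same-clients = 2
max-ban-score = 0
dns = 8.8.8.8
dns = 1.1.1.1
EOF

# conf_get FILE KEY: value of KEY in ocserv's "key = value" format, last
# occurrence wins, surrounding double quotes stripped; empty if KEY is absent.
conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1 |
        sed 's/^"//; s/"[[:space:]]*$//'
}

# lint_ocserv_conf FILE: one WARN/INFO line per finding, nothing when clean.
lint_ocserv_conf() {
    f="$1"
    case "$(conf_get "$f" max-ban-score)" in
        0) echo "WARN max-ban-score=0: failing clients are never banned; set a positive score" ;;
    esac
    case "$(conf_get "$f" isolate-workers)" in
        true) ;;
        *) echo "WARN isolate-workers is not true: workers run without the seccomp sandbox" ;;
    esac
    case "$(conf_get "$f" run-as-user)" in
        ''|root) echo "WARN run-as-user unset or root: workers keep root privileges" ;;
    esac
    [ -n "$(conf_get "$f" chroot-dir)" ] || echo "INFO chroot-dir unset: workers are not chrooted"
    case "$(conf_get "$f" max-same-clients)" in
        0) echo "INFO max-same-clients=0: unlimited concurrent sessions per account" ;;
    esac
    case "$(conf_get "$f" auth)" in
        plain*) echo "INFO auth=plain: password-only authentication, no client certificate" ;;
    esac
}

# lint_count FILE: number of findings (0 means nothing to report).
lint_count() { lint_ocserv_conf "$1" | grep -c .; }

# Usage on a host: lint_ocserv_conf /etc/ocserv/ocserv.conf
lint_ocserv_conf "${1:-$CONF}"
```

The lint deliberately reads only explicit values: it does not assume ocserv's built-in default for a missing key, so an absent max-ban-score is not reported even though you should still set it. Treat the INFO lines as design choices to confirm, and the WARN lines as settings to change before exposing port 443.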

Add users

To add a user run this command and enter a password:

sudo ocpasswd username

Replace username with the desired username.

Create a service

Create a file in /etc/systemd/system/ocserv.service with these contents (the unit file name must match the ocserv service name used when starting it):

[Unit]
Description=ocserv
After=network.target network-online.target nss-lookup.target mysql.service mariadb.service mysqld.service

[Service]
Type=simple
StandardError=journal
User=root
Group=root
ExecStart=/usr/local/sbin/ocserv -c /etc/ocserv/ocserv.conf
ExecReload=/usr/local/bin/occtl reload
Restart=on-failure
RestartSec=1s

[Install]
WantedBy=multi-user.target

Start the service

sudo systemctl start ocserv
