AnyLink is an enterprise-level remote office sslvpn software that can support multiple people using it online at the same time.
AnyLink is based on ietf-openconnect Protocol development, and draws on the development ideas of ocserv to make it compatible with the AnyConnect client at the same time.
AnyLink uses TLS/DTLS for data encryption, so an RSA or ECC certificate is required. You can apply for a free SSL certificate through Let's Encrypt and TrustAsia.
The AnyLink server is only tested on CentOS 7, CentOS 8, Ubuntu 18.04, Ubuntu 20.04 and Ubuntu 22.04. If it needs to be installed on other systems, the server needs to support the tun/tap function and ip setting command, iptables command.
People without programming foundation are recommended to download the release package directly and download anylink-deploy.tar.gz from the address below.
For the test environment, you can use vpn.xxx.com to bind the host for testing
For online environments, you must apply for a secure https certificate, and private certificate connections are not supported.
Server installation yum install iproute or apt-get install iproute2
Please use the version of the group shared file for the client. Other versions have not been tested and are not guaranteed to work properly.
Other questions Go to view
For first time use, please visit https://domain name:443 in the browser. After the browser prompts that it is safe, enter [domain name: 443] on the client.
Docker needs to be installed in advance
git clone https://github.com/cherts/anylink.git
# docker compilation reference software version (no installation required)
# go 1.22
# node v16.20.2
# yarn 1.22.19
cd anylink
# Compile front-end
bash build_web.sh
# Compile anylink-deploy release files
bash build.sh
# Make sure to run with root privileges
cd anylink-deploy
sudo ./anylink
# Default management background access address
# Note that the host is the internal network IP of anylink and cannot be the same as the IP requested by the client.
# https://host:8800
# Default account password
# admin 123456
- IP allocation (implementing persistence of IP and MAC mapping information)
- TLS-TCP tunnel
- DTLS-UDP channel
- Compatible with AnyConnect
- Compatible with OpenConnect
- Nat access mode based on tun device
- Bridged access mode based on tun device
- Bridged access mode based on macvtap device
- Support proxy protocol v1&v2 protocol
- User group support
- User group policy support
- Multi-user support
- User policy support
- TOTP token support
- TOTP token switch
- Traffic rate limit
- Backend management interface
- Access rights management
- User activity audit function
- IP access audit function
- Domain name dynamic split tunnel (domain name routing function)
- radius authentication support
- LDAP authentication support
- Automatically disconnect when idle link times out
- Traffic compression function
- Automatic release of egress IP
- Support configuration differentiation of multiple services
- Bridge access mode based on ipvtap device
There are detailed comments in the sample configuration file. Just fill in the configuration according to the comments.
# View help information
./anylink -h
# Generate admin password
./anylink tool -p 123456
# Generate JWT key
./anylink tool -s
# View all configuration items
./anylink tool -d
Database configuration example
Database table structure is automatically generated, no need to manually import (please grant DDL permission)
db_type | db_source |
---|---|
sqlite3 | ./conf/anylink.db |
mysql | user:password@tcp(127.0.0.1:3306)/anylink?charset=utf8 |
postgres | user:password@localhost/anylink?sslmode=verify-full |
Sample configuration file
Please back up the configuration file
conf
directory and database before upgrading, and stop the serviceReplace the old version with the new version of the
anylink
binaryAfter restarting the service, the upgrade can be completed
Server-side dependency installation:
centos: yum install iptables iproute
ubuntu: apt-get install iptables iproute2
One of the following parameters must be set
To select the network mode, you need to configure the link_mode
parameter, such as link_mode="tun"
, link_mode="macvtap"
, link_mode="tap"(not recommended)
and other parameters.
Different parameters require corresponding settings on the server.
It is recommended to choose tun mode first, followed by macvtap mode, because the client transmits IP layer data and does not need to perform data conversion. tap mode is done in user mode at the link layer to Data at the IP layer is converted to each other, and performance will be degraded. If you need to enable tap in the virtual machine mode, please confirm that the virtual machine's network card is enabled in promiscuous mode.
- Enable server forwarding
# The new version supports automatic setting of IP forwarding
# file: /etc/sysctl.conf
net.ipv4.ip_forward = 1
# Execute command
sysctl -w net.ipv4.ip_forward=1
# Check whether the settings take effect
cat /proc/sys/net/ipv4/ip_forward
2.1 Set nat forwarding rules (choose one of two)
systemctl stop firewalld.service
systemctl disable firewalld.service
# The new version supports automatic setting of NAT forwarding. If you have other needs, you can refer to the following command configuration.
# Please replace eth0 according to the server's internal network card
# iptables -t nat -A POSTROUTING -s 192.168.90.0/24 -o eth0 -j MASQUERADE
# If the first command does not take effect, you can continue to execute the following command
# iptables -A FORWARD -i eth0 -s 192.168.90.0/24 -j ACCEPT
# Check whether the settings take effect
# iptables -nL -t nat
2.2 Use global route forwarding (choose one of two)
# Assume the intranet IP of the server where anylink is located: 10.1.2.10
# First turn off the nat forwarding function
iptables_nat = false
# For traditional network architecture, add the following static routing rules to the H3C switch
ip route-static 192.168.90.0 255.255.255.0 10.1.2.10
# For switch commands of other brands, please refer to the following address
https://cloud.tencent.com/document/product/216/62007
# In a public cloud environment, you need to set up the routing table under vpc and add the following routing policy
Destination: 192.168.90.0/24
Next hop type: Cloud server
Next hop: 10.1.2.10
- Just connect using the AnyConnect client
- Set up the configuration file
macvtap setting is relatively simple, you only need to configure the corresponding parameters.
Network requirements: The network needs to support ARP transmission, and ordinary intranet IP can be announced through ARP.
Network restrictions: cannot be used in cloud environment, cannot be used in network card mac plus white environment, cannot be used in 802.1x certified network
The following parameters can be viewed by executing
ip a
1.1 arp_proxy
# file: /etc/sysctl.conf
net.ipv4.conf.all.proxy_arp = 1
#Execute the following command
sysctl -w net.ipv4.conf.all.proxy_arp=1
Configuration file modification:
# First turn off the nat forwarding function
iptables_nat = false
link_mode = "tun"
#Internal network main network card name
ipv4_master = "eth0"
#The following network segments need to be set the same as the ipv4_master network card
ipv4_cidr = "10.1.2.0/24"
ipv4_gateway = "10.1.2.99"
ipv4_start = "10.1.2.100"
ipv4_end = "10.1.2.200"
1.2 macvtap
# Command line execution master network card needs to turn on promiscuous mode
ip link set dev eth0 promisc on
#=====================#
# Configuration file modification
# First turn off the nat forwarding function
iptables_nat = false
link_mode = "macvtap"
#Internal network main network card name
ipv4_master = "eth0"
#The following network segments need to be set the same as the ipv4_master network card
ipv4_cidr = "10.1.2.0/24"
ipv4_gateway = "10.1.2.1"
ipv4_start = "10.1.2.100"
ipv4_end = "10.1.2.200"
The deployment configuration file is placed in the
deploy
directory. Please modify the configuration file according to the actual situation.
-
Add anylink program
- Copy
anylink-deploy/anylink
binary to/usr/sbin/anylink
- Add execution permissions
chmod +x /usr/sbin/anylink
- Copy
-
Added config file
- Create config directory
/etc/anylink
- Copy file
anylink-deploy/conf/server-sample.toml
to/etc/anylink/server.toml
- Copy file
anylink-deploy/conf/profile.xml
,anylink-deploy/conf/vpn_cert.crt
,anylink-deploy/conf/vpn_cert.key
to/etc/anylink
- Create config directory
-
Added working file
- Create working directory
/var/lib/anylink
and/var/lib/anylink/files
- Copy file
anylink-deploy/conf/files/index.html
,anylink-deploy/conf/files/info.txt
to/var/lib/anylink/files
- Create working directory
-
Copy systemd unit file
anylink-deploy/systemd/anylink.service
to:- for CentOS:
/usr/lib/systemd/system/
- for Ubuntu:
/lib/systemd/system/
- and exec:
systemctl daemon-reload
- for CentOS:
-
Operation command:
- Start:
systemctl start anylink
- Stop:
systemctl stop anylink
- Start automatically at boot:
systemctl enable anylink
- Start:
- Enter the
deploy
directory - Execute
docker-compose up
- Enter the
deploy
directory - Execute
kubectl apply -f deployment.yaml
-
Get image
# Specific tags can be obtained from docker hub # https://hub.docker.com/r/cherts/anylink/tags docker pull cherts/anylink:latest
-
View command information
docker run -it --rm cherts/anylink -h
-
Generate password
docker run -it --rm cherts/anylink tool -p 123456 #Passwd:$2a$10$lCWTCcGmQdE/4Kb1wabbLelu4vY/cUwBwN64xIzvXcihFgRzUvH2a
-
Generate JWT secret
docker run -it --rm cherts/anylink tool -s #Secret:9qXoIhY01jqhWIeIluGliOS4O_rhcXGGGu422uRZ1JjZxIZmh17WwzW36woEbA
-
View all configuration items
docker run -it --rm cherts/anylink tool -d
-
Start container
# Start by default docker run -itd --name anylink --privileged \ -p 443:443 -p 8800:8800 -p 443:443/udp \ --restart=always \ cherts/anylink # Custom configuration directory # A configuration file will be automatically created on first startup # After the configuration file is initialized, the container will be forced to exit. Please restart the container. docker run -itd --name anylink --privileged \ -p 443:443 -p 8800:8800 -p 443:443/udp \ -v /home/myconf:/app/conf \ --restart=always \ cherts/anylink docker restart anylink
-
Start container with custom parameters
# Parameters can refer to ./anylink tool -d # You can use command line parameters or environment variables to configure docker run -itd --name anylink --privileged \ -e LINK_LOG_LEVEL=info \ -p 443:443 -p 8800:8800 -p 443:443/udp \ -v /home/myconf:/app/conf \ --restart=always \ cherts/anylink \ --ip_lease=1209600 # IP address lease length
-
Build the image (optional)
# Get the warehouse source code git clone https://github.com/cherts/anylink.git # Build image bash build_docker.sh or docker build -t anylink -f docker/Dockerfile .
Please go to question address for detailed information
Telegram: @cherts
- AnyConnect Secure Client (Can be downloaded through group files: Windows/macOS/Linux/Android/iOS)
- OpenConnect (Windows/macOS/Linux)
- Mikata AnyLink Secure Client (Windows/macOS/Linux)
- Third-party client download address (Windows/macOS/Linux/Android/iOS)
Welcome to submit PRs and Issues, and thank you for contributing to AnyLink.
Note that when creating a new PR, you need to submit it to the dev branch, and other branches will not be merged yet.
This project adopts the AGPL-3.0 open source license, and the complete authorization instructions have been placed in the LICENSE file.