2016-06-28 22:35:26 +02:00
|
|
|
ocserv
|
|
|
|
======
|
|
|
|
|
2016-06-29 11:01:38 +02:00
|
|
|
![](https://badge.imagelayers.io/vimagick/ocserv:latest.svg)
|
|
|
|
|
2016-06-28 22:35:26 +02:00
|
|
|
[OpenConnect server][1] (ocserv) is an SSL VPN server. Its purpose is to be a
|
|
|
|
secure, small, fast and configurable VPN server.
|
|
|
|
|
|
|
|
## docker-compose.yml
|
|
|
|
|
|
|
|
```yaml
|
|
|
|
ocserv:
|
|
|
|
image: vimagick/ocserv
|
|
|
|
ports:
|
|
|
|
- "4443:443/tcp"
|
|
|
|
- "4443:443/udp"
|
|
|
|
environment:
|
|
|
|
- VPN_DOMAIN=vpn.easypi.info
|
|
|
|
- VPN_NETWORK=10.20.30.0
|
|
|
|
- VPN_NETMASK=255.255.255.0
|
2016-06-29 18:03:46 +02:00
|
|
|
- LAN_NETWORK=192.168.0.0
|
|
|
|
- LAN_NETMASK=255.255.0.0
|
2016-06-28 22:35:26 +02:00
|
|
|
- VPN_USERNAME=username
|
|
|
|
- VPN_PASSWORD=password
|
|
|
|
cap_add:
|
|
|
|
- NET_ADMIN
|
|
|
|
restart: always
|
|
|
|
```
|
|
|
|
|
2016-06-29 11:01:38 +02:00
|
|
|
> - :warning: Please choose a strong password to protect VPN service.
|
|
|
|
> - These environment variables are used to generate config files/keys.
|
|
|
|
> - VPN accounts can be managed via [ocpasswd][2] command.
|
2016-06-29 21:26:48 +02:00
|
|
|
> - VPN status can be viewed via `occtl` command
|
2016-06-29 11:01:38 +02:00
|
|
|
> - You can edit the config file [/etc/ocserv/ocserv.conf][3], then restart service.
|
2016-06-29 10:30:45 +02:00
|
|
|
|
|
|
|
## up and running
|
|
|
|
|
|
|
|
```bash
|
|
|
|
$ docker-compose up -d
|
2016-06-29 11:01:38 +02:00
|
|
|
$ docker-compose exec ocserv bash
|
|
|
|
>>> cd /etc/ocserv/
|
2016-06-29 18:03:46 +02:00
|
|
|
>>> echo 'no-route = 1.2.3.4/32' >> ocserv.conf
|
|
|
|
>>> ocpasswd -c ocpasswd username
|
2016-06-29 11:01:38 +02:00
|
|
|
Enter password: ******
|
|
|
|
Re-enter password: ******
|
|
|
|
>>> exit
|
2016-06-29 18:03:46 +02:00
|
|
|
$ docker-compose restart
|
2016-06-29 10:30:45 +02:00
|
|
|
$ docker cp ocserv_ocserv_1:/etc/ocserv/certs/client.p12 .
|
2016-06-29 14:28:13 +02:00
|
|
|
$ docker cp ocserv_ocserv_1:/etc/ocserv/certs/server-cert.pem .
|
2016-06-29 11:01:38 +02:00
|
|
|
$ docker-compose logs -f
|
|
|
|
```
|
|
|
|
|
2016-06-29 18:03:46 +02:00
|
|
|
To remove the password protection of `client.p12`:
|
|
|
|
|
|
|
|
```bash
|
|
|
|
mv client.p12 client.p12.orig
|
|
|
|
openssl pkcs12 -in client.p12.orig -nodes -out tmp.pem
|
|
|
|
openssl pkcs12 -export -in tmp.pem -out client.p12 -passout pass:
|
|
|
|
rm tmp.pem
|
|
|
|
```
|
|
|
|
|
|
|
|
> :warning: Apple's Keychain Access will refuse to open it with no passphrase.
|
|
|
|
|
2016-06-29 11:24:13 +02:00
|
|
|
## mobile client
|
2016-06-29 11:01:38 +02:00
|
|
|
|
|
|
|
There are two auth types:
|
|
|
|
|
|
|
|
- :-1: passwd: type everytime
|
|
|
|
- :+1: certificate: import once
|
|
|
|
|
|
|
|
```
|
|
|
|
AnyConnect ->
|
|
|
|
Connection ->
|
|
|
|
Add New VPN Connection... ->
|
|
|
|
Advanced Preferences... ->
|
|
|
|
Certificate ->
|
|
|
|
Import ->
|
2016-06-29 11:24:13 +02:00
|
|
|
File System: client.p12
|
2016-06-29 10:30:45 +02:00
|
|
|
```
|
|
|
|
|
2016-06-29 18:03:46 +02:00
|
|
|
> :question: Android client show warning dialog: `Certificate is not yet valid.` ([WHY?][4])
|
2016-06-29 14:28:13 +02:00
|
|
|
|
2016-06-29 11:24:13 +02:00
|
|
|
## desktop client
|
|
|
|
|
|
|
|
[download](https://www.cellsystech.com/software/anyconnect/)
|
|
|
|
|
2016-06-29 14:28:13 +02:00
|
|
|
`client.p12` and `server-cert.pem` can be imported into keychain.
|
2016-06-29 11:24:13 +02:00
|
|
|
|
|
|
|
|
2016-06-28 22:35:26 +02:00
|
|
|
[1]: http://www.infradead.org/ocserv/
|
2016-06-29 11:01:38 +02:00
|
|
|
[2]: http://www.gnutls.org/manual/html_node/certtool-Invocation.html
|
|
|
|
[3]: http://www.infradead.org/ocserv/manual.html
|
2016-06-29 18:03:46 +02:00
|
|
|
[4]: http://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect31/release/notes/anyconnect31rn.html
|