self-hosted/dockerfiles
1
0
Fork 0
mirror of https://github.com/vimagick/dockerfiles.git synced 2025-04-21 12:07:00 +02:00
Code Issues Releases Activity

ocserv: enable-auth = "certificate"

Browse Source
This commit is contained in:
kev 2016-06-29 16:30:45 +08:00
parent b33593e7a8
commit eb1bcc0e5e
4 changed files with 45 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
ocserv/Dockerfile
View File

@ -52,9 +52,12 @@ RUN set -xe \
&& make install \ && make install \
&& mkdir -p /etc/ocserv/certs \ && mkdir -p /etc/ocserv/certs \
&& cp ./doc/sample.config /etc/ocserv/ocserv.conf \ && cp ./doc/sample.config /etc/ocserv/ocserv.conf \
&& sed -i -e 's@../tests/@/etc/ocserv/certs/@' \ && cp ./doc/profile.xml /etc/ocserv/profile.xml \
&& sed -i -e 's@^#user-profile = /path/to/file.xml@user-profile = /etc/ocserv/profile.xml@' \
-e 's@../tests/@/etc/ocserv/certs/@' \
-e 's@certs/ca.pem@certs/ca-cert.pem@' \ -e 's@certs/ca.pem@certs/ca-cert.pem@' \
-e 's@./sample.passwd@/etc/ocserv/ocpasswd@' \ -e 's@./sample.passwd@/etc/ocserv/ocpasswd@' \
-e 's@^#enable-auth = "certificate"$@enable-auth = "certificate"@' \
-e 's@^try-mtu-discovery = false$@try-mtu-discovery = true@' \ -e 's@^try-mtu-discovery = false$@try-mtu-discovery = true@' \
-e 's@^dns =.*$@dns = 8.8.8.8@' \ -e 's@^dns =.*$@dns = 8.8.8.8@' \
-e 's@^route@#&@' \ -e 's@^route@#&@' \

9
ocserv/README.md
View File

@ -23,4 +23,13 @@ ocserv:
restart: always restart: always
``` ```
> :warning: Please choose a strong password to protect VPN service.
## up and running
```bash
$ docker-compose up -d
$ docker cp ocserv_ocserv_1:/etc/ocserv/certs/client.p12 .
```
[1]: http://www.infradead.org/ocserv/ [1]: http://www.infradead.org/ocserv/

2
ocserv/docker-entrypoint.sh
View File

@ -10,4 +10,4 @@ fi
iptables -t nat -A POSTROUTING -s ${VPN_NETWORK}/${VPN_NETMASK} -j MASQUERADE iptables -t nat -A POSTROUTING -s ${VPN_NETWORK}/${VPN_NETMASK} -j MASQUERADE
exec ocserv -c /etc/ocserv/ocserv.conf -f $@ exec ocserv -c /etc/ocserv/ocserv.conf -f -d 1 "$@"

31
ocserv/init.sh
View File

@ -34,6 +34,16 @@ signing_key
tls_www_server tls_www_server
_EOF_ _EOF_
cat > client.tmpl <<_EOF_
cn = "client@${VPN_DOMAIN}"
uid = "client@${VPN_DOMAIN}"
unit = "ocserv"
expiration_days = 3650
signing_key
tls_www_client
_EOF_
# gen ca keys
certtool --generate-privkey \ certtool --generate-privkey \
--outfile ca-key.pem --outfile ca-key.pem
@ -42,6 +52,7 @@ certtool --generate-self-signed \
--template ca.tmpl \ --template ca.tmpl \
--outfile ca-cert.pem --outfile ca-cert.pem
# gen server keys
certtool --generate-privkey \ certtool --generate-privkey \
--outfile server-key.pem --outfile server-key.pem
@ -52,6 +63,26 @@ certtool --generate-certificate \
--template server.tmpl \ --template server.tmpl \
--outfile server-cert.pem --outfile server-cert.pem
# gen client keys
certtool --generate-privkey \
--outfile client-key.pem
certtool --generate-certificate \
--load-privkey client-key.pem \
--load-ca-certificate ca-cert.pem \
--load-ca-privkey ca-key.pem \
--template client.tmpl \
--outfile client-cert.pem
certtool --to-p12 \
--load-privkey client-key.pem \
--pkcs-cipher 3des-pkcs12 \
--load-certificate client-cert.pem \
--outfile client.p12 \
--outder \
--p12-name "${VPN_USERNAME}" \
--password "${VPN_PASSWORD}"
sed -i -e "s@^ipv4-network =.*@ipv4-network = ${VPN_NETWORK}@" \ sed -i -e "s@^ipv4-network =.*@ipv4-network = ${VPN_NETWORK}@" \
-e "s@^ipv4-netmask =.*@ipv4-netmask = ${VPN_NETMASK}@" /etc/ocserv/ocserv.conf -e "s@^ipv4-netmask =.*@ipv4-netmask = ${VPN_NETMASK}@" /etc/ocserv/ocserv.conf