OpenConnect

From Hurlster Wiki
Jump to navigation Jump to search

Run commands as root/sudo 

apt-get install software-properties-common
add-apt-repository ppa:certbot/certbot
apt-get update
apt-get install certbot

certbot certonly --standalone --preferred-challenges tls-sni -d {domain.tld} 
certbot certonly --standalone -d {domain.tld}
apt-get install ocserv
  • /etc/ocserv/ocserv.conf
auth = "plain[/etc/ocserv/ocpasswd]"
tcp-port = 443
udp-port = 443
run-as-user = nobody
run-as-group = daemon
socket-file = /var/run/ocserv-socket
server-cert = /etc/letsencrypt/live/{domain.tld}/fullchain.pem
server-key = /etc/letsencrypt/live/{domain.tld}/privkey.pem
max-clients = 8
max-same-clients = 0
try-mtu-discovery = true
device = vpns
ipv4-network = 192.168.91.0/28
dns = 8.8.8.8
cisco-client-compat = true

ocpasswd -c /etc/ocserv/ocpasswd MYUSER

systemctl restart ocserv

iptables -t nat -A POSTROUTING -s 192.168.91.0/28 -j SNAT --to-source X.X.X.X(Server Public IP)
iptables -t nat -A POSTROUTING -j MASQUERADE

apt-get install iptables-persistent

/etc/init.d/netfilter-persistent reload
  • /etc/sysctl.conf
net.ipv4.ip_forward=1

sysctl -p
  • Auto renew update

Edit /etc/cron.d/certbot and append this to the end of the certbot command 

--standalone --pre-hook "service ocserv stop" --post-hook "service ocserv start"

or add to crontab as root 

@monthly /usr/bin/certbot renew --standalone --pre-hook "service ocserv stop" --post-hook "service ocserv start"

Build It

cd /opt
wget -4 ftp://ftp.infradead.org/pub/ocserv/ocserv-0.12.1.tar.xz

apt-get install pkg-config nettle-dev libgnutls28-dev libev-dev libgeoip-dev libwrap0-dev liblz4-dev \
libnss-wrapper libpam-wrapper libsocket-wrapper libreadline-dev libnl-3-dev libnl-route-3-dev libpam0g-dev libseccomp-dev

./configure
make

SNIPROXY

  • /etc/sniproxy.conf
listener 0.0.0.0:443 {
   protocol tls
   table TableName

   #we set fallback to be ocserv as older versions of openconnect 
   #don't advertise the hostname they connect to.
   fallback 127.0.0.1:4443
}

table TableName {
   # Match exact request hostnames
   vpn.example.com 127.0.0.1:4443
   www.example.com 127.0.0.1:4444
   .*\\.com    127.0.0.1:4444
}

GROUPS

ocpasswd -c /path/to/passwd/file -g "full,split" username
echo "route = default" > /etc/ocserv/config-per-group/full
echo "route = 192.168.0.0/24" > /etc/ocserv/config-per-group/split

Edit ocserv.conf 

select-group = split
select-group = full[full]
auto-select-group = false
config-per-group = /etc/ocserv/config-per-group/

EXAMPLE OCSERV CONFIG

auth = "plain[passwd=/etc/ocserv/ocpasswd]"
tcp-port = 4443
udp-port = 4443
run-as-user = nobody
run-as-group = daemon
socket-file = /var/run/ocserv-socket
server-cert = /etc/letsencrypt/live/domain.com/fullchain.pem
server-key = /etc/letsencrypt/live/domain.com/privkey.pem
ca-cert = /etc/ssl/certs/ssl-cert-snakeoil.pem
isolate-workers = true
max-clients = 16
max-same-clients = 2
listen-proxy-proto = true
keepalive = 32400
dpd = 90
mobile-dpd = 1800
try-mtu-discovery = true
cert-user-oid = 0.9.2342.19200300.100.1.1
tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-VERS-SSL3.0"
auth-timeout = 240
min-reauth-time = 3
max-ban-score = 0
ban-reset-time = 300
cookie-timeout = 300
deny-roaming = false
rekey-time = 172800
rekey-method = ssl
use-utmp = true
use-occtl = true
pid-file = /var/run/ocserv.pid
device = vpns
predictable-ips = true
default-domain = domain.com
ipv4-network = 192.168.91.0
ipv4-netmask = 255.255.255.0
dns = 192.168.0.1
ping-leases = false
route = default
select-group = split
select-group = full[full]
auto-select-group = false
config-per-group = /etc/ocserv/config-per-group/
cisco-client-compat = true
dtls-legacy = true

EXAMPLE HAPROXY CONFIG

frontend HTTPS-IN
        bind                    0.0.0.0:443 name 0.0.0.0:443   
        mode                    tcp
        log                     global
        option                  log-separate-errors
        option                  tcplog
        timeout client          30000
        tcp-request inspect-delay 5s
        tcp-request content accept if { req.ssl_hello_type 1 }
        acl                     host_areus      req_ssl_sni -i host.domain.com
        use_backend AREUS-HTTPS_ipvANY  if  host_areus 
        default_backend OCSERV-SSL_ipvANY

backend AREUS-HTTPS_ipvANY
        mode                    tcp
        id                      107
        log                     global
        timeout connect         30000
        timeout server          30000
        retries                 3
        server                  AREUS-HTTPS 192.168.0.254:443 id 108  

backend OCSERV-SSL_ipvANY
        mode                    tcp
        id                      105
        log                     global
        timeout connect         30000
        timeout server          30000
        retries                 3
        option ssl-hello-chk
        server                  AREUS-OCSERV 192.168.0.254:4443 id 106  send-proxy-v2
Retrieved from "https://hurlster.com/wiki/index.php?title=OpenConnect&oldid=2679"