OpenConnect: Difference between revisions
Jump to navigation
Jump to search
(→GROUPS) |
|||
| Line 117: | Line 117: | ||
device = vpns | device = vpns | ||
predictable-ips = true | predictable-ips = true | ||
default-domain = | default-domain = domain.com | ||
ipv4-network = 192.168.91.0 | ipv4-network = 192.168.91.0 | ||
ipv4-netmask = 255.255.255.0 | ipv4-netmask = 255.255.255.0 | ||
Revision as of 22:15, 19 February 2019
Run commands as root/sudo
apt-get install software-properties-common add-apt-repository ppa:certbot/certbot apt-get update apt-get install certbot
certbot certonly --standalone --preferred-challenges tls-sni -d {domain.tld}
certbot certonly --standalone -d {domain.tld}
apt-get install ocserv
- /etc/ocserv/ocserv.conf
auth = "plain[/etc/ocserv/ocpasswd]"
tcp-port = 443
udp-port = 443
run-as-user = nobody
run-as-group = daemon
socket-file = /var/run/ocserv-socket
server-cert = /etc/letsencrypt/live/{domain.tld}/fullchain.pem
server-key = /etc/letsencrypt/live/{domain.tld}/privkey.pem
max-clients = 8
max-same-clients = 0
try-mtu-discovery = true
device = vpns
ipv4-network = 192.168.91.0/28
dns = 8.8.8.8
cisco-client-compat = true
ocpasswd -c /etc/ocserv/ocpasswd MYUSER
systemctl restart ocserv
iptables -t nat -A POSTROUTING -s 192.168.91.0/28 -j SNAT --to-source X.X.X.X(Server Public IP) iptables -t nat -A POSTROUTING -j MASQUERADE
apt-get install iptables-persistent
/etc/init.d/netfilter-persistent reload
- /etc/sysctl.conf
net.ipv4.ip_forward=1
sysctl -p
- Auto renew update
Edit /etc/cron.d/certbot and append this to the end of the certbot command
--standalone --pre-hook "service ocserv stop" --post-hook "service ocserv start"
or add to crontab as root
@monthly /usr/bin/certbot renew --standalone --pre-hook "service ocserv stop" --post-hook "service ocserv start"
Build It
cd /opt wget -4 ftp://ftp.infradead.org/pub/ocserv/ocserv-0.12.1.tar.xz
apt-get install pkg-config nettle-dev libgnutls28-dev libev-dev libgeoip-dev libwrap0-dev liblz4-dev \ libnss-wrapper libpam-wrapper libsocket-wrapper libreadline-dev libnl-3-dev libnl-route-3-dev libpam0g-dev libseccomp-dev
./configure make
SNIPROXY
- /etc/sniproxy.conf
listener 0.0.0.0:443 {
protocol tls
table TableName
#we set fallback to be ocserv as older versions of openconnect
#don't advertise the hostname they connect to.
fallback 127.0.0.1:4443
}
table TableName {
# Match exact request hostnames
vpn.example.com 127.0.0.1:4443
www.example.com 127.0.0.1:4444
.*\\.com 127.0.0.1:4444
}
GROUPS
ocpasswd -c /path/to/passwd/file -g "full,split" username echo "route = default" > /etc/ocserv/config-per-group/full echo "route = 192.168.0.0/24" > /etc/ocserv/config-per-group/split
Edit ocserv.conf
select-group = split select-group = full[full] auto-select-group = false config-per-group = /etc/ocserv/config-per-group/
EXAMPLE CONFIG
auth = "plain[passwd=/etc/ocserv/ocpasswd]" tcp-port = 4443 udp-port = 4443 run-as-user = nobody run-as-group = daemon socket-file = /var/run/ocserv-socket server-cert = /etc/letsencrypt/live/domain.com/fullchain.pem server-key = /etc/letsencrypt/live/domain.com/privkey.pem ca-cert = /etc/ssl/certs/ssl-cert-snakeoil.pem isolate-workers = true max-clients = 16 max-same-clients = 2 listen-proxy-proto = true keepalive = 32400 dpd = 90 mobile-dpd = 1800 try-mtu-discovery = true cert-user-oid = 0.9.2342.19200300.100.1.1 tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-VERS-SSL3.0" auth-timeout = 240 min-reauth-time = 3 max-ban-score = 0 ban-reset-time = 300 cookie-timeout = 300 deny-roaming = false rekey-time = 172800 rekey-method = ssl use-utmp = true use-occtl = true pid-file = /var/run/ocserv.pid device = vpns predictable-ips = true default-domain = domain.com ipv4-network = 192.168.91.0 ipv4-netmask = 255.255.255.0 dns = 192.168.0.1 ping-leases = false route = default select-group = split select-group = full[full] auto-select-group = false config-per-group = /etc/ocserv/config-per-group/ cisco-client-compat = true dtls-legacy = true