OpenConnect: Difference between revisions
| Line 83: | Line 83: | ||
auto-select-group = false | auto-select-group = false | ||
config-per-group = /etc/ocserv/config-per-group/ | config-per-group = /etc/ocserv/config-per-group/ | ||
== EXAMPLE CONFIG == | == EXAMPLE OCSERV CONFIG == | ||
<pre> | <pre> | ||
auth = "plain[passwd=/etc/ocserv/ocpasswd]" | auth = "plain[passwd=/etc/ocserv/ocpasswd]" | ||
| Line 130: | Line 130: | ||
dtls-legacy = true | dtls-legacy = true | ||
</pre> | </pre> | ||
== EXAMPLE HAPROXY CONFIG == | |||
<pre> | |||
frontend HTTPS-IN | |||
bind 0.0.0.0:443 name 0.0.0.0:443 | |||
mode tcp | |||
log global | |||
option log-separate-errors | |||
option tcplog | |||
timeout client 30000 | |||
tcp-request inspect-delay 5s | |||
tcp-request content accept if { req.ssl_hello_type 1 } | |||
acl host_areus req_ssl_sni -i host.domain.com | |||
use_backend AREUS-HTTPS_ipvANY if host_areus | |||
default_backend OCSERV-SSL_ipvANY | |||
backend AREUS-HTTPS_ipvANY | |||
mode tcp | |||
id 107 | |||
log global | |||
timeout connect 30000 | |||
timeout server 30000 | |||
retries 3 | |||
server AREUS-HTTPS 192.168.0.254:443 id 108 | |||
backend OCSERV-SSL_ipvANY | |||
mode tcp | |||
id 105 | |||
log global | |||
timeout connect 30000 | |||
timeout server 30000 | |||
retries 3 | |||
option ssl-hello-chk | |||
server AREUS-OCSERV 192.168.0.254:4443 id 106 send-proxy-v2 | |||
</pre> | |||
[[Category:Linux]] | [[Category:Linux]] | ||
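Review bot: The OCSERV-SSL_ipvANY backend's server line ends in `send-proxy-v2`, so the ocserv it forwards to must accept the PROXY protocol (the page's full example config sets `listen-proxy-proto = true`), and ocserv then takes the client address from that header; 192.168.0.254:4443 must therefore be reachable from this HAProxy only, otherwise anything else able to connect to it can present an arbitrary client address to ocserv's logs and ban scoring. A comment above that server line, `# ocserv trusts the PROXY header: allow 4443 from this proxy only`, would record the dependency. Separately, `option ssl-hello-chk` probes with an SSLv3-formatted ClientHello while the example ocserv tls-priorities remove SSL 3.0, so it is worth confirming the check actually reports the backend UP.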
Latest revision as of 22:18, 19 February 2019
Run commands as root/sudo
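# Install certbot from the certbot PPA (one command per line; the original
# had the four commands run together on one line).
apt-get install software-properties-common
add-apt-repository ppa:certbot/certbot
apt-get update
apt-get install certbot

# Request the certificate. The standalone authenticator opens its own
# listening socket, so run this before ocserv is started on port 443.
# The tls-sni challenge has been withdrawn by Let's Encrypt; the first
# form is kept only for reference and fails against the current CA.
# certbot certonly --standalone --preferred-challenges tls-sni -d {domain.tld}
certbot certonly --standalone -d {domain.tld}

apt-get install ocserv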
- /etc/ocserv/ocserv.conf
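# /etc/ocserv/ocserv.conf — minimal configuration for the steps above.
# Local password file managed with ocpasswd (see below). Written in the
# same "plain[passwd=...]" form as the full example config further down;
# the bare-path form "plain[/etc/ocserv/ocpasswd]" is the older syntax.
auth = "plain[passwd=/etc/ocserv/ocpasswd]"
# ocserv owns 443 directly in this setup, so certbot's standalone renewal
# needs ocserv stopped while it runs (see the cron hooks below).
tcp-port = 443
udp-port = 443
# Drop privileges after startup.
run-as-user = nobody
run-as-group = daemon
socket-file = /var/run/ocserv-socket
# Certificate and key issued by certbot above.
server-cert = /etc/letsencrypt/live/{domain.tld}/fullchain.pem
server-key = /etc/letsencrypt/live/{domain.tld}/privkey.pem
# Session caps. max-same-clients = 0 puts no limit on how many concurrent
# sessions one account may hold; set it (the full example uses 2) if
# account sharing should be contained.
max-clients = 8
max-same-clients = 0
try-mtu-discovery = true
device = vpns
# Client address pool; must match the SNAT rule in the iptables step below.
ipv4-network = 192.168.91.0/28
# Resolver pushed to clients (Google public DNS); point this at an internal
# resolver if client DNS queries should stay on-site.
dns = 8.8.8.8
cisco-client-compat = true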
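# Create the password file and the first VPN account (ocpasswd prompts
# for the password).
ocpasswd -c /etc/ocserv/ocpasswd MYUSER
systemctl restart ocserv

# NAT the VPN client pool out through the server's public address.
# X.X.X.X is a placeholder for the server's public IP. The original had
# both iptables commands on one line, which does not parse as shell.
iptables -t nat -A POSTROUTING -s 192.168.91.0/28 -j SNAT --to-source X.X.X.X
# This catch-all is restricted to neither the VPN pool nor an interface,
# so with ip_forward=1 it masquerades any forwarded traffic. The SNAT rule
# above already covers the pool; scope this rule (e.g. add
# -s 192.168.91.0/28 -o <public-interface>) or drop it.
iptables -t nat -A POSTROUTING -j MASQUERADE

# Persist the rules across reboots.
apt-get install iptables-persistent
/etc/init.d/netfilter-persistent reload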
- /etc/sysctl.conf
# Enable IPv4 forwarding so packets from the vpns device can leave through
# the server's uplink. Only IPv4 is forwarded; the VPN here is IPv4-only.
net.ipv4.ip_forward=1
# Apply /etc/sysctl.conf now; it is also applied at boot.
sysctl -p
- Auto-renewal of the certificate
Edit /etc/cron.d/certbot and append this to the end of the certbot command
# Appended to the certbot renew command in /etc/cron.d/certbot: standalone
# renewal needs the port ocserv holds, so ocserv is stopped around the run.
# The hooks only execute when certbot actually attempts a renewal.
# NOTE(review): on systemd hosts the packaged cron.d entry defers to
# certbot.timer — confirm which scheduler is active, otherwise these hooks
# never fire; the renewal config or renewal-hooks directory is the
# scheduler-independent place for them.
--standalone --pre-hook "service ocserv stop" --post-hook "service ocserv start"
or add to crontab as root
# Root crontab alternative. The VPN is down for the duration of each renewal.
# A monthly attempt leaves little margin if a run fails (certbot renews when
# fewer than 30 days remain; its own packaged schedule is twice daily), so
# a daily or twice-daily entry is safer.
@monthly /usr/bin/certbot renew --standalone --pre-hook "service ocserv stop" --post-hook "service ocserv start"
Build It
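# Build ocserv 0.12.1 from source (alternative to the distribution package).
# The original ran several commands together on single lines and lost the
# unpack step; one command per line here.
cd /opt
# Plain FTP gives no integrity guarantee: verify the archive against the
# upstream signature/checksum before building it.
wget -4 ftp://ftp.infradead.org/pub/ocserv/ocserv-0.12.1.tar.xz
# Build dependencies (the collapsed "\ " in the original escaped a space
# instead of continuing the line).
apt-get install pkg-config nettle-dev libgnutls28-dev libev-dev libgeoip-dev libwrap0-dev liblz4-dev \
    libnss-wrapper libpam-wrapper libsocket-wrapper libreadline-dev libnl-3-dev libnl-route-3-dev libpam0g-dev libseccomp-dev
# Unpack and build; adjust the directory name if the archive unpacks differently.
tar xf ocserv-0.12.1.tar.xz
cd ocserv-0.12.1
./configure
make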
SNIPROXY
- /etc/sniproxy.conf
# /etc/sniproxy.conf — route incoming TLS connections on 443 by SNI hostname.
listener 0.0.0.0:443 {
protocol tls
table TableName
#we set fallback to be ocserv as older versions of openconnect
#don't advertise the hostname they connect to.
fallback 127.0.0.1:4443
}
# Hostname -> backend map used by the listener above. sniproxy relays the
# TCP stream from loopback, so ocserv on 4443 presumably sees 127.0.0.1 as
# the peer unless the real client address is passed through — this affects
# ocserv's per-IP ban scoring and logs; TODO confirm.
table TableName {
# Match exact request hostnames
vpn.example.com 127.0.0.1:4443
www.example.com 127.0.0.1:4444
# Regular-expression entry: any remaining .com hostname goes to 4444.
.*\\.com 127.0.0.1:4444
}
GROUPS
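# Create the account with two groups (the original had all three commands
# on one line). Each group name maps to a file of the same name under
# config-per-group/ holding the settings ocserv applies for that group.
ocpasswd -c /path/to/passwd/file -g "full,split" username
# "full": route everything through the VPN; "split": only 192.168.0.0/24.
echo "route = default" > /etc/ocserv/config-per-group/full
echo "route = 192.168.0.0/24" > /etc/ocserv/config-per-group/split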
Edit ocserv.conf
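# Groups offered to the client (one key per line; the original collapsed
# all four onto one line). "name[Label]" sets the label shown to the user;
# with auto-select-group = false the group is not chosen automatically.
select-group = split
select-group = full[full]
auto-select-group = false
config-per-group = /etc/ocserv/config-per-group/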
EXAMPLE OCSERV CONFIG
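# /etc/ocserv/ocserv.conf — full example for ocserv running behind
# HAProxy/sniproxy on 4443 (the proxy owns 443). One key per line; the
# original had the whole file collapsed onto a single line.
auth = "plain[passwd=/etc/ocserv/ocpasswd]"
tcp-port = 4443
udp-port = 4443
run-as-user = nobody
run-as-group = daemon
socket-file = /var/run/ocserv-socket
server-cert = /etc/letsencrypt/live/domain.com/fullchain.pem
server-key = /etc/letsencrypt/live/domain.com/privkey.pem
# CA used to verify client certificates. ssl-cert-snakeoil.pem is Debian's
# self-signed placeholder and cannot vouch for real client certs; with
# plain authentication it appears unused — TODO confirm before enabling
# certificate auth.
ca-cert = /etc/ssl/certs/ssl-cert-snakeoil.pem
isolate-workers = true
# Global and per-account session caps (0 would mean unlimited for
# max-same-clients).
max-clients = 16
max-same-clients = 2
# Accept the PROXY protocol from the proxy (send-proxy-v2 in the HAProxy
# example). ocserv then trusts the client address carried in that header,
# so 4443 must not be reachable from anything other than the proxy.
listen-proxy-proto = true
# Seconds.
keepalive = 32400
dpd = 90
mobile-dpd = 1800
try-mtu-discovery = true
# OID of the certificate field holding the user name (userID) when
# certificate auth is in use.
cert-user-oid = 0.9.2342.19200300.100.1.1
# GnuTLS priority string. It excludes SSL 3.0 only and does not by itself
# exclude TLS 1.0/1.1 (add -VERS-TLS1.0:-VERS-TLS1.1 if clients allow).
tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-VERS-SSL3.0"
auth-timeout = 240
min-reauth-time = 3
# 0 disables ocserv's failed-login banning. With listen-proxy-proto = true
# the real client address is available, so a non-zero score is usable here.
max-ban-score = 0
ban-reset-time = 300
cookie-timeout = 300
deny-roaming = false
# Seconds (48 h).
rekey-time = 172800
rekey-method = ssl
use-utmp = true
use-occtl = true
pid-file = /var/run/ocserv.pid
device = vpns
predictable-ips = true
default-domain = domain.com
ipv4-network = 192.168.91.0
ipv4-netmask = 255.255.255.0
dns = 192.168.0.1
ping-leases = false
route = default
# Group selection; see the GROUPS section above.
select-group = split
select-group = full[full]
auto-select-group = false
config-per-group = /etc/ocserv/config-per-group/
cisco-client-compat = true
dtls-legacy = true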
EXAMPLE HAPROXY CONFIG
# HAProxy in TCP mode: it terminates nothing, reads the TLS ClientHello and
# routes by SNI. The *_ipvANY names and numeric ids look like a pfSense
# haproxy-package export.
frontend HTTPS-IN
bind 0.0.0.0:443 name 0.0.0.0:443
mode tcp
log global
option log-separate-errors
option tcplog
# Milliseconds: 30 s of client inactivity closes the tunnel's TCP session.
# The ocserv example uses dpd = 90 s, so an idle VPN session may be cut by
# the proxy before ocserv's own dead-peer detection runs — TODO confirm
# with real client traffic and raise if needed.
timeout client 30000
# Wait up to 5 s for the ClientHello so the SNI can be read.
tcp-request inspect-delay 5s
tcp-request content accept if { req.ssl_hello_type 1 }
# Route by SNI; everything else, including clients that send no SNI, goes
# to ocserv.
acl host_areus req_ssl_sni -i host.domain.com
use_backend AREUS-HTTPS_ipvANY if host_areus
default_backend OCSERV-SSL_ipvANY
backend AREUS-HTTPS_ipvANY
mode tcp
id 107
log global
timeout connect 30000
timeout server 30000
retries 3
server AREUS-HTTPS 192.168.0.254:443 id 108
backend OCSERV-SSL_ipvANY
mode tcp
id 105
log global
timeout connect 30000
# Same 30 s idle limit on the server side; see timeout client above.
timeout server 30000
retries 3
# NOTE(review): ssl-hello-chk probes with an SSLv3-formatted ClientHello
# while the ocserv example disables SSL 3.0 — confirm the check reports UP.
option ssl-hello-chk
# send-proxy-v2 passes the real client address to ocserv (which sets
# listen-proxy-proto = true and then trusts that header), so
# 192.168.0.254:4443 should accept connections from this proxy only.
server AREUS-OCSERV 192.168.0.254:4443 id 106 send-proxy-v2