OpenConnect

From Hurlster Wiki
Revision as of 17:37, 19 February 2019 by Gqwill69 (talk | contribs) (→‎SNIPROXY)
Jump to navigation Jump to search

Run commands as root/sudo 

apt-get install software-properties-common
add-apt-repository ppa:certbot/certbot
apt-get update
apt-get install certbot

certbot certonly --standalone --preferred-challenges tls-sni -d {domain.tld} 
certbot certonly --standalone -d {domain.tld}
apt-get install ocserv
  • /etc/ocserv/ocserv.conf
auth = "plain[/etc/ocserv/ocpasswd]"
tcp-port = 443
udp-port = 443
run-as-user = nobody
run-as-group = daemon
socket-file = /var/run/ocserv-socket
server-cert = /etc/letsencrypt/live/{domain.tld}/fullchain.pem
server-key = /etc/letsencrypt/live/{domain.tld}/privkey.pem
max-clients = 8
max-same-clients = 0
try-mtu-discovery = true
device = vpns
ipv4-network = 192.168.91.0/28
dns = 8.8.8.8
cisco-client-compat = true

ocpasswd -c /etc/ocserv/ocpasswd MYUSER

systemctl restart ocserv

iptables -t nat -A POSTROUTING -s 192.168.91.0/28 -j SNAT --to-source X.X.X.X(Server Public IP)
iptables -t nat -A POSTROUTING -j MASQUERADE

apt-get install iptables-persistent

/etc/init.d/netfilter-persistent reload
  • /etc/sysctl.conf
net.ipv4.ip_forward=1

sysctl -p
  • Auto renew update

Edit /etc/cron.d/certbot and append this to the end of the certbot command 

--standalone --pre-hook "service ocserv stop" --post-hook "service ocserv start"

or add to crontab as root 

@monthly /usr/bin/certbot renew --standalone --pre-hook "service ocserv stop" --post-hook "service ocserv start"

Build It

cd /opt
wget -4 ftp://ftp.infradead.org/pub/ocserv/ocserv-0.12.1.tar.xz

apt-get install pkg-config nettle-dev libgnutls28-dev libev-dev libgeoip-dev libwrap0-dev liblz4-dev \
libnss-wrapper libpam-wrapper libsocket-wrapper libreadline-dev libnl-3-dev libnl-route-3-dev libpam0g-dev libseccomp-dev

./configure
make

SNIPROXY

  • /etc/sniproxy.conf
listener 0.0.0.0:443 {
   protocol tls
   table TableName

   #we set fallback to be ocserv as older versions of openconnect 
   #don't advertise the hostname they connect to.
   fallback 127.0.0.1:4443
}

table TableName {
   # Match exact request hostnames
   vpn.example.com 127.0.0.1:4443
   www.example.com 127.0.0.1:4444
   .*\\.com    127.0.0.1:4444
}

GROUPS

ocpasswd -c /path/to/passwd/file -g "full,split" username
echo "route = default" > /etc/ocserv/config-per-group/full
echo "route = 192.168.0.0/24" > /etc/ocserv/config-per-group/split

Edit ocserv.conf 

select-group = split
select-group = full[full]
auto-select-group = false
config-per-group = /etc/ocserv/config-per-group/
Retrieved from "https://hurlster.com/wiki/index.php?title=OpenConnect&oldid=2676"