commit c5d48392d76b0ff52f556c3515eb436fc10d491d5c19df03566f7828757408dc Author: Tomáš Chvátal Date: Thu Feb 26 20:07:11 2015 +0000 Accepting request 285939 from home:MargueriteSu OBS-URL: https://build.opensuse.org/request/show/285939 OBS-URL: https://build.opensuse.org/package/show/network:vpn/ocserv?expand=0&rev=1 diff --git a/.gitattributes b/.gitattributes new file mode 100644 index 0000000..9b03811 --- /dev/null +++ b/.gitattributes @@ -0,0 +1,23 @@ +## Default LFS +*.7z filter=lfs diff=lfs merge=lfs -text +*.bsp filter=lfs diff=lfs merge=lfs -text +*.bz2 filter=lfs diff=lfs merge=lfs -text +*.gem filter=lfs diff=lfs merge=lfs -text +*.gz filter=lfs diff=lfs merge=lfs -text +*.jar filter=lfs diff=lfs merge=lfs -text +*.lz filter=lfs diff=lfs merge=lfs -text +*.lzma filter=lfs diff=lfs merge=lfs -text +*.obscpio filter=lfs diff=lfs merge=lfs -text +*.oxt filter=lfs diff=lfs merge=lfs -text +*.pdf filter=lfs diff=lfs merge=lfs -text +*.png filter=lfs diff=lfs merge=lfs -text +*.rpm filter=lfs diff=lfs merge=lfs -text +*.tbz filter=lfs diff=lfs merge=lfs -text +*.tbz2 filter=lfs diff=lfs merge=lfs -text +*.tgz filter=lfs diff=lfs merge=lfs -text +*.ttf filter=lfs diff=lfs merge=lfs -text +*.txz filter=lfs diff=lfs merge=lfs -text +*.whl filter=lfs diff=lfs merge=lfs -text +*.xz filter=lfs diff=lfs merge=lfs -text +*.zip filter=lfs diff=lfs merge=lfs -text +*.zst filter=lfs diff=lfs merge=lfs -text diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..57affb6 --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +.osc diff --git a/README.SUSE b/README.SUSE new file mode 100644 index 0000000..47cc70f --- /dev/null +++ b/README.SUSE @@ -0,0 +1,126 @@ +## Setup AnyConnect VPN w/ ocserv + +### What is Cisco Anyconnect? What is ocserv? + +Cisco Anyconnect is an enterprise VPN first launched by Cisco. + +The open source technology behind is OpenConnect. + +It uses UDP DTLS (Datagram Transport Layer Security) to encrypt traffic +during regular times, and uses TCP TLS for reconnect when offline. + +So it's more stable then other types of VPN, and massively used by big multinational companys which make it unlikely to be overkilled. With its rare scale among individuals, it's less likely to attract blockage. + +### Initialization + +After getting ocserv installed through zypper/YaST, you need to edit +/etc/ocserv/certificates/server.tmpl. + +Change: + +cn = "Your hostname or IP" + +to the real one. You can /sbin/ifconfig -a to check yours. + +#### Generate Certificates + +cd /etc/ocserv/certificates +sudo certtool --generate-privkey --outfile ca-key.pem +sudo certtool --generate-self-signed --load-privkey ca-key.pem --template ca.tmpl --outfile ca-cert.pem +sudo certtool --generate-privkey --outfile server-key.pem +sudo certtool --generate-certificate --load-privkey server-key.pem --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem --template server.tmpl --outfile server-cert.pem + +#### Generate passwd file + +sudo ocpasswd -c /etc/ocserv/ocpasswd your_username_wanted + +The later "your_username_wanted" is left for you. + +Then log your chosen passwords twice. + +#### Shutdown SUSEFirewall2 through YaST + +Because I don't know how to convert iptables rules to SUSEFirewall2 ones. +If you can help me, please fork this package and submit back. + +#### Set iptables rules + +sudo /sbin/iptables -A INPUT -p tcp --dport 9000 -j ACCEPT +sudo /sbin/iptables -A INPUT -p udp --dport 9001 -j ACCEPT +sudo /sbin/iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE +sudo /sbin/iptables -A FORWARD -s 192.168.1.0/24 -j ACCEPT + +The 9000/9001 ports, IP range 192.168.1.0/24 are default ones, +you can change them in /etc/ocserv/ocserv.conf + +Warning: Your eth0 may not exist, you can ifconfig -a to find yours. + +#### Enable IP forward + +sudo echo 1 > /proc/sys/net/ipv4/ip_forward + +It doesn't live after reboot. + +#### Test + +sudo /sbin/ocserv -f -d 1 + +#### Enable systemd services + +sudo systemctl enable ocserv.service +sudo systemctl start ocserv.service + +### Client Cert Login + +sudo certtool --generate-privkey --outfile user-key.pem +sudo certtool --generate-certificate --load-privkey user-key.pem --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem --template user.tmpl --outfile user-cert.pem + +#### Change ocserv.conf + +Change: + + #auth = "certificate" + auth = "plain[/etc/ocserv/ocpasswd]" + +To: + + auth = "certificate" + #auth = "plain[/etc/ocserv/ocpasswd]" + +And comment: + + #listen-clear-file = /var/run/ocserv-conn.socket + +And uncomment: + + ca-cert = /etc/ocserv/certificates/ca-cert.pem + +Restart service: + + sudo systemctl restart ocserv.service + +#### Generate pk12 file for iOS + +openssl pkcs12 -export -inkey user-key.pem -in user-cert.pem -certfile ca-cert.pem -out user.p12 + +### Client Connection + +Remember to set the server address to xxx.xxx.xxx.xxx:your_port, +eg: opensuse.org:9000 + +#### iOS + +Search "anyconnect" in App Store. + +Either type username/password manually or import the pk12 file +(You can put the later on your download server) + +#### Linux + +Install NetworkManager-openconnect, also plasma-nm-openconnect if you're under KDE. Support certificate login only. + +You need your ca-cert.pem, user-cert.pem and user-key.pem. + +#### Android + +Search "AnyConnect", "SmoothConnect" or "OpenConnect" in Google Play. diff --git a/ca.tmpl b/ca.tmpl new file mode 100644 index 0000000..bfa0631 --- /dev/null +++ b/ca.tmpl @@ -0,0 +1,8 @@ +cn = "opensuse" +organization = "opensuse" +serial = 1 +expiration_days = 3650 +ca +signing_key +cert_signing_key +crl_signing_key diff --git a/ocserv-0.9.0.1.tar.xz b/ocserv-0.9.0.1.tar.xz new file mode 100644 index 0000000..9518d72 --- /dev/null +++ b/ocserv-0.9.0.1.tar.xz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:6428e895b59ea412cd3ef3fff37c107a7d443616384a2fd911810458db80cf56 +size 656716 diff --git a/ocserv-enable-systemd.patch b/ocserv-enable-systemd.patch new file mode 100644 index 0000000..713df1f --- /dev/null +++ b/ocserv-enable-systemd.patch @@ -0,0 +1,16 @@ +Index: ocserv-0.9.0/configure.ac +=================================================================== +--- ocserv-0.9.0.orig/configure.ac ++++ ocserv-0.9.0/configure.ac +@@ -319,11 +319,7 @@ AC_ARG_ENABLE(systemd, + + if [ test "$systemd_enabled" = "yes" ];then + AC_LIB_HAVE_LINKFLAGS(systemd,, [#include ], [sd_listen_fds(0);]) +- if [ test -z "$LIBSYSTEMD_DAEMON" ];then +- systemd_enabled="no" +- else + systemd_enabled="yes" +- fi + fi + + AC_ARG_ENABLE(anyconnect-compat, diff --git a/ocserv-str_init.patch b/ocserv-str_init.patch new file mode 100644 index 0000000..ef15034 --- /dev/null +++ b/ocserv-str_init.patch @@ -0,0 +1,13 @@ +Index: ocserv-0.9.0/src/main-ctl-dbus.c +=================================================================== +--- ocserv-0.9.0.orig/src/main-ctl-dbus.c ++++ ocserv-0.9.0/src/main-ctl-dbus.c +@@ -946,7 +946,7 @@ static void method_introspect(main_serve + + mslog(s, NULL, LOG_DEBUG, "ctl: introspect"); + +- str_init(&buf); ++ str_init(&buf, ctx); + + ret = str_append_data(&buf, XML_HEAD, sizeof(XML_HEAD) - 1); + if (ret < 0) { diff --git a/ocserv.changes b/ocserv.changes new file mode 100644 index 0000000..1604335 --- /dev/null +++ b/ocserv.changes @@ -0,0 +1,35 @@ +------------------------------------------------------------------- +Fri Feb 13 11:28:14 UTC 2015 - i@marguerite.su + +- add user.tmpl, for certificate login +- tweak default config more +- add README.SUSE as setup instructions + +------------------------------------------------------------------- +Mon Feb 2 10:04:45 UTC 2015 - i@marguerite.su + +- initial version 0.9.0.1 + * Added native support for radius. That adds the new auth + configuration option "radius", which has as parameters + the freeradius-client configuration file and optionally + the groupconfig option which instructs to read + configuration from radius; the stats-report-time option + enables interim-updates. That adds the dependency to + freeradius-client (see doc/README.radius). + * Reply using the same address that received UDP packets + are sent. + * Simplify the input of IPv6 network addresses. + * Use a separate IPC and PID namespace in Linux systems + for worker processes. That effectively puts each worker + process in a separate container. This can be enabled at + compile time using --enable-linux-namespaces. + * Configuration option 'use-seccomp' was replaced by + 'isolate-workers', which in addition to seccomp it enables + the Linux namespaces restrictions. + * Added support for stateless compression using LZ4 and LZS. + This is disabled by default. +- disable dbus interface because currently it provides less + function than unix socket +- add patch: ocserv-str_init.patch +- add patch: ocserv-enable-systemd.patch +- add patch: ocserv.config.patch diff --git a/ocserv.config.patch b/ocserv.config.patch new file mode 100644 index 0000000..9918e15 --- /dev/null +++ b/ocserv.config.patch @@ -0,0 +1,93 @@ +Index: ocserv-0.9.0/doc/sample.config +=================================================================== +--- ocserv-0.9.0.orig/doc/sample.config ++++ ocserv-0.9.0/doc/sample.config +@@ -34,7 +34,7 @@ + #auth = "certificate[optional]" + #auth = "pam" + #auth = "pam[gid-min=1000]" +-auth = "plain[./sample.passwd]" ++auth = "plain[/etc/ocserv/ocpasswd]" + #auth = "radius[/etc/radiusclient/radiusclient.conf,groupconfig]" + + # Whether to enable seccomp/Linux namespaces worker isolation. That restricts the number of +@@ -68,8 +68,8 @@ max-same-clients = 2 + #listen-host-is-dyndns = true + + # TCP and UDP port number +-tcp-port = 443 +-udp-port = 443 ++tcp-port = 9000 ++udp-port = 9001 + + # Accept connections using a socket file. It accepts HTTP + # connections (i.e., without SSL/TLS unlike its TCP counterpart), +@@ -101,7 +101,7 @@ dpd = 90 + mobile-dpd = 1800 + + # MTU discovery (DPD must be enabled) +-try-mtu-discovery = false ++try-mtu-discovery = true + + # The key and the certificates of the server + # The key may be a file, or any URL supported by GnuTLS (e.g., +@@ -113,8 +113,8 @@ try-mtu-discovery = false + # + # There may be multiple server-cert and server-key directives, + # but each key should correspond to the preceding certificate. +-server-cert = ../tests/server-cert.pem +-server-key = ../tests/server-key.pem ++server-cert = /etc/ocserv/certificates/server-cert.pem ++server-key = /etc/ocserv/certificates/server-key.pem + + # Diffie-Hellman parameters. Only needed if you require support + # for the DHE ciphersuites (by default this server supports ECDHE). +@@ -140,7 +140,7 @@ server-key = ../tests/server-key.pem + # The Certificate Authority that will be used to verify + # client certificates (public keys) if certificate authentication + # is set. +-#ca-cert = /path/to/ca.pem ++#ca-cert = /etc/ocserv/certificates/ca-cert.pem + + # The object identifier that will be used to read the user ID in the client + # certificate. The object identifier should be part of the certificate's DN +@@ -236,8 +236,8 @@ rekey-method = ssl + # STATS_BYTES_OUT, STATS_DURATION that contain a 64-bit counter of the bytes + # output from the tun device, and the duration of the session in seconds. + +-#connect-script = /usr/bin/myscript +-#disconnect-script = /usr/bin/myscript ++#connect-script = /usr/bin/ocserv-script ++#disconnect-script = /usr/bin/ocserv-script + + # UTMP + # Register the connected clients to utmp. This will allow viewing +@@ -302,7 +302,7 @@ ipv4-netmask = 255.255.255.0 + # The advertized DNS server. Use multiple lines for + # multiple servers. + # dns = fc00::4be0 +-dns = 192.168.1.2 ++dns = 8.8.8.8 + + # The NBNS server (if any) + #nbns = 192.168.1.3 +@@ -342,8 +342,8 @@ ping-leases = false + # comment out all routes from the server, or use the special keyword + # 'default'. + +-route = 192.168.1.0/255.255.255.0 +-route = 192.168.5.0/255.255.255.0 ++#route = 192.168.1.0/255.255.255.0 ++#route = 192.168.5.0/255.255.255.0 + #route = fef4:db8:1000:1001::/64 + + # Groups that a client is allowed to select from. +@@ -411,7 +411,7 @@ route = 192.168.5.0/255.255.255.0 + # for clients to present their certificate on every connection. + # That is they may resume a cookie without presenting a certificate + # (when certificate authentication is used). +-#cisco-client-compat = true ++cisco-client-compat = true + + # Client profile xml. A sample file exists in doc/profile.xml. + # It is required by some of the CISCO clients. diff --git a/ocserv.spec b/ocserv.spec new file mode 100644 index 0000000..b569d71 --- /dev/null +++ b/ocserv.spec @@ -0,0 +1,137 @@ +# +# spec file for package ocserv +# +# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany. +# +# All modifications and additions to the file contributed by third parties +# remain the property of their copyright owners, unless otherwise agreed +# upon. The license for this file, and modifications and additions to the +# file, is the same license as for the pristine package itself (unless the +# license for the pristine package is not an Open Source License, in which +# case the license is the MIT License). An "Open Source License" is a +# license that conforms to the Open Source Definition (Version 1.9) +# published by the Open Source Initiative. + +# Please submit bugfixes or comments via http://bugs.opensuse.org/ +# + +Name: ocserv +Version: 0.9.0.1 +Release: 0 +License: GPL-2.0+ +Summary: OpenConnect VPN Server +Url: http://www.infradead.org/ocserv +Group: Productivity/Networking/Security +Source: ftp://ftp.infradead.org/pub/ocserv/%{name}-%{version}.tar.xz +Source1: ca.tmpl +Source2: server.tmpl +Source3: user.tmpl +Source99: README.SUSE +#PATCH-FIX-UPSTREAM marguerite@opensuse.org str_init lacks a parameter +Patch: %{name}-str_init.patch +#PATCH-FIX-UPSTREAM marguerite@opensuse.org $LIBSYSTEMD_DAEMON env is not set on openSUSE +Patch1: %{name}-enable-systemd.patch +#PATCH-FIX-UPSTREAM marguerite@opensuse.org tweak configuration +Patch2: %{name}.config.patch +BuildRequires: autogen +BuildRequires: libtool +BuildRequires: pkg-config +BuildRequires: libgnutls-devel >= 3.1.10 +BuildRequires: protobuf-devel +BuildRequires: libtalloc-devel +BuildRequires: libnl3-devel +BuildRequires: readline5-devel +BuildRequires: pam-devel +BuildRequires: freeradius-client-devel +BuildRequires: libseccomp-devel +BuildRequires: dbus-1-devel +BuildRequires: systemd-devel +%if 0%{?suse_version} > 1310 +BuildRequires: liblz4-devel +%endif +# /usr/bin/certtool for generating certificates +Requires: gnutls >= 3.1.10 +BuildRoot: %{_tmppath}/%{name}-%{version}-build +%{?systemd_requires} + +%description +OpenConnect server (ocserv) is an SSL VPN server. Its purpose is to +be a secure, small, fast and configurable VPN server. It implements +the OpenConnect SSL VPN protocol, and has also (currently experimental) +compatibility with clients using the AnyConnect SSL VPN protocol. +The OpenConnect protocol provides a dual TCP/UDP VPN channel, and +uses the standard IETF security protocols to secure it. The server +is implemented primarily for the GNU/Linux platform but its code +is designed to be portable to other UNIX variants as well. + +Ocserv's main features are security through privilege separation +and sandboxing, accounting, and resilience due to a combined use +of TCP and UDP. Authentication occurs in an isolated security +module process, and each user is assigned an unprivileged worker +process, and a networking (tun) device. That not only eases the +control of the resources of each user or group of users, but also +prevents data leak (e.g., heartbleed-style attacks), and privilege +escalation due to any bug on the VPN handling (worker) process. +A management interface allows for viewing and querying logged-in users. + +%prep +%setup -q -n %{name}-0.9.0 +%patch -p1 +%patch1 -p1 +%patch2 -p1 +autoreconf -fiv + +%build +%configure --enable-systemd \ + --enable-seccomp \ + --enable-linux-namespaces \ + --disable-rpath \ + --enable-local-libopts \ + --enable-libopts-install +make %{?_smp_mflags} + +%install +make install DESTDIR=%{buildroot} %{?_smp_mflags} + +install -d %{buildroot}%{_sysconfdir}/ocserv/certificates +install -m 0644 %{SOURCE1} %{buildroot}%{_sysconfdir}/ocserv/certificates +install -m 0644 %{SOURCE2} %{buildroot}%{_sysconfdir}/ocserv/certificates +install -m 0644 %{SOURCE3} %{buildroot}%{_sysconfdir}/ocserv/certificates +install -m 0644 %{SOURCE99} %{buildroot}%{_sysconfdir}/ocserv/ +install -m 0644 doc/sample.config %{buildroot}%{_sysconfdir}/ocserv/ocserv.conf +install -m 0644 doc/sample.passwd %{buildroot}%{_sysconfdir}/ocserv/ocpasswd +install -m 0755 doc/scripts/ocserv-script %{buildroot}%{_bindir} + +install -d %{buildroot}%{_unitdir} +# if --with-dubs, here should be "standalone" +install -m 0644 doc/systemd/socket-activated/ocserv.socket %{buildroot}%{_unitdir} +install -m 0644 doc/systemd/socket-activated/ocserv.service %{buildroot}%{_unitdir} + +%pre +%service_add_pre ocserv.service ocserv.socket + +%post +/sbin/ldconfig +%service_add_post ocserv.service ocserv.socket + +%preun +%service_del_preun ocserv.service ocserv.socket + +%postun +/sbin/ldconfig +%service_del_postun ocserv.service ocserv.socket + +%files +%defattr(-,root,root) +%doc AUTHORS ChangeLog LICENSE NEWS README COPYING TODO +%config %{_sysconfdir}/ocserv +%{_bindir}/occtl +%{_bindir}/ocpasswd +%{_bindir}/ocserv-script +%{_sbindir}/ocserv +%{_unitdir}/ocserv.service +%{_unitdir}/ocserv.socket +%{_mandir}/man8/occtl.8.gz +%{_mandir}/man8/ocpasswd.8.gz +%{_mandir}/man8/ocserv.8.gz + diff --git a/server.tmpl b/server.tmpl new file mode 100644 index 0000000..e8243b8 --- /dev/null +++ b/server.tmpl @@ -0,0 +1,6 @@ +cn = "Your hostname or IP" +organization = "opensuse" +expiration_days = 3650 +signing_key +encryption_key +tls_www_server diff --git a/user.tmpl b/user.tmpl new file mode 100644 index 0000000..9ba5e19 --- /dev/null +++ b/user.tmpl @@ -0,0 +1,5 @@ +cn = "opensuse" +unit = "opensuse" +expiration_days = 365 +signing_key +tls_www_client