Accepting request 285939 from home:MargueriteSu

OBS-URL: https://build.opensuse.org/request/show/285939
OBS-URL: https://build.opensuse.org/package/show/network:vpn/ocserv?expand=0&rev=1
This commit is contained in:
Tomáš Chvátal 2015-02-26 20:07:11 +00:00 committed by Git OBS Bridge
commit c5d48392d7
12 changed files with 466 additions and 0 deletions

23
.gitattributes vendored Normal file
View File

@ -0,0 +1,23 @@
## Default LFS
*.7z filter=lfs diff=lfs merge=lfs -text
*.bsp filter=lfs diff=lfs merge=lfs -text
*.bz2 filter=lfs diff=lfs merge=lfs -text
*.gem filter=lfs diff=lfs merge=lfs -text
*.gz filter=lfs diff=lfs merge=lfs -text
*.jar filter=lfs diff=lfs merge=lfs -text
*.lz filter=lfs diff=lfs merge=lfs -text
*.lzma filter=lfs diff=lfs merge=lfs -text
*.obscpio filter=lfs diff=lfs merge=lfs -text
*.oxt filter=lfs diff=lfs merge=lfs -text
*.pdf filter=lfs diff=lfs merge=lfs -text
*.png filter=lfs diff=lfs merge=lfs -text
*.rpm filter=lfs diff=lfs merge=lfs -text
*.tbz filter=lfs diff=lfs merge=lfs -text
*.tbz2 filter=lfs diff=lfs merge=lfs -text
*.tgz filter=lfs diff=lfs merge=lfs -text
*.ttf filter=lfs diff=lfs merge=lfs -text
*.txz filter=lfs diff=lfs merge=lfs -text
*.whl filter=lfs diff=lfs merge=lfs -text
*.xz filter=lfs diff=lfs merge=lfs -text
*.zip filter=lfs diff=lfs merge=lfs -text
*.zst filter=lfs diff=lfs merge=lfs -text

1
.gitignore vendored Normal file
View File

@ -0,0 +1 @@
.osc

126
README.SUSE Normal file
View File

@ -0,0 +1,126 @@
## Setup AnyConnect VPN w/ ocserv
### What is Cisco Anyconnect? What is ocserv?
Cisco Anyconnect is an enterprise VPN first launched by Cisco.
The open source technology behind is OpenConnect.
It uses UDP DTLS (Datagram Transport Layer Security) to encrypt traffic
during regular times, and uses TCP TLS for reconnect when offline.
So it's more stable then other types of VPN, and massively used by big multinational companys which make it unlikely to be overkilled. With its rare scale among individuals, it's less likely to attract blockage.
### Initialization
After getting ocserv installed through zypper/YaST, you need to edit
/etc/ocserv/certificates/server.tmpl.
Change:
cn = "Your hostname or IP"
to the real one. You can /sbin/ifconfig -a to check yours.
#### Generate Certificates
cd /etc/ocserv/certificates
sudo certtool --generate-privkey --outfile ca-key.pem
sudo certtool --generate-self-signed --load-privkey ca-key.pem --template ca.tmpl --outfile ca-cert.pem
sudo certtool --generate-privkey --outfile server-key.pem
sudo certtool --generate-certificate --load-privkey server-key.pem --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem --template server.tmpl --outfile server-cert.pem
#### Generate passwd file
sudo ocpasswd -c /etc/ocserv/ocpasswd your_username_wanted
The later "your_username_wanted" is left for you.
Then log your chosen passwords twice.
#### Shutdown SUSEFirewall2 through YaST
Because I don't know how to convert iptables rules to SUSEFirewall2 ones.
If you can help me, please fork this package and submit back.
#### Set iptables rules
sudo /sbin/iptables -A INPUT -p tcp --dport 9000 -j ACCEPT
sudo /sbin/iptables -A INPUT -p udp --dport 9001 -j ACCEPT
sudo /sbin/iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE
sudo /sbin/iptables -A FORWARD -s 192.168.1.0/24 -j ACCEPT
The 9000/9001 ports, IP range 192.168.1.0/24 are default ones,
you can change them in /etc/ocserv/ocserv.conf
Warning: Your eth0 may not exist, you can ifconfig -a to find yours.
#### Enable IP forward
sudo echo 1 > /proc/sys/net/ipv4/ip_forward
It doesn't live after reboot.
#### Test
sudo /sbin/ocserv -f -d 1
#### Enable systemd services
sudo systemctl enable ocserv.service
sudo systemctl start ocserv.service
### Client Cert Login
sudo certtool --generate-privkey --outfile user-key.pem
sudo certtool --generate-certificate --load-privkey user-key.pem --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem --template user.tmpl --outfile user-cert.pem
#### Change ocserv.conf
Change:
#auth = "certificate"
auth = "plain[/etc/ocserv/ocpasswd]"
To:
auth = "certificate"
#auth = "plain[/etc/ocserv/ocpasswd]"
And comment:
#listen-clear-file = /var/run/ocserv-conn.socket
And uncomment:
ca-cert = /etc/ocserv/certificates/ca-cert.pem
Restart service:
sudo systemctl restart ocserv.service
#### Generate pk12 file for iOS
openssl pkcs12 -export -inkey user-key.pem -in user-cert.pem -certfile ca-cert.pem -out user.p12
### Client Connection
Remember to set the server address to xxx.xxx.xxx.xxx:your_port,
eg: opensuse.org:9000
#### iOS
Search "anyconnect" in App Store.
Either type username/password manually or import the pk12 file
(You can put the later on your download server)
#### Linux
Install NetworkManager-openconnect, also plasma-nm-openconnect if you're under KDE. Support certificate login only.
You need your ca-cert.pem, user-cert.pem and user-key.pem.
#### Android
Search "AnyConnect", "SmoothConnect" or "OpenConnect" in Google Play.

8
ca.tmpl Normal file
View File

@ -0,0 +1,8 @@
cn = "opensuse"
organization = "opensuse"
serial = 1
expiration_days = 3650
ca
signing_key
cert_signing_key
crl_signing_key

3
ocserv-0.9.0.1.tar.xz Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:6428e895b59ea412cd3ef3fff37c107a7d443616384a2fd911810458db80cf56
size 656716

View File

@ -0,0 +1,16 @@
Index: ocserv-0.9.0/configure.ac
===================================================================
--- ocserv-0.9.0.orig/configure.ac
+++ ocserv-0.9.0/configure.ac
@@ -319,11 +319,7 @@ AC_ARG_ENABLE(systemd,
if [ test "$systemd_enabled" = "yes" ];then
AC_LIB_HAVE_LINKFLAGS(systemd,, [#include <systemd/sd-daemon.h>], [sd_listen_fds(0);])
- if [ test -z "$LIBSYSTEMD_DAEMON" ];then
- systemd_enabled="no"
- else
systemd_enabled="yes"
- fi
fi
AC_ARG_ENABLE(anyconnect-compat,

13
ocserv-str_init.patch Normal file
View File

@ -0,0 +1,13 @@
Index: ocserv-0.9.0/src/main-ctl-dbus.c
===================================================================
--- ocserv-0.9.0.orig/src/main-ctl-dbus.c
+++ ocserv-0.9.0/src/main-ctl-dbus.c
@@ -946,7 +946,7 @@ static void method_introspect(main_serve
mslog(s, NULL, LOG_DEBUG, "ctl: introspect");
- str_init(&buf);
+ str_init(&buf, ctx);
ret = str_append_data(&buf, XML_HEAD, sizeof(XML_HEAD) - 1);
if (ret < 0) {

35
ocserv.changes Normal file
View File

@ -0,0 +1,35 @@
-------------------------------------------------------------------
Fri Feb 13 11:28:14 UTC 2015 - i@marguerite.su
- add user.tmpl, for certificate login
- tweak default config more
- add README.SUSE as setup instructions
-------------------------------------------------------------------
Mon Feb 2 10:04:45 UTC 2015 - i@marguerite.su
- initial version 0.9.0.1
* Added native support for radius. That adds the new auth
configuration option "radius", which has as parameters
the freeradius-client configuration file and optionally
the groupconfig option which instructs to read
configuration from radius; the stats-report-time option
enables interim-updates. That adds the dependency to
freeradius-client (see doc/README.radius).
* Reply using the same address that received UDP packets
are sent.
* Simplify the input of IPv6 network addresses.
* Use a separate IPC and PID namespace in Linux systems
for worker processes. That effectively puts each worker
process in a separate container. This can be enabled at
compile time using --enable-linux-namespaces.
* Configuration option 'use-seccomp' was replaced by
'isolate-workers', which in addition to seccomp it enables
the Linux namespaces restrictions.
* Added support for stateless compression using LZ4 and LZS.
This is disabled by default.
- disable dbus interface because currently it provides less
function than unix socket
- add patch: ocserv-str_init.patch
- add patch: ocserv-enable-systemd.patch
- add patch: ocserv.config.patch

93
ocserv.config.patch Normal file
View File

@ -0,0 +1,93 @@
Index: ocserv-0.9.0/doc/sample.config
===================================================================
--- ocserv-0.9.0.orig/doc/sample.config
+++ ocserv-0.9.0/doc/sample.config
@@ -34,7 +34,7 @@
#auth = "certificate[optional]"
#auth = "pam"
#auth = "pam[gid-min=1000]"
-auth = "plain[./sample.passwd]"
+auth = "plain[/etc/ocserv/ocpasswd]"
#auth = "radius[/etc/radiusclient/radiusclient.conf,groupconfig]"
# Whether to enable seccomp/Linux namespaces worker isolation. That restricts the number of
@@ -68,8 +68,8 @@ max-same-clients = 2
#listen-host-is-dyndns = true
# TCP and UDP port number
-tcp-port = 443
-udp-port = 443
+tcp-port = 9000
+udp-port = 9001
# Accept connections using a socket file. It accepts HTTP
# connections (i.e., without SSL/TLS unlike its TCP counterpart),
@@ -101,7 +101,7 @@ dpd = 90
mobile-dpd = 1800
# MTU discovery (DPD must be enabled)
-try-mtu-discovery = false
+try-mtu-discovery = true
# The key and the certificates of the server
# The key may be a file, or any URL supported by GnuTLS (e.g.,
@@ -113,8 +113,8 @@ try-mtu-discovery = false
#
# There may be multiple server-cert and server-key directives,
# but each key should correspond to the preceding certificate.
-server-cert = ../tests/server-cert.pem
-server-key = ../tests/server-key.pem
+server-cert = /etc/ocserv/certificates/server-cert.pem
+server-key = /etc/ocserv/certificates/server-key.pem
# Diffie-Hellman parameters. Only needed if you require support
# for the DHE ciphersuites (by default this server supports ECDHE).
@@ -140,7 +140,7 @@ server-key = ../tests/server-key.pem
# The Certificate Authority that will be used to verify
# client certificates (public keys) if certificate authentication
# is set.
-#ca-cert = /path/to/ca.pem
+#ca-cert = /etc/ocserv/certificates/ca-cert.pem
# The object identifier that will be used to read the user ID in the client
# certificate. The object identifier should be part of the certificate's DN
@@ -236,8 +236,8 @@ rekey-method = ssl
# STATS_BYTES_OUT, STATS_DURATION that contain a 64-bit counter of the bytes
# output from the tun device, and the duration of the session in seconds.
-#connect-script = /usr/bin/myscript
-#disconnect-script = /usr/bin/myscript
+#connect-script = /usr/bin/ocserv-script
+#disconnect-script = /usr/bin/ocserv-script
# UTMP
# Register the connected clients to utmp. This will allow viewing
@@ -302,7 +302,7 @@ ipv4-netmask = 255.255.255.0
# The advertized DNS server. Use multiple lines for
# multiple servers.
# dns = fc00::4be0
-dns = 192.168.1.2
+dns = 8.8.8.8
# The NBNS server (if any)
#nbns = 192.168.1.3
@@ -342,8 +342,8 @@ ping-leases = false
# comment out all routes from the server, or use the special keyword
# 'default'.
-route = 192.168.1.0/255.255.255.0
-route = 192.168.5.0/255.255.255.0
+#route = 192.168.1.0/255.255.255.0
+#route = 192.168.5.0/255.255.255.0
#route = fef4:db8:1000:1001::/64
# Groups that a client is allowed to select from.
@@ -411,7 +411,7 @@ route = 192.168.5.0/255.255.255.0
# for clients to present their certificate on every connection.
# That is they may resume a cookie without presenting a certificate
# (when certificate authentication is used).
-#cisco-client-compat = true
+cisco-client-compat = true
# Client profile xml. A sample file exists in doc/profile.xml.
# It is required by some of the CISCO clients.

137
ocserv.spec Normal file
View File

@ -0,0 +1,137 @@
#
# spec file for package ocserv
#
# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
# Please submit bugfixes or comments via http://bugs.opensuse.org/
#
Name: ocserv
Version: 0.9.0.1
Release: 0
License: GPL-2.0+
Summary: OpenConnect VPN Server
Url: http://www.infradead.org/ocserv
Group: Productivity/Networking/Security
Source: ftp://ftp.infradead.org/pub/ocserv/%{name}-%{version}.tar.xz
Source1: ca.tmpl
Source2: server.tmpl
Source3: user.tmpl
Source99: README.SUSE
#PATCH-FIX-UPSTREAM marguerite@opensuse.org str_init lacks a parameter
Patch: %{name}-str_init.patch
#PATCH-FIX-UPSTREAM marguerite@opensuse.org $LIBSYSTEMD_DAEMON env is not set on openSUSE
Patch1: %{name}-enable-systemd.patch
#PATCH-FIX-UPSTREAM marguerite@opensuse.org tweak configuration
Patch2: %{name}.config.patch
BuildRequires: autogen
BuildRequires: libtool
BuildRequires: pkg-config
BuildRequires: libgnutls-devel >= 3.1.10
BuildRequires: protobuf-devel
BuildRequires: libtalloc-devel
BuildRequires: libnl3-devel
BuildRequires: readline5-devel
BuildRequires: pam-devel
BuildRequires: freeradius-client-devel
BuildRequires: libseccomp-devel
BuildRequires: dbus-1-devel
BuildRequires: systemd-devel
%if 0%{?suse_version} > 1310
BuildRequires: liblz4-devel
%endif
# /usr/bin/certtool for generating certificates
Requires: gnutls >= 3.1.10
BuildRoot: %{_tmppath}/%{name}-%{version}-build
%{?systemd_requires}
%description
OpenConnect server (ocserv) is an SSL VPN server. Its purpose is to
be a secure, small, fast and configurable VPN server. It implements
the OpenConnect SSL VPN protocol, and has also (currently experimental)
compatibility with clients using the AnyConnect SSL VPN protocol.
The OpenConnect protocol provides a dual TCP/UDP VPN channel, and
uses the standard IETF security protocols to secure it. The server
is implemented primarily for the GNU/Linux platform but its code
is designed to be portable to other UNIX variants as well.
Ocserv's main features are security through privilege separation
and sandboxing, accounting, and resilience due to a combined use
of TCP and UDP. Authentication occurs in an isolated security
module process, and each user is assigned an unprivileged worker
process, and a networking (tun) device. That not only eases the
control of the resources of each user or group of users, but also
prevents data leak (e.g., heartbleed-style attacks), and privilege
escalation due to any bug on the VPN handling (worker) process.
A management interface allows for viewing and querying logged-in users.
%prep
%setup -q -n %{name}-0.9.0
%patch -p1
%patch1 -p1
%patch2 -p1
autoreconf -fiv
%build
%configure --enable-systemd \
--enable-seccomp \
--enable-linux-namespaces \
--disable-rpath \
--enable-local-libopts \
--enable-libopts-install
make %{?_smp_mflags}
%install
make install DESTDIR=%{buildroot} %{?_smp_mflags}
install -d %{buildroot}%{_sysconfdir}/ocserv/certificates
install -m 0644 %{SOURCE1} %{buildroot}%{_sysconfdir}/ocserv/certificates
install -m 0644 %{SOURCE2} %{buildroot}%{_sysconfdir}/ocserv/certificates
install -m 0644 %{SOURCE3} %{buildroot}%{_sysconfdir}/ocserv/certificates
install -m 0644 %{SOURCE99} %{buildroot}%{_sysconfdir}/ocserv/
install -m 0644 doc/sample.config %{buildroot}%{_sysconfdir}/ocserv/ocserv.conf
install -m 0644 doc/sample.passwd %{buildroot}%{_sysconfdir}/ocserv/ocpasswd
install -m 0755 doc/scripts/ocserv-script %{buildroot}%{_bindir}
install -d %{buildroot}%{_unitdir}
# if --with-dubs, here should be "standalone"
install -m 0644 doc/systemd/socket-activated/ocserv.socket %{buildroot}%{_unitdir}
install -m 0644 doc/systemd/socket-activated/ocserv.service %{buildroot}%{_unitdir}
%pre
%service_add_pre ocserv.service ocserv.socket
%post
/sbin/ldconfig
%service_add_post ocserv.service ocserv.socket
%preun
%service_del_preun ocserv.service ocserv.socket
%postun
/sbin/ldconfig
%service_del_postun ocserv.service ocserv.socket
%files
%defattr(-,root,root)
%doc AUTHORS ChangeLog LICENSE NEWS README COPYING TODO
%config %{_sysconfdir}/ocserv
%{_bindir}/occtl
%{_bindir}/ocpasswd
%{_bindir}/ocserv-script
%{_sbindir}/ocserv
%{_unitdir}/ocserv.service
%{_unitdir}/ocserv.socket
%{_mandir}/man8/occtl.8.gz
%{_mandir}/man8/ocpasswd.8.gz
%{_mandir}/man8/ocserv.8.gz

6
server.tmpl Normal file
View File

@ -0,0 +1,6 @@
cn = "Your hostname or IP"
organization = "opensuse"
expiration_days = 3650
signing_key
encryption_key
tls_www_server

5
user.tmpl Normal file
View File

@ -0,0 +1,5 @@
cn = "opensuse"
unit = "opensuse"
expiration_days = 365
signing_key
tls_www_client