Go to file
2018-02-26 22:25:39 +00:00
.gitattributes Accepting request 285939 from home:MargueriteSu 2015-02-26 20:07:11 +00:00
.gitignore Accepting request 285939 from home:MargueriteSu 2015-02-26 20:07:11 +00:00
ca.tmpl Accepting request 285939 from home:MargueriteSu 2015-02-26 20:07:11 +00:00
ocserv-0.11.10.tar.xz Accepting request 580000 from home:MargueriteSu:branches:network:vpn 2018-02-26 02:10:00 +00:00
ocserv-enable-systemd.patch Accepting request 314133 from home:MargueriteSu 2015-06-28 05:23:02 +00:00
ocserv-LZ4_compress_default.patch Accepting request 580000 from home:MargueriteSu:branches:network:vpn 2018-02-26 02:10:00 +00:00
ocserv.changes Accepting request 580000 from home:MargueriteSu:branches:network:vpn 2018-02-26 02:10:00 +00:00
ocserv.config.patch Accepting request 580000 from home:MargueriteSu:branches:network:vpn 2018-02-26 02:10:00 +00:00
ocserv.spec Accepting request 580000 from home:MargueriteSu:branches:network:vpn 2018-02-26 02:10:00 +00:00
ocserv.SuSEfirewall Accepting request 361424 from home:MargueriteSu:branches:network:vpn 2016-02-25 14:38:11 +00:00
ocserv.sysctl Accepting request 361424 from home:MargueriteSu:branches:network:vpn 2016-02-25 14:38:11 +00:00
README.SUSE Accepting request 361424 from home:MargueriteSu:branches:network:vpn 2016-02-25 14:38:11 +00:00
server.tmpl Accepting request 285939 from home:MargueriteSu 2015-02-26 20:07:11 +00:00
user.tmpl Accepting request 285939 from home:MargueriteSu 2015-02-26 20:07:11 +00:00

## Setup AnyConnect VPN w/ ocserv

### What is Cisco Anyconnect? What is ocserv?

Cisco Anyconnect is an enterprise VPN first launched by Cisco.

The open source technology behind is OpenConnect.

It uses UDP DTLS (Datagram Transport Layer Security) to encrypt traffic 
during regular times, and uses TCP TLS for reconnect when offline.

So it's more stable then other types of VPN, and massively used by big multinational companys which make it unlikely to be overkilled. With its rare scale among individuals, it's less likely to attract blockage.

### Initialization 

After getting ocserv installed through zypper/YaST, you need to edit
/etc/ocserv/certificates/server.tmpl.

Change:

cn = "Your hostname or IP"

to the real one. You can /sbin/ifconfig -a to check yours.

#### Generate Certificates

cd /etc/ocserv/certificates
sudo certtool --generate-privkey --outfile ca-key.pem
sudo certtool --generate-self-signed --load-privkey ca-key.pem --template ca.tmpl --outfile ca-cert.pem
sudo certtool --generate-privkey --outfile server-key.pem
sudo certtool --generate-certificate --load-privkey server-key.pem --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem --template server.tmpl --outfile server-cert.pem

#### Generate passwd file

sudo ocpasswd -c /etc/ocserv/ocpasswd your_username_wanted

The later "your_username_wanted" is left for you.

Then log your chosen passwords twice.

#### Shutdown SUSEFirewall2 through YaST

Because I don't know how to convert iptables rules to SUSEFirewall2 ones.
If you can help me, please fork this package and submit back.

#### Set iptables rules

sudo /sbin/iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE
sudo /sbin/iptables -A FORWARD -s 192.168.1.0/24 -j ACCEPT

The 9000/9001 ports, IP range 192.168.1.0/24 are default ones,
you can change them in /etc/ocserv/ocserv.conf

Warning: Your eth0 may not exist, you can ifconfig -a to find yours.

#### Test

sudo /sbin/ocserv -f -d 1

#### Enable systemd services

sudo systemctl enable ocserv.service
sudo systemctl start ocserv.service

### Client Cert Login

sudo certtool --generate-privkey --outfile user-key.pem
sudo certtool --generate-certificate --load-privkey user-key.pem --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem --template user.tmpl --outfile user-cert.pem

#### Change ocserv.conf

Change:

	#auth = "certificate"
	auth = "plain[/etc/ocserv/ocpasswd]"

To:

	auth = "certificate"
	#auth = "plain[/etc/ocserv/ocpasswd]"

And comment:

	#listen-clear-file = /var/run/ocserv-conn.socket

And uncomment:

	ca-cert = /etc/ocserv/certificates/ca-cert.pem

Restart service:

	sudo systemctl restart ocserv.service

#### Generate pk12 file for iOS

openssl pkcs12 -export -inkey user-key.pem -in user-cert.pem -certfile ca-cert.pem -out user.p12

### Client Connection

Remember to set the server address to xxx.xxx.xxx.xxx:your_port,
eg: opensuse.org:9000

#### iOS

Search "anyconnect" in App Store. 

Either type username/password manually or import the pk12 file
(You can put the later on your download server)

#### Linux

Install NetworkManager-openconnect, also plasma-nm-openconnect if you're under KDE. Support certificate login only.

You need your ca-cert.pem, user-cert.pem and user-key.pem.

#### Android

Search "AnyConnect", "SmoothConnect" or "OpenConnect" in Google Play.