rpm/ocserv
SHA256
1
0
Fork 0
forked from pool/ocserv
Code Pull Requests Activity

- BuildRequire /usr/bin/ronn instead of rubygem(ronn): there are

Browse Source 
alternatives around and the build does not care wich one is used.

OBS-URL: https://build.opensuse.org/package/show/network:vpn/ocserv?expand=0&rev=55
This commit is contained in:
Martin Hauke 2024-08-24 11:46:48 +00:00 committed by Git OBS Bridge
commit d2cc5d19f0
16 changed files with 1017 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

25
.gitattributes vendored Normal file
View File

@ -0,0 +1,25 @@
## Default LFS
*.7z filter=lfs diff=lfs merge=lfs -text
*.bsp filter=lfs diff=lfs merge=lfs -text
*.bz2 filter=lfs diff=lfs merge=lfs -text
*.gem filter=lfs diff=lfs merge=lfs -text
*.gz filter=lfs diff=lfs merge=lfs -text
*.jar filter=lfs diff=lfs merge=lfs -text
*.lz filter=lfs diff=lfs merge=lfs -text
*.lzma filter=lfs diff=lfs merge=lfs -text
*.obscpio filter=lfs diff=lfs merge=lfs -text
*.oxt filter=lfs diff=lfs merge=lfs -text
*.pdf filter=lfs diff=lfs merge=lfs -text
*.png filter=lfs diff=lfs merge=lfs -text
*.rpm filter=lfs diff=lfs merge=lfs -text
*.tbz filter=lfs diff=lfs merge=lfs -text
*.tbz2 filter=lfs diff=lfs merge=lfs -text
*.tgz filter=lfs diff=lfs merge=lfs -text
*.ttf filter=lfs diff=lfs merge=lfs -text
*.txz filter=lfs diff=lfs merge=lfs -text
*.whl filter=lfs diff=lfs merge=lfs -text
*.xz filter=lfs diff=lfs merge=lfs -text
*.zip filter=lfs diff=lfs merge=lfs -text
*.zst filter=lfs diff=lfs merge=lfs -text
## Specific LFS patterns
gpgkey-1F42418905D8206AA754CCDC29EE58B996865171.gpg filter=lfs diff=lfs merge=lfs -text

1
.gitignore vendored Normal file
View File

@ -0,0 +1 @@
.osc

118
README.SUSE Normal file
View File

@ -0,0 +1,118 @@
## Setup AnyConnect VPN w/ ocserv
### What is Cisco Anyconnect? What is ocserv?
Cisco Anyconnect is an enterprise VPN first launched by Cisco.
The open source technology behind is OpenConnect.
It uses UDP DTLS (Datagram Transport Layer Security) to encrypt traffic
during regular times, and uses TCP TLS for reconnect when offline.
So it's more stable then other types of VPN, and massively used by big multinational companys which make it unlikely to be overkilled. With its rare scale among individuals, it's less likely to attract blockage.
### Initialization
After getting ocserv installed through zypper/YaST, you need to edit
/etc/ocserv/certificates/server.tmpl.
Change:
cn = "Your hostname or IP"
to the real one. You can /sbin/ifconfig -a to check yours.
#### Generate Certificates
cd /etc/ocserv/certificates
sudo certtool --generate-privkey --outfile ca-key.pem
sudo certtool --generate-self-signed --load-privkey ca-key.pem --template ca.tmpl --outfile ca-cert.pem
sudo certtool --generate-privkey --outfile server-key.pem
sudo certtool --generate-certificate --load-privkey server-key.pem --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem --template server.tmpl --outfile server-cert.pem
#### Generate passwd file
sudo ocpasswd -c /etc/ocserv/ocpasswd your_username_wanted
The later "your_username_wanted" is left for you.
Then log your chosen passwords twice.
#### Shutdown SUSEFirewall2 through YaST
Because I don't know how to convert iptables rules to SUSEFirewall2 ones.
If you can help me, please fork this package and submit back.
#### Set iptables rules
sudo /sbin/iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE
sudo /sbin/iptables -A FORWARD -s 192.168.1.0/24 -j ACCEPT
The 9000/9001 ports, IP range 192.168.1.0/24 are default ones,
you can change them in /etc/ocserv/ocserv.conf
Warning: Your eth0 may not exist, you can ifconfig -a to find yours.
#### Test
sudo /sbin/ocserv -f -d 1
#### Enable systemd services
sudo systemctl enable ocserv.service
sudo systemctl start ocserv.service
### Client Cert Login
sudo certtool --generate-privkey --outfile user-key.pem
sudo certtool --generate-certificate --load-privkey user-key.pem --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem --template user.tmpl --outfile user-cert.pem
#### Change ocserv.conf
Change:
#auth = "certificate"
auth = "plain[/etc/ocserv/ocpasswd]"
To:
auth = "certificate"
#auth = "plain[/etc/ocserv/ocpasswd]"
And comment:
#listen-clear-file = /var/run/ocserv-conn.socket
And uncomment:
ca-cert = /etc/ocserv/certificates/ca-cert.pem
Restart service:
sudo systemctl restart ocserv.service
#### Generate pk12 file for iOS
openssl pkcs12 -export -inkey user-key.pem -in user-cert.pem -certfile ca-cert.pem -out user.p12
### Client Connection
Remember to set the server address to xxx.xxx.xxx.xxx:your_port,
eg: opensuse.org:9000
#### iOS
Search "anyconnect" in App Store.
Either type username/password manually or import the pk12 file
(You can put the later on your download server)
#### Linux
Install NetworkManager-openconnect, also plasma-nm-openconnect if you're under KDE. Support certificate login only.
You need your ca-cert.pem, user-cert.pem and user-key.pem.
#### Android
Search "AnyConnect", "SmoothConnect" or "OpenConnect" in Google Play.

8
ca.tmpl Normal file
View File

@ -0,0 +1,8 @@
cn = "opensuse"
organization = "opensuse"
serial = 1
expiration_days = 3650
ca
signing_key
cert_signing_key
crl_signing_key

3
gpgkey-1F42418905D8206AA754CCDC29EE58B996865171.gpg Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:b62b9380d3966fa4c8c676364bb43f94e955b46f5ac5b009ff53dd1a61dca56e
size 7416

3
ocserv-1.3.0.tar.xz Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:5c562c3ea1032065ef43d6075e5722f94ce6a7a780d6a2b4c6d54c1ce3921965
size 770596

BIN
ocserv-1.3.0.tar.xz.sig Normal file
View File

Binary file not shown.

16
ocserv-LZ4_compress_default.patch Normal file
View File

@ -0,0 +1,16 @@
Index: ocserv-0.11.10/src/worker-http.c
===================================================================
--- ocserv-0.11.10.orig/src/worker-http.c
+++ ocserv-0.11.10/src/worker-http.c
@@ -137,7 +137,11 @@ int lz4_compress(void *dst, int dstlen,
{
/* we intentionally restrict output to srclen so that
* compression fails early for packets that expand. */
+#ifdef LZ4_COMPRESS_DEFAULT
return LZ4_compress_default(src, dst, srclen, srclen);
+#else
+ return LZ4_compress_limitedOutput(src, dst, srclen, srclen);
+#endif
}
#endif

16
ocserv-enable-systemd.patch Normal file
View File

@ -0,0 +1,16 @@
diff --git a/configure.ac b/configure.ac
index 2e4a0e8..81ac3bd 100644
--- a/configure.ac
+++ b/configure.ac
@@ -423,11 +423,7 @@ AC_ARG_ENABLE(systemd,
if [ test "$systemd_enabled" = "yes" ];then
AC_LIB_HAVE_LINKFLAGS(systemd,, [#include <systemd/sd-daemon.h>], [sd_listen_fds(0);])
- if [ test -z "$LIBSYSTEMD" ];then
- systemd_enabled="no"
- else
systemd_enabled="yes"
- fi
fi
AC_ARG_ENABLE(namespaces,

89
ocserv-forwarding.sh Normal file
View File

@ -0,0 +1,89 @@
#!/bin/bash
set -o errexit
# This script enables IP forwarding only for the time of ocserv running
#
# The script should be run as a pre and post script via the systemd service
# unit.
#
# It only touches a sysctl if it doesn't have the required value and is able
# to restore it back to the original value by keeping track of changed
# settings in a state file.
STATEDIR="/run/ocserv"
STATEFILE="$STATEDIR/changed_sysctls"
# the sysctls that need to be at '1' for ocserv to work properly
CONTROLS=("net.ipv4.ip_forward" "net.ipv6.conf.default.forwarding" "net.ipv6.conf.all.forwarding")
errecho() {
echo $* 1>&2
}
usage() {
errecho "Usage: $0 [--enable|--disable]"
errecho
errecho "--enable: enable IP forwarding kernel settings, if necessary"
errecho "--disable: restore IP forwarding kernel settings that have previously been changed via --enable"
errecho
errecho "This script temporarily enables IP forwarding while ocserv is running"
exit 1
}
# make sure we don't create anything world readable for other users
umask 077
if [ $# -ne 1 ]; then
usage
fi
SYSCTL=`which sysctl`
if [ -z "$SYSCTL" ]; then
errecho "Couldn't find 'sysctl'. You need to be root to run this script."
exit 1
fi
operation="$1"
if [ "$operation" = "-h" -o "$operation" = "--help" ]; then
usage
elif [ "$operation" = "--enable" ]; then
changed=()
for control in ${CONTROLS[@]}; do
val=$($SYSCTL -n "$control")
if [ $? -ne 0 ]; then
errecho "failed to run sysctl"
exit 2
fi
if [ "$val" -eq 0 ]; then
echo -n "enabling $control: "
$SYSCTL "${control}=1"
if [ $? -eq 0 ]; then
changed+=("$control")
fi
fi
done
if (( ${#changed[@]} )); then
mkdir -p "$STATEDIR"
for changed in ${changed[@]}; do
echo "$changed" >>"$STATEFILE"
done
fi
elif [ "$operation" = "--disable" ]; then
if [ ! -f "$STATEFILE" ]; then
# nothing to restore
exit 0
fi
for control in `cat $STATEFILE`; do
echo -n "restoring $control: "
$SYSCTL "${control}=0" || continue
done
rm -f "$STATEFILE"
else
errecho "invalid argument: $operation"
usage
fi

507
ocserv.changes Normal file
View File

@ -0,0 +1,507 @@
-------------------------------------------------------------------
Fri Aug 23 15:09:09 UTC 2024 - Dominique Leuenberger <dimstar@opensuse.org>
- BuildRequire /usr/bin/ronn instead of rubygem(ronn): there are
alternatives around and the build does not care wich one is used.
-------------------------------------------------------------------
Wed May 15 12:58:13 UTC 2024 - Андрей Кувшинов <m407@mail.ru>
- Update to version 1.3.0
* Switch to https://github.com/nodejs/llhttp from http-parser.
http-parser was a liability as an unmaintained project (#598)
* Bump the number of groups per account from 128 to 512 (#219)
* Allow connecting users to select an authgroup by appending the
group name to the URL, as in https://vpn.example.com/groupname;
this introduces the select-group-by-url config option (#597).
* Informational messages due to configuration loading are not printed
during worker initialization.
- Update to version 1.2.4
* Get connection speed limits (traffic shaping) from RADIUS (#554)
* Fix logging to stderr: add missing newline.
* Fixed compatibility with AnyConnect clients on Linux (#544)
* Detect the new AnyConnect-compatible identifier of OpenConnect clients
* occtl: Print bit rates as kb/s.
- Update to version 1.2.3
* Treat unknown clients as capable of IPv6 routes and DNS servers
* Introduced new ocserv options --log-stderr and --syslog that redirect
logging to stderr or syslog explicitly. The stderr option allows for better
integration with logging on containers or under systemd. The default remains
syslog.
* Warn when more than 2 DNS server IPv6 addresses are sent by Radius.
* Improved server shutdown (#563)
* Modified Camouflage functionality to allow AnyConnect clients (#544)
* ocserv-fw: Move under libexec.
* ocserv-fw: Fixed clean_all_rules logic on multiple similar devices (!384)
* occtl: added machine-readable raw_connected_at field for user stats
-------------------------------------------------------------------
Mon Feb 26 12:40:44 UTC 2024 - Dominique Leuenberger <dimstar@opensuse.org>
- Use %autosetup macro. Allows to eliminate the usage of deprecated
PatchN.
-------------------------------------------------------------------
Mon Sep 25 08:41:26 UTC 2023 - Martin Hauke <mardnh@gmx.de>
- Update to version 1.2.2
* Fix session and accounting data tracking of ocserv. This
reverts fix for #444 (#541)
* No longer account ICMP and IGMP data for idle session detection
- Update URL
-------------------------------------------------------------------
Tue Aug 29 12:37:56 UTC 2023 - Martin Hauke <mardnh@gmx.de>
- Update to version 1.2.1
* Accept the Clavister OneConnect VPN Android client.
* No longer require to set device name per vhost.
* Account the correct number of points when proxyproto is in use
* nuttcp tests were replaced with iperf3 that is available
in more environments
* occtl: fix duplicate key in `occtl --json show users` output
- Update to version 1.2.0
* Add support for Cisco Enterprise phones to authenticate via
the /svc endpoint and the 'cisco-svc-client-compat' config
option.
* Enhanced radius group support to enable radius servers send
multiple group class attributes
See doc/README-radius.md for more information.
* Enhanced the seccomp filters to open files related to FIPS
compliance on SuSe.
* Added "Camouflage" functionality that makes ocserv look like a
web server to unauthorized parties.
* Avoid login failure when the end point of server URI
contains a query string.
* Make sure we print proper JSON with `occtl --debug --json`
* Eliminated the need for using the gnulib portability library.
- Update to version 1.1.7
* Emit a LOG_ERR error message with plain authentication fails
* The bundled inih was updated to r56.
* The bundled protobuf-c was updated to 1.4.1.
* Enhanced the seccomp filters for ARMv7 compatibility and musl
libc
* HTTP headers always capitalised as in RFC 9110
-------------------------------------------------------------------
Wed Jan 18 13:17:42 UTC 2023 - Matthias Gerstner <matthias.gerstner@suse.com>
- add ocserv-forwarding.sh: replace the sysctl drop-in file which was wrongly
installed into /etc by a more tailored mechanism. Enabling IP routing
globally and permanently, just because the package is installed is quite
invasive. This new script will be invoked before and after the ocserv
service to switch on and off forwarding, if necessary (bsc#1174722).
-------------------------------------------------------------------
Sun Aug 14 14:11:34 UTC 2022 - Michael Du <duyizhaozj321@yahoo.com>
- Update to version 1.1.6
* Fixed compatibility with clients on Windows ARM64.
* Added futex() to the accepted list of seccomp.
It is required by Fedora 36s libc.
* Work around change of returned error code in GnuTLS 3.7.3
for gnutls_privkey_import_x509_raw().
- Changes in version 1.1.5
* Fixed manpage output.
- Changes in version 1.1.4
* Added newfstatat() and epoll_pwait() to the accepted list of
seccomp calls. This improves compatibility with certain libcs
and aarch64.
* Do not allow assigning the same IPv6 as tun device address and
to the client. This allows using /127 as prefix (#430).
-------------------------------------------------------------------
Mon Jun 20 07:49:38 UTC 2022 - Dominique Leuenberger <dimstar@opensuse.org>
- explicitly buildignore libevent-devel, which is pulled in by
ubound. We use libev here and can get away with this.
-------------------------------------------------------------------
Sat Jun 5 10:37:15 UTC 2021 - Martin Hauke <mardnh@gmx.de>
- Update to version 1.1.3
* No longer close stdin and stdout on worker processes as they
are already closed in main process.
* Advertise X-CSTP-Session-Timeout.
* No longer recommend building with system's libpcl but rather
the bundled as it is not a very common shared library.
* Corrected busyloop on failed DTLS handshakes.
* Emit OWASP best practice headers for HTTP.
-------------------------------------------------------------------
Mon Dec 7 15:32:12 UTC 2020 - Martin Hauke <mardnh@gmx.de>
- Update to version 1.1.2
* Allow setup of new DTLS session concurrent with old session.
* Fixed an infinite loop on sec-mod crash when server-drain-ms
is set.
* Don't apply BanIP checks to clients on the same subnet.
* Don't attempt TLS if the client closes the connection with
zero data sent.
* Increased the maximum configuration line; this allows banner
messages longer than 200 characters.
* Removed the listen-clear-file config option. This option was
incompatible with several clients, and thus is unusable for a
generic server.
-------------------------------------------------------------------
Mon Sep 21 15:27:14 UTC 2020 - Martin Hauke <mardnh@gmx.de>
- Update to version 1.1.1:
* Improved rate-limit-ms and made it dependent on secmod backlog.
This makes the server more resilient (and prevents connection
failures) on multiple concurrent connections
- Added namespace support for listen address by introducing the
listen-netns option.
- Disable TLS1.3 when cisco client compatibility is enabled. New
anyconnect clients seem to supporting TLS1.3 but are unable to
handle a client with an RSA key.
- Enable a race free user disconnection via occtl.
- Added the config option of a pre-login-banner.
- Ocserv siwtched to using multiple ocserv-sm processes to
improve scale, with the number of ocserv-sm process dependent
on maximum clients and number of CPUs. Configuration option
sec-mod-scale can be used to override the heuristics.
- Fixed issue with group selection on radius servers sending
multiple group class attribute.
- Update patch:
* ocserv-enable-systemd.patch
* ocserv.config.patch
-------------------------------------------------------------------
Wed Aug 19 10:46:22 UTC 2020 - Callum Farmer <callumjfarmer13@gmail.com>
- Fixes for %_libexecdir changing to /usr/libexec (bsc#1174075)
-------------------------------------------------------------------
Fri Jul 3 17:34:58 UTC 2020 - Michael Du <duyizhaozj321@yahoo.com>
- Update to version 1.1.0:
* Switch from fork to fork/exec model to achieve better scaling
and ASLR protection. This introduces an ocserv-worker application
which should be installed at the same path as ocserv (#285).
* When Linux OOM takes control kill ocserv workers before
ocserv-main or ocserv-secmod (#283).
* Disable TCP queuing on the TLS port.
* Fix leak of GnuTLS session when DTLS connection is
re-established (#293).
- Verify source with keyring before build.
-------------------------------------------------------------------
Tue Apr 21 17:20:49 UTC 2020 - Martin Hauke <mardnh@gmx.de>
- Add signature and keyring for source verification
- Build with support for maxminddb
- Build with support for OATH
- Update to version 1.0.1
* Prevent clients that use broken versions of gnutls from
connecting using DTLS.
* occtl: added machine-readable fields in json output.
* occtl: IPs in ban list value is now reflecting the actual
banned IPs rather than the database size.
- Update to version 1.0.0
* Avoid crash on invalid configuration values.
* Updated manpage generation to work with newer versions of ronn.
* Ensure scripts have all the information on all disconnection
types.
* Several updates to further restrict the control that worker
processes have on the main process.
* Add support for RFC6750 bearer tokens. This adds the "auth=oidc"
config option. See doc/README-oidc.md for more information.
* Add USER_AGENT, DEVICE_TYPE and DEVICE_PLATFORM environment
variables when connect/disconnect scripts execute.
* Corrected issue with DTLS-PSK negotiation which prevented it
from being enabled.
* Improved IPv6 handling of AnyConnect client for Apple ios.
* Fixed issue with Radius accounting.
- Update to version 0.12.6
* Improved IPv6 support for anyconnect clients.
* The 'split-dns' configuration directive can be used per-user.
* The max-same-clients=1 configuration option no longer refuses
the reconnection of an already connected user.
* Added openat() to the accepted list of seccomp calls. This
allows ocserv to run under certain libcs.
- Update to version 0.12.5
* Added configuration option udp-listen-host. This option
supports different listen addresses for tcp and udp such as
haproxy for tcp, but support dtls at the same time.
* occtl: fixed json output of show status command. Introduced
tests for checking its json output using yajl.
* occtl: use maxminddb when available.
- Update to version 0.12.4
* Added support for radius access-challenge (multifactor)
authentication.
* Fixed race condition when connect-script and disconnect-script
are set, which could potentially cause a crash.
* Perform quicker cleanup of sessions which their user explicitly
disconnected.
-------------------------------------------------------------------
Thu Dec 19 14:56:10 UTC 2019 - Dominique Leuenberger <dimstar@opensuse.org>
- BuildRequire pkgconfig(libsystemd) instead of systemd-devel:
Allow OBS to shortcut through the -mini flavors.
-------------------------------------------------------------------
Wed Jul 24 13:28:00 UTC 2019 - matthias.gerstner@suse.com
- removal of SuSEfirewall2 service, since SuSEfirewall2 has been replaced by
firewalld, see [1].
[1]: https://lists.opensuse.org/opensuse-factory/2019-01/msg00490.html
-------------------------------------------------------------------
Tue Apr 23 09:08:03 UTC 2019 - Michael Du <duyizhaozj321@yahoo.com>
- Update to version 0.12.3:
* Fixed crash when no DTLS ciphersuite is negotiated.
* Fixed crash happening arbitrarily depending on handled string
sizes (#197).
* Fixed compatibility issue with GnuTLS 3.3.x (#201).
* occtl: print the TLS session information, even if the DTLS
channel is not established.
-------------------------------------------------------------------
Fri Jan 25 14:54:35 UTC 2019 - Michael Du <duyizhaozj321@yahoo.com>
- Update to version 0.12.2:
* Added support for AES256-SHA legacy cipher. This allows the
anyconnect clients to use AES256.
* Added support for the DTLS1.2 protocol hack used by new
Anyconnect clients.
-------------------------------------------------------------------
Thu May 17 10:48:43 UTC 2018 - duyizhaozj321@yahoo.com
- Update to version 0.12.1:
* Fixed crash on initialization when server was running on background
* Work around issues with GnuTLS 3.4.x on ubuntu 16.04, at the cost of a memory leak on key reload
-------------------------------------------------------------------
Fri May 11 08:08:54 UTC 2018 - duyizhaozj321@yahoo.com
- Update to version 0.12.0
* Allow DTLS stream to come from different IP from TLS stream. There are situations where internet providers send the UDP stream from different IP.
* Increased possibilities of allowed combinations of authentication methods.
* Corrected regression since 0.11.8 with OTP authentication.
* Added support for hostname-based virtual hosts, utilizing TLS SNI. With that change it is possible to configure multiple servers running over the same port.
* Rename the tun device on BSD systems which support SIOCSIFNAME ioctl.
* Correctly handle proxy-protocols health commands. That eliminates few connection drops when proxy protocol is in use.
* Corrected crash on certain cases when proxy protocol is in use.
- Update ocserv.config.patch due to upstream changes
-------------------------------------------------------------------
Tue Feb 27 02:50:33 UTC 2018 - i@marguerite.su
- add firewalld service
-------------------------------------------------------------------
Sat Feb 24 05:43:55 UTC 2018 - i@marguerite.su
- update version 0.11.10
* see NEWS
- drop boo1021353-ocserv-doc-racing-in-parallel-build.patch
* upstreamed
- add ocserv-LZ4_compress_default.patch
* leap doesn't have LZ4_compress_default
-------------------------------------------------------------------
Thu May 11 08:35:51 UTC 2017 - dimstar@opensuse.org
- Use readline (current) instead of readline5:
+ Replace readline5-devel BuildRequires with readline-devel.
-------------------------------------------------------------------
Mon Jan 23 16:35:52 UTC 2017 - i@marguerite.su
- fix boo#1021353: ocserv randomly misbuilds man pages
- add patch: boo1021353-ocserv-doc-racing-in-parallel-build.patch
* occtl and ocpasswd are both built from args.def, which
will cause a racing problem in parallel builds that autogen
write contents randomly. fixed by adding a prefix to make
them different in filename.
-------------------------------------------------------------------
Wed Dec 21 10:59:26 UTC 2016 - i@marguerite.su
- update version 0.11.6
* cserv: Improved detection of mobile clients
* ocserv: Update the worker's ID on Radius accounting messages.
That is, even if we initially advertize the ID of the worker
handling the client as NAS-Port, the client may eventually end-up
being served by another process with different ID. In that case we make
sure that the radius server is notified on the next accounting message.
If you are using radius see doc/README.radius.md about NAS-Port, since
that behavior may cause issues in freeradius installations.
* ocserv: Added config option 'switch-to-tcp-timeout'. That allows an
automatic switch to TCP in case of no received UDP traffic for
certain time
* ocserv: Pre-load the OCSP response file; that way worker processes can
serve it, even if they have no access to it.
* ocserv: When compiled with GnuTLS 3.5.6 automatically set DH
parameters from the known set.
-------------------------------------------------------------------
Fri Feb 12 14:10:54 UTC 2016 - i@marguerite.su
- update version 0.10.11
* Corrected the reporting of keepalive to occtl.
* Handle clients which send the first request to /VPN
* Prevent a crash in per-user config dir is not available if
expose-iroutes is set to true.
- update license: GPL-2.0
- open ports using ocserv.SuSEfirewall
- enable ip forwarding using ocserv.sysctl
-------------------------------------------------------------------
Thu Jan 7 16:08:58 UTC 2016 - i@marguerite.su
- update version 0.10.10
* Increase the number of log messages logged in the default level.
That is added messages that could be of use to administrators.
* Introduced ipv6-subnet-prefix config option. That option allows
to specify the IPv6 subnet prefix to be given to client. That is,
allow providing the clients networks larger than /128. The default
setting is 128 to keep backwards compatibility.
* Introduced the expose-iroutes config option. That option allows
the server to advertise routes offered by some clients to all of
them. This requires the config-per-user option.
* When a client has assigned iroutes which cannot be applied, he
will be denied access.
* Added restrict-user-to-routes configuration option which will
execute ocserv-fw script on user connection. The script will
set firewall rules which deny the user access to any other
networks than the routes set for the user. This is added as a
tech preview; details of this option may change on later releases.
* When banning IPv6 addresses treat a /64 network as a single address.
* Fixed conflict with isolate-workers and user-profile.
* occtl: Allow disabling the pager functionality on compile time
using --with-pager="".
-------------------------------------------------------------------
Wed Oct 21 11:34:00 UTC 2015 - i@marguerite.su
- update version 0.10.9
* When compiled with GnuTLS 3.4 automatically sort the certificate
list to be imported
* Reload the CRL during periodic maintaince if its modification
time changes
* Address issue with duplicate check failing on IPv6 addresses
* Added the ability to specify a UsersFile in plain auth for using
an OTP
This allows to use an OTP 2nd factor authentication without having
to rely on PAM. This change, also enables the usage of an empty
password field in the password file if an OTP file is present
* Allow loading DER-encoded CRLs
* Re-added the PAM accounting method. That accounting method can
be combined with any authentication method, and can be used to
check for a valid system account
- changes in 0.10.8
* Pass the proxy protocol information at earlier stage to main
process, to allow the correct information to be passed at the
connect script and occtl
* Added the IP_REAL_LOCAL environment variable to scripts. This
passes the local IP the client connected to
* The PAM accounting method was dropped as there was no practical
usage of it, the way it was implemented
* When assigning IPv6 addresses use the whole available netmask
* occtl: Print the local IP the client connected to, with the
client information
* occtl: Print the configured for the client split-dns domains
- changes in 0.10.7
* Added a fuzzying factor to CPU intensive, or radius communication
tasks when initiated by worker process. That avoids a very
high load periodically, e.g., when multiple clients connect
at the same time
* Added support for haproxy's protocol v2 format. That allows
to report the correct client IP even on proxied sessions.
It introduces the configuration option listen-proxy-proto
* occtl: added -n/--no-pager option. That allows to disable
pager explicitly
* occtl: fixed several cases of invalid JSON output
- changes in 0.10.6
* Transmit packets to the last incoming source, allowing faster
switch of the communication channel
* The worker processes will utilize the UDP socket address
(if any), when reporting peer's address if the listen-clear-file
option is set
* Lifted the limit on the number of configuration options. That
allows to add an "unlimited" number of 'route' options
* Support encrypted key files. That adds the key-pin and srk-pin
configuration options
* The dbus communication option has been dropped
* Radius: depend on radcli radius library
* occtl: added -j/--json option. That allows to output in a
JSON format
-------------------------------------------------------------------
Mon Jun 8 13:51:18 UTC 2015 - i@marguerite.su
- set isolated-workers to false since we didn't build w/ seccomp yet
- change systemd socket ports as well
-------------------------------------------------------------------
Sun Jun 7 04:47:47 UTC 2015 - i@marguerite.su
- update version 0.10.5
* Added tgt-freshness-time option for gssapi/Kerberos authentication
option. That allows to specify the maximum number of seconds after
which a reauthentication with Kerberos is required to login to VPN.
* main/sec-mod: impose long timeouts on reads from sec-mod. That
would prevent issues when reading in a blocked in authentication
sec-mod.
* radius: When using radius accounting with certificate
authentication, properly notify of user session termination.
* radius: On definitely terminated sessions contact the radius server
as soon as possible. For sessions that can still be resumed the
radius server is contacted periodically after the cookies expire.
* radius: consider Acct-Interim-Interval when seen by the server.
That will be taken into account if groupconfig=true in radius
subconfig.
* Added configuration options persistent-cookies and session-timeout.
* radius: added support for Route-IPv6-Information,
Delegated-IPv6-Prefix, NAS-IPv6-Address, NAS-IP-Address,
Session-Timeout.
* Corrected desync of main and sec-mod by introducing a synchronous
communication socket. Reported by Mani Behrouz.
* PAM: forward the actual prompt to worker process, and not only
informational messages.
- drop ocserv-str_init.patch, upstream fixed.
-------------------------------------------------------------------
Fri Feb 13 11:28:14 UTC 2015 - i@marguerite.su
- add user.tmpl, for certificate login
- tweak default config more
- add README.SUSE as setup instructions
-------------------------------------------------------------------
Mon Feb 2 10:04:45 UTC 2015 - i@marguerite.su
- initial version 0.9.0.1
* Added native support for radius. That adds the new auth
configuration option "radius", which has as parameters
the freeradius-client configuration file and optionally
the groupconfig option which instructs to read
configuration from radius; the stats-report-time option
enables interim-updates. That adds the dependency to
freeradius-client (see doc/README.radius).
* Reply using the same address that received UDP packets
are sent.
* Simplify the input of IPv6 network addresses.
* Use a separate IPC and PID namespace in Linux systems
for worker processes. That effectively puts each worker
process in a separate container. This can be enabled at
compile time using --enable-linux-namespaces.
* Configuration option 'use-seccomp' was replaced by
'isolate-workers', which in addition to seccomp it enables
the Linux namespaces restrictions.
* Added support for stateless compression using LZ4 and LZS.
This is disabled by default.
- disable dbus interface because currently it provides less
function than unix socket
- add patch: ocserv-str_init.patch
- add patch: ocserv-enable-systemd.patch
- add patch: ocserv.config.patch

54
ocserv.config.patch Normal file
View File

@ -0,0 +1,54 @@
diff --git a/doc/sample.config b/doc/sample.config
index 4c8c8c6..7a4697f 100644
--- a/doc/sample.config
+++ b/doc/sample.config
@@ -48,7 +48,7 @@
#auth = "pam"
#auth = "pam[gid-min=1000]"
#auth = "plain[passwd=./sample.passwd,otp=./sample.otp]"
-auth = "plain[passwd=./sample.passwd]"
+auth = "plain[passwd=/etc/ocserv/ocpasswd]"
#auth = "certificate"
#auth = "radius[config=/etc/radiusclient/radiusclient.conf,groupconfig=true]"
@@ -90,8 +90,8 @@ auth = "plain[passwd=./sample.passwd]"
# listen-netns = "foo"
# TCP and UDP port number
-tcp-port = 443
-udp-port = 443
+tcp-port = 9000
+udp-port = 9001
# The user the worker processes will be run as. This should be a dedicated
# unprivileged user (e.g., 'ocserv') and no other services should run as this
@@ -126,9 +126,8 @@ socket-file = /var/run/ocserv-socket
#server-cert = /etc/ocserv/server-cert.pem
#server-key = /etc/ocserv/server-key.pem
-server-cert = ../tests/certs/server-cert.pem
-server-key = ../tests/certs/server-key.pem
-
+server-cert = /etc/ocserv/certificates/server-cert.pem
+server-key = /etc/ocserv/certificates/server-key.pem
# Diffie-Hellman parameters. Only needed if for old (pre 3.6.0
# versions of GnuTLS for supporting DHE ciphersuites.
# Can be generated using:
@@ -154,7 +153,7 @@ server-key = ../tests/certs/server-key.pem
# client certificates (public keys) if certificate authentication
# is set.
#ca-cert = /etc/ocserv/ca.pem
-ca-cert = ../tests/certs/ca.pem
+ca-cert = /etc/ocserv/certificates/ca-cert.pem
# The number of sub-processes to use for the security module (authentication)
# processes. Typically this should not be set as the number of processes
@@ -249,7 +248,7 @@ mobile-dpd = 1800
switch-to-tcp-timeout = 25
# MTU discovery (DPD must be enabled)
-try-mtu-discovery = false
+try-mtu-discovery = true
# To enable load-balancer connection draining, set server-drain-ms to a value
# higher than your load-balancer health probe interval.

7
ocserv.firewalld.xml Normal file
View File

@ -0,0 +1,7 @@
<?xml version="1.0" encoding="utf-8"?>
<service>
<short>ocserv</short>
<description>open ports for ocserv vpn service</description>
<port port="9000" protocol="tcp"/>
<port port="9001" protocol="udp"/>
</service>

159
ocserv.spec Normal file
View File

@ -0,0 +1,159 @@
#
# spec file for package ocserv
#
# Copyright (c) 2024 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
# Please submit bugfixes or comments via https://bugs.opensuse.org/
#
Name: ocserv
Version: 1.3.0
Release: 0
Summary: OpenConnect VPN Server
License: GPL-2.0-only
Group: Productivity/Networking/Security
URL: https://ocserv.gitlab.io/www/
#Git-Clone: https://gitlab.com/openconnect/ocserv.git
Source: ftp://ftp.infradead.org/pub/ocserv/%{name}-%{version}.tar.xz
Source1: ftp://ftp.infradead.org/pub/ocserv/%{name}-%{version}.tar.xz.sig
Source2: ca.tmpl
Source3: server.tmpl
Source4: user.tmpl
Source5: ocserv-forwarding.sh
Source6: ocserv.firewalld.xml
Source99: README.SUSE
Source100: gpgkey-1F42418905D8206AA754CCDC29EE58B996865171.gpg
#PATCH-FIX-UPSTREAM marguerite@opensuse.org $LIBSYSTEMD_DAEMON env is not set on openSUSE
Patch1: %{name}-enable-systemd.patch
#PATCH-FIX-UPSTREAM marguerite@opensuse.org tweak configuration
Patch2: %{name}.config.patch
#PATCH-FIX-OPENSUSE marguerite@opensuse.org leap doesn't have LZ4_compress_default
Patch3: %{name}-LZ4_compress_default.patch
BuildRequires: autogen
BuildRequires: dbus-1-devel
BuildRequires: firewall-macros
BuildRequires: freeradius-client-devel
BuildRequires: gperf
BuildRequires: gpg2
BuildRequires: ipcalc
BuildRequires: libev-devel
#!BuildIgnore: libevent-devel
BuildRequires: /usr/bin/ronn
BuildRequires: libgnutls-devel >= 3.1.10
BuildRequires: liblz4-devel
BuildRequires: libmaxminddb-devel
BuildRequires: libnl3-devel
BuildRequires: libprotobuf-c-devel
BuildRequires: libseccomp-devel
BuildRequires: libtalloc-devel
BuildRequires: libtool
BuildRequires: pam-devel
BuildRequires: pkgconfig
BuildRequires: protobuf-c
BuildRequires: readline-devel
BuildRequires: pkgconfig(liboath)
BuildRequires: pkgconfig(libsystemd)
# /usr/bin/certtool for generating certificates
Requires: gnutls >= 3.1.10
%{?systemd_requires}
%description
OpenConnect server (ocserv) is an SSL VPN server. Its purpose is to
be a secure, small, fast and configurable VPN server. It implements
the OpenConnect SSL VPN protocol, and has also (currently experimental)
compatibility with clients using the AnyConnect SSL VPN protocol.
The OpenConnect protocol provides a dual TCP/UDP VPN channel, and
uses the standard IETF security protocols to secure it. The server
is implemented primarily for the GNU/Linux platform but its code
is designed to be portable to other UNIX variants as well.
Ocserv's main features are security through privilege separation
and sandboxing, accounting, and resilience due to a combined use
of TCP and UDP. Authentication occurs in an isolated security
module process, and each user is assigned an unprivileged worker
process, and a networking (tun) device. That not only eases the
control of the resources of each user or group of users, but also
prevents data leak (e.g., heartbleed-style attacks), and privilege
escalation due to any bug on the VPN handling (worker) process.
A management interface allows for viewing and querying logged-in users.
%prep
%autosetup -p1
%build
autoreconf -fiv
%configure --enable-systemd \
--enable-seccomp \
--disable-rpath \
--enable-local-libopts \
--enable-libopts-install
make V=1 %{?_smp_mflags}
%install
make %{?_smp_mflags} DESTDIR=%{buildroot} install
install -Dm 0755 %{SOURCE5} %{buildroot}%{_sbindir}/ocserv-forwarding
install -D -m 644 %{SOURCE6} %{buildroot}%{_prefix}/lib/firewalld/services/ocserv.xml
install -d %{buildroot}%{_sysconfdir}/ocserv/certificates
install -m 0644 %{SOURCE2} %{buildroot}%{_sysconfdir}/ocserv/certificates
install -m 0644 %{SOURCE3} %{buildroot}%{_sysconfdir}/ocserv/certificates
install -m 0644 %{SOURCE4} %{buildroot}%{_sysconfdir}/ocserv/certificates
install -m 0644 %{SOURCE99} %{buildroot}%{_sysconfdir}/ocserv/
install -m 0644 doc/sample.config %{buildroot}%{_sysconfdir}/ocserv/ocserv.conf
install -m 0644 doc/sample.passwd %{buildroot}%{_sysconfdir}/ocserv/ocpasswd
install -m 0755 doc/scripts/ocserv-script %{buildroot}%{_bindir}
install -d %{buildroot}%{_unitdir}
# if --with-dubs, here should be "standalone"
install -m 0644 doc/systemd/socket-activated/ocserv.socket %{buildroot}%{_unitdir}
install -m 0644 doc/systemd/socket-activated/ocserv.service %{buildroot}%{_unitdir}
sed -i '/^\[Service\].*/a ExecStopPost=%{_sbindir}/ocserv-forwarding --disable' %{buildroot}%{_unitdir}/ocserv.service
sed -i '/^\[Service\].*/a ExecStartPre=%{_sbindir}/ocserv-forwarding --enable' %{buildroot}%{_unitdir}/ocserv.service
%pre
%service_add_pre ocserv.service ocserv.socket
%post
%service_add_post ocserv.service ocserv.socket
%firewalld_reload
%preun
%service_del_preun ocserv.service ocserv.socket
%postun
%service_del_postun ocserv.service ocserv.socket
%files
%defattr(-,root,root)
%doc AUTHORS NEWS README.md
%license COPYING
%config %{_sysconfdir}/ocserv
%dir %{_prefix}/lib/firewalld
%dir %{_prefix}/lib/firewalld/services
%{_prefix}/lib/firewalld/services/ocserv.xml
%{_bindir}/occtl
%{_bindir}/ocpasswd
%{_bindir}/ocserv-script
%{_libexecdir}/ocserv-fw
%{_sbindir}/ocserv
%{_sbindir}/ocserv-forwarding
%{_sbindir}/ocserv-worker
%{_unitdir}/ocserv.service
%{_unitdir}/ocserv.socket
%{_mandir}/man8/occtl.8%{ext_man}
%{_mandir}/man8/ocpasswd.8%{ext_man}
%{_mandir}/man8/ocserv.8%{ext_man}
%changelog

6
server.tmpl Normal file
View File

@ -0,0 +1,6 @@
cn = "Your hostname or IP"
organization = "opensuse"
expiration_days = 3650
signing_key
encryption_key
tls_www_server

5
user.tmpl Normal file
View File

@ -0,0 +1,5 @@
cn = "opensuse"
unit = "opensuse"
expiration_days = 365
signing_key
tls_www_client