forked from pool/ocserv
08902fbc93
- Update to version 1.1.2
* Allow setup of new DTLS session concurrent with old session.
* Fixed an infinite loop on sec-mod crash when server-drain-ms
is set.
* Don't apply BanIP checks to clients on the same subnet.
* Don't attempt TLS if the client closes the connection with
zero data sent.
* Increased the maximum configuration line; this allows banner
messages longer than 200 characters.
* Removed the listen-clear-file config option. This option was
incompatible with several clients, and thus is unusable for a
generic server.
- Update to version 1.1.1:
* Improved rate-limit-ms and made it dependent on secmod backlog.
This makes the server more resilient (and prevents connection
failures) on multiple concurrent connections
- Added namespace support for listen address by introducing the
listen-netns option.
- Disable TLS1.3 when cisco client compatibility is enabled. New
anyconnect clients seem to supporting TLS1.3 but are unable to
handle a client with an RSA key.
- Enable a race free user disconnection via occtl.
- Added the config option of a pre-login-banner.
- Ocserv siwtched to using multiple ocserv-sm processes to
improve scale, with the number of ocserv-sm process dependent
on maximum clients and number of CPUs. Configuration option
sec-mod-scale can be used to override the heuristics.
- Fixed issue with group selection on radius servers sending
multiple group class attribute.
OBS-URL: https://build.opensuse.org/request/show/853618
OBS-URL: https://build.opensuse.org/package/show/network:vpn/ocserv?expand=0&rev=37
|
||
|---|---|---|
| .gitattributes | ||
| .gitignore | ||
| ca.tmpl | ||
| gpgkey-1F42418905D8206AA754CCDC29EE58B996865171.gpg | ||
| ocserv-1.1.2.tar.xz | ||
| ocserv-1.1.2.tar.xz.sig | ||
| ocserv-enable-systemd.patch | ||
| ocserv-LZ4_compress_default.patch | ||
| ocserv.changes | ||
| ocserv.config.patch | ||
| ocserv.firewalld.xml | ||
| ocserv.spec | ||
| ocserv.sysctl | ||
| README.SUSE | ||
| server.tmpl | ||
| user.tmpl | ||
## Setup AnyConnect VPN w/ ocserv ### What is Cisco Anyconnect? What is ocserv? Cisco Anyconnect is an enterprise VPN first launched by Cisco. The open source technology behind is OpenConnect. It uses UDP DTLS (Datagram Transport Layer Security) to encrypt traffic during regular times, and uses TCP TLS for reconnect when offline. So it's more stable then other types of VPN, and massively used by big multinational companys which make it unlikely to be overkilled. With its rare scale among individuals, it's less likely to attract blockage. ### Initialization After getting ocserv installed through zypper/YaST, you need to edit /etc/ocserv/certificates/server.tmpl. Change: cn = "Your hostname or IP" to the real one. You can /sbin/ifconfig -a to check yours. #### Generate Certificates cd /etc/ocserv/certificates sudo certtool --generate-privkey --outfile ca-key.pem sudo certtool --generate-self-signed --load-privkey ca-key.pem --template ca.tmpl --outfile ca-cert.pem sudo certtool --generate-privkey --outfile server-key.pem sudo certtool --generate-certificate --load-privkey server-key.pem --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem --template server.tmpl --outfile server-cert.pem #### Generate passwd file sudo ocpasswd -c /etc/ocserv/ocpasswd your_username_wanted The later "your_username_wanted" is left for you. Then log your chosen passwords twice. #### Shutdown SUSEFirewall2 through YaST Because I don't know how to convert iptables rules to SUSEFirewall2 ones. If you can help me, please fork this package and submit back. #### Set iptables rules sudo /sbin/iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE sudo /sbin/iptables -A FORWARD -s 192.168.1.0/24 -j ACCEPT The 9000/9001 ports, IP range 192.168.1.0/24 are default ones, you can change them in /etc/ocserv/ocserv.conf Warning: Your eth0 may not exist, you can ifconfig -a to find yours. #### Test sudo /sbin/ocserv -f -d 1 #### Enable systemd services sudo systemctl enable ocserv.service sudo systemctl start ocserv.service ### Client Cert Login sudo certtool --generate-privkey --outfile user-key.pem sudo certtool --generate-certificate --load-privkey user-key.pem --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem --template user.tmpl --outfile user-cert.pem #### Change ocserv.conf Change: #auth = "certificate" auth = "plain[/etc/ocserv/ocpasswd]" To: auth = "certificate" #auth = "plain[/etc/ocserv/ocpasswd]" And comment: #listen-clear-file = /var/run/ocserv-conn.socket And uncomment: ca-cert = /etc/ocserv/certificates/ca-cert.pem Restart service: sudo systemctl restart ocserv.service #### Generate pk12 file for iOS openssl pkcs12 -export -inkey user-key.pem -in user-cert.pem -certfile ca-cert.pem -out user.p12 ### Client Connection Remember to set the server address to xxx.xxx.xxx.xxx:your_port, eg: opensuse.org:9000 #### iOS Search "anyconnect" in App Store. Either type username/password manually or import the pk12 file (You can put the later on your download server) #### Linux Install NetworkManager-openconnect, also plasma-nm-openconnect if you're under KDE. Support certificate login only. You need your ca-cert.pem, user-cert.pem and user-key.pem. #### Android Search "AnyConnect", "SmoothConnect" or "OpenConnect" in Google Play.