OpenConnect: Difference between revisions

(Created page with "Run commands as root/sudo add-apt-repository ppa:certbot/certbot apt-get update apt-get install certbot certbot certonly --standalone --preferred-challenges tls-sni -d ''...")
 
 
(12 intermediate revisions by the same user not shown)
Line 1: Line 1:
Run commands as root/sudo
Run commands as root/sudo
apt-get install software-properties-common
  add-apt-repository ppa:certbot/certbot
  add-apt-repository ppa:certbot/certbot
  apt-get update
  apt-get update
  apt-get install certbot
  apt-get install certbot


  certbot certonly --standalone --preferred-challenges tls-sni -d '''{domain.tld}'''
  ''certbot certonly --standalone --preferred-challenges tls-sni -d '''{domain.tld}''' ''
 
certbot certonly --standalone -d '''{domain.tld}'''
  apt-get install ocserv
  apt-get install ocserv
* /etc/ocserv/ocserv.conf
* /etc/ocserv/ocserv.conf
Line 39: Line 40:


  sysctl -p
  sysctl -p
* Auto renew update
Edit ''/etc/cron.d/certbot'' and append this to the end of the certbot command
--standalone --pre-hook "service ocserv stop" --post-hook "service ocserv start"
or add to crontab as root
@monthly /usr/bin/certbot renew --standalone --pre-hook "service ocserv stop" --post-hook "service ocserv start"
== Build It ==
cd /opt
wget -4 ftp://ftp.infradead.org/pub/ocserv/ocserv-0.12.1.tar.xz
apt-get install pkg-config nettle-dev libgnutls28-dev libev-dev libgeoip-dev libwrap0-dev liblz4-dev \
libnss-wrapper libpam-wrapper libsocket-wrapper libreadline-dev libnl-3-dev libnl-route-3-dev libpam0g-dev libseccomp-dev
./configure
make
== SNIPROXY ==
* /etc/sniproxy.conf
listener 0.0.0.0:443 {
    protocol tls
    table TableName
    #we set fallback to be ocserv as older versions of openconnect
    #don't advertise the hostname they connect to.
    fallback 127.0.0.1:4443
}
table TableName {
    # Match exact request hostnames
    vpn.example.com 127.0.0.1:4443
    www.example.com 127.0.0.1:4444
    .*\\.com    127.0.0.1:4444
}
== GROUPS ==
ocpasswd -c /path/to/passwd/file -g "full,split" username
echo "route = default" > /etc/ocserv/config-per-group/full
echo "route = 192.168.0.0/24" > /etc/ocserv/config-per-group/split
Edit ocserv.conf
select-group = split
select-group = full[full]
auto-select-group = false
config-per-group = /etc/ocserv/config-per-group/
== EXAMPLE OCSERV CONFIG ==
<pre>
auth = "plain[passwd=/etc/ocserv/ocpasswd]"
tcp-port = 4443
udp-port = 4443
run-as-user = nobody
run-as-group = daemon
socket-file = /var/run/ocserv-socket
server-cert = /etc/letsencrypt/live/domain.com/fullchain.pem
server-key = /etc/letsencrypt/live/domain.com/privkey.pem
ca-cert = /etc/ssl/certs/ssl-cert-snakeoil.pem
isolate-workers = true
max-clients = 16
max-same-clients = 2
listen-proxy-proto = true
keepalive = 32400
dpd = 90
mobile-dpd = 1800
try-mtu-discovery = true
cert-user-oid = 0.9.2342.19200300.100.1.1
tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-VERS-SSL3.0"
auth-timeout = 240
min-reauth-time = 3
max-ban-score = 0
ban-reset-time = 300
cookie-timeout = 300
deny-roaming = false
rekey-time = 172800
rekey-method = ssl
use-utmp = true
use-occtl = true
pid-file = /var/run/ocserv.pid
device = vpns
predictable-ips = true
default-domain = domain.com
ipv4-network = 192.168.91.0
ipv4-netmask = 255.255.255.0
dns = 192.168.0.1
ping-leases = false
route = default
select-group = split
select-group = full[full]
auto-select-group = false
config-per-group = /etc/ocserv/config-per-group/
cisco-client-compat = true
dtls-legacy = true
</pre>
== EXAMPLE HAPROXY CONFIG ==
<pre>
frontend HTTPS-IN
        bind                    0.0.0.0:443 name 0.0.0.0:443 
        mode                    tcp
        log                    global
        option                  log-separate-errors
        option                  tcplog
        timeout client          30000
        tcp-request inspect-delay 5s
        tcp-request content accept if { req.ssl_hello_type 1 }
        acl                    host_areus      req_ssl_sni -i host.domain.com
        use_backend AREUS-HTTPS_ipvANY  if  host_areus
        default_backend OCSERV-SSL_ipvANY
backend AREUS-HTTPS_ipvANY
        mode                    tcp
        id                      107
        log                    global
        timeout connect        30000
        timeout server          30000
        retries                3
        server                  AREUS-HTTPS 192.168.0.254:443 id 108 
backend OCSERV-SSL_ipvANY
        mode                    tcp
        id                      105
        log                    global
        timeout connect        30000
        timeout server          30000
        retries                3
        option ssl-hello-chk
        server                  AREUS-OCSERV 192.168.0.254:4443 id 106  send-proxy-v2
</pre>


[[Category:Linux]]
[[Category:Linux]]
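Review bot: The EXAMPLE OCSERV CONFIG block sets `max-ban-score = 0` and `min-reauth-time = 3`, which together switch off ocserv's failed-login banning and cut the post-failure delay to three seconds on a password-authenticated service that the HAProxy frontend exposes on 0.0.0.0:443 as its default backend. Because that backend uses `send-proxy-v2` and the config has `listen-proxy-proto = true`, ocserv sees real client addresses, so banning would not lock out every user behind the proxy; keeping the defaults, or at least a comment such as `# banning disabled deliberately: <reason>` above those two lines, would make the intent reviewable. Relatedly, `option ssl-hello-chk` in the OCSERV-SSL backend has no effect because the `server AREUS-OCSERV` line carries no `check` keyword. This rendered diff does not mark old/new sides, so the remarks apply to the text as it stands in the newer revision.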

Latest revision as of 22:18, 19 February 2019

Run commands as root/sudo

# Certbot from its PPA (the distribution package may lag behind).
apt-get install software-properties-common
add-apt-repository ppa:certbot/certbot
apt-get update
apt-get install certbot
# Superseded: the tls-sni challenge type has been withdrawn by Let's Encrypt,
# so this invocation no longer succeeds; it is kept for reference only and the
# line after it is the one to run. --standalone binds the challenge port
# itself, so anything already listening there (ocserv, sniproxy, haproxy)
# has to be stopped for the duration of the issuance.
certbot certonly --standalone --preferred-challenges tls-sni -d {domain.tld} 
# Current form; without --preferred-challenges certbot picks the challenge
# itself (typically http-01 on port 80).
certbot certonly --standalone -d {domain.tld}
apt-get install ocserv
  • /etc/ocserv/ocserv.conf
# Minimal /etc/ocserv/ocserv.conf — ocserv listens on 443 directly in this
# variant (no proxy in front). ocserv treats # as a comment marker.
# Password file created with ocpasswd further down. The fuller example on this
# page spells this "plain[passwd=...]"; NOTE(review): which spelling a given
# ocserv version accepts should be checked against its shipped sample config.
auth = "plain[/etc/ocserv/ocpasswd]"
tcp-port = 443
udp-port = 443
run-as-user = nobody
run-as-group = daemon
socket-file = /var/run/ocserv-socket
# Let's Encrypt paths. The private key under /etc/letsencrypt/live is root-only;
# presumably it is loaded by the privileged parent before workers drop to
# run-as-user — verify if ocserv logs a permission error here.
server-cert = /etc/letsencrypt/live/{domain.tld}/fullchain.pem
server-key = /etc/letsencrypt/live/{domain.tld}/privkey.pem
max-clients = 8
# Per-user session cap. In ocserv's sample config 0 means unlimited, so one
# leaked password can open as many sessions as max-clients allows — confirm
# that this is intended.
max-same-clients = 0
try-mtu-discovery = true
device = vpns
# /28 = 14 usable client addresses, enough for max-clients = 8.
ipv4-network = 192.168.91.0/28
# Public resolver pushed to every client; every VPN DNS query leaves the
# network. Point this at an internal resolver if that is not wanted.
dns = 8.8.8.8
cisco-client-compat = true
# Nothing sets ban-score or reauth timing here, so they keep the daemon defaults.
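# Create the password file referenced by auth = "plain[...]" and add the
# first user (ocpasswd prompts for the password).
ocpasswd -c /etc/ocserv/ocpasswd MYUSER
systemctl restart ocserv
# NAT for the VPN subnet. Replace X.X.X.X with the server's public address.
# SNAT suits a static public IP; MASQUERADE picks up the outgoing interface's
# address each time. Both rules are limited to the VPN subnet so that, once
# ip_forward is enabled, the host does not NAT arbitrary forwarded traffic
# from elsewhere (the previous catch-all MASQUERADE did).
iptables -t nat -A POSTROUTING -s 192.168.91.0/28 -j SNAT --to-source X.X.X.X
iptables -t nat -A POSTROUTING -s 192.168.91.0/28 -j MASQUERADE
# Persist the rules across reboots. The package's install prompt offers to
# save the rules currently loaded; if that was declined, run
# "netfilter-persistent save" first, because reload only re-applies the
# saved rule files.
apt-get install iptables-persistent
/etc/init.d/netfilter-persistent reload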
  • /etc/sysctl.conf
# Allow the kernel to route packets between the vpns device and the other
# interfaces (the POSTROUTING rules above then NAT the VPN subnet).
net.ipv4.ip_forward=1
# Apply /etc/sysctl.conf to the running kernel without a reboot.
sysctl -p
  • Auto renew update

Edit /etc/cron.d/certbot and append this to the end of the certbot command

--standalone --pre-hook "service ocserv stop" --post-hook "service ocserv start"

or add to crontab as root

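# Root crontab entry. "certbot renew" only renews certificates that are close
# to expiry, and the pre/post hooks run only when a renewal is actually
# attempted, so ocserv is not restarted on every run. Running daily leaves
# many retry opportunities; a monthly run could leave a single attempt inside
# the renewal window, with no retry before the certificate expires.
# The hooks free port 443 for the standalone authenticator; if the challenge
# in use only needs port 80, check whether stopping ocserv is still required.
# NOTE(review): where the packaged certbot timer is active, hand edits to
# /etc/cron.d/certbot may be ignored; the renewal-hooks directories under
# /etc/letsencrypt are a way to attach the hooks without a custom cron line.
@daily /usr/bin/certbot renew --standalone --pre-hook "service ocserv stop" --post-hook "service ocserv start"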

Build It

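# Build ocserv from source (alternative to the packaged ocserv above).
cd /opt
# Plain FTP download — no transport integrity. If the project publishes a
# detached signature next to the tarball, verify it before building.
wget -4 ftp://ftp.infradead.org/pub/ocserv/ocserv-0.12.1.tar.xz
# Build dependencies (Debian/Ubuntu package names).
apt-get install pkg-config nettle-dev libgnutls28-dev libev-dev libgeoip-dev libwrap0-dev liblz4-dev \
libnss-wrapper libpam-wrapper libsocket-wrapper libreadline-dev libnl-3-dev libnl-route-3-dev libpam0g-dev libseccomp-dev
# Unpack and enter the source tree; ./configure is in the tree, not in /opt.
tar xf ocserv-0.12.1.tar.xz
cd ocserv-0.12.1
./configure
make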

SNIPROXY

  • /etc/sniproxy.conf
# /etc/sniproxy.conf — routes incoming TLS on 443 by the ClientHello's SNI.
# TLS is not terminated here (no certificate or key in this file); only the
# hostname in the ClientHello is inspected.
listener 0.0.0.0:443 {
   protocol tls
   table TableName

   #we set fallback to be ocserv as older versions of openconnect 
   #don't advertise the hostname they connect to.
   # Consequence: every client that omits SNI lands on the VPN port, so ocserv
   # still receives unauthenticated traffic from anywhere.
   # Nothing here sends the PROXY protocol to 127.0.0.1:4443, so ocserv sees
   # 127.0.0.1 as every client's address; an ocserv config with
   # listen-proxy-proto = true (as in the example further down) would not
   # pair with this frontend as written.
   fallback 127.0.0.1:4443
}

table TableName {
   # Match exact request hostnames
   vpn.example.com 127.0.0.1:4443
   www.example.com 127.0.0.1:4444
   # Catch-all for any other .com name, sent to the web backend.
   # NOTE(review): sniproxy's own example uses a single backslash (\.);
   # confirm whether the doubled backslash here is intended or a wiki artefact.
   .*\\.com    127.0.0.1:4444
}

GROUPS

# Add a user who belongs to both groups; with auto-select-group = false the
# client is offered the group list at login (see select-group below).
ocpasswd -c /path/to/passwd/file -g "full,split" username
# One file per group under config-per-group, holding the route(s) pushed to
# members: everything for "full", only the 192.168.0.0/24 LAN for "split".
# The directory must exist before the redirects write into it.
echo "route = default" > /etc/ocserv/config-per-group/full
echo "route = 192.168.0.0/24" > /etc/ocserv/config-per-group/split

Edit ocserv.conf

# Groups offered to the client at login. The bracketed part of "full[full]"
# is the description shown in the client's group menu.
select-group = split
select-group = full[full]
# false: the user chooses a group rather than being placed automatically in
# one they belong to.
auto-select-group = false
# Directory holding the per-group route files created above.
config-per-group = /etc/ocserv/config-per-group/

EXAMPLE OCSERV CONFIG

# Fuller /etc/ocserv/ocserv.conf, meant to sit behind the HAProxy frontend
# shown further down (see listen-proxy-proto). ocserv treats # as a comment.
auth = "plain[passwd=/etc/ocserv/ocpasswd]"
# Internal ports; HAProxy forwards TCP 443 to 4443. With listen-proxy-proto
# = true this TCP port must be reachable only from the proxy: anyone who can
# connect to it directly could assert an arbitrary client address in a forged
# PROXY header. The HAProxy config is TCP-only, so UDP 4443 (DTLS) is reached
# directly and is not covered by the PROXY protocol.
tcp-port = 4443
udp-port = 4443
run-as-user = nobody
run-as-group = daemon
socket-file = /var/run/ocserv-socket
server-cert = /etc/letsencrypt/live/domain.com/fullchain.pem
server-key = /etc/letsencrypt/live/domain.com/privkey.pem
# Debian's self-signed placeholder certificate. It only matters for client
# certificate verification, which password-only auth does not use; it is
# not a real CA and should not be treated as one.
ca-cert = /etc/ssl/certs/ssl-cert-snakeoil.pem
isolate-workers = true
max-clients = 16
max-same-clients = 2
# Expect a PROXY-protocol header from the frontend (HAProxy's send-proxy-v2)
# so ocserv logs and bans against real client addresses. NOTE(review):
# confirm how ocserv treats a connection that arrives without the header.
listen-proxy-proto = true
# Seconds.
keepalive = 32400
dpd = 90
mobile-dpd = 1800
try-mtu-discovery = true
# OID used to map a client certificate to a username; inert while auth is
# password-only.
cert-user-oid = 0.9.2342.19200300.100.1.1
# GnuTLS priority string. SSLv3 is excluded explicitly; %COMPAT relaxes
# strictness for older clients. Depending on the GnuTLS version, NORMAL may
# still allow older TLS versions — tighten here if only current clients matter.
tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-VERS-SSL3.0"
auth-timeout = 240
# Seconds a client must wait after a failed login. 3 is very low and, together
# with max-ban-score = 0 below, removes ocserv's throttling of password
# guessing. Since the proxy forwards real client addresses, restoring the
# defaults would not lock out all users behind a single proxy IP.
min-reauth-time = 3
# 0 disables IP banning for repeated failures altogether.
max-ban-score = 0
ban-reset-time = 300
cookie-timeout = 300
deny-roaming = false
# Seconds (48 h).
rekey-time = 172800
rekey-method = ssl
use-utmp = true
use-occtl = true
pid-file = /var/run/ocserv.pid
device = vpns
# A given user gets the same address each time — handy for firewall rules.
predictable-ips = true
default-domain = domain.com
ipv4-network = 192.168.91.0
ipv4-netmask = 255.255.255.0
# Internal resolver (contrast with 8.8.8.8 in the minimal config above).
dns = 192.168.0.1
ping-leases = false
# Full-tunnel default; the per-group files under config-per-group override it.
route = default
select-group = split
select-group = full[full]
auto-select-group = false
config-per-group = /etc/ocserv/config-per-group/
# Compatibility with Cisco AnyConnect and older OpenConnect clients;
# dtls-legacy re-enables the pre-standard DTLS negotiation those clients use.
cisco-client-compat = true
dtls-legacy = true

EXAMPLE HAPROXY CONFIG

# HAProxy in TCP mode: 443 is split by SNI between a web host and ocserv
# without terminating TLS on the proxy.
frontend HTTPS-IN
        bind                    0.0.0.0:443 name 0.0.0.0:443   
        mode                    tcp
        log                     global
        option                  log-separate-errors
        option                  tcplog
        # Inactivity timeouts are milliseconds (30 s). ocserv's dpd is 90 s,
        # so an idle VPN tunnel may be cut by the proxy before the first DPD
        # probe — raise the client/server timeouts on the VPN path if idle
        # tunnels drop.
        timeout client          30000
        # Hold the connection up to 5 s to read the ClientHello before routing.
        tcp-request inspect-delay 5s
        tcp-request content accept if { req.ssl_hello_type 1 }
        acl                     host_areus      req_ssl_sni -i host.domain.com
        use_backend AREUS-HTTPS_ipvANY  if  host_areus 
        # Everything else, including clients that send no SNI, reaches ocserv.
        default_backend OCSERV-SSL_ipvANY

backend AREUS-HTTPS_ipvANY
        mode                    tcp
        id                      107
        log                     global
        timeout connect         30000
        timeout server          30000
        retries                 3
        server                  AREUS-HTTPS 192.168.0.254:443 id 108  

backend OCSERV-SSL_ipvANY
        mode                    tcp
        id                      105
        log                     global
        timeout connect         30000
        timeout server          30000
        retries                 3
        # Only affects health checks, and the server line below carries no
        # "check" keyword, so this is currently inert. If checks are enabled,
        # confirm that a server with SSLv3 disabled answers the SSLv3 hello.
        option ssl-hello-chk
        # send-proxy-v2 pairs with ocserv's listen-proxy-proto = true so the
        # VPN sees real client addresses. DTLS (UDP 4443) bypasses this proxy.
        server                  AREUS-OCSERV 192.168.0.254:4443 id 106  send-proxy-v2