OpenConnect: Difference between revisions

Run commands as root/sudo

apt-get install software-properties-common
add-apt-repository ppa:certbot/certbot
apt-get update
apt-get install certbot

certbot certonly --standalone --preferred-challenges tls-sni -d {domain.tld} 
certbot certonly --standalone -d {domain.tld}
apt-get install ocserv

• /etc/ocserv/ocserv.conf

auth = "plain[/etc/ocserv/ocpasswd]"
tcp-port = 443
udp-port = 443
run-as-user = nobody
run-as-group = daemon
socket-file = /var/run/ocserv-socket
server-cert = /etc/letsencrypt/live/{domain.tld}/fullchain.pem
server-key = /etc/letsencrypt/live/{domain.tld}/privkey.pem
max-clients = 8
max-same-clients = 0
try-mtu-discovery = true
device = vpns
ipv4-network = 192.168.91.0/28
dns = 8.8.8.8
cisco-client-compat = true

ocpasswd -c /etc/ocserv/ocpasswd MYUSER

systemctl restart ocserv

iptables -t nat -A POSTROUTING -s 192.168.91.0/28 -j SNAT --to-source X.X.X.X(Server Public IP)
iptables -t nat -A POSTROUTING -j MASQUERADE

apt-get install iptables-persistent

/etc/init.d/netfilter-persistent reload

• /etc/sysctl.conf

net.ipv4.ip_forward=1

sysctl -p

• Auto renew update

Edit /etc/cron.d/certbot and append this to the end of the certbot command

--standalone --pre-hook "service ocserv stop" --post-hook "service ocserv start"

or add to crontab as root

@monthly /usr/bin/certbot renew --standalone --pre-hook "service ocserv stop" --post-hook "service ocserv start"

Build It

cd /opt
wget -4 ftp://ftp.infradead.org/pub/ocserv/ocserv-0.12.1.tar.xz

apt-get install pkg-config nettle-dev libgnutls28-dev libev-dev libgeoip-dev libwrap0-dev liblz4-dev \
libnss-wrapper libpam-wrapper libsocket-wrapper libreadline-dev libnl-3-dev libnl-route-3-dev libpam0g-dev libseccomp-dev

./configure
make

SNIPROXY

• /etc/sniproxy.conf

listener 0.0.0.0:443 {
   protocol tls
   table TableName

   #we set fallback to be ocserv as older versions of openconnect 
   #don't advertise the hostname they connect to.
   fallback 127.0.0.1:4443
}

table TableName {
   # Match exact request hostnames
   vpn.example.com 127.0.0.1:4443
   www.example.com 127.0.0.1:4444
   .*\\.com    127.0.0.1:4444
}

GROUPS

ocpasswd -c /path/to/passwd/file -g "full,split" username
echo "route = default" > /etc/ocserv/config-per-group/full
echo "route = 192.168.0.0/24" > /etc/ocserv/config-per-group/split

Edit ocserv.conf

select-group = split
select-group = full[full]
auto-select-group = false
config-per-group = /etc/ocserv/config-per-group/

EXAMPLE CONFIG

auth = "plain[passwd=/etc/ocserv/ocpasswd]"
tcp-port = 4443
udp-port = 4443
run-as-user = nobody
run-as-group = daemon
socket-file = /var/run/ocserv-socket
server-cert = /etc/letsencrypt/live/domain.com/fullchain.pem
server-key = /etc/letsencrypt/live/domain.com/privkey.pem
ca-cert = /etc/ssl/certs/ssl-cert-snakeoil.pem
isolate-workers = true
max-clients = 16
max-same-clients = 2
listen-proxy-proto = true
keepalive = 32400
dpd = 90
mobile-dpd = 1800
try-mtu-discovery = true
cert-user-oid = 0.9.2342.19200300.100.1.1
tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-VERS-SSL3.0"
auth-timeout = 240
min-reauth-time = 3
max-ban-score = 0
ban-reset-time = 300
cookie-timeout = 300
deny-roaming = false
rekey-time = 172800
rekey-method = ssl
use-utmp = true
use-occtl = true
pid-file = /var/run/ocserv.pid
device = vpns
predictable-ips = true
default-domain = hurlster.com
ipv4-network = 192.168.91.0
ipv4-netmask = 255.255.255.0
dns = 192.168.0.1
ping-leases = false
route = default
select-group = split
select-group = full[full]
auto-select-group = false
config-per-group = /etc/ocserv/config-per-group/
cisco-client-compat = true
dtls-legacy = true