From 5156cf76c3222aa48efdf7c4e3cea42674398286 Mon Sep 17 00:00:00 2001 From: Alexander Verbovetsky Date: Fri, 2 Feb 2024 08:16:14 +0700 Subject: network/ocserv: Added (OpenConnect VPN). Signed-off-by: Willy Sudiarto Raharjo --- network/ocserv/README | 39 ++ network/ocserv/doinst.sh | 23 ++ network/ocserv/ocserv.SlackBuild | 119 ++++++ network/ocserv/ocserv.conf | 779 +++++++++++++++++++++++++++++++++++++++ network/ocserv/ocserv.info | 10 + network/ocserv/rc.ocserv | 55 +++ network/ocserv/slack-desc | 19 + 7 files changed, 1044 insertions(+) create mode 100644 network/ocserv/README create mode 100644 network/ocserv/doinst.sh create mode 100644 network/ocserv/ocserv.SlackBuild create mode 100644 network/ocserv/ocserv.conf create mode 100644 network/ocserv/ocserv.info create mode 100644 network/ocserv/rc.ocserv create mode 100644 network/ocserv/slack-desc (limited to 'network') diff --git a/network/ocserv/README b/network/ocserv/README new file mode 100644 index 0000000000..82510b0a05 --- /dev/null +++ b/network/ocserv/README @@ -0,0 +1,39 @@ +The OpenConnect VPN server (ocserv) is an open source Linux SSL VPN +server designed for organizations that require a remote access VPN with +enterprise user management and control. It follows the openconnect +protocol and is the counterpart of the openconnect VPN client. It is +also compatible with CISCO's AnyConnect SSL VPN. + +The OpenConnect VPN is less vulnerable to detection than OpenVPN, IPSec, +and WireGuard because it looks like a normal https connection (if udp is +not used). + +The program consists of: + +1. ocserv, the main server application +2. occtl, the server's control tool. A tool which allows one to query + the server for information. +3. ocpasswd, a tool to administer simple password files. + +A user and group "ocserv" must exist prior to running this script. +To create them run as root: + groupadd -g 382 ocserv + useradd -u 382 -g 382 -s /sbin/nologin -M ocserv + + +In order to start ocserv at boot and stop it properly at shutdown, +make sure rc.local and rc.local_shutdown contain the following lines: + + /etc/rc.d/rc.local + ================== + # Start ocserv + if [ -x /etc/rc.d/rc.ocserv ]; then + /etc/rc.d/rc.ocserv start + fi + + /etc/rc.d/rc.local_shutdown + =========================== + # Stop ocserv + if [ -x /etc/rc.d/rc.ocserv ]; then + /etc/rc.d/rc.ocserv stop + fi diff --git a/network/ocserv/doinst.sh b/network/ocserv/doinst.sh new file mode 100644 index 0000000000..1d3e5778f8 --- /dev/null +++ b/network/ocserv/doinst.sh @@ -0,0 +1,23 @@ +config() { + NEW="$1" + OLD="$(dirname $NEW)/$(basename $NEW .new)" + if [ ! -r $OLD ]; then + mv $NEW $OLD + elif [ "$(cat $OLD | md5sum)" = "$(cat $NEW | md5sum)" ]; then + rm $NEW + fi +} + +preserve_perms() { + NEW="$1" + OLD="$(dirname $NEW)/$(basename $NEW .new)" + if [ -e $OLD ]; then + cp -a $OLD ${NEW}.incoming + cat $NEW > ${NEW}.incoming + mv ${NEW}.incoming $NEW + fi + config $NEW +} + +preserve_perms etc/rc.d/rc.ocserv.new +config etc/ocserv/ocserv.conf.new diff --git a/network/ocserv/ocserv.SlackBuild b/network/ocserv/ocserv.SlackBuild new file mode 100644 index 0000000000..0636d788d7 --- /dev/null +++ b/network/ocserv/ocserv.SlackBuild @@ -0,0 +1,119 @@ +#!/bin/bash + +# Slackware build script for ocserv + +# Copyright 2024, Alexander Verbovetsky, Moscow, Russia +# All rights reserved. +# +# Redistribution and use of this script, with or without modification, is +# permitted provided that the following conditions are met: +# +# 1. Redistributions of this script must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# +# THIS SOFTWARE IS PROVIDED BY THE AUTHOR "AS IS" AND ANY EXPRESS OR IMPLIED +# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF +# MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO +# EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, +# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, +# PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; +# OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, +# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR +# OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF +# ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + +cd $(dirname $0) ; CWD=$(pwd) + +PRGNAM=ocserv +VERSION=${VERSION:-1.2.4} +BUILD=${BUILD:-1} +TAG=${TAG:-_SBo} +PKGTYPE=${PKGTYPE:-tgz} + +if [ -z "$ARCH" ]; then + case "$( uname -m )" in + i?86) ARCH=i586 ;; + arm*) ARCH=arm ;; + *) ARCH=$( uname -m ) ;; + esac +fi + +if [ ! -z "${PRINT_PACKAGE_NAME}" ]; then + echo "$PRGNAM-$VERSION-$ARCH-$BUILD$TAG.$PKGTYPE" + exit 0 +fi + +TMP=${TMP:-/tmp/SBo} +PKG=$TMP/package-$PRGNAM +OUTPUT=${OUTPUT:-/tmp} + +if [ "$ARCH" = "i586" ]; then + SLKCFLAGS="-O2 -march=i586 -mtune=i686" + LIBDIRSUFFIX="" +elif [ "$ARCH" = "i686" ]; then + SLKCFLAGS="-O2 -march=i686 -mtune=i686" + LIBDIRSUFFIX="" +elif [ "$ARCH" = "x86_64" ]; then + SLKCFLAGS="-O2 -fPIC" + LIBDIRSUFFIX="64" +elif [ "$ARCH" = "aarch64" ]; then + SLKCFLAGS="-O2 -fPIC" + LIBDIRSUFFIX="64" +else + SLKCFLAGS="-O2" + LIBDIRSUFFIX="" +fi + +set -e + +rm -rf $PKG +mkdir -p $TMP $PKG $OUTPUT +cd $TMP +rm -rf $PRGNAM-$VERSION +tar xvf $CWD/$PRGNAM-$VERSION.tar.xz +cd $PRGNAM-$VERSION +chown -R root:root . +find -L . \ + \( -perm 777 -o -perm 775 -o -perm 750 -o -perm 711 -o -perm 555 \ + -o -perm 511 \) -exec chmod 755 {} \; -o \ + \( -perm 666 -o -perm 664 -o -perm 640 -o -perm 600 -o -perm 444 \ + -o -perm 440 -o -perm 400 \) -exec chmod 644 {} \; + +CFLAGS="$SLKCFLAGS" \ +CXXFLAGS="$SLKCFLAGS" \ +./configure \ + --prefix=/usr \ + --libdir=/usr/lib${LIBDIRSUFFIX} \ + --sysconfdir=/etc \ + --localstatedir=/var \ + --mandir=/usr/man \ + --docdir=/usr/doc/$PRGNAM-$VERSION \ + --disable-static \ + --build=$ARCH-slackware-linux + +make +make install DESTDIR=$PKG + +rm -f $PKG/{,usr/}lib${LIBDIRSUFFIX}/*.la + +find $PKG -print0 | xargs -0 file | grep -e "executable" -e "shared object" | grep ELF \ + | cut -f 1 -d : | xargs strip --strip-unneeded 2> /dev/null || true + +find $PKG/usr/man -type f -exec gzip -9 {} \; +for i in $( find $PKG/usr/man -type l ) ; do ln -s $( readlink $i ).gz $i.gz ; rm $i ; done + +mkdir -p $PKG/usr/doc/$PRGNAM-$VERSION +cp -a AUTHORS CONTRIBUTING* ChangeLog NEWS README* \ + doc/README* doc/sample.* doc/scripts/ $PKG/usr/doc/$PRGNAM-$VERSION +cat $CWD/$PRGNAM.SlackBuild > $PKG/usr/doc/$PRGNAM-$VERSION/$PRGNAM.SlackBuild + +mkdir -p $PKG/install +cat $CWD/slack-desc > $PKG/install/slack-desc +cat $CWD/doinst.sh > $PKG/install/doinst.sh + +mkdir -p $PKG/etc/{rc.d,ocserv} +cat $CWD/rc.ocserv > $PKG/etc/rc.d/rc.ocserv.new +cat $CWD/ocserv.conf > $PKG/etc/ocserv/ocserv.conf.new + +cd $PKG +/sbin/makepkg -l y -c n $OUTPUT/$PRGNAM-$VERSION-$ARCH-$BUILD$TAG.$PKGTYPE diff --git a/network/ocserv/ocserv.conf b/network/ocserv/ocserv.conf new file mode 100644 index 0000000000..d00fdcb414 --- /dev/null +++ b/network/ocserv/ocserv.conf @@ -0,0 +1,779 @@ +### The following directives do not change with server reload. + +# User authentication method. To require multiple methods to be +# used for the user to login, add multiple auth directives. The values +# in the 'auth' directive are AND composed (if multiple all must +# succeed). +# Available options: certificate, plain, pam, radius, gssapi. +# Note that authentication methods utilizing passwords cannot be +# combined (e.g., the plain, pam or radius methods). + +# certificate: +# This indicates that all connecting users must present a certificate. +# The username and user group will be then extracted from it (see +# cert-user-oid and cert-group-oid). The certificate to be accepted +# it must be signed by the CA certificate as specified in 'ca-cert' and +# it must not be listed in the CRL, as specified by the 'crl' option. +# +# pam[gid-min=1000]: +# This enabled PAM authentication of the user. The gid-min option is used +# by auto-select-group option, in order to select the minimum valid group ID. +# +# plain[passwd=/etc/ocserv/ocpasswd,otp=/etc/ocserv/users.otp] +# The plain option requires specifying a password file which contains +# entries of the following format. +# "username:groupname1,groupname2:encoded-password" +# One entry must be listed per line, and 'ocpasswd' should be used +# to generate password entries. The 'otp' suboption allows one to specify +# an oath password file to be used for one time passwords; the format of +# the file is described in https://github.com/archiecobbs/mod-authn-otp/wiki/UsersFile +# +# radius[config=/etc/radiusclient/radiusclient.conf,groupconfig=true,nas-identifier=name]: +# The radius option requires specifying freeradius-client configuration +# file. If the groupconfig option is set, then config-per-user/group will be overridden, +# and all configuration will be read from radius. That also includes the +# Acct-Interim-Interval, and Session-Timeout values. +# +# See doc/README-radius.md for the supported radius configuration attributes. +# +# gssapi[keytab=/etc/key.tab,require-local-user-map=true,tgt-freshness-time=900] +# The gssapi option allows one to use authentication methods supported by GSSAPI, +# such as Kerberos tickets with ocserv. It should be best used as an alternative +# to PAM (i.e., have pam in auth and gssapi in enable-auth), to allow users with +# tickets and without tickets to login. The default value for require-local-user-map +# is true. The 'tgt-freshness-time' if set, it would require the TGT tickets presented +# to have been issued within the provided number of seconds. That option is used to +# restrict logins even if the KDC provides long time TGT tickets. + +#auth = "pam" +#auth = "pam[gid-min=1000]" +#auth = "plain[passwd=./sample.passwd,otp=./sample.otp]" +auth = "plain[passwd=/etc/ocserv/passwd]" +#auth = "certificate" +#auth = "radius[config=/etc/radiusclient/radiusclient.conf,groupconfig=true]" + +# Specify alternative authentication methods that are sufficient +# for authentication. That is, if set, any of the methods enabled +# will be sufficient to login, irrespective of the main 'auth' entries. +# When multiple options are present, they are OR composed (any of them +# succeeding allows login). +#enable-auth = "certificate" +#enable-auth = "gssapi" +#enable-auth = "gssapi[keytab=/etc/key.tab,require-local-user-map=true,tgt-freshness-time=900]" + +# Accounting methods available: +# radius: can be combined with any authentication method, it provides +# radius accounting to available users (see also stats-report-time). +# +# pam: can be combined with any authentication method, it provides +# a validation of the connecting user's name using PAM. It is +# superfluous to use this method when authentication is already +# PAM. +# +# Only one accounting method can be specified. +#acct = "radius[config=/etc/radiusclient/radiusclient.conf]" + +# Use listen-host to limit to specific IPs or to the IPs of a provided +# hostname. +#listen-host = [IP|HOSTNAME] + +# Use udp-listen-host to limit udp to specific IPs or to the IPs of a provided +# hostname. if not set, listen-host will be used +#udp-listen-host = [IP|HOSTNAME] + +# When the server has a dynamic DNS address (that may change), +# should set that to true to ask the client to resolve again on +# reconnects. +#listen-host-is-dyndns = true + +# move the listen socket within the specified network namespace +# listen-netns = "foo" + +# TCP and UDP port number +tcp-port = 443 +udp-port = 443 + +# The user the worker processes will be run as. This should be a dedicated +# unprivileged user (e.g., 'ocserv') and no other services should run as this +# user. +run-as-user = ocserv +run-as-group = ocserv + +# socket file used for IPC with occtl. You only need to set that, +# if you use more than a single servers. +#occtl-socket-file = /var/run/occtl.socket + +# socket file used for server IPC (worker-main), will be appended with .PID +# It must be accessible within the chroot environment (if any), so it is best +# specified relatively to the chroot directory. +socket-file = /var/run/ocserv-socket + +# The default server directory. Does not require any devices present. +#chroot-dir = /var/lib/ocserv + +# The key and the certificates of the server +# The key may be a file, or any URL supported by GnuTLS (e.g., +# tpmkey:uuid=xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx;storage=user +# or pkcs11:object=my-vpn-key;object-type=private) +# +# The server-cert file may contain a single certificate, or +# a sorted certificate chain. +# There may be multiple server-cert and server-key directives, +# but each key should correspond to the preceding certificate. +# The certificate files will be reloaded when changed allowing for in-place +# certificate renewal (they are checked and reloaded periodically; +# a SIGHUP signal to main server will force reload). + +#server-cert = /etc/ocserv/fullchain.pem +#server-key = /etc/ocserv/privkey.pem + +# Diffie-Hellman parameters. Only needed if for old (pre 3.6.0 +# versions of GnuTLS for supporting DHE ciphersuites. +# Can be generated using: +# certtool --generate-dh-params --outfile /etc/ocserv/dh.pem +#dh-params = /etc/ocserv/dh.pem + +# In case PKCS #11, TPM or encrypted keys are used the PINs should be available +# in files. The srk-pin-file is applicable to TPM keys only, and is the +# storage root key. +#pin-file = /etc/ocserv/pin.txt +#srk-pin-file = /etc/ocserv/srkpin.txt + +# The password or PIN needed to unlock the key in server-key file. +# Only needed if the file is encrypted or a PKCS #11 object. This +# is an alternative method to pin-file. +#key-pin = 1234 + +# The SRK PIN for TPM. +# This is an alternative method to srk-pin-file. +#srk-pin = 1234 + +# The Certificate Authority that will be used to verify +# client certificates (public keys) if certificate authentication +# is set. +#ca-cert = /etc/ocserv/ca.pem + +# The number of sub-processes to use for the security module (authentication) +# processes. Typically this should not be set as the number of processes +# is determined automatically by the initially set maximum number of clients. +#sec-mod-scale = 4 + + + +### All configuration options below this line are reloaded on a SIGHUP. +### The options above, will remain unchanged. Note however, that the +### server-cert, server-key, dh-params and ca-cert options will be reloaded +### if the provided file changes, on server reload. That allows certificate +### rotation, but requires the server key to remain the same for seamless +### operation. If the server key changes on reload, there may be connection +### failures during the reloading time. + + +# Whether to enable seccomp/Linux namespaces worker isolation. That restricts the number of +# system calls allowed to a worker process, in order to reduce damage from a +# bug in the worker process. It is available on Linux systems at a performance cost. +# The performance cost is roughly 2% overhead at transfer time (tested on a Linux 3.17.8). +# Note however, that process isolation is restricted to the specific libc versions +# the isolation was tested at. If you get random failures on worker processes, try +# disabling that option and report the failures you, along with system and debugging +# information at: https://gitlab.com/openconnect/ocserv/issues +isolate-workers = true + +# A banner to be displayed on clients after connection +#banner = "Welcome" + +# A banner to be displayed on clients before connection +#pre-login-banner = "Welcome" + +# Limit the number of clients. Unset or set to zero if unknown. In +# that case the maximum value is ~8k clients. +#max-clients = 1024 +max-clients = 16 + +# Limit the number of identical clients (i.e., users connecting +# multiple times). Unset or set to zero for unlimited. +max-same-clients = 2 + +# When the server receives connections from a proxy, like haproxy +# which supports the proxy protocol, set this to obtain the correct +# client addresses. The proxy protocol would then be expected in +# the TCP or UNIX socket (not the UDP one). Although both v1 +# and v2 versions of proxy protocol are supported, the v2 version +# is recommended as it is more efficient in parsing. +#listen-proxy-proto = true + +# Rate limit the number of incoming connections to one every X milliseconds +# (X is the provided value), as the secmod backlog grows. This +# makes the server more resilient (and prevents connection failures) on +# multiple concurrent connections. Set to zero for no limit. +rate-limit-ms = 100 + +# Stats report time. The number of seconds after which each +# worker process will report its usage statistics (number of +# bytes transferred etc). This is useful when accounting like +# radius is in use. +#stats-report-time = 360 + +# Stats reset time. The period of time statistics kept by main/sec-mod +# processes will be reset. These are the statistics shown by cmd +# 'occtl show stats'. For daily: 86400, weekly: 604800 +# This is unrelated to stats-report-time. +server-stats-reset-time = 604800 + +# Keepalive in seconds +keepalive = 32400 + +# Dead peer detection in seconds. +# Note that when the client is behind a NAT this value +# needs to be short enough to prevent the NAT disassociating +# his UDP session from the port number. Otherwise the client +# could have his UDP connection stalled, for several minutes. +dpd = 90 + +# Dead peer detection for mobile clients. That needs to +# be higher to prevent such clients being awaken too +# often by the DPD messages, and save battery. +# The mobile clients are distinguished from the header +# 'X-AnyConnect-Identifier-Platform'. +mobile-dpd = 1800 + +# If using DTLS, and no UDP traffic is received for this +# many seconds, attempt to send future traffic over the TCP +# connection instead, in an attempt to wake up the client +# in the case that there is a NAT and the UDP translation +# was deleted. If this is unset, do not attempt to use this +# recovery mechanism. +switch-to-tcp-timeout = 25 + +# MTU discovery (DPD must be enabled) +try-mtu-discovery = false + +# To enable load-balancer connection draining, set server-drain-ms to a value +# higher than your load-balancer health probe interval. +#server-drain-ms = 15000 + +# If you have a certificate from a CA that provides an OCSP +# service you may provide a fresh OCSP status response within +# the TLS handshake. That will prevent the client from connecting +# independently on the OCSP server. +# You can update this response periodically using: +# ocsptool --ask --load-cert=your_cert --load-issuer=your_ca --outfile response +# Make sure that you replace the following file in an atomic way. +#ocsp-response = /etc/ocserv/ocsp.der + +# The object identifier that will be used to read the user ID in the client +# certificate. The object identifier should be part of the certificate's DN +# Useful OIDs are: +# CN = 2.5.4.3, UID = 0.9.2342.19200300.100.1.1, SAN(rfc822name) +cert-user-oid = 0.9.2342.19200300.100.1.1 + +# The object identifier that will be used to read the user group in the +# client certificate. The object identifier should be part of the certificate's +# DN. If the user may belong to multiple groups, then use multiple such fields +# in the certificate's DN. Useful OIDs are: +# OU (organizational unit) = 2.5.4.11 +#cert-group-oid = 2.5.4.11 + +# The revocation list of the certificates issued by the 'ca-cert' above. +# See the manual to generate an empty CRL initially. The CRL will be reloaded +# periodically when ocserv detects a change in the file. To force a reload use +# SIGHUP. +#crl = /etc/ocserv/crl.pem + +# Uncomment this to enable compression negotiation (LZS, LZ4). +#compression = true + +# Set the minimum size under which a packet will not be compressed. +# That is to allow low-latency for VoIP packets. The default size +# is 256 bytes. Modify it if the clients typically use compression +# as well of VoIP with codecs that exceed the default value. +#no-compress-limit = 256 + +# GnuTLS priority string; note that SSL 3.0 is disabled by default +# as there are no openconnect (and possibly anyconnect clients) using +# that protocol. The string below does not enforce perfect forward +# secrecy, in order to be compatible with legacy clients. +# +# Note that the most performant ciphersuites are the moment are the ones +# involving AES-GCM. These are very fast in x86 and x86-64 hardware, and +# in addition require no padding, thus taking full advantage of the MTU. +# For that to be taken advantage of, the openconnect client must be +# used, and the server must be compiled against GnuTLS 3.2.7 or later. +# Use "gnutls-cli --benchmark-tls-ciphers", to see the performance +# difference with AES_128_CBC_SHA1 (the default for anyconnect clients) +# in your system. + +tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1" + +# More combinations in priority strings are available, check +# http://gnutls.org/manual/html_node/Priority-Strings.html +# E.g., the string below enforces perfect forward secrecy (PFS) +# on the main channel. +#tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-RSA:-VERS-SSL3.0:-ARCFOUR-128" + +# That option requires the established DTLS channel to use the same +# cipher as the primary TLS channel.Note also, that this option implies +# that the dtls-legacy option is false; this option cannot be enforced +# in the legacy/compat protocol. +#match-tls-dtls-ciphers = true + +# The time (in seconds) that a client is allowed to stay connected prior +# to authentication +auth-timeout = 240 + +# The time (in seconds) that a client is allowed to stay idle (no traffic) +# before being disconnected. Unset to disable. +#idle-timeout = 1200 + +# The time (in seconds) that a client is allowed to stay connected +# Unset to disable. When set a client will be disconnected after being +# continuously connected for this amount of time, and its cookies will +# be invalidated (i.e., re-authentication will be required). +#session-timeout = 86400 + +# The time (in seconds) that a mobile client is allowed to stay idle (no +# traffic) before being disconnected. Unset to disable. +#mobile-idle-timeout = 2400 + +# The time (in seconds) that a client is not allowed to reconnect after +# a failed authentication attempt. +min-reauth-time = 300 + +# Banning clients in ocserv works with a point system. IP addresses +# that get a score over that configured number are banned for +# min-reauth-time seconds. By default a wrong password attempt is 10 points, +# a KKDCP POST is 1 point, and a connection is 1 point. Note that +# due to different processes being involved the count of points +# will not be real-time precise. Local subnet IPs are exempt to allow +# services that check for process health. +# +# Set to zero to disable. +max-ban-score = 80 + +# The time (in seconds) that all score kept for a client is reset. +ban-reset-time = 1200 + +# In case you'd like to change the default points. +#ban-points-wrong-password = 10 +#ban-points-connection = 1 +#ban-points-kkdcp = 1 + +# Cookie timeout (in seconds) +# Once a client is authenticated he's provided a cookie with +# which he can reconnect. That cookie will be invalidated if not +# used within this timeout value. This cookie remains valid, during +# the user's connected time, and after user disconnection it +# remains active for this amount of time. That setting should allow a +# reasonable amount of time for roaming between different networks. +cookie-timeout = 300 + +# If this is enabled (not recommended) the cookies will stay +# valid even after a user manually disconnects, and until they +# expire. This may improve roaming with some broken clients. +#persistent-cookies = true + +# Whether roaming is allowed, i.e., if true a cookie is +# restricted to a single IP address and cannot be reused +# from a different IP. +deny-roaming = false + +# ReKey time (in seconds) +# ocserv will ask the client to refresh keys periodically once +# this amount of seconds is elapsed. Set to zero to disable (note +# that, some clients fail if rekey is disabled). +rekey-time = 172800 + +# ReKey method +# Valid options: ssl, new-tunnel +# ssl: Will perform an efficient rehandshake on the channel allowing +# a seamless connection during rekey. +# new-tunnel: Will instruct the client to discard and re-establish the channel. +# Use this option only if the connecting clients have issues with the ssl +# option. +rekey-method = ssl + +# Script to call when a client connects and obtains an IP. +# The following parameters are passed on the environment. +# REASON, VHOST, USERNAME, GROUPNAME, DEVICE, IP_REAL (the real IP of the client), +# REMOTE_HOSTNAME (the remotely advertised hostname), IP_REAL_LOCAL +# (the local interface IP the client connected), IP_LOCAL +# (the local IP in the P-t-P connection), IP_REMOTE (the VPN IP of the client), +# IPV6_LOCAL (the IPv6 local address if there are both IPv4 and IPv6 +# assigned), IPV6_REMOTE (the IPv6 remote address), IPV6_PREFIX, and +# ID (a unique numeric ID); REASON may be "connect" or "disconnect". +# In addition the following variables OCSERV_ROUTES (the applied routes for this +# client), OCSERV_NO_ROUTES, OCSERV_DNS (the DNS servers for this client), +# will contain a space separated list of routes or DNS servers. A version +# of these variables with the 4 or 6 suffix will contain only the IPv4 or +# IPv6 values. The connect script must return zero as exit code, or the +# client connection will be refused. + +# The disconnect script will receive the additional values: STATS_BYTES_IN, +# STATS_BYTES_OUT, STATS_DURATION that contain a 64-bit counter of the bytes +# output from the tun device, and the duration of the session in seconds. + +#connect-script = /usr/bin/myscript +#disconnect-script = /usr/bin/myscript + +# This script is to be called when the client's advertised hostname becomes +# available. It will contain REASON with "host-update" value and the +# variable REMOTE_HOSTNAME in addition to the connect variables. + +#host-update-script = /usr/bin/myhostnamescript + +# UTMP +# Register the connected clients to utmp. This will allow viewing +# the connected clients using the command 'who'. +#use-utmp = true + +# Whether to enable support for the occtl tool (i.e., either through D-BUS, +# or via a unix socket). +use-occtl = true + +# PID file. It can be overridden in the command line. +pid-file = /run/ocserv.pid + +# Log Level. Ocserv sends the logging messages to standard error +# as well as the system log. The log level can be overridden in the +# command line with the -d option. All messages at the configured +# level and lower will be displayed. +# Supported levels (default 0): +# 0 default (Same as info) +# 1 basic +# 2 info +# 3 debug +# 4 http +# 8 sensitive +# 9 TLS +log-level = 2 + +# Set the protocol-defined priority (SO_PRIORITY) for packets to +# be sent. That is a number from 0 to 6 with 0 being the lowest +# priority. Alternatively this can be used to set the IP Type- +# Of-Service, by setting it to a hexadecimal number (e.g., 0x20). +# This can be set per user/group or globally. +#net-priority = 3 + +# Set the VPN worker process into a specific cgroup. This is Linux +# specific and can be set per user/group or globally. +#cgroup = "cpuset,cpu:test" + +# +# Network settings +# + +# The name to use for the tun device +device = vpns + +# Whether the generated IPs will be predictable, i.e., IP stays the +# same for the same user when possible. +predictable-ips = true + +# The default domain to be advertised. Multiple domains (functional on +# openconnect clients) can be provided in a space separated list. +default-domain = example.com +#default-domain = "example.com one.example.com" + +# The pool of addresses that leases will be given from. If the leases +# are given via Radius, or via the explicit-ip? per-user config option then +# these network values should contain a network with at least a single +# address that will remain under the full control of ocserv (that is +# to be able to assign the local part of the tun device address). +# Note that, you could use addresses from a subnet of your LAN network if you +# enable [proxy arp in the LAN interface](http://ocserv.gitlab.io/www/recipes-ocserv-pseudo-bridge.html); +# in that case it is recommended to set ping-leases to true. +ipv4-network = 192.168.1.0 +ipv4-netmask = 255.255.255.0 + +# An alternative way of specifying the network: +#ipv4-network = 192.168.1.0/24 + +# The IPv6 subnet that leases will be given from. +#ipv6-network = fda9:4efe:7e3b:03ea::/48 + +# Specify the size of the network to provide to clients. It is +# generally recommended to provide clients with a /64 network in +# IPv6, but any subnet may be specified. To provide clients only +# with a single IP use the prefix 128. +#ipv6-subnet-prefix = 128 +#ipv6-subnet-prefix = 64 + +# Whether to tunnel all DNS queries via the VPN. This is the default +# when a default route is set. +#tunnel-all-dns = true + +# The advertised DNS server. Use multiple lines for +# multiple servers. +# dns = fc00::4be0 +dns = 192.168.1.1 + +# The NBNS server (if any) +#nbns = 192.168.1.3 + +# The domains over which the provided DNS should be used. Use +# multiple lines for multiple domains. +#split-dns = example.com + +# Prior to leasing any IP from the pool ping it to verify that +# it is not in use by another (unrelated to this server) host. +# Only set to true, if there can be occupied addresses in the +# IP range for leases. +ping-leases = false + +# Use this option to set a link MTU value to the incoming +# connections. Unset to use the default MTU of the TUN device. +# Note that the MTU is negotiated using the value set and the +# value sent by the peer. +#mtu = 1420 + +# Unset to enable bandwidth restrictions (in bytes/sec). The +# setting here is global, but can also be set per user or per group. +# The RX direction refers to received data on the server from the +# VPN client, and the TX refers to transmitted data by the server +# to the client. +#rx-data-per-sec = 40000 +#tx-data-per-sec = 40000 + +# The number of packets (of MTU size) that are available in +# the output buffer. The default is low to improve latency. +# Setting it higher will improve throughput. +#output-buffer = 10 + +# Routes to be forwarded to the client. If you need the +# client to forward routes to the server, you may use the +# config-per-user/group or even connect and disconnect scripts. +# +# To set the server as the default gateway for the client just +# comment out all routes from the server, or use the special keyword +# 'default'. + +#route = 10.10.10.0/255.255.255.0 +#route = 192.168.0.0/255.255.0.0 +#route = fef4:db8:1000:1001::/64 +#route = default + +route = 10.10.10.0/24 +route = 192.168.0.0/16 + +# Subsets of the routes above that will not be routed by +# the server. + +#no-route = 192.168.5.0/255.255.255.0 + +# Note the that following two firewalling options currently are available +# in Linux systems with iptables software. + +# If set, the script /usr/libexec/ocserv-fw will be called to restrict +# the user to its allowed routes and prevent him from accessing +# any other routes. In case of defaultroute, the no-routes are restricted. +# All the routes applied by ocserv can be reverted using /usr/libexec/ocserv-fw +# --removeall. This option can be set globally or in the per-user configuration. +#restrict-user-to-routes = true + +# This option implies restrict-user-to-routes set to true. If set, the +# script /usr/libexec/ocserv-fw will be called to restrict the user to +# access specific ports in the network. This option can be set globally +# or in the per-user configuration. +#restrict-user-to-ports = "tcp(443), tcp(80), udp(443), sctp(99), tcp(583), icmp(), icmpv6()" + +# You could also use negation, i.e., block the user from accessing these ports only. +#restrict-user-to-ports = "!(tcp(443), tcp(80))" + +# When set to true, all client's iroutes are made visible to all +# connecting clients except for the ones offering them. This option +# only makes sense if config-per-user is set. +#expose-iroutes = true + +# Groups that a client is allowed to select from. +# A client may belong in multiple groups, and in certain use-cases +# it is needed to switch between them. For these cases the client can +# select prior to authentication. Add multiple entries for multiple groups. +# The group may be followed by a user-friendly name in brackets. +#select-group = group1 +#select-group = group2[My special group] + +# The name of the (virtual) group that if selected it would assign the user +# to its default group. +#default-select-group = DEFAULT + +# Instead of specifying manually all the allowed groups, you may instruct +# ocserv to scan all available groups and include the full list. +#auto-select-group = true + +# Configuration files that will be applied per user connection or +# per group. Each file name on these directories must match the username +# or the groupname. +# The options allowed in the configuration files are dns, nbns, +# ipv?-network, ipv4-netmask, rx/tx-data-per-sec, iroute, route, no-route, +# explicit-ipv4, explicit-ipv6, net-priority, deny-roaming, no-udp, +# keepalive, dpd, mobile-dpd, max-same-clients, tunnel-all-dns, +# restrict-user-to-routes, cgroup, stats-report-time, +# mtu, idle-timeout, mobile-idle-timeout, restrict-user-to-ports, +# split-dns and session-timeout. +# +# Note that the 'iroute' option allows one to add routes on the server +# based on a user or group. The syntax depends on the input accepted +# by the commands route-add-cmd and route-del-cmd (see below). The no-udp +# is a boolean option (e.g., no-udp = true), and will prevent a UDP session +# for that specific user or group. The hostname option will set a +# hostname to override any proposed by the user. Note also, that, any +# routes, no-routes, DNS or NBNS servers present will overwrite the global ones. + +#config-per-user = /etc/ocserv/config-per-user/ +#config-per-group = /etc/ocserv/config-per-group/ + +# When config-per-xxx is specified and there is no group or user that +# matches, then utilize the following configuration. +#default-user-config = /etc/ocserv/defaults/user.conf +#default-group-config = /etc/ocserv/defaults/group.conf + +# The system command to use to setup a route. %{R} will be replaced with the +# route/mask, %{RI} with the route in CIDR format, and %{D} with the (tun) device. +# +# The following example is from linux systems. %{R} should be something +# like 192.168.2.0/255.255.255.0 and %{RI} 192.168.2.0/24 (the argument of iroute). + +#route-add-cmd = "ip route add %{R} dev %{D}" +#route-del-cmd = "ip route delete %{R} dev %{D}" + +# This option allows one to forward a proxy. The special keywords '%{U}' +# and '%{G}', if present will be replaced by the username and group name. +#proxy-url = http://example.com/ +#proxy-url = http://example.com/%{U}/ + +# This option allows you to specify a URL location where a client can +# post using MS-KKDCP, and the message will be forwarded to the provided +# KDC server. That is a translation URL between HTTP and Kerberos. +# In MIT kerberos you'll need to add in realms: +# EXAMPLE.COM = { +# kdc = https://ocserv.example.com/KdcProxy +# http_anchors = FILE:/etc/ocserv-ca.pem +# } +# In some distributions the krb5-k5tls plugin of kinit is required. +# +# The following option is available in ocserv, when compiled with GSSAPI support. + +#kkdcp = "SERVER-PATH KERBEROS-REALM PROTOCOL@SERVER:PORT" +#kkdcp = "/KdcProxy KERBEROS.REALM udp@127.0.0.1:88" +#kkdcp = "/KdcProxy KERBEROS.REALM tcp@127.0.0.1:88" +#kkdcp = "/KdcProxy KERBEROS.REALM tcp@[::1]:88" + +# Client profile xml. This can be used to advertise alternative servers +# to the client. A minimal file can be: +# +# +# +# +# VPN Server name +# localhost +# +# +# +# +# Other fields may be used by some of the CISCO clients. +# This file must be accessible from inside the worker's chroot. +# Note that: +# (1) enabling this option is not recommended as it will allow the +# worker processes to open arbitrary files (when isolate-workers is +# set to true). +# (2) This option cannot be set per-user or per-group; only the global +# version is being sent to client. +#user-profile = profile.xml + +# +# The following options are for (experimental) AnyConnect client +# compatibility. + +# This option will enable the pre-draft-DTLS version of DTLS, and +# will not require clients to present their certificate on every TLS +# connection. It must be set to true to support legacy CISCO clients +# and openconnect clients < 7.08. When set to true, it implies dtls-legacy = true. +cisco-client-compat = true + +# This option allows one to disable the DTLS-PSK negotiation (enabled by default). +# The DTLS-PSK negotiation was introduced in ocserv 0.11.5 to deprecate +# the pre-draft-DTLS negotiation inherited from AnyConnect. It allows the +# DTLS channel to negotiate its ciphers and the DTLS protocol version. +#dtls-psk = false + +# This option allows one to disable the legacy DTLS negotiation (enabled by default, +# but that may change in the future). +# The legacy DTLS uses a pre-draft version of the DTLS protocol and was +# from AnyConnect protocol. It has several limitations, that are addressed +# by the dtls-psk protocol supported by openconnect 7.08+. +dtls-legacy = true + +# This option will enable the settings needed for Cisco SVC IPPhone clients +# to connect. It implies dtls-legacy = true and tls-priorities is changed to +# only the ciphers the device supports. +cisco-svc-client-compat = false + +# This option will enable the X-CSTP-Client-Bypass-Protocol (disabled by default). +# If the server has not configured an IPv6 or IPv4 address pool, enabling this option +# will instruct the client to bypass the server for that IP protocol. The option is +# currently only understood by Anyconnect clients. +client-bypass-protocol = false + +# The following options are related to server camouflage (hidden service) + +# This option allows you to enable the camouflage feature of ocserv that makes it look +# like a web server to unauthorized parties. +# With "camouflage" enabled, connection to the VPN can be established only if the client provided a specific +# "secret string" in the connection URL, e.g. "https://example.com/?mysecretkey", +# otherwise the server will return HTTP error for all requests. +camouflage = false + +# The URL prefix that should be set on the client (after '?' sign) to pass through the camouflage check, +# e.g. in case of 'mysecretkey', the server URL on the client should be like "https://example.com/?mysecretkey". +camouflage_secret = "mysecretkey" + +# Defines the realm (browser prompt) for HTTP authentication. +# If no realm is set, the server will return 404 Not found error instead of 401 Unauthorized. +# Better change it from the default value to avoid fingerprinting. +camouflage_realm = "Restricted Content" + +#Advanced options + +# Option to allow sending arbitrary custom headers to the client after +# authentication and prior to VPN tunnel establishment. You shouldn't +# need to use this option normally; if you do and you think that +# this may help others, please send your settings and reason to +# the openconnect mailing list. The special keywords '%{U}' +# and '%{G}', if present will be replaced by the username and group name. +#custom-header = "X-My-Header: hi there" + + + +# An example virtual host with different authentication methods serviced +# by this server. + +#[vhost:www.example.com] +#auth = "certificate" + +#ca-cert = ../tests/certs/ca.pem + +# The certificate set here must include a 'dns_name' corresponding to +# the virtual host name. + +#server-cert = ../tests/certs/server-cert-secp521r1.pem +#server-key = ../tests/certs/server-key-secp521r1.pem + +#ipv4-network = 192.168.2.0 +#ipv4-netmask = 255.255.255.0 + +#cert-user-oid = 0.9.2342.19200300.100.1.1 + +# HTTP headers +#included-http-headers = Strict-Transport-Security: max-age=31536000 ; includeSubDomains +#included-http-headers = X-Frame-Options: deny +#included-http-headers = X-Content-Type-Options: nosniff +#included-http-headers = Content-Security-Policy: default-src 'none' +#included-http-headers = X-Permitted-Cross-Domain-Policies: none +#included-http-headers = Referrer-Policy: no-referrer +#included-http-headers = Clear-Site-Data: "cache","cookies","storage" +#included-http-headers = Cross-Origin-Embedder-Policy: require-corp +#included-http-headers = Cross-Origin-Opener-Policy: same-origin +#included-http-headers = Cross-Origin-Resource-Policy: same-origin +#included-http-headers = X-XSS-Protection: 0 +#included-http-headers = Pragma: no-cache +#included-http-headers = Cache-control: no-store, no-cache diff --git a/network/ocserv/ocserv.info b/network/ocserv/ocserv.info new file mode 100644 index 0000000000..da8951388a --- /dev/null +++ b/network/ocserv/ocserv.info @@ -0,0 +1,10 @@ +PRGNAM="ocserv" +VERSION="1.2.4" +HOMEPAGE="https://ocserv.openconnect-vpn.net" +DOWNLOAD="https://www.infradead.org/ocserv/download/ocserv-1.2.4.tar.xz" +MD5SUM="6f82a924f998a646512714c4544aaee2" +DOWNLOAD_x86_64="" +MD5SUM_x86_64="" +REQUIRES="http-parser libev protobuf-c rubygem-ronn" +MAINTAINER="Alexander Verbovetsky" +EMAIL="alik@ejik.org" diff --git a/network/ocserv/rc.ocserv b/network/ocserv/rc.ocserv new file mode 100644 index 0000000000..83fa395888 --- /dev/null +++ b/network/ocserv/rc.ocserv @@ -0,0 +1,55 @@ +#!/bin/bash +# Start/stop/restart the ocserv vpn server +# This script uses the occtl tool + +start_ocserv() { + if [ -S /var/run/occtl.socket ]; then + echo "ocserv is already running" + exit 0 + fi + echo "Starting ocserv" + /usr/sbin/ocserv 2>/dev/null +} + +stop_ocserv() { + /usr/bin/occtl stop now +} + +restart_ocserv() { + stop_ocserv + sleep 1 + start_ocserv +} + +reload_ocserv() { + /usr/bin/occtl reload +} + +status_ocserv() { + if [ -S /var/run/occtl.socket ]; then + /usr/bin/occtl show status + else + echo "ocserv is stopped" + exit 1 + fi +} + +case "$1" in +'start') + start_ocserv + ;; +'stop') + stop_ocserv + ;; +'restart') + restart_ocserv + ;; +'reload') + reload_ocserv + ;; +'status') + status_ocserv + ;; +*) + echo "usage $0 start|stop|restart|reload|status" +esac diff --git a/network/ocserv/slack-desc b/network/ocserv/slack-desc new file mode 100644 index 0000000000..c62e2e9f87 --- /dev/null +++ b/network/ocserv/slack-desc @@ -0,0 +1,19 @@ +# HOW TO EDIT THIS FILE: +# The "handy ruler" below makes it easier to edit a package description. +# Line up the first '|' above the ':' following the base package name, and +# the '|' on the right side marks the last column you can put a character in. +# You must make exactly 11 lines for the formatting to be correct. It's also +# customary to leave one space after the ':' except on otherwise blank lines. + + |-----handy-ruler------------------------------------------------------| +ocserv: ocserv (OpenConnect SSL VPN server) +ocserv: +ocserv: The OpenConnect VPN server (ocserv) is an open source Linux SSL VPN +ocserv: server designed for organizations that require a remote access VPN +ocserv: with enterprise user management and control. It follows the +ocserv: openconnect protocol and is the counterpart of the openconnect VPN +ocserv: client. It is also compatible with CISCO's AnyConnect SSL VPN. +ocserv: +ocserv: Homepage: https://ocserv.openconnect-vpn.net +ocserv: +ocserv: -- cgit v1.2.3-79-gdb01