Last active
December 13, 2018 06:05
-
-
Save luginbash/52e745ab46cdf46b9061 to your computer and use it in GitHub Desktop.
setting up ocserv (open source AnyConnect alternative) on a new Debian, use passwd auth by default
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| echo "this file isn't supposed to run" | |
| exit 0 | |
| # <------------------------------ Enviroment Variables -------------------------------> | |
| FQDN = <Server DNS Name> # can also get from PTR record | |
| ORG_NAME = <Org name> | |
| RELEASE_NAME = $(lsb_release -sc) | |
| # <------------------------------ Network Stack Setups -------------------------------> | |
| # Please edit /etc/default/ufw first | |
| # DEFAULT_FORWARD_POLICY="ACCEPT" | |
| # then at /etc/ufw/sysctl.conf | |
| # net/ipv4/ip_forward=1 | |
| # net/ipv6/conf/default/forwarding=1 | |
| # allow mtu dectection | |
| iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu | |
| # <--------------------------------- Building ---------------------------------------> | |
| # build-essentials | |
| aptitude -y install build-essential | |
| # newer gnutls req backports | |
| echo "deb http://ftp.debian.org/debian $RELEASE_NAME-backports main contrib non-free" | tee -a /etc/apt/sources.list | |
| aptitude update | |
| aptitude -t $RELEASE_NAME-backports -y install libgnutls28-dev | |
| aptitude -y install libgmp3-dev m4 gcc pkg-config make gnutls-bin | |
| aptitude -y install libreadline-dev | |
| # Get OCServ | |
| wget ftp://ftp.infradead.org/pub/ocserv/ocserv-0.10.1.tar.xz # as of today, latest=0.8.4 | |
| tar xvf ocserv-0.10.1.tar.xz | |
| cd ocserv-0.10.1 | |
| ./configure --prefix=/usr --sysconfdir=/etc | |
| make | |
| make install | |
| # <------------------------------ Keypair Generation -------------------------------> | |
| # Certificate Authority | |
| # If you are willing to use your own CA, or intermediate CA for OpenConnect | |
| # just copy & paste keys certs. I recommend this over self-signed CA. | |
| certtool --generate-privkey --outfile ca-key.pem | |
| cat << _EOF_ > ca.tmpl | |
| cn = $FQDN | |
| organization = $ORG_NAME | |
| serial = 1 | |
| expiration_days = 3650 | |
| ca | |
| signing_key | |
| cert_signing_key | |
| crl_signing_key | |
| _EOF_ | |
| certtool --generate-self-signed --load-privkey ca-key.pem --template ca.tmpl --outfile ca-cert.pem | |
| cat << _EOF_ > server.tmpl | |
| cn = $FQDN | |
| organization = $ORG_NAME | |
| expiration_days = 3650 | |
| signing_key | |
| encryption_key | |
| tls_www_server | |
| _EOF_ | |
| certtool --generate-privkey --outfile server-key.pem | |
| certtool --generate-certificate --load-privkey server-key.pem --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem --template server.tmpl --outfile server-cert.pem | |
| # -- USER KEY, not mandatory -- | |
| certtool --generate-privkey --outfile user-key.pem | |
| cat << _EOF_ >user.tmpl | |
| cn = $FQDN | |
| unit = $ORG_NAME | |
| serial = 1001 | |
| expiration_days = 3650 | |
| signing_key | |
| tls_www_client | |
| _EOF_ | |
| certtool --generate-certificate --load-privkey user-key.pem --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem --template user.tmpl --outfile user-cert.pem | |
| cat << _EOF_ >crl.tmpl | |
| crl_next_update = 999 | |
| crl_number = 1 | |
| _EOF_ | |
| cat user-cert.pem >>revoked.pem | |
| certtool --generate-crl --load-ca-privkey ca-key.pem --load-ca-certificate ca.pem --load-certificate revoked.pem --template crl.tmpl --outfile crl.pem | |
| certtool --generate-crl --load-ca-privkey ca-key.pem --load-ca-certificate ca.pem --template crl.tmpl --outfile crl.pem | |
| cp ca-cert.pem /etc/ssl/certs | |
| cp ca-key.pem /etc/ssl/private | |
| cp server-cert.pem /etc/ssl/certs | |
| cp server-key.pem /etc/ssl/private | |
| mkdir /etc/ocserv | |
| # <------------------------------ OC Server Specific -------------------------------> | |
| # Profile generation | |
| cat << _EOF_ > /etc/ocserv/profile.xml | |
| <?xml version="1.0" encoding="UTF-8"?> | |
| <AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/ AnyConnectProfile.xsd"> | |
| <ClientInitialization> | |
| <AutoUpdate>true</AutoUpdate> | |
| <BypassDownloader>true</BypassDownloader> | |
| <UseStartBeforeLogon>false</UseStartBeforeLogon> | |
| <StrictCertificateTrust>false</StrictCertificateTrust> | |
| <RestrictPreferenceCaching>false</RestrictPreferenceCaching> | |
| <RestrictTunnelProtocols>IPSec</RestrictTunnelProtocols> | |
| <CertEnrollmentPin>pinAllowed</CertEnrollmentPin> | |
| <CertificateMatch> | |
| <KeyUsage> | |
| <MatchKey>Digital_Signature</MatchKey> | |
| </KeyUsage> | |
| <ExtendedKeyUsage> | |
| <ExtendedMatchKey>ClientAuth</ExtendedMatchKey> | |
| </ExtendedKeyUsage> | |
| </CertificateMatch> | |
| </ClientInitialization> | |
| <ServerList> | |
| <HostEntry> | |
| <HostName>$FQDN</HostName> | |
| <HostAddress>$FQDN</HostAddress> | |
| </HostEntry> | |
| </ServerList> | |
| </AnyConnectProfile> | |
| _EOF_ | |
| cat << _EOF_ > /etc/init.d/ocserv | |
| #!/bin/sh | |
| ### BEGIN INIT INFO | |
| # Provides: ocserv | |
| # Required-Start: $remote_fs $syslog | |
| # Required-Stop: $remote_fs $syslog | |
| # Default-Start: 2 3 4 5 | |
| # Default-Stop: 0 1 6 | |
| ### END INIT INFO | |
| # Copyright Rene Mayrhofer, Gibraltar, 1999 | |
| # This script is distibuted under the GPL | |
| PATH=/bin:/usr/bin:/sbin:/usr/sbin | |
| DAEMON=/usr/sbin/ocserv | |
| PIDFILE=/var/run/ocserv.pid | |
| DAEMON_ARGS="-c /etc/ocserv/ocserv.conf" | |
| case "$1" in | |
| start) | |
| if [ ! -r $PIDFILE ]; then | |
| echo -n "Starting OpenConnect VPN Server Daemon: " | |
| start-stop-daemon --start --quiet --pidfile $PIDFILE --exec $DAEMON -- \ | |
| $DAEMON_ARGS > /dev/null | |
| echo "ocserv." | |
| else | |
| echo -n "OpenConnect VPN Server is already running.\n\r" | |
| exit 0 | |
| fi | |
| ;; | |
| stop) | |
| echo -n "Stopping OpenConnect VPN Server Daemon: " | |
| start-stop-daemon --stop --quiet --pidfile $PIDFILE --exec $DAEMON | |
| echo "ocserv." | |
| rm -f $PIDFILE | |
| ;; | |
| force-reload|restart) | |
| echo "Restarting OpenConnect VPN Server: " | |
| $0 stop | |
| sleep 1 | |
| $0 start | |
| ;; | |
| status) | |
| if [ ! -r $PIDFILE ]; then | |
| # no pid file, process doesn't seem to be running correctly | |
| exit 3 | |
| fi | |
| PID=`cat $PIDFILE | sed 's/ //g'` | |
| EXE=/proc/$PID/exe | |
| if [ -x "$EXE" ] && | |
| [ "`ls -l \"$EXE\" | cut -d'>' -f2,2 | cut -d' ' -f2,2`" = \ | |
| "$DAEMON" ]; then | |
| # ok, process seems to be running | |
| exit 0 | |
| elif [ -r $PIDFILE ]; then | |
| # process not running, but pidfile exists | |
| exit 1 | |
| else | |
| # no lock file to check for, so simply return the stopped status | |
| exit 3 | |
| fi | |
| ;; | |
| *) | |
| echo "Usage: /etc/init.d/ocserv {start|stop|restart|force-reload|status}" | |
| exit 1 | |
| ;; | |
| esac | |
| exit 0 | |
| _EOF_ | |
| vim /etc/ocserv/ocserv.conf | |
| chmod +x /etc/init.d/ocserv | |
| update-rc.d ocserv defaults | |
| ufw allow 443 | |
| ufw allow 443/udp | |
| echo "*nat" >> /etc/ufw/before.rules | |
| echo ":POSTROUTING ACCEPT [0:0]" >> /etc/ufw/before.rules | |
| ###### | |
| # Change NAT IP/subnet HERE accordingly to your ocserv.conf configs | |
| echo "-A POSTROUTING -s 10.88.0.0/24 -o eth0 -j MASQUERADE" >> /etc/ufw/before.rules | |
| ##### | |
| echo "COMMIT" >> /etc/ufw/before.rules | |
| ufw disable && sudo ufw enable | |
| ocpasswd newuser |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
thank you,