Console log for ocserv configuration

gistfile1.txt

# Please edit /etc/default/ufw first
# DEFAULT_FORWARD_POLICY="ACCEPT"

# then at /etc/ufw/sysctl.conf
# net/ipv4/ip_forward=1
# net/ipv6/conf/default/forwarding=1

# allow mtu dectection
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

# build-essentials
aptitude -y install build-essential

# newer gnutls req backports
echo "deb http://ftp.debian.org/debian wheezy-backports main contrib non-free" | tee -a /etc/apt/sources.list
aptitude update
aptitude -t wheezy-backports -y install libgnutls28-dev
aptitude -y install libgmp3-dev m4 gcc pkg-config make gnutls-bin
aptitude -y install libreadline-dev

# Get OCServ
wget ftp://ftp.infradead.org/pub/ocserv/ocserv-0.8.1.tar.xz # as of today, latest=0.8.1
tar xvf ocserv-0.8.1.tar.xz
cd ocserv-0.8.1
./configure --prefix=/usr --sysconfdir=/etc
make
make install

# setting up ocserv
certtool --generate-privkey --outfile ca-key.pem 

cat << _EOF_ > ca.tmpl
cn = "Khazad-dum"
organization = "Mines Of Moria"
serial = 1
expiration_days = 3650
ca
signing_key
cert_signing_key
crl_signing_key
_EOF_

certtool --generate-self-signed --load-privkey ca-key.pem --template ca.tmpl --outfile ca-cert.pem

cat << _EOF_ > server.tmpl
cn = "Grand Stair"
organization = "Mines Of Moria"
serial = 2
expiration_days = 3650
signing_key
encryption_key
tls_www_server
_EOF_
certtool --generate-privkey --outfile server-key.pem
certtool --generate-certificate --load-privkey server-key.pem --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem --template server.tmpl --outfile server-cert.pem

# -- USER KEY, not mandatory --
certtool --generate-privkey --outfile user-key.pem 
cat << _EOF_ >user.tmpl 
cn = "Iron Foot" 
unit = "Spawns" 
serial = 1001
expiration_days = 3650 
signing_key 
tls_www_client
_EOF_ 

certtool --generate-certificate --load-privkey user-key.pem --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem --template user.tmpl --outfile user-cert.pem

cat << _EOF_ >crl.tmpl 
crl_next_update = 999 
crl_number = 1 
_EOF_ 

cat user-cert.pem >>revoked.pem 
certtool --generate-crl --load-ca-privkey ca-key.pem --load-ca-certificate ca.pem --load-certificate revoked.pem --template crl.tmpl --outfile crl.pem

certtool --generate-crl --load-ca-privkey ca-key.pem --load-ca-certificate ca.pem --template crl.tmpl --outfile crl.pem

cp ca-cert.pem /etc/ssl/certs
cp ca-key.pem /etc/ssl/private
cp server-cert.pem /etc/ssl/certs
cp server-key.pem /etc/ssl/private

mkdir /etc/ocserv

# Profile generation
cat << _EOF_ > /etc/ocserv/profile.xml
<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/ AnyConnectProfile.xsd">
 
<ClientInitialization>
<AutoUpdate>true</AutoUpdate>
<BypassDownloader>true</BypassDownloader>
<UseStartBeforeLogon>false</UseStartBeforeLogon>
<StrictCertificateTrust>false</StrictCertificateTrust>
<RestrictPreferenceCaching>false</RestrictPreferenceCaching>
<RestrictTunnelProtocols>IPSec</RestrictTunnelProtocols>
<CertEnrollmentPin>pinAllowed</CertEnrollmentPin>
<CertificateMatch>
<KeyUsage>
<MatchKey>Digital_Signature</MatchKey>
</KeyUsage>
<ExtendedKeyUsage>
<ExtendedMatchKey>ClientAuth</ExtendedMatchKey>
</ExtendedKeyUsage>
</CertificateMatch>
</ClientInitialization>
 
<ServerList>
<HostEntry>
<HostName>Khaza-dum</HostName>
<HostAddress>us.qzhou.in</HostAddress>
</HostEntry>
</ServerList>
</AnyConnectProfile>
_EOF_

vim /etc/init.d/ocserv
# put ocserv.init.sh into this file
vim /etc/ocserv/ocserv.conf

chmod +x /etc/init.d/ocserv

update-rc.d ocserv defaults
ufw allow 443
ufw allow 443/udp

echo "*nat" >> /etc/ufw/before.rules
echo ":POSTROUTING ACCEPT [0:0]" >> /etc/ufw/before.rules
echo "-A POSTROUTING -s 10.88.0.0/24 -o eth0 -j MASQUERADE" >> /etc/ufw/before.rules
echo "COMMIT" >> /etc/ufw/before.rules
ufw disable && sudo ufw enable

ocpasswd newuser