@shahinism
Last active June 22, 2021 08:13
How to install ocserv (OpenConnect server, aka the free version of Cisco's AnyConnect) on Ubuntu 16.04
echo "This gist is not meant to be executed directly"
exit 0
# Edit `/etc/default/ufw` and set:
# DEFAULT_FORWARD_POLICY="ACCEPT"
# Then restart ufw
systemctl restart ufw
# Install ocserv from the command line
apt install ocserv
# The command above will try to start the preconfigured daemon on port 443.
# If you already use port 443 (e.g. for an HTTPS website), you have to change it.
# As reported in https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=837944,
# changing the `tcp-port`/`udp-port` values in ocserv.conf alone does not fix the
# failure, because the unit is socket-activated. To change the daemon port, edit
# `/lib/systemd/system/ocserv.socket` and set the following values:
# [Socket]
# ListenStream=4443
# ListenDatagram=4443
# And finally run: `systemctl daemon-reload`
# Generate the password file (/etc/ocserv/ocpasswd) with a first user
ocpasswd A_USER_NAME
# Create certificates: a private CA first, then a server certificate signed by it.
# "fff" is a placeholder; put your own organization name there.
cat << _EOF_ > ca.tmpl
cn = "fff"
organization = "fff"
serial = 1
expiration_days = 3650
ca
signing_key
cert_signing_key
crl_signing_key
_EOF_
certtool --generate-privkey --outfile ca-key.pem
certtool --generate-self-signed --load-privkey ca-key.pem --template ca.tmpl --outfile ca-cert.pem
# The cn must be the name or IP address clients connect to, otherwise they get a name mismatch error.
cat << _EOF_ > server.tmpl
cn = "YOUR DNS OR VPS IP ADDRESS"
organization = "fff"
expiration_days = 3650
signing_key
encryption_key
tls_www_server
_EOF_
certtool --generate-privkey --outfile server-key.pem
certtool --generate-certificate --load-privkey server-key.pem --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem --template server.tmpl --outfile server-cert.pem
# Copy the certificates to where the config below expects them. Keep ca-key.pem out of
# /etc/ocserv (the daemon does not need it) and make sure server-key.pem is readable by root only.
cp ca-cert.pem server-cert.pem server-key.pem /etc/ocserv/
# EDIT /etc/ocserv/ocserv.conf as follows:
auth = "plain[passwd=/etc/ocserv/ocpasswd]"
server-cert = /etc/ocserv/server-cert.pem
server-key = /etc/ocserv/server-key.pem
ca-cert = /etc/ocserv/ca-cert.pem
# Use the same port you set in ocserv.socket if you changed it above
tcp-port = 443
udp-port = 443
dns = 8.8.8.8
dns = 8.8.4.4
# Comment out all route fields so that clients send all their traffic through the VPN
#route = 10.10.10.0/255.255.255.0
#route = 192.168.0.0/255.255.0.0
#route = fef4:db8:1000:1001::/64
#no-route = 192.168.5.0/255.255.255.0
try-mtu-discovery = true
cisco-client-compat = true
###################### END EDIT CONFIG
# EDIT /etc/sysctl.conf as follows:
net.ipv4.ip_forward=1
###################### END EDIT /etc/sysctl.conf
# Apply changes to sysctl
sysctl -p /etc/sysctl.conf
# Configure iptables (these rules are not persistent across reboots)
iptables -t filter -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
iptables -t filter -A INPUT -p udp -m udp --dport 443 -j ACCEPT
# Masquerade VPN traffic leaving the server. This rule NATs everything; restricting it to the
# VPN subnet and the egress interface (-s <vpn-network> -o <interface>) is safer.
iptables -t nat -A POSTROUTING -j MASQUERADE
# To test everything in a debug run, start the ocserv binary in the foreground with `-f -d 1`
# (foreground, debug level 1). Otherwise start it as a daemon:
systemctl start ocserv
# Copy ca-cert.pem to your client to prevent the certificate authority error.
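Added here as an example, not part of the gist: a small POSIX sh checker for the hand edits above. It parses `key = value` lines from an ocserv.conf and the `ListenStream=` line of ocserv.socket and reports the inconsistencies (missing keys, active route lines, a port that differs from the socket unit) that would otherwise only show up when the daemon fails to start or clients do not get a full tunnel. The function names and the sample files written by `write_samples` are my own constructions.

```shell
# Added example (not part of the gist): consistency checks for the settings the
# gist edits by hand, the ocserv.conf keys and the port in ocserv.socket.
# Print the value of the last active (uncommented) KEY in FILE; empty if absent.
conf_get() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }
        { line = $0; sub(/#.*$/, "", line); n = index(line, "=")
          if (n == 0) next
          k = substr(line, 1, n - 1); v = substr(line, n + 1)
          gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
          gsub(/^"|"$/, "", v)
          if (k == key) val = v }
        END { print val }' "$1"
}
# Number of active route/no-route lines (the gist comments them all out).
active_routes() { grep -Ec '^[[:space:]]*(no-)?route[[:space:]]*=' "$1" || true; }

# Return 0 when CONF and the SOCKET unit agree with the gist, 1 otherwise; findings on stderr.
check_ocserv() {
    conf="$1"; sock="$2"; rc=0
    for key in auth server-cert server-key ca-cert tcp-port udp-port; do
        [ -n "$(conf_get "$conf" "$key")" ] || { echo "missing key: $key" >&2; rc=1; }
    done
    case "$(conf_get "$conf" auth)" in
        "plain[passwd="*"]") ;;
        *) echo "auth is not plain[passwd=...]" >&2; rc=1 ;;
    esac
    [ "$(conf_get "$conf" cisco-client-compat)" = "true" ] \
        || { echo "cisco-client-compat is not true" >&2; rc=1; }
    [ "$(active_routes "$conf")" -eq 0 ] \
        || { echo "active route lines: clients will not be full-tunnel" >&2; rc=1; }
    # ocserv is socket-activated, so the port in the unit must match tcp-port
    sport="$(conf_get "$sock" ListenStream)"
    [ "$sport" = "$(conf_get "$conf" tcp-port)" ] \
        || { echo "ocserv.socket ListenStream=$sport != tcp-port" >&2; rc=1; }
    return "$rc"
}

# Constructed sample files under DIR (a scratch directory, not the real /etc paths).
write_samples() {
    dir="$1"
    printf '%s\n' 'auth = "plain[passwd=/etc/ocserv/ocpasswd]"' \
        'server-cert = /etc/ocserv/server-cert.pem' 'server-key = /etc/ocserv/server-key.pem' \
        'ca-cert = /etc/ocserv/ca-cert.pem' 'tcp-port = 4443' 'udp-port = 4443' \
        '#route = 10.10.10.0/255.255.255.0' 'cisco-client-compat = true' > "$dir/good.conf"
    sed 's/^#route/route/; s/4443/443/' "$dir/good.conf" > "$dir/bad.conf"
    printf '[Socket]\nListenStream=4443\nListenDatagram=4443\n' > "$dir/ocserv.socket"
}
```

On a real server call `check_ocserv /etc/ocserv/ocserv.conf /lib/systemd/system/ocserv.socket` before `systemctl daemon-reload` and `systemctl start ocserv`.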
@SquirrelCoder

Unfortunately I get an error when I enter the command: make check

In file included from ../src/main.h:30:0,
                 from ../src/str.c:30,
                 from str-test.c:25:
../src/ipc.pb-c.h:7:35: fatal error: protobuf-c/protobuf-c.h: No such file or directory
 #include <protobuf-c/protobuf-c.h>
                                   ^
compilation terminated.
make[3]: *** [str-test.o] Error 1
make[3]: Leaving directory `/home/username/ocserv-0.10.10/tests'
make[2]: *** [check-am] Error 2
make[2]: Leaving directory `/home/username/ocserv-0.10.10/tests'
make[1]: *** [check-recursive] Error 1
make[1]: Leaving directory `/home/username/ocserv-0.10.10/tests'
make: *** [check-recursive] Error 1
