
@tracyhatemice
Forked from luginbash/ocsetup.sh
Created June 1, 2016 08:17
Setting up ocserv (an open-source AnyConnect alternative) on a new Debian install; password authentication is used by default.
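# Guard: this file is a step-by-step walkthrough, not an unattended installer.
# Every step below runs as root and changes the firewall, APT sources and
# system trust material, so the guard stops an accidental `bash ocsetup.sh`.
echo "this file isn't supposed to run"
exit 0
# <------------------------------ Environment Variables ------------------------------->
# Replace the placeholders before pasting any later step. A shell assignment
# takes no spaces around '=', and the placeholder is quoted so '<' and '>' are
# not parsed as redirections.
# These values are expanded unescaped into the certtool templates, profile.xml
# and the APT source line below, so keep them to plain host/organisation names.
FQDN="<Server DNS Name>" # can also get from PTR record
ORG_NAME="<Org name>"
RELEASE_NAME=$(lsb_release -sc)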
# <------------------------------ Network Stack Setup ------------------------------->
# Manual prerequisites, to be edited by hand before continuing:
#   /etc/default/ufw      -> DEFAULT_FORWARD_POLICY="ACCEPT"
#   /etc/ufw/sysctl.conf  -> net/ipv4/ip_forward=1
#                            net/ipv6/conf/default/forwarding=1
# NOTE(review): a default-ACCEPT forward policy applies to every interface
# pair on the host, not only to VPN clients; narrower forward rules scoped to
# the VPN subnet would be tighter. Confirm this is acceptable for the host.
#
# Allow path-MTU detection: clamp the MSS of forwarded TCP SYN packets to the
# path MTU so tunnelled connections do not stall on oversized segments.
# NOTE(review): nothing in this script persists this rule, so it presumably
# does not survive a reboot. Confirm and persist it if needed.
iptables --append FORWARD --protocol tcp --tcp-flags SYN,RST SYN --jump TCPMSS --clamp-mss-to-pmtu
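# <--------------------------------- Building --------------------------------------->
# Installs the toolchain and GnuTLS headers, then builds ocserv from source
# and installs it under /usr with its configuration in /etc.
# build-essentials
aptitude -y install build-essential
# newer gnutls req backports
# The mirror is plain http; package integrity rests on APT's signature check
# of the repository metadata, so do not disable that check.
backports_entry="deb http://ftp.debian.org/debian ${RELEASE_NAME}-backports main contrib non-free"
# Append the entry only if it is not already present, so repeating this step
# does not pile up duplicate source lines.
grep -qxF -- "$backports_entry" /etc/apt/sources.list \
  || printf '%s\n' "$backports_entry" | tee -a /etc/apt/sources.list
aptitude update
aptitude -t "${RELEASE_NAME}-backports" -y install libgnutls28-dev
aptitude -y install libgmp3-dev m4 gcc pkg-config make gnutls-bin
aptitude -y install libreadline-dev
# Get OCServ
# The version is pinned to 0.10.1; check upstream for the current release.
wget ftp://ftp.infradead.org/pub/ocserv/ocserv-0.10.1.tar.xz
# SECURITY: plain FTP provides neither integrity nor authenticity, and the
# tarball is compiled and installed as root below. Verify it before unpacking
# against the upstream detached signature or a checksum obtained over a
# trusted channel, e.g.:
#   gpg --verify <DETACHED_SIGNATURE_FILE> ocserv-0.10.1.tar.xz
#   echo "<EXPECTED_SHA256>  ocserv-0.10.1.tar.xz" | sha256sum -c -
tar xvf ocserv-0.10.1.tar.xz
# Stop if the source directory is missing, so configure/make never run in the
# wrong directory.
cd ocserv-0.10.1 || exit 1
# Chain the build so a failed configure or make is never followed by install.
./configure --prefix=/usr --sysconfdir=/etc \
  && make \
  && make install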
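# <------------------------------ Keypair Generation ------------------------------->
# Creates a private CA, a server certificate, an optional client certificate
# and an initial CRL in the current directory, then installs the CA and server
# material under /etc/ssl.
# Certificate Authority
# If you are willing to use your own CA, or intermediate CA for OpenConnect
# just copy & paste keys certs. I recommend this over self-signed CA.
certtool --generate-privkey --outfile ca-key.pem
cat << _EOF_ > ca.tmpl
cn = $FQDN
organization = $ORG_NAME
serial = 1
expiration_days = 3650
ca
signing_key
cert_signing_key
crl_signing_key
_EOF_
certtool --generate-self-signed --load-privkey ca-key.pem --template ca.tmpl --outfile ca-cert.pem
# dns_name adds the host name as a subjectAltName: many TLS clients match the
# server name against the SAN and ignore the CN.
cat << _EOF_ > server.tmpl
cn = $FQDN
dns_name = $FQDN
organization = $ORG_NAME
expiration_days = 3650
signing_key
encryption_key
tls_www_server
_EOF_
certtool --generate-privkey --outfile server-key.pem
certtool --generate-certificate --load-privkey server-key.pem --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem --template server.tmpl --outfile server-cert.pem
# -- USER KEY, not mandatory --
# NOTE(review): the client certificate reuses the server FQDN as its CN. If
# ocserv.conf derives the user name from the certificate (cert-user-oid),
# every client issued from this template would share one identity. Confirm
# and use a per-user CN.
certtool --generate-privkey --outfile user-key.pem
cat << _EOF_ >user.tmpl
cn = $FQDN
unit = $ORG_NAME
serial = 1001
expiration_days = 3650
signing_key
tls_www_client
_EOF_
certtool --generate-certificate --load-privkey user-key.pem --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem --template user.tmpl --outfile user-cert.pem
cat << _EOF_ >crl.tmpl
crl_next_update = 999
crl_number = 1
_EOF_
# Start with an EMPTY revocation list. The original ran the revoking variant
# first and immediately overwrote crl.pem with the empty one, which left the
# freshly issued user certificate sitting in revoked.pem. Both commands also
# pointed at ca.pem, but the CA certificate generated above is ca-cert.pem.
certtool --generate-crl --load-ca-privkey ca-key.pem --load-ca-certificate ca-cert.pem --template crl.tmpl --outfile crl.pem
# To revoke a certificate later, append it to revoked.pem, raise crl_number in
# crl.tmpl and regenerate:
#   cat user-cert.pem >>revoked.pem
#   certtool --generate-crl --load-ca-privkey ca-key.pem --load-ca-certificate ca-cert.pem --load-certificate revoked.pem --template crl.tmpl --outfile crl.pem
# Install with explicit modes instead of relying on the source file mode and
# the current umask: certificates world-readable, private keys owner-only.
install -m 0644 ca-cert.pem /etc/ssl/certs/
# NOTE(review): the server needs only the CA certificate to verify clients;
# keeping the CA private key on the Internet-facing VPN host means a host
# compromise also compromises the CA. Prefer storing ca-key.pem offline.
install -m 0600 ca-key.pem /etc/ssl/private/
install -m 0644 server-cert.pem /etc/ssl/certs/
install -m 0600 server-key.pem /etc/ssl/private/
# -p: do not fail when the directory already exists (e.g. on a repeated run).
mkdir -p /etc/ocserv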
# <------------------------------ OC Server Specific ------------------------------->
# Profile generation
# Writes the AnyConnect client profile to /etc/ocserv/profile.xml; the
# redirection fails if /etc/ocserv does not exist yet.
# The heredoc delimiter is unquoted on purpose: $FQDN is expanded now and is
# inserted into the XML unescaped, so it must not contain XML metacharacters.
# NOTE(review): StrictCertificateTrust is false, which presumably lets a user
# accept a gateway certificate the client cannot verify. Once clients trust
# the CA certificate generated for this server, consider setting it to true.
cat << _EOF_ > /etc/ocserv/profile.xml
<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/ AnyConnectProfile.xsd">
<ClientInitialization>
<AutoUpdate>true</AutoUpdate>
<BypassDownloader>true</BypassDownloader>
<UseStartBeforeLogon>false</UseStartBeforeLogon>
<StrictCertificateTrust>false</StrictCertificateTrust>
<RestrictPreferenceCaching>false</RestrictPreferenceCaching>
<RestrictTunnelProtocols>IPSec</RestrictTunnelProtocols>
<CertEnrollmentPin>pinAllowed</CertEnrollmentPin>
<CertificateMatch>
<KeyUsage>
<MatchKey>Digital_Signature</MatchKey>
</KeyUsage>
<ExtendedKeyUsage>
<ExtendedMatchKey>ClientAuth</ExtendedMatchKey>
</ExtendedKeyUsage>
</CertificateMatch>
</ClientInitialization>
<ServerList>
<HostEntry>
<HostName>$FQDN</HostName>
<HostAddress>$FQDN</HostAddress>
</HostEntry>
</ServerList>
</AnyConnectProfile>
_EOF_
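# Install the SysV init script for ocserv.
# The heredoc delimiter is QUOTED so the payload is written verbatim. With an
# unquoted delimiter the setup shell would expand $1, $0, $PIDFILE, $DAEMON,
# $remote_fs and friends to its own (mostly empty) values and would execute
# the backtick commands while generating the file, leaving a broken init
# script in /etc/init.d that init later runs as root.
cat << '_EOF_' > /etc/init.d/ocserv
#!/bin/sh
### BEGIN INIT INFO
# Provides: ocserv
# Required-Start: $remote_fs $syslog
# Required-Stop: $remote_fs $syslog
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
### END INIT INFO
# Copyright Rene Mayrhofer, Gibraltar, 1999
# This script is distibuted under the GPL
PATH=/bin:/usr/bin:/sbin:/usr/sbin
DAEMON=/usr/sbin/ocserv
PIDFILE=/var/run/ocserv.pid
DAEMON_ARGS="-c /etc/ocserv/ocserv.conf"
case "$1" in
start)
if [ ! -r $PIDFILE ]; then
echo -n "Starting OpenConnect VPN Server Daemon: "
start-stop-daemon --start --quiet --pidfile $PIDFILE --exec $DAEMON -- \
$DAEMON_ARGS > /dev/null
echo "ocserv."
else
echo -n "OpenConnect VPN Server is already running.\n\r"
exit 0
fi
;;
stop)
echo -n "Stopping OpenConnect VPN Server Daemon: "
start-stop-daemon --stop --quiet --pidfile $PIDFILE --exec $DAEMON
echo "ocserv."
rm -f $PIDFILE
;;
force-reload|restart)
echo "Restarting OpenConnect VPN Server: "
$0 stop
sleep 1
$0 start
;;
status)
if [ ! -r $PIDFILE ]; then
# no pid file, process doesn't seem to be running correctly
exit 3
fi
PID=`cat $PIDFILE | sed 's/ //g'`
EXE=/proc/$PID/exe
if [ -x "$EXE" ] &&
[ "`ls -l \"$EXE\" | cut -d'>' -f2,2 | cut -d' ' -f2,2`" = \
"$DAEMON" ]; then
# ok, process seems to be running
exit 0
elif [ -r $PIDFILE ]; then
# process not running, but pidfile exists
exit 1
else
# no lock file to check for, so simply return the stopped status
exit 3
fi
;;
*)
echo "Usage: /etc/init.d/ocserv {start|stop|restart|force-reload|status}"
exit 1
;;
esac
exit 0
_EOF_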
# Final wiring: server config, init registration, firewall and first user.
# Write the server configuration by hand (opens an interactive editor).
vim /etc/ocserv/ocserv.conf
# Make the init script executable and register it for the default runlevels.
chmod +x /etc/init.d/ocserv
update-rc.d ocserv defaults
# Open the VPN port. A rule without a protocol presumably already covers both
# TCP and UDP; the UDP rule is kept as in the original.
ufw allow 443
ufw allow 443/udp
# Append a NAT table to ufw's before.rules so VPN client traffic is
# masqueraded on the way out. The block is appended on every run, so a repeat
# adds a second *nat section; check the file before re-running.
######
# Change NAT IP/subnet HERE accordingly to your ocserv.conf configs
# (10.88.0.0/24 and the eth0 uplink are hard-coded in the rule below).
#####
cat >> /etc/ufw/before.rules << '_EOF_'
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.88.0.0/24 -o eth0 -j MASQUERADE
COMMIT
_EOF_
# Reload ufw so the new rules take effect.
# NOTE(review): this script adds no rule for SSH; when working over a remote
# session, confirm management access is allowed before enabling the firewall.
ufw disable && sudo ufw enable
# Create the first password-authenticated VPN user (prompts for the password).
ocpasswd newuser