
fix ocserv.conf

This commit is contained in:
kev 2016-06-30 00:03:46 +08:00
parent 6841473d27
commit b94a0b75e1
4 changed files with 26 additions and 5 deletions

@ -53,15 +53,15 @@ RUN set -xe \
&& mkdir -p /etc/ocserv/certs \
&& cp ./doc/sample.config /etc/ocserv/ocserv.conf \
&& cp ./doc/profile.xml /etc/ocserv/profile.xml \
&& sed -i -e 's@^#user-profile = /path/to/file.xml@user-profile = /etc/ocserv/profile.xml@' \
&& sed -i -e 's@^#user-profile = /path/to/file.xml@#user-profile = /etc/ocserv/profile.xml@' \
-e 's@../tests/@/etc/ocserv/certs/@' \
-e 's@certs/ca.pem@certs/ca-cert.pem@' \
-e 's@./sample.passwd@/etc/ocserv/ocpasswd@' \
-e 's@^#enable-auth = "certificate"$@enable-auth = "certificate"@' \
-e 's@^try-mtu-discovery = false$@try-mtu-discovery = true@' \
-e 's@^dns =.*$@dns = 8.8.8.8@' \
-e 's@^default-domain@#&@' \
-e 's@^route@#&@' \
-e 's@^no-route =.*$@no-route = 192.168.0.0/255.255.0.0@' \
/etc/ocserv/ocserv.conf \
&& cd .. \
&& apt-get purge --auto-remove -y autogen \
@ -93,6 +93,8 @@ VOLUME /etc/ocserv
ENV VPN_DOMAIN=vpn.easypi.info \
VPN_NETWORK=10.20.30.0 \
VPN_NETMASK=255.255.255.0 \
LAN_NETWORK=192.168.0.0 \
LAN_NETMASK=255.255.0.0 \
VPN_USERNAME=username \
VPN_PASSWORD=password
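Review bot: The new `LAN_NETWORK`/`LAN_NETMASK` defaults carry no explanation of what they control, while the build step above already bakes the same value into ocserv.conf as `no-route = 192.168.0.0/255.255.0.0`, so a reader now has two places that must agree and no hint which one wins at container start. Since ocserv's `no-route` excludes that prefix from the tunnel (split tunneling), this default means client traffic to 192.168/16 never enters the VPN — including any VPN-side resource that happens to live in that range. I'd document that next to the ENV block: `# LAN_NETWORK/LAN_NETMASK become ocserv's no-route (split tunnel): client traffic to this range bypasses the VPN; override if the VPN side also uses 192.168/16.` The entrypoint that consumes these variables is outside this section.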

@ -18,6 +18,8 @@ ocserv:
- VPN_DOMAIN=vpn.easypi.info
- VPN_NETWORK=10.20.30.0
- VPN_NETMASK=255.255.255.0
- LAN_NETWORK=192.168.0.0
- LAN_NETMASK=255.255.0.0
- VPN_USERNAME=username
- VPN_PASSWORD=password
cap_add:
@ -36,15 +38,28 @@ ocserv:
$ docker-compose up -d
$ docker-compose exec ocserv bash
>>> cd /etc/ocserv/
>>> ocpasswd -c /etc/ocserv/ocpasswd username
>>> echo 'no-route = 1.2.3.4/32' >> ocserv.conf
>>> ocpasswd -c ocpasswd username
Enter password: ******
Re-enter password: ******
>>> exit
$ docker-compose restart
$ docker cp ocserv_ocserv_1:/etc/ocserv/certs/client.p12 .
$ docker cp ocserv_ocserv_1:/etc/ocserv/certs/server-cert.pem .
$ docker-compose logs -f
```
To remove the password protection of `client.p12`:
```bash
mv client.p12 client.p12.orig
openssl pkcs12 -in client.p12.orig -nodes -out tmp.pem
openssl pkcs12 -export -in tmp.pem -out client.p12 -passout pass:
rm tmp.pem
```
> :warning: Apple's Keychain Access will refuse to open it with no passphrase.
## mobile client
There are two auth types:
@ -62,7 +77,7 @@ AnyConnect ->
File System: client.p12
```
> :question: Android client show warning dialog: `Certificate is not yet valid.`
> :question: Android client show warning dialog: `Certificate is not yet valid.` ([WHY?][4])
## desktop client
@ -74,3 +89,4 @@ AnyConnect ->
[1]: http://www.infradead.org/ocserv/
[2]: http://www.gnutls.org/manual/html_node/certtool-Invocation.html
[3]: http://www.infradead.org/ocserv/manual.html
[4]: http://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect31/release/notes/anyconnect31rn.html

@ -7,6 +7,8 @@ ocserv:
- VPN_DOMAIN=vpn.easypi.info
- VPN_NETWORK=10.20.30.0
- VPN_NETMASK=255.255.255.0
- LAN_NETWORK=192.168.0.0
- LAN_NETMASK=255.255.0.0
- VPN_USERNAME=username
- VPN_PASSWORD=password
cap_add:

@ -86,6 +86,7 @@ certtool --to-p12 \
--password "${VPN_PASSWORD}"
sed -i -e "s@^ipv4-network =.*@ipv4-network = ${VPN_NETWORK}@" \
-e "s@^ipv4-netmask =.*@ipv4-netmask = ${VPN_NETMASK}@" /etc/ocserv/ocserv.conf
-e "s@^ipv4-netmask =.*@ipv4-netmask = ${VPN_NETMASK}@" \
-e 's@^no-route =.*$@no-route = ${LAN_NETWORK}/${LAN_NETMASK}@' /etc/ocserv/ocserv.conf
echo "${VPN_PASSWORD}" | ocpasswd -c /etc/ocserv/ocpasswd "${VPN_USERNAME}"
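Review bot: The added `no-route` expression is single-quoted, so `${LAN_NETWORK}` and `${LAN_NETMASK}` are never expanded by the shell and ocserv.conf ends up with the literal text `no-route = ${LAN_NETWORK}/${LAN_NETMASK}`, overwriting the working default the Dockerfile baked in; the sibling `ipv4-network`/`ipv4-netmask` expressions on the lines above are double-quoted for exactly this reason. Switching to double quotes is not enough on its own, because `.*$@` inside double quotes makes the shell expand `$@` as the positional parameters, so the `$` anchor must also go (the sibling expressions omit it). The line should read `-e "s@^no-route =.*@no-route = ${LAN_NETWORK}/${LAN_NETMASK}@" /etc/ocserv/ocserv.conf`. How ocserv treats the malformed value is not visible here, but either way the intended LAN exclusion is lost; the hunk's trailing context may extend past the visible lines.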