fix ocserv.conf

ocserv/Dockerfile

@@ -53,15 +53,15 @@ RUN set -xe \
     && mkdir -p /etc/ocserv/certs \
     && cp ./doc/sample.config /etc/ocserv/ocserv.conf \
     && cp ./doc/profile.xml /etc/ocserv/profile.xml \
-    && sed -i -e 's@^#user-profile = /path/to/file.xml@user-profile = /etc/ocserv/profile.xml@' \
+    && sed -i -e 's@^#user-profile = /path/to/file.xml@#user-profile = /etc/ocserv/profile.xml@' \
               -e 's@../tests/@/etc/ocserv/certs/@' \
               -e 's@certs/ca.pem@certs/ca-cert.pem@' \
               -e 's@./sample.passwd@/etc/ocserv/ocpasswd@' \
               -e 's@^#enable-auth = "certificate"$@enable-auth = "certificate"@' \
               -e 's@^try-mtu-discovery = false$@try-mtu-discovery = true@' \
               -e 's@^dns =.*$@dns = 8.8.8.8@' \
+              -e 's@^default-domain@#&@' \
               -e 's@^route@#&@' \
-              -e 's@^no-route =.*$@no-route = 192.168.0.0/255.255.0.0@' \
               /etc/ocserv/ocserv.conf \
     && cd .. \
     && apt-get purge --auto-remove -y autogen \
@@ -93,6 +93,8 @@ VOLUME /etc/ocserv
 ENV VPN_DOMAIN=vpn.easypi.info \
     VPN_NETWORK=10.20.30.0     \
     VPN_NETMASK=255.255.255.0  \
+    LAN_NETWORK=192.168.0.0    \
+    LAN_NETMASK=255.255.0.0    \
     VPN_USERNAME=username      \
     VPN_PASSWORD=password
 

ocserv/README.md

@@ -18,6 +18,8 @@ ocserv:
     - VPN_DOMAIN=vpn.easypi.info
     - VPN_NETWORK=10.20.30.0
     - VPN_NETMASK=255.255.255.0
+    - LAN_NETWORK=192.168.0.0
+    - LAN_NETMASK=255.255.0.0
     - VPN_USERNAME=username
     - VPN_PASSWORD=password
   cap_add:
@@ -36,15 +38,28 @@ ocserv:
 $ docker-compose up -d
 $ docker-compose exec ocserv bash
 >>> cd /etc/ocserv/
->>> ocpasswd -c /etc/ocserv/ocpasswd username
+>>> echo 'no-route = 1.2.3.4/32' >> ocserv.conf
+>>> ocpasswd -c ocpasswd username
     Enter password: ******
     Re-enter password: ******
 >>> exit
+$ docker-compose restart
 $ docker cp ocserv_ocserv_1:/etc/ocserv/certs/client.p12 .
 $ docker cp ocserv_ocserv_1:/etc/ocserv/certs/server-cert.pem .
 $ docker-compose logs -f
 ```
 
+To remove the password protection of `client.p12`:
+
+```bash
+mv client.p12 client.p12.orig
+openssl pkcs12 -in client.p12.orig -nodes -out tmp.pem
+openssl pkcs12 -export -in tmp.pem -out client.p12 -passout pass:
+rm tmp.pem
+```
+
+> :warning: Apple's Keychain Access will refuse to open it with no passphrase.
+
 ## mobile client
 
 There are two auth types:
@@ -62,7 +77,7 @@ AnyConnect ->
             File System: client.p12
 ```
 
-> :question: Android client show warning dialog: `Certificate is not yet valid.`
+> :question: Android client show warning dialog: `Certificate is not yet valid.` ([WHY?][4])
 
 ## desktop client
 
@@ -74,3 +89,4 @@ AnyConnect ->
 [1]: http://www.infradead.org/ocserv/
 [2]: http://www.gnutls.org/manual/html_node/certtool-Invocation.html
 [3]: http://www.infradead.org/ocserv/manual.html
+[4]: http://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect31/release/notes/anyconnect31rn.html

ocserv/docker-compose.yml

@@ -7,6 +7,8 @@ ocserv:
     - VPN_DOMAIN=vpn.easypi.info
     - VPN_NETWORK=10.20.30.0
     - VPN_NETMASK=255.255.255.0
+    - LAN_NETWORK=192.168.0.0
+    - LAN_NETMASK=255.255.0.0
     - VPN_USERNAME=username
     - VPN_PASSWORD=password
   cap_add:

ocserv/init.sh

@@ -86,6 +86,7 @@ certtool --to-p12 \
          --password "${VPN_PASSWORD}"
 
 sed -i -e "s@^ipv4-network =.*@ipv4-network = ${VPN_NETWORK}@" \
-       -e "s@^ipv4-netmask =.*@ipv4-netmask = ${VPN_NETMASK}@" /etc/ocserv/ocserv.conf
+       -e "s@^ipv4-netmask =.*@ipv4-netmask = ${VPN_NETMASK}@" \
+       -e 's@^no-route =.*$@no-route = ${LAN_NETWORK}/${LAN_NETMASK}@' /etc/ocserv/ocserv.conf
 
 echo "${VPN_PASSWORD}" | ocpasswd -c /etc/ocserv/ocpasswd "${VPN_USERNAME}"