diff --git a/ocserv/Dockerfile b/ocserv/Dockerfile
index f8cda6d..f65f0ce 100644
--- a/ocserv/Dockerfile
+++ b/ocserv/Dockerfile
@@ -53,15 +53,15 @@ RUN set -xe \
 && mkdir -p /etc/ocserv/certs \
 && cp ./doc/sample.config /etc/ocserv/ocserv.conf \
 && cp ./doc/profile.xml /etc/ocserv/profile.xml \
- && sed -i -e 's@^#user-profile = /path/to/file.xml@user-profile = /etc/ocserv/profile.xml@' \
+ && sed -i -e 's@^#user-profile = /path/to/file.xml@#user-profile = /etc/ocserv/profile.xml@' \
 -e 's@../tests/@/etc/ocserv/certs/@' \
 -e 's@certs/ca.pem@certs/ca-cert.pem@' \
 -e 's@./sample.passwd@/etc/ocserv/ocpasswd@' \
 -e 's@^#enable-auth = "certificate"$@enable-auth = "certificate"@' \
 -e 's@^try-mtu-discovery = false$@try-mtu-discovery = true@' \
 -e 's@^dns =.*$@dns = 8.8.8.8@' \
+ -e 's@^default-domain@#&@' \
 -e 's@^route@#&@' \
- -e 's@^no-route =.*$@no-route = 192.168.0.0/255.255.0.0@' \
 /etc/ocserv/ocserv.conf \
 && cd .. \
 && apt-get purge --auto-remove -y autogen \
@@ -93,6 +93,8 @@ VOLUME /etc/ocserv
 ENV VPN_DOMAIN=vpn.easypi.info \
 VPN_NETWORK=10.20.30.0 \
 VPN_NETMASK=255.255.255.0 \
+ LAN_NETWORK=192.168.0.0 \
+ LAN_NETMASK=255.255.0.0 \
 VPN_USERNAME=username \
 VPN_PASSWORD=password
 
diff --git a/ocserv/README.md b/ocserv/README.md
index b658afa..0a1710d 100644
--- a/ocserv/README.md
+++ b/ocserv/README.md
@@ -18,6 +18,8 @@ ocserv:
 - VPN_DOMAIN=vpn.easypi.info
 - VPN_NETWORK=10.20.30.0
 - VPN_NETMASK=255.255.255.0
+ - LAN_NETWORK=192.168.0.0
+ - LAN_NETMASK=255.255.0.0
 - VPN_USERNAME=username
 - VPN_PASSWORD=password
 cap_add:
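Review bot: After this change `profile.xml` is still copied into `/etc/ocserv/` on the third context line, but the rewritten `user-profile` substitution now keeps that directive commented out, so nothing in the image references the file unless an operator uncomments it, and the intent is recorded nowhere. A comment on the `cp ./doc/profile.xml` step such as `# shipped but disabled: uncomment user-profile in ocserv.conf to enable it` would stop the next reader from deleting one half or the other. The same hunk comments out `default-domain` without saying why; if it is meant to be supplied at runtime from `VPN_DOMAIN`, that belongs in the same comment, though init.sh is only partly visible here to confirm it. The enclosing `RUN set -xe` block starts before the hunk.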
@@ -36,15 +38,28 @@ ocserv:
 $ docker-compose up -d
 $ docker-compose exec ocserv bash
 >>> cd /etc/ocserv/
->>> ocpasswd -c /etc/ocserv/ocpasswd username
+>>> echo 'no-route = 1.2.3.4/32' >> ocserv.conf
+>>> ocpasswd -c ocpasswd username
 Enter password: ******
 Re-enter password: ******
 >>> exit
+$ docker-compose restart
 $ docker cp ocserv_ocserv_1:/etc/ocserv/certs/client.p12 .
 $ docker cp ocserv_ocserv_1:/etc/ocserv/certs/server-cert.pem .
 $ docker-compose logs -f
 ```
 
+To remove the password protection of `client.p12`:
+
+```bash
+mv client.p12 client.p12.orig
+openssl pkcs12 -in client.p12.orig -nodes -out tmp.pem
+openssl pkcs12 -export -in tmp.pem -out client.p12 -passout pass:
+rm tmp.pem
+```
+
+> :warning: Apple's Keychain Access will refuse to open it with no passphrase.
+
 ## mobile client
 
 There are two auth types:
@@ -62,7 +77,7 @@ AnyConnect ->
 File System: client.p12
 ```
 
-> :question: Android client show warning dialog: `Certificate is not yet valid.`
+> :question: Android client show warning dialog: `Certificate is not yet valid.` ([WHY?][4])
 
 ## desktop client
 
@@ -74,3 +89,4 @@ AnyConnect ->
 [1]: http://www.infradead.org/ocserv/
 [2]: http://www.gnutls.org/manual/html_node/certtool-Invocation.html
 [3]: http://www.infradead.org/ocserv/manual.html
+[4]: http://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect31/release/notes/anyconnect31rn.html
diff --git a/ocserv/docker-compose.yml b/ocserv/docker-compose.yml
index 6b00f9b..d0ce9f5 100644
--- a/ocserv/docker-compose.yml
+++ b/ocserv/docker-compose.yml
@@ -7,6 +7,8 @@ ocserv:
 - VPN_DOMAIN=vpn.easypi.info
 - VPN_NETWORK=10.20.30.0
 - VPN_NETMASK=255.255.255.0
+ - LAN_NETWORK=192.168.0.0
+ - LAN_NETMASK=255.255.0.0
 - VPN_USERNAME=username
 - VPN_PASSWORD=password
 cap_add:
diff --git a/ocserv/init.sh b/ocserv/init.sh
index 028018f..183b3c5 100755
--- a/ocserv/init.sh
+++ b/ocserv/init.sh
@@ -86,6 +86,7 @@ certtool --to-p12 \
 --password "${VPN_PASSWORD}"
 
 sed -i -e "s@^ipv4-network =.*@ipv4-network = ${VPN_NETWORK}@" \
- -e "s@^ipv4-netmask =.*@ipv4-netmask = ${VPN_NETMASK}@" /etc/ocserv/ocserv.conf
+ -e "s@^ipv4-netmask =.*@ipv4-netmask = ${VPN_NETMASK}@" \
+ -e 's@^no-route =.*$@no-route = ${LAN_NETWORK}/${LAN_NETMASK}@' /etc/ocserv/ocserv.conf
 
 echo "${VPN_PASSWORD}" | ocpasswd -c /etc/ocserv/ocpasswd "${VPN_USERNAME}"
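Review bot: The new `no-route` expression is single-quoted, so `${LAN_NETWORK}` and `${LAN_NETMASK}` are never expanded and the literal text `no-route = ${LAN_NETWORK}/${LAN_NETMASK}` is written into ocserv.conf, while the two expressions above it use double quotes precisely so the variables expand. Switching to double quotes alone is not enough, because `$@` inside the anchor `.*$@no-route` would then expand to the positional parameters; drop the `$` anchor to match the sibling expressions: `-e "s@^no-route =.*@no-route = ${LAN_NETWORK}/${LAN_NETMASK}@" /etc/ocserv/ocserv.conf`. Since these values arrive from the environment and land inside a sed expression delimited by `@`, a value containing `@` or a newline would silently corrupt the config; a shape check before the sed, such as `[[ "${LAN_NETWORK}/${LAN_NETMASK}" =~ ^[0-9.]+/[0-9.]+$ ]] || exit 1`, catches that at startup. The same applies to `VPN_NETWORK` and `VPN_NETMASK`, which the commit leaves as they were.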