fix ocserv.conf
This commit is contained in:
parent
6841473d27
commit
b94a0b75e1
@ -53,15 +53,15 @@ RUN set -xe \
|
|||||||
&& mkdir -p /etc/ocserv/certs \
|
&& mkdir -p /etc/ocserv/certs \
|
||||||
&& cp ./doc/sample.config /etc/ocserv/ocserv.conf \
|
&& cp ./doc/sample.config /etc/ocserv/ocserv.conf \
|
||||||
&& cp ./doc/profile.xml /etc/ocserv/profile.xml \
|
&& cp ./doc/profile.xml /etc/ocserv/profile.xml \
|
||||||
&& sed -i -e 's@^#user-profile = /path/to/file.xml@user-profile = /etc/ocserv/profile.xml@' \
|
&& sed -i -e 's@^#user-profile = /path/to/file.xml@#user-profile = /etc/ocserv/profile.xml@' \
|
||||||
-e 's@../tests/@/etc/ocserv/certs/@' \
|
-e 's@../tests/@/etc/ocserv/certs/@' \
|
||||||
-e 's@certs/ca.pem@certs/ca-cert.pem@' \
|
-e 's@certs/ca.pem@certs/ca-cert.pem@' \
|
||||||
-e 's@./sample.passwd@/etc/ocserv/ocpasswd@' \
|
-e 's@./sample.passwd@/etc/ocserv/ocpasswd@' \
|
||||||
-e 's@^#enable-auth = "certificate"$@enable-auth = "certificate"@' \
|
-e 's@^#enable-auth = "certificate"$@enable-auth = "certificate"@' \
|
||||||
-e 's@^try-mtu-discovery = false$@try-mtu-discovery = true@' \
|
-e 's@^try-mtu-discovery = false$@try-mtu-discovery = true@' \
|
||||||
-e 's@^dns =.*$@dns = 8.8.8.8@' \
|
-e 's@^dns =.*$@dns = 8.8.8.8@' \
|
||||||
|
-e 's@^default-domain@#&@' \
|
||||||
-e 's@^route@#&@' \
|
-e 's@^route@#&@' \
|
||||||
-e 's@^no-route =.*$@no-route = 192.168.0.0/255.255.0.0@' \
|
|
||||||
/etc/ocserv/ocserv.conf \
|
/etc/ocserv/ocserv.conf \
|
||||||
&& cd .. \
|
&& cd .. \
|
||||||
&& apt-get purge --auto-remove -y autogen \
|
&& apt-get purge --auto-remove -y autogen \
|
||||||
@ -93,6 +93,8 @@ VOLUME /etc/ocserv
|
|||||||
ENV VPN_DOMAIN=vpn.easypi.info \
|
ENV VPN_DOMAIN=vpn.easypi.info \
|
||||||
VPN_NETWORK=10.20.30.0 \
|
VPN_NETWORK=10.20.30.0 \
|
||||||
VPN_NETMASK=255.255.255.0 \
|
VPN_NETMASK=255.255.255.0 \
|
||||||
|
LAN_NETWORK=192.168.0.0 \
|
||||||
|
LAN_NETMASK=255.255.0.0 \
|
||||||
VPN_USERNAME=username \
|
VPN_USERNAME=username \
|
||||||
VPN_PASSWORD=password
|
VPN_PASSWORD=password
|
||||||
|
|
||||||
|
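Review bot: The rewritten user-profile substitution in the RUN recipe now maps `#user-profile = /path/to/file.xml` to `#user-profile = /etc/ocserv/profile.xml`, so the key stays commented out and the profile.xml copied two lines earlier is never referenced by the generated ocserv.conf. If keeping the profile disabled is the intent of this fix, a comment on that sed expression such as `# user-profile stays commented on purpose; only the path is rewritten so it can be enabled by hand` would stop the next reader from removing the leading `#` again; if it is not the intent, the `#` in the replacement side is the defect. The same recipe also drops the baked-in `no-route` line in favour of the entrypoint's runtime substitution, which presumably relies on the sample config carrying an uncommented `no-route =` key — worth confirming against doc/sample.config. The RUN instruction starts and ends outside this hunk.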
@ -18,6 +18,8 @@ ocserv:
|
|||||||
- VPN_DOMAIN=vpn.easypi.info
|
- VPN_DOMAIN=vpn.easypi.info
|
||||||
- VPN_NETWORK=10.20.30.0
|
- VPN_NETWORK=10.20.30.0
|
||||||
- VPN_NETMASK=255.255.255.0
|
- VPN_NETMASK=255.255.255.0
|
||||||
|
- LAN_NETWORK=192.168.0.0
|
||||||
|
- LAN_NETMASK=255.255.0.0
|
||||||
- VPN_USERNAME=username
|
- VPN_USERNAME=username
|
||||||
- VPN_PASSWORD=password
|
- VPN_PASSWORD=password
|
||||||
cap_add:
|
cap_add:
|
||||||
@ -36,15 +38,28 @@ ocserv:
|
|||||||
$ docker-compose up -d
|
$ docker-compose up -d
|
||||||
$ docker-compose exec ocserv bash
|
$ docker-compose exec ocserv bash
|
||||||
>>> cd /etc/ocserv/
|
>>> cd /etc/ocserv/
|
||||||
>>> ocpasswd -c /etc/ocserv/ocpasswd username
|
>>> echo 'no-route = 1.2.3.4/32' >> ocserv.conf
|
||||||
|
>>> ocpasswd -c ocpasswd username
|
||||||
Enter password: ******
|
Enter password: ******
|
||||||
Re-enter password: ******
|
Re-enter password: ******
|
||||||
>>> exit
|
>>> exit
|
||||||
|
$ docker-compose restart
|
||||||
$ docker cp ocserv_ocserv_1:/etc/ocserv/certs/client.p12 .
|
$ docker cp ocserv_ocserv_1:/etc/ocserv/certs/client.p12 .
|
||||||
$ docker cp ocserv_ocserv_1:/etc/ocserv/certs/server-cert.pem .
|
$ docker cp ocserv_ocserv_1:/etc/ocserv/certs/server-cert.pem .
|
||||||
$ docker-compose logs -f
|
$ docker-compose logs -f
|
||||||
```
|
```
|
||||||
|
|
||||||
|
To remove the password protection of `client.p12`:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
mv client.p12 client.p12.orig
|
||||||
|
openssl pkcs12 -in client.p12.orig -nodes -out tmp.pem
|
||||||
|
openssl pkcs12 -export -in tmp.pem -out client.p12 -passout pass:
|
||||||
|
rm tmp.pem
|
||||||
|
```
|
||||||
|
|
||||||
|
> :warning: Apple's Keychain Access will refuse to open it with no passphrase.
|
||||||
|
|
||||||
## mobile client
|
## mobile client
|
||||||
|
|
||||||
There are two auth types:
|
There are two auth types:
|
||||||
@ -62,7 +77,7 @@ AnyConnect ->
|
|||||||
File System: client.p12
|
File System: client.p12
|
||||||
```
|
```
|
||||||
|
|
||||||
> :question: Android client show warning dialog: `Certificate is not yet valid.`
|
> :question: Android client show warning dialog: `Certificate is not yet valid.` ([WHY?][4])
|
||||||
|
|
||||||
## desktop client
|
## desktop client
|
||||||
|
|
||||||
@ -74,3 +89,4 @@ AnyConnect ->
|
|||||||
[1]: http://www.infradead.org/ocserv/
|
[1]: http://www.infradead.org/ocserv/
|
||||||
[2]: http://www.gnutls.org/manual/html_node/certtool-Invocation.html
|
[2]: http://www.gnutls.org/manual/html_node/certtool-Invocation.html
|
||||||
[3]: http://www.infradead.org/ocserv/manual.html
|
[3]: http://www.infradead.org/ocserv/manual.html
|
||||||
|
[4]: http://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect31/release/notes/anyconnect31rn.html
|
||||||
|
@ -7,6 +7,8 @@ ocserv:
|
|||||||
- VPN_DOMAIN=vpn.easypi.info
|
- VPN_DOMAIN=vpn.easypi.info
|
||||||
- VPN_NETWORK=10.20.30.0
|
- VPN_NETWORK=10.20.30.0
|
||||||
- VPN_NETMASK=255.255.255.0
|
- VPN_NETMASK=255.255.255.0
|
||||||
|
- LAN_NETWORK=192.168.0.0
|
||||||
|
- LAN_NETMASK=255.255.0.0
|
||||||
- VPN_USERNAME=username
|
- VPN_USERNAME=username
|
||||||
- VPN_PASSWORD=password
|
- VPN_PASSWORD=password
|
||||||
cap_add:
|
cap_add:
|
||||||
|
@ -86,6 +86,7 @@ certtool --to-p12 \
|
|||||||
--password "${VPN_PASSWORD}"
|
--password "${VPN_PASSWORD}"
|
||||||
|
|
||||||
sed -i -e "s@^ipv4-network =.*@ipv4-network = ${VPN_NETWORK}@" \
|
sed -i -e "s@^ipv4-network =.*@ipv4-network = ${VPN_NETWORK}@" \
|
||||||
-e "s@^ipv4-netmask =.*@ipv4-netmask = ${VPN_NETMASK}@" /etc/ocserv/ocserv.conf
|
-e "s@^ipv4-netmask =.*@ipv4-netmask = ${VPN_NETMASK}@" \
|
||||||
|
-e 's@^no-route =.*$@no-route = ${LAN_NETWORK}/${LAN_NETMASK}@' /etc/ocserv/ocserv.conf
|
||||||
|
|
||||||
echo "${VPN_PASSWORD}" | ocpasswd -c /etc/ocserv/ocpasswd "${VPN_USERNAME}"
|
echo "${VPN_PASSWORD}" | ocpasswd -c /etc/ocserv/ocpasswd "${VPN_USERNAME}"
|
||||||
|
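Review bot: The added `no-route` expression on the last sed line is single-quoted, so `${LAN_NETWORK}` and `${LAN_NETMASK}` are not expanded and ocserv.conf ends up with the literal text `no-route = ${LAN_NETWORK}/${LAN_NETMASK}`; the two preceding expressions use double quotes for exactly this reason. Switching to double quotes is not enough on its own, because `$@` inside double quotes is the positional-parameter expansion and would eat the closing delimiter; drop the redundant `$` anchor, which `.*` already makes unnecessary and which the sibling expressions also omit: `-e "s@^no-route =.*@no-route = ${LAN_NETWORK}/${LAN_NETMASK}@" /etc/ocserv/ocserv.conf`. Whether the line matches at all depends on the sample config shipping an uncommented `no-route =` key, which this hunk does not show. The script continues outside the hunk.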