From f87ad00ae2e4123fa74955d00bf7d25d5e0f1de5 Mon Sep 17 00:00:00 2001 From: kev Date: Wed, 29 Jun 2016 04:35:26 +0800 Subject: [PATCH] add ocserv --- README.md | 1 + ocserv/Dockerfile | 98 +++++++++++++++++++++++++++++++++++++ ocserv/README.md | 26 ++++++++++ ocserv/docker-compose.yml | 14 ++++++ ocserv/docker-entrypoint.sh | 13 +++++ ocserv/init.sh | 58 ++++++++++++++++++++++ 6 files changed, 210 insertions(+) create mode 100644 ocserv/Dockerfile create mode 100644 ocserv/README.md create mode 100644 ocserv/docker-compose.yml create mode 100755 ocserv/docker-entrypoint.sh create mode 100755 ocserv/init.sh diff --git a/README.md b/README.md index e25e280..71d7eed 100644 --- a/README.md +++ b/README.md @@ -83,6 +83,7 @@ A collection of delicious docker recipes. - [x] nullmailer - [x] nullmailer-arm - [x] obfsproxy +- [x] ocserv - [x] opencart - [x] openrefine - [x] openvpn :+1: diff --git a/ocserv/Dockerfile b/ocserv/Dockerfile new file mode 100644 index 0000000..d17d6e4 --- /dev/null +++ b/ocserv/Dockerfile @@ -0,0 +1,98 @@ +# +# Dockerfile for ocserv +# + +FROM debian:jessie +MAINTAINER kev + +ENV OCSERV_VERSION 0.11.3 + +RUN set -xe \ + && apt-get update \ + && apt-get install -y autogen \ + build-essential \ + curl \ + gnutls-bin \ + iptables \ + libdbus-1-3 \ + libdbus-1-dev \ + libev4 \ + libev-dev \ + libgnutlsxx28 \ + libgnutls28-dev \ + libhttp-parser2.1 \ + libhttp-parser-dev \ + libnl-route-3-200 \ + libnl-route-3-dev \ + libopts25 \ + libopts25-dev \ + libpam0g \ + libpam0g-dev \ + libpcl1 \ + libpcl1-dev \ + libprotobuf-c1 \ + libprotobuf-c-dev \ + libprotobuf9 \ + libprotobuf-dev \ + libprotoc9 \ + libprotoc-dev \ + libreadline6 \ + libreadline-dev \ + libseccomp2 \ + libseccomp-dev \ + libtalloc2 \ + libtalloc-dev \ + libwrap0 \ + libwrap0-dev \ + protobuf-c-compiler \ + protobuf-compiler \ + && curl -sSL ftp://ftp.infradead.org/pub/ocserv/ocserv-$OCSERV_VERSION.tar.xz | tar xJ \ + && cd ocserv-$OCSERV_VERSION \ + && ./configure --prefix=/usr --sysconfdir=/etc --with-local-talloc \ + && make install \ + && mkdir -p /etc/ocserv/certs \ + && cp ./doc/sample.config /etc/ocserv/ocserv.conf \ + && sed -i -e 's@../tests/@/etc/ocserv/certs/@' \ + -e 's@certs/ca.pem@certs/ca-cert.pem@' \ + -e 's@./sample.passwd@/etc/ocserv/ocpasswd@' \ + -e 's@^try-mtu-discovery = false$@try-mtu-discovery = true@' \ + -e 's@^dns =.*$@dns = 8.8.8.8@' \ + -e 's@^route@#&@' \ + -e 's@^no-route@#&@' \ + /etc/ocserv/ocserv.conf \ + && cd .. \ + && apt-get purge --auto-remove -y autogen \ + build-essential \ + libdbus-1-dev \ + libev-dev \ + libgnutls28-dev \ + libhttp-parser-dev \ + libnl-route-3-dev \ + libopts25-dev \ + libpam0g-dev \ + libpcl1-dev \ + libprotobuf-c-dev \ + libprotobuf-dev \ + libprotoc-dev \ + libreadline-dev \ + libseccomp-dev \ + libtalloc-dev \ + libwrap0-dev \ + protobuf-c-compiler \ + protobuf-compiler \ + && rm -rf ocserv-$OCSERV_VERSION /var/lib/apt/lists/* + +COPY init.sh /init.sh +COPY docker-entrypoint.sh /entrypoint.sh + +VOLUME /etc/ocserv + +ENV VPN_DOMAIN=vpn.easypi.info \ + VPN_NETWORK=10.20.30.0 \ + VPN_NETMASK=255.255.255.0 \ + VPN_USERNAME=username \ + VPN_PASSWORD=password + +EXPOSE 443/tcp 443/udp + +ENTRYPOINT ["/entrypoint.sh"] diff --git a/ocserv/README.md b/ocserv/README.md new file mode 100644 index 0000000..b0d9e71 --- /dev/null +++ b/ocserv/README.md @@ -0,0 +1,26 @@ +ocserv +====== + +[OpenConnect server][1] (ocserv) is an SSL VPN server. Its purpose is to be a +secure, small, fast and configurable VPN server. + +## docker-compose.yml + +```yaml +ocserv: + image: vimagick/ocserv + ports: + - "4443:443/tcp" + - "4443:443/udp" + environment: + - VPN_DOMAIN=vpn.easypi.info + - VPN_NETWORK=10.20.30.0 + - VPN_NETMASK=255.255.255.0 + - VPN_USERNAME=username + - VPN_PASSWORD=password + cap_add: + - NET_ADMIN + restart: always +``` + +[1]: http://www.infradead.org/ocserv/ diff --git a/ocserv/docker-compose.yml b/ocserv/docker-compose.yml new file mode 100644 index 0000000..6b00f9b --- /dev/null +++ b/ocserv/docker-compose.yml @@ -0,0 +1,14 @@ +ocserv: + image: vimagick/ocserv + ports: + - "4443:443/tcp" + - "4443:443/udp" + environment: + - VPN_DOMAIN=vpn.easypi.info + - VPN_NETWORK=10.20.30.0 + - VPN_NETMASK=255.255.255.0 + - VPN_USERNAME=username + - VPN_PASSWORD=password + cap_add: + - NET_ADMIN + restart: always diff --git a/ocserv/docker-entrypoint.sh b/ocserv/docker-entrypoint.sh new file mode 100755 index 0000000..6620e43 --- /dev/null +++ b/ocserv/docker-entrypoint.sh @@ -0,0 +1,13 @@ +#!/bin/bash + +/init.sh + +if [ ! -e /dev/net/tun ]; then + mkdir -p /dev/net + mknod /dev/net/tun c 10 200 + chmod 600 /dev/net/tun +fi + +iptables -t nat -A POSTROUTING -s ${VPN_NETWORK}/${VPN_NETMASK} -j MASQUERADE + +exec ocserv -c /etc/ocserv/ocserv.conf -f $@ diff --git a/ocserv/init.sh b/ocserv/init.sh new file mode 100755 index 0000000..47fc524 --- /dev/null +++ b/ocserv/init.sh @@ -0,0 +1,58 @@ +#!/bin/bash + +set -e + +if [ -f /etc/ocserv/certs/server-cert.pem ] +then + echo "Initialized!" + exit 0 +else + echo "Initializing ..." +fi + +mkdir -p /etc/ocserv/certs +cd /etc/ocserv/certs + +cat > ca.tmpl <<_EOF_ +cn = "ocserv Root CA" +organization = "ocserv" +serial = 1 +expiration_days = 3650 +ca +signing_key +cert_signing_key +crl_signing_key +_EOF_ + +cat > server.tmpl <<_EOF_ +cn = "${VPN_DOMAIN}" +organization = "ocserv" +serial = 2 +expiration_days = 3650 +encryption_key +signing_key +tls_www_server +_EOF_ + +certtool --generate-privkey \ + --outfile ca-key.pem + +certtool --generate-self-signed \ + --load-privkey /etc/ocserv/certs/ca-key.pem \ + --template ca.tmpl \ + --outfile ca-cert.pem + +certtool --generate-privkey \ + --outfile server-key.pem + +certtool --generate-certificate \ + --load-privkey server-key.pem \ + --load-ca-certificate ca-cert.pem \ + --load-ca-privkey ca-key.pem \ + --template server.tmpl \ + --outfile server-cert.pem + +sed -i -e "s@^ipv4-network =.*@ipv4-network = ${VPN_NETWORK}@" \ + -e "s@^ipv4-netmask =.*@ipv4-netmask = ${VPN_NETMASK}@" /etc/ocserv/ocserv.conf + +echo "${VPN_PASSWORD}" | ocpasswd -c /etc/ocserv/ocpasswd "${VPN_USERNAME}"