moony
/
dockerfiles
mirror of https://github.com/vimagick/dockerfiles
1
2
Fork 0
Code Issues Releases Wiki Activity
dockerfiles/ocserv
History
kev 77ab5b5c20 fix ocserv 2017-09-01 23:54:33 +08:00
..
3rd-party update ocserv 2017-08-31 17:49:45 +08:00
Dockerfile fix ocserv 2017-09-01 23:54:33 +08:00
README.md fix ocserv 2017-09-01 23:54:33 +08:00
docker-compose.yml update ocserv 2017-09-01 19:38:21 +08:00
docker-entrypoint.sh fix ocserv 2017-09-01 19:42:28 +08:00
init.sh fix ocserv 2017-09-01 23:54:33 +08:00

README.md

ocserv

OpenConnect server (ocserv) is an SSL VPN server. Its purpose is to be a secure, small, fast and configurable VPN server.

docker-compose.yml

ocserv:
  image: vimagick/ocserv
  ports:
    - "4443:443/tcp"
    - "4443:443/udp"
  environment:
    - VPN_DOMAIN=vpn.easypi.pro
    - VPN_NETWORK=10.20.30.0
    - VPN_NETMASK=255.255.255.0
    - LAN_NETWORK=192.168.0.0
    - LAN_NETMASK=255.255.0.0
    - VPN_USERNAME=username
    - VPN_PASSWORD=password
  cap_add:
    - NET_ADMIN
  restart: always
  • ⚠️ Please choose a strong password to protect VPN service.
  • These environment variables are used to generate config files/keys.
  • VPN accounts can be managed via ocpasswd command.
  • VPN status can be viewed via occtl command
  • You can edit the config file /etc/ocserv/ocserv.conf, then restart service.

up and running

$ docker-compose up -d
$ docker-compose exec ocserv sh
>>> cd /etc/ocserv/
>>> echo 'no-route = 1.2.3.4/32' >> /etc/ocserv/defaults/group.conf
>>> ocpasswd -c ocpasswd username
    Enter password: ******
    Re-enter password: ******
>>> exit
$ docker-compose restart
$ docker cp ocserv_ocserv_1:/etc/ocserv/certs/client.p12 .
$ docker cp ocserv_ocserv_1:/etc/ocserv/certs/server-cert.pem .
$ docker-compose logs -f

You need to access your vpn server directly with no-route.

To remove the password protection of client.p12:

$ mv client.p12 client.p12.orig
$ openssl pkcs12 -in client.p12.orig -nodes -out tmp.pem
$ openssl pkcs12 -export -in tmp.pem -out client.p12 -passout pass:
$ rm tmp.pem

⚠️ Apple's Keychain Access will refuse to open it with no passphrase.

mobile client

There are two auth types:

  • 👎 passwd: type everytime
  • 👍 certificate: import once
AnyConnect ->
  Connection ->
    Add New VPN Connection... ->
      Advanced Preferences... ->
        Certificate ->
          Import ->
            File System: client.p12

Android client show warning dialog: Certificate is not yet valid. (WHY?)

desktop client

download

client.p12 and server-cert.pem can be imported into keychain.