diff --git a/net/ocserv/Makefile b/net/ocserv/Makefile index 2f55d8d27..5cf3265d3 100644 --- a/net/ocserv/Makefile +++ b/net/ocserv/Makefile @@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=ocserv PKG_VERSION:=0.10.9 -PKG_RELEASE:=1 +PKG_RELEASE:=2 PKG_USE_MIPS16:=0 PKG_BUILD_DIR :=$(BUILD_DIR)/$(PKG_NAME)-$(PKG_VERSION) diff --git a/net/ocserv/README b/net/ocserv/README index d868872c9..ed1ff4287 100644 --- a/net/ocserv/README +++ b/net/ocserv/README @@ -1,17 +1,86 @@ +Setting up OpenConnect VPN server +================================= + The openconnect server expects to be configured using the uci interface. It is recommended to setup a dynamic DNS address with openwrt prior to starting the server. That is because during the first startup a certificate file which contain the setup dynamic DNS name will be -created. +created. You can always regenerate the certificate by deleting +/etc/ocserv/server-key.pem. + +There are two approaches to setup the VPN. The proxy-arp approach (1) +which provides clients with addresses of the LAN, and the "forwarding" +approach (2) which provides clients with addresses of a separate private +network. The former is suitable when you have "roadwarrior" type of clients +connecting to the LAN, and the latter when you may need to connect +multiple networks with the LAN. + + +1. Proxy-ARP Approach +===================== + +[This option is available since ocserv-0.10.9-2 package] + +To setup a server the provides access to LAN with network address +10.100.2.0/255.255.255.0 add the following to /etc/config/ocserv. +The following setup will assign the upper 62 addresses for VPN use. + +``` +----/etc/config/ocserv------------------------------------------- +config ocserv 'config' + option port '443' + option dpd '120' + option max_clients '8' + option max_same '2' + option netmask '255.255.255.192' + option ipaddr '10.100.2.192' + option auth 'plain' + option default_domain 'lan' + option compression '1' + option proxy_arp '1' + option ping_leases '1' + option enable '1' + +config dns + option ip '10.100.2.1' + +config routes + option ip '10.100.2.0' + option netmask '255.255.255.0' + +config ocservusers + option name 'test' + option password '$5$unl8uKAGNsdTh9zm$PnUHEGhDc5VHbFE2EfWwW38Bub6Y6EZ5hrFwZE1r2F1' + +----------------------------------------------------------------- +``` + +This setup re-utilizes the addresses assigned to LAN for the VPN clients. +To ensure that there are no conflicts with the DHCP server use the following +commands. These will set the maximum address assigned by DHCP to be 10.100.2.191 +which is below the first VPN assigned address (10.100.2.192). + +``` +# uci set dhcp.lan.start=100 +# uci set dhcp.lan.limit=91 +``` + +For simple networks like that you may also leave the 'netmask' and 'ipaddr' +fields empty and ocserv on startup will set the necessary values. + + +2. Forwarding Approach +====================== To setup a server the provides access to LAN with network address 10.100.2.0/255.255.255.0 using the VPN address range 10.100.3.0/255.255.255.0 add the following to /etc/config/ocserv: +``` ----/etc/config/ocserv------------------------------------------- config ocserv 'config' - option port '4443' + option port '443' option dpd '120' option max_clients '8' option max_same '2' @@ -34,19 +103,21 @@ config ocservusers option password '$5$unl8uKAGNsdTh9zm$PnUHEGhDc5VHbFE2EfWwW38Bub6Y6EZ5hrFwZE1r2F1' ----------------------------------------------------------------- +``` -This configuration also adds the user "test" with password "test". The -password is specified in the crypt(3) format. -The server can be enabled and started using: -# /etc/init.d/ocserv enable -# /etc/init.d/ocserv start +Setting up the firewall +======================= +Since the connected users will be assigned to other interfaces than the LAN +one, it is required to assign the VPN clients to an interface, and enable +forwarding for them. That is, you should setup an unmanaged interface (e.g., +called vpn), which will have assigned the 'vpns+' interfaces (i.e., all vpns +interfaces). Then a zone called vpn should be setup to handle interactions +with lan. An example, which alls all forwarding between LAN and VPN clients, +follows. -To simplify firewall configuration, you should setup an unmanaged interface -(e.g., called vpn), and will have assigned the 'vpns+' interfaces. Then a zone -called vpn should be setup to handle interactions with lan. An example -follows: +``` ----/etc/config/network------------------------------------------ config interface 'vpn' option proto 'none' @@ -74,17 +145,35 @@ config rule option target 'ACCEPT' option src 'wan' option proto 'tcp' - option dest_port '4443' + option dest_port '443' option name 'vpn' config rule option target 'ACCEPT' option src 'wan' option proto 'udp' - option dest_port '4443' + option dest_port '443' option name 'vpn' ----------------------------------------------------------------- +``` + +Note, that the last two rules, enable connections to port 443 from the +Internet. That is the port used by OpenConnect VPN. + + +Starting the server +=================== + +Note that both configurations above add the user "test" with password "test". The +password is specified in the crypt(3) format. + +The server can be enabled and started using: +# /etc/init.d/ocserv enable +# /etc/init.d/ocserv start +For any custom configuration options of ocserv you may add values in +/etc/ocserv/ocserv.conf.local. There is a luci plugin to allow configuring the server from the web environment; see the package luci-app-ocserv. + diff --git a/net/ocserv/files/ocserv.conf.template b/net/ocserv/files/ocserv.conf.template index 842101234..9a5f195c6 100644 --- a/net/ocserv/files/ocserv.conf.template +++ b/net/ocserv/files/ocserv.conf.template @@ -275,7 +275,7 @@ ipv4-netmask = |NETMASK| # Prior to leasing any IP from the pool ping it to verify that # it is not in use by another (unrelated to this server) host. -ping-leases = false +ping-leases = |PING_LEASES| # Unset to assign the default MTU of the device # mtu = diff --git a/net/ocserv/files/ocserv.init b/net/ocserv/files/ocserv.init index 41a0e2474..61eb67cd3 100644 --- a/net/ocserv/files/ocserv.init +++ b/net/ocserv/files/ocserv.init @@ -13,11 +13,47 @@ setup_config() { config_get udp $1 udp "1" config_get auth $1 auth "plain" config_get cisco_compat $1 cisco_compat "1" - config_get ipaddr $1 ipaddr "192.168.100.0" - config_get netmask $1 netmask "255.255.255.0" + config_get ipaddr $1 ipaddr "" + config_get netmask $1 netmask "" config_get ip6addr $1 ip6addr "" + config_get proxy_arp $1 proxy_arp "0" + config_get ping_leases $1 ping_leases "0" config_get default_domain $1 default_domain "" + # Enable proxy arp, and make sure that ping leases is set to true in that case, + # to prevent conflicts. + if test "$proxy_arp" = 1;then + local ip + # IP address is empty. Auto-configure LAN + VPN. + if test -z "$ipaddr";then + local mask + mask=$(uci get network.lan.netmask) + if test "$mask" = "255.255.255.0";then + uci set dhcp.lan.start=100 + uci set dhcp.lan.limit=91 + fi + ip=$(uci get network.lan.ipaddr) + ipaddr="$(echo $ip|cut -d . -f1,2,3).192" + netmask="255.255.255.192" + uci set ocserv.config.ipaddr="$ipaddr" + uci set ocserv.config.netmask="$netmask" + uci commit + fi + + if test -z "$ip6addr";then + ip6addr=$(uci get network.lan.ip6addr 2>/dev/null) + test -n "$ip6addr" && uci set ocserv.config.ip6addr="$ip6addr" + uci commit + fi + + ping_leases=1 + test -n "$ipaddr" && sysctl -w "net.ipv4.conf.$(uci get network.lan.ifname).proxy_arp"=1 >/dev/null + test -n "$ip6addr" && sysctl -w "net.ipv6.conf.$(uci get network.lan.ifname).proxy_ndp"=1 >/dev/null + else + test "$ipaddr" = "" && ipaddr="192.168.100.0" + test "$netmask" = "" && ipaddr="255.255.255.0" + fi + enable_default_domain="#" enable_udp="#" enable_compression="#" @@ -25,6 +61,8 @@ setup_config() { test $predictable_ips = "1" && predictable_ips="true" test $cisco_compat = "0" && cisco_compat="false" test $cisco_compat = "1" && cisco_compat="true" + test $ping_leases = "0" && ping_leases="false" + test $ping_leases = "1" && ping_leases="true" test $udp = "1" && enable_udp="" test $compression = "1" && enable_compression="" test -z $default_domain && enable_default_domain="" @@ -47,6 +85,7 @@ setup_config() { -e "s/|DEFAULT_DOMAIN|/$default_domain/g" \ -e "s/|ENABLE_DEFAULT_DOMAIN|/$enable_default_domain/g" \ -e "s/|CISCO_COMPAT|/$cisco_compat/g" \ + -e "s/|PING_LEASES|/$ping_leases/g" \ -e "s/|UDP|/$enable_udp/g" \ -e "s/|COMPRESSION|/$enable_compression/g" \ -e "s/|IPV4ADDR|/$ipaddr/g" \ @@ -164,3 +203,4 @@ start_service() { procd_set_param respawn procd_close_instance } +