This repo combines the ocserv VPN server and certbot in one image, so you get a VPN service plus automatic certificate issuance and renewal. The certbot-dns-cloudflare plugin is installed by default.

This image ships a default config at `/etc/ocserv/ocserv.conf`. If you don't mount a conf file, it generates a new one. The ENV file is used to request a Let's Encrypt certificate and to create a default user. If no ENV is provided, the ocserv service falls back to a self-signed certificate, so clients will see a certificate warning until they trust or pin that certificate.

The default ocserv config is designed to offer a basic, out-of-the-box VPN environment. It does not include extra configuration for access control to internal resources, user authentication, user management, auditing, etc., so review and tighten it before exposing the server to untrusted networks. The camouflage feature is disabled in the default config; you can enable it and set a secret string for it if you need it. For more features and settings, please refer to the official documentation.

The latest version is 1.3.0, and the Docker Hub page is here.
- Clone this repo, or copy the content of `docker-compose.yml.sample` and `.env.sample` into your own docker compose file and env file.
- Check the environment config in `docker-compose.yml`. The email address is optional and is only used for expiration reminders if certificate renewal fails.
- (Optional) Mount a local directory to keep your certificates and config files.
- If you want to get certs via a Cloudflare API token, mount your own token config file. Keep that file readable only by its owner: the token can change your DNS records.
- If you want to get certs via HTTP, make sure port 80 is open.
- Run `docker-compose up -d`.
- Keep in mind to add `listen-proxy-proto = true` to your `ocserv.conf` if you put ocserv behind a proxy such as HAProxy. Enable it only when the proxy actually sends the PROXY protocol header, since ocserv then expects that header on every connection.
- If you don't provide a default user/pass, a new user/pass is generated, and you can check it at `$HOME/initial_pass.txt` or with `docker compose logs ocserv`. Both places hold the password in plain text, so remove the file and rotate the password once you have created your own accounts.
- WAIT_* options were added to the compose file; ocserv starts only after the items you list are ready, see usage: link
- Generate a new user. ocpasswd asks for the password and a confirmation, so feed the same value on two lines of stdin (a second `echo` in the pipe would discard the first one):

  ```sh
  docker exec -i <your-ocserv-container-name> sh -c "printf '%s\n%s\n' '<password>' '<password>' | ocpasswd <username>"
  ```
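The one-liner above still puts the password on your own shell's command line, where it ends up in shell history and in `ps` output. The script below is an added example, not part of this image's own scripts: it reads the password without echo, validates the username, and pipes the password and its confirmation into `ocpasswd` through `docker exec -i`. It assumes the container is named `ocserv` (override with `OCSERV_CONTAINER`) and that `ocpasswd` inside the container writes to its default password file, as the README's own `ocpasswd <username>` invocation implies.

```shell
#!/bin/sh
# Added example (not from the image's scripts): create or update an ocserv user
# through a running container without placing the password in argv.
# Assumed, not from the README: container name "ocserv", ocpasswd default
# password file inside the container.
set -eu

OCSERV_CONTAINER="${OCSERV_CONTAINER:-ocserv}"

# ocpasswd stores the name verbatim; keep it to a conservative charset so a
# stray space or shell metacharacter cannot produce an odd entry.
validate_username() {
  case "$1" in
    '' ) return 1 ;;
    *[!A-Za-z0-9._@-]* ) return 1 ;;
    * ) return 0 ;;
  esac
}

# ocpasswd reads the password and its confirmation when it has no tty: the
# same value on two separate lines. (The README's original
# `echo <password> | echo <password> | ocpasswd` supplies only one line,
# because the second echo ignores its stdin.)
password_lines() {
  printf '%s\n%s\n' "$1" "$1"
}

# Read the password from the terminal with echo disabled; never accept it as
# a command-line argument.
read_password() {
  printf 'Password for %s: ' "$1" >&2
  stty -echo
  read -r pw
  stty echo
  printf '\n' >&2
  printf '%s' "$pw"
}

add_user() {
  user="$1"
  validate_username "$user" || { echo "bad username: $user" >&2; return 1; }
  pw="$(read_password "$user")"
  [ -n "$pw" ] || { echo "empty password" >&2; return 1; }
  # -i keeps stdin attached so ocpasswd can read both lines; no -t, so there
  # is no tty and ocpasswd reads from the pipe instead of prompting.
  password_lines "$pw" | docker exec -i "$OCSERV_CONTAINER" ocpasswd "$user"
}

# Run only when a username is given, e.g.:  sh add-vpn-user.sh alice
if [ "$#" -gt 0 ]; then
  add_user "$1"
fi
```

If you prefer not to script it at all, `docker exec -it <your-ocserv-container-name> ocpasswd <username>` gives ocpasswd a tty and it prompts for the password itself, which also keeps the password out of your history.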
You can connect with a Cisco AnyConnect client or Cisco Secure Client, or with the openconnect client by following these steps.

- Prepare connect and disconnect scripts and save them somewhere in your user space. They hold your password in plain text, so `chmod 600` them:

  anyconnect.sh

  ```sh
  #!/bin/bash
  sudo openconnect -b -q --protocol=anyconnect <your-domain> << delimiter
  <your-username>
  <your-password>
  delimiter
  ```

  kill-anyconnect.sh

  ```sh
  #!/bin/bash
  sudo pkill openconnect
  ```

- Create a soft link to the script as a system command:

  ```sh
  sudo ln -s <your-script.sh> /usr/local/bin/<command-you-want>
  ```

See more usage: `openconnect --help`
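The two scripts above work, but they embed the password in the script and `pkill openconnect` kills every openconnect tunnel on the machine, not just this one. The wrapper below is an added example, not part of the README or of the ocserv project: it keeps the password in a separate file that must be mode 0600 (checked before use), hands it to openconnect with `--passwd-on-stdin` so it never appears in argv, records the tunnel's PID with `--pid-file` so `down` stops exactly that process, and can optionally pin the server's public key with `--servercert`, which is useful when the image is running with its self-signed fallback certificate. The host name, user name, password-file path and pid-file path are assumptions to replace with your own.

```shell
#!/bin/sh
# Added example (not from the README): openconnect wrapper that keeps the
# password out of the script, out of argv and out of shell history, and stops
# only this tunnel. Assumed values, not from the README: VPN_HOST, VPN_USER,
# PASSWORD_FILE and PID_FILE below.
set -eu

VPN_HOST="${VPN_HOST:-vpn.example.com}"
VPN_USER="${VPN_USER:-alice}"
PASSWORD_FILE="${PASSWORD_FILE:-${HOME:-/root}/.config/ocserv-vpn/password}"
PID_FILE="${PID_FILE:-/run/openconnect-${VPN_HOST}.pid}"
# Optional public-key pin, e.g. "pin-sha256:...". When the server presents a
# certificate openconnect does not trust (the image's self-signed fallback),
# openconnect prints the pin it would accept; copy it here after checking it
# out of band. Leave empty to rely on normal CA validation.
SERVER_PIN="${SERVER_PIN:-}"

# Refuse a password file that anyone but its owner can read. Parses `ls -l`
# so it does not depend on GNU vs BSD `stat`.
secret_perms_ok() {
  mode="$(ls -ld "$1" | cut -c2-10)"
  case "$mode" in
    rw-------|r--------) return 0 ;;
    *) return 1 ;;
  esac
}

connect() {
  secret_perms_ok "$PASSWORD_FILE" || {
    echo "refusing: $PASSWORD_FILE must be mode 0600 (or 0400)" >&2
    return 1
  }
  set -- --background --quiet --protocol=anyconnect \
         --user="$VPN_USER" --passwd-on-stdin --pid-file="$PID_FILE"
  if [ -n "$SERVER_PIN" ]; then
    set -- "$@" --servercert="$SERVER_PIN"
  fi
  # The password is the first line of the file and arrives on stdin.
  sudo openconnect "$@" "$VPN_HOST" < "$PASSWORD_FILE"
}

disconnect() {
  # Only the tunnel recorded in the pid file; `pkill openconnect` would also
  # take down unrelated tunnels.
  [ -f "$PID_FILE" ] || { echo "no pid file at $PID_FILE; not connected?" >&2; return 1; }
  sudo kill "$(cat "$PID_FILE")"
}

case "${1:-}" in
  up)   connect ;;
  down) disconnect ;;
  "")   ;;                      # no argument: only define the functions
  *)    echo "usage: $0 up|down" >&2; exit 2 ;;
esac
```

Save it as, for example, `~/bin/vpn`, create the password file with `umask 077` so it is 0600 from the start, then use `vpn up` and `vpn down`. Note that `--servercert` makes openconnect accept exactly that key regardless of the CA chain, so only pin a value you have verified against the server's actual certificate.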
Please make sure your Docker service has IPv6 support enabled. If it does not, add the config below to your Docker daemon settings in `/etc/docker/daemon.json`. Merge the keys into an existing file rather than replacing it, or you will lose any other daemon settings you already had:

```json
{
  "experimental": true,
  "ip6tables": true
}
```

Then restart your Docker service:

```sh
sudo systemctl restart docker.service
```

The ocserv server should work now.

If you want, you can add settings to assign a default IPv6 network segment. The `2001:db8:1::/64` below is a documentation prefix (RFC 3849) and is not routable; substitute a ULA prefix or a prefix you actually own:

```json
{
  "experimental": true,
  "ip6tables": true,
  "ipv6": true,
  "fixed-cidr-v6": "2001:db8:1::/64"
}
```
You may see an error when connecting to the server with Cisco Secure Client, especially when your server is IPv6-only. It can be caused by your DNS settings, IPv4/IPv6 address-selection weights, etc. The easy way around it is to edit your hosts file. On Windows, for example, open `C:\Windows\System32\drivers\etc\hosts` and add lines mapping your server's addresses to its name:

```
<your-server-ipv6> vpn.example.com
<your-server-ipv4> vpn.example.com
```

If you get an error when requesting certificates on an IPv6-only network and you have provided an email address to subscribe to mail notifications, a network connection error appears after the certificates are generated. This is because the Let's Encrypt email subscription service does not support IPv6 access.
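Editing a hosts file by hand tends to leave duplicate or stale entries behind when the server's address changes. The script below is an added example, not part of the README: it removes every existing mapping for the VPN hostname (including the name inside a shared multi-name line, while keeping that line's other names and any inline comment), keeps a backup, and appends one line per address. It works on any file path, so you can try it on a copy before pointing it at `/etc/hosts` or the Windows hosts file. The addresses `2001:db8::10` and `203.0.113.10` are documentation placeholders, not real servers.

```shell
#!/bin/sh
# Added example (not from the README): idempotently pin a VPN hostname to fixed
# addresses in a hosts file. Addresses in the usage line are placeholders.
set -eu

# pin_host <hosts-file> <hostname> <address>...
# Removes every existing mapping of <hostname>, keeps a .bak copy, then
# appends one "<address>\t<hostname>" line per address given.
pin_host() {
  file="$1"; host="$2"; shift 2
  tmp="$file.tmp.$$"
  cp -p "$file" "$file.bak"
  awk -v h="$host" '
    /^[ \t]*#/ || NF == 0 { print; next }    # comments and blank lines pass through
    {
      out = $1; names = 0; trail = ""
      for (i = 2; i <= NF; i++) {
        if ($i ~ /^#/) {                      # inline comment: keep it verbatim
          for (j = i; j <= NF; j++) trail = trail " " $j
          break
        }
        if ($i != h) { out = out "\t" $i; names++ }
      }
      if (names > 0) print out trail         # drop the line only if no other name remains
    }
  ' "$file" > "$tmp"
  for addr in "$@"; do
    printf '%s\t%s\n' "$addr" "$host" >> "$tmp"
  done
  mv "$tmp" "$file"
}

# resolved_addrs <hosts-file> <hostname>
# Prints the addresses currently mapped to <hostname>, one per line, in file
# order. Handy to verify the edit before reconnecting.
resolved_addrs() {
  awk -v h="$2" '!/^[ \t]*#/ { for (i = 2; i <= NF; i++) if ($i == h) print $1 }' "$1"
}

# Usage: sh pin-vpn-host.sh /etc/hosts vpn.example.com 2001:db8::10 203.0.113.10
if [ "$#" -ge 3 ]; then
  pin_host "$@"
  resolved_addrs "$1" "$2"
fi
```

Run it with `sudo` for the real `/etc/hosts`; on Windows, run the same logic from an elevated shell against the hosts path quoted above. Remember that a pinned entry overrides DNS for that name, so remove it again once the server moves or the underlying resolver problem is fixed.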
- Openconnect VPN Manual - Official
- Recipes for Openconnect VPN - Official
- Ocserv Advanced
- Block Visitors by Country Using Firewall
- ocserv changelog
- Docker Enable IPv6 support
- Docker compose wait