ocserv with certbot support


Description

This repo combines the ocserv VPN server and certbot in one image, so you can run a VPN service and request or renew its certificate automatically. The certbot-dns-cloudflare plugin is installed by default.

This image provides a default config at /etc/ocserv/ocserv.conf; if you don't mount a config file, it generates a new one. An ENV file is used to request a Let's Encrypt certificate and create a default user. If no ENV file is provided, the ocserv service generates a self-signed certificate instead.

The default ocserv config I provide is meant to offer a basic, out-of-the-box VPN environment. It doesn't include additional configuration for access control to internal resources, user authentication, user management, auditing, etc. The camouflage feature is disabled in the default config; you can enable it and set a secret string for it if you need it. For more features and settings, please refer to the official documentation.

The latest version is 1.3.0, and the Docker Hub page is here.


Usage

Server

  • clone this repo, or copy the contents of docker-compose.yml.sample and .env.sample into your own docker compose file and env file

  • check the environment config in docker-compose.yml. The email address is optional and is only used for expiration reminders if certificate renewal fails

  • (optional) mount a local directory to keep your certificates and config files

    • if you want to get certs via a Cloudflare API token, mount your own token config file
    • if you want to get certs via HTTP, make sure port 80 is open
  • run docker-compose up -d

  • keep in mind to add listen-proxy-proto = true to your ocserv.conf if you want to put ocserv behind a proxy such as haproxy

  • if you don't provide a default user/pass, a new user/pass is generated, and you can check it at $HOME/initial_pass.txt or with docker compose logs ocserv

  • WAIT_* options were added to the compose file; ocserv will only start after the items you provide are ready, see usage: link

  • generate a new user (ocpasswd reads the password from stdin when stdin is not a terminal, so a single echo is enough):

    docker exec <your-ocserv-container-name> bash -c "echo '<password>' | ocpasswd <username>"
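The description above says the default ocserv.conf ships with camouflage disabled and without a secret, and the item about haproxy adds listen-proxy-proto. The following added example (my own, not part of this repo) is a small POSIX shell audit of an ocserv.conf for exactly those two settings; it assumes the "key = value" syntax with "#" comment lines, and assumes "mysecretkey" is the placeholder secret from ocserv's sample config. The config fragment it checks is constructed for the demo.

```shell
#!/bin/sh
# conf_get KEY FILE -> value of KEY with surrounding quotes stripped,
# empty if unset. Full-line "#" comments are ignored; last definition wins.
conf_get() {
    grep -v '^[[:space:]]*#' "$2" \
    | sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" \
    | sed -e 's/[[:space:]]*$//' -e 's/^"\(.*\)"$/\1/' \
    | tail -n 1
}

# audit_conf FILE -> prints one finding per line; returns 0 when clean, 1 otherwise.
audit_conf() {
    rc=0
    if [ "$(conf_get camouflage "$1")" = "true" ]; then
        secret=$(conf_get camouflage_secret "$1")
        # assumption: "mysecretkey" is the placeholder from ocserv's sample config
        if [ -z "$secret" ] || [ "$secret" = "mysecretkey" ]; then
            echo "camouflage is enabled but camouflage_secret is empty or the sample placeholder; set a unique secret"
            rc=1
        fi
    fi
    if [ "$(conf_get listen-proxy-proto "$1")" = "true" ]; then
        echo "listen-proxy-proto is on: restrict the port to the proxy, otherwise a direct client can supply its own PROXY header and spoof the logged source address"
        rc=1
    fi
    return $rc
}

# Constructed ocserv.conf fragment for the demo (not this image's real default).
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
# sample config
auth = "plain[passwd=/etc/ocserv/ocpasswd]"
tcp-port = 443
udp-port = 443
listen-proxy-proto = true
camouflage = true
camouflage_secret = "mysecretkey"
camouflage_realm = "Restricted Content"
EOF

audit_conf "$SAMPLE" || echo "audit found issues in $SAMPLE"
```

Run it against your mounted config instead of the sample by calling audit_conf with that path.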

Client

You can use the Cisco AnyConnect client or Cisco Secure Client to connect to the server, or use the openconnect client by following these steps.

  • prepare connect and disconnect scripts and save them somewhere in your user space:

    anyconnect.sh

    #!/bin/bash
    
    # start openconnect in the background (-b), quietly (-q), reading the
    # username and password from the here-document on stdin
    sudo openconnect -b -q --protocol=anyconnect <your-domain> << delimiter
    <your-username>
    <your-password>
    delimiter

    kill-anyconnect.sh

    #!/bin/bash
    
    # terminate the background openconnect process
    sudo pkill openconnect
  • create a soft link to the script as a system command:

    sudo ln -s <your-script.sh> /usr/local/bin/<command-you-want>

See more usage: openconnect --help

IPv6 support

Please make sure your docker service has IPv6 support enabled; if not, you can add the config below to your docker daemon settings in /etc/docker/daemon.json:

{
  "experimental": true,
  "ip6tables": true
}

then, restart your docker service:

sudo systemctl restart docker.service

The ocserv server should work now.

If you want, you can add settings to assign a default IPv6 subnet:

{
  "experimental": true,
  "ip6tables": true,
  "ipv6": true,
  "fixed-cidr-v6": "2001:db8:1::/64"
}

Resolving IPv6 domain errors

You may see this error when you connect to the server with Cisco Secure Client, especially when your server is IPv6 only. It can be caused by your DNS settings, IPv4/IPv6 weighting settings, etc. The easy way to work around it is to edit your hosts file. For example, on Windows you can open C:\Windows\System32\drivers\etc\hosts and add the following content:

2406:da12:3456:7890:1abc:1:2 vpn.example.com
18.111.222.333 vpn.example.com

Certificate application error

If you apply for certificates in an IPv6-only network and you have provided an email address to subscribe to mail notifications, you will see a network connection error after the certificates are generated. This is because the Let's Encrypt email subscription service does not support IPv6 access.


References


Known issues