
Commit

added more comments
PandaRyshan committed May 11, 2024
1 parent ade0949 commit 2d54083
Showing 2 changed files with 37 additions and 14 deletions.
14 changes: 10 additions & 4 deletions README.md
Expand Up @@ -4,9 +4,11 @@

## Description

This repo combines [ocserv](https://ocserv.gitlab.io/www/recipes.html) VPN server and [certbot](https://eff-certbot.readthedocs.io/en/stable/using.html#) in one image, allowing users to use secure VPN service and request or renew cert automatically. The certbot-dns-cloudflare plugin is installed by default.
This repo combines [ocserv](https://ocserv.openconnect-vpn.net/) VPN server and [certbot](https://certbot.eff.org/) in one image, allowing users to use secure VPN service and request or renew cert automatically. The certbot-dns-cloudflare plugin is installed by default.

This image provided a default config in `/etc/ocserv/ocserv.conf`. If you don't mount a conf file, it will generate a new one. And [ENV file](https://github.com/PandaRyshan/ocserv/blob/main/.env) is used to request a Letsencrypt certificate and create a default username. If no ENV is provided, the ocserv service will be started with a locally generated certificate.
This image provided a default config in `/etc/ocserv/ocserv.conf`. If you don't mount a conf file, it will generate a new one. And [ENV file](https://github.com/PandaRyshan/ocserv/blob/main/.env) is used to request a Let's Encrypt certificate and create a default username. If no ENV is provided, the ocserv service will generate a self-signed certificate.

The default ocserv config I provided is designed to offer a basic, out-of-box VPN environment. It doesn't include additional config for internal resources access control, user authentication, user management, auditing, etc. And camouflage feature default is disabled in the config, you can enable it and set a secret string for it if you need. For more features and settings, please refer to the [offical documention](https://ocserv.openconnect-vpn.net/ocserv.8.html).

The latest version is 1.3.0, and dockerhub page is [here](https://ocserv.gitlab.io/www/download.html).

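Review bot: the new paragraph starting "The default ocserv config I provided" has "offical documention" (should be "official documentation") and the sentence "And camouflage feature default is disabled in the config, you can enable it and set a secret string for it if you need" is a run-on; suggest "The camouflage feature is disabled by default in the config; enable it and set your own secret string if you need it." In the rewritten line above it, "This image provided a default config" should read "provides". While the links are being migrated off ocserv.gitlab.io in this commit, the unchanged line "The latest version is 1.3.0, and dockerhub page is [here](https://ocserv.gitlab.io/www/download.html)" still points the words "dockerhub page" at the ocserv download page rather than a Docker Hub page; either link the image's registry page or drop the word "dockerhub".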
Expand Down Expand Up @@ -103,12 +105,16 @@ Maybe you will see the error when you connect to the server with your Cisco Secu
18.111.222.333 vpn.example.com
```
### Certificate application error
If you see an error when you are applying for certificates in an IPv6 only network, and you have provided an email address to subscribe the mail notification, there will be an network connection error after the certificates generated. This is because the [Let's Encrypt email subscription service](https://supporters.eff.org/subscribe/certbot) dose not support IPv6 access.
---
## References
* [Recipes for Openconnect VPN - Official](https://ocserv.gitlab.io/www/recipes.html)
* [Openconnect VPN Manual - Official](https://ocserv.gitlab.io/www/manual.html)
* [Openconnect VPN Manual - Official](https://ocserv.openconnect-vpn.net/ocserv.8.html)
* [Recipes for Openconnect VPN - Official](https://docs.openconnect-vpn.net/recipes/)
* [Ocserv Advanced](https://www.linuxbabe.com/linux-server/ocserv-openconnect-vpn-advanced)
* [Block Visitors by Country Using Firewall](https://www.ip2location.com/free/visitor-blocker)
* [ocserv changelog](https://ocserv.gitlab.io/www/changelog.html)
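Review bot: in the "Certificate application error" paragraph, "dose not support IPv6 access" should be "does not", and the link labelled "Let's Encrypt email subscription service" points at https://supporters.eff.org/subscribe/certbot, which is the EFF's subscriber endpoint that certbot registers the address with, not a Let's Encrypt service; say "the EFF subscription service certbot uses" so readers do not file this against Let's Encrypt. The "---" that follows that paragraph has no blank line before it: under CommonMark/GFM a line of dashes directly under paragraph text is a setext heading underline, so the whole paragraph renders as an H2 instead of a horizontal rule. Insert a blank line before "---". In the references, the manual and recipes links moved to ocserv.openconnect-vpn.net and docs.openconnect-vpn.net, but the changelog entry is still on ocserv.gitlab.io; check whether it should move with them.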
37 changes: 27 additions & 10 deletions docker-entrypoint.sh
Expand Up @@ -38,6 +38,7 @@ if [[ ! -f "/etc/ocserv/ocserv.conf" ]]; then
dtls-legacy = false
cisco-client-compat = false
# tun device name
device = vpns
# Prior to leasing any IP from the pool ping it to verify that
Expand Down Expand Up @@ -97,23 +98,39 @@ if [[ ! -f "/etc/ocserv/ocserv.conf" ]]; then
# Uncomment if you are using haproxy
# listen-proxy-proto = true
# Uncomment to enable compression negotiation (LZS, LZ4)
# And set minimum under a packet will not be compressed.
# Compression is designed to save bandwidth, but it can be
# bring a little latency. The default size is 256 bytes,
# to avoid latency for VoIP packets. Modify it if the clients
# typically use compression as well of VoIP with codecs that
# exceed the default value.
# Uncomment to enable compression negotiation (LZS, LZ4) and set minimum
# under a packet will not be compressed.
# Compression is designed to save bandwidth, but it can be bring a little latency.
# The default size is 256 bytes, to avoid latency for VoIP packets.
# Modify it if the clients typically use compression as well of VoIP with codecs
# that exceed the default value.
# compression = true
# no-compress-limit = 256
# Enable camouflage feature that make vpn service look like a web server.
# Connection to the vpn can be established only if the client provided a specific secret string,
# other wise the server will return HTTP error for all requests.
camouflage = false
# The URL prefix that should be set on the client (after '?' sign) to pass through the camouflage check,
# e.g. in case of 'mysecretkey', the server URL on the client should be like "https://example.com/?mysecretkey".
camouflage_secret = "thegreatwall"
# Defines the realm (browser prompt) for HTTP authentication.
# If no realm is set, the server will return 404 Not found error instead of 401 Unauthorized.
# Better change it from the default value to avoid fingerprinting.
camouflage_realm = "Restricted Content"
# enable occtl tool
use-occtl = true
# default 0/2 info leavel, 1 basic, 3 debug, 4 http, 8 sensitive, 9 tls
log-level = 1
EOCONF

fi

# Create certs if no local or letsencrypt certs
# Create certs if no certs are provided
if [[ ! -f "/etc/ocserv/server.cert" ]] && [[ ! -f "/etc/letsencrypt/live/$DOMAIN/fullchain.pem" ]]; then

IPV4=$(timeout 3 curl -s https://ipinfo.io/ip || echo "")
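Review bot: the generated config hard-codes `camouflage_secret = "thegreatwall"` and `camouflage_realm = "Restricted Content"`. A secret committed to a public repository gives no protection the moment a user flips `camouflage = false` to `true` without reading further, and "Restricted Content" is exactly the default realm the comment two lines above tells users to change to avoid fingerprinting, so as written the file contradicts its own advice. Suggest leaving both lines commented out, as the compression block above does, or having the entrypoint fill `camouflage_secret` with a freshly generated random string so that each container gets a unique value. Wording in the new comments: "it can be bring a little latency" should be "it can add a little latency", "as well of VoIP with codecs" should be "as well as VoIP with codecs", and "other wise" should be "otherwise".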
Expand Down Expand Up @@ -202,7 +219,7 @@ if [[ ! -f "/etc/ocserv/server.cert" ]] && [[ ! -f "/etc/letsencrypt/live/$DOMAI

fi

# Create init user for PAM authentication
# Create random initial user if no PAM user file is provided
if [[ ! -f "/etc/ocserv/ocpasswd" ]]; then

if [[ -z $USERNAME ]] && [[ -z $PASSWORD ]]; then
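Review bot: `/etc/ocserv/ocpasswd` is the password file for ocserv's plain authentication backend (`auth = "plain[passwd=/etc/ocserv/ocpasswd]"`), not a PAM user file, so the rewritten comment still mislabels it; suggest "Create a random initial user if no ocpasswd file is provided". Separately, the visible condition `[[ -z $USERNAME ]] && [[ -z $PASSWORD ]]` takes the random-user path only when both variables are empty, so a deployment that sets `USERNAME` but forgets `PASSWORD` falls through to the other branch; confirm that branch refuses to create a user with an empty password rather than silently doing so.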
Expand All @@ -223,7 +240,7 @@ fi

# Enable NAT forwarding
# if you want to specific translate ip, uncomment the following line, -j MASQUERADE is dynamic way
# iptables -t nat -A POSTROUTING -s 192.168.100.0/24 -j SNAT --to-source $(hostname -I)
# iptables -t nat -A POSTROUTING -s 172.20.0.0/24 -j SNAT --to-source $(hostname -I)
iptables -t nat -A POSTROUTING -s 172.20.0.0/24 -j MASQUERADE
ip6tables -t nat -A POSTROUTING -s 2001:db8:2::/64 -j MASQUERADE
iptables -I FORWARD -s 172.20.0.0/24 -j ACCEPT
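Review bot: `$(hostname -I)` prints every address of the container separated by spaces, so the commented SNAT line `iptables -t nat -A POSTROUTING -s 172.20.0.0/24 -j SNAT --to-source $(hostname -I)` fails as soon as the container has more than one address (a second bridge, or an IPv6 address); if the line is meant as a copy-paste template, use `$(hostname -I | cut -d' ' -f1)` or the address of the actual egress interface. The subnet in the comment now matches the MASQUERADE rule below it, which is the right fix. Comment grammar: "if you want to specific translate ip" should read "if you want to translate to a specific source IP, uncomment the following line; -j MASQUERADE picks the address dynamically".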
