From 2d5408339fcdbfb740d0c82ea538287ad9c2646c Mon Sep 17 00:00:00 2001 From: Hu Xiaohong Date: Sat, 11 May 2024 09:56:48 +0800 Subject: [PATCH] added more comments --- README.md | 14 ++++++++++---- docker-entrypoint.sh | 37 +++++++++++++++++++++++++++---------- 2 files changed, 37 insertions(+), 14 deletions(-) diff --git a/README.md b/README.md index d40c4d8..1d64a7f 100644 --- a/README.md +++ b/README.md @@ -4,9 +4,11 @@ ## Description -This repo combines [ocserv](https://ocserv.gitlab.io/www/recipes.html) VPN server and [certbot](https://eff-certbot.readthedocs.io/en/stable/using.html#) in one image, allowing users to use secure VPN service and request or renew cert automatically. The certbot-dns-cloudflare plugin is installed by default. +This repo combines [ocserv](https://ocserv.openconnect-vpn.net/) VPN server and [certbot](https://certbot.eff.org/) in one image, allowing users to use secure VPN service and request or renew cert automatically. The certbot-dns-cloudflare plugin is installed by default. -This image provided a default config in `/etc/ocserv/ocserv.conf`. If you don't mount a conf file, it will generate a new one. And [ENV file](https://github.com/PandaRyshan/ocserv/blob/main/.env) is used to request a Letsencrypt certificate and create a default username. If no ENV is provided, the ocserv service will be started with a locally generated certificate. +This image provided a default config in `/etc/ocserv/ocserv.conf`. If you don't mount a conf file, it will generate a new one. And [ENV file](https://github.com/PandaRyshan/ocserv/blob/main/.env) is used to request a Let's Encrypt certificate and create a default username. If no ENV is provided, the ocserv service will generate a self-signed certificate. + +The default ocserv config I provided is designed to offer a basic, out-of-box VPN environment. It doesn't include additional config for internal resources access control, user authentication, user management, auditing, etc. And camouflage feature default is disabled in the config, you can enable it and set a secret string for it if you need. For more features and settings, please refer to the [offical documention](https://ocserv.openconnect-vpn.net/ocserv.8.html). The latest version is 1.3.0, and dockerhub page is [here](https://ocserv.gitlab.io/www/download.html). @@ -103,12 +105,16 @@ Maybe you will see the error when you connect to the server with your Cisco Secu 18.111.222.333 vpn.example.com ``` +### Certificate application error + +If you see an error when you are applying for certificates in an IPv6 only network, and you have provided an email address to subscribe the mail notification, there will be an network connection error after the certificates generated. This is because the [Let's Encrypt email subscription service](https://supporters.eff.org/subscribe/certbot) dose not support IPv6 access. + --- ## References -* [Recipes for Openconnect VPN - Official](https://ocserv.gitlab.io/www/recipes.html) -* [Openconnect VPN Manual - Official](https://ocserv.gitlab.io/www/manual.html) +* [Openconnect VPN Manual - Official](https://ocserv.openconnect-vpn.net/ocserv.8.html) +* [Recipes for Openconnect VPN - Official](https://docs.openconnect-vpn.net/recipes/) * [Ocserv Advanced](https://www.linuxbabe.com/linux-server/ocserv-openconnect-vpn-advanced) * [Block Visitors by Country Using Firewall](https://www.ip2location.com/free/visitor-blocker) * [ocserv changelog](https://ocserv.gitlab.io/www/changelog.html) diff --git a/docker-entrypoint.sh b/docker-entrypoint.sh index 28f9644..51893b8 100755 --- a/docker-entrypoint.sh +++ b/docker-entrypoint.sh @@ -38,6 +38,7 @@ if [[ ! -f "/etc/ocserv/ocserv.conf" ]]; then dtls-legacy = false cisco-client-compat = false + # tun device name device = vpns # Prior to leasing any IP from the pool ping it to verify that @@ -97,23 +98,39 @@ if [[ ! -f "/etc/ocserv/ocserv.conf" ]]; then # Uncomment if you are using haproxy # listen-proxy-proto = true - # Uncomment to enable compression negotiation (LZS, LZ4) - # And set minimum under a packet will not be compressed. - # Compression is designed to save bandwidth, but it can be - # bring a little latency. The default size is 256 bytes, - # to avoid latency for VoIP packets. Modify it if the clients - # typically use compression as well of VoIP with codecs that - # exceed the default value. + # Uncomment to enable compression negotiation (LZS, LZ4) and set minimum + # under a packet will not be compressed. + # Compression is designed to save bandwidth, but it can be bring a little latency. + # The default size is 256 bytes, to avoid latency for VoIP packets. + # Modify it if the clients typically use compression as well of VoIP with codecs + # that exceed the default value. # compression = true # no-compress-limit = 256 + # Enable camouflage feature that make vpn service look like a web server. + # Connection to the vpn can be established only if the client provided a specific secret string, + # other wise the server will return HTTP error for all requests. + camouflage = false + + # The URL prefix that should be set on the client (after '?' sign) to pass through the camouflage check, + # e.g. in case of 'mysecretkey', the server URL on the client should be like "https://example.com/?mysecretkey". + camouflage_secret = "thegreatwall" + + # Defines the realm (browser prompt) for HTTP authentication. + # If no realm is set, the server will return 404 Not found error instead of 401 Unauthorized. + # Better change it from the default value to avoid fingerprinting. + camouflage_realm = "Restricted Content" + + # enable occtl tool use-occtl = true + + # default 0/2 info leavel, 1 basic, 3 debug, 4 http, 8 sensitive, 9 tls log-level = 1 EOCONF fi -# Create certs if no local or letsencrypt certs +# Create certs if no certs are provided if [[ ! -f "/etc/ocserv/server.cert" ]] && [[ ! -f "/etc/letsencrypt/live/$DOMAIN/fullchain.pem" ]]; then IPV4=$(timeout 3 curl -s https://ipinfo.io/ip || echo "") @@ -202,7 +219,7 @@ if [[ ! -f "/etc/ocserv/server.cert" ]] && [[ ! -f "/etc/letsencrypt/live/$DOMAI fi -# Create init user for PAM authentication +# Create random initial user if no PAM user file is provided if [[ ! -f "/etc/ocserv/ocpasswd" ]]; then if [[ -z $USERNAME ]] && [[ -z $PASSWORD ]]; then @@ -223,7 +240,7 @@ fi # Enable NAT forwarding # if you want to specific translate ip, uncomment the following line, -j MASQUERADE is dynamic way -# iptables -t nat -A POSTROUTING -s 192.168.100.0/24 -j SNAT --to-source $(hostname -I) +# iptables -t nat -A POSTROUTING -s 172.20.0.0/24 -j SNAT --to-source $(hostname -I) iptables -t nat -A POSTROUTING -s 172.20.0.0/24 -j MASQUERADE ip6tables -t nat -A POSTROUTING -s 2001:db8:2::/64 -j MASQUERADE iptables -I FORWARD -s 172.20.0.0/24 -j ACCEPT