How to install ocserv (OpenConnect server, a free AnyConnect-compatible alternative to Cisco's VPN server) on Ubuntu 14.04
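# This gist is a procedure write-up, not an installer: the guard below exits
# before any command runs. Copy the steps by hand, as root, on the server.
echo "This gist have not to be executed directly" >&2
exit 0
# Process of installing ocserv 0.10.10 in Ubuntu 14.04.
# Thanks to http://fewspider.github.io/2015/08/16/ubuntu-ocserv-deploy.html
# Download ocserv:
# Plain FTP gives no transport integrity, so check the archive against the
# signature or checksum the project publishes before building it, e.g.
#   gpg --verify <SIGNATURE_FILE> ocserv-0.10.10.tar.xz
wget ftp://ftp.infradead.org/pub/ocserv/ocserv-0.10.10.tar.xz
tar -xf ocserv-0.10.10.tar.xz
# Install dependencies
apt-get install gnutls-bin build-essential pkg-config libgnutls28-dev libwrap0-dev libpam0g-dev libseccomp-dev libreadline-dev libnl-route-3-dev
# Compile ocserv (installs under /usr/local)
cd ocserv-0.10.10/ || exit 1
./configure
make
make install
# Create configuration directory
mkdir -p /etc/ocserv
cd /etc/ocserv || exit 1
# Generate authentication file: prompts for the user's password and writes
# /etc/ocserv/ocpasswd, which the `auth` line in the config points at.
ocpasswd A_USER_NAME
# Create certificates. The CA is self-signed and private to this server;
# ca-cert.pem is what clients import, ca-key.pem must never leave the host.
cat << '_EOF_' > ca.tmpl
cn = "fff"
organization = "fff"
serial = 1
expiration_days = 3650
ca
signing_key
cert_signing_key
crl_signing_key
_EOF_
certtool --generate-privkey --outfile ca-key.pem
certtool --generate-self-signed --load-privkey ca-key.pem --template ca.tmpl --outfile ca-cert.pem
# cn must be exactly the name or IP clients connect to, otherwise they get a
# hostname-mismatch error even after importing ca-cert.pem.
cat << '_EOF_' > server.tmpl
cn = "YOUR DNS OR VPS IP ADDRESS"
organization = "fff"
expiration_days = 3650
signing_key
encryption_key
tls_www_server
_EOF_
certtool --generate-privkey --outfile server-key.pem
certtool --generate-certificate --load-privkey server-key.pem --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem --template server.tmpl --outfile server-cert.pem
# Private keys are read by the root ocserv process only; keep them root-only.
chmod 600 ca-key.pem server-key.pem
# Copy config file (the tarball was extracted in $HOME above)
cp ~/ocserv-0.10.10/doc/sample.config config
# EDIT config file as follow:
auth = "plain[passwd=/etc/ocserv/ocpasswd]"
server-cert = /etc/ocserv/server-cert.pem
server-key = /etc/ocserv/server-key.pem
ca-cert = /etc/ocserv/ca-cert.pem
tcp-port = 443
udp-port = 443
dns = 8.8.8.8
dns = 8.8.4.4
# comment out all route fields: with no `route` lines ocserv pushes a default
# route, so every client packet goes through the tunnel (full tunnel)
#route = 10.10.10.0/255.255.255.0
#route = 192.168.0.0/255.255.0.0
#route = fef4:db8:1000:1001::/64
#no-route = 192.168.5.0/255.255.255.0
try-mtu-discovery = true
cisco-client-compat = true
###################### END EDIT CONFIG
# EDIT /etc/sysctl.conf as follow:
net.ipv4.ip_forward=1
###################### END EDIT /etc/sysctl.conf
# Apply changes to sysctl
sysctl -p /etc/sysctl.conf
# Config iptables
# Allow the VPN listener on 443/tcp and 443/udp.
iptables -t filter -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
iptables -t filter -A INPUT -p udp -m udp --dport 443 -j ACCEPT
# NAT only the client pool toward the uplink. A bare `-j MASQUERADE` with no
# -s/-o rewrites every forwarded packet from any source, which makes the host
# an open NAT relay for any other routed traffic that reaches it.
# VPN_POOL is the client range (`ipv4-network`/`ipv4-netmask` in config, left
# at the sample.config default above); WAN_IFACE is the Internet-facing
# interface. Both must be set explicitly, otherwise the rule is not added.
iptables -t nat -A POSTROUTING -s "${VPN_POOL:?client pool CIDR from config}" -o "${WAN_IFACE:?uplink interface}" -j MASQUERADE
# If the FORWARD chain policy is DROP, also permit the pool explicitly:
#   iptables -A FORWARD -s "$VPN_POOL" -o "$WAN_IFACE" -j ACCEPT
#   iptables -A FORWARD -d "$VPN_POOL" -i "$WAN_IFACE" -m state --state ESTABLISHED,RELATED -j ACCEPT
# Run debuggable process to test evertything. Remove `-f -d 1` to run it as daemon
ocserv --config=/etc/ocserv/config -f -d 1
# Copy ca-cert.pem to your client to prevent certificate authority error.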