Console log for building and configuring ocserv (OpenConnect VPN server) on Debian wheezy: private CA and certificates, AnyConnect client profile, and ufw NAT/forwarding rules
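#!/usr/bin/env bash
# Build ocserv from source on Debian wheezy and configure it: a private CA,
# a server certificate, an optional client certificate, an initially empty
# CRL, an AnyConnect client profile, and ufw rules for port 443 plus NAT for
# the VPN client pool.
#
# Run as root. Two steps are interactive (vim for the init script and
# ocserv.conf); ocpasswd prompts for the new user's password.
#
# Do this by hand BEFORE running the script:
#   /etc/default/ufw      DEFAULT_FORWARD_POLICY="ACCEPT"
#   /etc/ufw/sysctl.conf  net/ipv4/ip_forward=1
#                         net/ipv6/conf/default/forwarding=1
#
# Required environment:
#   OCSERV_SHA256  sha256 of ocserv-${OCSERV_VERSION}.tar.xz as published
#                  upstream. The tarball is fetched over plain FTP, so it is
#                  verified against this value before anything is built.
# Optional environment (defaults match the original setup):
#   OCSERV_VERSION, VPN_HOST, VPN_SUBNET, WAN_IF, PKI_DIR
set -euo pipefail

readonly OCSERV_VERSION=${OCSERV_VERSION:-0.8.1}   # latest at the time of writing
readonly OCSERV_URL="ftp://ftp.infradead.org/pub/ocserv/ocserv-${OCSERV_VERSION}.tar.xz"
readonly VPN_HOST=${VPN_HOST:-us.qzhou.in}          # name clients connect to
readonly VPN_SUBNET=${VPN_SUBNET:-10.88.0.0/24}     # client pool that is masqueraded
readonly WAN_IF=${WAN_IF:-eth0}                     # interface the pool leaves through
readonly PKI_DIR=${PKI_DIR:-/root/ocserv-pki}       # CA material, root-only

if (( EUID != 0 )); then
  printf 'this script must run as root\n' >&2
  exit 1
fi
: "${OCSERV_SHA256:?set OCSERV_SHA256 to the upstream sha256 of ocserv-${OCSERV_VERSION}.tar.xz}"

# Clamp the MSS of forwarded TCP to the path MTU so tunnelled connections do
# not stall on hosts that drop ICMP "fragmentation needed".
# NOTE: this is a live iptables rule only; ufw does not persist it, so it is
# lost on reboot unless also added to /etc/ufw/before.rules.
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

# --- build dependencies ---
# libgnutls28-dev is only in wheezy-backports. A plain-http mirror is fine
# here: apt verifies the signed Release file. The entry is added only once.
backports='deb http://ftp.debian.org/debian wheezy-backports main contrib non-free'
grep -qxF -- "$backports" /etc/apt/sources.list \
  || printf '%s\n' "$backports" >> /etc/apt/sources.list
aptitude update
aptitude -y install build-essential
aptitude -t wheezy-backports -y install libgnutls28-dev
aptitude -y install libgmp3-dev m4 gcc pkg-config make gnutls-bin libreadline-dev

# --- ocserv: fetch, verify, build, install ---
wget -- "$OCSERV_URL"
# Refuse to build an unverified tarball (FTP gives no integrity guarantee).
printf '%s  ocserv-%s.tar.xz\n' "$OCSERV_SHA256" "$OCSERV_VERSION" | sha256sum -c -
tar xvf "ocserv-${OCSERV_VERSION}.tar.xz"
cd "ocserv-${OCSERV_VERSION}"
./configure --prefix=/usr --sysconfdir=/etc
make
make install

# --- private CA, server cert, optional client cert, CRL ---
# umask 077 so every key certtool writes is created root-only (0600) instead
# of world-readable under the default umask. Restored to 022 below so files
# that must be readable by others (profile.xml) are not affected.
umask 077
mkdir -p -m 0700 -- "$PKI_DIR"
cd "$PKI_DIR"

# certtool uses its default key type/size here; pass --sec-param high if a
# larger key is wanted.
certtool --generate-privkey --outfile ca-key.pem
cat > ca.tmpl <<'_EOF_'
cn = "Khazad-dum"
organization = "Mines Of Moria"
serial = 1
expiration_days = 3650
ca
signing_key
cert_signing_key
crl_signing_key
_EOF_
certtool --generate-self-signed --load-privkey ca-key.pem --template ca.tmpl --outfile ca-cert.pem

# The server certificate must carry the name clients connect to (the profile's
# HostAddress below); otherwise every client sees a name mismatch and the
# only way to connect is to disable strict certificate trust.
cat > server.tmpl <<_EOF_
cn = "${VPN_HOST}"
dns_name = "${VPN_HOST}"
organization = "Mines Of Moria"
serial = 2
expiration_days = 3650
signing_key
encryption_key
tls_www_server
_EOF_
certtool --generate-privkey --outfile server-key.pem
certtool --generate-certificate --load-privkey server-key.pem --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem --template server.tmpl --outfile server-cert.pem

# -- USER KEY, not mandatory: a client certificate for certificate auth --
certtool --generate-privkey --outfile user-key.pem
cat > user.tmpl <<'_EOF_'
cn = "Iron Foot"
unit = "Spawns"
serial = 1001
expiration_days = 3650
signing_key
tls_www_client
_EOF_
certtool --generate-certificate --load-privkey user-key.pem --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem --template user.tmpl --outfile user-cert.pem

# Initially empty CRL. crl_next_update is in days; 999 means relying parties
# will accept this CRL for well over two years, so regenerate it (bumping
# crl_number) whenever a certificate is revoked.
cat > crl.tmpl <<'_EOF_'
crl_next_update = 999
crl_number = 1
_EOF_
certtool --generate-crl --load-ca-privkey ca-key.pem --load-ca-certificate ca-cert.pem --template crl.tmpl --outfile crl.pem
# To revoke a client later, collect its certificate(s) in revoked.pem and
# regenerate with --load-certificate, e.g.:
#   cat user-cert.pem >> revoked.pem
#   certtool --generate-crl --load-ca-privkey ca-key.pem --load-ca-certificate ca-cert.pem \
#     --load-certificate revoked.pem --template crl.tmpl --outfile crl.pem

install -m 0644 ca-cert.pem     /etc/ssl/certs/ca-cert.pem
install -m 0644 server-cert.pem /etc/ssl/certs/server-cert.pem
install -m 0600 server-key.pem  /etc/ssl/private/server-key.pem
# ocserv itself only needs the server key and the CA *certificate*. The CA
# private key signs client certs and the CRL; it is installed root-only here
# to match the original layout, but it is safer kept off the gateway entirely.
install -m 0600 ca-key.pem      /etc/ssl/private/ca-key.pem
umask 022

# --- AnyConnect client profile ---
mkdir -p /etc/ocserv
# StrictCertificateTrust=false lets clients proceed past a server certificate
# they cannot validate. Once ca-cert.pem is installed on the clients, set it
# to true so a spoofed server is rejected rather than click-through accepted.
cat > /etc/ocserv/profile.xml <<_EOF_
<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/ AnyConnectProfile.xsd">
<ClientInitialization>
<AutoUpdate>true</AutoUpdate>
<BypassDownloader>true</BypassDownloader>
<UseStartBeforeLogon>false</UseStartBeforeLogon>
<StrictCertificateTrust>false</StrictCertificateTrust>
<RestrictPreferenceCaching>false</RestrictPreferenceCaching>
<RestrictTunnelProtocols>IPSec</RestrictTunnelProtocols>
<CertEnrollmentPin>pinAllowed</CertEnrollmentPin>
<CertificateMatch>
<KeyUsage>
<MatchKey>Digital_Signature</MatchKey>
</KeyUsage>
<ExtendedKeyUsage>
<ExtendedMatchKey>ClientAuth</ExtendedMatchKey>
</ExtendedKeyUsage>
</CertificateMatch>
</ClientInitialization>
<ServerList>
<HostEntry>
<HostName>Khaza-dum</HostName>
<HostAddress>${VPN_HOST}</HostAddress>
</HostEntry>
</ServerList>
</AnyConnectProfile>
_EOF_

# --- init script and server config (interactive) ---
# Paste ocserv.init.sh into the init script, then point ocserv.conf at the
# certificates installed above (server cert/key under /etc/ssl, ca-cert.pem
# for client-cert auth, ${PKI_DIR}/crl.pem) and at /etc/ocserv/profile.xml.
vim /etc/init.d/ocserv
chmod +x /etc/init.d/ocserv
vim /etc/ocserv/ocserv.conf
update-rc.d ocserv defaults

# --- firewall ---
ufw allow 443/tcp
ufw allow 443/udp
# Masquerade the VPN client pool out of the WAN interface. Appended once; a
# second table after the filter section's COMMIT is accepted when ufw loads
# before.rules.
if ! grep -qF -- "-s ${VPN_SUBNET} -o ${WAN_IF} -j MASQUERADE" /etc/ufw/before.rules; then
  cat >> /etc/ufw/before.rules <<_EOF_
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s ${VPN_SUBNET} -o ${WAN_IF} -j MASQUERADE
COMMIT
_EOF_
fi
# Re-read before.rules and sysctl.conf. 'ufw enable' may prompt when run over ssh.
ufw disable && ufw enable

# First VPN user for password auth (prompts for the password).
ocpasswd newuser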