├── .github
│   ├── dependabot.yml
│   └── workflows
│       └── build.yml
├── .gitmodules
├── Dockerfile
├── LICENSE
├── README.md
└── docker-compose.yml

/.github/dependabot.yml:
--------------------------------------------------------------------------------
# Dependabot configuration. It tracks the three supply-chain inputs of this
# image: the GitHub Actions used by .github/workflows/build.yml, the FROM image
# in the Dockerfile, and the ocserv submodule declared in .gitmodules.
version: 2
updates:
  # Action version tags referenced by build.yml.
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "daily"

  # The docker.io/library/alpine base image tag in the Dockerfile.
  - package-ecosystem: "docker"
    directory: "/"
    schedule:
      interval: "daily"

  # The vendor/gitlab.com/openconnect/ocserv submodule from .gitmodules.
  # NOTE(review): the Dockerfile does not build this checkout; it clones ocserv
  # from upstream at build time instead (see the note on the Dockerfile RUN).
  - package-ecosystem: "gitsubmodule"
    directory: "/"
    schedule:
      interval: "daily"
--------------------------------------------------------------------------------

/.github/workflows/build.yml:
--------------------------------------------------------------------------------
# Builds the multi-arch ocserv image and pushes it to GHCR.
#
# NOTE(review): there is no top-level `permissions:` block, so the job runs with
# whatever default GITHUB_TOKEN scope the repository grants. Pushing to ghcr.io
# needs `packages: write` (plus `contents: read` for checkout); declaring
# exactly that would keep the token at least privilege.
# NOTE(review): actions are referenced by major-version tag (@v4, @v5, ...).
# Dependabot keeps them current, but pinning to a commit SHA is the stricter
# supply-chain posture and dependabot can keep SHA pins updated as well.
name: build

on:
  # Every branch push, semver tags (v*.*.*), and every pull request.
  push:
    branches:
      - '**'
    tags:
      - 'v*.*.*'
  pull_request:
    branches:
      - '**'

# One in-flight run per workflow+ref; a newer push cancels the older run.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

jobs:
  build:
    name: Build

    runs-on: ubuntu-latest

    steps:
      - name: Checkout
        uses: actions/checkout@v4

      # Derives image tags and OCI labels from the triggering ref:
      #   type=edge      default-branch builds
      #   type=ref       branch name, or pr-N for pull requests
      #   type=schedule  only fires on a `schedule:` trigger, which is not
      #                  defined above, so this entry is currently inert
      #   type=semver    X.Y.Z, X.Y and (for v1+ tags only) X from a vX.Y.Z tag
      - name: Docker Metadata
        id: docker-metadata
        uses: docker/metadata-action@v5
        with:
          images: |
            ghcr.io/${{ github.repository }}
          tags: |
            type=edge
            type=ref,event=branch
            type=ref,event=pr
            type=schedule
            type=semver,pattern={{version}}
            type=semver,pattern={{major}}.{{minor}}
            type=semver,pattern={{major}},enable=${{ !startsWith(github.ref, 'refs/tags/v0.') }}

      # QEMU + Buildx are required for the linux/arm64 half of the build below.
      - name: Set up QEMU
        uses: docker/setup-qemu-action@v3

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      # Authenticates with the job's GITHUB_TOKEN. This step also runs for pull
      # requests even though nothing is pushed for them (see `push:` below).
      - name: Login to GitHub Container Registry
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ github.token }}

      # Push only for non-PR events and never for dependabot-authored runs
      # (presumably because those runs get a read-only token); pull requests
      # get a build-only check.
      - name: Build and push
        uses: docker/build-push-action@v6
        with:
          context: .
          platforms: linux/amd64,linux/arm64
          push: ${{ github.event_name != 'pull_request' && github.actor != 'dependabot[bot]' }}
          tags: ${{ steps.docker-metadata.outputs.tags }}
          labels: ${{ steps.docker-metadata.outputs.labels }}
--------------------------------------------------------------------------------

/.gitmodules:
--------------------------------------------------------------------------------
# Vendored upstream ocserv source, pinned to a commit by the superproject and
# bumped by dependabot (gitsubmodule ecosystem).
# NOTE(review): the Dockerfile does not use this checkout; it runs
# `git clone --depth 1` against the same URL at build time instead, so the
# submodule pin does not determine what ends up in the image.
[submodule "vendor/gitlab.com/openconnect/ocserv"]
	path = vendor/gitlab.com/openconnect/ocserv
	url = https://gitlab.com/openconnect/ocserv.git
--------------------------------------------------------------------------------

/Dockerfile:
--------------------------------------------------------------------------------
# ocserv (OpenConnect VPN server) built from upstream source on Alpine, plus
# the certrdn helper the entrypoint uses to map certificate CNs to accounts.
#
# The base image is pinned to an exact tag; dependabot's docker ecosystem bumps
# it. NOTE(review): a tag can be re-pushed; pinning by digest
# (alpine:3.22.0@sha256:<DIGEST-PLACEHOLDER>) makes the base immutable.
FROM docker.io/library/alpine:3.22.0

# Single layer, in order:
#   1. Runtime libraries (gnutls, PAM, radius client, seccomp, ... and `shadow`,
#      which provides the useradd used by the entrypoint).
#   2. Build toolchain as the virtual package .build-deps so it can be purged.
#   3. Clone, build and `make install` ocserv from its upstream default branch.
#   4. Generate /etc/ocserv/ocserv.conf from upstream's doc/sample.config:
#        - drop everything from the first [vhost:...] section to end of file
#        - comment out auth/max-same-clients/default-domain/dns/route/no-route
#          so only the values re-added below are active
#        - auth = "certificate" (client certificates, no password auth) and
#          acct = "pam" inserted after the sample's #acct line
#        - server-cert/server-key/ca-cert under /etc/ocserv/certs (populated
#          by the entrypoint)
#        - try-mtu-discovery = true
#        - cert-user-oid = 2.5.4.3 (CN): the client cert's CN is the username
#        - compression enabled (it is commented out in the upstream sample) —
#          NOTE(review): confirm this is intended
#        - tls-priorities: 256/128-bit suites only; TLS 1.0/1.1, DTLS 1.0,
#          AES-CBC and AES-CCM modes, RSA key exchange and SHA-1 disabled
#        - dns: Cloudflare v4/v6 resolvers pushed to clients
#        - route = default: full-tunnel
#      `tee` writes the file and echoes it into the build log.
#   5. Clone, build and install certrdn (github.com/ntkme/certrdn).
#   6. Purge .build-deps, then `ldd` each installed binary so dangling shared
#      libraries show up in the log, and run `ocserv --version` as a smoke test.
#      NOTE(review): ldd output is informational; it may not fail the build on a
#      "not found" library — confirm.
#
# NOTE(review): both `git clone --depth 1` calls fetch the default-branch HEAD
# with no commit, tag or checksum pin, so the image content depends on whatever
# upstream had at build time and is not reproducible. The ocserv submodule
# vendored in .gitmodules (and tracked by dependabot) is not what gets built.
RUN apk add --no-cache freeradius-client gnutls iptables ip6tables krb5-libs libev libmaxminddb libnl3 libseccomp lz4-libs linux-pam oath-toolkit-liboath readline shadow \
    && apk add --no-cache --virtual .build-deps alpine-sdk autoconf automake freeradius-client-dev gnutls-dev gperf krb5-dev libev-dev libseccomp-dev linux-pam-dev lz4-dev libmaxminddb-dev libnl3-dev oath-toolkit-dev protobuf-c-compiler readline-dev \
    && git clone --depth 1 -- https://gitlab.com/openconnect/ocserv.git \
    && cd ocserv \
    && autoreconf -fiv \
    && ./configure \
    && make \
    && make install \
    && mkdir -p /etc/ocserv \
    && sed -e '/^\[vhost:/,$d' \
           -e '/^auth\|^max-same-clients\|^default-domain\|^dns\|^route\|^no-route/s/^/#/' \
           -e '/^#auth = "certificate"/s/^#//' \
           -e '/^#acct = /a acct = "pam"' \
           -e '/^server-cert = /s/=.*$/= \/etc\/ocserv\/certs\/server-cert.pem/' \
           -e '/^server-key = /s/=.*$/= \/etc\/ocserv\/certs\/server-key.pem/' \
           -e '/^ca-cert = /s/=.*$/= \/etc\/ocserv\/certs\/ca-cert.pem/' \
           -e '/^try-mtu-discovery = /s/=.*$/= true/' \
           -e '/^cert-user-oid = /s/=.*$/= 2.5.4.3/' \
           -e '/^#compression = true/s/^#//' \
           -e '/^tls-priorities = /s/=.*$/= "SECURE256:+SECURE128:-VERS-TLS1.0:-VERS-TLS1.1:-VERS-DTLS1.0:-AES-128-CBC:-AES-128-CCM:-AES-256-CBC:-AES-256-CCM:-RSA:-SHA1"/' \
           -e '/^#dns = /{' \
           -e 'a dns = 1.1.1.1' \
           -e 'a dns = 1.0.0.1' \
           -e 'a dns = 2606:4700:4700::1111' \
           -e 'a dns = 2606:4700:4700::1001' \
           -e '}' \
           -e '/^#route = default/s/^#//' \
           -- doc/sample.config \
       | tee /etc/ocserv/ocserv.conf \
    && cd .. \
    && rm -rf ocserv \
    && git clone --depth 1 -- https://github.com/ntkme/certrdn.git \
    && cd certrdn \
    && autoreconf -fiv \
    && ./configure \
    && make \
    && make install \
    && cd .. \
    && rm -rf certrdn \
    && apk del --purge .build-deps \
    && which occtl ocpasswd ocserv \
       | xargs -n 1 ldd \
    && ocserv --version

# TCP for the TLS control/data channel, UDP for DTLS.
EXPOSE 443/tcp
EXPOSE 443/udp

# Startup script (sh -c; "--" becomes $0 and the CMD arguments become "$@"):
#   1. Require server-cert.pem, server-key.pem and ca-cert.pem under
#      /etc/ocserv/certs. If they are missing but /etc/letsencrypt exists,
#      symlink fullchain/privkey/chain from /etc/letsencrypt/live/$(hostname)
#      into place; if those are missing too, `timeout 10 sleep infinity` fails
#      after 10 s (presumably to avoid a hot restart loop) and the script exits
#      1. Without /etc/letsencrypt it exits 1 immediately.
#   2. For every *.pem under /etc/ocserv/certs, create a non-login system
#      account named after the certificate's CN (certrdn 2.5.4.3); errors are
#      ignored (|| true). Presumably this supplies the account that acct="pam"
#      needs for cert-user-oid = 2.5.4.3. NOTE(review): it also runs on the
#      server certificate, CA certificate and key file linked in step 1 —
#      confirm that creating accounts for those CNs is intended.
#   3. Create /dev/net/tun if the runtime did not provide it (needs CAP_MKNOD).
#      NOTE(review): mode 666 makes the node world-writable inside the
#      container; only relevant if other UIDs run in it.
#   4. Ensure one nat POSTROUTING MASQUERADE rule exists (needs CAP_NET_ADMIN).
#      NOTE(review): the rule has no -s/-o qualifier, so it NATs all traffic
#      forwarded through the container, not just the VPN client subnet.
#   5. exec ocserv in the foreground with the CMD arguments.
ENTRYPOINT ["/bin/sh", "-c", "test -f /etc/ocserv/certs/server-cert.pem -a -f /etc/ocserv/certs/server-key.pem -a -f /etc/ocserv/certs/ca-cert.pem || { test -d /etc/letsencrypt && { test -f /etc/letsencrypt/live/$(hostname)/fullchain.pem -a -f /etc/letsencrypt/live/$(hostname)/privkey.pem -a -f /etc/letsencrypt/live/$(hostname)/chain.pem && mkdir -p /etc/ocserv/certs && ln -sf /etc/letsencrypt/live/$(hostname)/fullchain.pem /etc/ocserv/certs/server-cert.pem && ln -sf /etc/letsencrypt/live/$(hostname)/privkey.pem /etc/ocserv/certs/server-key.pem && ln -sf /etc/letsencrypt/live/$(hostname)/chain.pem /etc/ocserv/certs/ca-cert.pem || timeout 10 sleep infinity; }; } || exit 1 && find /etc/ocserv/certs -name '*.pem' -exec sh -c 'useradd -d /dev/null -g nogroup -r -s /sbin/nologin \"$(certrdn 2.5.4.3 \"$1\")\"' -- {} \\; || true && test -c /dev/net/tun || { mkdir -p /dev/net && mknod -m 666 /dev/net/tun c 10 200; } && iptables --table nat --check POSTROUTING --jump MASQUERADE || iptables --table nat --append POSTROUTING --jump MASQUERADE && exec ocserv -f \"$@\"", "--"]
# Default arguments for the entrypoint: the config generated at build time.
CMD ["-c", "/etc/ocserv/ocserv.conf"]
--------------------------------------------------------------------------------

/LICENSE:
--------------------------------------------------------------------------------
MIT License

Copyright (c) 2021 なつき

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
--------------------------------------------------------------------------------

/README.md:
--------------------------------------------------------------------------------
# ocserv

<!-- MKNOD and NET_RAW are part of Docker's default capability set, so
     NET_ADMIN (needed for the entrypoint's iptables MASQUERADE rule) is the
     only real addition unless the host runs containers with --cap-drop ALL.
     The container hostname must equal the /etc/letsencrypt/live/<name>
     directory the entrypoint symlinks from; the volume is mounted read-only. -->
``` sh
docker run -d \
  --cap-add MKNOD \
  --cap-add NET_ADMIN \
  --cap-add NET_RAW \
  --hostname $(hostname -f) \
  --publish 443:443/tcp \
  --publish 443:443/udp \
  --volume /etc/letsencrypt:/etc/letsencrypt:ro \
  ghcr.io/ntkme/ocserv:edge
```
--------------------------------------------------------------------------------

/docker-compose.yml:
--------------------------------------------------------------------------------
# Two-service stack: ocserv plus a certbot sidecar that issues and renews the
# Let's Encrypt certificate the ocserv entrypoint symlinks at startup.
# The `version:` key is ignored (with a warning) by Compose v2.
version: "3.8"
services:
  ocserv:
    image: ghcr.io/ntkme/ocserv:edge
    # Must match the ./etc/letsencrypt/live/<hostname> directory name; $HOSTNAME
    # is interpolated from the environment running `docker compose`.
    hostname: $HOSTNAME
    # NET_ADMIN for the iptables NAT rule; MKNOD and NET_RAW are default caps.
    cap_add:
      - NET_ADMIN
    ports:
      - "443:443/tcp"
      - "443:443/udp"
    # Read-only: ocserv only reads the live/ symlinks, certbot owns the tree.
    volumes:
      - "./etc/letsencrypt:/etc/letsencrypt:ro"
    restart: always
    depends_on:
      - certbot
  certbot:
    image: ghcr.io/ntkme/certbot:edge
    hostname: $HOSTNAME
    # Port 80 for the HTTP-01 challenge.
    ports:
      - "80:80/tcp"
    volumes:
      - "./etc/letsencrypt:/etc/letsencrypt"
      # NOTE(review): mounting the Docker socket gives this container full
      # control of the daemon, which is equivalent to root on the host.
      # Presumably used to restart/signal ocserv after renewal; a socket proxy
      # limited to the needed endpoints would reduce that exposure.
      - "/var/run/docker.sock:/var/run/docker.sock"
    restart: always
--------------------------------------------------------------------------------