├── README.md
├── ocserv-2fa.md
├── ocserv-ad-authentication.md
├── ocserv-authentication-pam.md
├── ocserv-authentication-radius-radcli.md
├── ocserv-certificates-letsencrypt.md
├── ocserv-configuration-basic.md
├── ocserv-country-blocking.md
├── ocserv-firewall-iptables-ipv4.md
├── ocserv-firewall-shorewall-ipv4.md
├── ocserv-freeipa.md
├── ocserv-installation-CentOS-RHEL-Fedora.md
├── ocserv-installation-Debian-Ubuntu.md
├── ocserv-installation-generic.md
├── ocserv-ip-phone.md
├── ocserv-kerberos.md
├── ocserv-multihost.md
├── ocserv-pseudo-bridge.md
├── ocserv-radcli-installation.md
└── ocserv-site-to-site.md
/README.md:
--------------------------------------------------------------------------------
1 | # Recipes for Openconnect VPN
2 |
3 | This document contains recipes for various advanced configuration
4 | settings in OpenConnect VPN server.
5 |
6 | It is open for contribution; if you think you have a good overview
7 | of a common (or not so-common) scenario, open a pull request
8 | and submit it [at github](https://github.com/openconnect/recipes).
9 |
10 | 0. Installation
11 | * [Generic](ocserv-installation-generic.md)
12 | * [Centos/RHEL/Fedora](ocserv-installation-CentOS-RHEL-Fedora.md)
13 | * [Debian/Ubuntu](ocserv-installation-Debian-Ubuntu.md)
14 | 1. Generic recipes
15 | * [Basic ocserv configuration](ocserv-configuration-basic.md)
16 | * [Certificates - Letsencrypt](ocserv-certificates-letsencrypt.md)
17 | * [Firewall setup](ocserv-firewall-iptables-ipv4.md)
18 | * [Firewall setup with shorewall](ocserv-firewall-shorewall-ipv4.md)
19 | 2. Authentication
20 | * [Two factor authentication with ocserv](ocserv-2fa.md)
21 | * [How to setup ocserv for RADIUS authentication](ocserv-authentication-radius-radcli.md)
22 | * [How to setup ocserv for PAM authentication](ocserv-authentication-pam.md)
23 | * [Using Kerberos authentication with ocserv](ocserv-kerberos.md)
24 | * [Integrating ocserv with FreeIPA](ocserv-freeipa.md)
25 | * [Integrating ocserv with Microsoft AD](ocserv-ad-authentication.md)
26 | * [How to restrict authentication by country](ocserv-country-blocking.md)
27 | 3. Networking
28 | * [Pseudo-Bridge setup with Proxy ARP](ocserv-pseudo-bridge.md)
29 | * [How to share the same port for VPN and HTTP](ocserv-multihost.md)
30 | * [Site to site links with ocserv](ocserv-site-to-site.md)
31 | * [VoIP network](ocserv-ip-phone.md)
32 | 4. Configuration Management
33 | * [Link to Ansible role](https://github.com/aprt5pr/lansible-role-ocserv)
34 | * [Link to Chef cookbook](https://supermarket.chef.io/cookbooks/ocserv)
35 |
--------------------------------------------------------------------------------
/ocserv-2fa.md:
--------------------------------------------------------------------------------
1 | # Two factor authentication with ocserv
2 |
3 | Author: Nikos Mavrogiannopoulos, John Thiltges
4 |
5 | ## Introduction
6 | ocserv allows for multiple authentication factors per session. This
7 | document discusses the options available for one-time passwords, Duo, and
8 | smart cards.
9 |
10 | ## Table of Contents
11 | 1. [OATH: One-time passwords with PAM](#OATH1)
12 | 2. [OATH: One-time passwords with ocserv's password file](#OATH2)
13 | 3. [PKI: Smart cards](#PKI)
14 | 4. [Authentication using Duo](#Duo)
15 |
16 | ## OATH: One-time passwords with PAM
17 |
18 | It is possible to require each user to enter their password and an additional
19 | one time password. That can be done using PAM as the authentication backend and
20 | pam_oath to provide the seeds. The rest of this text assumes that a working PAM
21 | configuration is in place and pam_oath is installed.
22 |
23 | In that case, the following lines should be present in ocserv.conf.
24 |
25 | ```
26 | auth = "pam"
27 | ```
28 |
29 | Then in addition to the system's authentication you need to add the following
30 | line to /etc/pam.d/ocserv.
31 |
32 | ```
33 | auth requisite pam_oath.so debug usersfile=/etc/users.oath window=20
34 | ```
35 |
36 | That configuration, expects in /etc/users.oath the keys for the users
37 | to login. To generate an entry for user 'testuser' use the following
38 | command line.
39 |
40 | ```
41 | echo "HOTP testuser - $(head -c 16 /dev/urandom |xxd -c 256 -ps)" >>/etc/users.oath
42 | ```
43 |
44 | You can print the first 5 passwords for the 'testuser' using the following command (where
45 | KEY is replaced with the key generated above).
46 |
47 | ```
48 | $ oathtool -w 5 KEY
49 | ```
50 |
51 | The user can then use OTP tools in his mobile like FreeOTP (in android app-store),
52 | or a yubikey as a second factor.
53 |
54 | ### Yubikey
55 |
56 | To store that key in a yubikey to be given to user, use the following command
57 | (requires the yubikey personalization tools).
58 |
59 | ```
60 | $ ykpersonalize -1 -ooath-hotp -aKEY
61 | ```
62 |
63 | ### FreeOTP
64 |
65 | Convert the KEY to base32 using the command:
66 | ```
67 | echo 0xKEY|xxd -r -c 256|base32
68 | ```
69 |
70 | Then use the application 'quearcode' to create a QR code which can be imported
71 | in FreeOTP. The QR code text must be the following (with the obvious parts
72 | being replaced).
73 |
74 | ```
75 | otpauth://hotp/testuser@example.com?secret=BASE32KEY&issuer=COMPANY&counter=1
76 | ```
77 |
78 | ## OATH: One-time passwords with ocserv's password file
79 |
80 | Since version 0.10.9 it is possible to use ocserv's password file for 2FA. It
81 | requires ocserv to be compiled with liboath.
82 |
83 | In that case, the following lines should be present in ocserv.conf.
84 |
85 | ```
86 | auth = "plain[passwd=/etc/ocserv/passwd,otp=/etc/ocserv/users.oath]"
87 | ```
88 |
89 | In that case 'passwd' needs to be in the password file format of ocserv,
90 | and users.oath must be in the "UsersFile" format as described in
91 | https://code.google.com/p/mod-authn-otp/wiki/UsersFile. To add a user,
92 | with a time-based token, in that file use the following command.
93 |
94 | Since the following instructions are similar to the PAM case. For diversity
95 | we will use a time-based OTP.
96 |
97 | ```
98 | echo "HOTP/T30 testuser - $(head -c 16 /dev/urandom |xxd -c 256 -ps)" >>/etc/users.oath
99 | ```
100 |
101 | In case an OTP file is specified, it is allowed for the password field in the
102 | 'passwd' file to be empty. In that case the user will only be prompted for the OTP.
103 |
104 | You can print the first 5 passwords for the 'testuser' above using the following command
105 | (where KEY is replaced with the key generated above).
106 |
107 | ```
108 | $ oathtool --totp -w 5 KEY
109 | ```
110 |
111 | The user can then use OTP tools in his mobile like FreeOTP (in android app-store),
112 | or a yubikey as a second factor.
113 |
114 | ### Yubikey/FreeOTP
115 |
116 | The instructions to setup Yubikey or FreeOTP are identical to the PAM case. Note that
117 | Yubikeys cannot use time based OTP.
118 |
119 | ## PKI: Smart cards
120 |
121 | It is possible to use openconnect and ocserv using smart cards as a second factor.
122 | This text will guide the steps required to generate the Public Key Infrastructure
123 | (PKI) to achieve that. The following instructions assume the availability of the
124 | latest releases of GnuTLS 3.3.x or later.
125 |
126 | ### Generate a certificate authority
127 |
128 | Smart cards contain public keys, which in order to be accepted by the server
129 | must be signed with a key the server trusts. That key is called the certificate
130 | authority's key, and the signed public key in smart card is called the certificate.
131 |
132 | To generate a CA use the following steps.
133 | ```
134 | $ certtool --generate-privkey --outfile ca-key.pem
135 | $ cat << _EOF_ >ca.tmpl
136 | cn = "VPN CA"
137 | organization = "Big Corp"
138 | serial = 1
139 | expiration_days = -1
140 | ca
141 | signing_key
142 | cert_signing_key
143 | crl_signing_key
144 | _EOF_
145 | $ certtool --generate-self-signed --load-privkey ca-key.pem \
146 | --template ca.tmpl --outfile ca-cert.pem
147 | ```
148 |
149 | The private key of the CA is now stored in ca-key.pem, and the public key
150 | in ca-cert.pem. The private key of the CA is used to sign client certificates,
151 | and as such it should be unaccessible by anyone, but the manager of the CA.
152 | Ideally it should be stored in a Hardware Security Module or smart card (in that
153 | case you may replace ca-key.pem with the equivalent PKCS #11 URL in the subsequent
154 | steps).
155 |
156 | ### Generate and sign clients' keys in the card
157 |
158 | Suppose we have a smart card and need to generate and sign the client's keys in
159 | the card. The following steps are required. We assume that the PKCS #11 URL of
160 | the smart card is known. If not use "p11tool --list-tokens" to find it out, and
161 | replace "pkcs11:" with the actual URL.
162 |
163 | ```
164 | $ p11tool --generate-rsa "pkcs11:" --label user-vpn-key --login
165 | $ cat << _EOF_ >client.tmpl
166 | cn = "my-user-name"
167 | organization = "MyCompany"
168 | ou = groupname
169 | expiration_days = 600
170 | signing_key
171 | tls_www_client
172 | _EOF_
173 | $ GNUTLS_PIN=XXXX certtool --generate-certificate --load-privkey "pkcs11:...;object=user-vpn-key;type=private" \
174 | --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem --template client.tmpl --outfile \
175 | client-cert.pem
176 | $ p11tool --write --load-certificate client-cert.pem --label user-vpn-key --login "pkcs11:"
177 | ```
178 |
179 | At this point the smart card contains both the client's certificate and private key.
180 |
181 | ### Configure ocserv for certificate authentication
182 |
183 | The VPN server needs to be configured in order to require certificates signed
184 | by the trusted CA, in addition to a username-password pair. That can be done
185 | by having a configuration that at minimum contains the following configuration options.
186 |
187 | ```
188 | auth = "pam" #or any other password auth method
189 | auth = "certificate"
190 |
191 | ca-cert = /path/to/ca-cert.pem
192 | cert-user-oid = 2.5.4.3
193 | cert-group-oid = 2.5.4.11
194 | ```
195 |
196 | ### Configure openconnect client for certificate authentication
197 |
198 | The client can connect to the server by specifying the PKCS #11 URLs of
199 | his certificate and private key (the -c and -k parameters). Note that,
200 | you may specify the minimum URL required, e.g., a URL which identifies the
201 | card and the object name only, and openconnect will expand as necessary.
202 |
203 | See also [Smart Card / PKCS#11 support](http://www.infradead.org/openconnect/pkcs11.html)
204 |
205 |
206 | ## Authentication using Duo
207 |
208 | Two-factor authentication service from [Duo Security](https://duo.com/) can be
209 | combined with ocserv. This recipe was tested on CentOS 7.
210 |
211 | 1. Install Duo Unix.
212 | Duo provides [installation packages](https://duo.com/docs/duounix#linux-distribution-packages);
213 | you will need to configure your site keys in ```/etc/duo/pam_duo.conf```.
214 |
215 | 2. Configure PAM to enable Duo for password authentication.
216 | You need to modify ```/etc/pam.d/password-auth```:
217 | * Using local accounts (users in /etc/passwd)
218 | * Change auth pam_unix.so from "sufficient" to "requisite"
219 | * Add "auth sufficient pam_duo.so"
220 |
221 | ```
222 | --- password-auth.orig
223 | +++ password-auth
224 | @@ -1,6 +1,7 @@
225 | #%PAM-1.0
226 | auth required pam_env.so
227 | -auth sufficient pam_unix.so nullok try_first_pass
228 | +auth requisite pam_unix.so nullok try_first_pass
229 | +auth sufficient pam_duo.so
230 | auth requisite pam_succeed_if.so uid >= 1000 quiet_success
231 | auth required pam_deny.so
232 | ```
233 |
234 | * Using LDAP accounts and SSSD
235 | * Change auth pam_sss.so from "sufficient" to "requisite"
236 | * Add "auth sufficient pam_duo.so"
237 |
238 | ```
239 | --- password-auth-ac.orig
240 | +++ password-auth-ac
241 | @@ -3,7 +3,8 @@
242 | auth [default=1 success=ok] pam_localuser.so
243 | auth [success=done ignore=ignore default=die] pam_unix.so nullok try_first_pass
244 | auth requisite pam_succeed_if.so uid >= 1000 quiet_success
245 | -auth sufficient pam_sss.so forward_pass
246 | +auth requisite pam_sss.so forward_pass
247 | +auth sufficient pam_duo.so
248 | auth required pam_deny.so
249 |
250 | account required pam_unix.so broken_shadow
251 | ```
252 |
253 | 3. You're done!
254 | ocserv passes the Duo prompts to VPN clients.
255 |
256 |
--------------------------------------------------------------------------------
/ocserv-ad-authentication.md:
--------------------------------------------------------------------------------
1 | # How to setup ocserv for Microsoft AD Authentication
2 |
3 | Author: Dionis Pelivan
4 |
5 |
6 | ### Scope
7 |
8 | This Recipe provides step by step instructions on how to install, configure,
9 | and test Microsoft AD Authentication for Openconnect Server. This recipe was
10 | tested on CentOS 7 with the EPEL packages of ocserv.
11 |
12 | ### Platforms used for testing
13 |
14 | This Recipe was tested on the following platforms:
15 |
16 | * CentOS 7 on amd64 architecture
17 |
18 | ### Assumptions
19 |
20 | This recipe assumes the reader has a basic understanding of a linux
21 | system and all commands are run from a privileged user. It is recommended
22 | to login the system using root.
23 |
24 | ### Prerequisite
25 | In order to take advantage of this setup, you should join your linux server into AD domain.
26 | The packages below are required in order to join linux to AD Domain, create home dir and so on.
27 | ```
28 | [root@vpn ~]# yum install oddjob oddjob-mkhomedir sssd samba-common-tools realmd polkit.i686 iptables-services pam cracklib
29 | ```
30 |
31 | Additionally you need to add PAM as the authentication backend of ocserv.
32 | The rest of this text assumes that a working PAM configuration is in place and
33 | pam_sss is enabled.
34 |
35 | In that case, the following lines should be present in ocserv.conf.
36 |
37 | ```
38 | auth = "pam"
39 | ```
40 |
41 | ### Join in Active Directory domain
42 | ```
43 | [root@vpn ~]# realm join YOURDOMAIN.COM --user Administrator
44 | ```
45 | Open /etc/sssd/sssd.conf with text editor and replace with the below config (replace yourdomain.com acordingly)
46 | ```
47 | [root@vpn ~]# vim /etc/sssd/sssd.conf
48 | ```
49 |
50 | ```
51 | [sssd]
52 | debug_level = 5
53 | domains = yourdomain.com
54 | config_file_version = 2
55 | services = nss, sudo, pam, ssh
56 |
57 | [domain/yourdomain.com]
58 | debug_level = 5
59 | ad_domain = yourdomain.com
60 | krb5_realm = YOURDOMAIN.COM
61 | realmd_tags = manages-system joined-with-samba
62 | cache_credentials = True
63 | id_provider = ad
64 | krb5_store_password_if_offline = True
65 | default_shell = /bin/bash
66 | ldap_id_mapping = True
67 | use_fully_qualified_names = False
68 | fallback_homedir = /home/yourdomain/%u
69 | access_provider = ad
70 | ```
71 |
72 |
--------------------------------------------------------------------------------
/ocserv-authentication-pam.md:
--------------------------------------------------------------------------------
1 | ## How to setup ocserv for PAM authentication
2 |
3 | Author: Mauro Gaspari
4 |
5 |
6 | ### Scope
7 |
8 | This Recipe provides step by step instructions on how to configure and
9 | test PAM Authentication for Openconnect Server. No precompiled binary
10 | packages will be used, therefore this recipe applies to all linux
11 | distributions. As a secondary and optional scope, this recipe will show
12 | how to integrate Webmin and Usermin with PAM authentication, to provide
13 | end users a quick and easy way to reset their own passwords.
14 |
15 | ### Platforms used for testing
16 |
17 | This Recipe was tested on the following platforms:
18 |
19 | * Debian 8 (systemd) on armhf architecture.
20 | * Ubuntu Server 16.04 (systemd) on amd64 architecture.
21 | * Gentoo (openRC) on amd64 architecture.
22 |
23 | ### Assumptions
24 |
25 | This recipe assumes the reader has a basic understanding of a linux
26 | system and all commands are run from a privileged user. It is recommended
27 | to login the system using root.If not possible, execute ```su root``` or
28 | ```sudo su``` to get highest privileges.
29 |
30 | ### Requirements
31 |
32 | No special requirements to use PAM authentication on linux computers.
33 |
34 |
35 | ### Details on lab used on this recipe
36 |
37 | * network 192.169.5.0/24 (netmask 255.255.255.0)
38 | * ocserv ip 192.168.5.254
39 | * ocserv hostname fw01
40 |
41 |
42 | ### Ocserv Configuration for Radius authentication
43 |
44 | In order to enable PAM authentication for ocserv, follow the steps below.
45 |
46 | 1. Move to ocserv folder. Note. if you installed from sources following
47 | [Ocserv Installation - Generic](ocserv-installation-generic.md),
48 | the ocserv folder is at ```/usr/local/etc/ocserv/```.
49 |
50 | ```
51 | cd /etc/ocserv
52 | ```
53 | 2. Open ocserv.conf with text editor
54 | ```
55 | nano ocserv.conf
56 | ```
57 | 3. Comment all lines starting with "auth =", it should look like this:
58 | ```
59 | #auth = "pam"
60 |
61 | #auth = "pam[gid-min=1000]"
62 |
63 | #auth = "plain[passwd=./ocserv.passwd]"
64 |
65 | #auth = "certificate"
66 |
67 | #auth = "radius[config=/etc/radiusclient/radiusclient.conf,groupconfig=true]"
68 | ```
69 | 4. Add a line as follows:
70 |
71 | ```
72 | auth = "pam"
73 | ```
74 | 5. If you need to limit ocserv authentication to a specific set of users,
75 | you can change the non-commented line to the following:
76 | ```
77 | auth = "pam[gid-min=1000]"
78 | ```
79 | This means that only account number 1000 and above can be authenticated
80 | via openconnect server. git-min number can be changed according to
81 | administrator needs.
82 |
83 | ## Optional - Install and use Webmin & Usermin to allow users to reset their own passwords
84 |
85 | It is often required even in small to medium businesses, that users can
86 | reset their password without any admin knowing them. In this scenario,
87 | use of RADIUS is preferred as all passwords are in sync. However, for
88 | many reasons it could be not possible or approved to use RADIUS. PAM
89 | authentication advantage is that ocserv depends on no other systems to
90 | provide authentication. It is also considered to be much easier to
91 | configure and maintain compared to RADIUS.
92 |
93 | Having said that, end users often do not know how to use ssh and linux
94 | cli to reset their passwords. This is where Webmin and Usermin come to
95 | play. Users can login from the LAN (or even the WAN if required) using
96 | any web browser. Usermin will provide a very limited web gui where end
97 | users can reset their passwords.
98 |
99 | ### Webmin Installation
100 |
101 | Download and install webmin for your distribution. Webmin packages for
102 | main distributions are [available on this page](http://www.webmin.com/download.html).
103 |
104 | #### Debian
105 |
106 | ```
107 | wget http://prdownloads.sourceforge.net/webadmin/webmin_x.xxx_all.deb
108 | dpkg -i webmin_x.xxx_all.deb
109 | ```
110 | In case dpkg returns dependency problem, run the following command:
111 | ```
112 | apt-get -f install
113 | ```
114 |
115 | #### Fedora
116 |
117 | ```
118 | wget http://prdownloads.sourceforge.net/webadmin/webmin-x.xxx-x.noarch.rpm
119 | rpm -I webmin-x.xxx-x.noarch.rpm
120 | ```
121 |
122 | #### Gentoo
123 |
124 | ```
125 | emerge webmin
126 | ```
127 |
128 | At this point, webmin is installed. On its default settings, it is
129 | reachable on its port 10000. In this case: https://192.168.5.254:10000
130 |
131 | A few of notes:
132 | - It is advisable not to use default ports.
133 | - If connection cannot be established, remember to open firewall ports.
134 | - It is advisable to open firewall ports only from the LAN.
135 |
136 | ### Usermin Installation
137 |
138 | Once Webmin is installed, Usermin installation is very easy:
139 |
140 | 1. Connect to your Webmin and login with your admin user.
141 | 2. On the left menu, click Un-used Modules.
142 | 3. Select "Usermin Configuration"
143 | 4. Click on "Install Usermin tar.gz package"
144 |
145 | At this point, usermin is installed. On its default settings, it is
146 | reachable on its port 20000. In this case: https://192.168.5.254:20000
147 |
148 | A few of notes:
149 | - It is advisable not to use default ports.
150 | - If connection cannot be established, remember to open firewall ports.
151 | - It is advisable to open firewall ports only from the LAN.
152 |
153 | ### Usermin Configuration
154 |
155 | Once installed, usermin can be configured and upgraded by system
156 | administrator via webmin - Usermin Configuration.
157 |
158 | ### Usermin Usage
159 |
160 | Users can connect to Usermin interface using any web browser, and perform
161 | the functions allowed by system administrator. In this recipe we focused
162 | on the most basic one, which is for users to login and reset their own
163 | passwords.
164 |
165 |
166 | ### Conclusion and final notes
167 |
168 | This concludes the ocserv **PAM** recipe. At this point
169 | the Openconnect server should be working with PAM authentication.
170 |
171 |
172 |
--------------------------------------------------------------------------------
/ocserv-authentication-radius-radcli.md:
--------------------------------------------------------------------------------
1 | ## Ocserv Authentication - RADIUS (radcli)
2 |
3 | Author: Mauro Gaspari
4 |
5 |
6 | ### Scope
7 | This Recipe provides step by step instructions on how to install, configure,
8 | and test RADIUS Authentication for Openconnect Server. This recipe focuses on
9 | generic installation instructions, from packages available on Openconnect server
10 | and radcli websites. No precompiled binary packages will be used, therefore this
11 | recipe applies to all linux distributions.
12 |
13 | ### Platforms used for testing
14 |
15 | This Recipe was tested on the following platforms:
16 |
17 | - Debian 8 (systemd) on armhf architecture.
18 | - Ubuntu Server 15.10 (systemd) on amd64 architecture.
19 | - Gentoo (openRC) on amd64 architecture.
20 | - Fedora 23
21 |
22 | ### Assumptions
23 |
24 | - This recipe assumes the reader has a basic understanding of a linux system and all
25 | commands are run from a privileged user. It is recommended to login the system using root.
26 | If not possible, execute "su root" or "sudo su" to get highest privileges.
27 | - Software needed to compile from source is required, please refer to distribution specific
28 | guides to install needed packages. See [ocserv's development site](https://gitlab.com/ocserv/ocserv).
29 | - Throughout this recipe, ocserv's version number will be x.x.x . Replace x.x.x on all steps below with
30 | the latest, or preferred version number.
31 |
32 | ### Requirements
33 |
34 | Since version 0.10.6 ocserv RADIUS authentication depends on either libradius-client 1.1.7 or
35 | radcli libraries. At the time of writing, many distributions only offer libradius-client 1.1.6.
36 | In order to avoid unmet dependencies or radius libraries lagging behind ocserv in any way,
37 | Nikos Mavrogiannopulos decided to create the radcli libraries. These are updated to match ocserv
38 | requirements, and are easy to install and use. This recipe includes instructions to compile
39 | radcli libraries.
40 |
41 | NOTE: radcli (or libradius-client) need to be installed before ocserv. If ocserv is compiled
42 | before radius libraries, it will build without radius support. Even if radius libraries are
43 | compiled/installed afterwards, it will not work, and ocserv will return errors when you try
44 | to start the service with RADIUS authentication enabled.
45 |
46 |
47 | ### Network settings used on this recipe
48 | - network 192.169.5.0/24 (netmask 255.255.255.0)
49 | - ocserv ip 192.168.5.254
50 | - ocserv hostname fw01
51 | - radius server ip 192.168.5.5
52 | - radius server password: radiustestsecretpassword
53 |
54 |
55 | ## Installation
56 |
57 | Install radcli through your distribution channels (minimum recommended version is 1.2.5)
58 | or see the [manual installation instructions](ocserv-radcli-installation.md).
59 |
60 | ### radcli configuration (No TLS)
61 |
62 | 1. Move to radcli etc folder
63 | ```
64 | cd /etc/radcli/
65 | ```
66 |
67 | 2. Open radiusclient.conf with text editor
68 |
69 | ```
70 | nano radiusclient.conf
71 | ```
72 |
73 | 3. Configure radius settings according to your environment. Following lab details for this recipe, we will need to change the following paramters:
74 |
75 | ```
76 | nas-identifier fw01
77 | authserver 192.168.5.5
78 | acctserver 192.168.5.5
79 | servers /etc/radcli/servers
80 | dictionary /etc/radcli/dictionary
81 | default_realm
82 | radius_timeout 10
83 | radius_retries 3
84 | bindaddr *
85 | ```
86 |
87 | 4. Save and exit (in nano, ctrl+o to save, then ctrl+x to exit)
88 |
89 | 5. Open servers file with text editor
90 |
91 | ```
92 | nano servers
93 | ```
94 |
95 | 6. Configure servers settings according to your environment. Following lab details for this recipe we will need to add one line to servers file:
96 |
97 | ```
98 | 192.168.5.5 radiustestsecretpassword
99 | ```
100 |
101 | 7. Save and exit (in nano, ctrl+o to save, then ctrl+x to exit)
102 |
103 | ### Security considerations and radcli configuration with TLS.
104 |
105 | If you have security concerns, for example on a corporate network, there are several ways
106 | to secure radius communications. One very common way to achieve this, is by isolating vlans.
107 | If your RADIUS server requires TLS authentication of radius messages for security reasons, or
108 | if you are unable to implement separate management vlans, please use radiusclient-tls.conf
109 | instead of radiusclient.conf, and servers-tls instead of servers. Radius configuration with
110 | TLS is out of the scope of this document. Having said that, comments on radiusclient-tls.conf
111 | and servers-tls are clear and a system admin should have no issue with configuration.
112 |
113 |
114 | ### Ocserv Installation
115 | You can install ocserv using distribution packages. If ocserv is not available in your package manager, you can follow instructions on Ocserv installation recipe, available here: [Ocserv Installation - Generic](ocserv-installation-generic.md)
116 |
117 | ### Ocserv Configuration for Radius authentication
118 | In order to enable radius authentication for ocserv, follow the steps below.
119 |
120 | 1. Move to ocserv folder.
121 | ```
122 | cd /etc/ocserv
123 | ```
124 |
125 | 2. Open ocserv.conf with text editor
126 |
127 | ```
128 | nano ocserv.conf
129 | ```
130 |
131 | 3. Comment all lines starting with "auth =", it should look like this:
132 |
133 | ```
134 | #auth = "pam"
135 | #auth = "pam[gid-min=1000]"
136 | #auth = "plain[passwd=./ocserv.passwd]"
137 | #auth = "certificate"
138 | #auth = "radius[config=/etc/radiusclient/radiusclient.conf,groupconfig=true]"
139 | ```
140 |
141 | 4. Add a line as follows:
142 |
143 | ```
144 | auth = "radius [config=/usr/local/etc/radcli/radiusclient.conf,groupconfig=true]"
145 | ```
146 |
147 | 5. If you need RADIUS accounting, add a line in the "Accounting methods available" Section:
148 |
149 | ```
150 | acct = "radius [config=/usr/local/etc/radcli/radiusclient.conf,groupconfig=true]"
151 | ```
152 |
153 | ### Final notes
154 |
155 | This concludes **Ocserv Authentication - RADIUS (radcli)** recipe. At this point Openconnect
156 | server should be working with radcli RADIUS libraries.
157 |
--------------------------------------------------------------------------------
/ocserv-certificates-letsencrypt.md:
--------------------------------------------------------------------------------
1 | ## Ocserv Certificates - letsencrypt
2 |
3 | Author: Mauro Gaspari
4 |
5 | ###Scope
6 | This recipe provides a deployment example of letsencrypt to provide ssl certificates for ocserv.
7 | This recipe does not claim to be a step-by-step guide or a letsencrypt tutorial, as there are plenty of those available online. Also, this recipe does not claim to be the best or most secure letsencrypt setup, but barely a starting point example for a GNU/Linux based router/firewall with Ocserv.
8 |
9 | ### Platforms used for testing
10 | This Recipe was tested on the following platforms:
11 |
12 | - Ubuntu Server 18.04LTS on amd64 architecture.
13 | - CentOS 7 on amd64 architecture.
14 | - openSUSE Tumbleweed on amd64 architecture.
15 |
16 |
17 | ### Assumptions
18 | - This recipe assumes the reader has a basic understanding of a GNU/Linux system and all commands are run from a privileged user. It is recommended to login the system using root. If not possible, execute "su root" or "sudo su" to get highest privileges.
19 | - The reader is applying ocserv to a GNU/Linux server that is already configured as a router.
20 | ### Requirements
21 | - The GNU/Linux server in the recipe is configured to work as a router. sysctl.conf is already configured with the line:
22 | ```
23 | net.ipv4.ip_forward = 1
24 | ```
25 | - The GNU/Linux server in the recipe has ocserv installed and configured. Please refer to if needed.
26 |
27 |
28 | ### Details on lab used on this recipe
29 | - network 192.169.5.0/24 (netmask 255.255.255.0)
30 | - ocserv ip 192.168.5.254
31 | - ocserv hostname fw01
32 | - ocserv WAN interface is eth0
33 | - ocserv LAN interface is eth1
34 | - ocserv ports for openconnect vpn are default TCP 443 and UDP 443
35 | - letsencrypt uses port TCP 80. This is done to avoid overlapping with TCP 443 used for ocserv
36 |
37 |
38 |
39 |
40 | ###Install let's encrypt to manage certificates
41 |
42 | **Debian/Ubuntu**
43 |
44 | ```
45 | apt-get install certbot
46 | ```
47 |
48 | **CentOS/RHEL/Fedora**
49 | On older versions
50 | ```
51 | yum install certbot
52 | ```
53 | Or, on latest versions
54 | ```
55 | dnf install certbot
56 | ```
57 |
58 | **openSUSE**
59 | ```
60 | zypper in shorewall certbot
61 | ```
62 |
63 |
64 | ###Create certificates for ocserv
65 | ```
66 | certbot certonly --standalone --preferred-challenges http --agree-tos --email your-email-address -d vpn.yourdomain.domain
67 | ```
68 | **NOTE1:** closely monitor the output to find any issue with certificate creation.
69 | **NOTE2:** make sure you have a valid dns A record to point "vpn.yourdomain.domain" to the public IP address configured of your wan.
70 |
71 | ###Setup auto renewal of certificates
72 | Edit: /etc/crontab
73 | Add this line to your crontab:
74 | ```
75 | 15 00 * * * root certbot renew --quiet && systemctl restart ocserv
76 | ```
77 |
78 | ###Configure openconnect server
79 | Configure ocserv according to instructions on official site:
80 | - Skip the certificate creation step, we are getting certificates from letsencrypt.
81 | - Instead of generating certificates, link the location where your certificates are stored by letsencrypt: /etc/letsencrypt/live/vpn.yourdomain.domain
82 |
83 | ###restart openconnect server
84 | ```
85 | service ocserv restart
86 | ```
87 | **Check status**
88 | ```
89 | service ocserv status
90 | ```
91 |
92 | ###Firewall
93 | **Shorewall**
94 | Appendix A. of shorewall recipe has configuration examples for letsencrypt. Refer to the recipe here: .
95 |
96 |
97 | ### Conclusion and final notes
98 | This concludes **Ocserv Certificates - letsencrypt** recipe. At this point Openconnect server should be configured with ssl certificates released by letsencrypt. Also, certificates will be automatically renewed with certbot.
99 | If you want to learn more, you can find Ocserv recipes here:
100 |
--------------------------------------------------------------------------------
/ocserv-configuration-basic.md:
--------------------------------------------------------------------------------
1 | ## Ocserv Configuration - Basic
2 |
3 | Author: Mauro Gaspari
4 |
5 | ### Scope
6 | This recipe provides step by step instructions on how to configure ocserv for basic functionality.
7 |
8 | ### Platforms used for testing
9 | This Recipe was tested on the following platforms:
10 |
11 | - Debian 8 (systemd) on armhf architecture.
12 | - Ubuntu Server 15.10 (systemd) on amd64 architecture.
13 | - Gentoo (openRC) on amd64 architecture.
14 | - Fedora 23
15 |
16 | ### Assumptions
17 | - This recipe assumes the reader has a basic understanding of a linux system and all commands
18 | are run from a privileged user. It is recommended to login the system using root. If not possible,
19 | execute "su root" or "sudo su" to get highest privileges.
20 | - The reader is applying ocserv to a linux server that is already configured as a router and has a
21 | firewall running (iptables, shorewall, or other).
22 |
23 | ### Requirements
24 |
25 | ### Network settings used on this recipe
26 | - network 192.169.5.0/24 (netmask 255.255.255.0)
27 | - ocserv ip 192.168.5.254
28 | - ocserv hostname fw01
29 | - authentication method used for testing: pam
30 |
31 |
32 | ### Certificate Management (Self Signed)
33 |
34 | **Create CA template file and server template file:**
35 |
36 | 1. Create a folder to store your certificates
37 | ```
38 | mkdir /root/certificates
39 | ```
40 |
41 | 2. Move to certificetes folder
42 |
43 | ```
44 | cd /root/certificates
45 | ```
46 |
47 | 3. Create CA and server templates based on this example file, edit parameters according to your organization name and needs. Please note that anyconnect VPN clients connecting to your ocserv will complain if certificates do not match hostname, or if are self signed.
48 |
49 | ```
50 | nano ca.tmpl
51 | ```
52 |
53 | ```
54 | cn = "your organization’s certificate authority"
55 | organization = "your organization"
56 | serial = 1
57 | expiration_days = 3650
58 | ca
59 | signing_key
60 | cert_signing_key
61 | crl_signing_key
62 | ```
63 |
64 | 4. Create Server template (edit parameters according to your organization name and needs)
65 |
66 | ```
67 | nano server.tmpl
68 | ```
69 |
70 | ```
71 | cn = "a sever's name, usually matches hostname"
72 | organization = "your organization"
73 | serial = 2
74 | expiration_days = 3650
75 | signing_key
76 | encryption_key
77 | tls_www_server
78 | dns_name = "your organization's host name"
79 | #ip_address = "if no hostname uncomment and set the IP address here"
80 | ```
81 |
82 | 5. Generate CA key, CA certificate:
83 |
84 | ```
85 | certtool --generate-privkey --outfile ca-key.pem
86 | certtool --generate-self-signed --load-privkey ca-key.pem --template ca.tmpl --outfile ca-cert.pem
87 | ```
88 |
89 | 6. Generate Server key and certificate
90 |
91 | ```
92 | certtool --generate-privkey --outfile server-key.pem
93 | certtool --generate-certificate --load-privkey server-key.pem --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem --template server.tmpl --outfile server-cert.pem
94 | ```
95 |
96 | 7. Copy certificates in ocserv directory
97 |
98 | ```
99 | cp server-cert.pem server-key.pem /etc/ocserv/
100 | ```
101 |
102 | ### Configure ocserv
103 |
104 | 1. Open /etc/ocserv/ocserv.conf file
105 |
106 | ```
107 | nano /etc/ocserv/ocserv.conf
108 | ```
109 |
110 | 2. In the Authentication section, comment all lines and add the following line:
111 |
112 | ```
113 | auth = "pam"
114 | ```
115 |
116 | 3. In the TCP and UDP port number, leave the default and make sure both lines are uncommented
117 |
118 | ```
119 | tcp-port = 443
120 | udp-port = 443
121 | ```
122 |
123 | 4. In the seccomp section, decide if you want to use seccomp or not. If you removed seccomp when compiling or did not install seccomp packages, disable seccomp or ocserv will fail to start.
124 |
125 | ```
126 | isolate-workers = true
127 | ```
128 |
129 | 5. In the Network Settings section, change the following lines:
130 |
131 | ```
132 | ipv4-network = 192.168.5.254
133 | ipv4-netmask = 255.255.255.0
134 | dns = 8.8.8.8
135 | ```
136 |
137 | 6. In the "Routes to be forwarded to the client" section, commend all lines and add the following line:
138 |
139 | ```
140 | route = 192.168.5.0/255.255.255.0
141 | ```
142 |
143 | 7. Save the file and exit (CTRL+o to save, CTRL+x to exit)
144 |
145 | ### Start ocserv and test
146 |
147 | To manually start ocserv:
148 |
149 | ```
150 | ocserv -c /etc/ocserv/ocserv.conf
151 | ```
152 |
153 | Authentication was set to pam, so from your client you can use any linux users of your system
154 |
155 | ### Use ocserv as a service and enable service start on system boot
156 |
157 |
158 | If you are using systemd, you can activate ocserv easily by doing the following:
159 |
160 | 1. Copy systemd script
161 |
162 | ```
163 | cp /usr/share/doc/ocserv/doc/systemd/standalone/ocserv.service /lib/systemd/system
164 | ```
165 |
166 | 2. Enable ocserv on system bootup
167 |
168 | ```
169 | systemctl enable ocserv.service
170 | ```
171 |
172 | Note that scripts for other init systems are currently not included in ocserv package.
173 |
174 | ### Final notes
175 |
176 | This concludes **Ocserv Configuration - Basic** recipe. At this point Openconnect server
177 | should be ready to accept VPN connections. Remember to open ports on your firewall, and
178 | test connection.
179 |
180 |
--------------------------------------------------------------------------------
/ocserv-country-blocking.md:
--------------------------------------------------------------------------------
1 | # Country Blocking
2 |
3 | Author: Lance LeFlore
4 |
5 | When providing VPN services, it is expected that clients will be connecting from a vast number of different subnets around the internet at-large. Because of this, it's not entirely feasible to use a packet filter to whitelist the subnets from which clients may be connecting to the VPN server. Very often, however, one may safely assume that clients will only be connecting from a particular set of countries. This then gives us a parameter we can in turn use to whitelist client connections. For example, if one assumes his or her clients will only ever connect from the US and Czech Republic; a GeoIP lookup can be performed against the clients' source IP to determine whether they are in fact connecting from the US or the Czech Republic.
6 |
7 | ### Prerequisites
8 |
9 | - cURL
10 | - Tested on Ocserv 0.11.5.
11 |
12 | ### Configuration
13 | - Set ```connect-script = /usr/bin/ocserv-country-blocker``` in ```ocserv.conf```.
14 | - Create a file with the following code at ```/usr/bin/ocserv-country-blocker```:
15 |
16 | ``` sh
17 | #!/bin/sh
18 |
19 | ALLOW_COUNTRY_CODES="CZ US"
20 |
21 | # Make sure Ocserv passes IP_REAL
22 | if [ "x${IP_REAL}" = "x" ]; then
23 | exit 1
24 | fi
25 |
26 | GEOIP_STRING=$(curl -s https://freegeoip.live/csv/$IP_REAL)
27 | # Alternatively, in Fedora 23 or higher, the following would also provide the
28 | # country code variable using the local geoip database:
29 | # COUNTRY_CODE=$(ipcalc -g ${IP_REAL} | grep CODE | cut -d'=' -f2)
30 |
31 | COUNTRY_CODE=$(echo $GEOIP_STRING | cut -d ',' -f2)
32 |
33 | # Handle instances where COUNTRY_CODE is empty (e.g. RFC 1918 addresses)
34 | if [ "x${COUNTRY_CODE}" = "x" ]; then
35 | # Fail open
36 | exit 0
37 | # Fail closed
38 | # exit 1
39 | fi
40 |
41 | for c in $ALLOW_COUNTRY_CODES; do
42 | if [ "${c}" = "${COUNTRY_CODE}" ]; then
43 | exit 0
44 | fi
45 | done
46 |
47 | # If we made it here, then COUNTRY_CODE was not found in ALLOW_COUNTRY_CODES
48 | exit 1
49 | ```
50 |
51 | - Be certain to set ```ALLOW_COUNTRY_CODES``` to a list of countries you'd like to whitelist VPN access from.
52 | - You should also decide the behavior you'd like the script exhibit in the event that FreeGeoIP does not return a country code. Currently the script "fails open" meaning that it will allow a client connection to proceed if, for some reason, FreeGeoIP does not return a country code.
53 | - Set the executable bit on ```/usr/bin/ocserv-country-blocker```
54 | - Restart Ocserv
55 |
56 | ### Limitations
57 | - FreeGeoIP enforces an API limit of 10000 API calls per hour per API client source IP.
58 | - The ALLOW_COUNTRY_CODES will obviously affect all VPN clients. If you need a solution to allow clients to connect from different sets of countries then this solution may not suit your use case without some modifications.
59 |
--------------------------------------------------------------------------------
/ocserv-firewall-iptables-ipv4.md:
--------------------------------------------------------------------------------
1 | # Ocserv Firewall - iptables IPv4
2 |
3 | Author: Mauro Gaspari
4 |
5 | ## Scope
6 |
7 | This recipe provides a deployment example of iptables (ipv4) for a GNU/Linux based router/firewall and ocserv as VPN server.
8 | This recipe does not claim to be a step-by-step guide or a iptables tutorial, as there are plenty of those available online. Also, this recipe does not claim to be the best or most secure iptables setup, but barely a starting point example for a GNU/Linux based router/firewall with Ocserv.
9 |
10 | ## Platforms used for testing
11 |
12 | This Recipe was tested on the following platforms:
13 |
14 | - Debian 8 (systemd) on armhf architecture.
15 | - Ubuntu Server 16.04LTS (systemd) on amd64 architecture.
16 | - CentOS 7 (systemd) on amd64 architecture.
17 | - Gentoo (openRC) on amd64 architecture.
18 |
19 |
20 | ## Assumptions
21 |
22 | - This recipe assumes the reader has a basic understanding of a GNU/Linux system and all commands are run from a privileged user. It is recommended to login the system using root.If not possible, execute "su root" or "sudo su" to get highest privileges.
23 | - The reader is applying ocserv to a GNU/Linux server that is already configured as a router.
24 |
25 | ## Requirements
26 |
27 | - The GNU/Linux server in the recipe is configured to work as a router. sysctl.conf is already configured with the line:
28 | ```net.ipv4.ip_forward = 1```
29 |
30 | - The GNU/Linux server in the recipe has ocserv installed and configured. Please refer to [installation recipes](README.md) if needed.
31 |
32 |
33 | ## Details on lab used on this recipe
34 |
35 | - network 192.169.5.0/24 (netmask 255.255.255.0)
36 | - ocserv ip 192.168.5.254
37 | - ocserv hostname fw01
38 | - ocserv WAN interface is eth0
39 | - ocserv LAN interface is eth1
40 | - ocserv ports for openconnect vpn are default TCP 443 and UDP 443
41 | - Firewall is in learning mode on all 3 filtering chains. This means iptables is logging a lot of traffic. this could create problems with disk space or I/O on small devices, such as arm based mini-computers, or devices using flash memory for file system. Learning mode is meant to be a temporary stage to learn and adjust the firewall. General practice is to create custom rules, place those before the LOG rules to reduce the logs. Once learning stage is completed, it is recommended to disable (comment) the LOG rules and change last rules from ACCEPT to DROP.
42 |
43 |
44 | ## Details on Firewall configuration
45 |
46 | ### Filtering - input chain
47 |
48 | - Firewall only allows connections to ports for OCSERV from WAN interface "eth0".
49 | - Firewall stateful rule is enabled.
50 | - Firewall allows incoming traffic from LAN interface "eth1" for minimal services. This includes DNS, DHCP, SSH, Webmin.
51 | - Firewall is in learning mode for all remaining traffic from LAN interface "eth1". This means all traffic is logged and then accepted. It is recommended to look at the logs marked as "IPTABLES-LOG-INPUT-LAN:", allow what is needed with specific rules, then change the rule that allow traffic from LAN to drop packets. LOG rule can be left enabled for a while so admin can monitor and adjust as needed. This LOG rule can be enabled and disabled as needed.
52 | - Keep the last rule as drop all to avoid unwanted traffic from reaching the firewall.
53 |
54 | ### Filtering - forward chain
55 |
56 | - All traffic from LAN to WAN is allowed. This can be changed according to admin requirements or preferences. It is usually ok to leave this rule in a SOHO environment if there are no strict rules to block outgoing traffic.
57 | - If the admin needs to create port forwards (DNAT) to internal server, remember to add firewall forwarding rules to accept the traffic. from WAN to LAN on DNAT ip address.
58 | - Firewall stateful rule is enabled.
59 | - Firewall is in learning mode for all remaining forwarded traffic. This means all traffic is logged and then accepted. It is recommended to look at the logs marked as "IPTABLES-LOG-FORWARD:", allow what is needed with specific rules, then change the last rule to drop packets. LOG rule can be left enabled for a while so admin can monitor and adjust as needed. This log rule can be enabled and disabled as needed.
60 | - Change the last rule from ACCEPT to DROP once learning phase is completed, in order to avoid unwanted traffic to be forwarded.
61 |
62 | ### Filtering - output chain
63 |
64 | - Firewall stateful rule is enabled.
65 | - Firewall is in learning mode for all outgoing traffic. This means all traffic is logged and then accepted. It is recommended to look at the logs marked as "IPTABLES-LOG-OUTPUT:", allow what is needed with specific rules, then change the last rule to drop packets. LOG rule can be left enabled for a while so admin can monitor and adjust as needed. This LOG rule can be enabled and disabled as needed.
66 | - Change the last rule from ACCEPT to DROP once learning phase is completed, in order to avoid unwanted outgoing traffic from firewall.
67 |
68 | ### NAT - prerouting chain
69 |
70 | - No rules in this chain. This is where admin needs to create port forwards (DNAT) if needed.
71 |
72 | ### NAT - postrouting chain
73 |
74 | - A single rule in this chain, is the generic outgoing NAT rule (Masquerade).
75 | - If the admin needs site to site VPNs, it is important to add rules to allow packets from local LAN to remote LAN. These rules must be before the generic outgoing NAT rule. Those are usually referred as "nat exemption" rules.
76 |
77 | ## Enable Kernel Network Security options
78 |
79 | 1. Edit sysctl.conf
80 |
81 | ```nano /etc/sysctl.conf```
82 |
83 | 2. Add the following lines to sysctl.conf
84 |
85 | ```
86 | # Protect from IP Spoofing
87 | net.ipv4.conf.all.rp_filter = 1
88 | net.ipv4.conf.default.rp_filter = 1
89 |
90 | # Ignore ICMP broadcast requests
91 | net.ipv4.icmp_echo_ignore_broadcasts = 1
92 |
93 | # Protect from bad icmp error messages
94 | net.ipv4.icmp_ignore_bogus_error_responses = 1
95 |
96 | # Disable source packet routing
97 | net.ipv4.conf.all.accept_source_route = 0
98 | net.ipv6.conf.all.accept_source_route = 0
99 | net.ipv4.conf.default.accept_source_route = 0
100 | net.ipv6.conf.default.accept_source_route = 0
101 |
102 | # Turn on exec shield
103 | kernel.exec-shield = 1
104 | kernel.randomize_va_space = 1
105 |
106 | # Block SYN attacks
107 | net.ipv4.tcp_syncookies = 1
108 | net.ipv4.tcp_max_syn_backlog = 2048
109 | net.ipv4.tcp_synack_retries = 2
110 | net.ipv4.tcp_syn_retries = 5
111 |
112 | # Log Martians
113 | net.ipv4.conf.all.log_martians = 1
114 | net.ipv4.icmp_ignore_bogus_error_responses = 1
115 |
116 | # Ignore send redirects
117 | net.ipv4.conf.all.send_redirects = 0
118 | net.ipv4.conf.default.send_redirects = 0
119 |
120 | # Ignore ICMP redirects
121 | net.ipv4.conf.all.accept_redirects = 0
122 | net.ipv6.conf.all.accept_redirects = 0
123 | net.ipv4.conf.default.accept_redirects = 0
124 | net.ipv6.conf.default.accept_redirects = 0
125 | net.ipv4.conf.all.secure_redirects = 0
126 | net.ipv4.conf.default.secure_redirects = 0
127 | ```
128 |
129 |
130 | 3. Apply Changes without rebooting:
131 |
132 | ```sysctl -p```
133 |
134 |
135 | ## Disable distribution specific firewalls
136 |
137 | * Ubuntu UFW
138 | ```ufw disable```
139 |
140 | * CentOS/RHEL/Fedora
141 | ```
142 | systemctl stop firewalld
143 | systemctl mask firewalld
144 | ```
145 |
146 | ## Install and enable iptables services
147 |
148 | * Debian/Ubuntu
149 | ```
150 | apt-get install iptables-persistent
151 | service iptables start
152 | ```
153 |
154 | * CentOS/RHEL/Fedora
155 | ```
156 | yum install iptables-services
157 | service iptables start
158 | ```
159 |
160 | * Gentoo
161 | ```
162 | emerge --ask net-firewall/iptables
163 | rc-update add iptables default
164 | ```
165 |
166 | ## Saved rules
167 |
168 | For easy reference, this is where distribution specific iptables services save iptables rules.
169 |
170 | * Debian/Ubuntu
171 | ```
172 | /etc/iptables/rules.v4
173 | ```
174 |
175 | * CentOS/RHEL/Fedora
176 | ```
177 | /etc/sysconfig/iptables
178 | ```
179 |
180 | * Gentoo
181 | ```
182 | /var/lib/iptables/rules-save
183 | ```
184 |
185 | **Note for Webmin Users **. Webmin users can enjoy web based iptables management. However, the basic configuration of webmin iptables module, called "Linux Firewall", under "Networking" has its own way of starting, saving, and restoring iptables rules.
186 | Default webmin ipv4 rules location is:
187 | ```
188 | /etc/iptables.up.rules
189 | ```
190 |
191 | There are two easy ways to avoid conflicts and issues:
192 |
193 | 1. Use Webmin iptables management instead of installing distribution specific iptables services.
194 |
195 | 2. In order to coexist with distribution specific iptables services, it is recommended to change the webmin "Linux Firewall" "module config" options to match distribution specific iptables location. Please also note on main "Linux Firewall" page, keep the "Activate at boot" option to no, as distribution specific services will take care of this.
196 |
197 |
198 | ## iptables basic configuration
199 |
200 | As already stated in the recipe's scope, this is not an ultimate firewall configuration, just a starting point to have a working firewall with common policies. There are no port forwards and the only traffic allowed from outside is to reach openconnect server, installed on same box.
201 |
202 | 1. Copy the following in your firewall configuration file.
203 |
204 | ```
205 | *nat
206 | :INPUT ACCEPT [0:0]
207 | :PREROUTING ACCEPT [0:0]
208 | :OUTPUT ACCEPT [0:0]
209 | :POSTROUTING ACCEPT [0:0]
210 | # Generic NAT for LAN Network 192.168.5.0/24
211 | -A POSTROUTING -s 192.168.5.0/24 -o eth0 -j MASQUERADE
212 | COMMIT
213 |
214 | *mangle
215 | :PREROUTING ACCEPT [0:0]
216 | :INPUT ACCEPT [0:0]
217 | :FORWARD ACCEPT [0:0]
218 | :OUTPUT ACCEPT [0:0]
219 | :POSTROUTING ACCEPT [0:0]
220 | COMMIT
221 |
222 | *filter
223 | :INPUT ACCEPT [0:0]
224 | :FORWARD ACCEPT [0:0]
225 | :OUTPUT ACCEPT [0:0]
226 | # START INPUT RULES
227 | # Stateful Rule - INPUT
228 | -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
229 | # ACCEPT traffic from Loopback interface
230 | -A INPUT -i lo -j ACCEPT
231 | # ACCEPT SSH from LAN
232 | -A INPUT -p tcp -m tcp -i eth1 --dport 22 -j ACCEPT
233 | # ACCEPT DHCP from LAN
234 | -A INPUT -p udp -m udp -i eth1 --dport 67:68 -j ACCEPT
235 | # ACCEPT Webmin from LAN (Optional, only for Webmin users)
236 | -A INPUT -p tcp -m tcp -i eth1 --dport 10000 -j ACCEPT
237 | # ACCEPT DNS UDP From LAN
238 | -A INPUT -p udp -m udp -i eth1 --dport 53 -j ACCEPT
239 | # ACCEPT DNS TCP From LAN
240 | -A INPUT -p tcp -m tcp -i eth1 --dport 53 -j ACCEPT
241 | # ACCEPT ping from LAN
242 | -A INPUT -p icmp --icmp-type echo-request -i eth1 -j ACCEPT
243 | # ACCEPT OpenConnect TCP From WAN
244 | -A INPUT -p tcp -m tcp -i eth0 --dport 443 -j ACCEPT
245 | # ACCEPT OpenConnect UPD From WAN
246 | -A INPUT -p udp -m udp -i eth0 --dport 443 -j ACCEPT
247 | # DROP wan traffic
248 | -A INPUT -i eth0 -j DROP
249 | # LOG LAN
250 | -A INPUT -i eth1 -j LOG --log-prefix "IPTABLES-LOG-INPUT-LAN:" --log-level 4
251 | # ACCEPT LAN traffic - Learning rule - Should be changed to DROP once custom rules are created.
252 | -A INPUT -i eth1 -j ACCEPT
253 | # LAST RULE - DROP all traffic
254 | -A INPUT -j DROP
255 | # END INPUT RULES
256 |
257 | # START FORWARD RULES
258 | # Stateful Rule - FORWARD
259 | -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
260 | # ACCEPT LAN to WAN
261 | -A FORWARD -s 192.168.5.0/24 -j ACCEPT
262 | # LOG Forwarded traffic
263 | -A FORWARD -j LOG --log-prefix "IPTABLES-LOG-FORWARD:" --log-level 4
264 | # LAST RULE - ACCEPT all traffic - Should be changed to DROP once custom rules are created.
265 | -A FORWARD -j ACCEPT
266 | # END FORWARD RULES
267 |
268 | # START OUTPUT RULES
269 | # Stateful Rule - OUTPUT
270 | -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
271 | # LOG Outgoing traffic
272 | -A OUTPUT -j LOG --log-prefix "IPTABLES-LOG-OUTPUT:" --log-level 4
273 | # LAST RULE - ACCEPT all traffic - Should be changed to DROP once custom rules are created.
274 | -A OUTPUT -j ACCEPT
275 | # END OUTPUT RULES
276 | COMMIT
277 | ```
278 |
279 | 2. Check and apply rules
280 | It is recommended to have a look at the rules, and tweak them for specific needs before applying. Worth of notice, if ssh and webmin ports are not standard, firewall input rules should be changed to match. Failing to do so will result in admin being locked out.
281 | Once all rules are reviewed and changed as needed, admin can proceed and apply. the general command is:
282 |
283 | ```iptables-restore < /path/to/your/iptables/rules/file```
284 |
285 | ### Examples
286 |
287 | A few examples are given below.
288 |
289 | * Debian/Ubuntu
290 | ```
291 | iptables-restore < /etc/iptables/rules.v4
292 | ```
293 |
294 | * CentOS/RHEL/Fedora
295 | ```
296 | iptables-restore < /etc/sysconfig/iptables
297 | ```
298 |
299 | * Gentoo
300 | ```
301 | iptables-restore < /var/lib/iptables/rules-save
302 | ```
303 |
304 | **Note for webmin users**
305 | Webmin users can apply rules from web interface.
306 |
307 |
308 | ## Security Note on IPS/IDS system
309 |
310 | - Since Ocserv is the only exposed service on this server, a third party ISD/IPS system is not required. Ocserv includes client ban functionalities that can be easily customized. Please see ocserv.conf for more information, comments above each option are very clear.
311 | - It is good practice, especially if admin wants to expose ssh, webmin, or other services to the WAN, to install and configure Fail2Ban package. Fail2Ban will automatically block source IPs when monitored services receive failed logins or suspicious actions.
312 |
313 |
314 | ## Final notes
315 |
316 | This concludes **Ocserv Firewall - iptables IPv4** recipe. At this point iptables will allow Openconnect server to receive VPN connections from the WAN interface.
317 |
--------------------------------------------------------------------------------
/ocserv-firewall-shorewall-ipv4.md:
--------------------------------------------------------------------------------
1 | ## Ocserv Firewall - shorewall IPv4
2 |
3 | Author: Mauro Gaspari
4 |
5 | ###Scope
6 | This recipe provides a deployment example of shorewall (ipv4) for a GNU/Linux based router/firewall and ocserv as VPN server.
7 | This recipe does not claim to be a step-by-step guide or a shorewall tutorial, as there are plenty of those available online. Also, this recipe does not claim to be the best or most secure shorewall setup, but barely a starting point example for a GNU/Linux based router/firewall with Ocserv.
8 |
9 | ### Platforms used for testing
10 | This Recipe was tested on the following platforms:
11 |
12 | - Ubuntu Server 18.04LTS on amd64 architecture.
13 | - CentOS 7 on amd64 architecture.
14 | - openSUSE Tumbleweed on amd64 architecture.
15 |
16 |
17 | ### Assumptions
18 | - This recipe assumes the reader has a basic understanding of a GNU/Linux system and all commands are run from a privileged user. It is recommended to login the system using root. If not possible, execute "su root" or "sudo su" to get highest privileges.
19 | - The reader is applying ocserv to a GNU/Linux server that is already configured as a router.
20 |
21 | ### Requirements
22 | - The GNU/Linux server in the recipe is configured to work as a router. sysctl.conf is already configured with the line:
23 | ```
24 | net.ipv4.ip_forward = 1
25 | ```
26 | - The GNU/Linux server in the recipe has ocserv installed and configured. Please refer to if needed.
27 |
28 |
29 |
30 | ### Details on lab used on this recipe
31 | - network 192.169.5.0/24 (netmask 255.255.255.0)
32 | - ocserv ip 192.168.5.254
33 | - ocserv hostname fw01
34 | - ocserv WAN interface is eth0
35 | - ocserv LAN interface is eth1
36 | - ocserv ports for openconnect vpn are default TCP 443 and UDP 443
37 |
38 |
39 | ### Details on Firewall configuration
40 | - Traffic from LAN to WAN is allowed
41 | - Traffic from LAN to Firewall is allowed
42 | - Traffic from WAN to LAN is denied
43 | - Traffic from WAN to Firewall is denied (exception of ocserv ports TCP/UDP 443
44 | - Traffic from VPN to LAN is allowed
45 | - Traffic from LAN to VPN is allowed
46 | - Traffic from VPN to Firewall is allowed
47 |
48 |
49 |
50 | ### Disable distribution specific firewalls
51 |
52 | **Ubuntu ufw**
53 | ```
54 | ufw disable
55 | ```
56 |
57 | **CentOS/RHEL/Fedora/openSUSE**
58 |
59 | ```
60 | systemctl stop firewalld
61 | systemctl mask firewalld
62 | ```
63 |
64 | ### Install shorewall services
65 |
66 | **Debian/Ubuntu**
67 |
68 | ```
69 | apt-get install shorewall
70 | ```
71 |
72 | **CentOS/RHEL/Fedora**
73 | ```
74 | yum install iptables-services
75 | ```
76 |
77 | **openSUSE**
78 |
79 | ```
80 | zypper in shorewall shorewall-docs
81 | ```
82 |
83 | ### Shorewall configuration example
84 | Refer to the below examples for a functioning shorewall with ocserv.
85 | **Note for shorewall configuration:** Shorewall configurations are stored in a few files, usually in the folder /etc/shorewall . If the folder is empty, refer to your distribution shorewall man page, copy sample files from documentation folder to /etc/shorewall.
86 | You can also refer to official shorewall documentation:
87 |
88 | **Shorewall master configuration file**
89 | Edit master configuration file and enable startup option: /etc/shorewall/shorewall.conf
90 | ```
91 | ###############################################################################
92 | # S T A R T U P E N A B L E D
93 | ###############################################################################
94 |
95 | STARTUP_ENABLED=Yes
96 | ```
97 |
98 |
99 |
100 | **Shorewall zones**
101 | Sample for /etc/shorewall/zones
102 | ```
103 | #------------------------------------------------------------------------------
104 | # For information about entries in this file, type "man shorewall-zones"
105 | ###############################################################################
106 | #ZONE TYPE OPTIONS IN OUT
107 | # OPTIONS OPTIONS
108 | fw firewall
109 | net ipv4
110 | loc ipv4
111 | ocs ipv4
112 | ```
113 |
114 | **Shorewall interfaces**
115 | Sample for /etc/shorewall/interfaces
116 | ```
117 | # For information about entries in this file, type "man shorewall-interfaces"
118 | ###############################################################################
119 | ?FORMAT 2
120 | ###############################################################################
121 | #ZONE INTERFACE OPTIONS
122 | net NET_IF dhcp,tcpflags,nosmurfs,routefilter,logmartians,sourceroute=0,physical=eth0
123 | loc LOC_IF tcpflags,nosmurfs,routefilter,logmartians,physical=eth1
124 | ocs OCS_IF physical=vpns+
125 | ```
126 |
127 | **Shorewall policy**
128 | Sample for /etc/shorewall/policy
129 | ```
130 | #------------------------------------------------------------------------------
131 | # For information about entries in this file, type "man shorewall-policy"
132 | ###############################################################################
133 | #SOURCE DEST POLICY LOGLEVEL RATE CONNLIMIT
134 |
135 | loc net ACCEPT
136 | loc fw ACCEPT
137 | net all DROP $LOG_LEVEL
138 | fw all ACCEPT
139 | loc ocs ACCEPT
140 | ocs loc ACCEPT
141 | ocs fw ACCEPT
142 | # THE FOLOWING POLICY MUST BE LAST
143 | all all REJECT $LOG_LEVEL
144 | ```
145 |
146 |
147 | **Shorewall rules**
148 | Sample for /etc/shorewall/rules
149 | ```
150 | #------------------------------------------------------------------------------
151 | # For information about entries in this file, type "man shorewall-rules"
152 | ###############################################################################################################################################################>
153 | #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME >
154 | # PORT PORT(S) DEST LIMIT GROUP
155 | ?SECTION ALL
156 | ?SECTION ESTABLISHED
157 | ?SECTION RELATED
158 | ?SECTION INVALID
159 | ?SECTION UNTRACKED
160 | ?SECTION NEW
161 |
162 | # Don't allow connection pickup from the net
163 | #
164 | Invalid(DROP) net all tcp
165 | #
166 | # Accept DNS connections from the firewall to the network
167 | #
168 | DNS(ACCEPT) $FW net
169 | #
170 | # Accept SSH connections from the local network for administration
171 | #
172 | SSH(ACCEPT) loc $FW
173 | #
174 | # Accept connections on port 443 (TCP and UDP) for OpenConnect Server
175 | #
176 | ACCEPT all $FW tcp 443
177 | ACCEPT all $FW udp 443
178 | #
179 | #
180 | # PING SECTION
181 | #
182 | # Allow Ping from the local network
183 | #
184 | Ping(ACCEPT) loc $FW
185 | #
186 | # Drop Ping from the "bad" net zone.. and prevent your log from being flooded..
187 | #
188 | Ping(DROP) net $FW
189 | ACCEPT $FW loc icmp
190 | ACCEPT $FW net icmp
191 | ```
192 |
193 | **Shorewall snat**
194 | Sample for /etc/shorewall/snat
195 | ```
196 | #------------------------------------------------------------------------------
197 | # For information about entries in this file, type "man shorewall-snat"
198 | #
199 | # See http://shorewall.net/manpages/shorewall-snat.html for more information
200 | ###########################################################################################################################################
201 | #ACTION SOURCE DEST PROTO PORT IPSEC MARK USER SWITCH ORIGDEST PROBABILITY
202 | #
203 | # Rules generated from masq file /home/teastep/shorewall/trunk/Shorewall/Samples/two-interfaces/masq by Shorewall 5.0.13-RC1 - Sat Oct 15 11:41:40 PDT 2016
204 | #
205 | MASQUERADE 10.0.0.0/8,\
206 | 169.254.0.0/16,\
207 | 172.16.0.0/12,\
208 | 192.168.0.0/16 NET_IF
209 | ```
210 |
211 | **Shorewall stoppedrules**
212 | Sample for /etc/shorewall/stoppedrules
213 | ```
214 | #------------------------------------------------------------------------------
215 | # For information about entries in this file, type "man shorewall-stoppedrules"
216 | ###############################################################################
217 | #ACTION SOURCE DEST PROTO DEST SOURCE
218 | # PORT(S) PORT(S)
219 | ACCEPT LOC_IF -
220 | ACCEPT - LOC_IF
221 | ```
222 |
223 | ###Test configuration, save and apply
224 | ** Test configuration**
225 | Once configuration is completed, proceed and test it:
226 | ```
227 | shorewall check
228 | ```
229 |
230 | **Start shorewall**
231 | If there are no errors in shorewall check, proceed and start/restart shorewall:
232 | ```
233 | shorewall restart
234 | ```
235 |
236 | **Check shorewall status**
237 | ```
238 | shorewall status
239 | ```
240 |
241 | **Backup shorewall configuration**
242 | ```
243 | shorewall save
244 | ```
245 |
246 | **Enable shorewall to start on system boot**
247 | ```
248 | systemctl enable shorewall.service
249 | ```
250 |
251 | ### Final Test
252 | In order to make sure everything is properly configured, a system reboot is recommended. Check that all services are started after boot, and that shorewall and ocserv are working as intended.
253 |
254 | ** Note for Webmin Users **
255 | Webmin users can enjoy web based shorewall management.
256 |
257 | ### Security Note on IPS/IDS system
258 | - Since Ocserv is the only exposed service on this server, a third party ISD/IPS system is not required. Ocserv includes client ban functionalities that can be easily customized. Please see ocserv.conf for more information, comments above each option are very clear.
259 | - It is good practice, especially if admin wants to expose ssh, webmin, or other services to the WAN, to install and configure Fail2Ban package. Fail2Ban will automatically block source IPs when monitored services receive failed logins or suspicious actions.
260 |
261 | ### Conclusion and final notes
262 | This concludes **Ocserv Firewall - shorewall IPv4** recipe. At this point shorewall will allow Openconnect server to receive VPN connections from the WAN interface.
263 | If you want to learn more, you can find Ocserv recipes here:
264 |
265 | ### Appendix A. Shorewall configuration for letsencrypt
266 |
267 | - Traffic to firewall port TCP 80 is allowed from wan, to allow letsencrypt updates. Note that firewall opens the port but web server is closed most of the time. web server will be brougt up only during certificate renewal.
268 | - An example to open port TCP 80 is provided, so that port TCP 80 is in stealth mode most of the time, and traffic allowed only during certificate renewal.
269 |
270 |
271 | #### Shorewall rules for letsencrypt - Standard rule
272 | - open ports by adding the below lines in shorewall rules file: /etc/shorewall/rules .
273 | - port 80 is needed for letsencrypt. A temporary website will be enabled by certbot only during certificate creation or renewal. Therefore port 80 shows as closed from external port scans. If you want to keep port 80 in stealth mode instead of closed, see paragraph below.
274 | ```
275 | ACCEPT net $FW tcp 80
276 | ```
277 |
278 | #### Shorewall rules for letsencrypt - Stealth port rule
279 | If you prefer port 80 to be in stealth mode instead of showing up as closed from external port scans, use the rules in the example below. Note that with the rule below, http port accepts traffic only between 00:10 and 00:20. Port 80 will be in stealth mode outside of the 10 minutes specified in the rule. And even during the 10 minutes, the port will still be closed, unless letsencrypt opens it for a few seconds to renew certificates.
280 | Further tweaking such as day of the week, month, and more can be done in shorewall. Refer to official documentation . **NOTE** Make sure that accept time matches crontab entry for letsencrypt certificates renewal.
281 | ```
282 | ACCEPT net $FW tcp 80 - - - - - - localtz×tart=00:10×top=00:20
283 | ```
284 |
285 | #### Restart shorewall to apply changes
286 | - Once firewall rules are changed, do not forget to check, restart, and save shorewall rules:
287 | ```
288 | shorewall check
289 | shorewall restart
290 | shorewall save
291 | ```
292 |
--------------------------------------------------------------------------------
/ocserv-freeipa.md:
--------------------------------------------------------------------------------
1 | # Integrating ocserv with [FreeIPA](https://www.freeipa.org)
2 |
3 | Author: Nikos Mavrogiannopoulos
4 |
5 |
6 | ## Introduction
7 | FreeIPA is an identity and policy management solution for POSIX based systems
8 | based on Kerberos. This document provides instructions to take advantage of the
9 | FreeIPA infrastructure when setting up ocserv. Such a combination simplifies
10 | the management of properties such as second factor authentication, either
11 | via passwords, or certificates. In addition it can be used to achieve
12 | [single sign-on](https://securityblog.redhat.com/2015/06/17/single-sign-on-with-openconnect-vpn-server-over-freeipa/).
13 |
14 | Note that, it is recommended to have the VPN server on a separate system than the
15 | FreeIPA master server, and the following instructions make that assumption.
16 |
17 | ## Setting the server up
18 |
19 | ### Setting up the Kerberos principal
20 |
21 | It is needed to add a new Principal into Kerberos to be used by the VPN server.
22 | As OpenConnect VPN presents HTTPS end-point, a recommended Kerberos principal
23 | should be HTTP/server. If for example, your server is 'vpn.example.com' you may
24 | use the following instructions.
25 |
26 | ```
27 | ipa service-add HTTP/vpn.example.com
28 | ipa-getkeytab -s vpn.example.com -p HTTP/vpn.example.com -k /etc/ocserv/key.tab
29 | ```
30 |
31 | These commands also extract the keytab to be used by ocserv and store it in
32 | /etc/ocserv/key.tab. That contains the Kerberos keys relevant to that principal.
33 |
34 |
35 | ### Setting up the server certificate
36 |
37 | FreeIPA acts a CA for its clients, so it is natural to sign the server's
38 | certificate with it. The following commands generate a server certificate request
39 | and pass it to FreeIPA for signing.
40 |
41 | ```
42 | certtool --generate-privkey --outfile /etc/ocserv/server-key.pem
43 | cat << _EOF_ >server.tmpl
44 | cn = "vpn.example.com"
45 | signing_key
46 | tls_www_server
47 | encryption_key
48 | _EOF_
49 | certtool --generate-request --load-privkey /etc/ocserv/server-key.pem \
50 | --outfile server.csr --template server.tmpl
51 | ipa cert-request --principal HTTP/vpn.example.com server.csr
52 | ipa service-show HTTP/vpn.example.com --out=/etc/ocserv/server-cert.pem
53 | ```
54 |
55 | To enable the certificates generated you'll need to set the following
56 | two lines in /etc/ocserv/ocserv.conf.
57 | ```
58 | server-cert = /etc/ocserv/server-cert.pem
59 | server-key = /etc/ocserv/server-key.pem
60 | ```
61 |
62 | To automatically renew the server certificate when it expires the following
63 | command is required.
64 | ```
65 | ipa-getcert request -f /etc/ocserv/server-cert.pem -k /etc/ocserv/server-key.pem -r
66 | ```
67 |
68 |
69 | ### Setting up OpenConnect server
70 |
71 | To enable logins with either Kerberos tickets or passwords checked via PAM with SSSD, it is required to
72 | instruct ocserv to use PAM and GSSAPI for authentication. That can be done with the following two lines in /etc/ocserv/ocserv.conf.
73 |
74 | ```
75 | auth = pam
76 | enable-auth = gssapi[keytab=/etc/ocserv/key.tab,require-local-user-map=true,tgt-freshness-time=360]
77 | ```
78 |
79 | That will set the primary authentication method based on PAM, and make Kerberos (via GSSAPI)
80 | a sufficient for login authentication method.
81 | It is also important to modify /etc/pam.d/ocserv to use SSSD for authentication. This
82 | is system-specific. A typical Fedora system by default will use SSSD on the host enrolled into
83 | FreeIPA, as shown below.
84 |
85 | ```
86 | #%PAM-1.0
87 | auth include password-auth
88 | account required pam_nologin.so
89 | account include password-auth
90 | session include password-auth
91 | ```
92 |
93 | Alternatively, to require users to present a certificate for VPN login, the following lines are
94 | required in ocserv.conf. That would require the user to present a signed by IPA certificate in
95 | addition to their password or any Kerberos ticket. That effectively, enables [second factor authentication](ocserv-2fa.md)
96 | with smart cards.
97 |
98 | ```
99 | auth = certificate
100 | ca-cert = /etc/ipa/ca.crt
101 | crl = /etc/ocserv/MasterCRL.bin
102 | cert-user-oid = 2.5.4.3
103 | ```
104 |
105 | Since the CRL isn't available as a file in the filesystem you'll need to
106 | download the URL using a periodic cron job from the URL shown below, and then move
107 | the file to the expected location (/etc/ocserv/MasterCRL.bin).
108 |
109 | ```
110 | wget https://master.ipa.example.com/ipa/crl/MasterCRL.bin
111 | mv MasterCRL.bin /etc/ocserv/
112 | ```
113 |
114 | Note that, for versions of ocserv prior to 0.10.9 the Master CRL will have to be converted
115 | to PEM format.
116 |
117 |
118 | ### Setting up single sign-on with MS-KKDCP
119 |
120 | The MS-KKDCP proxy protocol is a protocol which allows access to the Kerberos
121 | authentication server (KDC) via HTTPS. That enables users to obtain Kerberos tickets
122 | even when outside the local network, allowing them to also login to VPN with their ticket, thus
123 | achieving single sign-on.
124 | For that reason, ocserv provides optionally an MS-KKDCP proxy. To enable it the following
125 | lines in /etc/ocserv/ocserv.conf are required. You’ll need to replace the KERBEROS.REALM
126 | with your realm and the master IPA (KDC) address.
127 |
128 | ```
129 | kkdcp = /KdcProxy KERBEROS.REALM tcp@KDC-IP-ADDRESS:88
130 | ```
131 |
132 |
133 | ## Setting the client up
134 |
135 | This section is identical to the [Kerberos document](ocserv-kerberos.md#setting-the-client-up).
136 |
137 |
--------------------------------------------------------------------------------
/ocserv-installation-CentOS-RHEL-Fedora.md:
--------------------------------------------------------------------------------
1 | ## Ocserv Installation - CentOS, RHEL, Fedora
2 |
3 | Author: Mauro Gaspari
4 |
5 |
6 | ### Scope
7 | This recipe provides step by step instructions on how to install ocserv from EPEL repository on
8 | RHEL and CentOS operating systems.
9 |
10 | ### Platforms used for testing
11 | This Recipe was tested on the following platforms:
12 |
13 | - CentOS 7 on amd64 architecture
14 | - Fedora 25 on amd64 architecture
15 |
16 |
17 | ### Assumptions
18 |
19 | This recipe assumes the reader has a basic understanding of a GNU/linux system and all commands are
20 | run from a privileged user. It is recommended to login the system using root. If not possible,
21 | execute "su root" or "sudo -s" to get highest privileges.
22 |
23 |
24 | ### Requirements
25 |
26 | - During this recipe, CentOS and RHEL users will be asked to add the EPEL repository on Centos and RHEL. ocserv and radcli packages are only available on EPEL repository.
27 | - Fedora users do not need to add EPEL repository. ocserv and radcli packages are available on Fedora repositories.
28 |
29 |
30 | ### Installation - CentOS and RHEL
31 |
32 | 1. Add EPEL repository to CentOS, or [see instructions for RHEL](https://fedoraproject.org/wiki/EPEL)
33 |
34 | ```yum install epel-release```
35 |
36 | 2. Confirm the repository when asked.
37 |
38 | 3. Check if the EPEL repository is enabled
39 |
40 | ```yum repolist enabled ```
41 |
42 | 4. Check if ocserv is available for install:
43 |
44 | ```yum info ocserv```
45 |
46 | 5. Install ocserv. This will install ocserv and its dependencies, including radcli radius libraries.
47 |
48 | ```yum install ocserv```
49 |
50 | ### Installation - Fedora
51 |
52 |
53 | 1. Check if ocserv is available for install:
54 |
55 | ```dnf info ocserv```
56 |
57 | 1. Install ocserv. This will install ocserv and its dependencies, including radcli radius libraries.
58 |
59 | ```dnf install ocserv```
60 |
61 |
62 | ### Final notes
63 |
64 | This concludes **Ocserv Installation - CentOS, RHEL, Fedora** recipe. At this point Openconnect server should be ready to be configured.
65 |
66 |
--------------------------------------------------------------------------------
/ocserv-installation-Debian-Ubuntu.md:
--------------------------------------------------------------------------------
1 | ## Ocserv Installation - Debian, Ubuntu
2 | Author: Mauro Gaspari
3 |
4 |
5 | ### Scope
6 |
7 | This recipe provides step by step instructions on how to install ocserv repositories on Debian and Ubuntu operating systems.
8 |
9 | ### Platforms used for testing
10 |
11 | This Recipe was tested on the following platforms:
12 |
13 | - Debian 8 (testing) on amd64 architecture
14 | - Ubuntu 16.04 LTS on amd64 architecture
15 |
16 |
17 | ### Assumptions
18 |
19 | - This recipe assumes the reader has a basic understanding of a GNU/linux system and all commands are run from a privileged user. It is recommended to login the system using root.If not possible, execute "su root" or "sudo su" to get highest privileges.
20 |
21 |
22 | ### Requirements
23 |
24 | - During this recipe, Ubuntu users will be asked to check and enable "universe" repository. Please note that Ubuntu 16.04 LTS is the first ubuntu version that includes ocserv and radcli in its repositories.
25 | - At the time of writing the recipe, Debian 8 stable does not include ocserv and radcli packages. Jessie-Backports includes radcli but not ocserv. In order to install ocserv and radcli from Debian 8 repositories, it is necessary to be on testing or unstable. This recipe assumes user has testing repositories installed and enabled.
26 | - Debian/Ubuntu package currently available on repositories does not support radius authentication. If radius authentication is required, it is recommended to skip this recipe and install from sources. Refer to http://www.infradead.org/ocserv/recipes-ocserv-installation-generic.html and http://www.infradead.org/ocserv/recipes-ocserv-configuration-basic.html .
27 |
28 |
29 | ### Installation - Debian (testing or unstable)
30 |
31 | 1. Check that Debian repositories are configured for either "testing" or "stretch". As previously mentioned, "unstable" or "sid" also works.
32 |
33 | ```cat /etc/apt/sources.list```
34 |
35 | 2. Update apt cache
36 |
37 | ```apt-get update```
38 |
39 | 3. Check if ocserv is available for install:
40 |
41 | ```apt-cache show ocserv```
42 |
43 | 5. Install ocserv. This will install ocserv and its dependencies, however radcli will not be automatically installed. Currently Debian/Ubuntu ocserv package does not support radius authentication.
44 |
45 | ```apt-get install ocserv```
46 |
47 | ### Installation - Ubuntu (required minimum is 16.04 LTS)
48 |
49 | 1. Check that Ubuntu "universe" repository is enabled. Edit the file and uncomment repository if needed.
50 |
51 | ```cat /etc/apt/sources.list```
52 |
53 | 2. Update apt cache
54 |
55 | ```apt-get update```
56 |
57 | 3. Check if ocserv is available for install:
58 |
59 | ```apt-cache show ocserv```
60 |
61 | 5. Install ocserv. This will install ocserv and its dependencies, however radcli will not be automatically installed. Currently Debian/Ubuntu ocserv package does not support radius authentication.
62 |
63 | ```apt-get install ocserv```
64 |
65 | ### Final notes
66 |
67 | This concludes the **Ocserv Installation - Debian, Ubuntu** recipe. At this point Openconnect server should be ready to be configured.
68 |
69 |
--------------------------------------------------------------------------------
/ocserv-installation-generic.md:
--------------------------------------------------------------------------------
1 | ## Ocserv Installation - Generic
2 |
3 | Author: Mauro Gaspari
4 |
5 |
6 | ### Scope
7 | This recipe provides step by step instructions on how to install ocserv from archives available
8 | on Openconnect server webpage. No precompiled binary packages will be used, therefore this recipe
9 | applies to all linux distributions.
10 |
11 | ### Platforms used for testing
12 | This Recipe was tested on the following platforms:
13 |
14 | - Debian 8 (systemd) on armhf architecture.
15 | - Ubuntu Server 15.10 (systemd) on amd64 architecture.
16 | - Gentoo (openRC) on amd64 architecture.
17 |
18 | ### Assumptions
19 |
20 | - This recipe assumes the reader has a basic understanding of a linux system and all commands are
21 | run from a privileged user. It is recommended to login the system using root. If not possible,
22 | execute "su root" or "sudo su" to get highest privileges.
23 | - Software needed to compile from source is required, please refer to distribution specific guides
24 | to install needed packages. For example, in Fedora use ```yum install ocserv```, and in Debian ```apt-get install ocserv```.
25 | - The reader is applying ocserv to a linux server that is already configured as a router and has
26 | a firewall running (iptables, shorewall, or other).
27 | - Throughout this recipe, version number will be x.xx.x . Replace x.xx.x on all steps below with
28 | preferred version number.
29 |
30 | ### Requirements
31 | Openconnect VPN server (ocserv) depends on the following packages:
32 |
33 | See [ocserv's development site](https://gitlab.com/ocserv/ocserv) for the list of
34 | required packages.
35 |
36 | #### Debian/Ubuntu Installation
37 |
38 | See [ocserv's development site](https://gitlab.com/ocserv/ocserv) for the list of
39 | required packages in Debian.
40 |
41 | ```
42 | apt-get install [list of Debian packages]
43 | ```
44 |
45 | #### Fedora/CentOS Installation
46 |
47 | See [ocserv's development site](https://gitlab.com/ocserv/ocserv) for the list of
48 | required packages in Fedora.
49 |
50 | ```
51 | yum install [list of Fedora packages]
52 | ```
53 |
54 | #### Gentoo
55 |
56 | This section translates the dependencies as seen in the [ocserv's development site](https://gitlab.com/ocserv/ocserv)
57 | for Gentoo. For any discrepancies please check the original source.
58 |
59 | * Required Packages
60 | ```
61 | GNUTLS: net-libs/gnutls
62 | ```
63 |
64 | * Recommended Packages
65 | ```
66 | TCP Wrappers: sys-apps/tcp-wrappers
67 | PAM: sys-libs/pam
68 | LZ4: app-arch/lz4
69 | seccomp: sys-libs/libseccomp
70 | occtl: sys-libs/readline, dev-libs/libnl
71 | GSSAPI: app-crypt/mit-krb5
72 | OATH: sys-auth/oath-toolkit
73 | Nettle: dev-libs/nettle
74 | dev-libs/protobuf-c
75 | sys-devel/autogen
76 | net-libs/http-parser
77 | dev-util/gperf
78 | app-misc/lockfile-progs
79 | sys-libs/uid_wrapper
80 | net-libs/socket_wrapper
81 | dev-libs/libev
82 | dev-libs/libevdev
83 | ```
84 |
85 | To install use the following command.
86 |
87 | ```
88 | emerge --ask net-libs/gnutls sys-apps/tcp-wrappers sys-libs/pam app-arch/lz4 sys-libs/libseccomp sys-libs/readline dev-libs/libnl app-crypt/mit-krb5 sys-auth/oath-toolkit dev-libs/nettle dev-libs/protobuf-c sys-devel/autogen net-libs/http-parser dev-util/gperf app-misc/lockfile-progs sys-libs/uid_wrapper net-libs/socket_wrapper dev-libs/libev dev-libs/libevdev
89 | ```
90 |
91 | ### Network settings used on this recipe
92 | - network 192.169.5.0/24 (netmask 255.255.255.0)
93 | - ocserv ip 192.168.5.254
94 | - ocserv hostname fw01
95 |
96 |
97 | ### Installation
98 | NOTE for RADIUS users: In order to use RADIUS authentication, necessary RADIUS libraries
99 | must be installed before ocserv is compiled. Please refer to specific recipe: [Ocserv Authentication - RADIUS](ocserv-authentication-radius-radcli.md)
100 | for detailed instructions on RADIUS libraries installation and configuration.
101 |
102 | NOTE - SECCOMP: If configuration fails, it could be an error with libseccomp version, or
103 | platform that does not support seccomp. In this case you might want to try to compile without
104 | seccomp support:
105 | ```
106 | ./configure --sysconfdir=/etc/ --disable-seccomp && make && make install
107 | ```
108 |
109 | NOTE - sources and installation directory: I recommend using the /usr/local/src/ocserv/ folder
110 | to store downloaded ocserv versions. Keeping a copy here will use up some space, but will be useful
111 | to recompile or remove ocserv later on.
112 |
113 | Although the commands in this documente will use /etc/ocserv as a location for configuration files,
114 | using /usr/local/etc/ocserv/ would separate the compiled version from other software
115 | installed via distribution package managers.
116 |
117 | 1. Create and move to /usr/local/src/ocserv folder
118 | ```
119 | mkdir /usr/local/src/ocserv
120 | cd /usr/local/src/ocserv
121 | ```
122 |
123 | 2. Check available ocserv versions on: ftp://ftp.infradead.org/pub/ocserv/
124 |
125 | 3. Download ocserv from OpenConnect server:
126 | ```
127 | wget ftp://ftp.infradead.org/pub/ocserv/ocserv-x.xx.x.tar.xz
128 | ```
129 |
130 | 4. Extract the archive:
131 | ```
132 | tar xvf ocserv-x.xx.x.tar.xz
133 | ```
134 |
135 | 5. Move to ocserv-x.xx.x directory
136 | ```
137 | cd ocserv-x.xx.x
138 | ```
139 |
140 | 6. Compile ocserv
141 | ```
142 | ./configure --sysconfdir=/etc/ && make && make install
143 | ```
144 |
145 | 7. Create /usr/local/etc/ocserv folder
146 | ```
147 | mkdir /usr/local/etc/ocserv
148 | ```
149 |
150 | 8. copy configuration sample to /etc/ocserv folder
151 | ```
152 | cp /usr/share/doc/ocserv/doc/sample.config /etc/ocserv/ocserv.config
153 | ```
154 |
155 | ### Final notes
156 | This concludes **Ocserv Installation - Generic ** recipe. At this point Openconnect server should
157 | be ready to be configured. See [Ocserv's configuration guide for more information](ocserv-configuration-basic.md).
158 |
--------------------------------------------------------------------------------
/ocserv-ip-phone.md:
--------------------------------------------------------------------------------
1 | # VoIP network with ocserv
2 |
3 | Author: Nikos Mavrogiannopoulos
4 |
5 | In this scenario we describe a VPN server which is setup to provide
6 | access to an existing VoIP network, i.e., to a SIP server (e.g., asterisk or freeswitch).
7 | We will not get into details of setting up the SIP server; we assume it is there
8 | and it works. The VPN server will allow remote users to access the
9 | SIP server in a secure and efficient way for VoIP telephony.
10 | We assume the following setup.
11 |
12 | ```
13 |
14 | 10.10.1.20
15 | server: sip.example.com
16 | ------------
17 | |SIP Server|
18 | ------------
19 |
20 | 10.10.1.0/24
21 | domain: .example.com
22 | name: vpn.example.com
23 | ------------
24 | |VPN Server|
25 | ------------
26 | / \
27 | / \
28 | ---------------- ---------------
29 | |OpenWRT router| |VPN/SIP Phone|
30 | ---------------- ---------------
31 | |
32 | |
33 | -----------
34 | |SIP Phone|
35 | -----------
36 | ```
37 |
38 | ## Prerequisites
39 |
40 | The following instructions require at least ocserv 0.11.15. Two setups
41 | will be presented. The first will use OpenWRT as an intermediate to access
42 | the SIP server over VPN, while the second will use SIP phones which include
43 | support for OpenConnect.
44 |
45 | For the first setup, the hardware that is needed is:
46 |
47 | * [An OpenWRT router](https://wiki.openwrt.org/toh/start)
48 | * Any SIP phone
49 |
50 | While the latter setup requires:
51 |
52 | * CISCO SPA525G or SPA525G2 (these models include an OpenConnect client)
53 |
54 |
55 | ## Configuration
56 |
57 | ### VPN server
58 |
59 | Nothing particularly interesting is needed on the server setup. The
60 | server only needs to provide access to the SIP server. For
61 | authentication, it is recommended to allow password authentication
62 | (either via radius, PAM or plain), since it will simplify the setup of the
63 | clients described in the next sections.
64 |
65 | ```
66 | split-dns = site1.com
67 | ipv4-network = 172.17.163.0/24
68 |
69 | route = 10.10.1.0/24
70 | ```
71 |
72 | The 'ipv4-network' entry contains the addresses that the VPN clients will
73 | be assigned to. The 'route' entry adds the routes that are directly routed by
74 | the VPN server; in our case it must route to the SIP server.
75 |
76 | Some hints for the rest of configuration options which relate to VoIP,
77 | follow. It is recommended to set ```compression = false``` since attempting
78 | to compress will increase latency which is undesirable for VoIP. If
79 | compression is required, utilize the ```no-compress-limit``` option and
80 | adjust it to the average size of RTP packets across the network. The default
81 | value of 256-bytes should be sufficient for common codecs.
82 |
83 | The default value of ```output-buffer``` in ocserv is adjusted for an average
84 | performance in VoIP and throughput (downloading). If you experience latency
85 | issues, you may want to experiment with different values. The lower the
86 | value of ```output-buffer```, the lower the latency, as well as throughput.
87 |
88 | The hardware of the server is also important for latency. If the server
89 | provides hardware accelerated AES (e.g., x86-64 with AES-NI). It is best
90 | to ensure that the version of gnutls used in the server includes
91 | acceleration for the particular hardware. A way to check is the following.
92 | ```
93 | $ GNUTLS_DEBUG_LEVEL=4 gnutls-cli -v
94 | ```
95 |
96 | The output will be something like:
97 | ```
98 | gnutls[2]: Enabled GnuTLS 3.5.5 logging...
99 | gnutls[2]: getrandom random generator was detected
100 | gnutls[2]: Intel SSSE3 was detected
101 | gnutls[2]: Intel AES accelerator was detected
102 | gnutls[2]: Intel GCM accelerator (AVX) was detected
103 | ```
104 |
105 | ### VPN/SIP Phone setup
106 |
107 | #### Setting up VPN on the phone
108 |
109 | The CISCO SPA525G series of phones can only be configured with a fixed
110 | username-password pair, and as such the server must be configured to allow
111 | plain username and password combinations.
112 |
113 | To set it up, on the phone menu (after clicking the button that looks like a 'file') select:
114 | Network configuration -> VPN
115 |
116 | Then on the ```VPN Server``` field set the VPN server's external name
117 | (e.g., vpn.example.com), and then set the ```User name``` and ```Password
118 | fields```. For servers that are available in alternative to 443 ports, it
119 | may be possible to set the server name as vpn.example.com:PORT, though I
120 | have not test this setup.
121 |
122 | Then select ```Enable Connection``` and if that works check ```Connect on bootup```.
123 |
124 | #### Setting up SIP on the phone
125 |
126 | Once the VPN connection is established on the phone you should setup the SIP
127 | accounts. These are available through the web (administrator) interface. As
128 | this information depends on the SIP server we skip that step.
129 |
130 |
131 |
132 | ### OpenWRT Router setup
133 |
134 | #### Setting up OpenWRT
135 |
136 | There are two ways to setup OpenWRT as an openconnect VPN client. Via the
137 | ```luci-proto-openconnect``` package or manually via the the
138 | ```openconnect``` package. In this section we describe the former method via
139 | the web interface. For the manual configuration see
140 | [the openconnect package documentation](https://github.com/openwrt/packages/tree/master/net/openconnect).
141 |
142 | We assume basic knowledge of OpenWRT and accessing its web interface.
143 |
144 | After installing the ```luci-proto-openconnect``` package, go to the web
145 | interface at the Network -> Firewall menu. Click on the 'Add new zone'
146 | option, name it something related to VPN and enable forwarding to and from
147 | the LAN zone.
148 |
149 | Then save and switch to the Network -> Interfaces menu. At this page
150 | click the 'Add new interface' option and you will be redirected to a new
151 | page. There you must name the interface (use something related to VPN), and
152 | on the Protocol field select the 'OpenConnect (CISCO Anyconnect
153 | compatible)' option.
154 |
155 | After submitting you will be asked to set the VPN server name
156 | (vpn.example.com), port, which typically is 443, and username and
157 | password of the VPN user. You must also fill the 'VPN Server's certificate SHA1
158 | hash' option. This can be done the following way.
159 | One your Linux PC type the following commands.
160 | ```
161 | $ /usr/sbin/openconnect vpn.example.com
162 | .
163 | .
164 | .
165 | Certificate from VPN server "vpn.example.com" failed verification.
166 | Reason: signer not found
167 | Enter 'yes' to accept, 'no' to abort; anything else to view:
168 | ```
169 |
170 | Type enter and you will see more information about the server's certificate.
171 | What you need is the server's key hash which is displayed on the last lines.
172 | ```
173 | .
174 | .
175 | .
176 | Server key hash: sha1:6c4a751c55b59756fbcdb0de0a27598b0b34be48
177 | ```
178 |
179 | Then copy paste the ```sha1:6c4a751c55b59756fbcdb0de0a27598b0b34be48``` to
180 | the 'VPN Server's certificate SHA1 hash' field. If you are an administrator
181 | making instructions for users to setup their routers, a more secure alternative
182 | is to use the command ```certtool --key-id --infile server-cert.pem``` on
183 | the server certificate, and provide the output value (with 'sha1:' prepended
184 | to it), to the users setting OpenWRT up.
185 |
186 | After entering all the information above on the 'General Setup' tab click
187 | on the firewall settings, select the zone previously created, and click
188 | 'Save and Apply'.
189 |
190 | If everything was entered correctly, you should be able to ping the SIP server's
191 | internal IP, i.e., ```ping sip.example.com``` or ```ping 10.100.1.20```
192 | should work.
193 |
194 | #### Setting up the SIP phone
195 |
196 | Once the VPN connection is established on the OpenWRT router any SIP phone
197 | connected behind the OpenWRT router should be able to connect to the SIP
198 | server on ```sip.example.com``` as if it was on the same LAN.
199 |
200 |
--------------------------------------------------------------------------------
/ocserv-kerberos.md:
--------------------------------------------------------------------------------
1 | # Using Kerberos authentication with ocserv
2 |
3 | Author: Nikos Mavrogiannopoulos
4 |
5 |
6 | ## Introduction
7 | One of the main features of the 0.10.x branch of OpenConnect VPN is the addition of
8 | MS-KKDCP support and GSSAPI authentication. Putting the acronyms aside that means
9 | that authentication with Kerberos, is greatly simplified for VPN users. A more
10 | elaborate introduction is available at [this blog post](https://securityblog.redhat.com/2015/06/17/single-sign-on-with-openconnect-vpn-server-over-freeipa/).
11 |
12 | ## Setting the server up
13 |
14 | It is required to instruct ocserv to allow GSSAPI for authentication. That can
15 | be done with the following two lines in ocserv.conf.
16 |
17 | ```
18 | auth = pam
19 | enable-auth = gssapi[keytab=/etc/ocserv/key.tab,tgt-freshness-time=360]
20 | ```
21 |
22 | That will allow authentication with Kerberos tickets, as well as with their password
23 | (e.g., for clients that cannot obtain a ticket – like clients in mobile phones).
24 | In addition the 'keytab' option sets the ocserv's shared key with KDC
25 | explicitly. The option ‘tgt-freshness-time’, when used, specifies the valid for VPN authentication
26 | lifetime, in seconds, of a Kerberos (TGT) ticket. A user will have to reauthenticate if this
27 | time is exceeded. In effect that prevents the usage of the VPN for the whole lifetime of
28 | a Kerberos ticket.
29 |
30 | The following line will enable the MS-KKDCP proxy on ocserv. You’ll need to replace
31 | the KERBEROS.REALM with your realm and the KDC IP address. That proxy will allow
32 | the client to obtain Kerberos tickets through ocserv. The latter is an optional step if
33 | your clients can obtain the tickets with other means.
34 |
35 | ```
36 | kkdcp = /KdcProxy KERBEROS.REALM tcp@KDC-IP-ADDRESS:88
37 | ```
38 |
39 | Note, that for PAM authentication to operate you will also need to set up a
40 | /etc/pam.d/ocserv. We recommend to use pam_krb5 or pam_sssd for that, although
41 | it can contain anything that best suits the local policy. An example for an SSSD
42 | PAM configuration is shown in the [Fedora Deployment guide](https://docs.fedoraproject.org/en-US/Fedora/15/html/Deployment_Guide/chap-SSSD_User_Guide-Setting_Up_SSSD.html).
43 |
44 |
45 | ## Setting the client up
46 |
47 | At the client side you must make sure you use openconnect 7.05 or later.
48 | In order to use the KKDCP proxy as setup above, you need to setup Kerberos to use
49 | ocserv as KDC. For that you’ll need to modify /etc/krb5.conf to contain the following:
50 |
51 | ```
52 | [realms]
53 | KERBEROS.REALM = {
54 | kdc = https://ocserv.example.com/KdcProxy
55 | http_anchors = FILE:/path-to-your/ca.pem
56 | admin_server = ocserv.example.com
57 | auto_to_local = DEFAULT
58 | }
59 |
60 | [domain_realm]
61 | .kerberos.test = KERBEROS.REALM
62 | kerberos.test = KERBEROS.REALM
63 | ```
64 |
65 | Note that, ocserv.example.com should be replaced with the DNS name of your server,
66 | and the /path-to-your/ca.pem should be replaced by the a PEM-formatted file which
67 | holds the server’s Certificate Authority. For the KDC option the server’s DNS name
68 | is preferred to an IP address to simplify server name verification for the Kerberos
69 | libraries. At this point you should be able to use kinit to authenticate and obtain
70 | a ticket from the Kerberos Authentication Server.
71 |
72 | Note however, that kinit is very brief on the printed errors and a server certificate
73 | verification error will not be easy to debug. Ensure that the http_anchors file is in
74 | PEM format, it contains the Certificate Authority that signed the server’s certificate,
75 | and that the server’s certificate DNS name matches the DNS name setup in the file.
76 |
77 | Then, at a terminal run:
78 |
79 | ```
80 | $ kinit
81 | ```
82 |
83 | If the command succeeds, the ticket is obtained, and at this point you will be able to
84 | setup openconnect from network manager GUI and connect to it using the Kerberos
85 | credentials. To setup a VPN via NetworkManager on the system menu, select VPN, Network
86 | Settings, and add a new Network of “CISCO AnyConnect Compatible VPN (openconnect)”. On
87 | the Gateway field, fill in the server’s DNS name, add the server’s CA certificate, and
88 | that’s all required.
89 |
90 | To use the command line client with Kerberos the following trick is recommended. That
91 | avoids using sudo with the client and runs the openconnect client as a normal user, after
92 | having created a tun device. The reason it avoids using the openconnect client with sudo,
93 | is that sudo will prevent access to the user’s Kerberos credentials.
94 |
95 | ```
96 | # sudo ip tuntap add vpn0 mode tun user my-user-name
97 | $ openconnect server.example.com -i vpn0
98 | ```
99 |
100 |
--------------------------------------------------------------------------------
/ocserv-multihost.md:
--------------------------------------------------------------------------------
1 | # How to share the same port for VPN and HTTP
2 |
3 | Author: Nikos Mavrogiannopoulos
4 |
5 | One of the advantages of ocserv is that is an HTTPS-based protocol
6 | and it is often used over 443 to allow bypassing certain firewalls.
7 | However the 443 TCP port is typically used by an HTTP server
8 | on a system. This section will describe two methods on how to collocate
9 | ocserv with a web server.
10 |
11 | We recommend the first method, as it has no inherent limitations, as
12 | opposed to the second which should be considered experimental only.
13 |
14 | ## Method 1: SSL termination on ocserv
15 | ### haproxy
16 |
17 | An method to collocate ocserv and an HTTPS server on port 443,
18 | is by using the server name indication (SNI) present on the first SSL/TLS
19 | ClientHello message, and forwarding traffic according to the name present.
20 |
21 | In the example below we assume that the web server and ocserv have to be setup
22 | to use an alternative port, e.g., ocserv uses 4443, and the web server uses
23 | 4444. We also assume that the web server responds to www.example.com, while
24 | the vpn server, to vpn.example.com. An example configuration of haproxy that
25 | will redirect the traffic to the appropriate server is shown below.
26 |
27 | ```
28 | frontend www-https
29 | bind 0.0.0.0:443
30 | mode tcp
31 | tcp-request inspect-delay 5s
32 | default_backend bk_ssl_default
33 |
34 | backend bk_ssl_default
35 | mode tcp
36 | acl vpn-app req_ssl_sni -i vpn.example.com
37 | acl web-app req_ssl_sni -i www.example.com
38 |
39 | use-server server-vpn if vpn-app
40 | use-server server-web if web-app
41 | use-server server-vpn if !vpn-app !web-app
42 |
43 | option ssl-hello-chk
44 | server server-vpn 127.0.0.1:4443 send-proxy-v2
45 | server server-web 127.0.0.1:4444 check
46 | ```
47 |
48 | In order for ocserv to obtain information on the incoming session,
49 | we have enabled the proxy protocol in haproxy's configuration (with
50 | the send-proxy-v2 option). That requires ocserv's configuration to contain
51 | the following:
52 |
53 | ```
54 | listen-proxy-proto = true
55 | ```
56 |
57 |
58 | ### sniproxy
59 |
60 | An alternative method to collocate ocserv and an HTTPS server on port 443,
61 | is by using SNI and forwarding traffic accordingly. This example is
62 | identical to the previous, but we use [sniproxy](https://github.com/dlundquist/sniproxy).
63 |
64 | Sniproxy allows sharing the HTTPS port as long as the clients advertise
65 | the host name they connect to using server name indication (SNI). This
66 | is true for the majority of web browsers today. For this to work the web
67 | server and ocserv have to be setup to use an alternative port, e.g.,
68 | ocserv uses 4443, and the web server uses 4444. A configuration of sniproxy
69 | that will redirect the traffic to the appropriate server is shown below.
70 |
71 | ```
72 | listener 0.0.0.0:443 {
73 | protocol tls
74 | table TableName
75 |
76 | #we set fallback to be ocserv as older versions of openconnect
77 | #don't advertise the hostname they connect to.
78 | fallback 127.0.0.1:4443
79 | }
80 |
81 | table TableName {
82 | # Match exact request hostnames
83 | vpn.example.com 127.0.0.1:4443
84 | www.example.com 127.0.0.1:4444
85 | .*\\.net 127.0.0.1:4444
86 | }
87 | ```
88 |
89 |
90 | ## Method 2: SSL termination on external program
91 |
92 | To collocate ocserv and an HTTPS server on port 443,
93 | [haproxy](http://www.haproxy.org/) (or similar proxy applications) could
94 | be used. haproxy allows forwarding the HTTPS port data to arbitrary servers,
95 | based on various criteria. This method, however, has few limitations based
96 | on the fact that ocserv does not "see" the SSL session.
97 | * It cannot enforce client certificate authentication.
98 | * It cannot derive any keys needed for the DTLS session.
99 | * It cannot enforce the framing of the SSL/TLS packets, and that
100 | breaks some assumptions of openconnect client.
101 |
102 | Nevertheless, it may be useful on certain scenarios.
103 |
104 | The configuration required for haproxy is something along the lines:
105 | ```
106 | frontend www-https
107 | bind 0.0.0.0:443 ssl crt /etc/ocserv/cert-key.pem
108 | default_backend ocserv-backend
109 |
110 | backend ocserv-backend
111 | server ocserv unix@/var/run/ocserv-conn.socket check
112 | ```
113 |
114 | and ocserv must be configured to accept cleartext connections on
115 | ocserv-conn.socket file. That can be achieved using the following
116 | configuration snippet.
117 |
118 | ```
119 | # Accept connections using a socket file. The connections are
120 | # forwarded without SSL/TLS.
121 | listen-clear-file = /var/run/ocserv-conn.socket
122 | ```
123 |
124 | Note that in that case ocserv will not have enough information
125 | for the client's IP address. That can be fixed by instructing
126 | haproxy to provide that information via the Proxy Protocol (supported
127 | by ocserv 0.10.7 and later). To enable that feature add to ocserv.conf
128 | the following.
129 |
130 | ```
131 | listen-proxy-proto = true
132 | ```
133 |
134 | In haproxy.conf you need to enable the following options.
135 | ```
136 | backend ocserv-backend
137 | server ocserv unix@/var/run/ocserv-conn.socket send-proxy-v2 check
138 | ```
139 |
140 | You could also enable the haproxy's "send-proxy-v2-ssl-cn" option, if
141 | you perform client certificate verification in haproxy and expect
142 | ocserv to trust the user name provided by it.
143 |
144 |
145 |
--------------------------------------------------------------------------------
/ocserv-pseudo-bridge.md:
--------------------------------------------------------------------------------
1 | # Pseudo-Bridge setup with Proxy ARP
2 |
3 | Author: Mauro Gaspari
4 |
5 | Proxy ARP allows to merge the openconnect VPN client network with
6 | an existing network on your firewall/router. This configuration has
7 | several advantage for both SOHO and enterprise environments.
8 |
9 | ## Advantages
10 | Simpler network configuration, less routing, firewall rules to apply
11 | and maintain. Easier to reach Multimedia Streaming software, such as Plex servers.
12 | Easier networking for gamers.
13 |
14 | In enterprise environments, there might be site-to-site IPSEC VPNs
15 | connecting several offices, some of which could be out of our control
16 | (another company handling far end of the tunnels). Since a remote VPN
17 | clients IP are in the same subnet as local LAN computers, there is no
18 | need to create special IPSEC Phase2s, Routing policies, Firewall
19 | rules.
20 |
21 | ## Prerequisites
22 | In order to take advantage of this setup, Proxy Arp must be enabled.
23 | This can be done either as a global setting for all interfaces, or on
24 | specific interfaces. The bare minimum is to enable it on the interface
25 | that has the local IP addresses to be shared with OpenConnect clients.
26 |
27 | To enable Proxy ARP on all interfaces, edit /etc/sysctl.conf with your
28 | preferred editor and add the following lines:
29 |
30 | ```
31 | # Enables Proxy ARP on all interfaces
32 | net.ipv4.conf.all.proxy_arp = 1
33 | ```
34 |
35 | Save the file and exit. items in sysctl.conf are applied on system
36 | boot. To apply this immediately, run the following command:
37 |
38 | ```
39 | # sysctl -p
40 | ```
41 |
42 | To enable Proxy ARP on a specific interface, edit /etc/sysctl.conf
43 | with your preferred editor and add the following lines:
44 |
45 | ```
46 | # Enables Proxy ARP on a specific interface (Replace "interfacename"
47 | # with your interface, eg.eth0, eth0.100, wlan0, etc.)
48 | net.ipv4.conf.interfacename.proxy_arp = 1
49 | ```
50 |
51 | Save the file and exit. items in sysctl.conf are applied on system
52 | boot. To apply this immediately, run the following command:
53 |
54 | ```
55 | # sysctl -p
56 | ```
57 |
58 | Once this is done, we can proceed with OpenConnect Server configuration.
59 | To avoid conflicts with IP addresses of the local network, and have a
60 | better control of the IP addresses OpenConnect server uses, it is
61 | advisable to use a subnet that is smaller than the main local subnet.
62 | On this matter, it is also worth of note to mention that ocserv
63 | virtual interface uses the first available address in assigned subnet.
64 | so if local lan has 192.168.0.0/24 and ocserv ips are configured with
65 | the same, 192.168.0.0/24, IP 192.168.0.1 will be used by ocserv
66 | virtual interface. As this IP is often used by routers or servers, it
67 | is likely to cause some problem of IP clashes.
68 |
69 | ## Example
70 | - Local LAN subnet 192.168.0.0/24 (256 hosts)
71 | - ocserv assigned subnet: 192.168.0.32/27 (32 hosts)
72 |
73 | With this setup, OpenConnect network is considered a segment of the
74 | Local LAN subnet. All routing, policies, nat, etc that apply to
75 | 192.168.0.0/24, also apply to ocserv assigned subnet 192.168.0.32/27.
76 | OpenConnect can assign 30 addresses to server's virtual interface and clients.
77 | OpenConnect server Virtual Interface IP will be 192.168.0.33
78 |
79 | To avoid conflicts, make sure local LAN does not have any IP assigned
80 | in this range: 192.168.0.32-63.
81 |
82 | Also remember to check that DHCP is not going to assign leases in this
83 | range: 192.168.0.32-63, or alternatively, that the ping-leases option to
84 | ocserv's configuration is set to true.
85 |
86 |
--------------------------------------------------------------------------------
/ocserv-radcli-installation.md:
--------------------------------------------------------------------------------
1 | # Radcli installation
2 |
3 | 1. Create a folder to contain downloaded software sources
4 |
5 | ```
6 | mkdir /usr/local/src/radcli
7 | ```
8 |
9 | 2. Move to radcli folder
10 |
11 | ```
12 | cd /usr/local/src/radcli/
13 | ```
14 |
15 | 3. Download radcli libraries
16 |
17 | ```
18 | wget https://github.com/radcli/radcli/releases/download/x.x.x/radcli-x.x.x.tar.gz
19 | ```
20 |
21 | 4. Decompress the archive
22 |
23 | ```
24 | tar zxvf radcli-x.x.x.tar.gz
25 | ```
26 |
27 | 5. Move to radcli-x.x.x folder
28 |
29 | ```
30 | cd radcli-x.x.x
31 | ```
32 |
33 | 6. Compile and install
34 |
35 | ```
36 | ./configure --sysconfdir=/etc/ && make && make install
37 | ```
38 |
39 | That's it. Radcli is now installed. remember to keep a copy of source package in
40 | your /usr/local/src/radcli/ folder, so that you can easily remove the software if needed.
41 | If you need to uninstall, you can do it with the following commands:
42 |
43 | ```
44 | cd /usr/local/src/radcli/radcli-x.x.x
45 | make uninstall
46 | ```
47 |
--------------------------------------------------------------------------------
/ocserv-site-to-site.md:
--------------------------------------------------------------------------------
1 | # Site to site links
2 |
3 | Author: Nikos Mavrogiannopoulos
4 |
5 | In this scenario we describe a VPN server which provides multiple subnets
6 | to connecting users, and some of these subnets are routed by some of
7 | the users themselves. That is, a simple to setup site to site link.
8 | For simplicity we examine an IPv4 setup like the following. Modification
9 | for other setups should be trivial.
10 |
11 | ```
12 |
13 | 10.10.1.0/24
14 | domain: .site1.com
15 | ------------
16 | | Site1 |
17 | ------------
18 | / \
19 | / \
20 | ------------ ------------
21 | | Site2 | | Client1 |
22 | ------------ ------------
23 | 10.100.2.0/24
24 | domain: .site2.com
25 |
26 | ```
27 |
28 | In that scenario Site1 advertises the 10.10.1.0/24, and we would like it
29 | to route 10.10.2.0/24 through 'Site2' when they are connected.
30 |
31 |
32 | ## Prerequisites
33 |
34 | The following instructions require ocserv 0.10.10.
35 |
36 | ## Configuration
37 |
38 | ### Site1
39 |
40 | In order to enable this setup the server must have preconfigured the
41 | routes that each client will serve. This can be done with the following
42 | configuration settings in ocserv.conf of Site1.
43 |
44 | ```
45 | split-dns = site1.com
46 | split-dns = site2.com
47 | ipv4-network = 192.168.1.0/24
48 |
49 | route = 10.10.1.0/24
50 |
51 | config-per-user = /etc/ocserv/config-per-user/
52 |
53 | expose-iroutes = true
54 | ```
55 |
56 | The 'ipv4-network' entry contains the addresses that the VPN clients will
57 | be assigned to. The 'route' entry adds the routes that are directly routed by
58 | the VPN server. The 'config-per-user' option instructs ocserv to read for
59 | each user connecting the additional configuration file placed in
60 | ```/etc/ocserv/config-per-user/``` which has the name of the user. If the
61 | user is named 'Site2' ocserv will open ```/etc/ocserv/config-per-user/Site2```.
62 |
63 | The 'expose-iroutes' option instructs ocserv to expose/advertise any 'iroute'
64 | options found in the per-user configuration files to all connecting clients
65 | (except the one serving it).
66 |
67 | Hence, in our scenario the Site2 file will contain the following.
68 | ```
69 | iroute = 10.100.2.0/24
70 | ```
71 |
72 | This will instruct ocserv to setup route 10.100.2.0/24 via Site2 once it connects.
73 |
74 | We skipped intentionally the 'split-dns' options in the config file above. For
75 | the connecting VPN clients to be able to resolve both .site1.com and .site2.com sites
76 | the Site1 DNS server must be instructed to contact the Site2 DNS server for
77 | the '.site2.com' addresses. That configuration is DNS-server specific. In
78 | dnsmasq, for example, that can be achieved by adding a configuration line such as
79 | "server=/site2.com/10.10.2.1" in its config file.
80 |
81 | ### Site2
82 |
83 | Site2 will be a typical openconnect client. It will only need to allow
84 | forwarding to and from the routes of Site1 (i.e., 10.10.1.0/24) and to
85 | and from VPN client addresses (i.e., 192.168.1.0/24).
86 |
87 | ### Client1
88 |
89 | No special configuration is needed for any of the openconnect clients.
90 |
--------------------------------------------------------------------------------