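├── cert.sh
├── README.md
├── entrypoint.sh
└── Dockerfile

/cert.sh:
--------------------------------------------------------------------------------
#!/bin/sh
#
# cert.sh - issue a client certificate for one VPN user and bundle it as PKCS#12.
#
# Usage:   /cert.sh <username>
# Reads:   /etc/ocserv/certs/ca-cert.pem, /etc/ocserv/certs/ca-key.pem
#          (both are created by entrypoint.sh on first container start)
# Writes:  /etc/ocserv/certs/<username>.tmpl, <username>-key.pem,
#          <username>-cert.pem and <username>.p12 (DER-encoded PKCS#12)
# The PKCS#12 key name and password are asked for interactively by certtool.
#
# The certificate's cn is what ocserv uses as the login name: the Dockerfile
# sets cert-user-oid = 2.5.4.3 (commonName) in ocserv.conf.

set -eu
# Private keys and the .p12 bundle must not be group/world readable.
umask 077

CERT_DIR="/etc/ocserv/certs"
CA_CERT="$CERT_DIR/ca-cert.pem"
CA_KEY="$CERT_DIR/ca-key.pem"

USER="${1:-}"
# The name is spliced into file paths and into a double-quoted template
# value, so it is restricted to a conservative character set: non-empty,
# not starting with '-' (would look like an option to certtool), and only
# letters, digits and . _ @ -.  Anything else could break out of the
# template quotes or write outside CERT_DIR.
case "$USER" in
  '' | -* | *[!A-Za-z0-9._@-]*)
    printf 'usage: %s <username>   (letters, digits, . _ @ - only)\n' "$0" >&2
    exit 2
    ;;
esac

USER_TMPL="$CERT_DIR/$USER.tmpl"
USER_KEY="$CERT_DIR/$USER-key.pem"
USER_CERT="$CERT_DIR/$USER-cert.pem"
USER_P12="$CERT_DIR/$USER.p12"

# Without the CA there is nothing to sign with; fail early with a clear message
# instead of letting certtool produce a partial set of files.
for f in "$CA_CERT" "$CA_KEY"; do
  if [ ! -r "$f" ]; then
    printf 'cert.sh: CA file missing or unreadable: %s\n' "$f" >&2
    exit 1
  fi
done

# User template
cat << _EOF_ > "$USER_TMPL"
cn = "$USER"
expiration_days = 3650
signing_key
tls_www_client
_EOF_

# User private key
certtool --generate-privkey --outfile "$USER_KEY"

# User certificate, signed by the container CA
certtool --generate-certificate \
  --load-privkey "$USER_KEY" \
  --load-ca-certificate "$CA_CERT" \
  --load-ca-privkey "$CA_KEY" \
  --template "$USER_TMPL" \
  --outfile "$USER_CERT"

# Export key + certificate as PKCS#12 for the client device.
# 3des-pkcs12 is kept for compatibility with older importers; certtool also
# accepts --pkcs-cipher aes-256 if every client in use supports it — TODO confirm.
printf '%s\n' "==> Please enter key name and password manually."
certtool --to-p12 --pkcs-cipher 3des-pkcs12 \
  --load-privkey "$USER_KEY" \
  --load-certificate "$USER_CERT" \
  --outfile "$USER_P12" \
  --outder
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# DOCKER-OCSERV

`docker-ocserv` 是基于 `debian:jessie` 构建的 Docker 镜像,镜像默认安装配置了 `OpenConnect` 服务端,支持证书和密码认证登录。

# 一般使用

```
docker run --name ocserv \
    --privileged \
    -p 443:443 -p 443:443/udp \
    -v /var/docker/ocserv:/var/docker/ocserv \
    -d myidwy/ocserv
```

# 配置文件

- 主配置文件:`/etc/ocserv/ocserv.conf`
- 用户账号密码:`/etc/ocserv/ocpasswd`
- 证书目录:`/etc/ocserv/certs`

# 常用命令

查看日志

```
docker logs ocserv
```

进入容器:

```
docker exec -it ocserv bash
```

创建用户

```
docker exec -it ocserv ocpasswd -c /etc/ocserv/ocpasswd 用户名
```

删除用户

```
docker exec -it ocserv ocpasswd -c /etc/ocserv/ocpasswd -d 用户名
```

创建用户 p12 证书(证书的 cn 即为登录用户名,生成的文件为 `/etc/ocserv/certs/用户名.p12`)

注:创建证书时需要手动输入一个 key 名称和证书密码

```
docker exec -it ocserv /cert.sh 用户名
```

重启服务

```
supervisorctl restart ocserv
```

# 环境变量

用于自定义证书,一般不用理会。这些变量只在对应的证书文件尚不存在时(即首次启动)生效;已存在的文件不会被覆盖。

| 变量名 | 默认值 |
| ------------ | --------------- |
| **CA_CN** | VPN CA |
| **CA_ORG** | Big Corp |
| **CA_DAYS** | -1 |
| **SRV_CN** | VPN server |
| **SRV_DNS** | www.example.com |
| **SRV_ORG** | MyCompany |
| **SRV_DAYS** | -1 |
| **NO_TEST_USER** | (未设置) |

注意:首次启动且 `/etc/ocserv/ocpasswd` 不存在时,容器会自动创建默认账号 `test`(密码 `test`)。在生产环境请设置 `NO_TEST_USER=1`,或启动后执行 `ocpasswd -c /etc/ocserv/ocpasswd -d test` 删除该账号。
--------------------------------------------------------------------------------
/entrypoint.sh:
--------------------------------------------------------------------------------
#!/bin/sh
#
# entrypoint.sh - one-time bootstrap of the container, then exec the command.
#
# Steps: CA key/cert -> server key/cert -> default test user ->
#        IP forwarding, NAT and /dev/net/tun -> supervisor program config ->
#        exec "$@" (the image CMD runs supervisord).
#
# Env (consulted only while the corresponding file does not exist yet; files
# already present under /etc/ocserv are never overwritten):
#   CA_CN, CA_ORG, CA_DAYS, SRV_CN, SRV_DNS, SRV_ORG, SRV_DAYS
#   NO_TEST_USER - set non-empty to skip creating the 'test'/'test' account
#
# 'set -e' is deliberately not used: a failing sysctl/iptables did not abort
# startup before either, and changing that would break existing deployments.

CERT_DIR="/etc/ocserv/certs"

# ---- CA --------------------------------------------------------------------
CA_TMPL="$CERT_DIR/ca.tmpl"
CA_KEY="$CERT_DIR/ca-key.pem"
CA_CERT="$CERT_DIR/ca-cert.pem"

CA_CN="${CA_CN:-VPN CA}"
CA_ORG="${CA_ORG:-Big Corp}"
CA_DAYS="${CA_DAYS:--1}"   # -1 = certtool "never expires"

[ -f "$CA_TMPL" ] || cat << _EOF_ > "$CA_TMPL"
cn = "$CA_CN"
organization = "$CA_ORG"
serial = 1
expiration_days = "$CA_DAYS"
ca
signing_key
cert_signing_key
crl_signing_key
_EOF_

[ -f "$CA_KEY" ] || certtool --generate-privkey --outfile "$CA_KEY"
[ -f "$CA_CERT" ] || certtool --generate-self-signed \
  --load-privkey "$CA_KEY" --template "$CA_TMPL" --outfile "$CA_CERT"

# ---- server certificate ----------------------------------------------------
SRV_TMPL="$CERT_DIR/server.tmpl"
SRV_KEY="$CERT_DIR/server-key.pem"
SRV_CERT="$CERT_DIR/server-cert.pem"

SRV_CN="${SRV_CN:-VPN server}"
SRV_DNS="${SRV_DNS:-www.example.com}"
SRV_ORG="${SRV_ORG:-MyCompany}"
SRV_DAYS="${SRV_DAYS:--1}"

[ -f "$SRV_TMPL" ] || cat << _EOF_ > "$SRV_TMPL"
cn = "$SRV_CN"
dns_name = "$SRV_DNS"
organization = "$SRV_ORG"
expiration_days = "$SRV_DAYS"
signing_key
encryption_key
tls_www_server
_EOF_

[ -f "$SRV_KEY" ] || certtool --generate-privkey --outfile "$SRV_KEY"
[ -f "$SRV_CERT" ] || certtool --generate-certificate \
  --load-privkey "$SRV_KEY" \
  --load-ca-certificate "$CA_CERT" \
  --load-ca-privkey "$CA_KEY" \
  --template "$SRV_TMPL" \
  --outfile "$SRV_CERT"

# ---- default test user -----------------------------------------------------
# Only when no password file exists yet. The account is test/test (the line
# below is a sha256-crypt hash of 'test'). Set NO_TEST_USER=1 for anything
# reachable from untrusted networks, or remove the account afterwards with
#   ocpasswd -c /etc/ocserv/ocpasswd -d test
if [ -z "${NO_TEST_USER:-}" ] && [ ! -f /etc/ocserv/ocpasswd ]; then
  echo "Create test user 'test' with password 'test'"
  echo 'test:*:$5$DktJBFKobxCFd7wN$sn.bVw8ytyAaNamO.CvgBvkzDiFR6DaHdUzcif52KK7' > /etc/ocserv/ocpasswd
fi

# ---- networking ------------------------------------------------------------
# Open ipv4 ip forward
sysctl -w net.ipv4.ip_forward=1

# Enable NAT forwarding.
# NOTE(review): MASQUERADE matches every forwarded packet, not only the VPN
# pool (192.168.99.0/24 per the ocserv.conf edits in the Dockerfile); a
# '-s <pool>' match would narrow it — confirm against the intended topology.
iptables -t nat -A POSTROUTING -j MASQUERADE
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

# Enable TUN device (owner-only permissions; ocserv runs as root here).
if [ ! -e /dev/net/tun ]; then
  mkdir -p /dev/net
  mknod /dev/net/tun c 10 200
  chmod 600 /dev/net/tun
fi

# ---- supervisor program definition -----------------------------------------
OCSERV_CONF="/etc/supervisor/conf.d/ocserv.conf"

[ -f "$OCSERV_CONF" ] || cat << _EOF_ > "$OCSERV_CONF"
[program:ocserv]
command=ocserv -c /etc/ocserv/ocserv.conf -f -d 1
autostart=true
autorestart=true
stderr_logfile=/var/log/ocserv_error.log
stdout_logfile=/var/log/ocserv.log
priority=5
_EOF_

exec "$@"
--------------------------------------------------------------------------------
/Dockerfile:
--------------------------------------------------------------------------------
FROM debian:jessie
LABEL maintainer="WangYan"

# Build dependencies
RUN apt-get update && \
    apt-get install -y make gcc curl xz-utils net-tools supervisor iptables gnutls-bin libgnutls28-dev libev-dev \
        libwrap0-dev libpam0g-dev liblz4-dev libseccomp-dev libreadline-dev libnl-route-3-dev libkrb5-dev liboath-dev \
        libprotobuf-c0-dev libtalloc-dev libhttp-parser-dev libpcl1-dev libopts25-dev autogen protobuf-c-compiler gperf liblockfile-bin nuttcp && \
    apt-get autoremove -y && \
    apt-get clean && \
    rm -rf /var/lib/apt/lists/*

# NOTE(review): the two source builds below fetch whatever is "latest" at
# build time (lz4 over https, ocserv over plain http/ftp) with no version pin
# and no checksum or signature check, so the image is not reproducible and the
# downloaded archives are trusted as-is. Pinning a version and verifying a
# known digest would close that gap.
RUN export LZ4_VERSION=$(curl https://github.com/Cyan4973/lz4/releases/latest | sed -n 's/^.*tag\/\(.*\)".*/\1/p') && \
    curl -SL "https://github.com/Cyan4973/lz4/archive/$LZ4_VERSION.tar.gz" -o lz4.tar.gz && \
    tar -xf lz4.tar.gz && cd ./lz4-* && \
    make -j"$(nproc)" && make install && \
    cd ../ && rm -rf ./lz4*

RUN export ocserv_version=$(curl -s http://www.infradead.org/ocserv/download.html | grep -o '[0-9]*\.[0-9]*\.[0-9]*') && \
    curl -O "ftp://ftp.infradead.org/pub/ocserv/ocserv-$ocserv_version.tar.xz" && \
    tar xvf "ocserv-$ocserv_version.tar.xz" && \
    cd "ocserv-$ocserv_version" && \
    ./configure && make -j"$(nproc)" && make install && \
    mkdir -p /etc/ocserv/certs && \
    cp doc/sample.config /etc/ocserv/ocserv.conf && \
    cd ../ && rm -rf ocserv*

# Ocserv config: adapt the shipped sample.config to this image's paths,
# enable certificate auth (login name = certificate CN, oid 2.5.4.3),
# move the client pool to 192.168.99.0/24 and hand out 8.8.8.8 as DNS.
RUN set -x \
    && sed -i 's/\.\/sample\.passwd/\/etc\/ocserv\/ocpasswd/' /etc/ocserv/ocserv.conf \
    && sed -i 's/\.\.\/tests/\/etc\/ocserv\/certs/' /etc/ocserv/ocserv.conf \
    && sed -i 's/max-clients = 16/max-clients = 32/' /etc/ocserv/ocserv.conf \
    && sed -i 's/ca\.pem/ca-cert\.pem/' /etc/ocserv/ocserv.conf \
    && sed -i 's/max-same-clients = 2/max-same-clients = 4/' /etc/ocserv/ocserv.conf \
    && sed -i 's/#enable-auth = \"certificate\"/enable-auth = \"certificate\"/' /etc/ocserv/ocserv.conf \
    && sed -i 's/#compression/compression/' /etc/ocserv/ocserv.conf \
    && sed -i 's/#no-compress-limit/no-compress-limit/' /etc/ocserv/ocserv.conf \
    && sed -i '/^ipv4-network = /{s/192.168.1.0/192.168.99.0/}' /etc/ocserv/ocserv.conf \
    && sed -i '/cert-user-oid = /{s/0.9.2342.19200300.100.1.1/2.5.4.3/}' /etc/ocserv/ocserv.conf \
    && sed -i 's/192.168.1.2/8.8.8.8/' /etc/ocserv/ocserv.conf \
    && sed -i 's/^route/#route/' /etc/ocserv/ocserv.conf \
    && sed -i 's/^no-route/#no-route/' /etc/ocserv/ocserv.conf

EXPOSE 443
VOLUME /etc/ocserv/

COPY cert.sh /cert.sh
COPY entrypoint.sh /entrypoint.sh
RUN chmod +x /cert.sh /entrypoint.sh
ENTRYPOINT ["/entrypoint.sh"]

CMD ["/usr/bin/supervisord", "-n"]
--------------------------------------------------------------------------------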