cubixle/packages
1
0
Fork 0
mirror of https://github.com/novatiq/packages.git synced 2026-04-30 07:28:39 +01:00
Code Issues Packages Projects Releases Wiki Activity

ocserv: allow enabling proxy ARP

Browse Source 
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
This commit is contained in:
Nikos Mavrogiannopoulos
2015-11-01 10:38:43 +01:00
parent 25eeddbb21
commit 637bc76c06
4 changed files with 148 additions and 19 deletions
Download Patch File Download Diff File Expand all files Collapse all files
net/ocserv/README
+104 -15
View File
@@ -1,17 +1,86 @@
Setting up OpenConnect VPN server
=================================
The openconnect server expects to be configured using the uci interface.
It is recommended to setup a dynamic DNS address with openwrt prior
to starting the server. That is because during the first startup
a certificate file which contain the setup dynamic DNS name will be
created.
created. You can always regenerate the certificate by deleting
/etc/ocserv/server-key.pem.
There are two approaches to setup the VPN. The proxy-arp approach (1)
which provides clients with addresses of the LAN, and the "forwarding"
approach (2) which provides clients with addresses of a separate private
network. The former is suitable when you have "roadwarrior" type of clients
connecting to the LAN, and the latter when you may need to connect
multiple networks with the LAN.
1. Proxy-ARP Approach
=====================
[This option is available since ocserv-0.10.9-2 package]
To setup a server the provides access to LAN with network address
10.100.2.0/255.255.255.0 add the following to /etc/config/ocserv.
The following setup will assign the upper 62 addresses for VPN use.
```
----/etc/config/ocserv-------------------------------------------
config ocserv 'config'
option port '443'
option dpd '120'
option max_clients '8'
option max_same '2'
option netmask '255.255.255.192'
option ipaddr '10.100.2.192'
option auth 'plain'
option default_domain 'lan'
option compression '1'
option proxy_arp '1'
option ping_leases '1'
option enable '1'
config dns
option ip '10.100.2.1'
config routes
option ip '10.100.2.0'
option netmask '255.255.255.0'
config ocservusers
option name 'test'
option password '$5$unl8uKAGNsdTh9zm$PnUHEGhDc5VHbFE2EfWwW38Bub6Y6EZ5hrFwZE1r2F1'
-----------------------------------------------------------------
```
This setup re-utilizes the addresses assigned to LAN for the VPN clients.
To ensure that there are no conflicts with the DHCP server use the following
commands. These will set the maximum address assigned by DHCP to be 10.100.2.191
which is below the first VPN assigned address (10.100.2.192).
```
# uci set dhcp.lan.start=100
# uci set dhcp.lan.limit=91
```
For simple networks like that you may also leave the 'netmask' and 'ipaddr'
fields empty and ocserv on startup will set the necessary values.
2. Forwarding Approach
======================
To setup a server the provides access to LAN with network address
10.100.2.0/255.255.255.0 using the VPN address range
10.100.3.0/255.255.255.0 add the following to /etc/config/ocserv:
```
----/etc/config/ocserv-------------------------------------------
config ocserv 'config'
option port '4443'
option port '443'
option dpd '120'
option max_clients '8'
option max_same '2'
@@ -34,19 +103,21 @@ config ocservusers
option password '$5$unl8uKAGNsdTh9zm$PnUHEGhDc5VHbFE2EfWwW38Bub6Y6EZ5hrFwZE1r2F1'
-----------------------------------------------------------------
This configuration also adds the user "test" with password "test". The
password is specified in the crypt(3) format.
The server can be enabled and started using:
# /etc/init.d/ocserv enable
# /etc/init.d/ocserv start
```
To simplify firewall configuration, you should setup an unmanaged interface
(e.g., called vpn), and will have assigned the 'vpns+' interfaces. Then a zone
called vpn should be setup to handle interactions with lan. An example
follows:
Setting up the firewall
=======================
Since the connected users will be assigned to other interfaces than the LAN
one, it is required to assign the VPN clients to an interface, and enable
forwarding for them. That is, you should setup an unmanaged interface (e.g.,
called vpn), which will have assigned the 'vpns+' interfaces (i.e., all vpns
interfaces). Then a zone called vpn should be setup to handle interactions
with lan. An example, which alls all forwarding between LAN and VPN clients,
follows.
```
----/etc/config/network------------------------------------------
config interface 'vpn'
option proto 'none'
@@ -74,17 +145,35 @@ config rule
option target 'ACCEPT'
option src 'wan'
option proto 'tcp'
option dest_port '4443'
option dest_port '443'
option name 'vpn'
config rule
option target 'ACCEPT'
option src 'wan'
option proto 'udp'
option dest_port '4443'
option dest_port '443'
option name 'vpn'
-----------------------------------------------------------------
```
Note, that the last two rules, enable connections to port 443 from the
Internet. That is the port used by OpenConnect VPN.
Starting the server
===================
Note that both configurations above add the user "test" with password "test". The
password is specified in the crypt(3) format.
The server can be enabled and started using:
# /etc/init.d/ocserv enable
# /etc/init.d/ocserv start
For any custom configuration options of ocserv you may add values in
/etc/ocserv/ocserv.conf.local.
There is a luci plugin to allow configuring the server from
the web environment; see the package luci-app-ocserv.