2026-02-10 08:46:58 +08:00 · 2013-02-12 18:50:16 +01:00
parent 718d07208c
commit 8da6d44d8f
5 changed files with 102 additions and 111 deletions
							
							
							
						
@@ -1,7 +1,7 @@
AM_CPPFLAGS = -I$(srcdir)/../gl/ -I$(builddir)/../gl/ \
	-I$(srcdir)/ -I$(builddir)/../ -I$(srcdir)/../libopts
EXTRA_DIST = ocserv.1 sample.config ccan/licenses/BSD-MIT \
EXTRA_DIST = ccan/licenses/BSD-MIT \
	ccan/licenses/CC0 ccan/licenses/LGPL-2.1
							
								
							
							
								
							
							
						
@@ -30,7 +30,3 @@ ocserv_LDADD += $(LIBGNUTLS_LIBS) $(GDBM_LIBS) $(PAM_LIBS) $(LIBUTIL) \
ocserv-args.c ocserv-args.h: $(srcdir)/ocserv-args.def
	-autogen ocserv-args.def
ocserv.1: ocserv-args.def
	-sed 's/@subheading \(.*\)/@*\n@var{\1}\n@*/' $< > "$<".tmp && \
	autogen -DMAN_SECTION=1 -Tagman-cmd.tpl "$<".tmp && \
	rm -f "$<".tmp
							
							
							
						
 
							
							
								
							
							
						
@@ -2,7 +2,7 @@
 *  
 *  DO NOT EDIT THIS FILE   (ocserv-args.c)
 *  
 *  It has been AutoGen-ed  February  9, 2013 at 08:11:58 PM by AutoGen 5.16
 *  It has been AutoGen-ed  February 12, 2013 at 01:34:57 PM by AutoGen 5.16
 *  From the definitions    ocserv-args.def
 *  and the template file   options
 *
							
								
							
							
								
							
							
						
@@ -65,7 +65,7 @@ extern FILE * option_usage_fp;
/*
 *  ocserv option static const strings
 */
static char const ocserv_opt_strs[1340] =
static char const ocserv_opt_strs[1505] =
/*     0 */ "ocserv\n"
            "Copyright (C) 2013 Nikos Mavrogiannopoulos, all rights reserved.\n"
            "This is free software. It is licensed for use, modification and\n"
							
								
							
							
								
							
							
						
@@ -102,8 +102,10 @@ static char const ocserv_opt_strs[1340] =
/*  1220 */ "nmav@gnutls.org\0"
/*  1236 */ "\n\n\0"
/*  1239 */ "\n"
            "OpenConnect VPN server.\n\0"
/*  1265 */ "Usage: ocserv [options] -c [config]\n"
            "This program is openconnect VPN server (ocserv), a server compatible with\n"
            "the openconnect VPN client.  It is believed to be compatible with the\n"
            "protocol used by CISCO's AnyConnect SSL VPN.\n\0"
/*  1430 */ "Usage: ocserv [options] -c [config]\n"
            "ocserv --help for usage instructions.\n";
/*
							
								
							
							
								
							
							
						
@@ -270,7 +272,7 @@ static tOptDesc optDesc[OPTION_CT] = {
#define ocserv_full_usage (NULL)
#define ocserv_short_usage (ocserv_opt_strs+1265)
#define ocserv_short_usage (ocserv_opt_strs+1430)
#endif /* not defined __doxygen__ */
							
								
							
							
							
						
 
							
							
								
							
							
						
@@ -10,7 +10,12 @@ long-opts;
no-misuse-usage;
short-usage   = "Usage: ocserv [options] -c [config]\nocserv --help for usage instructions.\n";
explain       = "";
detail        = "OpenConnect VPN server.";
detail        = "This program is openconnect VPN server (ocserv), a server compatible with the
openconnect VPN client. It is believed to be compatible with the protocol
used by CISCO's AnyConnect SSL VPN.
";
copyright = {
    date  = "2013";
							
								
							
							
								
							
							
						
@@ -51,6 +56,22 @@ flag = {
help-value    = h;
doc-section = {
  ds-type = 'FEATURES';
  ds-format = 'texi';
  ds-text   = <<-_EOT_
@subheading Features of the server
@itemize
@item Supports both TCP and UDP VPN tunnels using TLS and DTLS.
@item Authentication using PAM (username-password) or certificates
@item Privilege separation between the main process which performs TUN allocation and authentication, with the worker processes which handles messages from the client.
@item Registers VPN leases to UTMP and WTMP files.
@item Persistent storage of cookies, to allow a seamless server restart.
@end itemize
_EOT_;
};
doc-section = {
  ds-type = 'FILES';
  ds-format = 'texi';
							
								
							
							
								
							
							
						
@@ -170,3 +191,74 @@ route = 192.168.5.0/255.255.255.0
_EOT_;
};
doc-section = {
  ds-type = 'AUTHENTICATION';
  ds-format = 'texi';
  ds-text   = <<-_EOT_
@subheading Password authentication
If your system supports Pluggable Authentication Modules (PAM), then
ocserv will take advantage of it to password authenticate its users.
It can be used in conjunction with certificate authentication.
@subheading Certificate authentication
In order to support certificate authentication you will need in addition to 
the server certificate and key for TLS, a certificate authority (CA) to sign
certificates for the clients. That authority should also provide a CRL to
allow the server to reject the revoked clients (see @var{ca-cert, crl}).
Each client will then hold a key and certificate that identifies him.
The user ID of the client must be embedded in the certificate's Distinguished
Name (DN), e.g. in the Common Name, or UID fields. For the server to
read the name, the @var{cert-user-oid} configuration option must be set.
The following examples demonstrate how to use certtool from GnuTLS to
generate such CA.
@subheading Generating the CA
@example
$ certtool --generate-privkey --outfile ca-key.pem
$ cat << _EOF_ >ca.tmpl
cn = "VPN CA"
organization = "Big Corp"
serial = 1
expiration_days = 9999
ca
signing_key
cert_signing_key
crl_signing_key
_EOF_
$ certtool --generate-self-signed --load-privkey ca-key.pem \
	--template ca.tmpl --outfile ca-cert.pem
@end example
@subheading Generating the client certificates
@example
$ certtool --generate-privkey --outfile user-key.pem
$ cat << _EOF_ >user.tmpl
cn = "user"
serial = 1824
email = "user@example.com"
expiration_days = 9999
signing_key
tls_www_client
_EOF_
$ certtool --generate-certificate --load-privkey user-key.pem \
	--load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem \
	--template user.tmpl --outfile user-cert.pem
@end example
@subheading Revoking a client certificate
To revoke the previous client certificate use:
@example
$ cat user-cert.pem >>revoked.pem
$ certtool --generate-crl --load-ca-privkey ca-key.pem \
	--load-ca-certificate ca.pem --load-certificate revoked.pem \
	--outfile crl.pem
@end example
After that you may want to notify ocserv of the new CRL by using
the HUP signal.
_EOT_;
};
							
							
							
						
 
							
							
								
							
							
						
@@ -2,7 +2,7 @@
 *  
 *  DO NOT EDIT THIS FILE   (ocserv-args.h)
 *  
 *  It has been AutoGen-ed  February  9, 2013 at 08:11:58 PM by AutoGen 5.16
 *  It has been AutoGen-ed  February 12, 2013 at 01:34:57 PM by AutoGen 5.16
 *  From the definitions    ocserv-args.def
 *  and the template file   options
 *
							
								
							
							
							
						
 
							
							
							
						
@@ -1,99 +0,0 @@
# User authentication method. Could be set multiple times and in that case
# all should succeed.
# Options: certificate, pam. 
#auth = certificate
auth = "pam"
# UTMP
use-utmp = true
# PID file
pid-file = /var/run/ocserv.pid
# Limit the number of clients. Set to zero for unlimited.
# max-clients = 1024
max-clients = 4
# Limit the number of identical clients (i.e., users connecting multiple times)
# Unset or set to zero for unlimited.
max-same-clients = 1
# Use listen-host to limit to specific IPs or to the IPs of a provided hostname.
# listen-host = [IP|HOSTNAME]
# The time (in seconds) that a client is allowed to stay connected prior
# to authentication
auth-timeout = 40
# TCP and UDP port number
tcp-port = 3333
udp-port = 3333
# Keepalive in seconds
keepalive = 60
# Dead peer detection in seconds
dpd = 30
# The key and the certificates of the server
# The key may be a file, or any URL supported by GnuTLS (i.e., tpmkey or pkcs11)
server-cert = ./test-cert.pem
server-key = ./test-key.pem
# The Certificate Authority that will be used
# to verify clients if certificate authentication
# is set.
#ca-cert = /path/to/ca.pem
# The object identifier that will be used to read the user ID in the client certificate.
# The object identifier should be part of the certificate's DN
#cert-user-oid = 0.9.2342.19200300.100.1.1
# A revocation list of ca-cert is set
#crl = /path/to/crl.pem
# GnuTLS priority string
tls-priorities = "PERFORMANCE:%SERVER_PRECEDENCE:%COMPAT"
# The default server directory
#chroot-dir = /root
# Cookie validity time (in seconds)
# Once a client is authenticated he's provided a cookie with
# which he can reconnect. This option sets the maximum lifetime
# of that cookie.
cookie-validity = 14400
#cookie-db = /var/tmp/vpn-cookies.db
run-as-user = nobody
run-as-group = nogroup
# Network settings
device = vpns
# Script to call when a client connects and obtains an IP
# Parameters: username hostname device IP-REAL IP-LOCAL IP-REMOTE
# hostname is the hostname selected by the client
# IP-REAL is the remote IP of the client,
# IP-LOCAL is the local IP in the P-t-P connection and IP-REMOTE
# is the VPN client IP.
#connect-script = /bin/echo
#disconnect-script = /bin/echo
# The pool from which the VPN user IPs will be drawn from.
ipv4-network = 192.168.1.0
ipv4-netmask = 255.255.255.0
# Use the keywork local to advertize the local P-t-P address as DNS server
# ipv4-dns = 192.168.2.1
ipv4-dns = local
#ipv6-address = 
#ipv6-mask = 
#ipv6-dns = 
# Leave empty to assign the default MTU of the device
# mtu = 
route = 192.168.1.0/255.255.255.0
#route = 192.168.5.0/255.255.255.0