mirror of
https://gitlab.com/openconnect/ocserv.git
synced 2026-02-10 16:57:00 +08:00
95 lines
2.8 KiB
Plaintext
95 lines
2.8 KiB
Plaintext
|
|
=== About ===
|
|
|
|
This program is openconnect VPN server (ocserv), a server compatible with the
|
|
openconnect VPN client [0]. It is believed to be compatible with the protocol
|
|
used by CISCO's AnyConnect SSL VPN.
|
|
|
|
[0]. http://www.infradead.org/openconnect/
|
|
|
|
|
|
=== Build dependencies ===
|
|
|
|
Required dependencies:
|
|
libgnutls-dev / gnutls-devel
|
|
|
|
Optional dependencies that enable specific functionality:
|
|
* TCP wrappers: libwrap0-dev / tcp_wrappers-devel
|
|
* PAM: libpam0g-dev / pam-devel
|
|
* seccomp: libseccomp-dev / libseccomp-devel
|
|
* occtl: libreadline-dev / readline-devel
|
|
libnl-route-3-dev / libnl3-devel
|
|
|
|
Dependencies that can be skipped in an embedded system:
|
|
(a replacement library is included)
|
|
|
|
libprotobuf-c0-dev / protobuf-c-devel
|
|
libhttp-parser-dev / http-parser-devel
|
|
libpcl1-dev / pcllib-devel
|
|
libopts25-dev / autogen-libopts-devel
|
|
autogen / autogen
|
|
|
|
|
|
|
|
=== Build instructions ===
|
|
|
|
To build from a distributed release use:
|
|
|
|
$ ./configure && make
|
|
|
|
When cross compiling it may be useful to add the --enable-local-libopts
|
|
option to configure.
|
|
|
|
To prevent ocserv's worker process from executing non authorized system
|
|
calls you may compile ocserv with the --enable-seccomp option. That is
|
|
currently experimental and not enabled by default.
|
|
|
|
|
|
To build from the git repository use:
|
|
|
|
$ autoreconf -fvi
|
|
$ ./configure && make
|
|
|
|
In addition to the prerequisites listed above, building from git requires
|
|
the following packages: autoconf, automake, autogen, git2cl, and xz.
|
|
|
|
Note that the system's autogen version must match the included libopts
|
|
version on the development system, if the included libopts library is to
|
|
be used.
|
|
|
|
|
|
=== Installation instructions ===
|
|
|
|
Now you need to generate a certificate. E.g.
|
|
$ certtool --generate-privkey > ./test-key.pem
|
|
$ certtool --generate-self-signed --load-privkey test-key.pem --outfile test-cert.pem
|
|
(make sure you enable encryption or signing)
|
|
|
|
To run the server on the foreground edit the doc/sample.config and then run:
|
|
# src/ocserv -f -c src/sample.config
|
|
|
|
|
|
=== Profiling ===
|
|
|
|
If you use ocserv on a server with significant load and you'd like to help
|
|
improve it, you may help by sending profiling information. That includes
|
|
the bottlenecks in software, so future optimizations could be spent on the
|
|
real needs.
|
|
|
|
In a Linux system you can profile ocserv using the following command.
|
|
# perf record -g ocserv
|
|
|
|
After the server is terminated, the output is placed in perf.data. It does
|
|
not contain any sensitive information. If you run a server for long time,
|
|
and under usage (i.e., clients connecting and transferring data), please
|
|
send that information to nmav@gnutls.org.
|
|
|
|
You may examine the output using:
|
|
# perf report
|
|
|
|
|
|
=== How the VPN works ===
|
|
|
|
Please see:
|
|
http://www.infradead.org/ocserv/technical.html
|