Hacks and Radiations of a Free Conscience

Writings of Seyed Mohammad Masoud Sadrnezhad

OCServ Installation and Setup

This guide provides procedures for the installation and setup of OCServ on Ubuntu 16.04.

Installation

Install ocserv:

apt install ocserv

OCServ configurations

Edit ocserv configurations:

nano /etc/ocserv/ocserv.conf

Find the lines:

tcp-port = 443
udp-port = 443

Replace them with the following:

tcp-port = 8080
udp-port = 8080

Find the line:

auth = "pam[gid-min=1000]"

Replace it with the following:

auth = "plain[/etc/ocserv/ocpasswd]"

Change the value of `try-mtu-discovery` from false to true:

try-mtu-discovery = true

Find the line:

dns = 192.168.1.2

Change it to:

dns = 8.8.8.8
dns = 4.2.2.4

Place a # in front of the following lines to comment them out:

route = 10.10.10.0/255.255.255.0
route = 192.168.0.0/255.255.0.0

no-route = 192.168.5.0/255.255.255.0

Find the line:

default-domain = example.com

Change it to:

default-domain = cisco.com

Uncomment the following line:

tunnel-all-dns = true

Add the following lines:

no-route = 10.0.0.0/255.0.0.0
no-route = 172.16.0.0/255.240.0.0
no-route = 192.168.0.0/255.255.0.0

Find:

ipv4-network = 192.168.1.0
ipv4-netmask = 255.255.255.0

Change it to:

ipv4-network = 10.10.0.0
ipv4-netmask = 255.255.0.0

Edit the sysctl configuration file to allow IP forwarding:

nano /etc/sysctl.conf

Uncomment the following line:

net.ipv4.ip_forward=1

Activate the change:

sysctl -p

Create users

Create the password file and add your desired username to it; you will then be prompted for the password and its confirmation:

ocpasswd -c /etc/ocserv/ocpasswd YOUR_USERNAME_HERE

iptables Configuration

Allow port 8080 (TCP and UDP) through the firewall:

iptables -A INPUT -p tcp --dport 8080 -j ACCEPT
iptables -A INPUT -p udp --dport 8080 -j ACCEPT

Enable NAT by using the following command:

iptables -t nat -A POSTROUTING -j MASQUERADE

Make your changes persist across server reboots:

apt install iptables-persistent
dpkg-reconfigure iptables-persistent

If that does not work, set the default policy of the INPUT and FORWARD chains to ACCEPT:

iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT

Run OCServ

Find the process that is listening on port 443:

netstat -tulpn | grep 443

Stop the ocserv socket unit that is listening on 443:

systemctl stop ocserv.socket

Prevent the ocserv service listening on 443 from starting on boot:

update-rc.d -f ocserv remove
systemctl stop ocserv.socket
systemctl disable ocserv.socket
systemctl disable ocserv

Run ocserv:

ocserv -c /etc/ocserv/ocserv.conf

To run ocserv on server boot:

nano /etc/rc.local

Add the following line before the `exit 0` line:

ocserv -c /etc/ocserv/ocserv.conf

Configure HTTPS with Let's Encrypt

Install certbot, a program for requesting Let's Encrypt certificates:

add-apt-repository ppa:certbot/certbot
apt-get update
apt-get install certbot

Request a certificate:

certbot certonly --email YOUR_EMAIL_HERE --standalone -d example.com --agree-tos --noninteractive

Edit ocserv configurations:

nano /etc/ocserv/ocserv.conf

Find the lines:

server-cert = /etc/ssl/certs/ssl-cert-snakeoil.pem
server-key = /etc/ssl/private/ssl-cert-snakeoil.key

Replace them with the following:

server-cert = /etc/letsencrypt/live/example.com/fullchain.pem
server-key = /etc/letsencrypt/live/example.com/privkey.pem
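
To confirm that the ocserv.conf edits from the configuration section and the certificate paths above actually took effect before starting the daemon, here is an added POSIX shell checker; it is not part of the original guide or of ocserv. It assumes the values this guide sets (matching tcp-port and udp-port, plain[] auth from the ocpasswd file, tunnel-all-dns, the three RFC 1918 no-route lines, an ipv4-network pool and a server-cert that is no longer the snakeoil placeholder) and reports each one that is missing from the file you pass it.

```shell
#!/bin/sh
# Added example (not from the original guide or from ocserv): sanity-check an
# ocserv.conf against the settings this guide applies, before running ocserv.
# Usage:  . ./check-ocserv.sh; check_ocserv_conf /etc/ocserv/ocserv.conf
# Exit status is the number of problems found (0 = every check passed).

# conf_get FILE KEY: print the value of every uncommented "KEY = value" line.
conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" |
        sed 's/[[:space:]]*$//'
}

# fail MESSAGE: report one problem and count it.
fail() { echo "ocserv.conf: $1"; errors=$((errors + 1)); }

check_ocserv_conf() {
    conf=$1
    errors=0

    # The guide moves both listeners to the same port (8080).
    tcp=$(conf_get "$conf" tcp-port | head -n 1)
    udp=$(conf_get "$conf" udp-port | head -n 1)
    [ -n "$tcp" ] && [ "$tcp" = "$udp" ] || fail "tcp-port and udp-port must be set and equal"

    # Authentication must come from the plain password file, not PAM.
    case "$(conf_get "$conf" auth)" in
        '"plain'*) ;;
        *) fail "auth is not the plain[...] password file" ;;
    esac

    # The Debian snakeoil placeholder certificate must have been replaced.
    case "$(conf_get "$conf" server-cert)" in
        ''|*snakeoil*) fail "server-cert still points at the snakeoil placeholder" ;;
    esac

    [ "$(conf_get "$conf" tunnel-all-dns)" = true ] || fail "tunnel-all-dns is not true"

    # All three RFC 1918 blocks should be excluded from the tunnel.
    for net in 10.0.0.0/255.0.0.0 172.16.0.0/255.240.0.0 192.168.0.0/255.255.0.0; do
        conf_get "$conf" no-route | grep -qxF "$net" || fail "missing no-route = $net"
    done

    # The client address pool must be defined.
    [ -n "$(conf_get "$conf" ipv4-network)" ] && [ -n "$(conf_get "$conf" ipv4-netmask)" ] ||
        fail "ipv4-network/ipv4-netmask not set"

    return "$errors"
}
```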

Clients

Installation

Run

Host: YOUR_PUBLIC_IP

Port: 8080

Username: YOUR_USERNAME

Password: YOUR_PASSWORD

Ubuntu:

echo "YOUR_PASSWORD" | sudo openconnect --no-cert-check --script /etc/vpnc/vpnc-script -u YOUR_USERNAME --passwd-on-stdin URL:PORT
en/ocserv.txt · Last modified: 2019/03/31 18:00 by smmsadrnezh