Difuse/packages
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

ocserv: allow enabling proxy ARP

Browse source 
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
This commit is contained in:
Nikos Mavrogiannopoulos 2015-11-01 10:38:43 +01:00
parent ddb59c4f72
commit 6252504514
4 changed files with 148 additions and 19 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
net/ocserv/Makefile
View file

@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
PKG_NAME:=ocserv PKG_NAME:=ocserv
PKG_VERSION:=0.10.9 PKG_VERSION:=0.10.9
PKG_RELEASE:=1 PKG_RELEASE:=2
PKG_USE_MIPS16:=0 PKG_USE_MIPS16:=0
PKG_BUILD_DIR :=$(BUILD_DIR)/$(PKG_NAME)-$(PKG_VERSION) PKG_BUILD_DIR :=$(BUILD_DIR)/$(PKG_NAME)-$(PKG_VERSION)

119
net/ocserv/README
View file

@ -1,17 +1,86 @@
Setting up OpenConnect VPN server
=================================
The openconnect server expects to be configured using the uci interface. The openconnect server expects to be configured using the uci interface.
It is recommended to setup a dynamic DNS address with openwrt prior It is recommended to setup a dynamic DNS address with openwrt prior
to starting the server. That is because during the first startup to starting the server. That is because during the first startup
a certificate file which contain the setup dynamic DNS name will be a certificate file which contain the setup dynamic DNS name will be
created. created. You can always regenerate the certificate by deleting
/etc/ocserv/server-key.pem.
There are two approaches to setup the VPN. The proxy-arp approach (1)
which provides clients with addresses of the LAN, and the "forwarding"
approach (2) which provides clients with addresses of a separate private
network. The former is suitable when you have "roadwarrior" type of clients
connecting to the LAN, and the latter when you may need to connect
multiple networks with the LAN.
1. Proxy-ARP Approach
=====================
[This option is available since ocserv-0.10.9-2 package]
To setup a server the provides access to LAN with network address
10.100.2.0/255.255.255.0 add the following to /etc/config/ocserv.
The following setup will assign the upper 62 addresses for VPN use.
```
----/etc/config/ocserv-------------------------------------------
config ocserv 'config'
option port '443'
option dpd '120'
option max_clients '8'
option max_same '2'
option netmask '255.255.255.192'
option ipaddr '10.100.2.192'
option auth 'plain'
option default_domain 'lan'
option compression '1'
option proxy_arp '1'
option ping_leases '1'
option enable '1'
config dns
option ip '10.100.2.1'
config routes
option ip '10.100.2.0'
option netmask '255.255.255.0'
config ocservusers
option name 'test'
option password '$5$unl8uKAGNsdTh9zm$PnUHEGhDc5VHbFE2EfWwW38Bub6Y6EZ5hrFwZE1r2F1'
-----------------------------------------------------------------
```
This setup re-utilizes the addresses assigned to LAN for the VPN clients.
To ensure that there are no conflicts with the DHCP server use the following
commands. These will set the maximum address assigned by DHCP to be 10.100.2.191
which is below the first VPN assigned address (10.100.2.192).
```
# uci set dhcp.lan.start=100
# uci set dhcp.lan.limit=91
```
For simple networks like that you may also leave the 'netmask' and 'ipaddr'
fields empty and ocserv on startup will set the necessary values.
2. Forwarding Approach
======================
To setup a server the provides access to LAN with network address To setup a server the provides access to LAN with network address
10.100.2.0/255.255.255.0 using the VPN address range 10.100.2.0/255.255.255.0 using the VPN address range
10.100.3.0/255.255.255.0 add the following to /etc/config/ocserv: 10.100.3.0/255.255.255.0 add the following to /etc/config/ocserv:
```
----/etc/config/ocserv------------------------------------------- ----/etc/config/ocserv-------------------------------------------
config ocserv 'config' config ocserv 'config'
option port '4443' option port '443'
option dpd '120' option dpd '120'
option max_clients '8' option max_clients '8'
option max_same '2' option max_same '2'
@ -34,19 +103,21 @@ config ocservusers
option password '$5$unl8uKAGNsdTh9zm$PnUHEGhDc5VHbFE2EfWwW38Bub6Y6EZ5hrFwZE1r2F1' option password '$5$unl8uKAGNsdTh9zm$PnUHEGhDc5VHbFE2EfWwW38Bub6Y6EZ5hrFwZE1r2F1'
----------------------------------------------------------------- -----------------------------------------------------------------
```
This configuration also adds the user "test" with password "test". The
password is specified in the crypt(3) format.
The server can be enabled and started using:
# /etc/init.d/ocserv enable
# /etc/init.d/ocserv start
To simplify firewall configuration, you should setup an unmanaged interface Setting up the firewall
(e.g., called vpn), and will have assigned the 'vpns+' interfaces. Then a zone =======================
called vpn should be setup to handle interactions with lan. An example
follows: Since the connected users will be assigned to other interfaces than the LAN
one, it is required to assign the VPN clients to an interface, and enable
forwarding for them. That is, you should setup an unmanaged interface (e.g.,
called vpn), which will have assigned the 'vpns+' interfaces (i.e., all vpns
interfaces). Then a zone called vpn should be setup to handle interactions
with lan. An example, which alls all forwarding between LAN and VPN clients,
follows.
```
----/etc/config/network------------------------------------------ ----/etc/config/network------------------------------------------
config interface 'vpn' config interface 'vpn'
option proto 'none' option proto 'none'
@ -74,17 +145,35 @@ config rule
option target 'ACCEPT' option target 'ACCEPT'
option src 'wan' option src 'wan'
option proto 'tcp' option proto 'tcp'
option dest_port '4443' option dest_port '443'
option name 'vpn' option name 'vpn'
config rule config rule
option target 'ACCEPT' option target 'ACCEPT'
option src 'wan' option src 'wan'
option proto 'udp' option proto 'udp'
option dest_port '4443' option dest_port '443'
option name 'vpn' option name 'vpn'
----------------------------------------------------------------- -----------------------------------------------------------------
```
Note, that the last two rules, enable connections to port 443 from the
Internet. That is the port used by OpenConnect VPN.
Starting the server
===================
Note that both configurations above add the user "test" with password "test". The
password is specified in the crypt(3) format.
The server can be enabled and started using:
# /etc/init.d/ocserv enable
# /etc/init.d/ocserv start
For any custom configuration options of ocserv you may add values in
/etc/ocserv/ocserv.conf.local.
There is a luci plugin to allow configuring the server from There is a luci plugin to allow configuring the server from
the web environment; see the package luci-app-ocserv. the web environment; see the package luci-app-ocserv.

2
net/ocserv/files/ocserv.conf.template
View file

@ -275,7 +275,7 @@ ipv4-netmask = |NETMASK|
# Prior to leasing any IP from the pool ping it to verify that # Prior to leasing any IP from the pool ping it to verify that
# it is not in use by another (unrelated to this server) host. # it is not in use by another (unrelated to this server) host.
ping-leases = false ping-leases = |PING_LEASES|
# Unset to assign the default MTU of the device # Unset to assign the default MTU of the device
# mtu = # mtu =

44
net/ocserv/files/ocserv.init
View file

@ -14,11 +14,47 @@ setup_config() {
config_get udp $1 udp "1" config_get udp $1 udp "1"
config_get auth $1 auth "plain" config_get auth $1 auth "plain"
config_get cisco_compat $1 cisco_compat "1" config_get cisco_compat $1 cisco_compat "1"
config_get ipaddr $1 ipaddr "192.168.100.0" config_get ipaddr $1 ipaddr ""
config_get netmask $1 netmask "255.255.255.0" config_get netmask $1 netmask ""
config_get ip6addr $1 ip6addr "" config_get ip6addr $1 ip6addr ""
config_get proxy_arp $1 proxy_arp "0"
config_get ping_leases $1 ping_leases "0"
config_get default_domain $1 default_domain "" config_get default_domain $1 default_domain ""
# Enable proxy arp, and make sure that ping leases is set to true in that case,
# to prevent conflicts.
if test "$proxy_arp" = 1;then
local ip
# IP address is empty. Auto-configure LAN + VPN.
if test -z "$ipaddr";then
local mask
mask=$(uci get network.lan.netmask)
if test "$mask" = "255.255.255.0";then
uci set dhcp.lan.start=100
uci set dhcp.lan.limit=91
fi
ip=$(uci get network.lan.ipaddr)
ipaddr="$(echo $ip|cut -d . -f1,2,3).192"
netmask="255.255.255.192"
uci set ocserv.config.ipaddr="$ipaddr"
uci set ocserv.config.netmask="$netmask"
uci commit
fi
if test -z "$ip6addr";then
ip6addr=$(uci get network.lan.ip6addr 2>/dev/null)
test -n "$ip6addr" && uci set ocserv.config.ip6addr="$ip6addr"
uci commit
fi
ping_leases=1
test -n "$ipaddr" && sysctl -w "net.ipv4.conf.$(uci get network.lan.ifname).proxy_arp"=1 >/dev/null
test -n "$ip6addr" && sysctl -w "net.ipv6.conf.$(uci get network.lan.ifname).proxy_ndp"=1 >/dev/null
else
test "$ipaddr" = "" && ipaddr="192.168.100.0"
test "$netmask" = "" && ipaddr="255.255.255.0"
fi
enable_default_domain="#" enable_default_domain="#"
enable_udp="#" enable_udp="#"
enable_compression="#" enable_compression="#"
@ -26,6 +62,8 @@ setup_config() {
test $predictable_ips = "1" && predictable_ips="true" test $predictable_ips = "1" && predictable_ips="true"
test $cisco_compat = "0" && cisco_compat="false" test $cisco_compat = "0" && cisco_compat="false"
test $cisco_compat = "1" && cisco_compat="true" test $cisco_compat = "1" && cisco_compat="true"
test $ping_leases = "0" && ping_leases="false"
test $ping_leases = "1" && ping_leases="true"
test $udp = "1" && enable_udp="" test $udp = "1" && enable_udp=""
test $compression = "1" && enable_compression="" test $compression = "1" && enable_compression=""
test -z $default_domain && enable_default_domain="" test -z $default_domain && enable_default_domain=""
@ -48,6 +86,7 @@ setup_config() {
-e "s/|DEFAULT_DOMAIN|/$default_domain/g" \ -e "s/|DEFAULT_DOMAIN|/$default_domain/g" \
-e "s/|ENABLE_DEFAULT_DOMAIN|/$enable_default_domain/g" \ -e "s/|ENABLE_DEFAULT_DOMAIN|/$enable_default_domain/g" \
-e "s/|CISCO_COMPAT|/$cisco_compat/g" \ -e "s/|CISCO_COMPAT|/$cisco_compat/g" \
-e "s/|PING_LEASES|/$ping_leases/g" \
-e "s/|UDP|/$enable_udp/g" \ -e "s/|UDP|/$enable_udp/g" \
-e "s/|COMPRESSION|/$enable_compression/g" \ -e "s/|COMPRESSION|/$enable_compression/g" \
-e "s/|IPV4ADDR|/$ipaddr/g" \ -e "s/|IPV4ADDR|/$ipaddr/g" \
@ -180,3 +219,4 @@ reload() {
/usr/bin/occtl reload /usr/bin/occtl reload
fi fi
} }