+++ /dev/null
-#
-# Copyright (C) 2007-2011 OpenWrt.org
-#
-# This is free software, licensed under the GNU General Public License v2.
-# See /LICENSE for more information.
-#
-
-include $(TOPDIR)/rules.mk
-
-PKG_NAME:=ocserv
-PKG_VERSION:=0.3.5
-PKG_RELEASE:=1
-
-PKG_BUILD_DIR :=$(BUILD_DIR)/$(PKG_NAME)-$(PKG_VERSION)
-PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
-PKG_SOURCE_URL :=ftp://ftp.infradead.org/pub/ocserv/
-PKG_MD5SUM:=7ba8ebe4eba08b6e1c9dabbc78da16e5
-
-PKG_LICENSE:=GPLv2
-PKG_LICENSE_FILES:=COPYING
-PKG_FIXUP:=autoreconf
-
-include $(INCLUDE_DIR)/package.mk
-
-define Package/ocserv/config
- source "$(SOURCE)/Config.in"
-endef
-
-define Package/ocserv
- SECTION:=net
- CATEGORY:=Network
- SUBMENU:=VPN
- TITLE:=OpenConnect VPN server
- URL:=http://www.infradead.org/ocserv/
- DEPENDS:= +libgnutls +OCSERV_PAM:libpam +OCSERV_DBUS:libdbus +OCSERV_DBUS:libreadline +libprotobuf-c
-endef
-
-define Package/ocserv/description
- OpenConnect server (ocserv) is an SSL VPN server. Its purpose is to be
- a secure, small, fast and configurable VPN server. It implements the
- OpenConnect SSL VPN protocol, and has also (currently experimental)
- compatibility with clients using the AnyConnect SSL VPN protocol. The
- OpenConnect VPN protocol uses the standard IETF security protocols such
- as TLS 1.2, and Datagram TLS to provide the secure VPN service.
-endef
-
-CONFIGURE_ARGS+= \
- --enable-local-libopts \
- --with-libcrypt-prefix="$(STAGING_DIR)/include" \
-
-ifneq ($(CONFIG_OCSERV_DBUS),y)
-CONFIGURE_ARGS += --without-dbus
-endif
-
-ifneq ($(CONFIG_OCSERV_PAM),y)
-CONFIGURE_ARGS += --without-pam
-endif
-
-define Package/ocserv/install
- $(INSTALL_DIR) $(1)/usr/sbin
- $(INSTALL_BIN) $(PKG_BUILD_DIR)/src/ocserv $(1)/usr/sbin/
- $(INSTALL_DIR) $(1)/usr/bin
- $(INSTALL_BIN) $(PKG_BUILD_DIR)/src/ocpasswd $(1)/usr/bin/
- $(INSTALL_DIR) $(1)/etc/init.d
- $(INSTALL_BIN) ./files/ocserv.init $(1)/etc/init.d/ocserv
- $(INSTALL_DIR) $(1)/etc/ocserv
- $(INSTALL_CONF) ./files/ocserv.conf $(1)/etc/ocserv/ocserv.conf
-ifeq ($(CONFIG_OCSERV_DBUS),y)
- $(INSTALL_BIN) $(PKG_BUILD_DIR)/src/occtl $(1)/usr/bin/
- $(INSTALL_DIR) $(1)/etc/dbus-1/system.d
- $(INSTALL_CONF) $(PKG_BUILD_DIR)/doc/dbus/org.infradead.ocserv.conf $(1)/etc/dbus-1/system.d/
-endif
-endef
-
-$(eval $(call BuildPackage,ocserv))
+++ /dev/null
-# User authentication method. Could be set multiple times and in that case
-# all should succeed.
-# Options: certificate, pam.
-#auth = "certificate"
-#auth = "pam"
-
-# The plain option requires specifying a password file which contains
-# entries of the following format.
-# "username:groupname:encoded-password"
-# One entry must be listed per line, and 'ocpasswd' can be used
-# to generate password entries.
-auth = "plain[/etc/ocserv/ocpasswd]"
-
-# A banner to be displayed on clients
-banner = "Welcome to OpenWRT"
-
-# Use listen-host to limit to specific IPs or to the IPs of a provided
-# hostname.
-#listen-host = [IP|HOSTNAME]
-
-# Limit the number of clients. Unset or set to zero for unlimited.
-#max-clients = 1024
-max-clients = 8
-
-# Limit the number of client connections to one every X milliseconds
-# (X is the provided value). Set to zero for no limit.
-#rate-limit-ms = 100
-
-# Limit the number of identical clients (i.e., users connecting
-# multiple times). Unset or set to zero for unlimited.
-max-same-clients = 2
-
-# TCP and UDP port number
-tcp-port = 4443
-udp-port = 4443
-
-# Keepalive in seconds
-keepalive = 32400
-
-# Dead peer detection in seconds.
-dpd = 120
-
-# Dead peer detection for mobile clients. The needs to
-# be much higher to prevent such clients being awaken too
-# often by the DPD messages, and save battery.
-# (clients that send the X-AnyConnect-Identifier-DeviceType)
-#mobile-dpd = 1800
-
-# MTU discovery (DPD must be enabled)
-try-mtu-discovery = false
-
-# The key and the certificates of the server
-# The key may be a file, or any URL supported by GnuTLS (e.g.,
-# tpmkey:uuid=xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx;storage=user
-# or pkcs11:object=my-vpn-key;object-type=private)
-#
-# There may be multiple certificate and key pairs and each key
-# should correspond to the preceding certificate.
-server-cert = /etc/ocserv/server-cert.pem
-server-key = /etc/ocserv/server-key.pem
-
-# Diffie-Hellman parameters. Only needed if you require support
-# for the DHE ciphersuites (by default this server supports ECDHE).
-# Can be generated using:
-# certtool --generate-dh-params --outfile /path/to/dh.pem
-#dh-params = /path/to/dh.pem
-
-# If you have a certificate from a CA that provides an OCSP
-# service you may provide a fresh OCSP status response within
-# the TLS handshake. That will prevent the client from connecting
-# independently on the OCSP server.
-# You can update this response periodically using:
-# ocsptool --ask --load-cert=your_cert --load-issuer=your_ca --outfile response
-# Make sure that you replace the following file in an atomic way.
-#ocsp-response = /path/to/ocsp.der
-
-# In case PKCS #11 or TPM keys are used the PINs should be available
-# in files. The srk-pin-file is applicable to TPM keys only, and is the
-# storage root key.
-#pin-file = /path/to/pin.txt
-#srk-pin-file = /path/to/srkpin.txt
-
-# The Certificate Authority that will be used to verify
-# client certificates (public keys) if certificate authentication
-# is set.
-#ca-cert = /etc/ocserv/ca.pem
-
-# The object identifier that will be used to read the user ID in the client
-# certificate. The object identifier should be part of the certificate's DN
-# Useful OIDs are:
-# CN = 2.5.4.3, UID = 0.9.2342.19200300.100.1.1
-#cert-user-oid = 0.9.2342.19200300.100.1.1
-
-# The object identifier that will be used to read the user group in the
-# client certificate. The object identifier should be part of the certificate's
-# DN. Useful OIDs are:
-# OU (organizational unit) = 2.5.4.11
-#cert-group-oid = 2.5.4.11
-
-# The revocation list of the certificates issued by the 'ca-cert' above.
-#crl = /etc/ocserv/crl.pem
-
-# GnuTLS priority string
-tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT"
-
-# To enforce perfect forward secrecy (PFS) on the main channel.
-#tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-RSA"
-
-# The time (in seconds) that a client is allowed to stay connected prior
-# to authentication
-auth-timeout = 40
-
-# The time (in seconds) that a client is allowed to stay idle (no traffic)
-# before being disconnected. Unset to disable.
-#idle-timeout = 1200
-
-# The time (in seconds) that a mobile client is allowed to stay idle (no
-# traffic) before being disconnected. Unset to disable.
-#mobile-idle-timeout = 2400
-
-# The time (in seconds) that a client is not allowed to reconnect after
-# a failed authentication attempt.
-#min-reauth-time = 2
-
-# Cookie validity time (in seconds)
-# Once a client is authenticated he's provided a cookie with
-# which he can reconnect. This option sets the maximum lifetime
-# of that cookie.
-cookie-validity = 86400
-
-# ReKey time (in seconds)
-# ocserv will ask the client to refresh keys periodically once
-# this amount of seconds is elapsed. Set to zero to disable.
-rekey-time = 172800
-
-# ReKey method
-# Valid options: ssl, new-tunnel
-# ssl: Will perform an efficient rehandshake on the channel allowing
-# a seamless connection during rekey.
-# new-tunnel: Will instruct the client to discard and re-establish the channel.
-# Use this option only if the connecting clients have issues with the ssl
-# option.
-rekey-method = ssl
-
-# Script to call when a client connects and obtains an IP
-# Parameters are passed on the environment.
-# REASON, USERNAME, GROUPNAME, HOSTNAME (the hostname selected by client),
-# DEVICE, IP_REAL (the real IP of the client), IP_LOCAL (the local IP
-# in the P-t-P connection), IP_REMOTE (the VPN IP of the client),
-# ID (a unique numeric ID); REASON may be "connect" or "disconnect".
-#connect-script = /scripts/ocserv-script
-#disconnect-script = /scripts/ocserv-script
-
-# UTMP
-use-utmp = false
-
-# D-BUS usage. If disabled occtl tool cannot be used. If enabled
-# then ocserv must have access to register org.infradead.ocserv
-# D-BUS service. See doc/dbus/org.infradead.ocserv.conf
-use-dbus = true
-
-# PID file. It can be overriden in the command line.
-pid-file = /var/run/ocserv.pid
-
-# The default server directory. Does not require any devices present.
-chroot-dir = /var/lib/ocserv
-
-# socket file used for IPC, will be appended with .PID
-# It must be accessible within the chroot environment (if any)
-#socket-file = /var/run/ocserv-socket
-socket-file = ocserv-socket
-
-# The user the worker processes will be run as. It should be
-# unique (no other services run as this user).
-run-as-user = ocserv
-run-as-group = ocserv
-
-# Set the protocol-defined priority (SO_PRIORITY) for packets to
-# be sent. That is a number from 0 to 6 with 0 being the lowest
-# priority. Alternatively this can be used to set the IP Type-
-# Of-Service, by setting it to a hexadecimal number (e.g., 0x20).
-# This can be set per user/group or globally.
-#net-priority = 3
-
-# Set the VPN worker process into a specific cgroup. This is Linux
-# specific and can be set per user/group or globally.
-#cgroup = "cpuset,cpu:test"
-
-#
-# Network settings
-#
-
-# The name of the tun device
-device = vpns
-
-# The default domain to be advertised
-default-domain = example.com
-
-# The pool of addresses that leases will be given from.
-ipv4-network = 192.168.1.0
-ipv4-netmask = 255.255.255.0
-
-# The advertized DNS server. Use multiple lines for
-# multiple servers.
-# dns = fc00::4be0
-dns = 192.168.1.2
-
-# The NBNS server (if any)
-#nbns = 192.168.1.3
-
-# The IPv6 subnet that leases will be given from.
-#ipv6-network = fc00::
-#ipv6-prefix = 16
-
-# The domains over which the provided DNS should be used. Use
-# multiple lines for multiple domains.
-#split-dns = example.com
-
-# Prior to leasing any IP from the pool ping it to verify that
-# it is not in use by another (unrelated to this server) host.
-ping-leases = false
-
-# Unset to assign the default MTU of the device
-# mtu =
-
-# Unset to enable bandwidth restrictions (in bytes/sec). The
-# setting here is global, but can also be set per user or per group.
-#rx-data-per-sec = 40000
-#tx-data-per-sec = 40000
-
-# The number of packets (of MTU size) that are available in
-# the output buffer. The default is low to improve latency.
-# Setting it higher will improve throughput.
-#output-buffer = 10
-
-# Routes to be forwarded to the client. If you need the
-# client to forward routes to the server, you may use the
-# config-per-user/group or even connect and disconnect scripts.
-#
-# To set the server as the default gateway for the client just
-# comment out all routes from the server.
-route = 192.168.1.0/255.255.255.0
-route = 192.168.5.0/255.255.255.0
-#route = fef4:db8:1000:1001::/64
-
-# Configuration files that will be applied per user connection or
-# per group. Each file name on these directories must match the username
-# or the groupname.
-# The options allowed in the configuration files are dns, nbns,
-# ipv?-network, ipv4-netmask, ipv6-prefix, rx/tx-per-sec, iroute, route,
-# net-priority and cgroup.
-#
-# Note that the 'iroute' option allows to add routes on the server
-# based on a user or group. The syntax depends on the input accepted
-# by the commands route-add-cmd and route-del-cmd (see below).
-
-#config-per-user = /etc/ocserv/config-per-user/
-#config-per-group = /etc/ocserv/config-per-group/
-
-# The system command to use to setup a route. %R will be replaced with the
-# route/mask and %D with the (tun) device.
-#
-# The following example is from linux systems. %R should be something
-# like 192.168.2.0/24
-
-#route-add-cmd = "ip route add %R dev %D"
-#route-del-cmd = "ip route delete %R dev %D"
-
-#
-# The following options are for (experimental) AnyConnect client
-# compatibility.
-
-# Client profile xml. A sample file exists in doc/profile.xml.
-# This file must be accessible from inside the worker's chroot.
-# It is not used by the openconnect client.
-#user-profile = profile.xml
-
-# Binary files that may be downloaded by the CISCO client. Must
-# be within any chroot environment.
-#binary-files = /path/to/binaries
-
-# Unless set to false it is required for clients to present their
-# certificate even if they are authenticating via a previously granted
-# cookie and complete their authentication in the same TCP connection.
-# Legacy CISCO clients do not do that, and thus this option should be
-# set for them.
-cisco-client-compat = true
-
-#Advanced options
-
-# Option to allow sending arbitrary custom headers to the client after
-# authentication and prior to VPN tunnel establishment.
-#custom-header = "X-My-Header: hi there"
+++ /dev/null
-#!/bin/sh /etc/rc.common
-
-SERVICE_USE_PID=1
-
-START=50
-
-start() {
- user_exists ocserv 72 || user_add ocserv 72 72 /var/lib/ocserv
- group_exists ocserv 72 || group_add ocserv 72
-
- [ ! -f /etc/ocserv/ca-key.pem ] && [ -x /usr/bin/certtool ] && {
- echo "Generating CA certificate..."
- mkdir -p /etc/ocserv/pki/
- certtool --bits 2048 --generate-privkey --outfile /etc/ocserv/ca-key.pem >/dev/null 2>&1
- echo "cn=`uci get system.@system[0].hostname` CA" >/etc/ocserv/pki/ca.tmpl
- echo "expiration_days=-1" >>/etc/ocserv/pki/ca.tmpl
- echo "serial=1" >>/etc/ocserv/pki/ca.tmpl
- echo "ca" >>/etc/ocserv/pki/ca.tmpl
- echo "cert_signing_key" >>/etc/ocserv/pki/ca.tmpl
-
- certtool --template /etc/ocserv/pki/ca.tmpl \
- --generate-self-signed --load-privkey /etc/ocserv/ca-key.pem \
- --outfile /etc/ocserv/ca.pem >/dev/null 2>&1
- }
-
- #generate server certificate/key
- [ ! -f /etc/ocserv/server-key.pem ] && [ -x /usr/bin/certtool ] && {
- echo "Generating server certificate..."
- mkdir -p /etc/ocserv/pki/
- certtool --bits 2048 --generate-privkey --outfile /etc/ocserv/server-key.pem >/dev/null 2>&1
- echo "cn=`uci get system.@system[0].hostname`" >/etc/ocserv/pki/server.tmpl
- echo "serial=2" >>/etc/ocserv/pki/server.tmpl
- echo "expiration_days=-1" >>/etc/ocserv/pki/server.tmpl
- echo "signing_key" >>/etc/ocserv/pki/server.tmpl
- echo "encryption_key" >>/etc/ocserv/pki/server.tmpl
- certtool --template /etc/ocserv/pki/server.tmpl \
- --generate-certificate --load-privkey /etc/ocserv/server-key.pem \
- --load-ca-certificate /etc/ocserv/ca.pem --load-ca-privkey \
- /etc/ocserv/ca-key.pem --outfile /etc/ocserv/server-cert.pem >/dev/null 2>&1
- }
-
- [ -f /etc/ocserv/ocpasswd ] || {
- touch /etc/ocserv/ocpasswd
- }
-
- [ -f /var/run/ocserv.pid ] || {
- touch /var/run/ocserv.pid
- chown ocserv:ocserv /var/run/ocserv.pid
- }
- [ -d /var/lib/ocserv ] || {
- mkdir -m 0755 -p /var/lib/ocserv
- chmod 0700 /var/lib/ocserv
- chown ocserv:ocserv /var/lib/ocserv
- }
- service_start /usr/sbin/ocserv -c /etc/ocserv/ocserv.conf
-}
-
-stop() {
- service_stop /usr/sbin/ocserv
-}
-