From 380bd6016a26184c37a533087d4b9cb9589b6c63 Mon Sep 17 00:00:00 2001 From: Florian Fainelli Date: Tue, 20 May 2014 04:51:50 +0000 Subject: [PATCH] ocserv: Added ocserv 0.3.5, an SSL VPN server. This server is compatible with the openconnect client, and cisco's anyconnect clients. Signed-off-by: Nikos Mavrogiannopoulos [florian: fix libcrypt detection and missing protobuf-c dependency] Signed-off-by: Florian Fainelli SVN-Revision: 40797 --- net/ocserv/Config.in | 14 ++ net/ocserv/Makefile | 75 +++++++++ net/ocserv/files/ocserv.conf | 293 +++++++++++++++++++++++++++++++++++ net/ocserv/files/ocserv.init | 61 ++++++++ 4 files changed, 443 insertions(+) create mode 100644 net/ocserv/Config.in create mode 100644 net/ocserv/Makefile create mode 100644 net/ocserv/files/ocserv.conf create mode 100644 net/ocserv/files/ocserv.init diff --git a/net/ocserv/Config.in b/net/ocserv/Config.in new file mode 100644 index 0000000000..e0d298390c --- /dev/null +++ b/net/ocserv/Config.in @@ -0,0 +1,14 @@ +# ocserv avanced configuration + +menu "Configuration" + depends on PACKAGE_ocserv + +config OCSERV_PAM + bool "enable PAM" + default n + +config OCSERV_DBUS + bool "enable DBUS (needed for occtl)" + default n + +endmenu diff --git a/net/ocserv/Makefile b/net/ocserv/Makefile new file mode 100644 index 0000000000..9fcff95a23 --- /dev/null +++ b/net/ocserv/Makefile @@ -0,0 +1,75 @@ +# +# Copyright (C) 2007-2011 OpenWrt.org +# +# This is free software, licensed under the GNU General Public License v2. +# See /LICENSE for more information. +# + +include $(TOPDIR)/rules.mk + +PKG_NAME:=ocserv +PKG_VERSION:=0.3.5 +PKG_RELEASE:=1 + +PKG_BUILD_DIR :=$(BUILD_DIR)/$(PKG_NAME)-$(PKG_VERSION) +PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz +PKG_SOURCE_URL :=ftp://ftp.infradead.org/pub/ocserv/ +PKG_MD5SUM:=7ba8ebe4eba08b6e1c9dabbc78da16e5 + +PKG_LICENSE:=GPLv2 +PKG_LICENSE_FILES:=COPYING +PKG_FIXUP:=autoreconf + +include $(INCLUDE_DIR)/package.mk + +define Package/ocserv/config + source "$(SOURCE)/Config.in" +endef + +define Package/ocserv + SECTION:=net + CATEGORY:=Network + SUBMENU:=VPN + TITLE:=OpenConnect VPN server + URL:=http://www.infradead.org/ocserv/ + DEPENDS:= +libgnutls +OCSERV_PAM:libpam +OCSERV_DBUS:libdbus +OCSERV_DBUS:libreadline +libprotobuf-c +endef + +define Package/ocserv/description + OpenConnect server (ocserv) is an SSL VPN server. Its purpose is to be + a secure, small, fast and configurable VPN server. It implements the + OpenConnect SSL VPN protocol, and has also (currently experimental) + compatibility with clients using the AnyConnect SSL VPN protocol. The + OpenConnect VPN protocol uses the standard IETF security protocols such + as TLS 1.2, and Datagram TLS to provide the secure VPN service. +endef + +CONFIGURE_ARGS+= \ + --enable-local-libopts \ + --with-libcrypt-prefix="$(STAGING_DIR)/include" \ + +ifneq ($(CONFIG_OCSERV_DBUS),y) +CONFIGURE_ARGS += --without-dbus +endif + +ifneq ($(CONFIG_OCSERV_PAM),y) +CONFIGURE_ARGS += --without-pam +endif + +define Package/ocserv/install + $(INSTALL_DIR) $(1)/usr/sbin + $(INSTALL_BIN) $(PKG_BUILD_DIR)/src/ocserv $(1)/usr/sbin/ + $(INSTALL_DIR) $(1)/usr/bin + $(INSTALL_BIN) $(PKG_BUILD_DIR)/src/ocpasswd $(1)/usr/bin/ + $(INSTALL_DIR) $(1)/etc/init.d + $(INSTALL_BIN) ./files/ocserv.init $(1)/etc/init.d/ocserv + $(INSTALL_DIR) $(1)/etc/ocserv + $(INSTALL_CONF) ./files/ocserv.conf $(1)/etc/ocserv/ocserv.conf +ifeq ($(CONFIG_OCSERV_DBUS),y) + $(INSTALL_BIN) $(PKG_BUILD_DIR)/src/occtl $(1)/usr/bin/ + $(INSTALL_DIR) $(1)/etc/dbus-1/system.d + $(INSTALL_CONF) $(PKG_BUILD_DIR)/doc/dbus/org.infradead.ocserv.conf $(1)/etc/dbus-1/system.d/ +endif +endef + +$(eval $(call BuildPackage,ocserv)) diff --git a/net/ocserv/files/ocserv.conf b/net/ocserv/files/ocserv.conf new file mode 100644 index 0000000000..badf4b59c7 --- /dev/null +++ b/net/ocserv/files/ocserv.conf @@ -0,0 +1,293 @@ +# User authentication method. Could be set multiple times and in that case +# all should succeed. +# Options: certificate, pam. +#auth = "certificate" +#auth = "pam" + +# The plain option requires specifying a password file which contains +# entries of the following format. +# "username:groupname:encoded-password" +# One entry must be listed per line, and 'ocpasswd' can be used +# to generate password entries. +auth = "plain[/etc/ocserv/ocpasswd]" + +# A banner to be displayed on clients +banner = "Welcome to OpenWRT" + +# Use listen-host to limit to specific IPs or to the IPs of a provided +# hostname. +#listen-host = [IP|HOSTNAME] + +# Limit the number of clients. Unset or set to zero for unlimited. +#max-clients = 1024 +max-clients = 8 + +# Limit the number of client connections to one every X milliseconds +# (X is the provided value). Set to zero for no limit. +#rate-limit-ms = 100 + +# Limit the number of identical clients (i.e., users connecting +# multiple times). Unset or set to zero for unlimited. +max-same-clients = 2 + +# TCP and UDP port number +tcp-port = 4443 +udp-port = 4443 + +# Keepalive in seconds +keepalive = 32400 + +# Dead peer detection in seconds. +dpd = 120 + +# Dead peer detection for mobile clients. The needs to +# be much higher to prevent such clients being awaken too +# often by the DPD messages, and save battery. +# (clients that send the X-AnyConnect-Identifier-DeviceType) +#mobile-dpd = 1800 + +# MTU discovery (DPD must be enabled) +try-mtu-discovery = false + +# The key and the certificates of the server +# The key may be a file, or any URL supported by GnuTLS (e.g., +# tpmkey:uuid=xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx;storage=user +# or pkcs11:object=my-vpn-key;object-type=private) +# +# There may be multiple certificate and key pairs and each key +# should correspond to the preceding certificate. +server-cert = /etc/ocserv/server-cert.pem +server-key = /etc/ocserv/server-key.pem + +# Diffie-Hellman parameters. Only needed if you require support +# for the DHE ciphersuites (by default this server supports ECDHE). +# Can be generated using: +# certtool --generate-dh-params --outfile /path/to/dh.pem +#dh-params = /path/to/dh.pem + +# If you have a certificate from a CA that provides an OCSP +# service you may provide a fresh OCSP status response within +# the TLS handshake. That will prevent the client from connecting +# independently on the OCSP server. +# You can update this response periodically using: +# ocsptool --ask --load-cert=your_cert --load-issuer=your_ca --outfile response +# Make sure that you replace the following file in an atomic way. +#ocsp-response = /path/to/ocsp.der + +# In case PKCS #11 or TPM keys are used the PINs should be available +# in files. The srk-pin-file is applicable to TPM keys only, and is the +# storage root key. +#pin-file = /path/to/pin.txt +#srk-pin-file = /path/to/srkpin.txt + +# The Certificate Authority that will be used to verify +# client certificates (public keys) if certificate authentication +# is set. +#ca-cert = /etc/ocserv/ca.pem + +# The object identifier that will be used to read the user ID in the client +# certificate. The object identifier should be part of the certificate's DN +# Useful OIDs are: +# CN = 2.5.4.3, UID = 0.9.2342.19200300.100.1.1 +#cert-user-oid = 0.9.2342.19200300.100.1.1 + +# The object identifier that will be used to read the user group in the +# client certificate. The object identifier should be part of the certificate's +# DN. Useful OIDs are: +# OU (organizational unit) = 2.5.4.11 +#cert-group-oid = 2.5.4.11 + +# The revocation list of the certificates issued by the 'ca-cert' above. +#crl = /etc/ocserv/crl.pem + +# GnuTLS priority string +tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT" + +# To enforce perfect forward secrecy (PFS) on the main channel. +#tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-RSA" + +# The time (in seconds) that a client is allowed to stay connected prior +# to authentication +auth-timeout = 40 + +# The time (in seconds) that a client is allowed to stay idle (no traffic) +# before being disconnected. Unset to disable. +#idle-timeout = 1200 + +# The time (in seconds) that a mobile client is allowed to stay idle (no +# traffic) before being disconnected. Unset to disable. +#mobile-idle-timeout = 2400 + +# The time (in seconds) that a client is not allowed to reconnect after +# a failed authentication attempt. +#min-reauth-time = 2 + +# Cookie validity time (in seconds) +# Once a client is authenticated he's provided a cookie with +# which he can reconnect. This option sets the maximum lifetime +# of that cookie. +cookie-validity = 86400 + +# ReKey time (in seconds) +# ocserv will ask the client to refresh keys periodically once +# this amount of seconds is elapsed. Set to zero to disable. +rekey-time = 172800 + +# ReKey method +# Valid options: ssl, new-tunnel +# ssl: Will perform an efficient rehandshake on the channel allowing +# a seamless connection during rekey. +# new-tunnel: Will instruct the client to discard and re-establish the channel. +# Use this option only if the connecting clients have issues with the ssl +# option. +rekey-method = ssl + +# Script to call when a client connects and obtains an IP +# Parameters are passed on the environment. +# REASON, USERNAME, GROUPNAME, HOSTNAME (the hostname selected by client), +# DEVICE, IP_REAL (the real IP of the client), IP_LOCAL (the local IP +# in the P-t-P connection), IP_REMOTE (the VPN IP of the client), +# ID (a unique numeric ID); REASON may be "connect" or "disconnect". +#connect-script = /scripts/ocserv-script +#disconnect-script = /scripts/ocserv-script + +# UTMP +use-utmp = false + +# D-BUS usage. If disabled occtl tool cannot be used. If enabled +# then ocserv must have access to register org.infradead.ocserv +# D-BUS service. See doc/dbus/org.infradead.ocserv.conf +use-dbus = true + +# PID file. It can be overriden in the command line. +pid-file = /var/run/ocserv.pid + +# The default server directory. Does not require any devices present. +chroot-dir = /var/lib/ocserv + +# socket file used for IPC, will be appended with .PID +# It must be accessible within the chroot environment (if any) +#socket-file = /var/run/ocserv-socket +socket-file = ocserv-socket + +# The user the worker processes will be run as. It should be +# unique (no other services run as this user). +run-as-user = ocserv +run-as-group = ocserv + +# Set the protocol-defined priority (SO_PRIORITY) for packets to +# be sent. That is a number from 0 to 6 with 0 being the lowest +# priority. Alternatively this can be used to set the IP Type- +# Of-Service, by setting it to a hexadecimal number (e.g., 0x20). +# This can be set per user/group or globally. +#net-priority = 3 + +# Set the VPN worker process into a specific cgroup. This is Linux +# specific and can be set per user/group or globally. +#cgroup = "cpuset,cpu:test" + +# +# Network settings +# + +# The name of the tun device +device = vpns + +# The default domain to be advertised +default-domain = example.com + +# The pool of addresses that leases will be given from. +ipv4-network = 192.168.1.0 +ipv4-netmask = 255.255.255.0 + +# The advertized DNS server. Use multiple lines for +# multiple servers. +# dns = fc00::4be0 +dns = 192.168.1.2 + +# The NBNS server (if any) +#nbns = 192.168.1.3 + +# The IPv6 subnet that leases will be given from. +#ipv6-network = fc00:: +#ipv6-prefix = 16 + +# The domains over which the provided DNS should be used. Use +# multiple lines for multiple domains. +#split-dns = example.com + +# Prior to leasing any IP from the pool ping it to verify that +# it is not in use by another (unrelated to this server) host. +ping-leases = false + +# Unset to assign the default MTU of the device +# mtu = + +# Unset to enable bandwidth restrictions (in bytes/sec). The +# setting here is global, but can also be set per user or per group. +#rx-data-per-sec = 40000 +#tx-data-per-sec = 40000 + +# The number of packets (of MTU size) that are available in +# the output buffer. The default is low to improve latency. +# Setting it higher will improve throughput. +#output-buffer = 10 + +# Routes to be forwarded to the client. If you need the +# client to forward routes to the server, you may use the +# config-per-user/group or even connect and disconnect scripts. +# +# To set the server as the default gateway for the client just +# comment out all routes from the server. +route = 192.168.1.0/255.255.255.0 +route = 192.168.5.0/255.255.255.0 +#route = fef4:db8:1000:1001::/64 + +# Configuration files that will be applied per user connection or +# per group. Each file name on these directories must match the username +# or the groupname. +# The options allowed in the configuration files are dns, nbns, +# ipv?-network, ipv4-netmask, ipv6-prefix, rx/tx-per-sec, iroute, route, +# net-priority and cgroup. +# +# Note that the 'iroute' option allows to add routes on the server +# based on a user or group. The syntax depends on the input accepted +# by the commands route-add-cmd and route-del-cmd (see below). + +#config-per-user = /etc/ocserv/config-per-user/ +#config-per-group = /etc/ocserv/config-per-group/ + +# The system command to use to setup a route. %R will be replaced with the +# route/mask and %D with the (tun) device. +# +# The following example is from linux systems. %R should be something +# like 192.168.2.0/24 + +#route-add-cmd = "ip route add %R dev %D" +#route-del-cmd = "ip route delete %R dev %D" + +# +# The following options are for (experimental) AnyConnect client +# compatibility. + +# Client profile xml. A sample file exists in doc/profile.xml. +# This file must be accessible from inside the worker's chroot. +# It is not used by the openconnect client. +#user-profile = profile.xml + +# Binary files that may be downloaded by the CISCO client. Must +# be within any chroot environment. +#binary-files = /path/to/binaries + +# Unless set to false it is required for clients to present their +# certificate even if they are authenticating via a previously granted +# cookie and complete their authentication in the same TCP connection. +# Legacy CISCO clients do not do that, and thus this option should be +# set for them. +cisco-client-compat = true + +#Advanced options + +# Option to allow sending arbitrary custom headers to the client after +# authentication and prior to VPN tunnel establishment. +#custom-header = "X-My-Header: hi there" diff --git a/net/ocserv/files/ocserv.init b/net/ocserv/files/ocserv.init new file mode 100644 index 0000000000..559ec802ef --- /dev/null +++ b/net/ocserv/files/ocserv.init @@ -0,0 +1,61 @@ +#!/bin/sh /etc/rc.common + +SERVICE_USE_PID=1 + +START=50 + +start() { + user_exists ocserv 72 || user_add ocserv 72 72 /var/lib/ocserv + group_exists ocserv 72 || group_add ocserv 72 + + [ ! -f /etc/ocserv/ca-key.pem ] && [ -x /usr/bin/certtool ] && { + echo "Generating CA certificate..." + mkdir -p /etc/ocserv/pki/ + certtool --bits 2048 --generate-privkey --outfile /etc/ocserv/ca-key.pem >/dev/null 2>&1 + echo "cn=`uci get system.@system[0].hostname` CA" >/etc/ocserv/pki/ca.tmpl + echo "expiration_days=-1" >>/etc/ocserv/pki/ca.tmpl + echo "serial=1" >>/etc/ocserv/pki/ca.tmpl + echo "ca" >>/etc/ocserv/pki/ca.tmpl + echo "cert_signing_key" >>/etc/ocserv/pki/ca.tmpl + + certtool --template /etc/ocserv/pki/ca.tmpl \ + --generate-self-signed --load-privkey /etc/ocserv/ca-key.pem \ + --outfile /etc/ocserv/ca.pem >/dev/null 2>&1 + } + + #generate server certificate/key + [ ! -f /etc/ocserv/server-key.pem ] && [ -x /usr/bin/certtool ] && { + echo "Generating server certificate..." + mkdir -p /etc/ocserv/pki/ + certtool --bits 2048 --generate-privkey --outfile /etc/ocserv/server-key.pem >/dev/null 2>&1 + echo "cn=`uci get system.@system[0].hostname`" >/etc/ocserv/pki/server.tmpl + echo "serial=2" >>/etc/ocserv/pki/server.tmpl + echo "expiration_days=-1" >>/etc/ocserv/pki/server.tmpl + echo "signing_key" >>/etc/ocserv/pki/server.tmpl + echo "encryption_key" >>/etc/ocserv/pki/server.tmpl + certtool --template /etc/ocserv/pki/server.tmpl \ + --generate-certificate --load-privkey /etc/ocserv/server-key.pem \ + --load-ca-certificate /etc/ocserv/ca.pem --load-ca-privkey \ + /etc/ocserv/ca-key.pem --outfile /etc/ocserv/server-cert.pem >/dev/null 2>&1 + } + + [ -f /etc/ocserv/ocpasswd ] || { + touch /etc/ocserv/ocpasswd + } + + [ -f /var/run/ocserv.pid ] || { + touch /var/run/ocserv.pid + chown ocserv:ocserv /var/run/ocserv.pid + } + [ -d /var/lib/ocserv ] || { + mkdir -m 0755 -p /var/lib/ocserv + chmod 0700 /var/lib/ocserv + chown ocserv:ocserv /var/lib/ocserv + } + service_start /usr/sbin/ocserv -c /etc/ocserv/ocserv.conf +} + +stop() { + service_stop /usr/sbin/ocserv +} + -- 2.30.2