====== ocserv - OpenConnect Server ======

===== 安装 =====
ports 或者 pkg : /usr/ports/net/ocserv
手动编译, 需要依赖 /usr/ports/archivers/liblz4 和 /usr/ports/security/gnutls

===== 证书生成 =====
== CA ==
CA模板
$ cat > ca.tmpl
cn = "OpenConnect CA"
organization = "OpenConnect"
serial = 1
expiration_days = 3650
ca
signing_key
cert_signing_key
crl_signing_key
生成私钥
$ certtool --generate-privkey --outfile ca.key
生成CA证书
$ certtool --generate-self-signed --load-privkey ca.key --template ca.tmpl --outfile ca.crt

== 服务器证书 ==
服务器模板, 其中cn必须对应client连进来的域名或者ip
$ cat > server.tmpl
cn = "host.domin"
organization = "OpenConnect"
expiration_days = 3650
signing_key
encryption_key
tls_www_server
生成私钥和证书
$ certtool --generate-privkey --outfile server.key
$ certtool --generate-certificate --load-ca-certificate ca.crt --load-ca-privkey ca.key --template server.tmpl --load-privkey server.key --outfile server.crt

== 客户端证书 ==
如果不用客户端证书, 使用Cisco AnyConnect连接的时候每次都会提示输入密码
客户端模板
$ cat > vpn_user.tmpl
cn = "vpn_user"
unit = "all"
organization = "OpenConnect"
expiration_days = 3650
signing_key
tls_www_client
生成私钥
$ certtool --generate-privkey --outfile vpn_user.key
生成证书
$ certtool --generate-certificate --load-ca-certificate ca.crt --load-ca-privkey ca.key --template vpn_user.tmpl --load-privkey vpn_user.key --outfile vpn_user.crt
合并成p12, 用于AnyConnect导入, 会提示输入证书名和密码, 密码将用于导入
$ certtool --to-p12 --pkcs-cipher 3des-pkcs12 --outder --load-privkey vpn_user.key --load-certificate vpn_user.crt --outfile vpn_user.p12

===== 配置要点 =====
== 验证方式 ==
* 如果需要用密码连入, 则修改 auth = "plain[passwd=/path/ocserv.passwd]" 对应的密码文件. 密码文件使用 ocpasswd -c /path/ocserv.passwd username 生成
* 如果同时支持密码连接和证书连接, 则在上面基础上增加 enable-auth = "certificate". 必须先启用密码验证再启用证书验证, 反之则不能使用密码验证.
* 如果只是证书验证, 则直接修改验证方式为 auth = "certificate"

== 证书的用户获取 ==
如果用户证书是按照上面的模板生成的, 配置文件中获取用户名的设置为 cert-user-oid = 2.5.4.3 (2.5.4.3 即证书的 cn 字段)

== cookie设置 ==
cookie有助于用户在重新连接时快速恢复, 相关设置
cookie-timeout = 86400
persistent-cookies = true

== 其他 ==
建议打开mtu检测, 这个会同时打开DPD检测
try-mtu-discovery = true
mobile-dpd = 1800
如果编译依赖lz4, 可以打开数据压缩
compression = true
如果要记录用户的登录情况到系统记录里, 可以开启使用utmp
use-utmp = true

== 正在使用精简配置文件 ==
auth = "plain[passwd=/path/etc/ocserv.passwd]"
enable-auth = "certificate"
tcp-port = 1000
udp-port = 1000
run-as-user = nobody
run-as-group = daemon
socket-file = /var/run/ocserv-socket
server-cert = /path/etc/certs/server.crt
server-key = /path/etc/certs/server.key
dh-params = /path/etc/certs/dh.pem
ca-cert = /path/etc/certs/ca.crt
max-clients = 200
max-same-clients = 2
keepalive = 32400
dpd = 90
mobile-dpd = 1800
try-mtu-discovery = true
cert-user-oid = 2.5.4.3
compression = true
no-compress-limit = 256
tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-VERS-SSL3.0"
auth-timeout = 40
min-reauth-time = 300
max-ban-score = 50
ban-reset-time = 300
cookie-timeout = 86400
cookie-rekey-time = 14400
persistent-cookies = true
deny-roaming = false
rekey-time = 172800
rekey-method = ssl
use-utmp = true
use-occtl = true
pid-file = /var/run/ocserv.pid
device = tun
predictable-ips = true
ipv4-network = 192.168.100.0
ipv4-netmask = 255.255.255.0
dns = 8.8.8.8
dns = 8.8.4.4
ping-leases = false
config-per-user = /path/etc/config-per-user/
default-user-config = /path/etc/default-user.config
cisco-client-compat = true