PandaRyshan / ocserv

OpenConnect server (ocserv) 1.3.0 with Certbot
https://hub.docker.com/r/pandasrun/ocserv

ocserv with certbot support


Description

This repo combines the ocserv VPN server and certbot in one image, allowing users to run a secure VPN service and request or renew certificates automatically. The certbot-dns-cloudflare plugin is installed by default.

This image provides a default config at /etc/ocserv/ocserv.conf. If you don't mount a conf file, it generates a new one. An ENV file is used to request a Let's Encrypt certificate and create a default username. If no ENV file is provided, the ocserv service generates a self-signed certificate.

The default ocserv config I provide is designed to offer a basic, out-of-the-box VPN environment. It doesn't include additional configuration for internal resource access control, user authentication, user management, auditing, etc. The camouflage feature is disabled by default in the config; you can enable it and set a secret string for it if you need it. For more features and settings, please refer to the official documentation.

The latest version is 1.3.0, and the Docker Hub page is here.


Usage

Server

Client

You can use the Cisco AnyConnect client or Cisco Secure Client to connect to the server, or use the openconnect client by following these steps.

See more usage: openconnect --help

IPv6 support

Please make sure your Docker service has IPv6 support enabled. If it does not yet, you can add the config below to your Docker daemon settings in /etc/docker/daemon.json:

{
  "experimental": true,
  "ip6tables": true
}

Then restart your Docker service:

sudo systemctl restart docker.service

The ocserv server should work now.

If you want, you can add settings to assign a default IPv6 network segment:

{
  "experimental": true,
  "ip6tables": true,
  "ipv6": true,
  "fixed-cidr-v6": "2001:db8:1::/64"
}
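Writing the JSON above straight into /etc/docker/daemon.json silently discards any settings already there (log driver, registry mirrors, and so on), and a mistyped prefix only surfaces when the daemon refuses to start. The helper below, an added example that is not part of this image or repo, merges the IPv6 keys into an existing daemon.json and validates the fixed-cidr-v6 value first; the existing config string is constructed sample data.

```python
"""Merge the README's IPv6 settings into an existing Docker daemon.json
without discarding keys already configured (hypothetical helper)."""
import ipaddress
import json

# The keys the README asks for; fixed-cidr-v6 uses the documentation prefix.
IPV6_SETTINGS = {
    "experimental": True,
    "ip6tables": True,
    "ipv6": True,
    "fixed-cidr-v6": "2001:db8:1::/64",
}

# Constructed sample of a daemon.json an admin may already have in place.
EXISTING_DAEMON_JSON = '{"log-driver": "json-file", "ipv6": false}'


def merge_ipv6_settings(existing_text: str,
                        cidr_v6: str = IPV6_SETTINGS["fixed-cidr-v6"]) -> dict:
    """Return the existing config with the IPv6 keys added or overridden."""
    # A missing or empty file is treated as an empty object.
    config = json.loads(existing_text) if existing_text.strip() else {}
    if not isinstance(config, dict):
        raise ValueError("daemon.json must contain a JSON object")
    # strict=True rejects a prefix with host bits set (e.g. 2001:db8:1::1/64)
    # before the daemon ever sees it.
    network = ipaddress.ip_network(cidr_v6, strict=True)
    if network.version != 6:
        raise ValueError(f"{cidr_v6} is not an IPv6 network")
    merged = dict(config)          # keep every pre-existing key
    merged.update(IPV6_SETTINGS)   # README keys win on conflict
    merged["fixed-cidr-v6"] = str(network)
    return merged


def render(config: dict) -> str:
    """Serialise in the stable form you would write back to daemon.json."""
    return json.dumps(config, indent=2, sort_keys=True) + "\n"


if __name__ == "__main__":
    print(render(merge_ipv6_settings(EXISTING_DAEMON_JSON)))
```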

Resolve IPv6 domain error

You may see this error when you connect to the server with Cisco Secure Client, especially when your server is IPv6-only. There may be a problem in your DNS settings or your IPv4/IPv6 weighting settings, etc. The easy way to solve the problem is to edit your hosts file. For example, on Windows you can find C:\Windows\System32\drivers\etc\hosts, open it, and add the following entries to it:

2406:da12:3456:7890:1abc:1:2 vpn.example.com
18.111.222.333 vpn.example.com

Certificate application error

If you see an error when applying for certificates in an IPv6-only network and you have provided an email address to subscribe to mail notifications, there will be a network connection error after the certificates are generated. This is because the Let's Encrypt email subscription service does not support IPv6 access.


References


Known issues