This repo combines the ocserv VPN server and certbot in one image, so you can run an AnyConnect-compatible VPN service and request or renew its TLS certificate automatically. The certbot-dns-cloudflare plugin is installed by default.
The image ships a default config at /etc/ocserv/ocserv.conf. If you don't mount your own conf file, a new one is generated on first start. The ENV file is used to request a Let's Encrypt certificate and to create a default username. If no ENV file is provided, the ocserv service generates a self-signed certificate instead (clients will warn about it, since no CA has signed it).
The default ocserv config I provide is designed to offer a basic, out-of-the-box VPN environment. It does not include any additional config for access control to internal resources, user authentication backends, user management, auditing, etc. The camouflage feature is disabled in the default config; you can enable it and set a secret string for it if you need it (with camouflage on, the server only answers VPN requests that carry the secret and looks like an ordinary web server to everyone else). For more features and settings, please refer to the official documentation.
The latest version is 1.3.0; see the Docker Hub page for the image.
Copy docker-compose.yml.sample and .env.sample into your own docker-compose.yml and .env files, then edit them for your setup. The email address is optional and is only used for certificate expiration reminders if certificate renewal fails. Then start the service:
docker-compose up -d
If you want to put ocserv behind a proxy such as haproxy, add
listen-proxy-proto = true
to your ocserv.conf (the proxy must then send the PROXY protocol header; otherwise connections will be rejected).
The initial password for the default user can be found in $HOME/initial_pass.txt or in the output of docker compose logs ocserv.
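The camouflage option above and listen-proxy-proto both have to be set in ocserv.conf. The following is an added example (not code from this repo) of a small helper that sets a key in ocserv's `key = value` format idempotently, replacing an existing or commented-out line instead of appending a duplicate, and then uses it to enable both options. The option names (camouflage, camouflage_secret, camouflage_realm, listen-proxy-proto) are ocserv's own; the helper names, the 24-character random secret and the realm string are my choices.

```shell
#!/bin/sh
# Added example, not part of the ocserv/certbot image: idempotent edits to ocserv.conf.
# Assumes ocserv's "key = value" line syntax. Values are inserted into a sed replacement,
# so keep them free of '&', '|' and '\' (the generated secret is plain alphanumerics).

# set_conf_key FILE KEY VALUE: replace an existing (possibly '#'-commented) line, else append.
set_conf_key() {
    file=$1 key=$2 value=$3
    pattern="^[[:space:]]*#?[[:space:]]*$key[[:space:]]*="
    if grep -Eq "$pattern" "$file"; then
        sed -E "s|$pattern.*|$key = $value|" "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    else
        printf '%s = %s\n' "$key" "$value" >> "$file"
    fi
}

# get_conf_key FILE KEY: print the active (uncommented) value of KEY, if any.
get_conf_key() {
    sed -nE "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1"
}

# enable_proxy_protocol FILE: required when haproxy (or similar) sits in front of ocserv.
enable_proxy_protocol() {
    set_conf_key "$1" listen-proxy-proto true
}

# enable_camouflage FILE [SECRET]: turn camouflage on; generate a random secret when
# none is given (48 random bytes, base64, non-alphanumerics stripped, first 24 chars).
# Prints the secret so it can be handed to the client side.
enable_camouflage() {
    file=$1
    secret=${2:-$(head -c 48 /dev/urandom | base64 | tr -d '/+=\n' | cut -c1-24)}
    set_conf_key "$file" camouflage true
    set_conf_key "$file" camouflage_secret "\"$secret\""
    set_conf_key "$file" camouflage_realm "\"Restricted Content\""
    printf '%s\n' "$secret"
}
```

Run it against the mounted config (for example `enable_camouflage ./ocserv.conf`) and restart the container afterwards; the printed secret is what clients must present to reach the VPN.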
generate a new user (ocpasswd reads the password from stdin when stdin is not a terminal, so one echo is enough; the original double echo only worked because the second echo's output reached ocpasswd):
docker exec <your-ocserv-container-name> bash -c "echo '<password>' | ocpasswd <username>"
Note that a password typed on the command line ends up in your shell history and is visible in the process list while the command runs.
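To avoid the shell-history and process-list exposure, the password can be piped from the host into `docker exec -i` instead of being typed into the command line. The following is an added example, not part of this repo: it reads the password from stdin (or prompts for it without echo), enforces a minimum length, restricts the username to a safe character set, and feeds the password to ocpasswd inside the container. It assumes the container name and username are given as arguments and that ocpasswd's default password file is the one the image's ocserv.conf uses (so no -c option is passed); the minimum length of 12 is my choice.

```shell
#!/bin/sh
# Added example (not the image's own tooling): create an ocserv user without putting
# the password into argv, shell history or `ps` output.
# Assumptions: the container's ocserv.conf uses ocpasswd's default password file;
# MIN_PASSWORD_LEN is an arbitrary local policy.

MIN_PASSWORD_LEN=12

# add_vpn_user CONTAINER USERNAME   (password as a single line on stdin)
add_vpn_user() {
    container=$1
    user=$2
    # Only allow a conservative username charset so nothing shell-significant is passed on.
    case $user in
        ''|*[!A-Za-z0-9._@-]*)
            echo "add_vpn_user: invalid username '$user'" >&2
            return 2 ;;
    esac
    IFS= read -r password || { echo "add_vpn_user: no password on stdin" >&2; return 2; }
    if [ "${#password}" -lt "$MIN_PASSWORD_LEN" ]; then
        echo "add_vpn_user: password must be at least $MIN_PASSWORD_LEN characters" >&2
        return 3
    fi
    # printf rather than echo: echo may mangle a leading '-' or backslashes in the password.
    # `docker exec -i` forwards our stdin to ocpasswd, which reads the password from it.
    printf '%s\n' "$password" | docker exec -i "$container" ocpasswd "$user"
}

# add_vpn_user_interactive CONTAINER USERNAME: prompt for the password with echo off.
add_vpn_user_interactive() {
    printf 'Password for %s: ' "$2" >&2
    stty -echo 2>/dev/null
    IFS= read -r pw
    stty echo 2>/dev/null
    printf '\n' >&2
    printf '%s\n' "$pw" | add_vpn_user "$1" "$2"
}
```

Usage: `add_vpn_user_interactive <your-ocserv-container-name> alice`, or non-interactively from a secrets store, e.g. `pass show vpn/alice | add_vpn_user <container> alice`.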
You can use the Cisco AnyConnect client or Cisco Secure Client to connect to the server, or use the openconnect client by following the steps below.
prepare connect and disconnect scripts and save them somewhere in your home directory (the connect script contains your password in plain text, so make it readable only by you: chmod 700 anyconnect.sh):
anyconnect.sh
#!/bin/bash
# Start openconnect in the background (-b), quietly (-q), using the AnyConnect protocol.
# The username and password are supplied on stdin through the here-document below.
sudo openconnect -b -q --protocol=anyconnect <your-domain> << 'delimiter'
<your-username>
<your-password>
delimiter
kill-anyconnect.sh
#!/bin/bash
# Stop the background openconnect process started by anyconnect.sh.
sudo pkill openconnect
create a soft link to each script as a system command (use the absolute path to the script, otherwise the link will dangle):
sudo ln -s /absolute/path/to/<your-script.sh> /usr/local/bin/<command-you-want>
See more usage: openconnect --help
Please make sure IPv6 support is enabled in your Docker service. If it is not yet, add the config below to your Docker daemon settings in /etc/docker/daemon.json:
{
"experimental": true,
"ip6tables": true
}
then restart your Docker service:
sudo systemctl restart docker.service
The ocserv server should work over IPv6 now.
If you want, you can add settings to assign a default ipv6 network segment:
{
"experimental": true,
"ip6tables": true,
"ipv6": true,
"fixed-cidr-v6": "2001:db8:1::/64"
}
You may see an error when you connect to the server with the Cisco Secure Client, especially when your server is IPv6 only. It may be caused by your DNS settings or by the client's IPv4/IPv6 preference settings, etc. A simple workaround is to pin the name in your hosts file. For example, on Windows open C:\Windows\System32\drivers\etc\hosts
and add lines like the following (the addresses below are placeholders; use your server's real ones):
2001:db8::1 vpn.example.com
192.0.2.1 vpn.example.com
If you see an error while applying for certificates in an IPv6-only network and you have provided an email address to subscribe to the mail notifications, there will be a network connection error after the certificates have been generated. This is because the Let's Encrypt email subscription service does not support IPv6 access. The certificates themselves are issued before that step, so only the subscription fails.