OpenConnect on Ubuntu

By @sskaje
Link: https://sskaje.me/2014/02/openconnect-ubuntu/

This post is not yet finished

OpenConnect is an open source implementation of Cisco’s AnyConnect SSL VPN which is natively supported by iOS(You can create profile with Apple Configurator like iOS IPSec VPN Server on Ubuntu).

OpenConnect VPN Server can be found on http://www.infradead.org/ocserv/ and downloaded from ftp://ftp.infradead.org/pub/ocserv/, manual http://www.infradead.org/ocserv/manual.html
Let’s build it on Ubuntu 13.10!

Download & Extract

wget ftp://ftp.infradead.org/pub/ocserv/ocserv-0.3.0.tar.xz
tar xvf ocserv-0.3.0.tar.xz
cd ocserv-0.3.0

wget ftp://ftp.infradead.org/pub/ocserv/ocserv-0.3.0.tar.xz

tar xvf ocserv-0.3.0.tar.xz

cd ocserv-0.3.0

Dependencies

apt-get install libwrap0-dev libpam0g-dev libdbus-1-dev libreadline-dev \
  libnl-route-3-dev libprotobuf-c0-dev libpcl1-dev libopts25-dev \
  autogen libgnutls28 libgnutls28-dev  libseccomp-dev

apt-get install libwrap0-dev libpam0g-dev libdbus-1-dev libreadline-dev \

libnl-route-3-dev libprotobuf-c0-dev libpcl1-dev libopts25-dev \

autogen libgnutls28 libgnutls28-dev libseccomp-dev

OpenConnect requires GNUTLS 3.0+ which is libgnutls28 in Ubuntu;
libseccomp-dev is mis-spelled in README;
libhttp-parser-dev is offered in Ubuntu Trusty(14.04)

Build

Let’s configure it as simple as possible like:

 ./configure --prefix=/opt/ocserv 
...
configure:
Summary of build options:
  version:              0.3.0
  Host type:            x86_64-unknown-linux-gnu
  Install prefix:       /opt/ocserv
  Compiler:             gcc
  CFlags:               -g -O2 -Wall

  PAM auth backend:     yes
  TCP wrappers:         yes
  systemd:              no
  (socket activation)
  dbus:                 yes
  readline:             yes
  libnl3:               yes
  local protobuf-c:     no
  local PCL library:    no
  local libopts:        no
  local http-parser:    yes

Optional programs:
  occtl:                yes

configure:

Experimental options:
  seccomp:              no
  Anyconnect compat:    yes

./configure --prefix=/opt/ocserv

...

configure:

Summary of build options:

version: 0.3.0

Host type: x86_64-unknown-linux-gnu

Install prefix: /opt/ocserv

Compiler: gcc

CFlags: -g -O2 -Wall

PAM auth backend: yes

TCP wrappers: yes

systemd: no

(socket activation)

dbus: yes

readline: yes

libnl3: yes

local protobuf-c: no

local PCL library: no

local libopts: no

local http-parser: yes

Optional programs:

occtl: yes

configure:

Experimental options:

seccomp: no

Anyconnect compat: yes

Then make:

root@sskaje:~/build/ocserv-0.3.0# make
make  all-recursive
make[1]: Entering directory `/root/build/ocserv-0.3.0'
Making all in gl
make[2]: Entering directory `/root/build/ocserv-0.3.0/gl'
make  all-recursive
make[3]: Entering directory `/root/build/ocserv-0.3.0/gl'
make[4]: Entering directory `/root/build/ocserv-0.3.0/gl'
make[4]: Nothing to be done for `all-am'.
make[4]: Leaving directory `/root/build/ocserv-0.3.0/gl'
make[3]: Leaving directory `/root/build/ocserv-0.3.0/gl'
make[2]: Leaving directory `/root/build/ocserv-0.3.0/gl'
Making all in src
make[2]: Entering directory `/root/build/ocserv-0.3.0/src'
make  all-recursive
make[3]: Entering directory `/root/build/ocserv-0.3.0/src'
make[4]: Entering directory `/root/build/ocserv-0.3.0/src'
  CC       ocserv-args.o
In file included from ocserv-args.c:43:0:
ocserv-args.h:61:3: error: #error option template version mismatches autoopts/options.h header
 # error option template version mismatches autoopts/options.h header
   ^
ocserv-args.h:62:3: error: unknown type name ‘Choke’
   Choke Me.
   ^
ocserv-args.h:62:11: error: expected ‘=’, ‘,’, ‘;’, ‘asm’ or ‘__attribute__’ before ‘.’ token
   Choke Me.
           ^
ocserv-args.h:78:3: warning: data definition has no type or storage class [enabled by default]
 } teOptIndex;
   ^
ocserv-args.h:78:3: warning: type defaults to ‘int’ in declaration of ‘teOptIndex’ [-Wimplicit-int]
ocserv-args.c:303:29: error: ‘INDEX_OPT_VERSION’ undeclared here (not in a function)
   {  /* entry idx, value */ INDEX_OPT_VERSION, VALUE_OPT_VERSION,
                             ^
ocserv-args.c:317:29: error: ‘INDEX_OPT_HELP’ undeclared here (not in a function)
   {  /* entry idx, value */ INDEX_OPT_HELP, VALUE_OPT_HELP,
                             ^
ocserv-args.c:329:29: error: ‘INDEX_OPT_MORE_HELP’ undeclared here (not in a function)
   {  /* entry idx, value */ INDEX_OPT_MORE_HELP, VALUE_OPT_MORE_HELP,
                             ^
ocserv-args.c:490:5: warning: suggest parentheses around arithmetic in operand of ‘|’ [-Wparentheses]
     + OPTPROC_MISUSE ),
     ^
make[4]: *** [ocserv-args.o] Error 1
make[4]: Leaving directory `/root/build/ocserv-0.3.0/src'
make[3]: *** [all-recursive] Error 1
make[3]: Leaving directory `/root/build/ocserv-0.3.0/src'
make[2]: *** [all] Error 2
make[2]: Leaving directory `/root/build/ocserv-0.3.0/src'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/root/build/ocserv-0.3.0'
make: *** [all] Error 2

root@sskaje:~/build/ocserv-0.3.0# make

make all-recursive

make[1]: Entering directory `/root/build/ocserv-0.3.0'

Making all in gl

make[2]: Entering directory `/root/build/ocserv-0.3.0/gl'

make all-recursive

make[3]: Entering directory `/root/build/ocserv-0.3.0/gl'

make[4]: Entering directory `/root/build/ocserv-0.3.0/gl'

make[4]: Nothing to be done for `all-am'.

make[4]: Leaving directory `/root/build/ocserv-0.3.0/gl'

make[3]: Leaving directory `/root/build/ocserv-0.3.0/gl'

make[2]: Leaving directory `/root/build/ocserv-0.3.0/gl'

Making all in src

make[2]: Entering directory `/root/build/ocserv-0.3.0/src'

make all-recursive

make[3]: Entering directory `/root/build/ocserv-0.3.0/src'

make[4]: Entering directory `/root/build/ocserv-0.3.0/src'

CC ocserv-args.o

In file included from ocserv-args.c:43:0:

ocserv-args.h:61:3: error: #error option template version mismatches autoopts/options.h header

# error option template version mismatches autoopts/options.h header

ocserv-args.h:62:3: error: unknown type name ‘Choke’

Choke Me.

ocserv-args.h:62:11: error: expected ‘=’, ‘,’, ‘;’, ‘asm’ or ‘__attribute__’ before ‘.’ token

Choke Me.

ocserv-args.h:78:3: warning: data definition has no type or storage class [enabled by default]

} teOptIndex;

ocserv-args.h:78:3: warning: type defaults to ‘int’ in declaration of ‘teOptIndex’ [-Wimplicit-int]

ocserv-args.c:303:29: error: ‘INDEX_OPT_VERSION’ undeclared here (not in a function)

{ /* entry idx, value */ INDEX_OPT_VERSION, VALUE_OPT_VERSION,

ocserv-args.c:317:29: error: ‘INDEX_OPT_HELP’ undeclared here (not in a function)

{ /* entry idx, value */ INDEX_OPT_HELP, VALUE_OPT_HELP,

ocserv-args.c:329:29: error: ‘INDEX_OPT_MORE_HELP’ undeclared here (not in a function)

{ /* entry idx, value */ INDEX_OPT_MORE_HELP, VALUE_OPT_MORE_HELP,

ocserv-args.c:490:5: warning: suggest parentheses around arithmetic in operand of ‘|’ [-Wparentheses]

+ OPTPROC_MISUSE ),

make[4]: *** [ocserv-args.o] Error 1

make[4]: Leaving directory `/root/build/ocserv-0.3.0/src'

make[3]: *** [all-recursive] Error 1

make[3]: Leaving directory `/root/build/ocserv-0.3.0/src'

make[2]: *** [all] Error 2

make[2]: Leaving directory `/root/build/ocserv-0.3.0/src'

make[1]: *** [all-recursive] Error 1

make[1]: Leaving directory `/root/build/ocserv-0.3.0'

make: *** [all] Error 2

To solve this:

./configure --prefix=/opt/ocserv --enable-local-libopts --enable-libopts-install

1	./configure --prefix=/opt/ocserv --enable-local-libopts --enable-libopts-install

Install

Create config folder and copy sample config.

make install
mkdir /opt/ocserv/etc/
cp doc/sample.* /opt/ocserv/etc/

make install

mkdir /opt/ocserv/etc/

cp doc/sample.* /opt/ocserv/etc/

Create configurations

cd /opt/ocserv/;
cp /etc/ipsec.d/crls/crl.pem etc/
cp /etc/ipsec.d/cacerts/cacert.pem etc/

cd /opt/ocserv/;

cp /etc/ipsec.d/crls/crl.pem etc/

cp /etc/ipsec.d/cacerts/cacert.pem etc/

config file like…(I’ll upload it later)

Add User(Plain)

cd /opt/ocserv/;
./bin/ocpasswd -c etc/passwd -g GROUPNAME sskaje

1 2	cd /opt/ocserv/; ./bin/ocpasswd -c etc/passwd -g GROUPNAME sskaje

Start & Stop

root@sskaje:/opt/ocserv# cd /opt/ocserv/;
root@sskaje:/opt/ocserv# ./sbin/ocserv -c etc/config 
root@sskaje:/opt/ocserv# ps -ef|grep ocserv
root     16583     1  0 14:38 ?        00:00:00 ./sbin/ocserv -c etc/config
root     16584 16583  0 14:38 ?        00:00:00 ./sbin/ocserv -c etc/config
root     16586 19163  0 14:38 pts/0    00:00:00 grep --color=auto ocserv
root@sskaje:/opt/ocserv# ./bin/occtl  stop now
Server scheduled to stop
root@sskaje:/opt/ocserv# ps -ef|grep ocserv
root     16590 19163  0 14:38 pts/0    00:00:00 grep --color=auto ocserv

root@sskaje:/opt/ocserv# cd /opt/ocserv/;

root@sskaje:/opt/ocserv# ./sbin/ocserv -c etc/config

root@sskaje:/opt/ocserv# ps -ef|grep ocserv

root 16583 1 0 14:38 ? 00:00:00 ./sbin/ocserv -c etc/config

root 16584 16583 0 14:38 ? 00:00:00 ./sbin/ocserv -c etc/config

root 16586 19163 0 14:38 pts/0 00:00:00 grep --color=auto ocserv

root@sskaje:/opt/ocserv# ./bin/occtl stop now

Server scheduled to stop

root@sskaje:/opt/ocserv# ps -ef|grep ocserv

root 16590 19163 0 14:38 pts/0 00:00:00 grep --color=auto ocserv

iOS Connect

This time, you need to have Cisco AnyConnect installed on your iDevice, Apple Configurator is not necessory.
I added a ‘0.0.0.0/0.0.0.0’ route but does not yet work for me.

Trouble Shooting

Debug foreground

root@sskaje:/opt/ocserv# ./sbin/ocserv -c etc/config  -d -f
listening (TCP) on 0.0.0.0:8443...
listening (TCP) on [::]:8443...
listening (UDP) on 0.0.0.0:8443...
listening (UDP) on [::]:8443...
ocserv[16335]: [main] initialized ocserv 0.3.0
ocserv[16336]: sec-mod initialized (socket: /var/run/ocserv-socket.16335)
DBUS connection error (Connection ":1.225" is not allowed to own the service "org.infradead.ocserv" due to security policies in the configuration file)Cannot create command handler

root@sskaje:/opt/ocserv# ./sbin/ocserv -c etc/config -d -f

listening (TCP) on 0.0.0.0:8443...

listening (TCP) on [::]:8443...

listening (UDP) on 0.0.0.0:8443...

listening (UDP) on [::]:8443...

ocserv[16335]: [main] initialized ocserv 0.3.0

ocserv[16336]: sec-mod initialized (socket: /var/run/ocserv-socket.16335)

DBUS connection error (Connection ":1.225" is not allowed to own the service "org.infradead.ocserv" due to security policies in the configuration file)Cannot create command handler

If you see this error, you need to copy dbus config files to /etc:

cp /root/build/ocserv-0.3.0/doc/dbus/org.infradead.ocserv.conf /etc/dbus-1/system.d/

1	cp /root/build/ocserv-0.3.0/doc/dbus/org.infradead.ocserv.conf /etc/dbus-1/system.d/

OpenConnect on Ubuntu by @sskaje: https://sskaje.me/2014/02/openconnect-ubuntu/

Download & Extract

Dependencies

Build

Install

Create configurations

Add User(Plain)

Start & Stop

iOS Connect

Trouble Shooting

Incoming search terms:

Related posts: