This post is not yet finished
OpenConnect is an open source implementation of Cisco’s AnyConnect SSL VPN, which is natively supported by iOS (you can create a profile with Apple Configurator, as in iOS IPSec VPN Server on Ubuntu).
OpenConnect VPN Server can be found at http://www.infradead.org/ocserv/ and downloaded from ftp://ftp.infradead.org/pub/ocserv/; the manual is at http://www.infradead.org/ocserv/manual.html.
Let’s build it on Ubuntu 13.10!
Download & Extract
```
wget ftp://ftp.infradead.org/pub/ocserv/ocserv-0.3.0.tar.xz
tar xvf ocserv-0.3.0.tar.xz
cd ocserv-0.3.0
```
Dependencies
```
apt-get install libwrap0-dev libpam0g-dev libdbus-1-dev libreadline-dev \
    libnl-route-3-dev libprotobuf-c0-dev libpcl1-dev libopts25-dev \
    autogen libgnutls28 libgnutls28-dev libseccomp-dev
```
OpenConnect requires GnuTLS 3.0+, which is libgnutls28 in Ubuntu;
libseccomp-dev is misspelled in the README;
libhttp-parser-dev is available in Ubuntu Trusty (14.04).
Build
Let’s configure it as simply as possible, like:
```
./configure --prefix=/opt/ocserv
...
configure: Summary of build options:

  version:              0.3.0
  Host type:            x86_64-unknown-linux-gnu
  Install prefix:       /opt/ocserv
  Compiler:             gcc
  CFlags:               -g -O2 -Wall
  PAM auth backend:     yes
  TCP wrappers:         yes
  systemd:              no (socket activation)
  dbus:                 yes
  readline:             yes
  libnl3:               yes
  local protobuf-c:     no
  local PCL library:    no
  local libopts:        no
  local http-parser:    yes

  Optional programs:
  occtl:                yes

configure: Experimental options:

  seccomp:              no
  Anyconnect compat:    yes
```
Then make:
```
root@sskaje:~/build/ocserv-0.3.0# make
make  all-recursive
make[1]: Entering directory `/root/build/ocserv-0.3.0'
Making all in gl
make[2]: Entering directory `/root/build/ocserv-0.3.0/gl'
make  all-recursive
make[3]: Entering directory `/root/build/ocserv-0.3.0/gl'
make[4]: Entering directory `/root/build/ocserv-0.3.0/gl'
make[4]: Nothing to be done for `all-am'.
make[4]: Leaving directory `/root/build/ocserv-0.3.0/gl'
make[3]: Leaving directory `/root/build/ocserv-0.3.0/gl'
make[2]: Leaving directory `/root/build/ocserv-0.3.0/gl'
Making all in src
make[2]: Entering directory `/root/build/ocserv-0.3.0/src'
make  all-recursive
make[3]: Entering directory `/root/build/ocserv-0.3.0/src'
make[4]: Entering directory `/root/build/ocserv-0.3.0/src'
  CC       ocserv-args.o
In file included from ocserv-args.c:43:0:
ocserv-args.h:61:3: error: #error option template version mismatches autoopts/options.h header
 # error option template version mismatches autoopts/options.h header
   ^
ocserv-args.h:62:3: error: unknown type name ‘Choke’
   Choke Me.
   ^
ocserv-args.h:62:11: error: expected ‘=’, ‘,’, ‘;’, ‘asm’ or ‘__attribute__’ before ‘.’ token
   Choke Me.
           ^
ocserv-args.h:78:3: warning: data definition has no type or storage class [enabled by default]
 } teOptIndex;
   ^
ocserv-args.h:78:3: warning: type defaults to ‘int’ in declaration of ‘teOptIndex’ [-Wimplicit-int]
ocserv-args.c:303:29: error: ‘INDEX_OPT_VERSION’ undeclared here (not in a function)
   { /* entry idx, value */ INDEX_OPT_VERSION, VALUE_OPT_VERSION,
                             ^
ocserv-args.c:317:29: error: ‘INDEX_OPT_HELP’ undeclared here (not in a function)
   { /* entry idx, value */ INDEX_OPT_HELP, VALUE_OPT_HELP,
                             ^
ocserv-args.c:329:29: error: ‘INDEX_OPT_MORE_HELP’ undeclared here (not in a function)
   { /* entry idx, value */ INDEX_OPT_MORE_HELP, VALUE_OPT_MORE_HELP,
                             ^
ocserv-args.c:490:5: warning: suggest parentheses around arithmetic in operand of ‘|’ [-Wparentheses]
     + OPTPROC_MISUSE ),
     ^
make[4]: *** [ocserv-args.o] Error 1
make[4]: Leaving directory `/root/build/ocserv-0.3.0/src'
make[3]: *** [all-recursive] Error 1
make[3]: Leaving directory `/root/build/ocserv-0.3.0/src'
make[2]: *** [all] Error 2
make[2]: Leaving directory `/root/build/ocserv-0.3.0/src'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/root/build/ocserv-0.3.0'
make: *** [all] Error 2
```
The system autoopts headers do not match the option template shipped with ocserv 0.3.0, so build against the bundled libopts instead:
```
./configure --prefix=/opt/ocserv --enable-local-libopts --enable-libopts-install
```
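As an added example (not code from the original post or from the ocserv project), here is a small wrapper for the configure, make and install steps of this post that checks the configure summary before running make, so a build that would fail with the "option template version mismatches autoopts/options.h header" error shown above is caught early. It assumes it is run from the extracted ocserv-0.3.0 directory with the packages from the Dependencies section installed; `summary_reports` and `build_ocserv` are names chosen for this example.

```shell
#!/bin/sh
# Added example, not part of the original post or of the ocserv project.
# Assumptions: current directory is the extracted ocserv-0.3.0 tree and the
# build dependencies listed earlier are installed.

PREFIX=${PREFIX:-/opt/ocserv}

# summary_reports NAME VALUE: succeed if the configure summary on stdin
# contains a line like "  NAME:   VALUE" (VALUE may be followed by a note
# in parentheses, as in "systemd: no (socket activation)").
summary_reports() {
    grep -E "^[[:space:]]*$1:[[:space:]]+$2([[:space:]]|$)" >/dev/null
}

# Configure with the bundled libopts, refuse to run make unless the summary
# confirms it, then install and copy the sample config as the post does.
build_ocserv() {
    ./configure --prefix="$PREFIX" --enable-local-libopts --enable-libopts-install \
        > configure.log 2>&1 || { cat configure.log >&2; return 1; }
    if ! summary_reports "local libopts" yes < configure.log; then
        echo "configure did not select the bundled libopts; not running make" >&2
        return 1
    fi
    make && make install || return 1
    mkdir -p "$PREFIX/etc" && cp doc/sample.* "$PREFIX/etc/"
}
```

Call `build_ocserv` from the source directory; set `PREFIX` in the environment to install somewhere other than /opt/ocserv.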
Install
Create the config folder and copy the sample config.
```
make install
mkdir /opt/ocserv/etc/
cp doc/sample.* /opt/ocserv/etc/
```
Create configurations
Certificate related: Generate Certificate with GnuTLS and Sign with OpenSSL
```
cd /opt/ocserv/;
cp /etc/ipsec.d/crls/crl.pem etc/
cp /etc/ipsec.d/cacerts/cacert.pem etc/
```
Config file like… (I’ll upload it later)
Add User (Plain)
```
cd /opt/ocserv/;
./bin/ocpasswd -c etc/passwd -g GROUPNAME sskaje
```
Start & Stop
```
root@sskaje:/opt/ocserv# cd /opt/ocserv/;
root@sskaje:/opt/ocserv# ./sbin/ocserv -c etc/config
root@sskaje:/opt/ocserv# ps -ef|grep ocserv
root     16583     1  0 14:38 ?        00:00:00 ./sbin/ocserv -c etc/config
root     16584 16583  0 14:38 ?        00:00:00 ./sbin/ocserv -c etc/config
root     16586 19163  0 14:38 pts/0    00:00:00 grep --color=auto ocserv
root@sskaje:/opt/ocserv# ./bin/occtl stop now
Server scheduled to stop
root@sskaje:/opt/ocserv# ps -ef|grep ocserv
root     16590 19163  0 14:38 pts/0    00:00:00 grep --color=auto ocserv
```
iOS Connect
This time you need to have Cisco AnyConnect installed on your iDevice; Apple Configurator is not necessary.
I added a ‘0.0.0.0/0.0.0.0’ route, but it does not work for me yet.
Troubleshooting
Debug foreground
```
root@sskaje:/opt/ocserv# ./sbin/ocserv -c etc/config -d -f
listening (TCP) on 0.0.0.0:8443...
listening (TCP) on [::]:8443...
listening (UDP) on 0.0.0.0:8443...
listening (UDP) on [::]:8443...
ocserv[16335]: [main] initialized ocserv 0.3.0
ocserv[16336]: sec-mod initialized (socket: /var/run/ocserv-socket.16335)
DBUS connection error (Connection ":1.225" is not allowed to own the service "org.infradead.ocserv" due to security policies in the configuration file)Cannot create command handler
```
If you see this error, the D-Bus policy that allows ocserv to own its service name is missing; copy the dbus config file from the source tree to /etc:
```
cp /root/build/ocserv-0.3.0/doc/dbus/org.infradead.ocserv.conf /etc/dbus-1/system.d/
```
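As an added example (not code from the original post or from ocserv), the following preflight check covers the files this post puts in place before starting the server: the config, the CA certificate and CRL copied into etc/, the passwd file written by ocpasswd, and the D-Bus policy file whose absence produces the error above. The directories are parameters so it can be pointed at any install; `ocserv_preflight` is a name chosen here, and the assumption that the passwd file holds one `user:group:hash` line per user is this example's, not something the post states.

```shell
#!/bin/sh
# Added example, not part of the original post or of the ocserv project.
# Usage: ocserv_preflight [ETC_DIR] [DBUS_POLICY_DIR]
# Defaults match the post: /opt/ocserv/etc and /etc/dbus-1/system.d.

ocserv_preflight() {
    etc=${1:-/opt/ocserv/etc}
    dbusdir=${2:-/etc/dbus-1/system.d}
    rc=0
    # Files the post copies or generates under /opt/ocserv/etc.
    for f in "$etc/config" "$etc/cacert.pem" "$etc/crl.pem" "$etc/passwd"; do
        [ -r "$f" ] || { echo "missing: $f" >&2; rc=1; }
    done
    # Without this policy file the debug run fails with
    # 'is not allowed to own the service "org.infradead.ocserv"'.
    [ -r "$dbusdir/org.infradead.ocserv.conf" ] || {
        echo "missing dbus policy: $dbusdir/org.infradead.ocserv.conf" >&2; rc=1; }
    # Assumption for this example: each passwd entry is "user:group:hash";
    # flag lines with a different field count or an empty hash.
    if [ -r "$etc/passwd" ]; then
        bad=$(awk -F: 'NF != 3 || $3 == "" { print NR }' "$etc/passwd")
        [ -z "$bad" ] || { echo "malformed passwd lines: $bad" >&2; rc=1; }
    fi
    return $rc
}
```

Run it as root before `./sbin/ocserv -c etc/config`; a non-zero exit lists every missing or malformed item on stderr rather than stopping at the first one.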