PKG_NAME:=ocserv
PKG_VERSION:=1.4.1
-PKG_RELEASE:=1
+PKG_RELEASE:=2
PKG_BUILD_FLAGS:=no-mips16
PKG_BUILD_DIR :=$(BUILD_DIR)/$(PKG_NAME)-$(PKG_VERSION)
to starting the server. That is because during the first startup
a certificate file which will contain the dynamic DNS name will be
created. You can always regenerate the certificate by deleting
-/etc/ocserv/server-key.pem.
+/etc/ocserv/server-key.pem. Alternatively, an externally-supplied
+certificate may be provided (obtained for example from Let's Encrypt
+using the acme package); this too will require the server's DNS name
+to match that of the certicate.
There are two approaches to setup the VPN. The proxy-arp approach (1)
which provides clients with addresses of the LAN, and the "forwarding"
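Review bot: typo in the last added line of this hunk: "certicate" should read "certificate". The added sentence would also be clearer if it named which DNS name has to match, i.e. the name clients use to connect, since the surrounding paragraph is about the dynamic DNS name written into the generated certificate.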
Note, that the last two rules, enable connections to port 443 from the
Internet. That is the port used by OpenConnect VPN.
+Using an externally-supplied server certificate
+===============================================
+
+By default, a self-signed SSL certificate is used to identify the server.
+A certificate obtained by an external Certificate Authority (such as
+Let's Encrypt) may be used instead.
+
+First, obtain the certificate and private key (for example using acme):
+it will be installed somewhere like `/etc/acme/<your-dns-name>`. The two
+relevant files are <your-dns-name>.key for the private key, and
+fullchain.cer for the certificate containing the full chain of trust.
+
+Then add the following configuration to the ocserv configuration file:
+
+```
+----/etc/config/ocserv-------------------------------------------
+config ocserv 'config'
+ option server_key <path-to-server-key.key>
+ option server_cert <path-to-fullchain-cert.cer>
+```
+
+
Starting the server
===================
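Review bot: "A certificate obtained by an external Certificate Authority" should be "obtained from". The new section is also missing the renewal case: the cert and key paths are only substituted into the generated config when the service starts, so a fullchain.cer renewed by acme is not picked up until ocserv is restarted or reloaded, and without a note (or a renewal hook that restarts ocserv) users will eventually serve an expired certificate. The UCI example would read better with quoted values matching the paths described two paragraphs earlier, e.g. `option server_key '/etc/acme/<your-dns-name>/<your-dns-name>.key'` and `option server_cert '/etc/acme/<your-dns-name>/fullchain.cer'`.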
#
# There may be multiple certificate and key pairs and each key
# should correspond to the preceding certificate.
-server-cert = /etc/ocserv/server-cert.pem
-server-key = /etc/ocserv/server-key.pem
+server-cert = |SERVER_CERT|
+server-key = |SERVER_KEY|
# Diffie-Hellman parameters. Only needed if you require support
# for the DHE ciphersuites (by default this server supports ECDHE).
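Review bot: the comment kept above these lines ("There may be multiple certificate and key pairs and each key should correspond to the preceding certificate") no longer describes what the template can express: each placeholder is replaced by a single UCI option, so only one pair can be configured this way. Either trim the comment or note that additional pairs belong in /etc/ocserv/ocserv.conf.local, which the init script appends to the generated config.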
config_get ping_leases $1 ping_leases "0"
config_get split_dns $1 split_dns "0"
config_get default_domain $1 default_domain ""
+ config_get server_cert $1 server_cert "/etc/ocserv/server-cert.pem"
+ config_get server_key $1 server_key "/etc/ocserv/server-key.pem"
# Enable proxy arp, and make sure that ping leases is set to true in that case,
# to prevent conflicts.
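Review bot: the two new options are read with defaults but never validated. If server_cert or server_key points at a missing or unreadable file, ocserv fails at startup with nothing in the system log saying why; a check right after these lines, e.g. `[ -r "$server_cert" ] && [ -r "$server_key" ] || logger -t ocserv "server_cert/server_key not readable"`, would make the misconfiguration visible. Since server_key is a private key, the same check could warn when the file is world-readable.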
-e "s~|NETMASK|~$netmask~g" \
-e "s~|IPV6ADDR|~$ip6addr~g" \
-e "s~|ENABLE_IPV6|~$enable_ipv6~g" \
+ -e "s~|SERVER_CERT|~$server_cert~g" \
+ -e "s~|SERVER_KEY|~$server_key~g" \
/etc/ocserv/ocserv.conf.template > /var/etc/ocserv.conf
test -f /etc/ocserv/ocserv.conf.local && cat /etc/ocserv/ocserv.conf.local >> /var/etc/ocserv.conf
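Review bot: the new values are spliced into a sed replacement with `~` as the delimiter and no escaping, so a path containing `~`, `&` or a backslash corrupts the generated /var/etc/ocserv.conf. The existing substitutions have the same weakness, but a user-supplied file path is far more likely to contain such characters than a netmask or address. Either escape the values before substitution, e.g. `server_cert=$(printf '%s' "$server_cert" | sed 's/[&~\\]/\\&/g')` (and the same for server_key), or reject such paths where the options are read.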
--outfile /etc/ocserv/ca.pem >/dev/null 2>&1
}
- #generate server certificate/key
+ #generate default server certificate/key
[ ! -f /etc/ocserv/server-key.pem ] && [ -x /usr/bin/certtool ] && {
- logger -t ocserv "Generating server certificate..."
+ logger -t ocserv "Generating default server certificate..."
mkdir -p /etc/ocserv/pki/
certtool --bits 2048 --generate-privkey --outfile /etc/ocserv/server-key.pem >/dev/null 2>&1
echo "cn=$hostname" >/etc/ocserv/pki/server.tmpl
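Review bot: the default key/certificate generation is still gated on the hard-coded path /etc/ocserv/server-key.pem rather than on the configured server_key, so when an external certificate is in use the first start still generates a 2048-bit key and a self-signed certificate that are never used (and key generation is slow on router hardware). Since the block always writes to the default paths, the simplest fix is to skip it when server_key is set to something other than "/etc/ocserv/server-key.pem"; if the config value is not in scope in this function, it can be passed in or read with config_get here. The log message change itself is fine.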