Hello, I installed the latest version of ocserv on Rocky Linux. I also have a separate server in a different subnet running HAProxy.
Here is my ocserv.conf:

auth = "radius [config=/etc/radcli/radiusclient.conf]"
acct = "radius [config=/etc/radcli/radiusclient.conf]"
tcp-port = 443
#udp-port = 0
run-as-user = nobody
run-as-group = daemon
socket-file = /var/run/ocserv-socket
server-cert = /opt/docker/letsencrypt/live/ocvpn.ardentrook.cx/fullchain.pem
server-key = /opt/docker/letsencrypt/live/ocvpn.ardentrook.cx/privkey.pem
mtu = 1400
log-level = 3
isolate-workers = true
max-clients = 16
max-same-clients = 4
keepalive = 32400
dpd = 15
mobile-dpd = 1800
listen-proxy-proto = true
try-mtu-discovery = true
tls-priorities = "SECURE256:%COMPAT"
auth-timeout = 30
min-reauth-time = 3
max-ban-score = 50
ban-reset-time = 300
cookie-rekey-time = 14400
cookie-timeout = 172800
rate-limit-ms = 100
deny-roaming = false
rekey-time = 172800
rekey-method = ssl
use-utmp = true
use-occtl = true
pid-file = /var/run/ocserv.pid
device = vpns
predictable-ips = true
default-domain = ardentrook.cx
ipv4-network = 172.16.5.0/25
dns = 172.16.2.220
route = default
tunnel-all-dns = true
ping-leases = true
cisco-client-compat = false
dtls-legacy = false

Here is my haproxy.cfg:

global
    log 127.0.0.1 local2
    maxconn 2048
    pidfile /var/run/haproxy.pid

defaults
    mode http
    option tcplog
    option dontlognull
    option contstats
    option http-server-close
    option log-health-checks
    retries 3
    option redispatch
    timeout connect 5000
    timeout client 10000
    timeout server 10000
    # make sure log-format is on a single line
    log global

frontend httpfront
    mode http
    bind *:80
    redirect scheme https code 301 if !{ ssl_fc }

frontend https-ocserv
    bind 0.0.0.0:443 tfo npn http/1.1
    mode tcp
    timeout connect 5000ms
    option redispatch
    timeout client 200000ms
    timeout server 200000ms
    option tcplog
    option clitcpka
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }
    use_backend vpn_ocserv if { req_ssl_sni ocvpn.ardentrook.cx }
    use_backend www_mailcow if { req_ssl_sni mail.ardentrook.cx }
    default_backend tcp_to_https

backend www_mailcow
    mode tcp
    acl mailcow req_ssl_sni -i mail.ardentrook.cx
    timeout connect 5000ms
    option redispatch
    timeout client 200000ms
    timeout server 200000ms
    option tcplog
    use-server mailcow if mailcow
    option tcp-check
    server mailcow 172.16.1.11:443

backend vpn_ocserv
    mode tcp
    acl ocserv req_ssl_sni -i ocvpn.ardentrook.cx
    use-server ocserv if ocserv
    option tcp-check
    server ocserv 172.16.1.2:443 send-proxy-v2

backend tcp_to_https
    mode tcp
    server haproxy-https 127.0.0.1:8443 check

frontend ft_https
    mode http
    # HAProxy will take the fitting certificate from the available ones
    bind *:8443 ssl crt /opt/docker/letsencrypt/live/ardentrook.cx/ardentrook.cx.pem
    # Spread the requests between backends
    use_backend emby if { req_ssl_sni emby.ardentrook.cx }
    default_backend emby

backend emby
    server emby 172.16.3.252:8096 check

Here is what ocserv says:

Jun 22 05:26:53 ocvpn NetworkManager[1082]: <info> [1624354013.2734] device (vpns0): state change: config -> ip-config (reason 'none', sys-iface-state: 'external')
Jun 22 05:26:53 ocvpn NetworkManager[1082]: <info> [1624354013.2738] device (vpns0): state change: ip-config -> ip-check (reason 'none', sys-iface-state: 'external')
Jun 22 05:26:53 ocvpn dbus-daemon[1006]: [system] Activating via systemd: service name='org.freedesktop.nm_dispatcher' unit='dbus-org.freedesktop.nm-dispatcher.service' requested by ':1.8' (uid=0 pid=1082 comm="/usr/sbin/NetworkManager --no-daemon " label="system_u:system_r:NetworkManager_t:s0")
Jun 22 05:26:53 ocvpn systemd[1]: Starting Network Manager Script Dispatcher Service...
Jun 22 05:26:53 ocvpn dbus-daemon[1006]: [system] Successfully activated service 'org.freedesktop.nm_dispatcher'
Jun 22 05:26:53 ocvpn systemd[1]: Started Network Manager Script Dispatcher Service.
Jun 22 05:26:53 ocvpn NetworkManager[1082]: <info> [1624354013.2985] device (vpns0): state change: ip-check -> secondaries (reason 'none', sys-iface-state: 'external')
Jun 22 05:26:53 ocvpn NetworkManager[1082]: <info> [1624354013.2990] device (vpns0): state change: secondaries -> activated (reason 'none', sys-iface-state: 'external')
Jun 22 05:26:53 ocvpn NetworkManager[1082]: <info> [1624354013.3012] device (vpns0): Activation: successful, device activated.
Jun 22 05:27:03 ocvpn systemd[1]: NetworkManager-dispatcher.service: Succeeded.
Jun 22 05:27:17 ocvpn ocserv[6299]: worker[regis]: 172.16.1.12 worker-vpn.c:1543: error parsing CSTP data
Jun 22 05:27:17 ocvpn ocserv[6299]: worker[regis]: 172.16.1.12 worker-vpn.c:2670: tls_mainloop failed -1
Jun 22 05:27:17 ocvpn ocserv[5011]: sec-mod: temporarily closing session for regis (session: 8S8RBI)
Jun 22 05:27:17 ocvpn ocserv[5010]: main[regis]:174.250.6.6:62176 user disconnected (reason: unspecified error, rx: 195, tx: 1096)
Jun 22 05:27:17 ocvpn NetworkManager[1082]: <info> [1624354037.8630] device (vpns0): state change: activated -> unmanaged (reason 'unmanaged', sys-iface-state: 'removed')
Jun 22 05:27:17 ocvpn dbus-daemon[1006]: [system] Activating via systemd: service name='org.freedesktop.nm_dispatcher' unit='dbus-org.freedesktop.nm-dispatcher.service' requested by ':1.8' (uid=0 pid=1082 comm="/usr/sbin/NetworkManager --no-daemon " label="system_u:system_r:NetworkManager_t:s0")
Jun 22 05:27:17 ocvpn systemd[1]: Starting Network Manager Script Dispatcher Service...
Jun 22 05:27:17 ocvpn dbus-daemon[1006]: [system] Successfully activated service 'org.freedesktop.nm_dispatcher'
Jun 22 05:27:17 ocvpn systemd[1]: Started Network Manager Script Dispatcher Service.
Jun 22 05:27:17 ocvpn ocserv[5010]: warning: skipping unknown option 'log-level'
Jun 22 05:27:17 ocvpn ocserv[5010]: warning: skipping unknown option 'cookie-rekey-time'
Jun 22 05:27:17 ocvpn ocserv[5010]: note: skipping 'pid-file' config option
Jun 22 05:27:17 ocvpn ocserv[5010]: note: vhost:default: setting 'radius' as primary authentication method
Jun 22 05:27:17 ocvpn ocserv[5010]: note: setting 'radius' as accounting method
Jun 22 05:27:17 ocvpn ocserv[5010]: note: setting 'file' as supplemental config option
Jun 22 05:27:18 ocvpn ocserv[5010]: main:172.16.1.12:38720 updating remote IP to 174.250.6.6
Jun 22 05:27:18 ocvpn ocserv[5011]: sec-mod: initiating session for user 'regis' (session: 8S8RBI)
Jun 22 05:27:18 ocvpn ocserv[5010]: main[regis]:174.250.6.6:62179 new user session
Jun 22 05:27:21 ocvpn ocserv[5010]: main: pinged 172.16.5.115 and is not in use
Jun 22 05:27:21 ocvpn ocserv[5010]: main[regis]:174.250.6.6:62179 user logged in
Jun 22 05:27:21 ocvpn NetworkManager[1082]: <info> [1624354041.1574] manager: (vpns0): new Tun device (/org/freedesktop/NetworkManager/Devices/5)
Jun 22 05:27:21 ocvpn systemd-udevd[6478]: link_config: autonegotiation is unset or enabled, the speed and duplex are not writable.
Jun 22 05:27:21 ocvpn NetworkManager[1082]: <info> [1624354041.1755] device (vpns0): state change: unmanaged -> unavailable (reason 'connection-assumed', sys-iface-state: 'external')
Jun 22 05:27:21 ocvpn NetworkManager[1082]: <info> [1624354041.1807] device (vpns0): state change: unavailable -> disconnected (reason 'connection-assumed', sys-iface-state: 'external')
Jun 22 05:27:21 ocvpn NetworkManager[1082]: <info> [1624354041.1820] device (vpns0): Activation: starting connection 'vpns0' (2ac4818d-90a6-4a2b-b1a5-74e11ab72d9f)
Jun 22 05:27:21 ocvpn NetworkManager[1082]: <info> [1624354041.1824] device (vpns0): state change: disconnected -> prepare (reason 'none', sys-iface-state: 'external')
Jun 22 05:27:21 ocvpn NetworkManager[1082]: <info> [1624354041.1831] device (vpns0): state change: prepare -> config (reason 'none', sys-iface-state: 'external')
Jun 22 05:27:21 ocvpn NetworkManager[1082]: <info> [1624354041.1835] device (vpns0): state change: config -> ip-config (reason 'none', sys-iface-state: 'external')
Jun 22 05:27:21 ocvpn NetworkManager[1082]: <info> [1624354041.1840] device (vpns0): state change: ip-config -> ip-check (reason 'none', sys-iface-state: 'external')
Jun 22 05:27:21 ocvpn NetworkManager[1082]: <info> [1624354041.1870] device (vpns0): state change: ip-check -> secondaries (reason 'none', sys-iface-state: 'external')
Jun 22 05:27:21 ocvpn NetworkManager[1082]: <info> [1624354041.1875] device (vpns0): state change: secondaries -> activated (reason 'none', sys-iface-state: 'external')
Jun 22 05:27:21 ocvpn NetworkManager[1082]: <info> [1624354041.1896] device (vpns0): Activation: successful, device activated.

I've tried several config options. HAProxy works for everything else except ocserv. Any suggestions? HAProxy is a necessity.

_______________________________________________
openconnect-devel mailing list
openconnect-devel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/openconnect-devel
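The backend hop in the configuration above relies on PROXY protocol v2 on both ends (`send-proxy-v2` on the HAProxy `server ocserv` line, `listen-proxy-proto = true` in ocserv), which is what lets ocserv log "updating remote IP to 174.250.6.6" for a connection that physically arrives from 172.16.1.12. As an added example that is not from the original post, HAProxy or ocserv, the Python below builds and parses that v2 header and classifies the first bytes of a backend connection, so a mismatch between the two directives (a TLS ClientHello where a PROXY header was expected, or the reverse) can be recognised; the frontend address 172.16.1.12:443 and the trailing TLS bytes in the sample are constructed stand-ins.

```python
import ipaddress
import struct

PP2_SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"  # fixed 12-byte PROXY v2 preamble
PP1_SIGNATURE = b"PROXY "                   # human-readable PROXY v1 preamble


def classify_first_bytes(data: bytes) -> str:
    """Label what the first bytes on a backend socket look like."""
    if data.startswith(PP2_SIGNATURE):
        return "proxy-v2"
    if data.startswith(PP1_SIGNATURE):
        return "proxy-v1"
    if data[:2] == b"\x16\x03":
        return "tls"  # TLS record: content type handshake, major version 3
    return "unknown"


def parse_proxy_v2(data: bytes):
    """Return ((src_ip, src_port, dst_ip, dst_port), remaining_bytes); None for LOCAL."""
    if not data.startswith(PP2_SIGNATURE) or len(data) < 16:
        raise ValueError("not a complete PROXY v2 header")
    ver_cmd, fam_proto, length = struct.unpack("!BBH", data[12:16])
    if ver_cmd >> 4 != 2:
        raise ValueError(f"unsupported PROXY version {ver_cmd >> 4}")
    body, rest = data[16:16 + length], data[16 + length:]
    if len(body) != length:
        raise ValueError("truncated PROXY v2 address block")
    if ver_cmd & 0x0F == 0:          # LOCAL command: the proxy's own connection
        return None, rest
    if fam_proto == 0x11:            # TCP over IPv4: 4 + 4 + 2 + 2 bytes
        src, dst, sport, dport = struct.unpack("!4s4sHH", body[:12])
    elif fam_proto == 0x21:          # TCP over IPv6: 16 + 16 + 2 + 2 bytes
        src, dst, sport, dport = struct.unpack("!16s16sHH", body[:36])
    else:
        raise ValueError(f"unsupported family/protocol 0x{fam_proto:02x}")
    return (str(ipaddress.ip_address(src)), sport,
            str(ipaddress.ip_address(dst)), dport), rest


def build_proxy_v2(src_ip: str, src_port: int, dst_ip: str, dst_port: int) -> bytes:
    """Build the v2 PROXY header (version 2, command PROXY) for a TCP connection."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    fam_proto = 0x11 if src.version == 4 else 0x21
    body = src.packed + dst.packed + struct.pack("!HH", src_port, dst_port)
    return PP2_SIGNATURE + struct.pack("!BBH", 0x21, fam_proto, len(body)) + body


if __name__ == "__main__":
    # Constructed sample: client 174.250.6.6:62179 as in the log; the HAProxy
    # frontend address 172.16.1.12:443 and the TLS record bytes are stand-ins.
    stream = build_proxy_v2("174.250.6.6", 62179, "172.16.1.12", 443) + b"\x16\x03\x01"
    addr, rest = parse_proxy_v2(stream)
    print(addr, classify_first_bytes(rest))  # ('174.250.6.6', 62179, '172.16.1.12', 443) tls
```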