Signed-off-by: Nikos Mavrogiannopoulos <[email protected]>
---
net/ocserv/Config.in | 4 +--
net/ocserv/Makefile | 28 ++++++++---------
net/ocserv/files/ocserv.conf | 71 +++++++++++++++++++++++++++++++++++++-------
net/ocserv/files/ocserv.init | 7 +++--
4 files changed, 82 insertions(+), 28 deletions(-)
diff --git a/net/ocserv/Config.in b/net/ocserv/Config.in
index e0d2983..75ebd5a 100644
--- a/net/ocserv/Config.in
+++ b/net/ocserv/Config.in
@@ -7,8 +7,8 @@ config OCSERV_PAM
bool "enable PAM"
default n
-config OCSERV_DBUS
- bool "enable DBUS (needed for occtl)"
+config OCSERV_PROTOBUF
+ bool "use external libprotobuf"
default n
endmenu
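Review bot: The help text on the new OCSERV_PROTOBUF symbol says `libprotobuf`, but the library the Makefile pulls in under that symbol is libprotobuf-c, a different package, so a user reading menuconfig cannot tell which one they are opting into. Suggest `bool "use external libprotobuf-c"` so the option name and the dependency agree. The enclosing menu starts before this hunk.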
diff --git a/net/ocserv/Makefile b/net/ocserv/Makefile
index 9fcff95..87ad98d 100644
--- a/net/ocserv/Makefile
+++ b/net/ocserv/Makefile
@@ -8,15 +8,15 @@
include $(TOPDIR)/rules.mk
PKG_NAME:=ocserv
-PKG_VERSION:=0.3.5
+PKG_VERSION:=0.8.0
PKG_RELEASE:=1
PKG_BUILD_DIR :=$(BUILD_DIR)/$(PKG_NAME)-$(PKG_VERSION)
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
PKG_SOURCE_URL :=ftp://ftp.infradead.org/pub/ocserv/
-PKG_MD5SUM:=7ba8ebe4eba08b6e1c9dabbc78da16e5
+PKG_MD5SUM:=6383535a21f8eecfb1bbb7f7ac99c41f
-PKG_LICENSE:=GPLv2
+PKG_LICENSE:=GPLv3
PKG_LICENSE_FILES:=COPYING
PKG_FIXUP:=autoreconf
@@ -32,7 +32,8 @@ define Package/ocserv
SUBMENU:=VPN
TITLE:=OpenConnect VPN server
URL:=http://www.infradead.org/ocserv/
- DEPENDS:= +libgnutls +OCSERV_PAM:libpam +OCSERV_DBUS:libdbus
+OCSERV_DBUS:libreadline +libprotobuf-c
+ MAINTAINER:=Nikos Mavrogiannopoulos <[email protected]>
+ DEPENDS:= +libgnutls +libncurses +libreadline +OCSERV_PAM:libpam
+OCSERV_PROTOBUF:libprotobuf-c
endef
define Package/ocserv/description
@@ -44,32 +45,31 @@ define Package/ocserv/description
as TLS 1.2, and Datagram TLS to provide the secure VPN service.
endef
+EXTRA_CPPFLAGS+=-I$(STAGING_DIR)/usr/include/readline/
+EXTRA_LDFLAGS+=-lncurses
+
CONFIGURE_ARGS+= \
--enable-local-libopts \
- --with-libcrypt-prefix="$(STAGING_DIR)/include" \
-
-ifneq ($(CONFIG_OCSERV_DBUS),y)
-CONFIGURE_ARGS += --without-dbus
-endif
+ --with-libreadline-prefix="$(STAGING_DIR)/" \
ifneq ($(CONFIG_OCSERV_PAM),y)
CONFIGURE_ARGS += --without-pam
endif
+ifneq ($(CONFIG_OCSERV_PROTOBUF),y)
+CONFIGURE_ARGS += --without-protobuf
+endif
+
define Package/ocserv/install
$(INSTALL_DIR) $(1)/usr/sbin
$(INSTALL_BIN) $(PKG_BUILD_DIR)/src/ocserv $(1)/usr/sbin/
$(INSTALL_DIR) $(1)/usr/bin
$(INSTALL_BIN) $(PKG_BUILD_DIR)/src/ocpasswd $(1)/usr/bin/
+ $(INSTALL_BIN) $(PKG_BUILD_DIR)/src/occtl $(1)/usr/bin/
$(INSTALL_DIR) $(1)/etc/init.d
$(INSTALL_BIN) ./files/ocserv.init $(1)/etc/init.d/ocserv
$(INSTALL_DIR) $(1)/etc/ocserv
$(INSTALL_CONF) ./files/ocserv.conf $(1)/etc/ocserv/ocserv.conf
-ifeq ($(CONFIG_OCSERV_DBUS),y)
- $(INSTALL_BIN) $(PKG_BUILD_DIR)/src/occtl $(1)/usr/bin/
- $(INSTALL_DIR) $(1)/etc/dbus-1/system.d
- $(INSTALL_CONF) $(PKG_BUILD_DIR)/doc/dbus/org.infradead.ocserv.conf
$(1)/etc/dbus-1/system.d/
-endif
endef
$(eval $(call BuildPackage,ocserv))
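Review bot: `EXTRA_LDFLAGS+=-lncurses` hands a library to the linker through LDFLAGS, which autotools typically places before the object files on the link line; with a toolchain that links with `--as-needed` the library can be discarded and the readline-dependent occtl link, now unconditional per the install rule in this hunk, fails. Passing it as a LIBS-style value keeps it after the objects, e.g. `CONFIGURE_VARS += LIBS="-lncurses"`, if that is what the added flag is meant to satisfy. The readline include path added via EXTRA_CPPFLAGS is fine, but a one-line comment saying why ncurses and readline are needed at all (occtl's interactive mode, presumably) would help the next maintainer who sees them on a VPN server package.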
diff --git a/net/ocserv/files/ocserv.conf b/net/ocserv/files/ocserv.conf
index badf4b5..1b8941e 100644
--- a/net/ocserv/files/ocserv.conf
+++ b/net/ocserv/files/ocserv.conf
@@ -4,6 +4,10 @@
#auth = "certificate"
#auth = "pam"
+# The gid-min option is used by auto-select-group option, in order to
+# select the minimum group ID.
+#auth = "pam[gid-min=1000]"
+
# The plain option requires specifying a password file which contains
# entries of the following format.
# "username:groupname:encoded-password"
@@ -122,11 +126,18 @@ auth-timeout = 40
# a failed authentication attempt.
#min-reauth-time = 2
-# Cookie validity time (in seconds)
-# Once a client is authenticated he's provided a cookie with
-# which he can reconnect. This option sets the maximum lifetime
-# of that cookie.
-cookie-validity = 86400
+# Cookie timeout (in seconds)
+# which he can reconnect. That cookie will be invalided if not
+# used within this timeout value. On a user disconnection, that
+# cookie will also be active for this time amount prior to be
+# invalid. That should allow a reasonable amount of time for roaming
+# between different networks.
+cookie-timeout = 300
+
+# Whether roaming is allowed, i.e., if true a cookie is
+# restricted to a single IP address and cannot be re-used
+# from a different IP.
+deny-roaming = false
# ReKey time (in seconds)
# ocserv will ask the client to refresh keys periodically once
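Review bot: The comment block above `cookie-timeout` now opens with `# which he can reconnect.`, a fragment left behind when the line `# Once a client is authenticated he's provided a cookie with` was dropped; restore that line between the `Cookie timeout` heading and the fragment so the block reads as a sentence. Separately, the shipped default `deny-roaming = false` leaves a session cookie usable from a different source IP, as the new comment itself describes; a short hint that deployments without roaming clients can set it to `true` to limit cookie re-use would make the trade-off visible to whoever copies this config.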
@@ -154,6 +165,14 @@ rekey-method = ssl
# UTMP
use-utmp = false
+# Whether to enable support for the occtl tool (i.e., either through D-BUS,
+# or via a unix socket).
+use-occtl = true
+
+# socket file used for IPC with occtl. You only need to set that,
+# if you use more than a single servers.
+occtl-socket-file = /var/run/occtl.socket
+
# D-BUS usage. If disabled occtl tool cannot be used. If enabled
# then ocserv must have access to register org.infradead.ocserv
# D-BUS service. See doc/dbus/org.infradead.ocserv.conf
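Review bot: `use-occtl = true` enables the control interface by default and `occtl-socket-file = /var/run/occtl.socket` fixes its location, but nothing in the comment says who is expected to be able to connect to that socket, and the init script in this series does not set up permissions for it; since occtl is the tool that controls the running server, the comment should state the access model (e.g. `# The socket is created by ocserv; ensure only the intended admin user can reach it.`). The D-BUS paragraph directly below still says "If disabled occtl tool cannot be used", which now contradicts the new "either through D-BUS, or via a unix socket" wording; that paragraph runs past the end of the hunk, so I cannot see whether the D-BUS setting it describes is still meaningful in 0.8.0.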
@@ -193,6 +212,10 @@ run-as-group = ocserv
# The name of the tun device
device = vpns
+# Whether the generated IPs will be predictable, i.e., IP stays the
+# same for the same user when possible.
+predictable-ips = true
+
# The default domain to be advertised
default-domain = example.com
@@ -257,14 +280,42 @@ route = 192.168.5.0/255.255.255.0
#config-per-user = /etc/ocserv/config-per-user/
#config-per-group = /etc/ocserv/config-per-group/
-# The system command to use to setup a route. %R will be replaced with the
-# route/mask and %D with the (tun) device.
+# When config-per-xxx is specified and there is no group or user that
+# matches, then utilize the following configuration.
+
+#default-user-config = /etc/ocserv/defaults/user.conf
+#default-group-config = /etc/ocserv/defaults/group.conf
+
+# Groups that a client is allowed to select from.
+# A client may belong in multiple groups, and in certain use-cases
+# it is needed to switch between them. For these cases the client can
+# select prior to authentication. Add multiple entries for multiple groups.
+#select-group = group1
+#select-group = group2[My group 2]
+#select-group = tost[The tost group]
+
+# The name of the group that if selected it would allow to use
+# the assigned by default group.
+#default-select-group = DEFAULT
+
+# Instead of specifying manually all the allowed groups, you may instruct
+# ocserv to scan all available groups and include the full list. That
+# option is only functional on plain authentication.
+#auto-select-group = true
+
+# The system command to use to setup a route. %{R} will be replaced with the
+# route/mask and %{D} with the (tun) device.
#
-# The following example is from linux systems. %R should be something
+# The following example is from linux systems. %{R} should be something
# like 192.168.2.0/24
-#route-add-cmd = "ip route add %R dev %D"
-#route-del-cmd = "ip route delete %R dev %D"
+#route-add-cmd = "ip route add %{R} dev %{D}"
+#route-del-cmd = "ip route delete %{R} dev %{D}"
+
+# This option allows to forward a proxy. The special strings '%{U}'
+# and '%{G}', if present will be replaced by the username and group name.
+#proxy-url = http://example.com/
+#proxy-url = http://example.com/%{U}/%{G}/hello
#
# The following options are for (experimental) AnyConnect client
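Review bot: The `route-add-cmd`/`route-del-cmd` examples switch from `%R`/`%D` to `%{R}`/`%{D}` without saying whether the old spelling is still accepted; if 0.8.0 only understands the braced form, an existing config that enabled these commands would pass the literal text `%R`/`%D` to `ip route` and fail at runtime, so a line such as `# Note: the %R/%D placeholders of earlier versions are now written %{R}/%{D}.` would help upgraders. For `proxy-url`, `%{U}` and `%{G}` are substituted from the authenticating client's username and group name into a URL; the comment should say whether these values are escaped before substitution, since that determines whether a name containing `/`, `?` or `#` can alter the resulting URL.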
diff --git a/net/ocserv/files/ocserv.init b/net/ocserv/files/ocserv.init
index 559ec80..3f661ed 100644
--- a/net/ocserv/files/ocserv.init
+++ b/net/ocserv/files/ocserv.init
@@ -8,11 +8,14 @@ start() {
user_exists ocserv 72 || user_add ocserv 72 72 /var/lib/ocserv
group_exists ocserv 72 || group_add ocserv 72
+ hostname=`uci get ddns.myddns.domain`
+ [ -z "$hostname" ] && hostname=`uci get system.@system[0].hostname`
+
[ ! -f /etc/ocserv/ca-key.pem ] && [ -x /usr/bin/certtool ] && {
echo "Generating CA certificate..."
mkdir -p /etc/ocserv/pki/
certtool --bits 2048 --generate-privkey --outfile
/etc/ocserv/ca-key.pem >/dev/null 2>&1
- echo "cn=`uci get system.@system[0].hostname` CA"
>/etc/ocserv/pki/ca.tmpl
+ echo "cn=$hostname CA" >/etc/ocserv/pki/ca.tmpl
echo "expiration_days=-1" >>/etc/ocserv/pki/ca.tmpl
echo "serial=1" >>/etc/ocserv/pki/ca.tmpl
echo "ca" >>/etc/ocserv/pki/ca.tmpl
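Review bot: The new `hostname=` assignment at the top of the hunk hard-codes the ddns section name `myddns`, and when that section does not exist `uci get` prints `uci: Entry not found` on stderr and exits non-zero on every `start`; the `[ -z "$hostname" ]` fallback copes with the empty value but the noise remains, and the second `uci get` has the same behaviour. Use the quiet flag and `$(...)`: `hostname=$(uci -q get ddns.myddns.domain)` followed by `[ -z "$hostname" ] && hostname=$(uci -q get system.@system[0].hostname)`. The value is then written unquoted into the certtool template (`cn=$hostname CA` here and `cn=$hostname` in the second hunk), so a configured domain containing whitespace or quote characters would yield a malformed template and an unusable CA or server certificate; a one-line sanity check or a comment stating that a plain hostname is assumed would make that explicit. `start()` begins before this hunk.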
@@ -28,7 +31,7 @@ start() {
echo "Generating server certificate..."
mkdir -p /etc/ocserv/pki/
certtool --bits 2048 --generate-privkey --outfile
/etc/ocserv/server-key.pem >/dev/null 2>&1
- echo "cn=`uci get system.@system[0].hostname`"
>/etc/ocserv/pki/server.tmpl
+ echo "cn=$hostname" >/etc/ocserv/pki/server.tmpl
echo "serial=2" >>/etc/ocserv/pki/server.tmpl
echo "expiration_days=-1" >>/etc/ocserv/pki/server.tmpl
echo "signing_key" >>/etc/ocserv/pki/server.tmpl
--
1.9.2