2 changes: 1 addition & 1 deletion net/ocserv/Makefile
Expand Up @@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk

PKG_NAME:=ocserv
PKG_VERSION:=1.4.1
PKG_RELEASE:=1
PKG_RELEASE:=2
PKG_BUILD_FLAGS:=no-mips16

PKG_BUILD_DIR :=$(BUILD_DIR)/$(PKG_NAME)-$(PKG_VERSION)
27 changes: 26 additions & 1 deletion net/ocserv/README
Expand Up @@ -7,7 +7,10 @@ It is recommended to setup a dynamic DNS address with openwrt prior
to starting the server. That is because during the first startup
a certificate file which will contain the dynamic DNS name will be
created. You can always regenerate the certificate by deleting
/etc/ocserv/server-key.pem.
/etc/ocserv/server-key.pem. Alternatively, an externally-supplied
certificate may be provided (obtained for example from Let's Encrypt
using the acme package); this too will require the server's DNS name
to match that of the certicate.

There are two approaches to setup the VPN. The proxy-arp approach (1)
which provides clients with addresses of the LAN, and the "forwarding"
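Review bot: typo on the last added line of this hunk, "certicate" should be "certificate". While touching that sentence, it would help to say which name has to match: the DNS name clients connect to must be the one in the certificate (its subject/SAN), otherwise OpenConnect clients will refuse the connection or have to be told to ignore the mismatch.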
Expand Down Expand Up @@ -179,6 +182,28 @@ config rule
Note, that the last two rules, enable connections to port 443 from the
Internet. That is the port used by OpenConnect VPN.

Using an externally-supplied server certificate
===============================================

By default, a self-signed SSL certificate is used to identify the server.
A certificate obtained by an external Certificate Authority (such as
Let's Encrypt) may be used instead.

First, obtain the certificate and private key (for example using acme):
it will be installed somewhere like `/etc/acme/<your-dns-name>`. The two
relevant files are <your-dns-name>.key for the private key, and
fullchain.cer for the certificate containing the full chain of trust.

Then add the following configuration to the ocserv configuration file:

```
----/etc/config/ocserv-------------------------------------------
config ocserv 'config'
option server_key <path-to-server-key.key>
option server_cert <path-to-fullchain-cert.cer>
```



Starting the server
===================
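Review bot: the `config ocserv 'config'` snippet should quote the option values the way the rest of /etc/config files do, e.g. `option server_key '/etc/acme/<your-dns-name>/<your-dns-name>.key'` and `option server_cert '/etc/acme/<your-dns-name>/fullchain.cer'`; the bare `<path-to-...>` placeholders are easy to copy verbatim and unquoted UCI values are a common source of parse errors. Two gaps a user of this feature will hit: nothing says what happens on renewal, and acme rewrites fullchain.cer periodically while a running ocserv keeps the chain it loaded at start until it is restarted or reloaded, so either a renewal hook or at least a sentence telling the user to restart ocserv after renewal is needed; and nothing says the private key must be readable by the ocserv process. Minor: "self-signed SSL certificate" should read "TLS certificate", and the three blank lines before "Starting the server" can be collapsed to the one blank line used between the other sections.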
4 changes: 2 additions & 2 deletions net/ocserv/files/ocserv.conf.template
Expand Up @@ -99,8 +99,8 @@ try-mtu-discovery = false
#
# There may be multiple certificate and key pairs and each key
# should correspond to the preceding certificate.
server-cert = /etc/ocserv/server-cert.pem
server-key = /etc/ocserv/server-key.pem
server-cert = |SERVER_CERT|
server-key = |SERVER_KEY|

# Diffie-Hellman parameters. Only needed if you require support
# for the DHE ciphersuites (by default this server supports ECDHE).
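Review bot: with the defaults removed from the template, the file is no longer usable on its own: if it were ever rendered without the init script's substitution, the literal `|SERVER_CERT|` and `|SERVER_KEY|` would end up in /var/etc/ocserv.conf and ocserv would refuse to start. That is fine as long as ocserv.init is the only thing that renders it (it supplies the old defaults via config_get), but a one-line comment above `server-cert = |SERVER_CERT|` saying the values are filled in from /etc/config/ocserv by ocserv.init would save the next reader a trip to the init script.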
8 changes: 6 additions & 2 deletions net/ocserv/files/ocserv.init
Expand Up @@ -23,6 +23,8 @@ setup_config() {
config_get ping_leases $1 ping_leases "0"
config_get split_dns $1 split_dns "0"
config_get default_domain $1 default_domain ""
config_get server_cert $1 server_cert "/etc/ocserv/server-cert.pem"
config_get server_key $1 server_key "/etc/ocserv/server-key.pem"

# Enable proxy arp, and make sure that ping leases is set to true in that case,
# to prevent conflicts.
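Review bot: no check that the user-supplied `$server_cert` and `$server_key` exist and are readable; a typo in either path means ocserv fails to start with nothing but a line in syslog to explain why. Suggest something like `[ -r "$server_cert" ] && [ -r "$server_key" ] || { logger -t ocserv "server certificate or key not readable: $server_cert $server_key"; return 1; }`, placed after the default certificate has been generated in start_service so that the default paths pass the check on first boot.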
Expand Down Expand Up @@ -103,6 +105,8 @@ setup_config() {
-e "s~|NETMASK|~$netmask~g" \
-e "s~|IPV6ADDR|~$ip6addr~g" \
-e "s~|ENABLE_IPV6|~$enable_ipv6~g" \
-e "s~|SERVER_CERT|~$server_cert~g" \
-e "s~|SERVER_KEY|~$server_key~g" \
/etc/ocserv/ocserv.conf.template > /var/etc/ocserv.conf

test -f /etc/ocserv/ocserv.conf.local && cat /etc/ocserv/ocserv.conf.local >> /var/etc/ocserv.conf
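Review bot: the two new sed expressions break on paths containing `~` (the delimiter used here, so the replacement ends early) or `&` (sed expands it to the matched text, i.e. the literal string `|SERVER_CERT|`), and `~/...` is exactly what people type for a path. Unlike the address substitutions above these lines, the cert and key paths are free-form user input, so either escape them first, e.g. `server_cert=$(printf '%s' "$server_cert" | sed 's/[~&\\]/\\&/g')` and the same for `server_key`, or document in the README that the paths must be absolute and contain neither character.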
Expand Down Expand Up @@ -170,9 +174,9 @@ start_service() {
--outfile /etc/ocserv/ca.pem >/dev/null 2>&1
}

#generate server certificate/key
#generate default server certificate/key
[ ! -f /etc/ocserv/server-key.pem ] && [ -x /usr/bin/certtool ] && {
logger -t ocserv "Generating server certificate..."
logger -t ocserv "Generating default server certificate..."
mkdir -p /etc/ocserv/pki/
certtool --bits 2048 --generate-privkey --outfile /etc/ocserv/server-key.pem >/dev/null 2>&1
echo "cn=$hostname" >/etc/ocserv/pki/server.tmpl
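Review bot: the default key and certificate are still generated whenever /etc/ocserv/server-key.pem is missing, regardless of what server_key is set to, so every install that uses an external certificate also gets an unused self-signed pair (plus a 2048-bit key generation on a slow router at first boot), and the renamed "default" log message is misleading in that case. Consider guarding the block with `[ "$server_key" = /etc/ocserv/server-key.pem ] &&` (assuming the value read by config_get in setup_config is in scope here) so the default pair is only created when the default path is actually in use.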