
Title: Openconnect server in DD-wrt / optware with cert auth (update 25/9)

Author: zotac    Time: 2016-9-22 17:27     Title: Openconnect server in DD-wrt / optware with cert auth (update 25/9)

This post was last edited by zotac on 2016-9-25 03:29

I installed optware Barrier Breaker 14.07 on a Buffalo G300NH v1 running DD-WRT 17798a (the snapshots cannot be installed) and successfully installed ocserv 0.8.9, but after configuring it the AnyConnect client on an iPhone (iOS 9.3.5) cannot connect. Could the experts please take a look at where my settings are wrong? Thanks! (Update 23/9: revised ocserv.conf & IPv4 address, able to connect to the HK OpenConnect server with internet access. Update 24/9: able to use 10.10.0.0/24 after updating the firewall rule, and able to use occtl over ssh to view ocserv status. Update 25/9: auth = cert OK.)

================================================================================
install optware Barrier Breaker 14.07 in dd-wrt 17798a for Buffalo G300NH v1 (update 24/9)
Because the official DD-WRT 17798a firmware is too old, snapshots / Chaos Calmer 15.05 cannot be installed, and upgrading to the latest DD-WRT via web upgrade will almost certainly brick the router, so the only option is to make do with the previous stable release, Barrier Breaker 14.07. The OpenSSL version in DD-WRT 17798a is 0.9.8, so there is no need to worry about the Heartbleed bug.

1. Jffs2 setup
go to router admin / management, enable jffs2, clean, reboot
putty
cd /jffs
mkdir etc root opt tmp
chmod 755 etc root opt tmp
mount -o bind /jffs/opt /opt
mount -o bind /jffs/etc /etc
mount -o bind /jffs/root /tmp/root
(this gives you writable etc, root and opt for the later optware installation)

2. install optware opkg & dependent libs
cd /jffs/tmp
wget http://downloads.openwrt.org/bar ... 9.33.2-1_ar71xx.ipk
wget http://downloads.openwrt.org/bar ... linaro-1_ar71xx.ipk
wget http://downloads.openwrt.org/bar ... 5b846d-7_ar71xx.ipk

install opkg:
ipkg -d /opt install opkg_9c97d5ecd795709c8584e972bfdf3aee3a5b846d-7_ar71xx.ipk
# install the packages needed to run opkg the first time
wget http://downloads.openwrt.org/bac ... .3+cs-42_ar71xx.ipk
wget http://downloads.openwrt.org/bac ... .30.1-42_ar71xx.ipk
ipkg -d /opt install libgcc_4.8-linaro-1_ar71xx.ipk
ipkg -d /opt install libc_0.9.33.2-1_ar71xx.ipk

edit opkg.conf:
vi /opt/etc/opkg.conf
src/gz base http://downloads.openwrt.org/bar ... neric/packages/base
src/gz packages http://downloads.openwrt.org/bar ... c/packages/packages
src/gz routing http://downloads.openwrt.org/bar ... ic/packages/routing
src/gz telephony http://downloads.openwrt.org/bar ... /packages/telephony
src/gz management http://downloads.openwrt.org/bar ... packages/management
dest root /opt
dest ram /tmp
lists_dir ext /opt/var/opkg-lists
option overlay_root /overlay

set lib/bin path for opkg
export LD_LIBRARY_PATH='/opt/lib:/opt/usr/lib:/lib:/usr/lib'
export PATH='/opt/bin:/opt/usr/bin:/opt/sbin:/opt/usr/sbin:/bin:/sbin:/usr/sbin:/usr/bin'

# run opkg
opkg -f /opt/etc/opkg.conf update
opkg -f /opt/etc/opkg.conf list

Then you'll have optware Barrier Breaker 14.07 installed

edit startup script in router admin / management /command
#! /bin/sh
mount -o bind /jffs/root /tmp/root
mount -o bind /jffs/etc /etc
mount -o bind /jffs/opt /opt
(make sure you have run chmod 755 /jffs/root before bind-mounting it onto /tmp/root and rebooting; otherwise you will get access denied when logging in to the router admin GUI and as root over telnet/ssh after the reboot)

3. install ocserv
reboot the router and log in with PuTTY again

Before running any optware program you have to set the LIB/bin path again:
export LD_LIBRARY_PATH='/opt/lib:/opt/usr/lib:/lib:/usr/lib'
export PATH='/opt/bin:/opt/usr/bin:/opt/sbin:/opt/usr/sbin:/bin:/sbin:/usr/sbin:/usr/bin'

# install ocserv:
opkg -f /opt/etc/opkg.conf install ocserv

That's it, the ocserv server is installed!

=========================================================================
setup ocserv:
Generated the CA and the server cert/key with certtool, set auth = plain in ocserv.conf, created a user/password with ocpasswd, and opened port 443 in router admin > firewall script.

ocserv.conf:
listen-host-is-dyndns = false
# changed to certificate auth on 25/9; until then auth was plain
auth = "certificate"
# auth = "plain[/opt/etc/ocserv/ocpasswd]"
max-clients = 4
max-same-clients = 2
tcp-port = 443
udp-port = 443
auth-timeout = 40
cookie-timeout = 300
rekey-time = 172800
keepalive = 32400
dpd = 240
mobile-dpd = 1800
server-cert = /opt/etc/ocserv/server-cert.pem
server-key = /opt/etc/ocserv/server-key.pem
ca-cert = /opt/etc/ocserv/ca-cert.pem
# route = default
# dns = 10.10.0.1
# (don't use: ocserv 0.8.9 may assign a random 10.10.0.x LAN IP other than 10.10.0.1, updated 24/9)
dns = 8.8.8.8
dns = 8.8.4.4
device = vpns
try-mtu-discovery = false
cisco-client-compat = true
rekey-method = ssl
# run-as-user = ocserv
# run-as-group = ocserv
# (both removed, or set to "root": the ocserv account does not exist on the router)
# ipv4-network = 192.168.1.0
# (changed to 10.10.0.0 on 24/9)
ipv4-network = 10.10.0.0
ipv4-netmask = 255.255.255.0
pid-file = /var/run/ocserv.pid
socket-file = /var/run/ocserv-socket
# enabled 24/9 so occtl can show ocserv status over ssh
use-occtl = true
# ocserv spells this option occtl-socket-file; the misspelt cctl-socket-file is
# what the "Skipping unknown option" line in the log below refers to
occtl-socket-file = /var/run/occtl.socket

router startup script: (revised)
#! /bin/sh
mount -o bind /jffs/root /tmp/root
mount -o bind /jffs/etc /etc
mount -o bind /jffs/opt /opt
export LD_LIBRARY_PATH='/opt/lib:/opt/usr/lib:/lib:/usr/lib'
export PATH='/opt/bin:/opt/usr/bin:/opt/sbin:/opt/usr/sbin:/bin:/sbin:/usr/sbin:/usr/bin'
ocserv -c /opt/etc/ocserv/ocserv.conf

router firewall script: (revised to 10.10.0.0 on 24/9)
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -p udp --dport 443 -j ACCEPT
iptables -I FORWARD -i vpns+ -s 10.10.0.0/24 -j ACCEPT
iptables -I INPUT -i vpns+ -s 10.10.0.0/24 -j ACCEPT
# newly added 24/9 to give clients internet access; DD-WRT uses eth1 for WAN, not eth0
iptables -t nat -I POSTROUTING -s 10.10.0.0/24 -o eth1 -j MASQUERADE

changed to 10.10.0.0 on 24/9, removed the rules below:
iptables -I FORWARD -i vpns+ -s 192.168.1.0/24 -j ACCEPT
iptables -I INPUT -i vpns+ -s 192.168.1.0/24 -j ACCEPT
removed the rules below on 23/9:
iptables -I FORWARD -i vpns+ -s 10.10.0.0/24 -j ACCEPT
iptables -I INPUT -i vpns+ -s 10.10.0.0/24 -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.10.0.0/24 -o eth0 -j MASQUERADE
iptables -A FORWARD -s 10.10.0.0/24 -j ACCEPT

Tested from Shenzhen over a China Mobile Hong Kong one-card-two-numbers LTE connection; the connection failed (test failed on 22/9)
IOS error log:
[VPN]<Error>-connection attempt has timed out.  Please verify internet connectivity.

Testing ocserv from the router command line after logging in with PuTTY:
root@DD-WRT:/# ocserv -f -c /opt/etc/ocserv/ocserv.conf -d 1
Skipping unknown option 'cctl-socket-file'
Unknown user: ocserv
(the problem was run-as-user = ocserv; removed as CKLeea advised, many thanks!)

Update, connection successful (23/9):
After removing run-as-user = ocserv as CKLeea advised and changing the IPv4 network to 192.168.1.0, I connected successfully to the HK OpenConnect server with internet access.
ocserv starts successfully:
root@DD-WRT:/opt/etc/ocserv# ocserv -f -c /opt/etc/ocserv/ocserv.conf -d 1
Skipping unknown option 'cctl-socket-file'
listening (TCP) on 0.0.0.0:443...
listening (UDP) on 0.0.0.0:443...
ocserv[2570]: main: initialized ocserv 0.8.9
ocserv[2571]: sec-mod: sec-mod initialized (socket: /var/run/ocserv-socket.2570)
ocserv[2571]: sec-mod: received request from pid 2570 and uid 0
ocserv[2571]: sec-mod: cmd [size=#55#] sm: sign

deleted: [23/9, tested via China Mobile LTE / China Telecom fixed line in the PRC; currently it only connects with ipv4-network set to 192.168.1.0. With 10.10.0.0 it can connect but the client can't get online; I haven't yet worked out the firewall rule to route the 10.10.0.0 clients' web traffic through the router. Could the experts advise how the firewall rule should look? Thanks!]

update on 24/9:
iOS client successfully connected to ocserv with internet access
ocserv.conf: changed the IPv4 network to 10.10.0.0/24,
added firewall rule: iptables -t nat -I POSTROUTING -s 10.10.0.0/24 -o eth1 -j MASQUERADE
ocserv.conf: dns now uses 8.8.8.8 instead of 10.10.0.1, since ocserv 0.8.9 may randomly assign a 10.10.0.x LAN IP other than 10.10.0.1 (in my case 10.10.0.40); that makes the client connect to ocserv successfully but without web access. You need to define a DNS server in ocserv.conf, e.g. 8.8.8.8; don't use 192.168.1.1 as it may clash with the client's LAN.

Next I'll try client cert auth. Will report back later!

update on 25/9
PuTTY again:
vi client.tmpl
      # (I tried: the cn can be anything, but unit must be "users", otherwise auth fails)
      cn = client
      unit = "users"
      # (this makes your user cert valid for, well, ten thousand years)
      expiration_days = -1
      signing_key
      tls_www_client

certtool --generate-privkey --outfile user-key.pem
certtool --generate-certificate --load-privkey user-key.pem --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem --template client.tmpl --outfile user-cert.pem
(the user key/cert names can be changed too, e.g. iphone-key.pem / iphone-cert.pem, so you can issue many different user certs for different users/devices to log in at the same time)

Copy ca-cert.pem, user-key.pem and user-cert.pem to the PC with WinSCP.
On the PC, open cmd and use openssl to turn the user cert into a .p12; a Google search for openssl-win32 will find it:
c:\openssl-win32\bin\openssl pkcs12 -export -inkey user-key.pem -in user-cert.pem -certfile ca-cert.pem -out user-cert.p12 (remember to set a password)
Then email user-cert.p12 to the iPhone and open it in the Mail app, then you can add it as a profile; the Gmail app won't work.
In the AnyConnect app > VPN connection > Advanced > Certificate > select the client cert you just added, save & connect, and you're done!
If set to Automatic, I kept getting auth fail = no cert; not sure whether the ocserv version is too old, or whether it's because I used auth=plain earlier?
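Added example (not from the original post or from the ocserv project): a POSIX sh + awk checker for the three mistakes this thread ran into before ocserv would start and route traffic: an option name ocserv does not recognise (cctl-socket-file, which it reports as "Skipping unknown option"), run-as-user naming an account that does not exist on the router ("Unknown user: ocserv"), and a dns entry inside the ipv4-network pool that ocserv hands out to clients. It also flags auth = plain while ca-cert is set, the point milanolarry raises in the reply below. The whitelist of option names is an assumption that covers only the options used in this thread (ocserv 0.8.x); extend it before using the checker on a fuller config. It needs only sh and awk, so it runs on the router's busybox without the optware PATH.

```shell
#!/bin/sh
# Added example: sanity-check an ocserv.conf before starting ocserv on the router.
# The option whitelist is an assumption: it lists only the options used in this
# thread (ocserv 0.8.x); extend it for configs that use others.
#
# lint_ocserv_conf CONF [PASSWD]
#   prints one line per finding; return value = number of findings (0 = clean)
lint_ocserv_conf() {
    awk -v passwd="${2:-/etc/passwd}" '
    BEGIN {
        nk = split("auth listen-host-is-dyndns max-clients max-same-clients tcp-port udp-port" \
            " auth-timeout cookie-timeout rekey-time rekey-method keepalive dpd mobile-dpd" \
            " server-cert server-key ca-cert route dns device try-mtu-discovery" \
            " cisco-client-compat run-as-user run-as-group ipv4-network ipv4-netmask" \
            " pid-file socket-file use-occtl occtl-socket-file", k, " ")
        for (i = 1; i <= nk; i++) known[k[i]] = 1
        # accounts that exist on the router: run-as-user must name one of them
        while ((getline l < passwd) > 0) { split(l, f, ":"); users[f[1]] = 1 }
        n = 0; nd = 0
    }
    # dotted quad -> integer; 2^32 fits exactly in a double, so no bitwise ops needed
    function ip2int(s,  o) { split(s, o, "."); return ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4] }
    # network number of ip under a contiguous mask (busybox awk has no and())
    function netpart(ip, mask,  bs) { bs = 4294967296 - ip2int(mask); return int(ip2int(ip) / bs) }
    /^[ \t]*(#|$)/ { next }                       # comment or blank line
    {
        line = $0; sub(/[ \t]*#.*$/, "", line)    # drop trailing comment
        eq = index(line, "=")
        if (eq == 0) { print "syntax: " $0; n++; next }
        key = substr(line, 1, eq - 1); val = substr(line, eq + 1)
        gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val); gsub(/"/, "", val)
        if (!(key in known)) { print "unknown option (ocserv skips it): " key; n++ }
        if (key == "auth")          auth = val
        if (key == "ca-cert")       cacert = val
        if (key == "dns")           dns[++nd] = val
        if (key == "ipv4-network")  net = val
        if (key == "ipv4-netmask")  mask = val
        if (key == "run-as-user" && !(val in users)) { print "run-as-user " val ": no such account in " passwd; n++ }
    }
    END {
        if (auth ~ /^plain/ && cacert != "")
            { print "auth is plain although ca-cert is set: client certificates are never checked"; n++ }
        if (net != "" && mask != "")
            for (i = 1; i <= nd; i++)
                if (netpart(dns[i], mask) == netpart(net, mask))
                    { print "dns " dns[i] " lies inside the client pool " net "/" mask; n++ }
        exit n
    }' "$1"
}
```

On the router, lint_ocserv_conf /opt/etc/ocserv/ocserv.conf prints the findings and returns their count, so a startup script can refuse to launch ocserv on a non-zero return. For the run-as-user finding, the better fix than "root" is to add an ocserv line to /etc/passwd (which is writable here because /etc is bind-mounted from /jffs), since with run-as-user set ocserv drops its worker processes to that account instead of leaving every VPN session handler running as root.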
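Added example, not from the original post: the complete certtool/openssl sequence for the CA, server and client certificates, of which the post only shows the client part, written as two sh functions. The hostname vpn.example.com, the client name, the validity periods and the .p12 password are assumptions. It keeps the template shape from the post (unit = "users", tls_www_client) but uses a finite expiration_days instead of -1, and verify_client is the check to run before a new .p12 is sent to a phone.

```shell
#!/bin/sh
# Added example: build the whole ocserv PKI with certtool templates, the way the
# post does for the client cert, plus the CA and server steps it leaves out.
# Hostname, client name, lifetimes and the .p12 password are assumptions.
#
# gen_pki DIR SERVER_FQDN CLIENT_NAME [P12_PASSWORD]
#   writes ca-*.pem, server-*.pem, CLIENT-*.pem and CLIENT.p12 into DIR
gen_pki() (
    dir=$1 fqdn=$2 client=$3 pass=${4:-changeme}
    mkdir -p "$dir" && cd "$dir" || exit 1
    umask 077                                  # private keys: owner-readable only

    # 1. CA. Only ca-cert.pem goes to the router; ca-key.pem stays on the PC.
    cat > ca.tmpl <<EOF
cn = "ocserv CA"
ca
cert_signing_key
expiration_days = 3650
EOF
    certtool --generate-privkey --outfile ca-key.pem 2>/dev/null
    certtool --generate-self-signed --load-privkey ca-key.pem \
        --template ca.tmpl --outfile ca-cert.pem 2>/dev/null

    # 2. Server cert. AnyConnect matches the address it connects to against dns_name.
    cat > server.tmpl <<EOF
cn = "$fqdn"
dns_name = "$fqdn"
signing_key
encryption_key
tls_www_server
expiration_days = 365
EOF
    certtool --generate-privkey --outfile server-key.pem 2>/dev/null
    certtool --generate-certificate --load-privkey server-key.pem \
        --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem \
        --template server.tmpl --outfile server-cert.pem 2>/dev/null

    # 3. Client cert: same template shape as the post, but a finite lifetime
    #    instead of expiration_days = -1 (no CRL is configured on this server).
    cat > "$client.tmpl" <<EOF
cn = "$client"
unit = "users"
signing_key
tls_www_client
expiration_days = 365
EOF
    certtool --generate-privkey --outfile "$client-key.pem" 2>/dev/null
    certtool --generate-certificate --load-privkey "$client-key.pem" \
        --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem \
        --template "$client.tmpl" --outfile "$client-cert.pem" 2>/dev/null

    # 4. Bundle key + cert + CA for the phone; the password covers the key in transit.
    openssl pkcs12 -export -inkey "$client-key.pem" -in "$client-cert.pem" \
        -certfile ca-cert.pem -out "$client.p12" -passout "pass:$pass"
)

# verify_client DIR CLIENT_NAME
#   exit 0 only if DIR/CLIENT-cert.pem chains to DIR/ca-cert.pem: run this
#   before copying a new .p12 to a phone
verify_client() {
    certtool --verify --load-ca-certificate "$1/ca-cert.pem" \
        --infile "$1/$2-cert.pem" >/dev/null 2>&1
}
```

Run gen_pki on the PC rather than on the router and copy only server-cert.pem, server-key.pem and ca-cert.pem to /opt/etc/ocserv; ca-key.pem never goes to the router, because anyone who gets it can mint client certificates that ocserv will accept. The config in this thread has no crl entry, so a lost phone can only be locked out by reissuing the CA and every client cert; that is why the example uses a one-year lifetime instead of the post's expiration_days = -1, and why one cert per device (as the post suggests) is worth the extra minute. If the iPhone refuses a .p12 produced by OpenSSL 3, regenerate it with -legacy added to the pkcs12 -export line.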
Author: ckleea    Time: 2016-9-22 17:45

run-as-user = ocserv
run-as-group = ocserv

Change these to another user, such as root.

Your log above shows that ocserv failed to start.
Author: milanolarry    Time: 2016-9-23 12:59

I'm not clear whether the OP is using cert or password. Your server config spells out all the cert locations, but under auth you have disabled cert.

# auth = "certificate"
auth = "plain[/opt/etc/ocserv/ocpasswd]"
Author: tomleehk    Time: 2016-10-7 00:13

This post was last edited by tomleehk on 2016-10-7 00:31

I tried this before; only Chaos Calmer 15.05 (ocserv_0.10.8-1) works, with both certificate authentication and ID/password authentication.

Barrier Breaker 14.07 doesn't work even with the simplest ID/password authentication.

I think you were initially facing the same situation; luckily you found some changes that worked around it.

Welcome to 電訊茶室 (http://telecom-cafe.com/forum/) Powered by Discuz! 7.2