Index: head/net/ocserv/Makefile =================================================================== --- head/net/ocserv/Makefile +++ head/net/ocserv/Makefile @@ -2,12 +2,11 @@ # $FreeBSD$ PORTNAME= ocserv -PORTVERSION= 1.1.1 -PORTREVISION= 1 +DISTVERSION= 1.1.2 CATEGORIES= net net-vpn security MASTER_SITES= ftp://ftp.infradead.org/pub/ocserv/ -MAINTAINER= ports@FreeBSD.org +MAINTAINER= otis@FreeBSD.org COMMENT= Server implementing the AnyConnect SSL VPN protocol LICENSE= GPLv2+ @@ -15,49 +14,47 @@ BUILD_DEPENDS= bash:shells/bash \ gsed:textproc/gsed -LIB_DEPENDS= liblz4.so:archivers/liblz4 \ - libiconv.so:converters/libiconv \ - libev.so:devel/libev \ - libtalloc.so:devel/talloc \ - libprotobuf-c.so:devel/protobuf-c \ +LIB_DEPENDS= libev.so:devel/libev \ libgnutls.so:security/gnutls \ - libtasn1.so:security/libtasn1 \ + libiconv.so:converters/libiconv \ + liblz4.so:archivers/liblz4 \ libnettle.so:security/nettle \ liboath.so:security/oath-toolkit \ - libpcl.so:devel/pcl + libpcl.so:devel/pcl \ + libprotobuf-c.so:devel/protobuf-c \ + libtalloc.so:devel/talloc \ + libtasn1.so:security/libtasn1 -USES= autoreconf cpe gperf libtool localbase ncurses \ - pathfix pkgconfig readline tar:xz +USES= autoreconf cpe gperf libtool localbase ncurses pathfix \ + pkgconfig readline tar:xz CPE_VENDOR= infradead +USE_RC_SUBR= ocserv GNU_CONFIGURE= yes -CONFIGURE_ARGS= --without-geoip \ - --without-http-parser \ - --disable-namespaces +CONFIGURE_ARGS= --disable-namespaces \ + --without-geoip \ + --without-http-parser USERS= _ocserv GROUPS= _ocserv -USE_RC_SUBR= ocserv - -PLIST_SUB= USERS="${USERS}" GROUPS="${GROUPS}" - -OPTIONS_DEFINE= DOCS EXAMPLES GSSAPI MAXMIND RADIUS - +PLIST_SUB= GROUPS="${GROUPS}" \ + USERS="${USERS}" PORTDOCS= AUTHORS ChangeLog NEWS README TODO PORTEXAMPLES= profile.xml sample.config sample.passwd -GSSAPI_USES= gssapi:mit +OPTIONS_DEFINE= DOCS EXAMPLES GSSAPI MAXMIND RADIUS + +MAXMIND_DESC= Use Maxmind GeoIP library + GSSAPI_LIB_DEPENDS= libkrb5support.so:security/krb5 +GSSAPI_USES= gssapi:mit GSSAPI_CONFIGURE_OFF= --without-gssapi - +MAXMIND_LIB_DEPENDS= libmaxminddb.so:net/libmaxminddb +MAXMIND_CONFIGURE_OFF= --without-maxmind RADIUS_LIB_DEPENDS= libradcli.so:net/radcli RADIUS_CONFIGURE_OFF= --without-radius -MAXMIND_DESC= Use Maxmind GeoIP library -MAXMIND_LIB_DEPENDS= libmaxminddb.so:net/libmaxminddb -MAXMIND_CONFIGURE_OFF= --without-maxmind - .include post-patch: @@ -65,13 +62,19 @@ ${WRKSRC}/src/main-user.c ${REINPLACE_CMD} 's|/usr/bin/ocserv\\-fw|${PREFIX}/bin/ocserv\\-fw|g' \ ${WRKSRC}/doc/ocserv.8 + ${REINPLACE_CMD} -e 's|%%PREFIX%%|${PREFIX}|g' \ + -e 's|%%ETCDIR%%|${ETCDIR}|g' \ + -e 's|%%USERS%%|${USERS}|g' \ + -e 's|%%GROUPS%%|${GROUPS}|g' \ + ${WRKSRC}/doc/sample.config .if "${PREFIX}" != "" && "${PREFIX}" != "/" && "${PREFIX}" != "/usr" ${REINPLACE_CMD} -E 's|^(#define DEFAULT_CFG_FILE ")(/etc/ocserv/ocserv.conf")|\1${PREFIX}\2|' ${WRKSRC}/src/config.c + ${REINPLACE_CMD} -E 's|^(#define DEFAULT_OCPASSWD ")(/etc/ocserv/ocpasswd")|\1${PREFIX}\2|' ${WRKSRC}/src/ocpasswd/ocpasswd.c .endif post-install: ${MKDIR} ${STAGEDIR}${PREFIX}/etc/ocserv ${STAGEDIR}/var/run/ocserv - ${INSTALL_DATA} ${FILESDIR}/ocserv.conf ${STAGEDIR}${PREFIX}/etc/ocserv/ocserv.conf.sample + ${INSTALL_DATA} ${WRKSRC}/doc/sample.config ${STAGEDIR}${PREFIX}/etc/ocserv/ocserv.conf.sample ${INSTALL_MAN} ${WRKSRC}/doc/*.8 ${STAGEDIR}${MANPREFIX}/man/man8 post-install-DOCS-on: Index: head/net/ocserv/distinfo =================================================================== --- head/net/ocserv/distinfo +++ head/net/ocserv/distinfo @@ -1,3 +1,3 @@ -TIMESTAMP = 1602242932 -SHA256 (ocserv-1.1.1.tar.xz) = 9c7aaf46e53e28cfa7be329b18f3951e7e851153ff6a27e946496fd4e8e5765a -SIZE (ocserv-1.1.1.tar.xz) = 818988 +TIMESTAMP = 1611791595 +SHA256 (ocserv-1.1.2.tar.xz) = 889ccdbe8e67d3bc2bc8713b7fbb5bd4e79228abc6054e88858cb4ad6d0245dd +SIZE (ocserv-1.1.2.tar.xz) = 824924 Index: head/net/ocserv/files/ocserv.conf =================================================================== --- head/net/ocserv/files/ocserv.conf +++ head/net/ocserv/files/ocserv.conf @@ -1,697 +0,0 @@ -### The following directives do not change with server reload. - -# User authentication method. To require multiple methods to be -# used for the user to login, add multiple auth directives. The values -# in the 'auth' directive are AND composed (if multiple all must -# succeed). -# Available options: certificate, plain, pam, radius, gssapi. -# Note that authentication methods utilizing passwords cannot be -# combined (e.g., the plain, pam or radius methods). - -# certificate: -# This indicates that all connecting users must present a certificate. -# The username and user group will be then extracted from it (see -# cert-user-oid and cert-group-oid). The certificate to be accepted -# it must be signed by the CA certificate as specified in 'ca-cert' and -# it must not be listed in the CRL, as specified by the 'crl' option. -# -# pam[gid-min=1000]: -# This enabled PAM authentication of the user. The gid-min option is used -# by auto-select-group option, in order to select the minimum valid group ID. -# -# plain[passwd=/usr/local/etc/ocserv/ocpasswd,otp=/etc/ocserv/users.otp] -# The plain option requires specifying a password file which contains -# entries of the following format. -# "username:groupname1,groupname2:encoded-password" -# One entry must be listed per line, and 'ocpasswd' should be used -# to generate password entries. The 'otp' suboption allows one to specify -# an oath password file to be used for one time passwords; the format of -# the file is described in https://github.com/archiecobbs/mod-authn-otp/wiki/UsersFile -# -# radius[config=/etc/radiusclient/radiusclient.conf,groupconfig=true,nas-identifier=name]: -# The radius option requires specifying freeradius-client configuration -# file. If the groupconfig option is set, then config-per-user/group will be overridden, -# and all configuration will be read from radius. That also includes the -# Acct-Interim-Interval, and Session-Timeout values. -# -# See doc/README-radius.md for the supported radius configuration atributes. -# -# gssapi[keytab=/etc/key.tab,require-local-user-map=true,tgt-freshness-time=900] -# The gssapi option allows one to use authentication methods supported by GSSAPI, -# such as Kerberos tickets with ocserv. It should be best used as an alternative -# to PAM (i.e., have pam in auth and gssapi in enable-auth), to allow users with -# tickets and without tickets to login. The default value for require-local-user-map -# is true. The 'tgt-freshness-time' if set, it would require the TGT tickets presented -# to have been issued within the provided number of seconds. That option is used to -# restrict logins even if the KDC provides long time TGT tickets. - -#auth = "pam" -#auth = "pam[gid-min=1000]" -#auth = "plain[passwd=./sample.passwd,otp=./sample.otp]" -auth = "plain[passwd=./sample.passwd]" -#auth = "certificate" -#auth = "radius[config=/etc/radiusclient/radiusclient.conf,groupconfig=true]" - -# Specify alternative authentication methods that are sufficient -# for authentication. That is, if set, any of the methods enabled -# will be sufficient to login, irrespective of the main 'auth' entries. -# When multiple options are present, they are OR composed (any of them -# succeeding allows login). -#enable-auth = "certificate" -#enable-auth = "gssapi" -#enable-auth = "gssapi[keytab=/etc/key.tab,require-local-user-map=true,tgt-freshness-time=900]" - -# Accounting methods available: -# radius: can be combined with any authentication method, it provides -# radius accounting to available users (see also stats-report-time). -# -# pam: can be combined with any authentication method, it provides -# a validation of the connecting user's name using PAM. It is -# superfluous to use this method when authentication is already -# PAM. -# -# Only one accounting method can be specified. -#acct = "radius[config=/etc/radiusclient/radiusclient.conf]" - -# Use listen-host to limit to specific IPs or to the IPs of a provided -# hostname. -#listen-host = [IP|HOSTNAME] - -# Use udp-listen-host to limit udp to specific IPs or to the IPs of a provided -# hostname. if not set, listen-host will be used -#udp-listen-host = [IP|HOSTNAME] - -# When the server has a dynamic DNS address (that may change), -# should set that to true to ask the client to resolve again on -# reconnects. -#listen-host-is-dyndns = true - -# TCP and UDP port number -tcp-port = 443 -udp-port = 443 - -# Accept connections using a socket file. It accepts HTTP -# connections (i.e., without SSL/TLS unlike its TCP counterpart), -# and uses it as the primary channel. That option is experimental -# and it has many known issues. -# * It can only be combined with certificate authentication, when receiving -# channel information through proxy protocol (see listen-proxy-proto) -# * It cannot derive any keys needed for the DTLS session (hence no support for dtls-psk) -# * It cannot enforce the framing of the SSL/TLS packets, and that -# breaks assumptions held by several openconnect clients. -# This option is not recommended for use, and may be removed -# in the future. -# -#listen-clear-file = /var/run/ocserv-conn.socket - -# The user the worker processes will be run as. It should be -# unique (no other services run as this user). -run-as-user = _ocserv -run-as-group = _ocserv - -# socket file used for IPC with occtl. You only need to set that, -# if you use more than a single servers. -#occtl-socket-file = /var/run/occtl.socket - -# socket file used for server IPC (worker-main), will be appended with .PID -# It must be accessible within the chroot environment (if any), so it is best -# specified relatively to the chroot directory. -socket-file = /var/run/ocserv-socket - -# The default server directory. Does not require any devices present. -#chroot-dir = /var/lib/ocserv - -# The key and the certificates of the server -# The key may be a file, or any URL supported by GnuTLS (e.g., -# tpmkey:uuid=xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx;storage=user -# or pkcs11:object=my-vpn-key;object-type=private) -# -# The server-cert file may contain a single certificate, or -# a sorted certificate chain. -# There may be multiple server-cert and server-key directives, -# but each key should correspond to the preceding certificate. -# The certificate files will be reloaded when changed allowing for in-place -# certificate renewal (they are checked and reloaded periodically; -# a SIGHUP signal to main server will force reload). - -#server-cert = /etc/ocserv/server-cert.pem -#server-key = /etc/ocserv/server-key.pem -server-cert = ../tests/certs/server-cert.pem -server-key = ../tests/certs/server-key.pem - -# Diffie-Hellman parameters. Only needed if for old (pre 3.6.0 -# versions of GnuTLS for supporting DHE ciphersuites. -# Can be generated using: -# certtool --generate-dh-params --outfile /etc/ocserv/dh.pem -#dh-params = /etc/ocserv/dh.pem - -# In case PKCS #11, TPM or encrypted keys are used the PINs should be available -# in files. The srk-pin-file is applicable to TPM keys only, and is the -# storage root key. -#pin-file = /etc/ocserv/pin.txt -#srk-pin-file = /etc/ocserv/srkpin.txt - -# The password or PIN needed to unlock the key in server-key file. -# Only needed if the file is encrypted or a PKCS #11 object. This -# is an alternative method to pin-file. -#key-pin = 1234 - -# The SRK PIN for TPM. -# This is an alternative method to srk-pin-file. -#srk-pin = 1234 - -# The Certificate Authority that will be used to verify -# client certificates (public keys) if certificate authentication -# is set. -#ca-cert = /etc/ocserv/ca.pem -ca-cert = ../tests/certs/ca.pem - - -### All configuration options below this line are reloaded on a SIGHUP. -### The options above, will remain unchanged. Note however, that the -### server-cert, server-key, dh-params and ca-cert options will be reloaded -### if the provided file changes, on server reload. That allows certificate -### rotation, but requires the server key to remain the same for seamless -### operation. If the server key changes on reload, there may be connection -### failures during the reloading time. - -# ocserv 1.0.1 on FreeBSD does not currently support process isolation, -# because ocserv only supports Linux's seccomp system, but not capsicum(4). -#isolate-workers = false - -# A banner to be displayed on clients -#banner = "Welcome" - -# Limit the number of clients. Unset or set to zero for unlimited. -#max-clients = 1024 -max-clients = 16 - -# Limit the number of identical clients (i.e., users connecting -# multiple times). Unset or set to zero for unlimited. -max-same-clients = 2 - -# When the server receives connections from a proxy, like haproxy -# which supports the proxy protocol, set this to obtain the correct -# client addresses. The proxy protocol would then be expected in -# the TCP or UNIX socket (not the UDP one). Although both v1 -# and v2 versions of proxy protocol are supported, the v2 version -# is recommended as it is more efficient in parsing. -#listen-proxy-proto = true - -# Limit the number of client connections to one every X milliseconds -# (X is the provided value). Set to zero for no limit. -#rate-limit-ms = 100 - -# Stats report time. The number of seconds after which each -# worker process will report its usage statistics (number of -# bytes transferred etc). This is useful when accounting like -# radius is in use. -#stats-report-time = 360 - -# Stats reset time. The period of time statistics kept by main/sec-mod -# processes will be reset. These are the statistics shown by cmd -# 'occtl show stats'. For daily: 86400, weekly: 604800 -# This is unrelated to stats-report-time. -server-stats-reset-time = 604800 - -# Keepalive in seconds -keepalive = 32400 - -# Dead peer detection in seconds. -# Note that when the client is behind a NAT this value -# needs to be short enough to prevent the NAT disassociating -# his UDP session from the port number. Otherwise the client -# could have his UDP connection stalled, for several minutes. -dpd = 90 - -# Dead peer detection for mobile clients. That needs to -# be higher to prevent such clients being awaken too -# often by the DPD messages, and save battery. -# The mobile clients are distinguished from the header -# 'X-AnyConnect-Identifier-Platform'. -mobile-dpd = 1800 - -# If using DTLS, and no UDP traffic is received for this -# many seconds, attempt to send future traffic over the TCP -# connection instead, in an attempt to wake up the client -# in the case that there is a NAT and the UDP translation -# was deleted. If this is unset, do not attempt to use this -# recovery mechanism. -switch-to-tcp-timeout = 25 - -# MTU discovery (DPD must be enabled) -try-mtu-discovery = false - -# If you have a certificate from a CA that provides an OCSP -# service you may provide a fresh OCSP status response within -# the TLS handshake. That will prevent the client from connecting -# independently on the OCSP server. -# You can update this response periodically using: -# ocsptool --ask --load-cert=your_cert --load-issuer=your_ca --outfile response -# Make sure that you replace the following file in an atomic way. -#ocsp-response = /etc/ocserv/ocsp.der - -# The object identifier that will be used to read the user ID in the client -# certificate. The object identifier should be part of the certificate's DN -# Useful OIDs are: -# CN = 2.5.4.3, UID = 0.9.2342.19200300.100.1.1, SAN(rfc822name) -cert-user-oid = 0.9.2342.19200300.100.1.1 - -# The object identifier that will be used to read the user group in the -# client certificate. The object identifier should be part of the certificate's -# DN. If the user may belong to multiple groups, then use multiple such fields -# in the certificate's DN. Useful OIDs are: -# OU (organizational unit) = 2.5.4.11 -#cert-group-oid = 2.5.4.11 - -# The revocation list of the certificates issued by the 'ca-cert' above. -# See the manual to generate an empty CRL initially. The CRL will be reloaded -# periodically when ocserv detects a change in the file. To force a reload use -# SIGHUP. -#crl = /etc/ocserv/crl.pem - -# Uncomment this to enable compression negotiation (LZS, LZ4). -#compression = true - -# Set the minimum size under which a packet will not be compressed. -# That is to allow low-latency for VoIP packets. The default size -# is 256 bytes. Modify it if the clients typically use compression -# as well of VoIP with codecs that exceed the default value. -#no-compress-limit = 256 - -# GnuTLS priority string; note that SSL 3.0 is disabled by default -# as there are no openconnect (and possibly anyconnect clients) using -# that protocol. The string below does not enforce perfect forward -# secrecy, in order to be compatible with legacy clients. -# -# Note that the most performant ciphersuites are the moment are the ones -# involving AES-GCM. These are very fast in x86 and x86-64 hardware, and -# in addition require no padding, thus taking full advantage of the MTU. -# For that to be taken advantage of, the openconnect client must be -# used, and the server must be compiled against GnuTLS 3.2.7 or later. -# Use "gnutls-cli --benchmark-tls-ciphers", to see the performance -# difference with AES_128_CBC_SHA1 (the default for anyconnect clients) -# in your system. - -tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-VERS-SSL3.0" - -# More combinations in priority strings are available, check -# http://gnutls.org/manual/html_node/Priority-Strings.html -# E.g., the string below enforces perfect forward secrecy (PFS) -# on the main channel. -#tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-RSA:-VERS-SSL3.0:-ARCFOUR-128" - -# That option requires the established DTLS channel to use the same -# cipher as the primary TLS channel. This cannot be combined with -# listen-clear-file since the ciphersuite information is not available -# in that configuration. Note also, that this option implies that -# dtls-legacy option is false; this option cannot be enforced -# in the legacy/compat protocol. -#match-tls-dtls-ciphers = true - -# The time (in seconds) that a client is allowed to stay connected prior -# to authentication -auth-timeout = 240 - -# The time (in seconds) that a client is allowed to stay idle (no traffic) -# before being disconnected. Unset to disable. -#idle-timeout = 1200 - -# The time (in seconds) that a client is allowed to stay connected -# Unset to disable. When set a client will be disconnected after being -# continuously connected for this amount of time, and its cookies will -# be invalidated (i.e., re-authentication will be required). -#session-timeout = 86400 - -# The time (in seconds) that a mobile client is allowed to stay idle (no -# traffic) before being disconnected. Unset to disable. -#mobile-idle-timeout = 2400 - -# The time (in seconds) that a client is not allowed to reconnect after -# a failed authentication attempt. -min-reauth-time = 300 - -# Banning clients in ocserv works with a point system. IP addresses -# that get a score over that configured number are banned for -# min-reauth-time seconds. By default a wrong password attempt is 10 points, -# a KKDCP POST is 1 point, and a connection is 1 point. Note that -# due to difference processes being involved the count of points -# will not be real-time precise. -# -# Score banning cannot be reliably used when receiving proxied connections -# locally from an HTTP server (i.e., when listen-clear-file is used). -# -# Set to zero to disable. -max-ban-score = 80 - -# The time (in seconds) that all score kept for a client is reset. -ban-reset-time = 1200 - -# In case you'd like to change the default points. -#ban-points-wrong-password = 10 -#ban-points-connection = 1 -#ban-points-kkdcp = 1 - -# Cookie timeout (in seconds) -# Once a client is authenticated he's provided a cookie with -# which he can reconnect. That cookie will be invalidated if not -# used within this timeout value. This cookie remains valid, during -# the user's connected time, and after user disconnection it -# remains active for this amount of time. That setting should allow a -# reasonable amount of time for roaming between different networks. -cookie-timeout = 300 - -# If this is enabled (not recommended) the cookies will stay -# valid even after a user manually disconnects, and until they -# expire. This may improve roaming with some broken clients. -#persistent-cookies = true - -# Whether roaming is allowed, i.e., if true a cookie is -# restricted to a single IP address and cannot be re-used -# from a different IP. -deny-roaming = false - -# ReKey time (in seconds) -# ocserv will ask the client to refresh keys periodically once -# this amount of seconds is elapsed. Set to zero to disable (note -# that, some clients fail if rekey is disabled). -rekey-time = 172800 - -# ReKey method -# Valid options: ssl, new-tunnel -# ssl: Will perform an efficient rehandshake on the channel allowing -# a seamless connection during rekey. -# new-tunnel: Will instruct the client to discard and re-establish the channel. -# Use this option only if the connecting clients have issues with the ssl -# option. -rekey-method = ssl - -# Script to call when a client connects and obtains an IP. -# The following parameters are passed on the environment. -# REASON, VHOST, USERNAME, GROUPNAME, DEVICE, IP_REAL (the real IP of the client), -# IP_REAL_LOCAL (the local interface IP the client connected), IP_LOCAL -# (the local IP in the P-t-P connection), IP_REMOTE (the VPN IP of the client), -# IPV6_LOCAL (the IPv6 local address if there are both IPv4 and IPv6 -# assigned), IPV6_REMOTE (the IPv6 remote address), IPV6_PREFIX, and -# ID (a unique numeric ID); REASON may be "connect" or "disconnect". -# In addition the following variables OCSERV_ROUTES (the applied routes for this -# client), OCSERV_NO_ROUTES, OCSERV_DNS (the DNS servers for this client), -# will contain a space separated list of routes or DNS servers. A version -# of these variables with the 4 or 6 suffix will contain only the IPv4 or -# IPv6 values. The connect script must return zero as exit code, or the -# client connection will be refused. - -# The disconnect script will receive the additional values: STATS_BYTES_IN, -# STATS_BYTES_OUT, STATS_DURATION that contain a 64-bit counter of the bytes -# output from the tun device, and the duration of the session in seconds. - -#connect-script = /usr/bin/myscript -#disconnect-script = /usr/bin/myscript - -# UTMP -# Register the connected clients to utmp. This will allow viewing -# the connected clients using the command 'who'. -#use-utmp = true - -# Whether to enable support for the occtl tool (i.e., either through D-BUS, -# or via a unix socket). -use-occtl = true - -# PID file. It can be overridden in the command line. -pid-file = /var/run/ocserv.pid - -# Set the protocol-defined priority (SO_PRIORITY) for packets to -# be sent. That is a number from 0 to 6 with 0 being the lowest -# priority. Alternatively this can be used to set the IP Type- -# Of-Service, by setting it to a hexadecimal number (e.g., 0x20). -# This can be set per user/group or globally. -#net-priority = 3 - -# Set the VPN worker process into a specific cgroup. This is Linux -# specific and can be set per user/group or globally. -#cgroup = "cpuset,cpu:test" - -# -# Network settings -# - -# The name to use for the tun device -device = vpns - -# Whether the generated IPs will be predictable, i.e., IP stays the -# same for the same user when possible. -predictable-ips = true - -# The default domain to be advertised -default-domain = example.com - -# The pool of addresses that leases will be given from. If the leases -# are given via Radius, or via the explicit-ip? per-user config option then -# these network values should contain a network with at least a single -# address that will remain under the full control of ocserv (that is -# to be able to assign the local part of the tun device address). -# Note that, you could use addresses from a subnet of your LAN network if you -# enable [proxy arp in the LAN interface](http://ocserv.gitlab.io/www/recipes-ocserv-pseudo-bridge.html); -# in that case it is recommended to set ping-leases to true. -ipv4-network = 192.168.1.0 -ipv4-netmask = 255.255.255.0 - -# An alternative way of specifying the network: -#ipv4-network = 192.168.1.0/24 - -# The IPv6 subnet that leases will be given from. -#ipv6-network = fda9:4efe:7e3b:03ea::/48 - -# Specify the size of the network to provide to clients. It is -# generally recommended to provide clients with a /64 network in -# IPv6, but any subnet may be specified. To provide clients only -# with a single IP use the prefix 128. -#ipv6-subnet-prefix = 128 -#ipv6-subnet-prefix = 64 - -# Whether to tunnel all DNS queries via the VPN. This is the default -# when a default route is set. -#tunnel-all-dns = true - -# The advertized DNS server. Use multiple lines for -# multiple servers. -# dns = fc00::4be0 -dns = 192.168.1.2 - -# The NBNS server (if any) -#nbns = 192.168.1.3 - -# The domains over which the provided DNS should be used. Use -# multiple lines for multiple domains. -#split-dns = example.com - -# Prior to leasing any IP from the pool ping it to verify that -# it is not in use by another (unrelated to this server) host. -# Only set to true, if there can be occupied addresses in the -# IP range for leases. -ping-leases = false - -# Use this option to set a link MTU value to the incoming -# connections. Unset to use the default MTU of the TUN device. -# Note that the MTU is negotiated using the value set and the -# value sent by the peer. -#mtu = 1420 - -# Unset to enable bandwidth restrictions (in bytes/sec). The -# setting here is global, but can also be set per user or per group. -#rx-data-per-sec = 40000 -#tx-data-per-sec = 40000 - -# The number of packets (of MTU size) that are available in -# the output buffer. The default is low to improve latency. -# Setting it higher will improve throughput. -#output-buffer = 10 - -# Routes to be forwarded to the client. If you need the -# client to forward routes to the server, you may use the -# config-per-user/group or even connect and disconnect scripts. -# -# To set the server as the default gateway for the client just -# comment out all routes from the server, or use the special keyword -# 'default'. - -route = 10.10.10.0/255.255.255.0 -route = 192.168.0.0/255.255.0.0 -#route = fef4:db8:1000:1001::/64 -#route = default - -# Subsets of the routes above that will not be routed by -# the server. - -no-route = 192.168.5.0/255.255.255.0 - -# Note the that following two firewalling options currently are available -# in Linux systems with iptables software. - -# If set, the script /usr/local/bin/ocserv-fw will be called to restrict -# the user to its allowed routes and prevent him from accessing -# any other routes. In case of defaultroute, the no-routes are restricted. -# All the routes applied by ocserv can be reverted using /usr/local/bin/ocserv-fw -# --removeall. This option can be set globally or in the per-user configuration. -#restrict-user-to-routes = true - -# This option implies restrict-user-to-routes set to true. If set, the -# script /usr/local/bin/ocserv-fw will be called to restrict the user to -# access specific ports in the network. This option can be set globally -# or in the per-user configuration. -#restrict-user-to-ports = "tcp(443), tcp(80), udp(443), sctp(99), tcp(583), icmp(), icmpv6()" - -# You could also use negation, i.e., block the user from accessing these ports only. -#restrict-user-to-ports = "!(tcp(443), tcp(80))" - -# When set to true, all client's iroutes are made visible to all -# connecting clients except for the ones offering them. This option -# only makes sense if config-per-user is set. -#expose-iroutes = true - -# Groups that a client is allowed to select from. -# A client may belong in multiple groups, and in certain use-cases -# it is needed to switch between them. For these cases the client can -# select prior to authentication. Add multiple entries for multiple groups. -# The group may be followed by a user-friendly name in brackets. -#select-group = group1 -#select-group = group2[My special group] - -# The name of the (virtual) group that if selected it would assign the user -# to its default group. -#default-select-group = DEFAULT - -# Instead of specifying manually all the allowed groups, you may instruct -# ocserv to scan all available groups and include the full list. -#auto-select-group = true - -# Configuration files that will be applied per user connection or -# per group. Each file name on these directories must match the username -# or the groupname. -# The options allowed in the configuration files are dns, nbns, -# ipv?-network, ipv4-netmask, rx/tx-per-sec, iroute, route, no-route, -# explicit-ipv4, explicit-ipv6, net-priority, deny-roaming, no-udp, -# keepalive, dpd, mobile-dpd, max-same-clients, tunnel-all-dns, -# restrict-user-to-routes, user-profile, cgroup, stats-report-time, -# mtu, idle-timeout, mobile-idle-timeout, restrict-user-to-ports, -# split-dns and session-timeout. -# -# Note that the 'iroute' option allows one to add routes on the server -# based on a user or group. The syntax depends on the input accepted -# by the commands route-add-cmd and route-del-cmd (see below). The no-udp -# is a boolean option (e.g., no-udp = true), and will prevent a UDP session -# for that specific user or group. The hostname option will set a -# hostname to override any proposed by the user. Note also, that, any -# routes, no-routes, DNS or NBNS servers present will overwrite the global ones. - -#config-per-user = /usr/local/etc/ocserv/config-per-user/ -#config-per-group = /usr/local/etc/ocserv/config-per-group/ - -# When config-per-xxx is specified and there is no group or user that -# matches, then utilize the following configuration. -#default-user-config = /usr/local/etc/ocserv/defaults/user.conf -#default-group-config = /usr/local/etc/ocserv/defaults/group.conf - -# The system command to use to setup a route. %{R} will be replaced with the -# route/mask, %{RI} with the route in CIDR format, and %{D} with the (tun) device. -# -# The following example is from linux systems. %{R} should be something -# like 192.168.2.0/255.255.255.0 and %{RI} 192.168.2.0/24 (the argument of iroute). - -#route-add-cmd = "ip route add %{R} dev %{D}" -#route-del-cmd = "ip route delete %{R} dev %{D}" - -# This option allows one to forward a proxy. The special keywords '%{U}' -# and '%{G}', if present will be replaced by the username and group name. -#proxy-url = http://example.com/ -#proxy-url = http://example.com/%{U}/ - -# This option allows you to specify a URL location where a client can -# post using MS-KKDCP, and the message will be forwarded to the provided -# KDC server. That is a translation URL between HTTP and Kerberos. -# In MIT kerberos you'll need to add in realms: -# EXAMPLE.COM = { -# kdc = https://ocserv.example.com/KdcProxy -# http_anchors = FILE:/etc/ocserv-ca.pem -# } -# In some distributions the krb5-k5tls plugin of kinit is required. -# -# The following option is available in ocserv, when compiled with GSSAPI support. - -#kkdcp = "SERVER-PATH KERBEROS-REALM PROTOCOL@SERVER:PORT" -#kkdcp = "/KdcProxy KERBEROS.REALM udp@127.0.0.1:88" -#kkdcp = "/KdcProxy KERBEROS.REALM tcp@127.0.0.1:88" -#kkdcp = "/KdcProxy KERBEROS.REALM tcp@[::1]:88" - -# Client profile xml. This can be used to advertise alternative servers -# to the client. A minimal file can be: -# -# -# -# -# VPN Server name -# localhost -# -# -# -# -# Other fields may be used by some of the CISCO clients. -# This file must be accessible from inside the worker's chroot. -# Note that enabling this option is not recommended as it will allow -# the worker processes to open arbitrary files (when isolate-workers is -# set to true). -#user-profile = profile.xml - -# -# The following options are for (experimental) AnyConnect client -# compatibility. - -# This option will enable the pre-draft-DTLS version of DTLS, and -# will not require clients to present their certificate on every TLS -# connection. It must be set to true to support legacy CISCO clients -# and openconnect clients < 7.08. When set to true, it implies dtls-legacy = true. -cisco-client-compat = true - -# This option allows one to disable the DTLS-PSK negotiation (enabled by default). -# The DTLS-PSK negotiation was introduced in ocserv 0.11.5 to deprecate -# the pre-draft-DTLS negotiation inherited from AnyConnect. It allows the -# DTLS channel to negotiate its ciphers and the DTLS protocol version. -#dtls-psk = false - -# This option allows one to disable the legacy DTLS negotiation (enabled by default, -# but that may change in the future). -# The legacy DTLS uses a pre-draft version of the DTLS protocol and was -# from AnyConnect protocol. It has several limitations, that are addressed -# by the dtls-psk protocol supported by openconnect 7.08+. -dtls-legacy = true - -#Advanced options - -# Option to allow sending arbitrary custom headers to the client after -# authentication and prior to VPN tunnel establishment. You shouldn't -# need to use this option normally; if you do and you think that -# this may help others, please send your settings and reason to -# the openconnect mailing list. The special keywords '%{U}' -# and '%{G}', if present will be replaced by the username and group name. -#custom-header = "X-My-Header: hi there" - - - -# An example virtual host with different authentication methods serviced -# by this server. - -[vhost:www.example.com] -auth = "certificate" - -ca-cert = ../tests/certs/ca.pem - -# The certificate set here must include a 'dns_name' corresponding to -# the virtual host name. - -server-cert = ../tests/certs/server-cert-secp521r1.pem -server-key = ../tests/certs/server-key-secp521r1.pem - -ipv4-network = 192.168.2.0 -ipv4-netmask = 255.255.255.0 - -cert-user-oid = 0.9.2342.19200300.100.1.1 Index: head/net/ocserv/files/patch-doc_sample.config =================================================================== --- head/net/ocserv/files/patch-doc_sample.config +++ head/net/ocserv/files/patch-doc_sample.config @@ -1,26 +1,97 @@ ---- doc/sample.config.orig 2020-09-20 19:49:01 UTC +--- doc/sample.config.orig 2020-12-03 22:31:10 UTC +++ doc/sample.config @@ -19,7 +19,7 @@ # This enabled PAM authentication of the user. The gid-min option is used # by auto-select-group option, in order to select the minimum valid group ID. # -# plain[passwd=/etc/ocserv/ocpasswd,otp=/etc/ocserv/users.otp] -+# plain[passwd=/usr/local/etc/ocserv/ocpasswd,otp=/etc/ocserv/users.otp] ++# plain[passwd=%%ETCDIR%%/ocpasswd,otp=%%ETCDIR%%/users.otp] # The plain option requires specifying a password file which contains # entries of the following format. # "username:groupname1,groupname2:encoded-password" -@@ -110,8 +110,8 @@ udp-port = 443 +@@ -28,7 +28,7 @@ + # an oath password file to be used for one time passwords; the format of + # the file is described in https://github.com/archiecobbs/mod-authn-otp/wiki/UsersFile + # +-# radius[config=/etc/radiusclient/radiusclient.conf,groupconfig=true,nas-identifier=name]: ++# radius[config=%%PREFIX%%/etc/radiusclient/radiusclient.conf,groupconfig=true,nas-identifier=name]: + # The radius option requires specifying freeradius-client configuration + # file. If the groupconfig option is set, then config-per-user/group will be overridden, + # and all configuration will be read from radius. That also includes the +@@ -47,10 +47,10 @@ + + #auth = "pam" + #auth = "pam[gid-min=1000]" +-#auth = "plain[passwd=./sample.passwd,otp=./sample.otp]" +-auth = "plain[passwd=./sample.passwd]" ++#auth = "plain[passwd=%%ETCDIR%%/sample.passwd,otp=%%ETCDIR%%/sample.otp]" ++auth = "plain[passwd=%%ETCDIR%%/sample.passwd]" + #auth = "certificate" +-#auth = "radius[config=/etc/radiusclient/radiusclient.conf,groupconfig=true]" ++#auth = "radius[config=%%PREFIX%%/etc/radiusclient/radiusclient.conf,groupconfig=true]" + + # Specify alternative authentication methods that are sufficient + # for authentication. That is, if set, any of the methods enabled +@@ -71,7 +71,7 @@ auth = "plain[passwd=./sample.passwd]" + # PAM. + # + # Only one accounting method can be specified. +-#acct = "radius[config=/etc/radiusclient/radiusclient.conf]" ++#acct = "radius[config=%%PREFIX%%/etc/radiusclient/radiusclient.conf]" + + # Use listen-host to limit to specific IPs or to the IPs of a provided + # hostname. +@@ -96,8 +96,8 @@ udp-port = 443 # The user the worker processes will be run as. This should be a dedicated # unprivileged user (e.g., 'ocserv') and no other services should run as this # user. -run-as-user = nobody -run-as-group = daemon -+run-as-user = _ocserv -+run-as-group = _ocserv ++run-as-user = %%USERS%% ++run-as-group = %%GROUPS%% # socket file used for IPC with occtl. You only need to set that, # if you use more than a single servers. -@@ -180,15 +180,9 @@ ca-cert = ../tests/certs/ca.pem +@@ -124,22 +124,20 @@ socket-file = /var/run/ocserv-socket + # certificate renewal (they are checked and reloaded periodically; + # a SIGHUP signal to main server will force reload). + +-#server-cert = /etc/ocserv/server-cert.pem +-#server-key = /etc/ocserv/server-key.pem +-server-cert = ../tests/certs/server-cert.pem +-server-key = ../tests/certs/server-key.pem ++server-cert = %%ETCDIR%%/server-cert.pem ++server-key = %%ETCDIR%%/server-key.pem + + # Diffie-Hellman parameters. Only needed if for old (pre 3.6.0 + # versions of GnuTLS for supporting DHE ciphersuites. + # Can be generated using: +-# certtool --generate-dh-params --outfile /etc/ocserv/dh.pem +-#dh-params = /etc/ocserv/dh.pem ++# certtool --generate-dh-params --outfile %%ETCDIR%%/dh.pem ++#dh-params = %%ETCDIR%%/dh.pem + + # In case PKCS #11, TPM or encrypted keys are used the PINs should be available + # in files. The srk-pin-file is applicable to TPM keys only, and is the + # storage root key. +-#pin-file = /etc/ocserv/pin.txt +-#srk-pin-file = /etc/ocserv/srkpin.txt ++#pin-file = %%ETCDIR%%/pin.txt ++#srk-pin-file = %%ETCDIR%%/srkpin.txt + + # The password or PIN needed to unlock the key in server-key file. + # Only needed if the file is encrypted or a PKCS #11 object. This +@@ -153,8 +151,7 @@ server-key = ../tests/certs/server-key.pem + # The Certificate Authority that will be used to verify + # client certificates (public keys) if certificate authentication + # is set. +-#ca-cert = /etc/ocserv/ca.pem +-ca-cert = ../tests/certs/ca.pem ++ca-cert = %%ETCDIR%%/ca.pem + + + ### All configuration options below this line are reloaded on a SIGHUP. +@@ -166,15 +163,9 @@ ca-cert = ../tests/certs/ca.pem ### failures during the reloading time. @@ -39,40 +110,84 @@ # A banner to be displayed on clients after connection #banner = "Welcome" -@@ -553,15 +547,15 @@ no-route = 192.168.5.0/255.255.255.0 +@@ -255,7 +246,7 @@ try-mtu-discovery = false + # You can update this response periodically using: + # ocsptool --ask --load-cert=your_cert --load-issuer=your_ca --outfile response + # Make sure that you replace the following file in an atomic way. +-#ocsp-response = /etc/ocserv/ocsp.der ++#ocsp-response = %%ETCDIR%%/ocsp.der + + # The object identifier that will be used to read the user ID in the client + # certificate. The object identifier should be part of the certificate's DN +@@ -274,7 +265,7 @@ cert-user-oid = 0.9.2342.19200300.100.1.1 + # See the manual to generate an empty CRL initially. The CRL will be reloaded + # periodically when ocserv detects a change in the file. To force a reload use + # SIGHUP. +-#crl = /etc/ocserv/crl.pem ++#crl = %%ETCDIR%%/crl.pem + + # Uncomment this to enable compression negotiation (LZS, LZ4). + #compression = true +@@ -543,15 +534,15 @@ no-route = 192.168.5.0/255.255.255.0 # Note the that following two firewalling options currently are available # in Linux systems with iptables software. -# If set, the script /usr/bin/ocserv-fw will be called to restrict -+# If set, the script /usr/local/bin/ocserv-fw will be called to restrict ++# If set, the script %%PREFIX%%/bin/ocserv-fw will be called to restrict # the user to its allowed routes and prevent him from accessing # any other routes. In case of defaultroute, the no-routes are restricted. -# All the routes applied by ocserv can be reverted using /usr/bin/ocserv-fw -+# All the routes applied by ocserv can be reverted using /usr/local/bin/ocserv-fw ++# All the routes applied by ocserv can be reverted using %%PREFIX%%/bin/ocserv-fw # --removeall. This option can be set globally or in the per-user configuration. #restrict-user-to-routes = true # This option implies restrict-user-to-routes set to true. If set, the -# script /usr/bin/ocserv-fw will be called to restrict the user to -+# script /usr/local/bin/ocserv-fw will be called to restrict the user to ++# script %%PREFIX%%/bin/ocserv-fw will be called to restrict the user to # access specific ports in the network. This option can be set globally # or in the per-user configuration. #restrict-user-to-ports = "tcp(443), tcp(80), udp(443), sctp(99), tcp(583), icmp(), icmpv6()" -@@ -609,13 +603,13 @@ no-route = 192.168.5.0/255.255.255.0 +@@ -599,13 +590,13 @@ no-route = 192.168.5.0/255.255.255.0 # hostname to override any proposed by the user. Note also, that, any # routes, no-routes, DNS or NBNS servers present will overwrite the global ones. -#config-per-user = /etc/ocserv/config-per-user/ -#config-per-group = /etc/ocserv/config-per-group/ -+#config-per-user = /usr/local/etc/ocserv/config-per-user/ -+#config-per-group = /usr/local/etc/ocserv/config-per-group/ ++#config-per-user = %%ETCDIR%%/config-per-user/ ++#config-per-group = %%ETCDIR%%/config-per-group/ # When config-per-xxx is specified and there is no group or user that # matches, then utilize the following configuration. -#default-user-config = /etc/ocserv/defaults/user.conf -#default-group-config = /etc/ocserv/defaults/group.conf -+#default-user-config = /usr/local/etc/ocserv/defaults/user.conf -+#default-group-config = /usr/local/etc/ocserv/defaults/group.conf ++#default-user-config = %%ETCDIR%%/defaults/user.conf ++#default-group-config = %%ETCDIR%%/defaults/group.conf # The system command to use to setup a route. %{R} will be replaced with the # route/mask, %{RI} with the route in CIDR format, and %{D} with the (tun) device. +@@ -627,7 +618,7 @@ no-route = 192.168.5.0/255.255.255.0 + # In MIT kerberos you'll need to add in realms: + # EXAMPLE.COM = { + # kdc = https://ocserv.example.com/KdcProxy +-# http_anchors = FILE:/etc/ocserv-ca.pem ++# http_anchors = FILE:%%ETCDIR%%/ocserv-ca.pem + # } + # In some distributions the krb5-k5tls plugin of kinit is required. + # +@@ -701,13 +692,13 @@ dtls-legacy = true + [vhost:www.example.com] + auth = "certificate" + +-ca-cert = ../tests/certs/ca.pem ++ca-cert = %%ETCDIR%%/ca.pem + + # The certificate set here must include a 'dns_name' corresponding to + # the virtual host name. + +-server-cert = ../tests/certs/server-cert-secp521r1.pem +-server-key = ../tests/certs/server-key-secp521r1.pem ++server-cert = %%ETCDIR%%/server-cert-secp521r1.pem ++server-key = %%ETCDIR%%/server-key-secp521r1.pem + + ipv4-network = 192.168.2.0 + ipv4-netmask = 255.255.255.0 Index: head/net/ocserv/files/patch-src_main-ban.c =================================================================== --- head/net/ocserv/files/patch-src_main-ban.c +++ head/net/ocserv/files/patch-src_main-ban.c @@ -0,0 +1,20 @@ +--- src/main-ban.c.orig 2021-01-26 17:01:03 UTC ++++ src/main-ban.c +@@ -403,8 +403,8 @@ static bool test_local_ipv6(struct sockaddr_in6 * remo + unsigned index = 0; + + for (index = 0; index < 4; index ++) { +- uint32_t l = local->sin6_addr.s6_addr32[index] & network->sin6_addr.s6_addr32[index]; +- uint32_t r = remote->sin6_addr.s6_addr32[index] & network->sin6_addr.s6_addr32[index]; ++ uint32_t l = local->sin6_addr.__u6_addr.__u6_addr32[index] & network->sin6_addr.__u6_addr.__u6_addr32[index]; ++ uint32_t r = remote->sin6_addr.__u6_addr.__u6_addr32[index] & network->sin6_addr.__u6_addr.__u6_addr32[index]; + if (l != r) + return false; + } +@@ -443,4 +443,4 @@ void if_address_cleanup(main_server_st * s) + + s->if_addresses = NULL; + s->if_addresses_count = 0; +-} +\ No newline at end of file ++} Index: head/net/ocserv/files/patch-src_occtl_occtl.c =================================================================== --- head/net/ocserv/files/patch-src_occtl_occtl.c +++ head/net/ocserv/files/patch-src_occtl_occtl.c @@ -1,6 +1,6 @@ ---- src/occtl/occtl.c.orig 2018-01-14 16:25:24 UTC +--- src/occtl/occtl.c.orig 2020-08-06 18:51:31 UTC +++ src/occtl/occtl.c -@@ -249,7 +249,7 @@ static int handle_help_cmd(CONN_TYPE * conn, const cha +@@ -264,7 +264,7 @@ static int handle_help_cmd(CONN_TYPE * conn, const cha static int handle_reset_cmd(CONN_TYPE * conn, const char *arg, cmd_params_st *params) { rl_reset_terminal(NULL);