ocserv

OpenConnect server (ocserv) is an SSL VPN server that speaks the Cisco AnyConnect protocol, so it works with the AnyConnect and OpenConnect clients. Its purpose is to be a secure, small, fast and configurable VPN server.

docker-compose.yml

```yaml
ocserv:
  image: vimagick/ocserv
  ports:
    - "4443:443/tcp"
    - "4443:443/udp"
  environment:
    - VPN_DOMAIN=vpn.easypi.info
    - VPN_NETWORK=10.20.30.0
    - VPN_NETMASK=255.255.255.0
    - LAN_NETWORK=192.168.0.0
    - LAN_NETMASK=255.255.0.0
    - VPN_USERNAME=username
    - VPN_PASSWORD=password
  cap_add:
    - NET_ADMIN
  restart: always
```

- ⚠️ Please choose a strong password to protect the VPN service. The credentials in `environment` are readable by anyone who can read this file or run `docker inspect` on the container, so keep the compose file private.
- These environment variables are used to generate the config files and keys.
- VPN accounts can be managed with the `ocpasswd` command.
- VPN status can be viewed with the `occtl` command.
- You can edit the config file `/etc/ocserv/ocserv.conf`, then restart the service.

up and running

```sh
$ docker-compose up -d
$ docker-compose exec ocserv bash
>>> cd /etc/ocserv/
>>> echo 'no-route = 1.2.3.4/32' >> ocserv.conf
>>> ocpasswd -c ocpasswd username
    Enter password: ******
    Re-enter password: ******
>>> exit
$ docker-compose restart
$ docker cp ocserv_ocserv_1:/etc/ocserv/certs/client.p12 .
$ docker cp ocserv_ocserv_1:/etc/ocserv/certs/server-cert.pem .
$ docker-compose logs -f
```
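The `echo ... >> ocserv.conf` step above appends blindly: run it twice and the config carries the same `no-route` line twice, and a typo in the CIDR is only discovered when ocserv refuses to start. The helper below, an added example rather than anything from the vimagick image, validates the CIDR and only appends an entry that is not already there. It assumes the ocserv.conf `key = value` syntax shown on this page; the file path is passed in, so it can be run against a copy before touching `/etc/ocserv/ocserv.conf`.

```shell
#!/bin/sh
# Added example (not part of the vimagick/dockerfiles project): append an
# ocserv "no-route" entry only when the CIDR is well-formed and the line is
# not already present, so re-running setup does not pile up duplicates.
set -eu

# valid_cidr A.B.C.D/N -> 0 when every octet is 0-255 and N is 0-32
valid_cidr() {
    cidr=$1
    case $cidr in
        */*) ;;
        *) return 1 ;;           # no prefix length at all
    esac
    ip=${cidr%/*}
    prefix=${cidr#*/}
    case $prefix in
        ''|*[!0-9]*) return 1 ;; # prefix must be digits only
    esac
    [ "$prefix" -le 32 ] || return 1
    old_ifs=$IFS; IFS=.
    set -- $ip                   # split the address on dots
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in
            ''|*[!0-9]*) return 1 ;;
        esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# add_no_route CONF CIDR -> appends "no-route = CIDR" to CONF if the CIDR is
# valid and no identical entry exists; returns 1 on an invalid CIDR.
add_no_route() {
    conf=$1; cidr=$2
    valid_cidr "$cidr" || { echo "invalid CIDR: $cidr" >&2; return 1; }
    # escape '.' and '/' so the CIDR is matched literally by grep -E
    escaped=$(printf '%s' "$cidr" | sed 's/[./]/\\&/g')
    if grep -qE "^[[:space:]]*no-route[[:space:]]*=[[:space:]]*$escaped[[:space:]]*$" "$conf"; then
        echo "already present: $cidr"
        return 0
    fi
    printf 'no-route = %s\n' "$cidr" >> "$conf"
    echo "added: $cidr"
}

# count_no_routes CONF -> number of no-route lines, for a quick sanity check
count_no_routes() {
    grep -cE '^[[:space:]]*no-route[[:space:]]*=' "$1" || true
}
```

Inside the container this is `add_no_route /etc/ocserv/ocserv.conf 1.2.3.4/32` followed by the same `docker-compose restart`; ocserv only reads the file at start.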

To remove the password protection of client.p12 (the first `openssl` command prompts for the current import password):

```sh
mv client.p12 client.p12.orig
openssl pkcs12 -in client.p12.orig -nodes -out tmp.pem
openssl pkcs12 -export -in tmp.pem -out client.p12 -passout pass:
rm tmp.pem
```

`tmp.pem` holds the private key unencrypted, so delete it as soon as the export succeeds, and treat the unprotected `client.p12` as a bearer credential: anyone who copies the file can connect as that user.

⚠️ Apple's Keychain Access will refuse to open it with no passphrase.
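The four commands above leave the plaintext key in the working directory between steps and overwrite `client.p12` before anyone has checked that the new bundle is usable. The function below is an added example, not a script shipped with the image: it does the same PKCS#12 re-export but keeps the intermediate PEM in a private temporary directory that is removed on any exit, and only replaces the output once the new bundle opens with an empty password. It assumes the `openssl` CLI is installed; the file names and the password argument are the caller's.

```shell
#!/bin/sh
# Added example (not the project's own script): remove the import password
# from a PKCS#12 bundle as the README does, but keep the unencrypted
# intermediate PEM in a private scratch dir and verify the result before
# replacing anything. Requires the openssl CLI.
set -eu

# p12_opens_without_password FILE -> 0 if FILE parses (and its MAC verifies)
# with an empty password
p12_opens_without_password() {
    openssl pkcs12 -in "$1" -passin pass: -noout 2>/dev/null
}

# strip_p12_password IN OUT PASS -> writes OUT as a PKCS#12 bundle with an
# empty password holding the key and certs from IN (protected by PASS).
strip_p12_password() {
    in=$1; out=$2; pass=$3
    work=$(mktemp -d)            # scratch dir, created mode 0700
    trap 'rm -rf "$work"' EXIT   # plaintext key never outlives this call
    # -nodes: write the private key unencrypted into the temp PEM
    openssl pkcs12 -in "$in" -passin "pass:$pass" -nodes -out "$work/tmp.pem"
    # -passout pass: re-export with an empty password
    openssl pkcs12 -export -in "$work/tmp.pem" -out "$work/out.p12" -passout pass:
    # refuse to replace OUT unless the new bundle really opens with no password
    p12_opens_without_password "$work/out.p12"
    mv "$work/out.p12" "$out"
    rm -rf "$work"
    trap - EXIT
}
```

Usage matching the README: `strip_p12_password client.p12.orig client.p12 "$IMPORT_PASSWORD"`, then import `client.p12` on the phone.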

mobile client

There are two auth types:

- 👎 passwd: typed every time
- 👍 certificate: import once

```text
AnyConnect ->
  Connection ->
    Add New VPN Connection... ->
      Advanced Preferences... ->
        Certificate ->
          Import ->
            File System: client.p12
```

❓ The Android client shows a warning dialog: "Certificate is not yet valid." (WHY?) That message means the device clock is earlier than the certificate's notBefore date, so compare the phone's time with the dates in the exported certificate (`openssl x509 -in server-cert.pem -noout -dates`).
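To pin the "not yet valid" warning down without a phone, the added example below (not code from the README or the image) checks the exported certificate against an arbitrary clock using `openssl verify -attime`, so the same certificate can be tested at the device's reported time, at the host's time, and after expiry. It assumes the `openssl` CLI and a self-signed server certificate such as `server-cert.pem` from `/etc/ocserv/certs/`, which is used as its own trust anchor; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not part of the README): classify why a certificate is
# rejected at a given Unix time, to reproduce a client's "not yet valid"
# dialog offline. Requires the openssl CLI.
set -eu

# cert_valid_at CERT EPOCH -> 0 if the self-signed CERT is inside its
# notBefore/notAfter window at EPOCH (CERT doubles as the trust anchor, so
# only the validity window and its own signature are examined)
cert_valid_at() {
    openssl verify -CAfile "$1" -attime "$2" "$1" >/dev/null 2>&1
}

# cert_window CERT -> prints notBefore/notAfter, to compare with the clock
# of the device that refused the certificate
cert_window() {
    openssl x509 -in "$1" -noout -startdate -enddate
}

# clock_skew_reason CERT EPOCH -> prints "ok", "not-yet-valid", "expired",
# or "other: <openssl message>"
clock_skew_reason() {
    cert=$1; now=$2
    if cert_valid_at "$cert" "$now"; then
        echo ok
        return 0
    fi
    msg=$(openssl verify -CAfile "$cert" -attime "$now" "$cert" 2>&1 || true)
    case $msg in
        *"not yet valid"*) echo not-yet-valid ;;
        *expired*)         echo expired ;;
        *)                 echo "other: $msg" ;;
    esac
}
```

Run `clock_skew_reason server-cert.pem "$(date +%s)"` on the host and again with the epoch the phone shows in its date settings; if the phone's value yields `not-yet-valid`, the device clock (or its time zone) is behind the time at which the container generated the certificate.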

desktop client

download

client.p12 and server-cert.pem can be imported into keychain.