diff --git a/docker-compose.yml b/docker-compose.yml
new file mode 100644
index 0000000..3e0f830
--- /dev/null
+++ b/docker-compose.yml
@@ -0,0 +1,13 @@
+services:
+
+ ocserv:
+ build:
+ context: .
+ dockerfile: ubuntu.dockerfile
+ volumes:
+ - ./ocserv.conf:/etc/ocserv/ocserv.conf
+ privileged: true
+ restart: always
+ ports:
+ - 444:443/tcp
+ - 444:443/udp
diff --git a/ocserv.conf b/ocserv.conf
index a3853e0..5424749 100644
--- a/ocserv.conf
+++ b/ocserv.conf
@@ -189,7 +189,7 @@ max-clients = 16
 # Limit the number of identical clients (i.e., users connecting
 # multiple times). Unset or set to zero for unlimited.
-max-same-clients = 2
+# max-same-clients = 2
 # When the server receives connections from a proxy, like haproxy
 # which supports the proxy protocol, set this to obtain the correct
@@ -225,14 +225,14 @@ keepalive = 32400
 # needs to be short enough to prevent the NAT disassociating
 # his UDP session from the port number. Otherwise the client
 # could have his UDP connection stalled, for several minutes.
-dpd = 90
+dpd = 86400
 # Dead peer detection for mobile clients. That needs to
 # be higher to prevent such clients being awaken too
 # often by the DPD messages, and save battery.
 # The mobile clients are distinguished from the header
 # 'X-AnyConnect-Identifier-Platform'.
-mobile-dpd = 1800
+mobile-dpd = 86400
 # If using DTLS, and no UDP traffic is received for this
 # many seconds, attempt to send future traffic over the TCP
@@ -318,7 +318,7 @@ tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-RSA:-VERS-SSL3.0:-ARCFOUR-1
 # The time (in seconds) that a client is allowed to stay connected prior
 # to authentication
-auth-timeout = 240
+auth-timeout = 86400
 # The time (in seconds) that a client is allowed to stay idle (no traffic)
 # before being disconnected. Unset to disable.
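Review bot: `privileged: true` on the ocserv service grants the container every capability plus unrestricted access to host devices, far more than a VPN daemon needs to create its TUN interface. Replace it with `cap_add: [NET_ADMIN]` and `devices: ["/dev/net/tun:/dev/net/tun"]`, and only widen from there if ocserv's startup log reports a specific denied operation. The bind-mounted `./ocserv.conf` also shadows the copy the Dockerfile bakes in, so a one-line comment on the volume entry stating which file is authoritative would save the next reader a surprise.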
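Review bot: Commenting out `max-same-clients` removes the per-user session cap while the hunk header still shows `max-clients = 16`, so one account can now occupy every slot; the same pattern of silently relaxing a limit repeats in the `dpd`/`mobile-dpd` hunk (@@ -225) and the `auth-timeout` hunk (@@ -318), where 90 s, 1800 s and 240 s all become 86400 s. With dead-peer detection and the pre-authentication window both at 24 h, a handful of stalled or never-authenticating connections can hold those 16 slots for a day, and the comment kept above `dpd` ("needs to be short enough to prevent the NAT disassociating ...") now contradicts the value beneath it. If the goal is to keep idle mobile clients connected, raising `mobile-dpd` alone and leaving `auth-timeout` at its default would get there; otherwise each changed line should carry a comment stating why a day-long window is acceptable, e.g. `# raised to 86400 because <reason>`.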
@@ -716,4 +716,4 @@ dtls-legacy = true
 #ipv4-network = 192.168.2.0
 #ipv4-netmask = 255.255.255.0
-#cert-user-oid = 0.9.2342.19200300.100.1.1
\ No newline at end of file
+#cert-user-oid = 0.9.2342.19200300.100.1.1
diff --git a/ubuntu.dockerfile b/ubuntu.dockerfile
new file mode 100644
index 0000000..d444686
--- /dev/null
+++ b/ubuntu.dockerfile
@@ -0,0 +1,62 @@
+FROM ubuntu:24.04
+
+ENV OCSERV_VERSION 1.3.0
+ENV CA_CN SAMPLE CA
+ENV CA_ORG Big Corp
+ENV SRV_CN SAMPLE server
+ENV SRV_ORG MyCompany
+RUN set -ex \
+ && apt-get update \
+ && apt-get install -y \
+ build-essential pkg-config \
+ libgnutls28-dev libev-dev \
+ libpam0g-dev liblz4-dev libseccomp-dev \
+ libreadline-dev libnl-route-3-dev libkrb5-dev libradcli-dev \
+ libcurl4-gnutls-dev libcjose-dev libjansson-dev liboath-dev \
+ libprotobuf-c-dev libtalloc-dev node-undici protobuf-c-compiler \
+ gperf iperf3 lcov libuid-wrapper libpam-wrapper libnss-wrapper \
+ libsocket-wrapper gss-ntlmssp haproxy iputils-ping freeradius \
+ gawk gnutls-bin iproute2 yajl-tools tcpdump \
+ ronn \
+ wget tar ipcalc-ng libjemalloc2 iptables \
+ && wget ftp://ftp.infradead.org/pub/ocserv/ocserv-$OCSERV_VERSION.tar.xz \
+ && mkdir -p /etc/ocserv \
+ && tar xf ocserv-$OCSERV_VERSION.tar.xz \
+ && rm ocserv-$OCSERV_VERSION.tar.xz \
+ && cd ocserv-$OCSERV_VERSION \
+ && ./configure \
+ && make \
+ && make install \
+ && cd .. \
+ && rm -rf ocserv-$OCSERV_VERSION \
+ && mkdir -p /etc/ocserv/certs \
+ && cd /etc/ocserv/certs \
+ && certtool --generate-privkey --outfile ca-key.pem \
+ && touch ca.tmpl \
+ && echo "cn = $CA_CN" >> ca.tmpl \
+ && echo "organization = $CA_ORG" >> ca.tmpl \
+ && echo "serial = 1" >> ca.tmpl \
+ && echo "expiration_days = -1" >> ca.tmpl \
+ && echo "ca" >> ca.tmpl \
+ && echo "signing_key" >> ca.tmpl \
+ && echo "cert_signing_key" >> ca.tmpl \
+ && echo "crl_signing_key" >> ca.tmpl \
+ && certtool --generate-self-signed --load-privkey ca-key.pem --template ca.tmpl --outfile ca-cert.pem \
+ && certtool --generate-privkey --outfile server-key.pem \
+ && touch server.tmpl \
+ && echo "cn = $SRV_CN" >> server.tmpl \
+ && echo "organization = $SRV_ORG" >> server.tmpl \
+ && echo "expiration_days = -1" >> server.tmpl \
+ && echo "signing_key" >> server.tmpl \
+ && echo "encryption_key" >> server.tmpl \
+ && echo "tls_www_server" >> server.tmpl \
+ && certtool --generate-certificate --load-privkey server-key.pem --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem --template server.tmpl --outfile server-cert.pem \
+ && touch /etc/ocserv/ocpasswd
+WORKDIR /etc/ocserv
+COPY ocserv.conf /etc/ocserv/ocserv.conf
+COPY entrypoint.sh /entrypoint.sh
+EXPOSE 443/tcp
+EXPOSE 443/udp
+ENV LD_PRELOAD=/usr/lib/x86_64-linux-gnu/libjemalloc.so.2
+ENTRYPOINT ["sh", "/entrypoint.sh"]
+CMD ["ocserv", "-c", "/etc/ocserv/ocserv.conf", "-f"]
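Review bot: The ocserv source tarball is fetched with `wget ftp://…` and built immediately with no checksum or signature check, so the VPN daemon in this image is whatever that unauthenticated FTP transfer delivered; pin the expected digest and verify it before `tar xf` (sketched below). The same `RUN` generates `ca-key.pem` inside the image, so the CA private key — paired with `expiration_days = -1`, i.e. certificates that never expire — lands in a layer that travels with the image to every registry and host; generating the keys in entrypoint.sh or mounting them at runtime keeps them out of the image, and once `server-cert.pem` exists the server only needs `ca-cert.pem`, not the CA key. `CA_CN`/`CA_ORG`/`SRV_CN`/`SRV_ORG` are only used during the build here, so they belong in `ARG` rather than the deprecated space-separated `ENV key value` form, unless entrypoint.sh (not in this diff) reads them. Separately, `apt-get install` leaves the full build toolchain plus haproxy, freeradius, tcpdump, iperf3 and lcov in the runtime image without `--no-install-recommends` or clearing `/var/lib/apt/lists`, and `ENV LD_PRELOAD` hard-codes the x86_64 library path, so the image will not start on another architecture.
```dockerfile
# Build-time only values; ARG keeps them out of the runtime environment.
ARG OCSERV_VERSION=1.3.0
# Expected SHA-256 of ocserv-${OCSERV_VERSION}.tar.xz — placeholder, fill in from the upstream release.
ARG OCSERV_SHA256=<SHA256-PLACEHOLDER>
ARG CA_CN="SAMPLE CA"
ARG CA_ORG="Big Corp"
ARG SRV_CN="SAMPLE server"
ARG SRV_ORG="MyCompany"
RUN set -ex \
 && apt-get update \
# … unchanged: apt-get install list …
 && wget ftp://ftp.infradead.org/pub/ocserv/ocserv-$OCSERV_VERSION.tar.xz \
 && echo "$OCSERV_SHA256  ocserv-$OCSERV_VERSION.tar.xz" | sha256sum -c - \
 && mkdir -p /etc/ocserv \
# … unchanged: extract, configure, make install, certificate generation …
```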