As an Iranian citizen, I always have trouble with censorship forced by our beloved government on one hand and foreign sanctions burden on another hand. They banned our IP, filtered our domain, drop MTProto and OpenVPN protocols and even removed our servers from their data centers, but we are always one step ahead :-)
To address these issues I start to use docker to ease the pain of installing and installing and installing the same applications again and again and again. In this way, I can change my host and deploy my applications on a new host in less than a minute. One of my favorite applications to bypass filter is Cisco AnyConnect. I like it because it relays traffic between clients and servers like OpenSSH and HTTPS. In this way, the government can't distinguish between Anyconnect traffic and HTTPS, as a result, they can't block AnyConnect traffic unless they block all HTTPS traffic.
There exist two ways of client authentication, with password or certificate. Password authentication is straightforward and it doesn't need complex configuration but configuration complexity of certificate authentication is rather high; You should understand how certificate works and generate certificate for every user. However, it saves you from having to type the password every time you want to connect. I tried to solve issue of configuration by introducing gcc
(generate client certificate) command. You can easily generate new certificate by typing gcc <username>
(more on that on section III).
In the section II I will show password authentication configuration and how you can add new clients. In section III I will use the same procedure to introduce certificate authentication. Some tricks to boost your network speed and minimize delay are provided in the final section.
Easiest ocserv
configuration is its password authentication. By passing some arguments at build time you can build your own docker image customized for your domain. Run the below command in root directory of this repo to build fresh ocserv
docker image with password authentication, customized for your domain. Description of build arguments are provided in Table. 1 .
$ docker build --build-arg ORGANIZATION="Example Corp" --build-arg DOMAIN=example.com -t anyconnect:password ./password/
After successful build run AnyConnect
image by:
$ docker run --name any-pass -it --privileged -p 4321:4321 anyconnect:password
Parsing plain auth method subconfig using legacy format
note: setting 'plain' as primary authentication method
note: setting 'file' as supplemental config option
root@a86f00e3e939:/etc/ocserv#
You will be directed to any-pass container bash. Create clients with:
root@a86f00e3e939:/etc/ocserv# ocpasswd -c /etc/ocserv/ocpasswd <username>
After setting up users and their password hit Ctrl-p Ctrl-q to detach from bash. To add more users in future, first execute a new bash on any-pass with:
$ docker exec -it any-pass /bin/bash
root@a86f00e3e939:/etc/ocserv#
and then create users as stated before and quit with exit
.
ARG | Meaning | Default |
---|---|---|
ORGANIZATION | Organization field in generated cetificates. | "Example Corp" |
DOMAIN | Certificate will generate for this domain | "example.com" |
Table. 1: description of password configuration build args
I don't know how you feel about typing your password every time you want to use VPN but I hate it. Certificate authentication comes to rescue. Although it is hard to setup and maintain certificates ocserv
, you can easily setup and run your own ocserv
with this container and enjoy joining your network with one click. To do so run the below command in root directory of this repo to build a fresh ocserv
docker image with certificate authentication customized for your domain. Description of build arguments provided in Table. 1 .
$ docker build --build-arg ORGANIZATION="Example Corp" --build-arg DOMAIN=example.com -t anyconnect:certificate ./certificate/
Easyest way to copy generated certificate outside of container is to use docker volumes. Create cert folder to store certs and pass it as a volume to docker container just like below:
$ cd /to/appropriate/location/
$ mkdir certs
$ docker run --name any-cert -it --privileged -v $(pwd)/certs:/certs -p 4321:4321 anyconnect:certificate
Parsing plain auth method subconfig using legacy format
note: setting 'plain' as primary authentication method
note: setting 'file' as supplemental config option
root@a86f00e3e939:/certs/#
You will directed to any-cert container bash. Create client certificates with gcc <username>
and provide certificate password and user password. For example:
root@a86f00e3e939:/certs# gcc john
Generating a 3072 bit RSA private key...
Generating a signed certificate...
X.509 Certificate Information:
....
Generating a PKCS #12 structure...
Loading private key list...
Loaded 1 private keys.
Enter a name for the key: john
Enter password:
Confirm password:
Enter plain ocpasswd password:
Enter password:
Re-enter password:
root@a86f00e3e939:/certs#
After generating clients certificates hit Ctrl-p Ctrl-q to detach from bash. To add more users in future, first execute a new bash on any-cert with:
$ docker exec -it any-cert /bin/bash
root@a86f00e3e939:/certs/#
and then create users as stated before and quit with exit
.
You can Boost Ubuntu Network Performance by Enabling TCP BBR. Before going forward, check your kernel version. It probably uses a 4.9 or higher kernel version. The following lines quoted from [4].
Once you have kernel 4.9 or above, edit sysctl.conf file.
$ sudo nano /etc/sysctl.confAdd the following two line at the end of the file.
net.core.default_qdisc=fq net.ipv4.tcp_congestion_control=bbrSave and close the file. Then reload sysctl configurations.
sudo sysctl -pNow check the congestion control algorithm in use.
$ sysctl net.ipv4.tcp_congestion_control net.ipv4.tcp_congestion_control = bbrCongrats! You have successfully enabled TCP BBR on Ubuntu.
Get certificate's expiration date:
# openssl pkcs12 -in <certificate file name> -nodes -passin pass:"<password>" | openssl x509 -noout -enddate
Enable ip forwarding
# apt install iptables-persistent
# iptables -P FORWARD ACCEPT
# iptables-save > /etc/iptables/iptables.rules
# vim /etc/crontab ( add "* * * * * root iptables -P FORWARD ACCEPT" there)
[1] : https://lowendbox.com/blog/install-openconnect-server-on-ubuntu-16-04/
[2] : https://www.linuxbabe.com/ubuntu/openconnect-vpn-server-ocserv-ubuntu-16-04-17-10-lets-encrypt
[3] : https://www.linuxbabe.com/ubuntu/certificate-authentication-openconnect-vpn-server-ocserv
[4] : https://www.linuxbabe.com/ubuntu/enable-google-tcp-bbr-ubuntu
[5] : https://github.com/sfc9982/AnyConnect-Server