ocserv: allow enabling proxy ARP

Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

net/ocserv/Makefile

@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=ocserv
 PKG_VERSION:=0.10.9
-PKG_RELEASE:=1
+PKG_RELEASE:=2
 PKG_USE_MIPS16:=0
 
 PKG_BUILD_DIR :=$(BUILD_DIR)/$(PKG_NAME)-$(PKG_VERSION)

net/ocserv/README

@@ -1,17 +1,86 @@
+Setting up OpenConnect VPN server
+=================================
+
 The openconnect server expects to be configured using the uci interface.
 
 It is recommended to setup a dynamic DNS address with openwrt prior
 to starting the server. That is because during the first startup
 a certificate file which contain the setup dynamic DNS name will be
-created.
+created. You can always regenerate the certificate by deleting
+/etc/ocserv/server-key.pem.
+
+There are two approaches to setup the VPN. The proxy-arp approach (1)
+which provides clients with addresses of the LAN, and the "forwarding"
+approach (2) which provides clients with addresses of a separate private
+network. The former is suitable when you have "roadwarrior" type of clients
+connecting to the LAN, and the latter when you may need to connect
+multiple networks with the LAN.
+
+
+1. Proxy-ARP Approach
+=====================
+
+[This option is available since ocserv-0.10.9-2 package]
+
+To setup a server the provides access to LAN with network address
+10.100.2.0/255.255.255.0 add the following to /etc/config/ocserv.
+The following setup will assign the upper 62 addresses for VPN use.
+
+```
+----/etc/config/ocserv-------------------------------------------
+config ocserv 'config'
+	option port '443'
+	option dpd '120'
+	option max_clients '8'
+	option max_same '2'
+	option netmask '255.255.255.192'
+	option ipaddr '10.100.2.192'
+	option auth 'plain'
+	option default_domain 'lan'
+	option compression '1'
+	option proxy_arp '1'
+	option ping_leases '1'
+	option enable '1'
+
+config dns
+	option ip '10.100.2.1'
+
+config routes
+	option ip '10.100.2.0'
+	option netmask '255.255.255.0'
+
+config ocservusers
+	option name 'test'
+	option password '$5$unl8uKAGNsdTh9zm$PnUHEGhDc5VHbFE2EfWwW38Bub6Y6EZ5hrFwZE1r2F1'
+
+-----------------------------------------------------------------
+```
+
+This setup re-utilizes the addresses assigned to LAN for the VPN clients.
+To ensure that there are no conflicts with the DHCP server use the following
+commands. These will set the maximum address assigned by DHCP to be 10.100.2.191
+which is below the first VPN assigned address (10.100.2.192).
+
+```
+# uci set dhcp.lan.start=100
+# uci set dhcp.lan.limit=91
+```
+
+For simple networks like that you may also leave the 'netmask' and 'ipaddr'
+fields empty and ocserv on startup will set the necessary values.
+
+
+2. Forwarding Approach
+======================
 
 To setup a server the provides access to LAN with network address
 10.100.2.0/255.255.255.0 using the VPN address range
 10.100.3.0/255.255.255.0 add the following to /etc/config/ocserv:
 
+```
 ----/etc/config/ocserv-------------------------------------------
 config ocserv 'config'
-	option port '4443'
+	option port '443'
 	option dpd '120'
 	option max_clients '8'
 	option max_same '2'
@@ -34,19 +103,21 @@ config ocservusers
 	option password '$5$unl8uKAGNsdTh9zm$PnUHEGhDc5VHbFE2EfWwW38Bub6Y6EZ5hrFwZE1r2F1'
 
 -----------------------------------------------------------------
+```
 
-This configuration also adds the user "test" with password "test". The
-password is specified in the crypt(3) format.
 
-The server can be enabled and started using:
-# /etc/init.d/ocserv enable
-# /etc/init.d/ocserv start
+Setting up the firewall
+=======================
 
+Since the connected users will be assigned to other interfaces than the LAN
+one, it is required to assign the VPN clients to an interface, and enable
+forwarding for them. That is, you should setup an unmanaged interface (e.g.,
+called vpn), which will have assigned the 'vpns+' interfaces (i.e., all vpns
+interfaces). Then a zone called vpn should be setup to handle interactions
+with lan. An example, which alls all forwarding between LAN and VPN clients,
+follows.
 
-To simplify firewall configuration, you should setup an unmanaged interface
-(e.g., called vpn), and will have assigned the 'vpns+' interfaces. Then a zone
-called vpn should be setup to handle interactions with lan. An example
-follows:
+```
 ----/etc/config/network------------------------------------------
 config interface 'vpn'
         option proto 'none'
@@ -74,17 +145,35 @@ config rule
         option target 'ACCEPT'
         option src 'wan'
         option proto 'tcp'
-        option dest_port '4443'
+        option dest_port '443'
         option name 'vpn'
 
 config rule
         option target 'ACCEPT'
         option src 'wan'
         option proto 'udp'
-        option dest_port '4443'
+        option dest_port '443'
         option name 'vpn'
 -----------------------------------------------------------------
+```
+
+Note, that the last two rules, enable connections to port 443 from the
+Internet. That is the port used by OpenConnect VPN.
+
+
+Starting the server
+===================
+
+Note that both configurations above add the user "test" with password "test". The
+password is specified in the crypt(3) format.
+
+The server can be enabled and started using:
+# /etc/init.d/ocserv enable
+# /etc/init.d/ocserv start
 
+For any custom configuration options of ocserv you may add values in
+/etc/ocserv/ocserv.conf.local.
 
 There is a luci plugin to allow configuring the server from
 the web environment; see the package luci-app-ocserv.
+

net/ocserv/files/ocserv.conf.template

@@ -275,7 +275,7 @@ ipv4-netmask = |NETMASK|
 
 # Prior to leasing any IP from the pool ping it to verify that
 # it is not in use by another (unrelated to this server) host.
-ping-leases = false
+ping-leases = |PING_LEASES|
 
 # Unset to assign the default MTU of the device
 # mtu = 

net/ocserv/files/ocserv.init

@@ -13,11 +13,47 @@ setup_config() {
 	config_get udp          $1 udp "1"
 	config_get auth         $1 auth "plain"
 	config_get cisco_compat $1 cisco_compat "1"
-	config_get ipaddr       $1 ipaddr "192.168.100.0"
-	config_get netmask      $1 netmask "255.255.255.0"
+	config_get ipaddr       $1 ipaddr ""
+	config_get netmask      $1 netmask ""
 	config_get ip6addr      $1 ip6addr ""
+	config_get proxy_arp    $1 proxy_arp "0"
+	config_get ping_leases  $1 ping_leases "0"
 	config_get default_domain  $1 default_domain ""
 
+	# Enable proxy arp, and make sure that ping leases is set to true in that case,
+	# to prevent conflicts.
+	if test "$proxy_arp" = 1;then
+		local ip
+		# IP address is empty. Auto-configure LAN + VPN.
+		if test -z "$ipaddr";then
+			local mask
+			mask=$(uci get network.lan.netmask)
+			if test "$mask" = "255.255.255.0";then
+				uci set dhcp.lan.start=100
+				uci set dhcp.lan.limit=91
+			fi
+			ip=$(uci get network.lan.ipaddr)
+			ipaddr="$(echo $ip|cut -d . -f1,2,3).192"
+			netmask="255.255.255.192"
+			uci set ocserv.config.ipaddr="$ipaddr"
+			uci set ocserv.config.netmask="$netmask"
+			uci commit
+		fi
+
+		if test -z "$ip6addr";then
+			ip6addr=$(uci get network.lan.ip6addr 2>/dev/null)
+			test -n "$ip6addr" && uci set ocserv.config.ip6addr="$ip6addr"
+			uci commit
+		fi
+
+		ping_leases=1
+		test -n "$ipaddr" && sysctl -w "net.ipv4.conf.$(uci get network.lan.ifname).proxy_arp"=1 >/dev/null
+		test -n "$ip6addr" && sysctl -w "net.ipv6.conf.$(uci get network.lan.ifname).proxy_ndp"=1 >/dev/null
+	else
+		test "$ipaddr" = "" && ipaddr="192.168.100.0"
+		test "$netmask" = "" && ipaddr="255.255.255.0"
+	fi
+
 	enable_default_domain="#"
 	enable_udp="#"
 	enable_compression="#"
@@ -25,6 +61,8 @@ setup_config() {
 	test $predictable_ips = "1" && predictable_ips="true"
 	test $cisco_compat = "0" && cisco_compat="false"
 	test $cisco_compat = "1" && cisco_compat="true"
+	test $ping_leases = "0" && ping_leases="false"
+	test $ping_leases = "1" && ping_leases="true"
 	test $udp = "1" && enable_udp=""
 	test $compression = "1" && enable_compression=""
 	test -z $default_domain && enable_default_domain=""
@@ -47,6 +85,7 @@ setup_config() {
 	    -e "s/|DEFAULT_DOMAIN|/$default_domain/g" \
 	    -e "s/|ENABLE_DEFAULT_DOMAIN|/$enable_default_domain/g" \
 	    -e "s/|CISCO_COMPAT|/$cisco_compat/g" \
+	    -e "s/|PING_LEASES|/$ping_leases/g" \
 	    -e "s/|UDP|/$enable_udp/g" \
 	    -e "s/|COMPRESSION|/$enable_compression/g" \
 	    -e "s/|IPV4ADDR|/$ipaddr/g" \
@@ -164,3 +203,4 @@ start_service() {
 	procd_set_param respawn
 	procd_close_instance
 }
+