
Update ocserv to current revision (1.1.6)
Closed, Resolved · Public · ENHANCEMENT

Description

VyOS appears to use the upstream debian ocserv package @ version 1.1.2. This is somewhat dated, and v1.1.6 builds just fine in the vyos-build Docker container from the Debian salsa repo (https://salsa.debian.org/debian/ocserv.git):

vyos@svl-vy00:~$ ocserv -v
ocserv 1.1.6

Compiled with: seccomp, tcp-wrappers, oath, radius, gssapi, PAM, PKCS#11, AnyConnect
GnuTLS version: 3.7.1

It runs great inside the system:

vyos@svl-vy00:~$ show openconnect-server sessions 
Interface    Username    IP             Remote IP       RX       TX      State      Uptime
-----------  ----------  -------------  --------------  -------  ------  ---------  --------
sslvpn0      testuser   192.168.0.28  10.0.0.20  47.8 MB  9.6 MB  connected  20h:56m

Probably best to keep key services (especially ones designed to service requests from the evil WAN) up-to-date, especially as we beef up the CLI to cover the server's feature set.

Details

Difficulty level
Easy (less than an hour)
Version
-
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Perfectly compatible
Issue type
Package upgrade

Event Timeline

@Viacheslav - how does the bug you were working around manifest itself? I just pulled the 1.1.6 sources and built from that repo using the same command as the Jenkinsfile. Happy to test for whatever condition was being fixed in the local build.

This bug was in T4241: the client couldn't connect to the OpenConnect server, and the logs on the server side looked like:

Feb 16 19:46:03 r4 ocserv[2409]: main:192.168.122.1:44480 user disconnected (reason: unspecified, rx: 0, tx: 0)
Feb 16 19:46:03 r4 ocserv[2409]: main:192.168.122.1:44482 user disconnected (reason: unspecified, rx: 0, tx: 0)
^C

It was tested with self-signed certificates.

For 1.4

vyos@r14# run show version all | match ocser
ii  ocserv                               1.1.6-3                          amd64        OpenConnect VPN server compatible with Cisco AnyConnect VPN
[edit]
vyos@r14#
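The failure signature in the T4241 report is a client that is repeatedly "disconnected" with reason unspecified and zero bytes in both directions. As an added example (not part of this task or of ocserv itself), the following Python parses ocserv syslog lines of that shape and flags client IPs showing that pattern; the regex is an assumption fitted to the lines quoted above, and the sample log is constructed.

```python
import re
from collections import Counter

# Assumed line shape, fitted to the "user disconnected" lines quoted in the
# task (not taken from ocserv's source). Lines of other shapes are ignored.
DISCONNECT_RE = re.compile(
    r"ocserv\[(?P<pid>\d+)\]: main:(?P<ip>\S+):(?P<port>\d+) "
    r"user disconnected \(reason: (?P<reason>[^,]+), rx: (?P<rx>\d+), tx: (?P<tx>\d+)\)"
)

def parse_disconnects(lines):
    """Yield one dict per 'user disconnected' line; non-matching lines are skipped."""
    for line in lines:
        m = DISCONNECT_RE.search(line)
        if m:
            yield {
                "ip": m["ip"],
                "port": int(m["port"]),
                "reason": m["reason"],
                "rx": int(m["rx"]),
                "tx": int(m["tx"]),
            }

def zero_traffic_clients(lines, threshold=2):
    """Return {client_ip: count} for IPs disconnected at least `threshold` times
    with reason 'unspecified' and no bytes either way, i.e. a client that keeps
    reaching the server but never gets a working session."""
    counts = Counter(
        d["ip"] for d in parse_disconnects(lines)
        if d["reason"] == "unspecified" and d["rx"] == 0 and d["tx"] == 0
    )
    return {ip: n for ip, n in counts.items() if n >= threshold}

# Constructed sample: two lines in the shape quoted in the task, one healthy
# disconnect with real traffic, and one unrelated line.
SAMPLE_LOG = """\
Feb 16 19:46:03 r4 ocserv[2409]: main:192.168.122.1:44480 user disconnected (reason: unspecified, rx: 0, tx: 0)
Feb 16 19:46:03 r4 ocserv[2409]: main:192.168.122.1:44482 user disconnected (reason: unspecified, rx: 0, tx: 0)
Feb 16 19:47:10 r4 ocserv[2409]: main:192.168.122.205:51002 user disconnected (reason: user disconnected, rx: 1331, tx: 152)
Feb 16 19:47:11 r4 ocserv[2409]: main: initialized ocserv 1.1.6
""".splitlines()

if __name__ == "__main__":
    for ip, n in zero_traffic_clients(SAMPLE_LOG).items():
        print(f"{ip}: {n} zero-traffic disconnects, check certificate and auth setup")
```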
Viacheslav changed the task status from Open to In progress. Feb 28 2023, 5:06 PM
Viacheslav claimed this task.
Viacheslav changed the task status from In progress to Needs testing. Feb 28 2023, 6:09 PM

Currently digging through a bug with the ocserv upstream maintainers; we might get a 1.1.7 once we fix that, or at least a 1.1.6-4.
Aside from the weird Duo+RADIUS thing, the version noted in this issue currently runs great.

Viacheslav moved this task from Need Triage to Finished on the VyOS 1.3 Equuleus (1.3.3) board.

VyOS 1.3-stable-202303030442: works as expected

vyos@r1# run show conf com | match open
set vpn openconnect authentication mode 'radius'
set vpn openconnect authentication radius server 192.168.122.14 key 'vyos-secret'
set vpn openconnect listen-ports tcp '4433'
set vpn openconnect listen-ports udp '4433'
set vpn openconnect network-settings client-ip-settings subnet '100.64.12.0/24'
set vpn openconnect ssl ca-cert-file '/config/auth/ca.crt'
set vpn openconnect ssl cert-file '/config/auth/server.crt'
set vpn openconnect ssl key-file '/config/auth/server.key'
[edit]
vyos@r1# 
[edit]
vyos@r1# run show version all | match ocser
ii  ocserv                               1.1.6-3                        amd64        OpenConnect VPN server compatible with Cisco AnyConnect VPN
[edit]
vyos@r1# 
[edit]
vyos@r1# run show openconnect-server sessions 
interface    username    ip             remote IP        RX      TX         state      uptime
-----------  ----------  -------------  ---------------  ------  ---------  ---------  --------
sslvpn0      foo         100.64.12.225  192.168.122.205  1.3 KB  152 bytes  connected  55s
[edit]
vyos@r1#