Add ocserv role
Create a self-signed CA, set up group configs, add script to allow new connections through the firewall. In the base debian role, drop the default nftables forward chain with drop policy because it clashes with this. If you enable forwarding on a debian host, make sure to configure the firewall.
This commit is contained in:
parent
a1c7be8184
commit
cf6b682cf8
9 changed files with 177 additions and 8 deletions
25
roles/ocserv/files/ocserv-script
Normal file
25
roles/ocserv/files/ocserv-script
Normal file
|
|
@ -0,0 +1,25 @@
|
|||
#!/bin/sh
|
||||
|
||||
set -x
|
||||
|
||||
[ -n "$DEVICE" ] || exit 1
|
||||
[ -n "$USERNAME" ] || exit 2
|
||||
[ -n "$IP_REMOTE" ] || exit 3
|
||||
|
||||
chain="inet ocserv client-${USERNAME}"
|
||||
remote_ip="${IP_REMOTE%/*}"
|
||||
|
||||
case "${REASON}" in
|
||||
connect)
|
||||
nft "add chain ${chain} { type filter hook forward priority filter; policy accept; }"
|
||||
nft "flush chain ${chain}" # in case it already existed and not empty
|
||||
if [ -n "$OCSERV_ROUTES" ] ; then
|
||||
# convert netmask to prefix len, e.g. /255.0.0.0 to /8 and replace spaces with commas
|
||||
routes="$(netmask $OCSERV_ROUTES | paste -s -d ',' | tr -d '[:space:]')"
|
||||
nft "add rule ${chain} iif ${DEVICE} ip saddr ${remote_ip} ip daddr { ${routes} } mark set 0x100"
|
||||
fi
|
||||
;;
|
||||
disconnect)
|
||||
nft "delete chain ${chain}"
|
||||
;;
|
||||
esac
|
||||
Loading…
Add table
Add a link
Reference in a new issue