New role: SSL VPN server #32

Open
nmav opened this issue Aug 11, 2015 · 5 comments

nmav commented Aug 11, 2015

A setup for a server is for it to be a VPN concentrator handling logins to the LAN via the Internet. It should be easy to set up an OpenConnect VPN server for such a setup.

nmav commented Aug 11, 2015

There are various setups possible. That is, get the accounting via RADIUS, via PAM, via GSSAPI (i.e., FreeIPA), or locally handled (via a custom password file).

@sgallagher
Contributor

Can you tell me more about setting it up with FreeIPA? Do you have links on how to do that? That would be the ideal case, as we're trying to build up our roles such that they integrate with our domain controller (which is FreeIPA).

@sgallagher sgallagher self-assigned this Aug 18, 2015
nmav commented Aug 19, 2015

Currently the steps to set up with FreeIPA are described in this blog:
https://securityblog.redhat.com/2015/06/17/single-sign-on-with-openconnect-vpn-server-over-freeipa/

Let me know if something is not clear.

@sgallagher sgallagher modified the milestone: Future Nov 10, 2015
@alxgrtnstrngl
Contributor

@nmav What settings/config options would you like to have available for this role?

nmav commented Jan 28, 2016

Hi, a minimal number of options would be:

  1. Authentication method out of:
     • pam
     • pam OR gssapi

     The first would correspond to "auth = pam", the latter to "auth = pam\n enable-auth = gssapi"

  2. Listen-port (one option for TCP/UDP)
  3. max-clients
  4. network to be provided for IPv4 and IPv6 (corresponds to ipv4-network and ipv6-network)
  5. Routes to be provided to clients (IPv4 or IPv6 in route/mask format)
  6. DNS servers to be provided to clients (IPv4 or IPv6)
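
A sketch of how a role could validate the six options listed in the last comment and render them as ocserv directives. This is an added example, not part of the thread and not the project's code. The option names in the input dict (`listen_port`, `networks`, and so on) and the `pam-or-gssapi` value are hypothetical, and it assumes the deployed ocserv accepts CIDR notation for `ipv4-network` and `ipv6-network`.

```python
import ipaddress

# Role option value -> ocserv.conf lines, following the mapping in the comment above.
AUTH_LINES = {
    "pam": ['auth = "pam"'],
    "pam-or-gssapi": ['auth = "pam"', 'enable-auth = "gssapi"'],
}

def _positive_int(name, value, upper):
    if isinstance(value, bool) or not isinstance(value, int) or not 1 <= value <= upper:
        raise ValueError(f"{name} must be an integer in 1..{upper}")
    return value

def render_ocserv_conf(opts):
    """Validate the six role options and return ocserv.conf text (ValueError on bad input)."""
    if opts["auth"] not in AUTH_LINES:
        raise ValueError("auth must be one of: " + ", ".join(AUTH_LINES))
    lines = list(AUTH_LINES[opts["auth"]])
    port = _positive_int("listen_port", opts["listen_port"], 65535)
    lines += [f"tcp-port = {port}", f"udp-port = {port}"]  # one option drives both
    # Assumption: the role wants an explicit client limit; 100000 is an arbitrary ceiling.
    lines.append(f"max-clients = {_positive_int('max_clients', opts['max_clients'], 100000)}")
    seen = set()
    for raw in opts["networks"]:
        net = ipaddress.ip_network(raw)  # strict: rejects host bits and trailing junk
        if net.version in seen:
            raise ValueError(f"more than one IPv{net.version} network given")
        seen.add(net.version)
        # Assumption: the deployed ocserv accepts CIDR notation for these keys.
        lines.append(f"ipv{net.version}-network = {net}")
    for raw in opts["routes"]:
        net = ipaddress.ip_network(raw)
        # IPv4 routes in route/mask form, IPv6 routes in prefix form.
        lines.append(f"route = {net.with_netmask if net.version == 4 else net}")
    for raw in opts["dns"]:
        lines.append(f"dns = {ipaddress.ip_address(raw)}")
    # Values are emitted from parsed objects, never from the raw strings, so a value
    # carrying a newline cannot smuggle an extra directive into the file.
    return "\n".join(lines) + "\n"

# Constructed sample input (option names are hypothetical, not rolekit's).
SAMPLE_OPTS = {
    "auth": "pam-or-gssapi", "listen_port": 443, "max_clients": 64,
    "networks": ["192.168.100.0/24", "fd00:100::/64"],
    "routes": ["10.0.0.0/8", "fd00:200::/48"],
    "dns": ["192.168.100.1"],
}

if __name__ == "__main__":
    print(render_ocserv_conf(SAMPLE_OPTS), end="")
```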
