New role: SSL VPN server

[nmav]

A setup for a server is for it being a VPN concentrator handling logins to LAN via the Internet. It should be easy to setup OpenConnect VPN server for such a setup.

[nmav]

There are various set ups possible. That is get the accounting via Radius, via PAM, via GSSAPI (i.e., FreeIPA), or locally handled (via a custom password file).

[sgallagher]

Can you tell me more about setting it up with FreeIPA? Do you have links on how to do that? That would be the ideal case, as we're trying to build up our roles such that they integrate with our domain controller (which is FreeIPA).

[nmav]

Currently the steps to setup with FreeIPA are described in that blog:
https://securityblog.redhat.com/2015/06/17/single-sign-on-with-openconnect-vpn-server-over-freeipa/

Let me know if something is not clear.

[alxgrtnstrngl]

@nmav What settings/config options would you like to have available for this role?

[nmav]

Hi, a minimal number of options would be:

1. Authentication method out of:

• pam
• pam OR gssapi

The first would correspond to "auth = pam", the latter to "auth = pam\n enable-auth = gssapi"

1. Listen-port (one option for TCP/UDP)
2. max-clients
3. network to be provided for IPv4 and IPv6 (corresponds to ipv4-network and ipv6-network)
4. Routes to be provided to clients (IPv4 or IPv6 in route/mask format)
5. DNS servers to be provided to clients (IPv4 or IPv6)