OpenConnect VPN server is an SSL VPN server that is secure, small, fast and configurable. It implements the OpenConnect SSL VPN protocol and has also (currently experimental) compatibility with clients using the AnyConnect SSL VPN protocol. The OpenConnect protocol provides a dual TCP/UDP VPN channel and uses the standard IETF security protocols to secure it. While there is some recent movement towards SAML compatibility in an OpenConnect client, this SAML authentication module specifically emulates the behaviour of a Cisco Anyconnect headend for compatibility with Anyconnect clients. It is tested with version 4.8. It has not been tested with Openconnect.
- Base: Alpine Latest
- Latest OpenConnect Server 1.0.0 + SAML support implemented by me, here
- SAML2 Authentication Support
- Size: 47.5MB
- Customizing the DNS servers used for queries over the VPN
- Supports tunneling all traffic over the VPN or tunneling only specific routes via split-include
- Create certs automatically using default or provided values, or drop your own certs in /config/certs
The container is available from the Docker registry and this is the simplest way to get it. It needs a fair few environment variables, so I suggest using docker-compose.
If you have not already done so, install docker-compose in accordance with its documentation.
In an empty directory, create a file called docker-compose.yaml and insert the below contents, substituting values suitable for your environment:
version: "3"
services:
ocserv:
container_name: ocserv
image: morganonbass/ocserv-saml:latest
ports:
- "443:443/tcp"
- "443:443/udp"
environment:
HOSTNAME: 'vpn.example.com'
LISTEN_PORT: 443
TUNNEL_MODE: 'split-include'
TUNNEL_ROUTES: '192.168.1.0/24, 192.168.69.0/24'
DNS_SERVERS: 192.168.1.1
DEFAULT_DOMAIN: 'internal.example.com'
SPLIT_DNS_DOMAINS: 'internal.example.com'
CLIENTNET: 192.168.248.0
CLIENTNETMASK: 255.255.255.128
volumes:
- './config/:/config/'
cap_add:
- NET_ADMIN
privileged: true
restart: unless-stopped
Then, create a directory called 'config' (or match your volume definition above if you differ from the example), and populate it with the following files:
| File | Required | Details |
|---|---|---|
idp-metadata.xml |
Yes | Your SAML identity provider supplies this |
idp-cert.pem |
Yes | Your SAML identity provider supplies this |
certs/server-cert.pem |
No | Our certificate, for SSL/TLS and signing SAML communications if needed |
certs/server-key.pem |
No | Key for above. If not supplied, a self signed cert will be generated |
Then, start the vpn service like so:
docker-compose up -d
On start, the docker entrypoint script will drop and populate the following using parameters supplied by docker-compose.yaml:
| File | Can I edit this? | Details |
|---|---|---|
ocserv.conf |
Knock yourself out | Ocserv configuration file. This will be autogenerated with parameters supplied in docker-compose.yaml |
sp-metadata.xml |
Nope | Our SAML service provider metadata file. Don't edit this, it emulates ASA behaviour for Anyconnect compatibility |
sso.conf |
Maybe, but why? | Ocserv SAML module configuration file. Just tells it where to find its own metadata files and certs, not much needs editing here |
On start, the server checks for the following files:
/config/certs/server-key.pem
/config/certs/server-cert.pem
If these do not exist, a self signed certificate will be created. You may of course place your own signed certificates at this location.
All of the relevant config files are in the /config volume. You may edit them to make use of more of Openconnect's features. Some advanced features include setting up site to site VPN links, User Groups, Proxy Protocol support and more.
| Variable | Required | Function | Example |
|---|---|---|---|
HOSTNAME |
Yes | Hostname, needed to construct SAML parameters | vpn.domain.com |
LISTEN_PORT |
No | Listening port for VPN connections | 443 |
DNS_SERVERS |
No | Comma delimited name servers | 8.8.8.8,8.8.4.4 |
TUNNEL_MODE |
No | Tunnel mode (all / split-include) | split-include |
TUNNEL_ROUTES |
No | Comma delimited tunnel routes in CIDR notation | 192.168.1.0/24 |
DEFAULT_DOMAIN |
No | Default domain to advertise to clients (DNS search scope) | internal.domain.com |
SPLIT_DNS_DOMAINS |
No | Comma delimited dns domains | internal.domain.com |
CLIENTNET |
No | Network from which to assign client IPs | 192.168.255.0 |
CLIENTNETMASK |
No | Client subnet mask | 255.255.255.0 |
| Volume | Required | Function | Example |
|---|---|---|---|
config |
Yes | OpenConnect config files | /your/config/path/:/config |
| Port | Proto | Required | Function | Example |
|---|---|---|---|---|
443 |
TCP | Yes | OpenConnect server TCP listening port | 443:443 |
443 |
UDP | Yes | OpenConnect server UDP listening port | 443:443/udp |
After a user successfully logins to the VPN a message will be logged in the docker log.
Example of login message:
[info] User bob Connected - Server: 192.168.1.165 VPN IP: 192.168.255.194 Remote IP: 107.92.120.188
Example of logoff message:
[info] User bob Disconnected - Bytes In: 175856 Bytes Out: 4746819 Duration:63
If you are having issues with this container please submit an issue on GitHub. Please provide logs, docker version and other information that can simplify reproducing the issue. Using the latest stable verison of Docker is always recommended. Support for older version is on a best-effort basis.