ocserv error: vhost, you cannot mix multiple authentication method
0
votes
0
answers
796
views
I'm trying to install ocserv *(OpenConnect VPN Server)*, using script from this repository , on CentOS 8.1. Script automatically sets up server, certificate, user list and other settings.
After
install.sh is run *(script content is below)*, i check the logs using journalctl -u ocserv, and this is the output:
Starting OpenConnect SSL VPN server...
Started OpenConnect SSL VPN server.
note: skipping 'pid-file' config option
error: cannot open file /etc/letsencrypt/live/208.xx.xx.xx/fullchain>
Parsing plain auth method subconfig using legacy format
error: vhost:default: you cannot mix multiple authentication method>
ocserv.service: Main process exited, code=exited, status=1/FAILURE
ocserv.service: Failed with result 'exit-code'.error: vhost:default: you cannot mix multiple authentication method, which is located in the source code here . There is also this error error: cannot open file /etc/letsencrypt/live.. about certificate, not sure if it is important.
Where is vhost:default config file (about multiple authentication) is located at & how to fix this? Or am i misinterpreting the errors?
**PS**:
*If you need output of any command, let me know in the comments*
install.sh script
#!/bin/bash
# openconnect/anyconnect server (ocserv) installer in centos + let's ecnrypt
#
# bash install.sh -f username-list-file -n host-name -e email-address
usage()
{
echo "usage:"
echo "bash install.sh -f username-list-file -n host-name -e email-address"
}
###### Main
LIST=""
HOST_NAME=""
EMAIL_ADDR=""
if [[ $(dnf -q check-update | wc -l) > 0 ]] ; then
echo 'You must be updated before this script.'
echo 'Run: yum update'
exit
fi
while [[ $1 != "" ]]; do
case $1 in
-f | --list ) shift
LIST=$1
;;
-n | --hostname ) shift
HOST_NAME=$1
;;
-e | --email ) shift
EMAIL_ADDR=$1
;;
-h | --help ) usage
exit
;;
* ) usage
exit 1
esac
echo $1;
shift
done
if [[ $HOST_NAME == "" ]] || [[ $EMAIL_ADDR == "" ]] || [[ $LIST == "" ]] ; then
usage
exit
fi
echo '[10% ] Start installation...'
yum -q update -y > /dev/null &
wait
yum install epel-release -y > /dev/null &
wait
yum repolist enabled > /dev/null &
wait
yum -q update --assumeno > /dev/null &
wait
yum install iptables-services -y > /dev/null &
wait
yum install ocserv certbot -y > /dev/null &
wait
echo '[20% ] Request a valid certificate...'
certbot certonly --standalone --non-interactive --preferred-challenges http --agree-tos --email $EMAIL_ADDR -d $HOST_NAME &
wait
echo '[30% ] Changing the default settings...'
sed -i 's/auth = "pam"/#auth = "pam"\nauth = "plain\[\/etc\/ocserv\/ocpasswd]"/' /etc/ocserv/ocserv.conf &
wait
sed -i 's/try-mtu-discovery = false/try-mtu-discovery = true/' /etc/ocserv/ocserv.conf &
wait
sed -i 's/#dns = 192.168.1.2/dns = 1.1.1.1\ndns = 8.8.8.8/' /etc/ocserv/ocserv.conf &
wait
sed -i 's/#tunnel-all-dns = true/tunnel-all-dns = true/' /etc/ocserv/ocserv.conf & # != = DNS Leak
wait
sed -i "s/server-cert = \/etc\/pki\/ocserv\/public\/server.crt/server-cert=\/etc\/letsencrypt\/live\/$HOST_NAME\/fullchain.pem/" /etc/ocserv/ocserv.conf &
wait
sed -i "s/server-key = \/etc\/pki\/ocserv\/private\/server.key/server-key=\/etc\/letsencrypt\/live\/$HOST_NAME\/privkey.pem/" /etc/ocserv/ocserv.conf &
wait
sed -i 's/ipv4-network = 192.168.1.0/ipv4-network = 192.168.2.0/' /etc/ocserv/ocserv.conf &
wait
sed -i 's/#ipv4-network = 192.168.1.0/ipv4-network = 192.168.2.0/' /etc/ocserv/ocserv.conf &
wait
sed -i 's/#ipv4-netmask = 255.255.255.0/ipv4-netmask = 255.255.255.0/' /etc/ocserv/ocserv.conf &
wait
sed -i 's/max-clients = 16/max-clients = 128/' /etc/ocserv/ocserv.conf &
wait
sed -i 's/max-same-clients = 2/max-same-clients = 4/' /etc/ocserv/ocserv.conf &
wait
#sed -i 's/#mtu = 1420/mtu = 1420/' /etc/ocserv/ocserv.conf &
#sed -i 's/#route = default/route = default/' /etc/ocserv/ocserv.conf & # for use server like gateway = IP Leak
sed -i 's/no-route = 192.168.5.0\/255.255.255.0/#no-route = 192.168.5.0\/255.255.255.0/' /etc/ocserv/ocserv.conf &
wait
#sed -i 's/udp-port = 443/#udp-port = 443/' /etc/ocserv/ocserv.conf & # if there is a problem with DTLS/UDP
wait
echo '[40% ] Adding iptables items...'
iptables -I INPUT -p tcp --dport 22 -j ACCEPT & # SSH port
wait
iptables -I INPUT -p tcp --dport 443 -j ACCEPT &
wait
iptables -I INPUT -p udp --dport 443 -j ACCEPT &
wait
iptables -I INPUT -p udp --dport 53 -j ACCEPT &
wait
iptables -t nat -A POSTROUTING -j MASQUERADE &
wait
iptables -I FORWARD -d 192.168.2.0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT &
wait
iptables -A FORWARD -s 192.168.2.0 -j ACCEPT &
wait
echo '[50% ] Activating the ip_forward feature...'
echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf &
#echo "net.ipv4.conf.all.proxy_arp = 1" >> /etc/sysctl.conf
wait
sysctl -p & # apply wihout rebooting
wait
echo '[60% ] Adding users...'
echo ''
if [[ $LIST != "" ]] ; then
while read -r -a line; do
if [[ "${line}" != "" ]] ; then
echo " For user ${line} password updated with ${line[1] }"
echo "${line[1] }" | ocpasswd -c /etc/ocserv/ocpasswd "${line}" &
wait
fi
done /dev/null &
wait
systemctl disable ocserv.socket > /dev/null &
wait
echo '[80% ] Start ocserv service...'
systemctl restart ocserv.service > /dev/null &
wait
#systemctl status ocserv.service &
#wait
#iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT & # Allow SSH port. Is this port really configured?
#iptables -P INPUT DROP & # If you have not ACCEPT the SSH port connection before, do not run this command!
#wait
echo '[90% ] Persistent iptables rules...'
iptables-save > /etc/iptables.rules &
wait
systemctl enable iptables &
wait
service iptables save &
wait
systemctl start iptables &
wait
echo '[100% ] Your VPN server is ready to use.'
echo ''
echo 'Please check the ocserv logs with: journalctl -u ocserv'
echo ''
Asked by Jemshit
(101 rep)
Jul 17, 2023, 04:09 PM