VyOS Platform

Extend ocserv support to allow for per-group configs
Open, Requires assessment / Public / Feature Request

Description

We have adapted our VyOS to extend ocserv to look for group membership in RADIUS authentication, and then apply a group-specific ocserv config (mainly around only allowing certain subnet access on a per-group/user basis).

This was done by editing the base template files in our VyOS install.

We would like to make this a normal function, by submitting code to make this a configure command.

Essentially extend the supported commands, contribute the python scripts to implement the changes, and adapt the base files to support this.

Details

Difficulty level
Unknown (require assessment)
Version
-
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Config syntax change (migratable)
Issue type
Feature (new functionality)

Event Timeline

@SquirePug Can you share more details, which templates and parameters did you edit?

Hello,

I am the dev working on behalf of @SquirePug. For our particular installation the template that was edited was located at

/usr/share/vyos/templates/ocserv/ocserv_config.tmpl

And the addition I made was the following two lines hardcoded into the template.

config-per-group = /etc/ocserv/config-per-group
default-group-config = /etc/ocserv/defaults/group.conf

I wasn't able to configure this directory via the cli using any of the

set vpn openconnect ...

commands, so I browsed the source in order to see how it was generating the OpenConnect configuration file and found the various config functions in vpn_openconnect.py and the template functions that file referenced, which led me to searching for the ocserv_config.tmpl file. This config allows us to pass groups in our RADIUS response to ocserv and forward routes on a per-group level.

I am interested in contributing new commands listed below to optionally enable/disable group based configs and configure the directory for the per group configs, and the default group file:

set vpn openconnect config-per-group-mode <enabled|disabled> (default disabled)
set vpn openconnect config-per-group-directory <directory>
set vpn openconnect default-group-config <file>

If I could get some feedback as to whether this would be a welcome addition I can start working on a PR sometime soon, and I'll post an overview on how I plan to implement said commands.

Regards,
Jamie

For this we create text files as the group-config includes (they contain route and other per-group config directives, generally around security).

Should we default the location of these files to somewhere in /config/ocserv/group-configs ?

Is there a preference on how to handle these additional end admin user created text files?

From memory, only files in /config persist after an update/upgrade?
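To make the mechanism discussed in the two posts above concrete, here is an added example (not code from this task or from VyOS) that models what the proposed commands would feed into the template and what ocserv does with it at login: it renders the two directives Jamie added to ocserv_config.tmpl, takes the group from the Class attribute of a RADIUS Access-Accept (the attribute ocserv reads for the group), and resolves which file ocserv would apply, falling back to default-group-config when no per-group file exists. It also adds the check a reviewer would ask for: a group name becomes a path component under config-per-group, so names that are not plain file names are rejected. The function names, the /config/ocserv/group-configs default, the "only /config persists" assumption from SquirePug's question, and the sample group files are all assumptions constructed for the example.

```python
import os
import re
import tempfile

# Group names become a path component (<config-per-group>/<group>), so restrict
# them to a conservative character set before touching the filesystem.
SAFE_GROUP = re.compile(r"^[A-Za-z0-9_-]+$")

# Assumption (from the thread's question): only /config survives an image
# upgrade, so the per-group directory is expected to live there.
PERSISTENT_ROOT = "/config/"


def render_group_directives(enabled, group_dir, default_file):
    """Return the two ocserv.conf lines the task adds to the template, or an
    empty list when the hypothetical 'config-per-group-mode' is disabled."""
    if not enabled:
        return []
    if not group_dir.startswith(PERSISTENT_ROOT):
        raise ValueError(f"{group_dir}: expected a directory under {PERSISTENT_ROOT}")
    return [
        f"config-per-group = {group_dir}",
        f"default-group-config = {default_file}",
    ]


def group_from_radius(attrs):
    """Pick the group out of a decoded RADIUS Access-Accept (ocserv reads the
    Class attribute). Returns None when no group was sent; rejects unsafe names."""
    value = attrs.get("Class")
    if value is None:
        return None
    group = value.decode("ascii", "replace") if isinstance(value, bytes) else str(value)
    if not SAFE_GROUP.match(group):
        raise ValueError(f"refusing group name {group!r}: not a plain file name")
    return group


def resolve_group_config(group, group_dir, default_file):
    """Mirror ocserv's lookup order: <group_dir>/<group> if it exists,
    otherwise the default-group-config file."""
    if group is not None:
        candidate = os.path.join(group_dir, group)
        if os.path.isfile(candidate):
            return candidate
    return default_file


def build_sample_group_dir():
    """Constructed sample data: one per-group file and one default file in a
    throwaway directory. Returns (group_dir, default_file)."""
    root = tempfile.mkdtemp(prefix="ocserv-groups-")
    group_dir = os.path.join(root, "group-configs")
    os.mkdir(group_dir)
    with open(os.path.join(group_dir, "engineering"), "w") as fh:
        fh.write("route = 10.10.0.0/16\nroute = 10.20.0.0/16\n")
    default_file = os.path.join(root, "default-group.conf")
    with open(default_file, "w") as fh:
        fh.write("no-route = 10.0.0.0/8\n")
    return group_dir, default_file


def demo():
    """Run the lookup for a few constructed RADIUS replies and report which file
    ocserv would apply, keyed by group name (None = no Class attribute sent)."""
    group_dir, default_file = build_sample_group_dir()
    results = {}
    for attrs in ({"Class": b"engineering"}, {"Class": "sales"}, {}):
        group = group_from_radius(attrs)
        results[group] = os.path.basename(resolve_group_config(group, group_dir, default_file))
    try:
        group_from_radius({"Class": "../../etc/passwd"})
        results["traversal"] = "accepted"
    except ValueError:
        results["traversal"] = "rejected"
    return results


if __name__ == "__main__":
    for line in render_group_directives(True, "/config/ocserv/group-configs",
                                        "/config/ocserv/default-group.conf"):
        print(line)
    print(demo())
```

The resolve step is a model of ocserv's behaviour for illustration, not a call into ocserv; the point it makes for the PR is that the verify stage should reject a per-group directory outside /config (so the admin-created files survive upgrades) and that any code which writes group files from CLI input must treat the group name as a file name, not as free text.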