ocservice: CLI Tool for Automating ocserv and easy-rsa
ocservice is a set of bash scripts for operational management of the ocserv VPN server. The tool integrates with easy-rsa for PKI operations, automating client certificate generation, revocation, and CRL updates. It supports cert, plain, and both authorization modes without additional services like Docker or databases.
The scripts run from the command line, displaying server status (uptime, sessions, traffic, errors) each time the main menu is called. This simplifies monitoring without separate occtl commands.
Key Features
The main script ocservice provides a menu with current status: active sessions, RX/TX traffic, banned IPs, authorization errors.
Generating Client Certificates
gen-client creates a user with a certificate:
- Prompts for name, validity period, connection limit.
- Generates a certificate via easy-rsa.
- Exports to .p12 with a password.
- Logs data for client delivery.
Users with Passwords
gen-login uses ocpasswd to create accounts in plain mode. Available only when password authorization is enabled.
User Management Center
user-center displays a table:
| User | Online | Cert Expiry | Ban Points | Limit |
|------|--------|-------------|------------|-------|
For each:
- Connection details.
- Editing config-per-user.
- Kicking sessions.
- Resetting ban points.
- Deletion with cert revocation and CRL update.
Installation and Setup
Clone the repository and run the installer:
git clone https://github.com/Ilyntiy/ocservice.git
cd ocservice
chmod +x install.sh
sudo ./install.sh
The installer:
- Parses paths from ocserv.conf (ocpasswd, config-per-user).
- Identifies camouflage URL if enabled.
- Prompts for installation prefix, authorization mode, server address.
- Creates ocservice.conf.
- Copies scripts to ~/bin/.
- Configures /etc/sudoers.d/ocservice with permissions for occtl, ocpasswd, journalctl, systemctl.
Technical Implementation
Configuration
A single ocservice.conf is sourced on each run. Supports arbitrary ocserv paths (/opt, home directory).
Permissions
Minimal sudo rules only for necessary commands, without full root access.
Camouflage
Automatically reads camouflage_secret from ocserv.conf to generate URLs with tokens.
PKI Operations
- Cert revocation: easyrsa revoke.
- CRL update: easyrsa gen-crl.
- ocserv reads crl.pem directly from pki/.
System Requirements
- ocserv from source.
- easy-rsa 3.x.
- openssl.
- use-occtl = true in ocserv.conf.
Development Plans
- Auto-generation of names from a database.
- Backup of configs, certs, users.
- Cert renewal without recreation.
- Expiration notifications.
- Telegram bot for management.
Key Points
- Full integration with easy-rsa: gen .p12, revoke, CRL without manual commands.
- Three authorization modes without extra infrastructure.
- Server status in menu, user-center with actions (kick, edit config).
- Installation in 4 commands with auto sudo setup.
- Only standard tools, no Docker/databases.
— Editorial Team
No comments yet.