Back to Home

ocservice for ocserv: VPN management from CLI

ocservice automates ocserv VPN management via bash scripts with easy-rsa integration. Supports cert/plain authorization, .p12 generation, cert revocation, user-center. Installation without Docker, minimal dependencies.

ocservice: CLI manager for ocserv VPN
Advertisement 728x90

ocservice: CLI Tool for Automating ocserv and easy-rsa

ocservice is a set of bash scripts for operational management of the ocserv VPN server. The tool integrates with easy-rsa for PKI operations, automating client certificate generation, revocation, and CRL updates. It supports cert, plain, and both authorization modes without additional services like Docker or databases.

The scripts run from the command line, displaying server status (uptime, sessions, traffic, errors) each time the main menu is called. This simplifies monitoring without separate occtl commands.

Key Features

The main script ocservice provides a menu with current status: active sessions, RX/TX traffic, banned IPs, authorization errors.

Google AdInline article slot

Generating Client Certificates

gen-client creates a user with a certificate:

  • Prompts for name, validity period, connection limit.
  • Generates a certificate via easy-rsa.
  • Exports to .p12 with a password.
  • Logs data for client delivery.

Users with Passwords

gen-login uses ocpasswd to create accounts in plain mode. Available only when password authorization is enabled.

User Management Center

user-center displays a table:

Google AdInline article slot

| User | Online | Cert Expiry | Ban Points | Limit |

|------|--------|-------------|------------|-------|

For each:

Google AdInline article slot
  • Connection details.
  • Editing config-per-user.
  • Kicking sessions.
  • Resetting ban points.
  • Deletion with cert revocation and CRL update.

Installation and Setup

Clone the repository and run the installer:

git clone https://github.com/Ilyntiy/ocservice.git
cd ocservice
chmod +x install.sh
sudo ./install.sh

The installer:

  • Parses paths from ocserv.conf (ocpasswd, config-per-user).
  • Identifies camouflage URL if enabled.
  • Prompts for installation prefix, authorization mode, server address.
  • Creates ocservice.conf.
  • Copies scripts to ~/bin/.
  • Configures /etc/sudoers.d/ocservice with permissions for occtl, ocpasswd, journalctl, systemctl.

Technical Implementation

Configuration

A single ocservice.conf is sourced on each run. Supports arbitrary ocserv paths (/opt, home directory).

Permissions

Minimal sudo rules only for necessary commands, without full root access.

Camouflage

Automatically reads camouflage_secret from ocserv.conf to generate URLs with tokens.

PKI Operations

  • Cert revocation: easyrsa revoke.
  • CRL update: easyrsa gen-crl.
  • ocserv reads crl.pem directly from pki/.

System Requirements

  • ocserv from source.
  • easy-rsa 3.x.
  • openssl.
  • use-occtl = true in ocserv.conf.

Development Plans

  • Auto-generation of names from a database.
  • Backup of configs, certs, users.
  • Cert renewal without recreation.
  • Expiration notifications.
  • Telegram bot for management.

Key Points

  • Full integration with easy-rsa: gen .p12, revoke, CRL without manual commands.
  • Three authorization modes without extra infrastructure.
  • Server status in menu, user-center with actions (kick, edit config).
  • Installation in 4 commands with auto sudo setup.
  • Only standard tools, no Docker/databases.

— Editorial Team

Advertisement 728x90

Read Next