PAC

PAC Version

PAC is the recommended version.

In this version, when you connect to the ocserv server, it pushes a proxy auto-config (PAC) file and the route tables to your device. This requires that your device has Private-side proxy support.

Platforms

You can check the details in this article:

AnyConnect Mobile Platforms Feature Matrix

Supported

  • Windows 7/8/10
  • macOS 10.11 or later
  • Universal Windows Platform
  • Apple iOS
  • ChromeOS 51 or later
  • BlackBerry OS 10.2 or later
  • Android 11 or later

Deployment

Create Config

mkdir acray && cd acray
touch docker-compose.yaml && nano docker-compose.yaml
  • docker-compose.yaml
version: '2'

volumes:
  acray-per-group:
  acray-certs:

services:
  acray:
    image: acray:release
    hostname: acray-pac
    container_name: acray-pac
    restart: always
    environment:
    - PORT=999
    - VPN_DOMAIN=example.com
    - VPN_IP=1.2.3.4
    - VPN_NETWORK=100.64.2.0
    - VPN_NETMASK=255.255.255.0
    - V2RAY_SERVER=v2ray.example.com
    - V2RAY_PORT=443
    - V2RAY_ID=4049dc7a-3aca-4882-aa75-fa9b9a86091f
    - V2RAY_ALTERID=64
    - V2RAY_PATH=ray
    - OC_GENERATE_KEY=false
    - RADIUS_SERVER=radius.example.com
    - RADIUS_SHAREKEY=yourradiussharekey
    - PAC_URL=https://contentstor.blob.core.windows.net/public/pub-socks5.pac
    ports:
    - 999:999
    - 1080:1080
    - 1087:1087
    volumes:
    - acray-certs:/etc/ocserv/certs
    - acray-per-group:/etc/ocserv/config-per-group
    cap_add:
    - NET_ADMIN

Build a Docker Image

touch Dockerfile && touch ocserv.conf
  • Dockerfile
FROM public.ecr.aws/motofansd/acray:stable
COPY ocserv.conf /etc/ocserv/ocserv.conf
  • ocserv.conf

In most cases you only need to modify the route lines to change the route tables that are pushed, but you must also add the proxy server address to the PAC file.

I suggest setting the address of the VPN gateway as the proxy server address in the PAC file, and adding a route for the VPN network to ACRay.

Don't modify the other ENV values in this file; the startup scripts run sed on this file to apply the ENV values.

auth = "radius[config=/etc/radiusclient/radiusclient.conf,groupconfig=true]"

tcp-port = 999
run-as-user = nobody
run-as-group = nogroup
socket-file = /var/run/ocserv-socket
pid-file = /var/run/ocserv.pid

server-cert = /etc/ocserv/certs/motofans.club.crt
server-key = /etc/ocserv/certs/motofans.club.key
ca-cert = /etc/ocserv/certs/ca-cert.pem
cert-user-oid = 2.5.4.3
tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-VERS-SSL3.0"

isolate-workers = false
max-clients = 16
max-same-clients = 3
keepalive = 32400
dpd = 90
mobile-dpd = 1800
try-mtu-discovery = true
mobile-idle-timeout = 2400
auth-timeout = 240
idle-timeout = 1200
max-ban-score = 50
ban-reset-time = 300
cookie-timeout = 86400
persistent-cookies = true
deny-roaming = false
rekey-time = 172800
rekey-method = ssl
use-utmp = true
use-occtl = true

device = vpns
predictable-ips = true
default-domain = motofans.club
ipv4-network = 100.64.5.0
ipv4-netmask = 255.255.255.0
dns = 119.29.29.29
dns = 8.8.8.8
ping-leases = true

cisco-client-compat = true
dtls-legacy = true

route=100.64.0.0/255.192.0.0
route=172.31.255.0/255.255.255.0

# For Pac Proxy
  • Build and TAG
docker build . -t acray:release

Create PAC file

The PAC file is pushed to your devices and contains the proxy rules. You need to set the proxy server address in the PAC file to the address of the VPN gateway.

Example of PAC File
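A PAC file matching the setup described above, as an added example (it is not the project's own pub-socks5.pac): everything goes through a SOCKS5 proxy on the VPN gateway, while the routed networks and the local LAN bypass it. It assumes the gateway is 100.64.2.1 (the first host of VPN_NETWORK in docker-compose.yaml) and that the published port 1080 is ACRay's SOCKS5 listener; both are assumptions, not values from the page.

```javascript
// Added example PAC file for the ACRay deployment above, not the project's own
// pub-socks5.pac. Assumed values (not given on the page): the VPN gateway is
// 100.64.2.1, the first host of VPN_NETWORK in docker-compose.yaml, and the
// published port 1080 is ACRay's SOCKS5 listener.
var PROXY = "SOCKS5 100.64.2.1:1080; SOCKS 100.64.2.1:1080";

// Destinations reached through the pushed routes or the local LAN bypass the
// proxy. The first two entries mirror the route= lines in ocserv.conf.
var DIRECT_NETS = [
  ["100.64.0.0", "255.192.0.0"],
  ["172.31.255.0", "255.255.255.0"],
  ["10.0.0.0", "255.0.0.0"],
  ["192.168.0.0", "255.255.0.0"],
  ["127.0.0.0", "255.0.0.0"]
];

// Own isInNet() replacement: unsigned 32-bit compare of (ip & mask) with net,
// so the file has no dependency on PAC runtime helpers and can be tested in Node.
function ipToInt(ip) {
  var p = ip.split(".");
  return ((+p[0] << 24) | (+p[1] << 16) | (+p[2] << 8) | +p[3]) >>> 0;
}

function inNet(ip, net, mask) {
  return ((ipToInt(ip) & ipToInt(mask)) >>> 0) === ipToInt(net);
}

function FindProxyForURL(url, host) {
  // Unqualified names (no dot) are intranet hosts and never leave the LAN.
  if (host.indexOf(".") === -1) return "DIRECT";
  // Literal IPv4 hosts are matched as-is; names are resolved only when the PAC
  // engine provides dnsResolve() (absent outside a browser/OS PAC runtime).
  var ip = /^\d{1,3}(\.\d{1,3}){3}$/.test(host)
    ? host
    : (typeof dnsResolve === "function" ? dnsResolve(host) : null);
  if (ip) {
    for (var i = 0; i < DIRECT_NETS.length; i++) {
      if (inNet(ip, DIRECT_NETS[i][0], DIRECT_NETS[i][1])) return "DIRECT";
    }
  }
  // Everything else is tunnelled to the SOCKS5 proxy on the VPN gateway.
  return PROXY;
}
```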

Startup ACRay

You should put your certificate files into the acray-certs volume, which in this case is /var/lib/docker/volumes/acray-certs/_data.

docker-compose up -d

Then you can download the AnyConnect client and connect to the server.