อ้างอิง http://www.subvs.co.uk/ssl_vpn_on_ubuntu

SSL-Explorer is a nice user-friendly VPN app that only needs java and a web browser on the client to run. It is thus a LOT easier to get users onto it, as it requires no software to configure and run, the only thing they may need to do is install the latest jdk version. This howto describes how to install on Ubuntu 6.0.6 LTS (server version), but will work on [insert your distro here] with a couple of modifications (most likely just package management and package names).

The really nifty thing about this is that road warriors will be able to connect from just about anywhere, I dont know of any hotels or internet cafes that block https! This beats a lot of other vpn solutions because there are more and more places blocking ports. Here is how to install ssl explorer on Ubuntu (6.0.6 Dapper)

Prepare the server

Do a standard install of ubuntu 6.0.6 LTS from the server cd. We need jdk on the server, you can now do this with apt if you have the multiverse repo enabled (edit /etc/apt/sources.list and uncomment the multiverse line)

apt-get install sun-java5-jdk ant 

Download SSL-Explorer from http://www.sshtools.com/showSslExplorerCommunity.do and untar

tar zxvf  sslexplorer-0.2.7_02-src.tar.gz #(Your version may be newer of course) cd  sslexplorer-0.2.7_02 sudo ant install 

This will compile the whole lot and eventually ask you to point your browser to http://yourhost:28080. Go there and follow the steps to configure your server. You can also choose to install the enterprise edition, which offers some more advanced features. Once you have finished, go back to the console and it should say "BUILD SUCCESSFUL".

Start up the server again by typing

sudo ant run 

in the sslexplorer directory,w ait a bit, then connect to https://yourhost - remember it may take a bit of time to start up, this confused me, and I thought there were errors and ended up reinstalling. Once you are happy, you can make it run on each boot by running

sudo ant install-service

This chucks rc files in the right places, now you can control it with sudo /etc/init.d/sslexplorer {start|stop|restart}

The rest of the configuration is fairly basic, you may want to get a CA signed certificate, I just used one from CACert - another good thing to do is "Enable HTTP redirect", this is in the "server" section when you log in as admin. If you dont do this, users will complain that the vpn is not working because they are using http:// instead of https:// - unless you feel like explaining https to hundreds of users, just enable this (you may not be able to because of a shortage of external ips etc, but do it if you can)

Clients need to have a Java runtime environment installed on the computers they are connecting from, again I used the Sun JRE because the app was developed with this, but you may find another that works OK.

AD Authentication

SSL Explorer can also do AD authentication, and its pretty easy. You will need to tell it to use AD during setup, theres not a way to change after setup. The steps are pretty simple:

• Create an AD service account, like sslexplorer
• Give the setup all the details it asks for, they are pretty self explanatory (Domain, DC hostname etc)
• Choose an admin user

Upgrading

Upgrading ssl explorer from an earlier version is reasonably painless as well, from the SSL-Explorer knowledge base: http://3sp.com/kb/idx/87/245/article/How_can_I_upgrade_to_a_newer_release_of_the_Community_Edition_source_code.html  . I found I had to stop the sslexplorer service, remove the service links, copy the old db and conf directories over to the new location, then run from there. After doing that, install the service links again, pointing to the new location:

cd ssl-explorer-0.2.7 sudo /etc/init.d/sslexplorer stop sudo ant uninstall-service cd .. tar zxvf ssl-explorer-0.2.9 cd ssl-explorer-0.2.9_4 cp /opt/ssl-explorer-0.2.7/sslexplorer/db /opt/sslexplorer-0.2.9_4/sslexplorer/ cp /opt/ssl-explorer-0.2.7/sslexplorer/conf /opt/sslexplorer-0.2.9_4/sslexplorer/ sudo ant start #Make sure it runs ok sudo ant install-service