How do you set up an OpenConnect VPN server?

OpenConnect VPN server (ocserv) is an SSL VPN server that follows the OpenConnect protocol and is compatible with Cisco's AnyConnect SSL VPN protocol. It provides the user management interfaces and back-end configuration needed in enterprise environments, as well as some powerful security features. Here is a step-by-step example of setting up an OpenConnect VPN server:

Updating Your Server

To ensure that your server is up to date, you can use the apt-get -y update command.

Configuring Firewall Rules

Firewall rules define what kind of Internet traffic is allowed or blocked. You can think of it as an additional protection layer provided by your hosting provider to take control of your traffic.

If your hosting provider asks you to configure the firewall rules for your traffic (skip this step if not), you have to configure the rules to allow your traffic through their network. Here is a list of the most commonly used default ports on servers:

  •  20   –   FTP
  •  21   –   FTP
  •  22   –   SSH
  •  25   –   SMTP/EMAIL
  •  26   –   SMTP
  •  53   –   BIND/DNS
  •  80   –   HTTP / Apache Web server
  •  110   –   POP3/EMAIL
  •  143   –   IMAP
  •  443   –   HTTPS / Apache Web server SSL
  •  465   –   SMTP/EMAIL SSL/TLS
  •  873   –   RSYNC
  •  993   –   IMAP/EMAIL SSL
  •  995   –   POP3/EMAIL SSL
  •  3306   –   MYSQL

The default port used by OpenConnect VPN is 443 (TCP and UDP).

For Alibaba Cloud customers, you can do that by creating a security group and adding security group rules to allow connections on these ports.

Install OpenConnect VPN Server

We can start the installation of our VPN Server by using the apt-get -y install ocserv command to install OpenConnect VPN Server and its dependencies.

Generate SSL Certificates for OpenConnect VPN Server

You can use self-signed certificates or obtain a certificate from a trusted external certificate authority (CA). In this tutorial, I will explain how to generate self-signed SSL certificates and Let's Encrypt SSL certificates (free and trusted). You can choose either of them for your OpenConnect VPN server.

Using Let's Encrypt SSL certificates is recommended, as Let's Encrypt is a secure and trusted certificate authority (CA). Be aware that a self-signed certificate is not trusted by operating systems, so the VPN client must skip certificate checking or confirm the certificate warning before the connection to the VPN server can be made.

Make the Following Changes to the ocserv Configuration File

By default, PAM authentication is enabled for VPN users. In this tutorial, we will configure our VPN server to use password-file (plain) authentication for users. In /etc/ocserv/ocserv.conf, we can do that by commenting out this line:

    auth = "pam[gid-min=1000]"

To be like this:

    #auth = "pam[gid-min=1000]"

Then add this line:

    auth = "plain[/etc/ocserv/ocpasswd]"

Next, find the following lines:

    server-cert = /etc/pki/ocserv/public/server.crt
    server-key = /etc/pki/ocserv/private/server.key

If you choose to use a self-signed SSL certificate for your OpenConnect VPN server, replace these lines with:

    server-cert = /etc/ocserv/server-cert.pem
    server-key = /etc/ocserv/server-key.pem

If you choose to use a Let's Encrypt SSL certificate for your OpenConnect VPN server, replace these lines with:

    server-cert = /etc/letsencrypt/live/vpn.yourdomain.com/fullchain.pem
    server-key = /etc/letsencrypt/live/vpn.yourdomain.com/privkey.pem

Next, we will enable MTU discovery by changing the value of try-mtu-discovery from false to true, so that the line reads:

    try-mtu-discovery = true

Next, we will enable tunneling all DNS queries via the VPN server. We can do that by uncommenting this line:

    #tunnel-all-dns = true

To be like this:

    tunnel-all-dns = true

Most home networks use the range 192.168.1.0/24 as their private IP address range. To avoid IP address collisions, we will use another private range, 10.12.0.0/24, for our VPN. To do that, find the following lines:

    ipv4-network = 192.168.1.0
    ipv4-netmask = 255.255.255.0

and change the value of ipv4-network to be like this:

    ipv4-network = 10.12.0.0

Next, we will change the DNS resolver of our VPN by finding the dns field and replacing its value with the DNS resolver that you want. We can use the Google DNS resolvers like below:

    dns = 8.8.8.8
    dns = 8.8.4.4

Next, comment out all route fields:

    route = 192.168.1.0/255.255.255.0
    #route = 192.168.5.0/255.255.255.0
    route = fd91:6d87:7341:db6a::/64
    no-route = 192.168.5.0/255.255.255.0

To be like this:

    #route = 192.168.1.0/255.255.255.0
    #route = 192.168.5.0/255.255.255.0
    #route = fd91:6d87:7341:db6a::/64
    #no-route = 192.168.5.0/255.255.255.0
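As an added example (not code from the article or the ocserv project), the following POSIX shell script applies the edits above to a copy of ocserv.conf with awk and then checks the result. The sample config, the temporary file handling and the hostname vpn.example.com are constructed for the demo; the certificate paths follow the article's Let's Encrypt layout.

```shell
#!/bin/sh
# Added example (not from the article): apply the ocserv.conf edits described
# above with awk, then verify them. Paths are the article's; the hostname and
# the sample config are constructed for the demo.

# Constructed sample of the stock /etc/ocserv/ocserv.conf lines the article edits.
make_sample_conf() {
  cat > "$1" <<'EOF'
auth = "pam[gid-min=1000]"
server-cert = /etc/pki/ocserv/public/server.crt
server-key = /etc/pki/ocserv/private/server.key
try-mtu-discovery = false
#tunnel-all-dns = true
ipv4-network = 192.168.1.0
dns = 192.168.1.2
route = 192.168.1.0/255.255.255.0
route = fd91:6d87:7341:db6a::/64
no-route = 192.168.5.0/255.255.255.0
EOF
}

# harden_conf FILE HOST: rewrite FILE with the article's settings, using the
# Let's Encrypt certificate paths for HOST (e.g. vpn.yourdomain.com).
harden_conf() {
  awk -v host="$2" '
    /^auth = "pam/       { print "#" $0; print "auth = \"plain[/etc/ocserv/ocpasswd]\""; next }
    /^server-cert = /    { print "server-cert = /etc/letsencrypt/live/" host "/fullchain.pem"; next }
    /^server-key = /     { print "server-key = /etc/letsencrypt/live/" host "/privkey.pem"; next }
    /^try-mtu-discovery/ { print "try-mtu-discovery = true"; next }
    /^#tunnel-all-dns/   { print "tunnel-all-dns = true"; next }
    /^ipv4-network = /   { print "ipv4-network = 10.12.0.0"; next }
    /^dns = /            { if (seen++) next; print "dns = 8.8.8.8"; print "dns = 8.8.4.4"; next }
    /^(no-)?route = /    { print "#" $0; next }
    { print }
  ' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# check_conf FILE: succeed only if every expected setting is active and no
# PAM auth or split-tunnel route line remains.
check_conf() {
  grep -qx 'auth = "plain\[/etc/ocserv/ocpasswd\]"' "$1" &&
  ! grep -q '^auth = "pam' "$1" &&
  grep -qx 'try-mtu-discovery = true' "$1" &&
  grep -qx 'tunnel-all-dns = true' "$1" &&
  grep -qx 'ipv4-network = 10.12.0.0' "$1" &&
  [ "$(grep -c '^dns = ' "$1")" -eq 2 ] &&
  ! grep -Eq '^(no-)?route = ' "$1"
}

if [ $# -eq 2 ]; then harden_conf "$1" "$2" && check_conf "$1"; fi   # sh script.sh CONF HOST
```

Run it against a copy of the real file first and diff the result before restarting ocserv.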

The default port used by OpenConnect VPN is 443. Normally a port can only be used by one service. If you want to use port 443 for another service, such as running HTTPS websites on it, you have to change the ocserv listening port to avoid conflicts.

You can do that by re-editing the /etc/ocserv/ocserv.conf file, then find the following lines and change 443 to the desired port number.

    # TCP and UDP port number
    tcp-port = 443
    udp-port = 443

Also edit the /lib/systemd/system/ocserv.socket file:

    nano /lib/systemd/system/ocserv.socket

Then change ListenStream=443 and ListenDatagram=443 to the same port number, and run the systemctl daemon-reload command.

After making these changes, save the file and exit, then restart the OpenConnect VPN server for the changes to take effect. You can do this by running the systemctl restart ocserv command.

If you choose to use a Let's Encrypt SSL certificate for your OpenConnect VPN server, you can auto-renew it by creating a scheduled task with crontab -e. Then add the following line at the end of the file. It will renew the certificate and restart the VPN server to pick up the new certificate and key file:

    @daily certbot renew --quiet && systemctl restart ocserv

Enable NAT and IP Forwarding

First, you need to know the name of your main network interface by using the ifconfig command.

From the output of that command, you can see that it's named eth0 on my server. Now use the command below to enable NAT:

    iptables -t nat -A POSTROUTING -o MAIN_INTERFACE_NAME -j MASQUERADE

Replace MAIN_INTERFACE_NAME with the name of your main network interface. Next, to make your iptables changes persist across server reboots, install the iptables-persistent package using the following command:

    apt-get -y install iptables-persistent

Then run the command:

    dpkg-reconfigure iptables-persistent

Select YES and press enter at the dialog, so that the iptables settings will be re-applied automatically if the server reboots.

Next, we will allow IP forwarding by editing the /etc/sysctl.conf file (nano /etc/sysctl.conf) and uncommenting this line:

    #net.ipv4.ip_forward=1

To be like this:

    net.ipv4.ip_forward=1

Save the file and exit, then run the following command so that the change takes effect:

    sysctl -p

Create and Manage Users

To do that, you can use the OpenConnect password utility (ocpasswd). It generates and manages the password file used for password authentication by the OpenConnect VPN server.

Connect to Your VPN Server

To start using your VPN, you can connect using any VPN client that is compatible with CISCO AnyConnect SSL VPN protocol.
