How to Set up an OpenConnect VPN Server

Set up an OpenConnect VPN Server

Updating Your Server

Configuring Firewall Rules

Open only the ports for services this server actually runs; the VPN itself needs nothing beyond the TCP and UDP port set later in ocserv.conf (443 by default). Common service ports, for reference:

20 – FTP
21 – FTP
22 – SSH
25 – SMTP/EMAIL
26 – SMTP
53 – BIND/DNS
80 – HTTP / Apache Web server
110 – POP3/EMAIL
143 – IMAP
443 – HTTPS / Apache Web server SSL
465 – SMTP/EMAIL SSL/TLS
873 – RSYNC
993 – IMAP/EMAIL SSL
995 – POP3/EMAIL SSL
3306 – MYSQL

Install OpenConnect VPN Server

Generate SSL Certificates for OpenConnect VPN Server

Option 1: Generate Self-Signed SSL Certificates

Create a template for the CA certificate:

nano ca.tmpl

cn = "VPN CA"
organization = "your organization"
serial = 1
expiration_days = 3650
ca
signing_key
cert_signing_key
crl_signing_key

Generate the CA private key and the self-signed CA certificate:

certtool --generate-privkey --outfile ca-key.pem
certtool --generate-self-signed --load-privkey ca-key.pem --template ca.tmpl --outfile ca-cert.pem

Create a template for the server certificate:

nano server.tmpl

cn = "YOUR SERVER IP or FQDN"
organization = "your organization"
serial = 2
expiration_days = 3650
signing_key
encryption_key
tls_www_server

Generate the server private key and a server certificate signed by the CA:

certtool --generate-privkey --outfile server-key.pem
certtool --generate-certificate --load-privkey server-key.pem --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem --template server.tmpl --outfile server-cert.pem

Move the server certificate and key where ocserv will read them:

mv server-cert.pem server-key.pem /etc/ocserv/

Only the server files belong in /etc/ocserv. Keep ca-key.pem off the server, or at least root-only (mode 600): whoever holds it can issue certificates your clients will trust. Copy ca-cert.pem to each client so it can verify the server instead of accepting an unknown certificate.
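The Option 1 steps as one non-interactive script, with the checks a practitioner would want before handing the files to ocserv. This is an added example, not the article's own commands: it assumes certtool from gnutls-bin, takes the server CN, organization and output directory as arguments (the article works in the current directory and moves files to /etc/ocserv), generates keys with --sec-param=high, adds a Subject Alternative Name line (dns_name or ip_address, which the article's template lacks), verifies that the server certificate chains to the CA, and prints the CA fingerprint to distribute alongside ca-cert.pem.

```shell
#!/bin/sh
# make-vpn-certs.sh: the Option 1 steps as one non-interactive script.
# Added example, not the article's own commands. Assumes certtool (gnutls-bin).
# Arguments: server CN (IP or FQDN), organization, output directory.
set -eu

make_vpn_certs() {
    cn=$1; org=$2; out=$3
    mkdir -p "$out"
    umask 077   # keys and templates are created owner-readable only

    # Subject Alternative Name: clients check it, not just the CN
    # (an addition to the article's template; certtool accepts both forms).
    case $cn in
        *[!0-9.]*) san="dns_name = \"$cn\"" ;;
        *)         san="ip_address = \"$cn\"" ;;
    esac

    cat > "$out/ca.tmpl" <<EOF
cn = "VPN CA"
organization = "$org"
serial = 1
expiration_days = 3650
ca
signing_key
cert_signing_key
crl_signing_key
EOF
    cat > "$out/server.tmpl" <<EOF
cn = "$cn"
organization = "$org"
serial = 2
expiration_days = 3650
signing_key
encryption_key
tls_www_server
$san
EOF

    # CA key and self-signed CA certificate
    certtool --generate-privkey --sec-param=high --outfile "$out/ca-key.pem"
    certtool --generate-self-signed --load-privkey "$out/ca-key.pem" \
        --template "$out/ca.tmpl" --outfile "$out/ca-cert.pem"

    # server key and certificate signed by that CA
    certtool --generate-privkey --sec-param=high --outfile "$out/server-key.pem"
    certtool --generate-certificate --load-privkey "$out/server-key.pem" \
        --load-ca-certificate "$out/ca-cert.pem" --load-ca-privkey "$out/ca-key.pem" \
        --template "$out/server.tmpl" --outfile "$out/server-cert.pem"

    # refuse to ship a server certificate that does not chain to the CA
    certtool --verify --load-ca-certificate "$out/ca-cert.pem" \
        --infile "$out/server-cert.pem" >/dev/null

    # fingerprint to hand out with ca-cert.pem so clients can pin it
    certtool --fingerprint --hash=sha256 --infile "$out/ca-cert.pem"
}

# Usage: sh make-vpn-certs.sh vpn.example.com "Example Org" ./pki
if [ $# -eq 3 ]; then
    make_vpn_certs "$1" "$2" "$3"
fi
```

Copy server-cert.pem and server-key.pem into /etc/ocserv as in the step above; ca-key.pem stays in the output directory, which you should move off the server once the certificates exist.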

Option 2: Generate Let’s Encrypt SSL Certificates

Install certbot. The article uses the certbot PPA:

add-apt-repository -y ppa:certbot/certbot

(That PPA is no longer maintained; on current Ubuntu releases install certbot from the distribution packages or snap instead.)

Request a certificate with the DNS challenge. No web server on port 80 or 443 is needed, which matters here because ocserv itself will take port 443:

certbot certonly --manual --preferred-challenges dns -d vpn.yourdomain.com

certbot prints a token; publish it as a TXT record for the domain, wait for it to propagate, then let certbot continue:

_acme-challenge.vpn.yourdomain.com. 300 IN TXT "gfj9Xq...Rg85nM"

Configuring OpenConnect VPN Server

nano /etc/ocserv/ocserv.conf

Make the Following Changes to the File

Authentication: comment out the PAM line and use ocserv's own password file instead. Leave exactly one auth line active; ocserv treats several uncommented auth lines as methods that must all succeed.

#auth = "pam[gid-min=1000]"
auth = "plain[/etc/ocserv/ocpasswd]"

Certificate and key: replace the package defaults

server-cert = /etc/pki/ocserv/public/server.crt
server-key = /etc/pki/ocserv/private/server.key

with the self-signed pair from Option 1

server-cert = /etc/ocserv/server-cert.pem
server-key = /etc/ocserv/server-key.pem

or with the Let's Encrypt pair from Option 2

server-cert = /etc/letsencrypt/live/vpn.yourdomain.com/fullchain.pem
server-key = /etc/letsencrypt/live/vpn.yourdomain.com/privkey.pem

MTU discovery: uncomment and enable it.

try-mtu-discovery = true

DNS: uncomment tunnel-all-dns so clients send all DNS queries through the VPN.

tunnel-all-dns = true

Client address pool: change the default 192.168.1.0, which clashes with the LAN most clients sit on, to a private range that is not in use on either side. The netmask stays as it is.

ipv4-network = 10.12.0.0
ipv4-netmask = 255.255.255.0

DNS servers pushed to clients:

dns = 8.8.8.8
dns = 8.8.4.4

Routes: comment out every route and no-route line so all client traffic goes through the VPN (full tunnel).

#route = 192.168.1.0/255.255.255.0
#route = 192.168.5.0/255.255.255.0
#route = fd91:6d87:7341:db6a::/64
#no-route = 192.168.5.0/255.255.255.0

Ports:

# TCP and UDP port number
tcp-port = 443
udp-port = 443

On Ubuntu the package starts ocserv through a systemd socket unit, which owns the listening sockets. If you use a port other than 443, the ListenStream (and ListenDatagram, if present) values in the unit must match the ports above; run systemctl daemon-reload after editing it.

nano /lib/systemd/system/ocserv.socket

For a Let's Encrypt certificate, schedule renewal and restart ocserv afterwards so it loads the new files. The article adds a daily cron entry:

@daily certbot renew --quiet && systemctl restart ocserv

Two caveats. This restarts ocserv every day whether or not anything was renewed, dropping every VPN session; certbot renew --quiet --deploy-hook 'systemctl restart ocserv' runs the restart only after an actual renewal. And a certificate obtained with --manual and the DNS challenge cannot renew unattended unless certbot was also given a --manual-auth-hook that publishes the TXT record, so for the Option 2 certificate as issued above this cron job will fail at renewal time.

Enable NAT and IP Forwarding

Masquerade the VPN clients' traffic behind the server's public interface. Replace MAIN_INTERFACE_NAME with that interface (the one ip route lists for the default route):

iptables -t nat -A POSTROUTING -o MAIN_INTERFACE_NAME -j MASQUERADE

Save the rule so it survives a reboot:

apt-get -y install iptables-persistent
dpkg-reconfigure iptables-persistent

Enable IPv4 forwarding in /etc/sysctl.conf by uncommenting the line:

#net.ipv4.ip_forward=1
net.ipv4.ip_forward=1

Apply it without rebooting:

sysctl -p
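A pre-flight script that covers both the ocserv.conf edits above and this NAT step. It is an added example, not from the article: it reads ocserv.conf and the systemd socket unit, reports the mistakes those edits guard against (a second auth line left active, unreadable or world-readable certificate files, a port that does not match the socket unit, an invalid or home-LAN client subnet), and then prints MASQUERADE and FORWARD rules limited to the client subnet parsed from the config, rather than the article's unconditional MASQUERADE on the interface. The script name, argument order, the interface name eth0 and the FORWARD rules are assumptions; ocserv's tun interfaces are named after the device directive (vpns by default), which the rules use.

```shell
#!/bin/sh
# ocserv-preflight.sh: sanity-check ocserv.conf against the socket unit and
# emit NAT rules scoped to the VPN client subnet. Added example, not from the
# article. Usage (paths and interface are assumptions):
#   sh ocserv-preflight.sh /etc/ocserv/ocserv.conf /lib/systemd/system/ocserv.socket eth0

# conf_get KEY FILE: value of the last active "KEY = value" line, quotes
# stripped; commented-out lines such as '#auth = ...' do not match.
conf_get() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" "$2" \
        | tail -n 1 | sed 's/[[:space:]]*$//; s/^"//; s/"$//'
}

# mask_to_prefix DOTTED_MASK: 255.255.255.0 -> 24; fails on non-contiguous masks
mask_to_prefix() {
    prefix=0; ended=0
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in
            255) bits=8 ;; 254) bits=7 ;; 252) bits=6 ;; 248) bits=5 ;;
            240) bits=4 ;; 224) bits=3 ;; 192) bits=2 ;; 128) bits=1 ;;
            0)   bits=0 ;; *) return 1 ;;
        esac
        # once an octet is not all ones, every later octet must be 0
        [ $ended -eq 1 ] && [ $bits -ne 0 ] && return 1
        [ $bits -eq 8 ] || ended=1
        prefix=$((prefix + bits))
    done
    echo "$prefix"
}

fail() { echo "FAIL: $*"; problems=1; }

# check_ocserv CONF SOCKET_UNIT: one FAIL line per problem, non-zero if any
check_ocserv() {
    conf=$1; unit=$2; problems=0

    # Exactly one active auth line: ocserv requires every uncommented auth
    # method to succeed, so pam left active beside plain breaks every login.
    n=$(grep -c '^[[:space:]]*auth[[:space:]]*=' "$conf" || true)
    [ "$n" -eq 1 ] || fail "$n active auth lines; keep exactly one (all of them must pass)"

    # Certificate readable; private key not readable by group/others
    # (-L follows the Let's Encrypt live/ symlinks).
    cert=$(conf_get server-cert "$conf"); key=$(conf_get server-key "$conf")
    [ -r "$cert" ] || fail "server-cert not found: $cert"
    if [ -r "$key" ]; then
        [ "$(ls -ldL "$key" | cut -c5-10)" = "------" ] || fail "server-key $key is group/world readable"
    else
        fail "server-key not found: $key"
    fi

    # Ports must match the socket unit, which owns the listeners on Debian/Ubuntu.
    tcp=$(conf_get tcp-port "$conf"); udp=$(conf_get udp-port "$conf")
    if [ -r "$unit" ]; then
        ls_port=$(sed -n 's/^ListenStream=//p' "$unit" | tail -n 1)
        ld_port=$(sed -n 's/^ListenDatagram=//p' "$unit" | tail -n 1)
        [ -z "$ls_port" ] || [ "$ls_port" = "$tcp" ] || fail "tcp-port=$tcp but ListenStream=$ls_port in $unit"
        [ -z "$ld_port" ] || [ "$ld_port" = "$udp" ] || fail "udp-port=$udp but ListenDatagram=$ld_port in $unit"
    fi

    # Client pool: contiguous netmask, and not the subnet most home LANs use.
    net=$(conf_get ipv4-network "$conf"); mask=$(conf_get ipv4-netmask "$conf")
    mask_to_prefix "$mask" >/dev/null || fail "ipv4-netmask invalid: '$mask'"
    case $net in
        192.168.0.0|192.168.1.0) fail "ipv4-network $net collides with typical home LANs" ;;
    esac
    return $problems
}

# nat_rules CONF IFACE: NAT and forwarding limited to the client subnet
nat_rules() {
    net=$(conf_get ipv4-network "$1"); mask=$(conf_get ipv4-netmask "$1")
    dev=$(conf_get device "$1"); dev=${dev:-vpns}   # ocserv's tun name prefix
    prefix=$(mask_to_prefix "$mask") || return 1
    cat <<EOF
iptables -t nat -A POSTROUTING -s $net/$prefix -o $2 -j MASQUERADE
iptables -A FORWARD -i $dev+ -s $net/$prefix -o $2 -j ACCEPT
iptables -A FORWARD -i $2 -o $dev+ -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
EOF
}

if [ $# -eq 3 ]; then
    check_ocserv "$1" "$2" || exit 1
    nat_rules "$1" "$3"
fi
```

Run it as root before restarting ocserv; if it prints no FAIL lines, the three iptables commands it emits can replace the single MASQUERADE rule above and be saved with iptables-persistent in the same way.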

Create and Manage Users

Adding a User

ocpasswd writes to the password file named in the auth line (-c gives its path) and prompts for the password; running it again for an existing user sets a new password.

ocpasswd -c /etc/ocserv/ocpasswd testuser

Locking a User

ocpasswd -c /etc/ocserv/ocpasswd -l username

Unlocking a User

ocpasswd -c /etc/ocserv/ocpasswd -u username

Deleting a User

ocpasswd -c /etc/ocserv/ocpasswd -d username

Connect to Your VPN Server

Original Source

Alibaba Cloud
