How to Set up an OpenConnect VPN Server

Image for post
Image for post

By Abdulaziz Gebril, Alibaba Cloud Community Blog author.

OpenConnect VPN server is an SSL VPN server follows the OpenConnect protocol and is compatible with CISCO’s AnyConnect SSL VPN protocol. It provides the user management interfaces and back-end configurations necessary in enterprise environments as well as some powerful security features.

In this tutorial, you will be learning how to set up an OpenConnect VPN server in the cloud.

Set up an OpenConnect VPN Server

In this tutorial, you will need a server installed with Ubuntu 18, which we should you how to update, that should have at least 512 MB of RAM. In the case that you will use Let’s Encrypt SSL Certificates for your OpenConnect VPN server, you will also need a pointed domain to the Public IP address of your server. More on this below. Last, in this tutorial, you’ll be configuring inbound and outbound firewall rules.

Updating Your Server

To ensure that your server is up to date, you can use the apt-get -y update command.

Configuring Firewall Rules

Firewall rules define what kind of Internet traffic is allowed or blocked. You can think of it as an additional protection layer provided by your hosting provider to take control of your traffic.

If your hosting provider asks you to configure the firewall rules of your traffic (Skip if not), you have to configure your firewall rules to allow your traffic though their network. Here is a list of mostly used default ports on servers:

20 – FTP
21 – FTP
22 – SSH
25 – SMTP/EMAIL
26 – SMTP
53 – BIND/DNS
80 – HTTP / Apache Web server
110 – POP3/EMAIL
143 – IMAP
443 – HTTPS / Apache Web server SSL
465 – SMTP/EMAIL SSL/TLS
873 – RSYNC
993 – IMAP/EMAIL SSL
995 – POP3/EMAIL SSL
3306 – MYSQL

The default ports used by OpenConnect VPN are the following:

ProtocolPortTCP443UDP443

Install OpenConnect VPN Server

We can start the installation of our VPN Server by using the apt-get -y install ocserv command to install OpenConnect VPN Server and its dependencies.

Generate SSL Certificates for OpenConnect VPN Server

You can use self-signed certificates or obtain a certificate from a trusted external certificate authority (CA). In this tutorial, i will explain how to generate Self-signed SSL certificates and Let’s Encrypt SSL Certificates (free & trusted). You can choose one of them to be used for your OpenConnect VPN Server.

Using Let’s Encrypt SSL Certificates is recommended, it’s secure and trusted certificate authority (CA). Be a ware that self-signed certificate is not trusted by operating systems, so the VPN client must skip certificate checking or confirm the certificate warning and allow the connection to be made to the VPN server.

Option 1: Generate Self-Signed SSL Certificates

We have to install GnuTLS package which we will use to create keys and certificates for the VPN server. To do this, use the apt-get -y install gnutls-bin command. Also, create a folder to build your certificates there by using the mkdir /root/certificates command. Then, navigate to the certificates directory: cd /root/certificates.

We need to create CA template with a file named ca.tmpl by using the nano ca.tmpl command. Then, put the following into the file and change “cn” and “organization” to your own.

cn = "VPN CA"  
organization = "your organization"
serial = 1
expiration_days = 3650
ca
signing_key
cert_signing_key
crl_signing_key

Save the file and exit. Next, let’s generate the CA key and certificate. Use the command below:

certtool --generate-privkey --outfile ca-key.pem

Then use:

certtool --generate-self-signed --load-privkey ca-key.pem --template ca.tmpl --outfile ca-cert.pem

We also need to create Server template with a file named server.tmpl by using the following command:

nano server.tmpl

Then put the following into the file and change “cn” and “organization” to your own. The “cn” field must match the FQDN or IP address of your server.

cn = "YOUR SERVER IP or FQDN"  
organization = "your organization"
serial = 2
expiration_days = 3650
signing_key
encryption_key
tls_www_server

Save the file and exit. Then, let’s generate the Server key and certificate. Use the command below:

certtool --generate-privkey --outfile server-key.pem

Then use:

certtool --generate-certificate --load-privkey server-key.pem --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem --template server.tmpl --outfile server-cert.pem

Move certificates from certificates directory to the ocserv config directory.

mv server-cert.pem server-key.pem /etc/ocserv/

Option 2: Generate Let’s Encrypt SSL Certificates

Let’s Encrypt is a free, automated, and open Certificate Authority (CA). It allows anyone to obtain a free SSL certificate within minutes. Certificates from Let’s Encrypt are trusted by most modern operating systems and browsers.

For this part, we are going to use Certbot which is EFF’s tool to obtain certs from Let’s Encrypt.

Before you begin, make sure you have a Fully Qualified Domain Name (FQDN) with a DNS A record pointing to the Public IP address of your server, Let’s Encrypt certificate authority will not issue certificates for IP address.

First, we will get the latest version of certbot from the official PPA by using the following command:

add-apt-repository -y ppa:certbot/certbot

Update our system with the apt-get -y update command, then install certbot tool using the apt-get -y install certbot command.

Let’s Encrypt validates that you control the domain(s) you are requesting a certificate for.

We are going to use the dns challenge to prove you have control over a domain, certbot will ask you to place a TXT DNS record with specific contents under the domain name consisting of the hostname for which you want a certificate issued, prepended by _acme-challenge.

For example, for the hostname vpn.yourdomain.com, a zone file entry would look like:

_acme-challenge.vpn.yourdomain.com. 300 IN TXT "gfj9Xq...Rg85nM"

To start the process of generating Let’s Encrypt SSL Certificate, use the following command:

certbot certonly --manual --preferred-challenges dns -d vpn.yourdomain.com

And it’s easy from there.

Configuring OpenConnect VPN Server

Edit /etc/ocserv/ocserv.conf file by using the command below:

nano /etc/ocserv/ocserv.conf

Make the Following Changes to the File

By default, PAM authentication is enabled for the VPN users. In this tutorial, we will configure our VPN server to use password authentication for users. We can do that by commenting out this line:

auth = "pam[gid-min=1000]"

To be like this:

#auth = "pam[gid-min=1000]"

Then add this line:

auth = "plain[/etc/ocserv/ocpasswd]"

Next, find the following lines:

server-cert = /etc/pki/ocserv/public/server.crt
server-key = /etc/pki/ocserv/private/server.key

In case you choose to use self-signed SSL certificate for your OpenConnect VPN Server, then replace these lines with:

server-cert = /etc/ocserv/server-cert.pem
server-key = /etc/ocserv/server-key.pem

In case you choose to use Let’s Encrypt SSL certificate for your OpenConnect VPN Server, then replace these lines with:

server-cert = /etc/letsencrypt/live/vpn.yourdomain.com/fullchain.pem
server-key = /etc/letsencrypt/live/vpn.yourdomain.com/privkey.pem

Next, we will enable MTU discovery by changing the value of:

try-mtu-discovery

From false to true, to be like this:

try-mtu-discovery = true

Next, we will enable tunneling all DNS queries via the VPN server. We can do that by uncommenting this line:

#tunnel-all-dns = true

To be like this:

tunnel-all-dns = true

Most home networks are using the range 192.168.1.0/24 as a private IP address range, to avoid IP address collision, we will use another private range 10.12.0.0/24 for our VPN. To do that, find the following lines:

ipv4-network = 192.168.1.0
ipv4-netmask = 255.255.255.0

and change the value of ipv4-network to be like this:

ipv4-network = 10.12.0.0

Next, we will change the DNS resolver of our VPN by finding the dns field and replace it with the DNS resolver that you want. We can use Google DNS resolver like below:

dns = 8.8.8.8
dns = 8.8.4.4

Next, comment out all route fields:

route = 192.168.1.0/255.255.255.0
#route = 192.168.5.0/255.255.255.0
route = fd91:6d87:7341:db6a::/64
no-route = 192.168.5.0/255.255.255.0

To be like this:

#route = 192.168.1.0/255.255.255.0
#route = 192.168.5.0/255.255.255.0
#route = fd91:6d87:7341:db6a::/64
#no-route = 192.168.5.0/255.255.255.0

The default port used by OpenConnect VPN is 443. Normally a port can only be used by one service. In case you want to use port 443 for another service such as running HTTPS websites on it, then you have to change ocserv listening port number to avoid conflicts.

You can do that by re-editing the /etc/ocserv/ocserv.conf file, then find the following lines and change 443 to the desired port number.

# TCP and UDP port number
tcp-port = 443
udp-port = 443

Also edit /lib/systemd/system/ocserv.socket file:

nano /lib/systemd/system/ocserv.socket

Then, change ListenStream 443 and ListenDatagram 443 to the same port number, then run the systemctl daemon-reload command.

After making these changes, save the file and exit, then restart the OpenConnect VPN server for the changes to take effect. You can do this by running the systemctl restart ocserv command.

If you choose to use Let’s Encrypt SSL certificate for your OpenConnect VPN Server. We can Auto-Renew Let’s Encrypt Certificate by creating system task using the crontab -e

Then, add the following line at the end of the file. It will renew the certificate and restart the VPN server to pick up new certificate and key file.

@daily certbot renew --quiet && systemctl restart ocserv

Enable NAT and IP Forwarding

First, you need to know the name of your main network interface by using the ifconfig command. The output will look like the following:

Image for post
Image for post

From the above output you can see, it’s named eth0 on my server. Now use the command below to Enable NAT:

iptables -t nat -A POSTROUTING -o MAIN_INTERFACE_NAME -j MASQUERADE

Replace MAIN_INTERFACE_NAME with the name of your main network interface. Next, to make your iptables changes persist across server reboots, we will install iptables-persistent package using the following command:

apt-get -y install iptables-persistent

Then run the command:

dpkg-reconfigure iptables-persistent

Select YES and press enter at the dialog, so that the iptables settings will be re-applied automatically if the server reboots.

Image for post
Image for post

Next, we will allow IP forwarding by editing /etc/sysctl.conf file nano /etc/sysctl.conf, and then Uncomment this line:

#net.ipv4.ip_forward=1

To be like this:

net.ipv4.ip_forward=1

Save the file and exit, then use the command so that change can take effect.

sysctl -p

Create and Manage Users

In order to do that, we will use openconnect password (ocpasswd) utility. It allows the generation and handling of the password authentication used by OpenConnect VPN Server.

Adding a User

We can create users for our VPN by using the command below. For example we will create a user named “testuser”.

ocpasswd -c /etc/ocserv/ocpasswd testuser

You will be asked to set a password for the user and to confirm it. We can use the same command to reset the password of the user.

Locking a User

Prevents the specified user from logging in by locking its password.

ocpasswd -c /etc/ocserv/ocpasswd -l username

Unlocking a User

Re−enables login for the specified user by unlocking its password.

ocpasswd -c /etc/ocserv/ocpasswd -u username

Deleting a User

Deletes the specified user from the VPN server.

ocpasswd -c /etc/ocserv/ocpasswd -d username

Connect to Your VPN Server

To start using your VPN, you can connect using any VPN client that is compatible with CISCO AnyConnect SSL VPN protocol.

The following links are some options:

Original Source

Written by

Follow me to keep abreast with the latest technology news, industry insights, and developer trends.

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store