How to Set up an OpenConnect VPN Server

Set up an OpenConnect VPN Server

In this tutorial you will need a server running Ubuntu 18.04 (we show you how to update it below) with at least 512 MB of RAM. If you want to use Let’s Encrypt certificates for your OpenConnect VPN server, you will also need a domain name whose A record points to the public IP address of your server; more on this below. Finally, you will be configuring inbound and outbound firewall rules.

Updating Your Server

To ensure that your server is up to date, run apt-get update to refresh the package lists and then apt-get -y upgrade to install the pending updates (apt-get -y update on its own only refreshes the lists and installs nothing).

Configuring Firewall Rules

Firewall rules define which inbound and outbound traffic is allowed or blocked. Many hosting providers offer a firewall in front of the server as an additional protection layer; on the host itself, iptables does the same job. The ports commonly opened on a server are listed below. For this tutorial the VPN only needs inbound TCP 443 and UDP 443 (the ports configured later in ocserv.conf) plus TCP 22 for SSH; leave everything else closed unless you actually run that service.

20 – FTP (data)
21 – FTP (control)
22 – SSH
25 – SMTP/EMAIL
26 – SMTP (alternative port used by some hosting providers)
53 – BIND/DNS
80 – HTTP / Apache Web server
110 – POP3/EMAIL
143 – IMAP
443 – HTTPS / Apache Web server SSL (also the OpenConnect VPN port in this tutorial, TCP and UDP)
465 – SMTP/EMAIL SSL/TLS
873 – RSYNC
993 – IMAP/EMAIL SSL
995 – POP3/EMAIL SSL
3306 – MYSQL

Install OpenConnect VPN Server

We can start the installation of our VPN Server by using the apt-get -y install ocserv command to install OpenConnect VPN Server and its dependencies.

Generate SSL Certificates for OpenConnect VPN Server

You can use self-signed certificates or obtain a certificate from a trusted external certificate authority (CA). In this tutorial, I will explain how to generate self-signed certificates and how to obtain Let’s Encrypt certificates (free and trusted). Choose one of the two for your OpenConnect VPN server. A self-signed certificate is fine when you control every client and can install the CA certificate on each of them; a Let’s Encrypt certificate is trusted by clients out of the box and is the better choice when you cannot.

Option 1: Generate Self-Signed SSL Certificates

Install the GnuTLS tools, which we will use to create keys and certificates for the VPN server, with the apt-get -y install gnutls-bin command. Then create a directory to build the certificates in and change into it:

mkdir /root/certificates
cd /root/certificates

First create a template for the CA certificate (nano ca.tmpl) with the following contents:

cn = "VPN CA"
organization = "your organization"
serial = 1
expiration_days = 3650
ca
signing_key
cert_signing_key
crl_signing_key

Generate the CA private key and the self-signed CA certificate from that template:

certtool --generate-privkey --outfile ca-key.pem
certtool --generate-self-signed --load-privkey ca-key.pem --template ca.tmpl --outfile ca-cert.pem

Next create the template for the server certificate:

nano server.tmpl

Replace cn with the public IP address or the FQDN that clients will connect to. Note that current clients match the host name against a Subject Alternative Name (a dns_name or ip_address entry in the template) rather than against cn, so add one for the same name if your client refuses the certificate.

cn = "YOUR SERVER IP or FQDN"
organization = "your organization"
serial = 2
expiration_days = 3650
signing_key
encryption_key
tls_www_server

Generate the server key and sign the server certificate with your CA:

certtool --generate-privkey --outfile server-key.pem
certtool --generate-certificate --load-privkey server-key.pem --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem --template server.tmpl --outfile server-cert.pem

Move the server certificate and key into place for ocserv:

mv server-cert.pem server-key.pem /etc/ocserv/

Keep ca-key.pem private (anyone holding it can issue certificates every client trusting this CA will accept) and make the server key readable by root only (mode 600). Since no public CA vouches for this certificate, clients will need a copy of ca-cert.pem to verify the server instead of clicking through a warning.
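As an added example (this is not code from the original tutorial), the script below wraps the self-signed steps above into one script. It writes both templates, gives the server certificate a Subject Alternative Name for the host name and an optional IP address, which current OpenConnect and AnyConnect clients check instead of cn, and shortens its validity from 3650 to 825 days, the longest that iOS 13 and macOS 10.15 onwards accept for a TLS server certificate even from a user-installed CA. It then runs the same certtool commands. VPN_HOST, VPN_IP, CERT_DIR and RUN_CERTS are assumed environment variables.

```shell
#!/bin/sh
# Added example, not the tutorial's own code. Generates the ocserv CA and
# server certificate with certtool (gnutls-bin), adding Subject Alternative
# Names. Assumed inputs: VPN_HOST (FQDN), VPN_IP (optional), CERT_DIR.
set -eu

# Write ca.tmpl and server.tmpl into $1 for host $2 and optional IP $3.
write_templates() {
    tdir=$1; host=$2; ip=${3:-}
    mkdir -p "$tdir"
    cat > "$tdir/ca.tmpl" <<'EOF'
cn = "VPN CA"
organization = "your organization"
serial = 1
expiration_days = 3650
ca
signing_key
cert_signing_key
crl_signing_key
EOF
    {
        printf 'cn = "%s"\n' "$host"
        printf 'organization = "your organization"\n'
        printf 'serial = 2\n'
        # 825 days: the longest validity iOS 13+/macOS 10.15+ accept for a
        # TLS server certificate, even one issued by a user-installed CA.
        printf 'expiration_days = 825\n'
        # SAN entries: clients match the host they connect to against these,
        # not against cn.
        printf 'dns_name = "%s"\n' "$host"
        if [ -n "$ip" ]; then printf 'ip_address = "%s"\n' "$ip"; fi
        printf 'signing_key\nencryption_key\ntls_www_server\n'
    } > "$tdir/server.tmpl"
}

# Run the certtool steps from the tutorial inside $1 (needs gnutls-bin).
generate_certs() {
    cd "$1"
    certtool --generate-privkey --sec-param high --outfile ca-key.pem
    certtool --generate-self-signed --load-privkey ca-key.pem \
        --template ca.tmpl --outfile ca-cert.pem
    certtool --generate-privkey --sec-param high --outfile server-key.pem
    certtool --generate-certificate --load-privkey server-key.pem \
        --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem \
        --template server.tmpl --outfile server-cert.pem
    # Private keys must not be world-readable; the CA key never leaves here.
    chmod 600 ca-key.pem server-key.pem
    # Print the SAN and expiry so a typo is caught before installation.
    certtool --certificate-info --infile server-cert.pem \
        | grep -E 'DNSname|IPAddress|Not After'
}

# Install the server cert and key where ocserv.conf will point to them.
install_certs() {
    cp "$1/server-cert.pem" "$1/server-key.pem" /etc/ocserv/
    chmod 600 /etc/ocserv/server-key.pem
}

main() {
    dir=${CERT_DIR:-/root/certificates}
    write_templates "$dir" "$VPN_HOST" "${VPN_IP:-}"
    generate_certs "$dir"
    install_certs "$dir"
}

if [ "${RUN_CERTS:-0}" = 1 ]; then main; fi
```

Run it as root with, for example, VPN_HOST=vpn.yourdomain.com RUN_CERTS=1 sh gen-certs.sh; the ca-cert.pem it leaves in CERT_DIR is the file to distribute to clients.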

Option 2: Generate Let’s Encrypt SSL Certificates

Let’s Encrypt is a free, automated, and open Certificate Authority (CA). It issues certificates within minutes, and they are trusted by most modern operating systems and browsers, so clients need no extra configuration. Add the certbot PPA (the installation method for Ubuntu 18.04 at the time of writing), then refresh the package lists with apt-get update and install the certbot package with apt-get:

add-apt-repository -y ppa:certbot/certbot

Request a certificate for your VPN host name using the DNS challenge:

certbot certonly --manual --preferred-challenges dns -d vpn.yourdomain.com

certbot prints a token and asks you to publish it as a TXT record at _acme-challenge under your host name, for example:

_acme-challenge.vpn.yourdomain.com. 300 IN TXT "gfj9Xq...Rg85nM"

Create that record at your DNS provider, wait until public resolvers return it, then press Enter. The certificate chain and key are written to /etc/letsencrypt/live/vpn.yourdomain.com/ as fullchain.pem and privkey.pem. One caveat: because the DNS challenge was completed by hand, certbot renew cannot renew this certificate unattended unless you pass --manual-auth-hook with a script that publishes the record for you. Since ocserv does not use port 80, the alternative is to allow inbound TCP 80 and request the certificate with --standalone and the http challenge, which renews automatically.

Configuring OpenConnect VPN Server

Edit /etc/ocserv/ocserv.conf file by using the command below:

nano /etc/ocserv/ocserv.conf

Make the Following Changes to the File

By default, PAM authentication is enabled for the VPN users. In this tutorial we will configure our VPN server to use its own password file instead (created later with ocpasswd), so that VPN accounts are separate from system accounts. Comment out the PAM line and add the plain authentication line:

#auth = "pam[gid-min=1000]"
auth = "plain[/etc/ocserv/ocpasswd]"

Next point ocserv at the certificate you generated. The file ships with placeholder paths such as:

server-cert = /etc/pki/ocserv/public/server.crt
server-key = /etc/pki/ocserv/private/server.key

For the self-signed certificates from Option 1, change them to:

server-cert = /etc/ocserv/server-cert.pem
server-key = /etc/ocserv/server-key.pem

For the Let’s Encrypt certificates from Option 2, use the live paths instead (these are symlinks that certbot keeps pointing at the newest certificate, so do not copy the files elsewhere):

server-cert = /etc/letsencrypt/live/vpn.yourdomain.com/fullchain.pem
server-key = /etc/letsencrypt/live/vpn.yourdomain.com/privkey.pem

Enable MTU discovery so that the tunnel does not silently fragment or drop large packets:

try-mtu-discovery = true

Uncomment tunnel-all-dns so that clients send every DNS query through the tunnel instead of leaking it to the resolver of whatever network they are on:

#tunnel-all-dns = true
tunnel-all-dns = true

Choose the private subnet that VPN clients get their addresses from. The default, 192.168.1.0, is the most common home LAN range and would collide with the networks your clients sit on, so we change it; the netmask stays /24:

ipv4-network = 10.12.0.0
ipv4-netmask = 255.255.255.0

Set the DNS servers pushed to clients (Google Public DNS here; substitute your own resolver if you prefer):

dns = 8.8.8.8
dns = 8.8.4.4

The route and no-route directives decide which destinations clients send through the tunnel. The sample file routes a few example networks:

route = 192.168.1.0/255.255.255.0
#route = 192.168.5.0/255.255.255.0
route = fd91:6d87:7341:db6a::/64
no-route = 192.168.5.0/255.255.255.0

To make this a full tunnel, where all client traffic goes through the VPN, comment out every route and no-route line; with no routes configured, ocserv pushes a default route to the client:

#route = 192.168.1.0/255.255.255.0
#route = 192.168.5.0/255.255.255.0
#route = fd91:6d87:7341:db6a::/64
#no-route = 192.168.5.0/255.255.255.0

Finally, make sure the server listens on port 443 for both TCP and UDP (UDP carries the faster DTLS data channel; 443 is chosen because the traffic then looks like ordinary HTTPS and passes most restrictive networks):

# TCP and UDP port number
tcp-port = 443
udp-port = 443

On Ubuntu the ocserv package is started through systemd socket activation, so the listening ports are also defined in the socket unit:

nano /lib/systemd/system/ocserv.socket

If you ever choose a port other than 443, change the ListenStream and ListenDatagram entries in that file to the same port and run systemctl daemon-reload afterwards. Restart the service (systemctl restart ocserv) so that the new configuration takes effect.

If you use Let’s Encrypt, remember that the certificate expires after 90 days and that ocserv only reads it at startup. Add an entry to root’s crontab (crontab -e) that renews the certificate and restarts the service:

@daily certbot renew --quiet && systemctl restart ocserv

Because certbot renew exits successfully even when nothing was due, this restarts ocserv, and drops every connected client, once a day. To restart only after an actual renewal, run certbot renew with --deploy-hook "systemctl restart ocserv" instead of the && chain. As noted above, a certificate obtained with --manual will not renew unattended at all without a --manual-auth-hook.
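As an added example, not the tutorial’s own file, the excerpt below shows the ocserv.conf directives as they should read after the changes above, together with a few hardening settings the tutorial does not mention: connection limits, automatic lock-out of sources that keep guessing passwords (with these values, five wrong passwords ban the source address for ban-reset-time seconds), and a TLS priority string that refuses SSLv3 and TLS 1.0/1.1. It assumes the Option 1 certificate paths and the 10.12.0.0/24 subnet used above; every other line of the shipped file stays as it is.

```ini
# /etc/ocserv/ocserv.conf (excerpt) - added example, not the tutorial's file.
# Assumes the self-signed certificate paths and the 10.12.0.0/24 subnet.
auth = "plain[/etc/ocserv/ocpasswd]"
tcp-port = 443
udp-port = 443

# Option 1 paths; for Option 2 use the fullchain.pem/privkey.pem under
# /etc/letsencrypt/live/vpn.yourdomain.com/ instead.
server-cert = /etc/ocserv/server-cert.pem
server-key = /etc/ocserv/server-key.pem

# Confine each client's worker process with seccomp (needs seccomp support).
isolate-workers = true

# Capacity and brute-force limits: a source that keeps failing password
# authentication reaches max-ban-score and is refused for ban-reset-time.
max-clients = 16
max-same-clients = 2
auth-timeout = 240
min-reauth-time = 300
ban-points-wrong-password = 10
max-ban-score = 50
ban-reset-time = 300

# Server-chosen cipher order; no SSLv3, TLS 1.0 or TLS 1.1.
tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1"

try-mtu-discovery = true
tunnel-all-dns = true
ipv4-network = 10.12.0.0
ipv4-netmask = 255.255.255.0
dns = 8.8.8.8
dns = 8.8.4.4
# No route or no-route lines: full tunnel, all client traffic goes through the VPN.
```

After editing, restart with systemctl restart ocserv and check journalctl -u ocserv for complaints about unknown or rejected directives before testing a client.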

Enable NAT and IP Forwarding

First, find the name of your main (uplink) network interface. ifconfig is not installed on Ubuntu 18.04 by default (it comes with the net-tools package), so use ip route show default instead; the interface follows the word dev in its output, for example “default via 203.0.113.1 dev eth0”. Then add a NAT rule that masquerades traffic leaving that interface, replacing MAIN_INTERFACE_NAME with the name you found:

iptables -t nat -A POSTROUTING -o MAIN_INTERFACE_NAME -j MASQUERADE

iptables rules are lost on reboot, so install iptables-persistent and let it save the current rules when asked:

apt-get -y install iptables-persistent
dpkg-reconfigure iptables-persistent

Next enable IP forwarding, without which the kernel drops the packets it is asked to route on behalf of VPN clients. Uncomment the following line in /etc/sysctl.conf:

#net.ipv4.ip_forward=1
net.ipv4.ip_forward=1

and apply it with:

sysctl -p
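The script below is an added example (not code from the original tutorial) that covers both the inbound rules from the “Configuring Firewall Rules” section and the NAT step above in one place. It finds the uplink interface with ip route, allows only SSH and the VPN ports inbound, restricts forwarding and masquerading to the VPN client subnet instead of everything that happens to leave the interface, and persists the result. It assumes the 10.12.0.0/24 subnet from ocserv.conf and the iptables-persistent package; DRY_RUN, RUN_FIREWALL and VPN_SUBNET are assumed environment variables.

```shell
#!/bin/sh
# Added example, not the tutorial's own code. Host firewall and NAT for the
# ocserv box: inbound SSH (22) and VPN (TCP/UDP 443), forwarding and
# MASQUERADE limited to the VPN subnet, then persistence. Assumes the
# 10.12.0.0/24 subnet from ocserv.conf and iptables-persistent.
# DRY_RUN=1 prints the commands instead of running them, for review.
set -eu

run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

# Interface of the default route (ifconfig is absent on Ubuntu 18.04 by default).
default_iface() {
    ip -o route show default | awk '{ print $5; exit }'
}

# $1 = uplink interface, $2 = VPN client subnet in CIDR form.
apply_rules() {
    iface=$1; subnet=$2
    run iptables -F INPUT
    run iptables -F FORWARD
    run iptables -t nat -F POSTROUTING
    # Inbound: loopback, replies to our own traffic, ICMP (path MTU), SSH, VPN.
    # The ESTABLISHED rule goes in before the DROP policy so an SSH session
    # used to run this script is not cut off.
    run iptables -A INPUT -i lo -j ACCEPT
    run iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A INPUT -p icmp -j ACCEPT
    run iptables -A INPUT -p tcp --dport 22 -j ACCEPT
    run iptables -A INPUT -p tcp --dport 443 -j ACCEPT
    run iptables -A INPUT -p udp --dport 443 -j ACCEPT
    run iptables -P INPUT DROP
    # Forwarding: only between VPN clients and the uplink, not between
    # arbitrary interfaces just because ip_forward is switched on.
    run iptables -A FORWARD -s "$subnet" -o "$iface" -j ACCEPT
    run iptables -A FORWARD -d "$subnet" -i "$iface" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -P FORWARD DROP
    # NAT only the VPN subnet; a bare "-o $iface -j MASQUERADE" would also
    # rewrite anything else the kernel happens to forward.
    run iptables -t nat -A POSTROUTING -s "$subnet" -o "$iface" -j MASQUERADE
    run sysctl -w net.ipv4.ip_forward=1
}

# Make the rules and the sysctl survive a reboot.
persist_rules() {
    run netfilter-persistent save
    run sh -c 'echo net.ipv4.ip_forward=1 > /etc/sysctl.d/99-ocserv.conf'
}

main() {
    apply_rules "$(default_iface)" "${VPN_SUBNET:-10.12.0.0/24}"
    persist_rules
}

if [ "${RUN_FIREWALL:-0}" = 1 ]; then main; fi
```

Review the output of DRY_RUN=1 RUN_FIREWALL=1 sh firewall.sh first, then run it as root from a session you can recover from (a provider console is safest) without DRY_RUN; if the provider firewall in front of the server is also in use, open the same three ports there.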

Create and Manage Users

To create and manage VPN users we use the OpenConnect password (ocpasswd) utility, which maintains the password file referenced by the auth line in ocserv.conf (/etc/ocserv/ocpasswd). Because port 443 is reachable from the whole Internet, give every account a long password; these are the only credentials standing between an attacker and your network.

Adding a User

We can create users for our VPN with the command below, which prompts for the password twice. As an example, we create a user named “testuser”.

ocpasswd -c /etc/ocserv/ocpasswd testuser

Locking a User

Prevents the specified user from logging in by locking its password.

ocpasswd -c /etc/ocserv/ocpasswd -l username

Unlocking a User

Re-enables login for the specified user by unlocking its password.

ocpasswd -c /etc/ocserv/ocpasswd -u username

Deleting a User

Deletes the specified user from the VPN server.

ocpasswd -c /etc/ocserv/ocpasswd -d username

Connect to Your VPN Server

To start using your VPN, connect with any client that speaks the Cisco AnyConnect SSL VPN protocol, such as the openconnect command-line client on Linux or the AnyConnect and OpenConnect apps on mobile and desktop platforms. If you used a self-signed certificate, import ca-cert.pem into the client or pin the server key instead of clicking through the certificate warning; a client that ignores the warning will hand its password to anyone on the path who impersonates the server.
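As an added example (not code from the original tutorial), the script below connects with the openconnect command-line client while pinning the server’s public key, so the self-signed certificate from Option 1 is verified rather than waved through, and a swapped certificate, even one issued by a public CA, is refused. It assumes openssl and openconnect on the client and a copy of server-cert.pem obtained out of band (for example over SSH), not by connecting to the VPN; SERVER_CERT, VPN_HOST, VPN_USER and RUN_CONNECT are assumed environment variables.

```shell
#!/bin/sh
# Added example, not the tutorial's own code. Connects with the openconnect
# CLI while pinning the server's public key; assumes openssl and openconnect
# on the client and a copy of server-cert.pem fetched out of band.
set -eu

# SPKI pin: base64(SHA-256(DER SubjectPublicKeyInfo)) of the certificate in $1.
# This is the value openconnect expects after "pin-sha256:" (the same
# encoding HTTP Public Key Pinning and curl --pinnedpubkey use), so the pin
# survives re-issuing the certificate as long as the key is kept.
spki_pin() {
    openssl x509 -in "$1" -pubkey -noout \
      | openssl pkey -pubin -outform DER \
      | openssl dgst -sha256 -binary \
      | openssl base64 -A
}

# The same pin computed from the private key in $1, to confirm on the server
# that a certificate and key belong together before copying them to /etc/ocserv.
key_pin() {
    openssl pkey -in "$1" -pubout -outform DER \
      | openssl dgst -sha256 -binary \
      | openssl base64 -A
}

# $1 = server host, $2 = VPN user, $3 = pin. Any other server key is refused;
# openconnect needs root (or CAP_NET_ADMIN) to create the tunnel interface.
connect_vpn() {
    openconnect --user "$2" --servercert "pin-sha256:$3" "$1"
}

if [ "${RUN_CONNECT:-0}" = 1 ]; then
    pin=$(spki_pin "${SERVER_CERT:-server-cert.pem}")
    connect_vpn "$VPN_HOST" "$VPN_USER" "$pin"
fi
```

Print the pin once with spki_pin and store it in the client configuration; on a machine where you prefer to trust the CA instead, openconnect’s --cafile option pointed at ca-cert.pem achieves the same without pinning a single key.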
