OpenConnect server, or ocserv, is a VPN server that communicates over SSL. It is designed to be a secure, lightweight, and fast VPN server. ocserv implements the OpenConnect SSL VPN protocol and, at the time of writing, also has experimental compatibility with clients that use the AnyConnect SSL VPN protocol.
This article will show you how to install and set up ocserv on Ubuntu 14.04 x64.
Since Ubuntu 14.04 does not ship with ocserv, we must download and compile the source code. The latest stable version of ocserv is 0.9.2.
Download ocserv from the official site.
wget ftp://ftp.infradead.org/pub/ocserv/ocserv-0.9.2.tar.xz
tar -xf ocserv-0.9.2.tar.xz
cd ocserv-0.9.2

Next, install the compile dependencies.

apt-get install build-essential pkg-config libgnutls28-dev libwrap0-dev libpam0g-dev libseccomp-dev libreadline-dev libnl-route-3-dev

Compile and install ocserv.

./configure
make
make install

A sample config file is placed under the directory ocserv-0.9.2/doc. We will use this file as a template. First, we have to create our own CA certificate and server certificate.
cd ~
apt-get install gnutls-bin
mkdir certificates
cd certificates

We create a CA template file (ca.tmpl) with content similar to the following. You can set your own CN and organization.
cn = "VPN CA"
organization = "Big Corp"
serial = 1
expiration_days = 3650
ca
signing_key
cert_signing_key
crl_signing_key

Then, generate a CA key and CA cert.
certtool --generate-privkey --outfile ca-key.pem
certtool --generate-self-signed --load-privkey ca-key.pem --template ca.tmpl --outfile ca-cert.pem

Next, create a local server certificate template file (server.tmpl) with the content below. Pay attention to the CN field; it must match the DNS name or IP address of your server.

cn = "your domain name or IP"
organization = "MyCompany"
expiration_days = 3650
signing_key
encryption_key
tls_www_server

Then, generate the server key and certificate.

certtool --generate-privkey --outfile server-key.pem
certtool --generate-certificate --load-privkey server-key.pem --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem --template server.tmpl --outfile server-cert.pem

Copy the key, certificate, and config file to the ocserv config directory.
mkdir /etc/ocserv
cp server-cert.pem server-key.pem /etc/ocserv
cd ~/ocserv-0.9.2/doc
cp sample.config /etc/ocserv/config
cd /etc/ocserv

Edit the config file under /etc/ocserv. Uncomment or modify the fields described below.

auth = "plain[/etc/ocserv/ocpasswd]"
try-mtu-discovery = true
server-cert = /etc/ocserv/server-cert.pem
server-key = /etc/ocserv/server-key.pem
dns = 8.8.8.8
# comment out all route fields
#route = 10.10.10.0/255.255.255.0
#route = 192.168.0.0/255.255.0.0
#route = fef4:db8:1000:1001::/64
#no-route = 192.168.5.0/255.255.255.0
cisco-client-compat = true

Generate a user that will be used to log in to ocserv.

ocpasswd -c /etc/ocserv/ocpasswd username

Enable NAT.

iptables -t nat -A POSTROUTING -j MASQUERADE

Enable IPv4 forwarding. Edit the file /etc/sysctl.conf and set:

net.ipv4.ip_forward=1

Apply this modification.

sysctl -p /etc/sysctl.conf

Start ocserv.

ocserv -c /etc/ocserv/config

Then, install Cisco AnyConnect on any of your devices, such as an iPhone, an iPad, or an Android device. Since we used a self-signed server key and certificate, we have to uncheck the option that blocks insecure servers. This option is located in the settings of AnyConnect. At this point, we can set up a new connection with the domain name or IP address of our ocserv and the username/password that we created.
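The server-side steps above (CA and server certificate generation, then the config edits) as one shell script. This is an added example, not code from the original article or from the ocserv project. It assumes certtool from gnutls-bin and a sed that accepts -E; the hostname vpn.example.com, the working directory and the short config excerpt are constructed stand-ins, not the real sample.config. Each function checks its own result, so you see a chain-verification failure or a half-edited config before anything reaches /etc/ocserv.

```shell
#!/bin/sh
# Added example, not part of the original article. Implements the certificate
# and config steps as functions that work in a directory of your choice and
# verify their output. Assumes certtool (gnutls-bin) and sed -E.
# "vpn.example.com" and the config excerpt below are constructed placeholders.

# Generate CA + server certificate for host $1 inside directory $2, then verify
# that the server certificate really chains to the CA (non-zero exit if not).
make_vpn_certs() (
    host="$1"; dir="$2"
    mkdir -p "$dir" && cd "$dir" || exit 1
    cat > ca.tmpl <<EOF
cn = "VPN CA"
organization = "Big Corp"
serial = 1
expiration_days = 3650
ca
signing_key
cert_signing_key
crl_signing_key
EOF
    # cn must equal the name or IP that clients will type into AnyConnect
    cat > server.tmpl <<EOF
cn = "$host"
organization = "MyCompany"
expiration_days = 3650
signing_key
encryption_key
tls_www_server
EOF
    certtool --generate-privkey --outfile ca-key.pem >/dev/null 2>&1 &&
    certtool --generate-self-signed --load-privkey ca-key.pem \
        --template ca.tmpl --outfile ca-cert.pem >/dev/null 2>&1 &&
    certtool --generate-privkey --outfile server-key.pem >/dev/null 2>&1 &&
    certtool --generate-certificate --load-privkey server-key.pem \
        --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem \
        --template server.tmpl --outfile server-cert.pem >/dev/null 2>&1 || exit 1
    chmod 600 ca-key.pem server-key.pem   # private keys must not be world-readable
    certtool --verify --load-ca-certificate ca-cert.pem \
        --infile server-cert.pem >/dev/null 2>&1
)

# Constructed excerpt in the style of ocserv's sample.config (not the real file),
# written to $1 so the edit function can be exercised without the source tree.
write_sample_config() {
    cat > "$1" <<'EOF'
auth = "pam"
#auth = "plain[/etc/ocserv/ocpasswd]"
try-mtu-discovery = false
server-cert = /path/to/cert.pem
server-key = /path/to/key.pem
#dns = 192.168.1.2
route = 10.10.10.0/255.255.255.0
route = 192.168.0.0/255.255.0.0
route = fef4:db8:1000:1001::/64
no-route = 192.168.5.0/255.255.255.0
#cisco-client-compat = true
EOF
}

# Produce $2 from $1: comment out every route/no-route line, remove existing
# (active or commented) definitions of the keys we set, append the values once.
apply_ocserv_config() {
    sed -E -e 's/^(no-route|route) = /#&/' \
        -e '/^#?(auth|try-mtu-discovery|server-cert|server-key|dns|cisco-client-compat) = /d' \
        "$1" > "$2" || return 1
    cat >> "$2" <<'EOF'
auth = "plain[/etc/ocserv/ocpasswd]"
try-mtu-discovery = true
server-cert = /etc/ocserv/server-cert.pem
server-key = /etc/ocserv/server-key.pem
dns = 8.8.8.8
cisco-client-compat = true
EOF
}

# Return 0 only if every required line is present verbatim in $1 and no active
# route/no-route line survived (a leftover route would split-tunnel the client).
check_ocserv_config() {
    for want in 'auth = "plain[/etc/ocserv/ocpasswd]"' 'try-mtu-discovery = true' \
        'server-cert = /etc/ocserv/server-cert.pem' 'server-key = /etc/ocserv/server-key.pem' \
        'dns = 8.8.8.8' 'cisco-client-compat = true'; do
        grep -qxF -- "$want" "$1" || return 1
    done
    ! grep -qE '^(no-route|route) = ' "$1"
}
```

Typical use on the server: make_vpn_certs vpn.example.com ~/certificates, then apply_ocserv_config ~/ocserv-0.9.2/doc/sample.config /etc/ocserv/config followed by check_ocserv_config /etc/ocserv/config before starting ocserv. The ca-cert.pem it produces is the certificate a client would need to trust in order to validate the server properly instead of disabling the untrusted-server check.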
Connect and enjoy!