OpenConnect VPN server, aka ocserv, is an open-source implementation of the Cisco AnyConnect VPN protocol, which is widely used in businesses and universities. AnyConnect is an SSL-based VPN protocol that allows individual users to connect to a remote network.
NAME
ocserv
- OpenConnect VPN server
SYNOPSIS
ocserv [options] -c [config]
Openconnect VPN server (ocserv) is a VPN server compatible with the openconnect VPN client. It follows the AnyConnect VPN protocol which is used by several CISCO routers.
DESCRIPTION
This is a standalone server that reads a configuration file (see below for more details) and waits for client connections. Log messages are redirected to the daemon facility.
The server maintains two connections/channels with the client. The main VPN channel is established over TCP, HTTP and TLS. This is the control channel as well as the backup data channel. After its establishment a UDP channel using DTLS is initiated which serves as the main data channel. If the UDP channel fails to establish or is temporarily unavailable, the backup channel over TCP/TLS is used.
This server supports multiple authentication methods, including PAM and certificate authentication. Authenticated users are assigned an unprivileged worker process and obtain a networking (tun) device and an IP from a configurable pool of addresses.
Once authenticated, the server provides the client with an IP address and a list of routes that it may access. In order to allow high-speed transfers the server does not process or filter packets. It is expected that the server has or will set up any required routes or firewall rules.
It is possible to separate users into groups, which are either present on their certificate, or presented on login for the user to choose. That way a user may take advantage of the different settings that may apply per group. See the comments in the configuration file for more information.
It is also possible to run hostname-based virtual servers which could support different authentication methods. When multiple virtual servers are present, clients are distinguished by the server name advertised over TLS (SNI). Clients which do not support or send SNI are directed to the default server.
OPTIONS
- Do not fork the server into the background.
- Enable verbose network debugging information; num must be between zero and 9999.
- Specify the configuration file for the server.
- Test the provided configuration file and exit. A successful exit code indicates a valid configuration.
- Specify a PID file for the server.
- Display usage information and exit.
- Output the program version and exit.
AUTHENTICATION
Users can be authenticated in multiple ways, which are explained in the following paragraphs. Connected users can be managed using the occtl tool.
Password authentication
If your system supports Pluggable Authentication Modules (PAM), then ocserv will take advantage of it to password-authenticate its users. Otherwise a plain password file similar to the UNIX password file is also supported; in that case the 'ocpasswd' tool can be used for its management. Note that password authentication can be used in conjunction with certificate authentication.
GSSAPI authentication
ocserv will take advantage of the MIT Kerberos project GSSAPI libraries, and allow authentication using any method GSSAPI supports, that is, mainly, Kerberos authentication. That is often more useful when combined with PAM or other password authentication methods, so that a fallback mechanism can be used when GSSAPI fails (e.g., when the user doesn't already have a Kerberos ticket). The GSSAPI authentication is implemented using SPNEGO over HTTP (RFC 4559).
Public key (certificate) authentication
Public key authentication allows the user to be authenticated by the possession of the private key that corresponds to a public key known to the server. That allows the usage of common smart cards for user authentication.
In ocserv, a certificate authority (CA) is used to sign the client certificates. That certificate authority can be local, used only by the server to sign its users' known public keys, which are then given to users in the form of certificates. That authority must also provide a CRL to allow the server to reject revoked clients (see ca-cert, crl).
In certificate authentication each client presents a certificate and signs data provided by the server, as part of TLS authentication, to prove possession of the corresponding private key. The certificate must also contain user-identifying information; for example, the user ID of the client must be embedded in the certificate's Distinguished Name (DN), i.e., in the Common Name or UID fields. For the server to read the name, the cert-user-oid configuration option must be set.
The following examples demonstrate how to use certtool from GnuTLS to generate such a CA.
Generating the CA
Generating a local server certificate
The following example generates the server key and certificate pair. The key generated is an RSA one, but different types can be used by specifying the 'ecdsa' or 'dsa' options to certtool.
From this point the clients need ca-cert.pem to be able to securely connect to the server.
Note that it is better practice to use two separate RSA keys, one with the signing_key option and another with the encryption_key option.
Generating an external CA-signed server certificate
At this point you need to provide the server-cert.csr to your CA, and they will send you the server certificate.
Generating the client certificates
Note that it is recommended to leave detailed personal information out of the certificate, as it is sent in the clear during TLS authentication. The following process generates a certificate and converts it to PKCS #12, which is protected by a PIN and which most clients are able to import (the 3DES cipher is used in the example because it is supported by far more devices than AES).
Revoking a client certificate
To revoke the previous client certificate, i.e., to prevent the user from accessing the VPN resources prior to the certificate's expiration, use:
After that you may want to notify ocserv of the new CRL by using the HUP signal, or wait for it to reload it.
When there are no revoked certificates, an empty revocation list should be generated as follows.
IMPLEMENTATION NOTES
Note that while this server utilizes privilege separation and all authentication occurs on the security module, this does not apply to TLS client certificate authentication. That is due to a TLS protocol limitation.
NETWORKING CONSIDERATIONS
In certain setups, where a firewall may be blocking ICMP responses, setting the MSS of TCP connections to the MTU will eliminate the 'black hole' connection issues. See http://lartc.org/howto/lartc.cookbook.mtu-mss.html for instructions to enable it on a Linux system.
FILES
ocserv's configuration file format
By default, if no other file is specified, ocserv looks for its configuration file at /etc/ocserv/ocserv.conf. An example configuration file follows.
SEE ALSO
occtl(8), ocpasswd(8), openconnect(8)
COPYRIGHT
Copyright (C) 2013-2018 Nikos Mavrogiannopoulos and others, all rights reserved. This program is released under the terms of the GNU General Public License, version 2.
AUTHORS
Written by Nikos Mavrogiannopoulos. Many people have contributed to it.
Introduction
OCserv is the OpenConnect VPN server. Its purpose is to be a secure, small, fast and configurable VPN server. It implements the OpenConnect SSL VPN protocol, and has also (currently experimental) compatibility with clients using the AnyConnect SSL VPN protocol. The OpenConnect protocol provides a dual TCP/UDP VPN channel, and uses the standard IETF security protocols to secure it. The server is implemented primarily for the GNU/Linux platform but its code is designed to be portable to other UNIX variants as well. From Ubuntu 16.04 onward, OCserv is included in the standard Ubuntu repositories, so you do not need to compile it from source. In this tutorial the iOS 12.2 client, which could be an iPad or an iPhone, will connect to the VPN server using the Cisco AnyConnect VPN client.
Install packages on server
Log on to your server and install the OCserv package:
We will also need the GnuTLS package, since we use the GnuTLS utilities to generate our public key infrastructure (keys and certificates):
Build and Install
We can use self-signed certificates or a purchased commercial certificate from a CA such as Comodo, StartSSL or WoSign.
Make CA certificate and server certificate
The GnuTLS certificate tool (certtool) allows you to specify the fields for your certificates in a configuration template file.
Start by creating a configuration template file for your Certificate Authority (CA) certificate:
Press the I key on your keyboard to enter insert mode.
Enter the following fields into the CA configuration file, customizing the values as you prefer:
When you have finished entering the above, escape from insert mode, write the file to disk, and quit the editor.
Now generate a key and certificate for your CA, using the CA configuration template file you just created:
Now create a server certificate template file:
Press the I key on your keyboard to enter insert mode.
Enter the following fields into the server configuration file. Note that in the common name (cn) field, you must specify your actual server IP address or hostname (shown as vpn.xuri.me in the example that follows):
When you have finished entering the above, escape from insert mode, write the file to disk, and quit the editor.
Generate the server key and certificate, using the configuration template file:
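The certtool invocations for the CA, the server certificate, the client PKCS #12 bundle and the CRL (described in the man page's certificate sections above and in the template steps of this tutorial) are not reproduced on this page. The following is an added, self-contained shell example, not the man page's or the tutorial's own commands: it writes the certtool templates and, when certtool is installed, runs the standard GnuTLS certtool options to build the whole chain. The organisation name, the host vpn.example.com, the user alice, the pki output directory and the P12_PIN value are assumptions to replace with your own.

```shell
#!/bin/sh
# Added example (not from the ocserv man page or the tutorial): builds a small
# ocserv PKI with GnuTLS certtool. "ExampleVPN", vpn.example.com, "alice",
# the pki directory and the P12_PIN value are constructed placeholders.
set -eu

PKI_DIR="${PKI_DIR:-./pki}"
P12_PIN="${P12_PIN:-change-this-pin}"   # placeholder PIN for the PKCS#12 bundle

# CA template: "ca" marks a CA certificate; cert_signing_key/crl_signing_key
# limit the CA key to signing certificates and CRLs.
write_ca_template() {
    cat > "$1" <<'EOF'
cn = "Example VPN CA"
organization = "ExampleVPN"
serial = 1
expiration_days = 3650
ca
signing_key
cert_signing_key
crl_signing_key
EOF
}

# Server template: cn must be the name clients connect to (dns_name repeats
# it as a SAN); tls_www_server restricts the certificate to server use.
write_server_template() {
    cat > "$2" <<EOF
cn = "$1"
dns_name = "$1"
organization = "ExampleVPN"
serial = 2
expiration_days = 365
signing_key
encryption_key
tls_www_server
EOF
}

# Client template: only the identifier ocserv reads (cn or uid, selected by
# cert-user-oid) goes in, since the certificate is sent in the clear.
write_user_template() {
    cat > "$2" <<EOF
cn = "$1"
uid = "$1"
serial = 3
expiration_days = 365
signing_key
tls_www_client
EOF
}

# CRL template: crl_next_update tells relying parties when to expect a new one.
write_crl_template() {
    cat > "$1" <<'EOF'
crl_next_update = 365
crl_number = 1
EOF
}

# Write the templates, then (when certtool is installed) generate the CA, the
# server pair, a client PKCS#12 bundle, an empty CRL and a CRL revoking the
# client. Runs in a subshell so the cd does not leak to the caller.
build_pki() (
    host="$1"; user="$2"
    mkdir -p "$PKI_DIR"; cd "$PKI_DIR"
    write_ca_template ca.tmpl
    write_server_template "$host" server.tmpl
    write_user_template "$user" user.tmpl
    write_crl_template crl.tmpl
    if ! command -v certtool >/dev/null 2>&1; then
        echo "certtool not found; templates written to $PKI_DIR only" >&2
        exit 0   # leaves only this subshell
    fi
    certtool --generate-privkey --outfile ca-key.pem
    certtool --generate-self-signed --load-privkey ca-key.pem \
        --template ca.tmpl --outfile ca-cert.pem
    certtool --generate-privkey --outfile server-key.pem
    certtool --generate-certificate --load-privkey server-key.pem \
        --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem \
        --template server.tmpl --outfile server-cert.pem
    certtool --generate-privkey --outfile user-key.pem
    certtool --generate-certificate --load-privkey user-key.pem \
        --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem \
        --template user.tmpl --outfile user-cert.pem
    certtool --to-p12 --load-privkey user-key.pem --load-certificate user-cert.pem \
        --pkcs-cipher 3des-pkcs12 --p12-name "$user" --password "$P12_PIN" \
        --outfile user.p12
    # Empty CRL first (nothing revoked), then one that revokes the client
    certtool --generate-crl --load-ca-privkey ca-key.pem \
        --load-ca-certificate ca-cert.pem --template crl.tmpl --outfile crl.pem
    certtool --generate-crl --load-ca-privkey ca-key.pem \
        --load-ca-certificate ca-cert.pem --load-certificate user-cert.pem \
        --template crl.tmpl --outfile crl.pem
    chmod 600 ./*-key.pem user.p12
)
```

Run build_pki vpn.example.com alice, then copy ca-cert.pem, server-cert.pem and server-key.pem into /etc/ocserv/ and hand user.p12 together with ca-cert.pem to the client. After replacing crl.pem, send ocserv the HUP signal so it reloads the list.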
Use commercial certificate
For example, I use WoSign free SSL certificates. I got two files, 1_vpn.xuri.me_bundle.crt and 2_vpn.xuri.me.key. Convert the .crt certificate to .pem format:
Convert the .key file to .pem format:
Put server-cert.pem and server-key.pem in /etc/ocserv/, and set the file permissions to 600.
If you use CA certificates issued by StartSSL, you have a certificate file cert.crt; in some cases you should create a certificate chain by merging the intermediate certificate and the root certificate like this:
Generate Certificates with Let's Encrypt
Confirm that the port in the file /lib/systemd/system/ocserv.socket is not used by another program, and generate certificates with certbot:
Select 1 and input the domain name; the certificate files are located at /etc/letsencrypt/live/vpn.xuri.me/fullchain.pem and /etc/letsencrypt/live/vpn.xuri.me/privkey.pem.
Configure the OpenConnect VPN server
Edit the OCserv sample configuration file that is provided in /etc/ocserv:
Use the editor to comment out (#) the default values and replace them with those shown in the example that follows:
When you have finished entering the above, escape from insert mode, write the file to disk, and quit the editor.
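The configuration values of this step are not reproduced on the page, so here is an added example of a complete ocserv.conf for plain (ocpasswd) password authentication, written with the directives from the upstream sample configuration, together with a pre-flight check that the referenced key file is readable only by its owner. This is my own example, not the tutorial's configuration file. The VPN pool 192.168.100.0/24, the no-route prefixes excluded from the tunnel, the DNS server, the client limits and the certificate paths are assumptions to adjust for your network.

```shell
#!/bin/sh
# Added example (not the tutorial's own /etc/ocserv/ocserv.conf): writes a
# password-authenticated ocserv configuration with no-route split tunnelling
# and checks key permissions before the server is started. Network ranges,
# the DNS server and the limits are constructed placeholders.
set -eu

# Write an ocserv.conf for plain (ocpasswd) authentication. ocserv reads the
# key as root and then drops privileges to run-as-user/group, so the key
# never needs to be readable by anyone else. no-route excludes the listed
# prefixes from the tunnel so only the rest of the traffic uses the VPN.
write_ocserv_conf() {
    conf="$1"; cert="$2"; key="$3"; host="$4"
    cat > "$conf" <<EOF
auth = "plain[passwd=/etc/ocserv/ocpasswd]"
tcp-port = 443
udp-port = 443
run-as-user = nobody
run-as-group = daemon
socket-file = /var/run/ocserv-socket
server-cert = $cert
server-key = $key
isolate-workers = true
max-clients = 16
max-same-clients = 2
keepalive = 32400
dpd = 90
mobile-dpd = 1800
try-mtu-discovery = true
tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-VERS-SSL3.0"
auth-timeout = 40
min-reauth-time = 300
max-ban-score = 50
ban-reset-time = 300
cookie-timeout = 300
rekey-time = 172800
rekey-method = ssl
use-occtl = true
pid-file = /var/run/ocserv.pid
device = vpns
default-domain = $host
ipv4-network = 192.168.100.0
ipv4-netmask = 255.255.255.0
dns = 8.8.8.8
route = default
# Prefixes reached outside the tunnel (constructed examples)
no-route = 192.168.0.0/255.255.0.0
no-route = 10.0.0.0/255.0.0.0
cisco-client-compat = true
EOF
}

# Pre-flight check: the server-cert and server-key named in the config must
# exist and the key must be mode 600. Returns 0 when both hold, 1 otherwise.
check_ocserv_conf() {
    conf="$1"
    key=$(sed -n 's/^server-key = //p' "$conf")
    cert=$(sed -n 's/^server-cert = //p' "$conf")
    [ -n "$key" ] && [ -f "$key" ] && [ -f "$cert" ] || return 1
    mode=$(stat -c '%a' "$key" 2>/dev/null || stat -f '%Lp' "$key")
    [ "$mode" = "600" ] && return 0
    echo "server-key $key has mode $mode, expected 600" >&2
    return 1
}
```

Write the file with write_ocserv_conf /etc/ocserv/ocserv.conf /etc/ocserv/server-cert.pem /etc/ocserv/server-key.pem vpn.xuri.me, create the password file with ocpasswd -c /etc/ocserv/ocpasswd followed by the user name, and run check_ocserv_conf /etc/ocserv/ocserv.conf before starting the service.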
Create user id and password
Generate a user id and password that you will use to authenticate from AnyConnect to OCserv. For example, if you want your user id to be xuri:
You will be prompted to enter a password twice. The password will not be displayed on your terminal:
Enable packet forwarding
Allow forwarding in the Linux kernel by editing the system control configuration file:
Delete the # sign at the start to uncomment the line:
Write the file to disk and quit the editor, and make this change active now:
Open firewall
Open the server firewall for SSL:
Enable network address translation (NAT):
Assuming you have already installed iptables-persistent, reconfigure it to make your changes persist across server reboots:
Start OpenConnect VPN server
Check that nothing is already listening on port 443:
The command sudo lsof -i then showed systemd listening on port 443 on IPv6. I do not know why systemd was doing this. The command systemctl -all list-sockets showed the related unit as ocserv.socket. The solution was to issue the command sudo systemctl stop ocserv.socket.
Start OCserv:
or
Check that it is now listening on port 443 with the command:
Optimization
Add ocserv to the system services:
Write the following script in the configuration file:
Now we can use service ocserv start and service ocserv stop to control the service.
Smart shunt
Set up no-route entries in the configuration file according to your own rules.
Make CA certificate available for download
Your client such as Mac, iPad or iPhone needs to be able to validate the server certificate. To allow it to do this, you must install your CA certificate on the iPad or iPhone as a trusted root certificate. The first step in this is to make the CA certificate available for download from your server.
Open the firewall so that you can reach the server from a browser:
Install Apache:
Copy the CA certificate into the web root folder:
Download and install CA certificate
Connect OCserv on Mac
Download and install the latest version of Cisco AnyConnect Secure Mobility Client for OS X. Add your server IP address (e.g. vpn.xuri.me):
Enter your username:
Enter your password:
Connect to VPN
Connect OCserv on mobile client
Now go to your iOS device (iPad or iPhone).
Open the Safari browser.
Browse to the location of the CA certificate at your server's IP address. For example, if your server is located at vpn.xuri.me, then in Safari you would browse to:
Follow the prompts to install the CA certificate as a 'Profile' on your iOS 12.2 device.
Once the 'Profile' (i.e., certificate) is installed, tap on Done:
Install AnyConnect on iOS 12.2 client
On your iPad or iPhone, open the App Store and search for Cisco AnyConnect (or use the desktop client on a computer).
Configure AnyConnect on iOS 12.2 client
Open the AnyConnect app.
Tap on Connections.
Tap on Add VPN Connection.
- Description is whatever you want
- Server Address is your server IP address (e.g. vpn.xuri.me)
Tap Save.
Connect to VPN
Now connect from your iPad or iPhone to your VPN.
You will be prompted to enter your username (the one you set up with ocpasswd a few minutes ago, for example, xuri):
You will be prompted to enter your password (the one you set up for that username when you invoked ocpasswd):
The AnyConnect VPN toggle goes green when you are connected:
(Also, if you log on to your server and use a command such as sudo tail /var/log/syslog, you will see messages such as sec-mod: initiating session for user 'xuri'.)
Troubleshooting
Ocserv Client Windows
The client gets the error: The secure gateway has rejected the connection attempt. A new connection attempt to the same or another secure gateway is needed, which requires re-authentication.
Ocserv Client Certificate
Add the MTU setting mtu = 1480 to the configuration file and restart the service.