Connect with us

Hi, what are you looking for?


Setup OpenConnect VPN Server (ocserv) on Ubuntu 20.04 using Let’s Encrypt

Setup OpenConnect VPN Server (ocserv) on Ubuntu 20.04 using Let’s Encrypt


This tutorial will show you how to run your own VPN server by installing OpenConnect VPN Server on Ubuntu 20.04. OpenConnect VPN server, also known as ok serv, is an open source implementation of the Cisco AnyConnnect VPN protocol, which is widely used in businesses and universities. AnyConnect is an SSL-based VPN protocol that allows individual users to connect to a remote network.

Noticeable: This tutorial also works on Ubuntu 20.10 and Ubuntu 21.04.

Why are you setting up your own VPN server?

  • Maybe you are a VPN service provider or a system administrator, which requires you to set up our VPN server.
  • You don’t trust the no-logs policy of VPN service providers, so you have to go the self-hosting route.
  • You can use a VPN to implement a network security policy. For example, if you run your own email server, you can require users to login only from the IP address of the VPN server by creating a whitelist of the IP address in the firewall. Thus, your email server is hardened to prevent hacking activities.
  • Perhaps you are just interested to know how a VPN server works.

OpenConnect VPN Server Features

  • Lightweight and fast. In my testing, I can watch 4K YouTube videos using OpenConnect VPN. YouTube is blocked in my country (China).
  • Runs on Linux and most BSD servers.
  • Compatible with Cisco AnyConnect Client
  • There is an OpenConnect client for Linux, macOS, Windows, and OpenWRT. For Android and iOS, you can use the Cisco AnyConnect client.
  • Supports password authentication and certificate authentication
  • Supports RADIUS accounting.
  • Supports virtual hosting (multiple domains).
  • Easy to set up

I especially like the fact that compared to other VPN technologies, it is very easy and convenient for the end user to use OpenConnect VPN. When I install a Linux distro on my computer and want to quickly unblock websites or hide my IP address, I install the OpenConnect client and connect to the server using just two lines of command:

sudo apt install openconnect sudo openconnect -b

There is also an OpenConnect VPN client for Fedora, RHEL, CentOS, Arch Linux, and OpenSUSE. You can easily install it with your package manager.

sudo dnf install openconnect sudo yum install openconnect sudo pacman -S openconnect


To follow this tutorial, you will need a VPS (Virtual Private Server) that can access blocked websites freely (outside your country or internet filtering system). I recommend Kamatera VPS, which features the following:

  • 30 days free trial.
  • Starts at $4 per month (1 GB of RAM)
  • High performance VPS based on KVM
  • 9 data centers around the world, including the United States, Canada, the United Kingdom, Germany, the Netherlands, Hong Kong and Israel.

Follow the tutorial linked below to create a Linux VPS server in Kamatera.

Once you have a VPS server running Ubuntu 20.04, follow the instructions below.

Discover  Top 5 Free VPNs for Pubg Mobile Lite (2021)

You also need a domain name to enable HTTPS for OpenConnect VPN. I registered my domain name from NameCheap because the price is low and they offer free whois privacy protection for life.

Step 1: Install OpenConnect VPN Server on Ubuntu 20.04

Log in to your Ubuntu 20.04 server. Then use apt to install the ocserv package from the default Ubuntu repository.

sudo apt update sudo apt install ocserv

Once installed, the OpenConnect VPN server is automatically launched. You can check their status by:

systemctl status ocserv

Sample output:

● ocserv.service – OpenConnect SSL VPN server loaded: loaded (/lib/systemd/system/ocserv.service; enabled; resource preset: enabled) active: active (running) since Sunday, April 12, 2020, 19:00 :57:08 HKST; 12 seconds ago Docs: man: ocserv (8) Main PID: 216409 (ocserv-main) Tasks: 2 (limit: 9451) Memory: 1.6M CGroup: /system.slice/ocserv.service ├─216409 ocserv-main └─ 216429 ocserv-sm

Tip: If the above command is not immediately terminated, you can press the Q key to regain control of the device.

If it’s not running, you can start with:

sudo systemctl start ocserv

By default, the OpenConnect VPN server listens on TCP and UDP port 443. If it is used by the web server, the VPN server will probably fail to start. We’ll see how to change the port in the OpenConnect VPN configuration file later.

If there is a firewall running on your server, you will need to open ports 80 and 443. For example, if you are using UFW, run the following command.

sudo ufw allow 80443 / tcp

Step 2: Install Let’s Encrypt Client (Certbot) on Ubuntu 20.04 Server

The gnutls-bin package installed with ocserv provides tools to generate your own CA and server certificate, but we will get and install the Let’s Encrypt certificate. The advantage of using Let’s Encrypt certificate is that it is free, easy to set up, and trusted by the VPN client software.

Run the following commands to install Let’s Encrypt client (certbot) from the default Ubuntu repository.

sudo apt install certbot

To check the version number, run

certbot – version

Sample output:

Sirtbot 0.40.0

Step 3: Get a trusted TLS certificate from Let’s Encrypt

I recommend using the standalone plugin or webroot to get the TLS certificate for ocserv.

standalone plugin

If there is no web server running on Ubuntu 20.04 and you want the OpenConnect VPN server to use port 443, you can use the standalone plug-in to get a TLS certificate from Let’s Encrypt. Run the following command. Don’t forget to set a record for your domain name.

sudo certbot certonly –standalone –preferred-challenges http –agree-tos –email [email protected]


  • Sure: get a certificate but don’t install it.
  • –standalone: ​​Use standalone plugin to get certification
  • –preferred-challenges http: Perform an http-01 challenge to validate our domain, which will use port 80.
  • –agree-tos: Agree to Let’s Encrypt Terms of Service.
  • – Email: The email address is used to register and restore the account.
  • -d: Specify your domain name.
Discover  VPN: Shuttle VPN - Secure VPN Proxy - Fast VPN for Android

As you can see from the following screenshot, you have successfully obtained the certificate.

Use the webroot plugin

If your Ubuntu 20.04 server has a web server that listens on ports 80 and 443, it’s a good idea to use the webroot plugin for a certificate because the webroot plugin works with almost every web server and we don’t need to install a certificate in the webserver.

First, you need to create a virtual host for


If you are using Apache, then

sudo nano /etc/apache2/sites-available/

And paste the following lines into the file.

ServerName DocumentRoot/var/www/ocserv

Save and close the file. Then create a web root directory.

sudo mkdir / var / www / ocserv

Set www-data (the Apache user) as the owner of the web root.

sudo chown www-data: www-data / var / www / ocserv -R

Enable this virtual host.

sudo a2ensite

Reload Apache for the changes to take effect.

Download sudo systemctl Apache 2

Once the virtual host is created and enabled, run the following command to get the Let’s Encrypt certificate using the webroot plugin.

sudo certbot sure – webroot –agree-tos –email [email protected] -d -w / var / www / ocserv


If you are using Nginx, then

sudo nano /etc/nginx/conf.d/

Paste the following lines into the file.

server listening 80; server_name ; root /var/www/ocserv/; location ~/.well-known/acme-challenge allow all;

Save and close the file. Then create a web root directory.

sudo mkdir -p / var / www / ocserv

Set www-data (the Nginx user) as the owner of the web root.

sudo chown www-data: www-data / var / www / ocserv -R

Reload Nginx for the changes to take effect.

sudo systemctl reload nginx

Once the virtual host is created and enabled, run the following command to get the Let’s Encrypt certificate using the webroot plugin.

sudo certbot sure – webroot –agree-tos –email [email protected] -d -w / var / www / ocserv

Step 4: Edit the OpenConnect VPN server configuration file

Edit the main ocserv configuration file.

sudo nano /etc/ocserv/ocserv.conf

First, we need to configure password authentication. By default, password authentication is enabled through PAM (Packable Authentication Modules), allowing you to use Ubuntu system accounts to log in from VPN clients. This behavior can be disabled by commenting outside the next line.

authentication = “bam[gid-min=1000]”

If we want users to use separate VPN accounts instead of system accounts to log in, we need to add the following line to enable password authentication with a password file.

authentication = “normal[passwd=/etc/ocserv/ocpasswd]”

After we’ve finished editing this configuration file, we’ll see how to use the ocpasswd tool to create the /etc/ocserv/ocpasswd file, which contains a list of encrypted usernames and passwords.

Noticeable: Ocserv supports client certificate authentication, but Let’s Encrypt does not issue a client certificate. You need to set up your Certificate Authority (CA) to issue a client certificate.

Discover  3 Ways to Setup a VPN on the Router (Including the Pros and Cons)

Then, if you don’t want ocserv to use TCP and UDP port 443, find the next two lines and change the port number. Otherwise, leave them alone.

TCP port = 443 udp port = 443

Then find the next two lines. We need to change them.

server-cert = /etc/ssl/certs/ssl-cert-snakeoil.pem server-key = /etc/ssl/private/ssl-cert-snakeoil.key

Replace the default with the Let’s Encrypt server path, server certificate, and server key file.

server-cert = /etc/letsencrypt/live/ server-key = /etc/letsencrypt/live/

Then set the maximum number of clients. The default setting is 128. Set to zero for an unlimited number.

Max customer = 128

Set the number of devices a user can log in from at the same time. The default setting is 2. Set to zero for an unlimited number.

Max – same customer = 2

By default, Keepalive packets are sent every 300 seconds (5 minutes). I prefer to use a short time (30 seconds) to reduce the chance of the VPN connection dropping.

sustain life = 30

Next, find the next line. Change from false to true to enable MTU detection, which can improve VPN performance.

try-mtu-discovery = Error

You can set the time the client is allowed to remain idle before disconnecting via the following two parameters. If you prefer the customer to stay in touch indefinitely, comment on these two parameters.

idle timeout = 1200 mobile-idle-timeout = 1800

Next, set the default domain to

default domain =

The IPv4 network configuration is as follows by default. This will cause problems because many home routers also set the IPv4 network range to

ipv4-network= ipv4-netmask=

We can use another private IP address range ( to avoid IP address collision, so change the value of IPv4 network to

ipv4 network =

Now uncomment the next line to connect all DNS queries via VPN.

tunnel-all-dns = true

The default DNS resolver addresses are as follows, which is a good thing.

dns = dns =

Noticeable: If you are a VPN service provider, it is a good idea to run your DNS resolver on the same server. If there is a DNS resolver running on the same server, specify DNS as

dns = is the IP address of the OpenConnect VPN server in the VPN LAN. This will slightly speed up DNS lookups for clients because network latency between the VPN server and the DNS resolver is eliminated.

Then comment out all the path parameters (add the # symbol at the beginning of the next 4 lines), which will set the server as the default gateway for clients.

Path = Path = Path = No Path =

Save and close the file and restart the VPN server for the changes to take effect.

restart sudo systemctl ocserv

Step 5: Create VPN Accounts

Now use the ocpasswd tool to create VPN accounts.

sudo ocpasswd -c /etc/ocserv/ocpasswd username

You are…

Don’t forget to share this post with friends !

Click to comment

Leave a Reply

Your email address will not be published. Required fields are marked *



AnyConnect: Install a self-signed certificate as a trusted source 👨‍💻 kmgmt-2879-cbs-220-config-security-port objective The goal of this article is to walk you through creating and...


ITProPortal . Portal 👨‍💻 We live in a dynamic moment in terms of technology. Even criminals are becoming more technically savvy and are using...


Avira Free Antivirus Review for Mac / Windows and Android are the most common targets for malware programmers, but that doesn’t mean macOS is...


Avira Free Security Review You need antivirus protection on all of your devices, whether you’ve budgeted for it or not. If ready cash is...