
Setup OpenConnect VPN Server (ocserv) on Ubuntu 20.04 using Let’s Encrypt


This tutorial will show you how to run your own VPN server by installing OpenConnect VPN Server on Ubuntu 20.04. OpenConnect VPN server, also known as ocserv, is an open source implementation of the Cisco AnyConnect VPN protocol, which is widely used in businesses and universities. AnyConnect is an SSL-based VPN protocol that allows individual users to connect to a remote network.

Note: This tutorial also works on Ubuntu 20.10 and Ubuntu 21.04.

Why set up your own VPN server?

  • Maybe you are a VPN service provider or a system administrator, which requires you to set up your own VPN server.
  • You don’t trust the no-logs policy of VPN service providers, so you have to go the self-hosting route.
  • You can use a VPN to enforce a network security policy. For example, if you run your own email server, you can require users to log in only from the IP address of the VPN server by whitelisting that address in the firewall. This hardens your email server against attacks.
  • Perhaps you are just interested in how a VPN server works.

OpenConnect VPN Server Features

  • Lightweight and fast. In my testing, I can watch 4K YouTube videos using OpenConnect VPN. YouTube is blocked in my country (China).
  • Runs on Linux and most BSD servers.
  • Compatible with Cisco AnyConnect Client
  • There is an OpenConnect client for Linux, macOS, Windows, and OpenWRT. For Android and iOS, you can use the Cisco AnyConnect client.
  • Supports password authentication and certificate authentication
  • Supports RADIUS accounting.
  • Supports virtual hosting (multiple domains).
  • Easy to set up

I especially like the fact that, compared to other VPN technologies, OpenConnect VPN is very easy and convenient for the end user. When I install a Linux distro on my computer and want to quickly unblock websites or hide my IP address, I install the OpenConnect client and connect to the server with just two commands:

sudo apt install openconnect
sudo openconnect -b vpn.mydomain.com

There is also an OpenConnect VPN client for Fedora, RHEL, CentOS, Arch Linux, and OpenSUSE. You can easily install it with your package manager.

sudo dnf install openconnect
sudo yum install openconnect
sudo pacman -S openconnect

Requirements

To follow this tutorial, you will need a VPS (Virtual Private Server) that can access blocked websites freely (that is, one located outside your country or its internet filtering system). I recommend Kamatera VPS, which features the following:

  • 30 days free trial.
  • Starts at $4 per month (1 GB of RAM)
  • High performance VPS based on KVM
  • 9 data centers around the world, including the United States, Canada, the United Kingdom, Germany, the Netherlands, Hong Kong and Israel.

Follow the tutorial linked below to create a Linux VPS server in Kamatera.

Once you have a VPS server running Ubuntu 20.04, follow the instructions below.

You also need a domain name to enable HTTPS for OpenConnect VPN. I registered my domain name from NameCheap because the price is low and they offer free whois privacy protection for life.

Step 1: Install OpenConnect VPN Server on Ubuntu 20.04

Log in to your Ubuntu 20.04 server. Then use apt to install the ocserv package from the default Ubuntu repository.

sudo apt update
sudo apt install ocserv

Once installed, the OpenConnect VPN server is started automatically. You can check its status with:

systemctl status ocserv

Sample output:

● ocserv.service - OpenConnect SSL VPN server
     Loaded: loaded (/lib/systemd/system/ocserv.service; enabled; vendor preset: enabled)
     Active: active (running) since Sun 2020-04-12 19:57:08 HKST; 12s ago
       Docs: man:ocserv(8)
   Main PID: 216409 (ocserv-main)
      Tasks: 2 (limit: 9451)
     Memory: 1.6M
     CGroup: /system.slice/ocserv.service
             ├─216409 ocserv-main
             └─216429 ocserv-sm

Tip: If the above command does not exit immediately, press the Q key to get the shell prompt back.

If it’s not running, you can start it with:

sudo systemctl start ocserv

By default, the OpenConnect VPN server listens on TCP and UDP port 443. If that port is already used by a web server, the VPN server will probably fail to start. We’ll see how to change the port in the OpenConnect VPN configuration file later.

If there is a firewall running on your server, you will need to open ports 80 and 443. For example, if you are using UFW, run the following command.

sudo ufw allow 80,443/tcp

Step 2: Install Let’s Encrypt Client (Certbot) on Ubuntu 20.04 Server

The gnutls-bin package installed with ocserv provides tools to generate your own CA and server certificate, but we will obtain and install a Let’s Encrypt certificate instead. The advantages of a Let’s Encrypt certificate are that it is free, easy to set up, and trusted by VPN client software.

Run the following command to install the Let’s Encrypt client (certbot) from the default Ubuntu repository.

sudo apt install certbot

To check the version number, run

certbot --version

Sample output:

certbot 0.40.0

Step 3: Get a trusted TLS certificate from Let’s Encrypt

I recommend using either the standalone plugin or the webroot plugin to obtain the TLS certificate for ocserv.

Standalone plugin

If there is no web server running on Ubuntu 20.04 and you want the OpenConnect VPN server to use port 443, you can use the standalone plugin to obtain a TLS certificate from Let’s Encrypt. Run the following command. Don’t forget to create a DNS A record for your domain name first.

sudo certbot certonly --standalone --preferred-challenges http --agree-tos --email you@example.com -d vpn.example.com

Where:

  • certonly: Obtain a certificate but don’t install it.
  • --standalone: Use the standalone plugin to obtain the certificate.
  • --preferred-challenges http: Perform an http-01 challenge to validate our domain, which uses port 80.
  • --agree-tos: Agree to the Let’s Encrypt Terms of Service.
  • --email: The email address used to register and recover the account.
  • -d: Specify your domain name.

As you can see from the following screenshot, you have successfully obtained the certificate.

Use the webroot plugin

If your Ubuntu 20.04 server has a web server listening on ports 80 and 443, it’s a good idea to use the webroot plugin to obtain the certificate, because the webroot plugin works with almost every web server and we don’t need to install the certificate in the web server.

First, you need to create a virtual host for vpn.example.com.

Apache

If you are using Apache, then

sudo nano /etc/apache2/sites-available/vpn.example.com.conf

And paste the following lines into the file.

<VirtualHost *:80>
        ServerName vpn.example.com
        DocumentRoot /var/www/ocserv
</VirtualHost>

Save and close the file. Then create a web root directory.

sudo mkdir /var/www/ocserv

Set www-data (the Apache user) as the owner of the web root.

sudo chown www-data:www-data /var/www/ocserv -R

Enable this virtual host.

sudo a2ensite vpn.example.com

Reload Apache for the changes to take effect.

sudo systemctl reload apache2

Once the virtual host is created and enabled, run the following command to get the Let’s Encrypt certificate using the webroot plugin.

sudo certbot certonly --webroot --agree-tos --email you@example.com -d vpn.example.com -w /var/www/ocserv

Nginx

If you are using Nginx, then

sudo nano /etc/nginx/conf.d/vpn.example.com.conf

Paste the following lines into the file.

server {
      listen 80;
      server_name vpn.example.com;

      root /var/www/ocserv/;

      location ~ /.well-known/acme-challenge {
         allow all;
      }
}

Save and close the file. Then create a web root directory.

sudo mkdir -p /var/www/ocserv

Set www-data (the Nginx user) as the owner of the web root.

sudo chown www-data:www-data /var/www/ocserv -R

Reload Nginx for the changes to take effect.

sudo systemctl reload nginx

Once the virtual host is created and enabled, run the following command to get the Let’s Encrypt certificate using the webroot plugin.

sudo certbot certonly --webroot --agree-tos --email you@example.com -d vpn.example.com -w /var/www/ocserv

Step 4: Edit the OpenConnect VPN server configuration file

Edit the main ocserv configuration file.

sudo nano /etc/ocserv/ocserv.conf

First, we need to configure password authentication. By default, password authentication is enabled through PAM (Pluggable Authentication Modules), which lets you use Ubuntu system accounts to log in from VPN clients. This behavior can be disabled by commenting out the following line.

auth = "pam[gid-min=1000]"

If we want users to log in with separate VPN accounts instead of system accounts, we need to add the following line to enable password authentication with a password file.

auth = "plain[passwd=/etc/ocserv/ocpasswd]"

After we’ve finished editing this configuration file, we’ll see how to use the ocpasswd tool to create the /etc/ocserv/ocpasswd file, which contains a list of usernames and their encrypted (hashed) passwords.

Note: ocserv supports client certificate authentication, but Let’s Encrypt does not issue client certificates. You would need to set up your own Certificate Authority (CA) to issue client certificates.

Then, if you don’t want ocserv to use TCP and UDP port 443, find the following two lines and change the port number. Otherwise, leave them alone.

tcp-port = 443
udp-port = 443

Then find the following two lines. We need to change them.

server-cert = /etc/ssl/certs/ssl-cert-snakeoil.pem
server-key = /etc/ssl/private/ssl-cert-snakeoil.key

Replace the defaults with the paths of the Let’s Encrypt server certificate and server key files.

server-cert = /etc/letsencrypt/live/vpn.example.com/fullchain.pem
server-key = /etc/letsencrypt/live/vpn.example.com/privkey.pem

Then set the maximum number of clients. The default is 128. Set it to zero for an unlimited number.

max-clients = 128

Set the number of devices a user can log in from at the same time. The default is 2. Set it to zero for an unlimited number.

max-same-clients = 2

By default, keepalive packets are sent every 300 seconds (5 minutes). I prefer a shorter interval (30 seconds) to reduce the chance of the VPN connection dropping.

keepalive = 30

Next, find the following line. Change false to true to enable MTU discovery, which can improve VPN performance.

try-mtu-discovery = false

You can set how long a client is allowed to remain idle before it is disconnected via the following two parameters. If you prefer clients to stay connected indefinitely, comment out these two parameters.

idle-timeout = 1200
mobile-idle-timeout = 1800

Next, set the default domain to vpn.example.com.

default-domain = vpn.example.com

The default IPv4 network configuration is as follows. This will cause problems because many home routers also use the 192.168.1.0/24 range for their LAN.

ipv4-network = 192.168.1.0
ipv4-netmask = 255.255.255.0

We can use another private IP address range (10.10.10.0/24) to avoid IP address collisions, so change the value of ipv4-network to

ipv4-network = 10.10.10.0

Now uncomment the following line to send all DNS queries through the VPN.

tunnel-all-dns = true

The default DNS resolver addresses are as follows, which is fine.

dns = 8.8.8.8
dns = 1.1.1.1

Note: If you are a VPN service provider, it is a good idea to run your own DNS resolver on the same server. If there is a DNS resolver running on the same server, specify the DNS as

dns = 10.10.10.1

10.10.10.1 is the IP address of the OpenConnect VPN server in the VPN LAN. This slightly speeds up DNS lookups for clients because the network latency between the VPN server and the DNS resolver is eliminated.

Then comment out all the route parameters (add a # at the beginning of the following 4 lines), which makes the server the default gateway for clients.

route = 10.0.0.0/8
route = 172.16.0.0/12
route = 192.168.0.0/16
no-route = 192.168.5.0/255.255.255.0

Save and close the file and restart the VPN server for the changes to take effect.

sudo systemctl restart ocserv
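The Step 4 edits above can also be applied with a script instead of by hand, which makes them repeatable and lets you verify the result before restarting the service. The following is an added example, not code from the original tutorial or from the ocserv project. It assumes GNU sed as shipped on Ubuntu 20.04 and the stock "key = value" layout of ocserv.conf; the helper names set_key, apply_ocserv_edits, check_ocserv_edits and write_sample_conf are my own, and the ocserv.conf excerpt it edits is a constructed sample so the script runs against a temporary file rather than the real one.

```shell
#!/bin/sh
# Added example (not from the original tutorial or the ocserv project).
# Applies the Step 4 edits to an ocserv.conf with sed, then verifies them.
# Assumes GNU sed (Ubuntu 20.04). On a real server, back up the file first:
#   cp /etc/ocserv/ocserv.conf /etc/ocserv/ocserv.conf.bak
#   apply_ocserv_edits /etc/ocserv/ocserv.conf vpn.example.com
#   check_ocserv_edits /etc/ocserv/ocserv.conf && systemctl restart ocserv

# set_key CONF KEY VALUE: rewrite an existing (possibly commented-out) "KEY = ..."
# line in place, or append one. Not for keys that legitimately repeat (dns, route).
set_key() {
    if grep -Eq "^#?[[:space:]]*$2[[:space:]]*=" "$1"; then
        sed -E -i "s@^#?[[:space:]]*$2[[:space:]]*=.*@$2 = $3@" "$1"
    else
        printf '%s = %s\n' "$2" "$3" >> "$1"
    fi
}

# apply_ocserv_edits CONF DOMAIN: the changes described in Step 4.
apply_ocserv_edits() {
    conf="$1"
    domain="$2"
    # Disable login with system accounts (PAM) and enable the ocpasswd file.
    sed -E -i 's@^auth = "pam\[gid-min=1000]"@#&@' "$conf"
    if grep -Eq '^#?auth = "plain\[' "$conf"; then
        sed -E -i 's@^#?auth = "plain\[.*@auth = "plain[passwd=/etc/ocserv/ocpasswd]"@' "$conf"
    else
        printf '%s\n' 'auth = "plain[passwd=/etc/ocserv/ocpasswd]"' >> "$conf"
    fi
    # Let's Encrypt certificate chain and private key for DOMAIN.
    set_key "$conf" server-cert "/etc/letsencrypt/live/$domain/fullchain.pem"
    set_key "$conf" server-key "/etc/letsencrypt/live/$domain/privkey.pem"
    # Keepalive, MTU discovery, default domain, VPN subnet and DNS tunnelling.
    set_key "$conf" keepalive 30
    set_key "$conf" try-mtu-discovery true
    set_key "$conf" default-domain "$domain"
    set_key "$conf" ipv4-network 10.10.10.0
    set_key "$conf" ipv4-netmask 255.255.255.0
    set_key "$conf" tunnel-all-dns true
    # Comment out every route/no-route line so the server is the default gateway.
    sed -E -i 's@^(no-)?route[[:space:]]*=@#&@' "$conf"
}

# check_ocserv_edits CONF: return 0 only if every expected setting is present
# and nothing we meant to disable is still active.
check_ocserv_edits() {
    conf="$1"
    for line in \
        'auth = "plain[passwd=/etc/ocserv/ocpasswd]"' \
        'keepalive = 30' \
        'try-mtu-discovery = true' \
        'ipv4-network = 10.10.10.0' \
        'tunnel-all-dns = true'; do
        if ! grep -Fqx "$line" "$conf"; then
            echo "missing: $line" >&2
            return 1
        fi
    done
    if grep -Eq '^auth = "pam' "$conf"; then
        echo "PAM authentication is still enabled" >&2
        return 1
    fi
    if grep -Eq '^(no-)?route[[:space:]]*=' "$conf"; then
        echo "a route line is still active" >&2
        return 1
    fi
    return 0
}

# write_sample_conf FILE: a constructed excerpt of a stock ocserv.conf, so the
# script can be exercised on a temporary file instead of /etc/ocserv/ocserv.conf.
write_sample_conf() {
    cat > "$1" <<'EOF'
auth = "pam[gid-min=1000]"
#auth = "plain[passwd=./sample.passwd]"
server-cert = /etc/ssl/certs/ssl-cert-snakeoil.pem
server-key = /etc/ssl/private/ssl-cert-snakeoil.key
keepalive = 300
try-mtu-discovery = false
default-domain = example.com
ipv4-network = 192.168.1.0
ipv4-netmask = 255.255.255.0
#tunnel-all-dns = true
dns = 8.8.8.8
dns = 1.1.1.1
route = 10.0.0.0/8
route = 172.16.0.0/12
route = 192.168.0.0/16
no-route = 192.168.5.0/255.255.255.0
EOF
}

# Dry run on a temporary copy.
demo() {
    tmp=$(mktemp)
    write_sample_conf "$tmp"
    apply_ocserv_edits "$tmp" vpn.example.com
    check_ocserv_edits "$tmp" && echo "Step 4 edits applied; review with: cat $tmp"
}
demo
```

The check function is the part worth keeping around: a typo in server-cert, server-key or the auth line leaves the VPN either down or accepting logins from the wrong set of accounts, and catching that before systemctl restart ocserv is cheaper than debugging it from a client.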

Step 5: Create VPN Accounts

Now use the ocpasswd tool to create VPN accounts.

sudo ocpasswd -c /etc/ocserv/ocpasswd username

You are…
