By Abdulaziz Gebril, Alibaba Cloud Community Blog author.
OpenConnect VPN server (ocserv) is an SSL VPN server that implements the OpenConnect protocol and is compatible with Cisco's AnyConnect SSL VPN protocol. It provides the user-management interfaces and back-end configuration needed in enterprise environments, along with several strong security features.
In this tutorial, you will be learning how to set up an OpenConnect VPN server in the cloud.
In this tutorial, you will need a server running Ubuntu 18.04 (we show how to update it below) with at least 512 MB of RAM. If you will use Let's Encrypt SSL certificates for your OpenConnect VPN server, you will also need a domain name pointed at the public IP address of your server. More on this below. Last, you will be configuring inbound and outbound firewall rules.
To ensure that your server is up to date, refresh the package index and install the pending upgrades:
apt-get update && apt-get -y upgrade
(apt-get update alone only refreshes the package lists; it does not install anything.)
Firewall rules define what kind of Internet traffic is allowed or blocked. You can think of them as an additional protection layer provided by your hosting provider to control your traffic.
If your hosting provider asks you to configure the firewall rules for your traffic (skip this if not), you have to configure the rules to allow your traffic through their network. Open only what the server actually serves; for a dedicated VPN server that is SSH plus the VPN ports. Here is a list of the most commonly used default ports on servers:
20 – FTP (data)
21 – FTP (control)
22 – SSH
25 – SMTP/EMAIL
26 – SMTP (alternate)
53 – BIND/DNS
80 – HTTP / Apache web server
110 – POP3/EMAIL
143 – IMAP
443 – HTTPS / Apache web server SSL
465 – SMTP/EMAIL SSL/TLS
873 – RSYNC
993 – IMAP/EMAIL SSL
995 – POP3/EMAIL SSL
3306 – MYSQL
The default ports used by OpenConnect VPN are TCP 443 for the TLS control channel and UDP 443 for the DTLS data channel (if UDP is blocked, clients fall back to TCP only, which works but is slower). Allow both inbound, or whichever port you choose in the configuration section below.
We can start the installation of our VPN server by installing OpenConnect VPN Server (ocserv) and its dependencies:
apt-get -y install ocserv
You can use self-signed certificates or obtain a certificate from a trusted external certificate authority (CA). In this tutorial, I will explain how to generate self-signed SSL certificates and how to obtain Let's Encrypt SSL certificates (free and trusted). You can choose either of them for your OpenConnect VPN server.
Using Let's Encrypt SSL certificates is recommended: it is a secure and trusted CA, so clients verify the server with no extra setup. Be aware that a self-signed certificate is not trusted by operating systems, so a VPN client will show a certificate warning. Do not train users to skip certificate checking; that removes the only protection against someone impersonating the VPN server. Instead, distribute the CA certificate generated below (ca-cert.pem) to the clients and have them trust it, so that the server certificate validates normally.
We have to install the GnuTLS package, which we will use to create keys and certificates for the VPN server:
apt-get -y install gnutls-bin
Also, create a folder to build your certificates in, and navigate to it:
mkdir /root/certificates
cd /root/certificates
We need to create a CA template in a file named ca.tmpl:
nano ca.tmpl
Then, put the following into the file and change "cn" and "organization" to your own.
cn = "VPN CA"
organization = "your organization"
serial = 1
expiration_days = 3650
ca
signing_key
cert_signing_key
crl_signing_key
Save the file and exit. Next, let's generate the CA key and the self-signed CA certificate. Use the commands below:
certtool --generate-privkey --outfile ca-key.pem
certtool --generate-self-signed --load-privkey ca-key.pem --template ca.tmpl --outfile ca-cert.pem
We also need to create a server template in a file named server.tmpl:
nano server.tmpl
Then put the following into the file and change "cn" and "organization" to your own. The "cn" field must match the FQDN or IP address that clients will connect to. Note that current clients and TLS libraries check the Subject Alternative Name rather than the CN, so certtool's dns_name template option (or ip_address for a bare IP) should carry the same value.
cn = "YOUR SERVER IP or FQDN"
organization = "your organization"
serial = 2
expiration_days = 3650
signing_key
encryption_key
tls_www_server
Save the file and exit. Then, let's generate the server key and a server certificate signed by our CA. Use the commands below:
certtool --generate-privkey --outfile server-key.pem
certtool --generate-certificate --load-privkey server-key.pem --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem --template server.tmpl --outfile server-cert.pem
Move the server certificate and key from the certificates directory to the ocserv config directory. Keep the private key readable by root only (mode 600). ca-key.pem never leaves /root/certificates; ca-cert.pem is the file you hand to clients so they can verify the server.
mv server-cert.pem server-key.pem /etc/ocserv/
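The whole self-signed procedure as one script, an added example that is not part of the original tutorial. It assumes the same paths as above (/root/certificates and /etc/ocserv) and takes the host name and organization from the environment (VPN_HOST and VPN_ORG are placeholders); beyond the steps above it adds the Subject Alternative Name line, checks the issued certificate, and keeps the private keys root-only. Run it as sh gen-certs.sh apply.

```sh
#!/bin/sh
# Added example, not from the original tutorial: generate the private CA and
# the ocserv server certificate with GnuTLS certtool, including a Subject
# Alternative Name, and install them with safe permissions. CERT_DIR, VPN_HOST
# and VPN_ORG are assumed values; override them in the environment.
set -eu

CERT_DIR="${CERT_DIR:-/root/certificates}"
VPN_HOST="${VPN_HOST:-vpn.yourdomain.com}"   # FQDN or public IP clients will use
VPN_ORG="${VPN_ORG:-your organization}"

# san_line <host>: the certtool template line that puts <host> into the SAN.
# A value made only of digits and dots is treated as an IPv4 address.
san_line() {
    case "$1" in
        *[!0-9.]*) printf 'dns_name = "%s"\n' "$1" ;;
        *)         printf 'ip_address = "%s"\n' "$1" ;;
    esac
}

# write_templates <dir> <host> <org>: write ca.tmpl and server.tmpl.
write_templates() {
    cat > "$1/ca.tmpl" <<EOF
cn = "VPN CA"
organization = "$3"
serial = 1
expiration_days = 3650
ca
signing_key
cert_signing_key
crl_signing_key
EOF
    # Clients that ignore the CN (current TLS libraries) still match the SAN.
    cat > "$1/server.tmpl" <<EOF
cn = "$2"
organization = "$3"
serial = 2
expiration_days = 3650
$(san_line "$2")
signing_key
encryption_key
tls_www_server
EOF
}

# generate <dir>: create keys and certificates in <dir>, then install the
# server pair into /etc/ocserv. Runs in a subshell so cd/umask do not leak.
generate() (
    cd "$1"
    umask 077                                   # private keys: root-only
    certtool --generate-privkey --outfile ca-key.pem
    certtool --generate-self-signed --load-privkey ca-key.pem \
        --template ca.tmpl --outfile ca-cert.pem
    certtool --generate-privkey --outfile server-key.pem
    certtool --generate-certificate --load-privkey server-key.pem \
        --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem \
        --template server.tmpl --outfile server-cert.pem
    # Check: the issued certificate must carry the SAN and the server purpose;
    # grep exits non-zero (and so does the script) if neither is present.
    certtool -i --infile server-cert.pem | grep -E 'DNSname|IPAddress|TLS WWW Server'
    install -m 600 server-key.pem /etc/ocserv/server-key.pem
    install -m 644 server-cert.pem /etc/ocserv/server-cert.pem
    # ca-cert.pem is what clients must import; ca-key.pem never leaves this host.
    chmod 644 ca-cert.pem
)

case "${1:-}" in
    apply)
        mkdir -p "$CERT_DIR"
        write_templates "$CERT_DIR" "$VPN_HOST" "$VPN_ORG"
        generate "$CERT_DIR" ;;
esac
```

Copy /root/certificates/ca-cert.pem to each client and import it there; the server then validates like any other certificate and nobody has to click through a warning.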
Let's Encrypt is a free, automated, and open Certificate Authority (CA). It allows anyone to obtain a free SSL certificate within minutes. Certificates from Let's Encrypt are trusted by most modern operating systems and browsers.
For this part, we are going to use Certbot which is EFF's tool to obtain certs from Let's Encrypt.
Before you begin, make sure you have a fully qualified domain name (FQDN) with a DNS A record pointing to the public IP address of your server; the Let's Encrypt certificate authority will not issue certificates for IP addresses.
First, add the official Certbot PPA to get the latest version of certbot:
add-apt-repository -y ppa:certbot/certbot
Update the package index and install the certbot tool:
apt-get -y update
apt-get -y install certbot
Let's Encrypt validates that you control the domain(s) you are requesting a certificate for.
We are going to use the DNS challenge to prove that you control the domain: certbot will ask you to place a TXT DNS record with specific contents at a name consisting of the hostname for which you want a certificate issued, prefixed with _acme-challenge.
For example, for the hostname vpn.yourdomain.com, a zone file entry would look like:
_acme-challenge.vpn.yourdomain.com. 300 IN TXT "gfj9Xq...Rg85nM"
To start the process of generating the Let's Encrypt SSL certificate, use the following command:
certbot certonly --manual --preferred-challenges dns -d vpn.yourdomain.com
Certbot prints the TXT value to publish. Create the record at your DNS provider, wait until it is visible from the Internet (query it with dig or nslookup; the record's TTL is a guide), then press Enter to let the validation proceed. On success the certificate and key are written to /etc/letsencrypt/live/vpn.yourdomain.com/ (fullchain.pem and privkey.pem). One caveat: a certificate obtained with --manual cannot be renewed unattended by certbot renew unless you also supply a --manual-auth-hook script that publishes the new TXT record. If you can open TCP port 80 on the server, the standalone HTTP challenge (the --standalone authenticator) is simpler to automate and does not clash with ocserv on port 443.
Edit the /etc/ocserv/ocserv.conf file:
nano /etc/ocserv/ocserv.conf
By default, PAM authentication is enabled for the VPN users, which means every VPN user needs a system account on the server. In this tutorial, we will configure our VPN server to use a separate password file for users, which keeps VPN accounts out of the system password database. We can do that by commenting out this line:
auth = "pam[gid-min=1000]"
To be like this:
#auth = "pam[gid-min=1000]"
Then add this line:
auth = "plain[/etc/ocserv/ocpasswd]"
(Newer ocserv releases document this backend as plain[passwd=/etc/ocserv/ocpasswd]; check the sample configuration shipped with your version if ocserv refuses the bare path form.)
Next, find the following lines:
server-cert = /etc/pki/ocserv/public/server.crt
server-key = /etc/pki/ocserv/private/server.key
If you chose the self-signed SSL certificate for your OpenConnect VPN server, replace these lines with:
server-cert = /etc/ocserv/server-cert.pem
server-key = /etc/ocserv/server-key.pem
If you chose the Let's Encrypt SSL certificate for your OpenConnect VPN server, replace these lines with the following (fullchain.pem includes the intermediate certificate, which clients need to build the trust chain):
server-cert = /etc/letsencrypt/live/vpn.yourdomain.com/fullchain.pem
server-key = /etc/letsencrypt/live/vpn.yourdomain.com/privkey.pem
Next, we will enable MTU discovery by changing the value of:
try-mtu-discovery = false
From false to true, to be like this:
try-mtu-discovery = true
Next, we will tunnel all DNS queries via the VPN server, so that clients cannot leak their DNS lookups outside the tunnel. We can do that by uncommenting this line:
#tunnel-all-dns = true
To be like this:
tunnel-all-dns = true
Most home networks use the 192.168.1.0/24 private range; to avoid an address collision between a client's own LAN and the VPN, we will use another private range, 10.12.0.0/24, for our VPN. To do that, find the following lines:
ipv4-network = 192.168.1.0
ipv4-netmask = 255.255.255.0
and change the value of ipv4-network, leaving the netmask as it is, to be like this:
ipv4-network = 10.12.0.0
Next, we will change the DNS resolver of our VPN by finding the dns field and replacing it with the resolver you want (any dns lines already present, such as a LAN resolver, should be removed or commented out). We can use Google's public DNS resolvers like below:
dns = 8.8.8.8
dns = 8.8.4.4
Next, comment out all route and no-route fields. With no route directives, ocserv pushes a default route to the client, so all client traffic (not just selected subnets) goes through the VPN; that is what the NAT configured later is for.
route = 192.168.1.0/255.255.255.0
#route = 192.168.5.0/255.255.255.0
route = fd91:6d87:7341:db6a::/64
no-route = 192.168.5.0/255.255.255.0
To be like this:
#route = 192.168.1.0/255.255.255.0
#route = 192.168.5.0/255.255.255.0
#route = fd91:6d87:7341:db6a::/64
#no-route = 192.168.5.0/255.255.255.0
The default port used by OpenConnect VPN is 443. Normally a port can only be used by one service. If you want to use port 443 for another service, such as an HTTPS website, you have to change the ocserv listening port to avoid conflicts. (Keep in mind that 443 is also the port most likely to be reachable from restrictive networks, which is why it is the default.)
You can do that by re-editing the /etc/ocserv/ocserv.conf file, then finding the following lines and changing 443 to the desired port number:
# TCP and UDP port number
tcp-port = 443
udp-port = 443
On Ubuntu the ocserv package is socket-activated, so the same port is also hard-coded in /lib/systemd/system/ocserv.socket. Change
ListenStream=443
and
ListenDatagram=443
to the same port number (the unit file uses the key=value form), then run
systemctl daemon-reload
Edits under /lib/systemd/system are overwritten by the next package upgrade; a drop-in override created with systemctl edit ocserv.socket survives upgrades and is the cleaner way to make this change. Remember to open the new port in the firewall as well.
After making these changes, save the file and exit, then restart the OpenConnect VPN server for the changes to take effect. You can do this by running:
systemctl restart ocserv
Check that it started cleanly with systemctl status ocserv; a wrong certificate path or a syntax error in ocserv.conf shows up there.
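The edits from this section and the port change, applied with a script, as an added example that is not code from the original tutorial. It assumes the Let's Encrypt paths for the placeholder host vpn.yourdomain.com (pass the self-signed paths to apply_conf instead if that is your setup), writes the auth line in the passwd= form documented by current ocserv, overrides ocserv.socket with a drop-in rather than editing /lib, and refuses to restart ocserv if any check fails. Run it as sh ocserv-conf.sh apply, with VPN_PORT set in the environment if you want to move off 443.

```sh
#!/bin/sh
# Added example, not from the original tutorial: apply the ocserv.conf changes
# described above with sed (safe to re-run) and verify the result before
# restarting. CONF, VPN_HOST and VPN_PORT are assumed values; override by env.
set -eu

CONF="${CONF:-/etc/ocserv/ocserv.conf}"
VPN_HOST="${VPN_HOST:-vpn.yourdomain.com}"   # assumed FQDN (Let's Encrypt paths below)

# set_opt <file> <key> <value>: turn a "key = ..." line, commented or not,
# into "key = value"; append the line if the key is not present at all.
set_opt() {
    f="$1" k="$2" v="$3"
    if grep -Eq "^#?[[:space:]]*$k[[:space:]]*=" "$f"; then
        sed -i -E "s|^#?[[:space:]]*$k[[:space:]]*=.*|$k = $v|" "$f"
    else
        printf '%s = %s\n' "$k" "$v" >> "$f"
    fi
}

# comment_all <file> <key>: disable every active "key = ..." line.
comment_all() {
    sed -i -E "s|^($2[[:space:]]*=)|#\1|" "$1"
}

# apply_conf <file> <server-cert> <server-key>: the edits from this section.
apply_conf() {
    f="$1"
    comment_all "$f" auth                      # drop PAM (system accounts)
    printf 'auth = "plain[passwd=/etc/ocserv/ocpasswd]"\n' >> "$f"
    set_opt "$f" server-cert "$2"
    set_opt "$f" server-key "$3"
    set_opt "$f" try-mtu-discovery true
    set_opt "$f" tunnel-all-dns true           # no DNS leaks outside the tunnel
    set_opt "$f" ipv4-network 10.12.0.0        # avoid the common 192.168.1.0/24
    set_opt "$f" ipv4-netmask 255.255.255.0
    comment_all "$f" dns                       # replace any resolver already set
    printf 'dns = 8.8.8.8\ndns = 8.8.4.4\n' >> "$f"
    comment_all "$f" route                     # no routes => full tunnel
    comment_all "$f" no-route
}

# check_conf <file>: exit non-zero if any setting that matters for security
# did not take, printing what is wrong.
check_conf() {
    f="$1" ok=0
    grep -q '^auth = "plain\[' "$f"          || { echo "plain auth backend not active"; ok=1; }
    ! grep -q '^auth = "pam' "$f"            || { echo "PAM auth still active"; ok=1; }
    grep -q '^tunnel-all-dns = true' "$f"    || { echo "tunnel-all-dns not enabled: DNS leak"; ok=1; }
    ! grep -Eq '^(no-)?route = ' "$f"        || { echo "route lines active: split tunnel"; ok=1; }
    [ "$(grep -c '^dns = ' "$f")" -ge 1 ]    || { echo "no dns resolver pushed to clients"; ok=1; }
    return $ok
}

# set_port <file> <port>: move ocserv off 443. The packaged ocserv.socket also
# hard-codes 443, so override it with a drop-in rather than editing /lib.
set_port() {
    set_opt "$1" tcp-port "$2"
    set_opt "$1" udp-port "$2"
    mkdir -p /etc/systemd/system/ocserv.socket.d
    cat > /etc/systemd/system/ocserv.socket.d/port.conf <<EOF
[Socket]
ListenStream=
ListenDatagram=
ListenStream=$2
ListenDatagram=$2
EOF
    systemctl daemon-reload
}

case "${1:-}" in
    apply)
        apply_conf "$CONF" "/etc/letsencrypt/live/$VPN_HOST/fullchain.pem" \
                           "/etc/letsencrypt/live/$VPN_HOST/privkey.pem"
        [ -z "${VPN_PORT:-}" ] || set_port "$CONF" "$VPN_PORT"
        check_conf "$CONF" && systemctl restart ocserv ;;
esac
```

The empty ListenStream= and ListenDatagram= lines in the drop-in clear the list inherited from the packaged unit before the new port is added; without them systemd would listen on both 443 and the new port.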
If you chose the Let's Encrypt SSL certificate for your OpenConnect VPN server, note that it is valid for only 90 days. We can auto-renew it by adding a scheduled task to root's crontab:
crontab -e
Then, add the following line at the end of the file. It checks daily whether the certificate is due for renewal and, only when a new certificate was actually issued, restarts the VPN server so that it picks up the new certificate and key (a plain "&& systemctl restart ocserv" would instead disconnect every user once a day):
@daily certbot renew --quiet --deploy-hook "systemctl restart ocserv"
Unattended renewal requires a challenge certbot can repeat on its own; a certificate obtained with --manual and no --manual-auth-hook will not renew this way.
First, you need to know the name of your main network interface (the one that holds the public IP address). You can list interfaces with the
ifconfig command (on Ubuntu 18.04 it is provided by the net-tools package; ip addr and ip route show default work without it). The output will look like the following:
From the output you can see it is named eth0 on my server. Now use the command below to enable NAT for the VPN clients:
iptables -t nat -A POSTROUTING -o MAIN_INTERFACE_NAME -j MASQUERADE
Replace MAIN_INTERFACE_NAME with the name of your main network interface. As written, the rule masquerades everything that leaves that interface; adding -s 10.12.0.0/24 limits it to the VPN subnet, which is all it needs to cover. Next, to make your iptables changes persist across server reboots, install the iptables-persistent package:
apt-get -y install iptables-persistent
Then run the command:
Select Yes and press Enter at the dialog, so that the current rules are saved (to /etc/iptables/rules.v4) and re-applied automatically if the server reboots.
Next, we will allow IP forwarding, which the kernel needs in order to pass packets between the VPN tunnel and the main interface, by editing the /etc/sysctl.conf file:
nano /etc/sysctl.conf
Uncomment this line:
#net.ipv4.ip_forward=1
To be like this:
net.ipv4.ip_forward=1
Save the file and exit, then apply the setting without a reboot:
sysctl -p
To create VPN users, we will use the OpenConnect password (ocpasswd) utility. It generates and maintains the password file used by the plain authentication backend configured above.
We can create users for our VPN with the command below. For example, we will create a user named "testuser":
ocpasswd -c /etc/ocserv/ocpasswd testuser
You will be asked to set a password for the user and to confirm it. The same command resets the password of an existing user. The file stores password hashes, but it should still be readable by root only (mode 600), and each person should get their own account so that a compromised password can be locked individually.
To prevent the specified user from logging in, lock their password:
ocpasswd -c /etc/ocserv/ocpasswd -l username
To re-enable login for the specified user, unlock their password:
ocpasswd -c /etc/ocserv/ocpasswd -u username
To delete the specified user from the VPN server:
ocpasswd -c /etc/ocserv/ocpasswd -d username
To start using your VPN, connect with any VPN client compatible with the Cisco AnyConnect SSL VPN protocol, for example the open-source OpenConnect client (the openconnect package on Linux, OpenConnect-GUI on Windows and macOS) or Cisco's own AnyConnect clients, including the mobile apps. Point the client at your server's FQDN (or its IP address with the self-signed setup, in which case it must match the certificate's cn) and, if you changed the port, at FQDN:port.
The following links are some options:
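Connecting from a Linux client with the openconnect command-line client, as an added example that is not from the original page. The host, user, port and CA file path are assumptions. The point it makes is that with the self-signed setup the client is handed ca-cert.pem rather than told to skip verification, and that after connecting you can confirm the default route really goes through the tunnel. Run sh vpn-client.sh connect, then sh vpn-client.sh check in another terminal.

```sh
#!/bin/sh
# Added example, not from the original tutorial: connect from a Linux machine
# with the openconnect CLI without weakening certificate verification, and
# check afterwards that all traffic really goes through the tunnel.
# VPN_HOST, VPN_USER, VPN_PORT and CA_FILE are assumed values.
set -eu

VPN_HOST="${VPN_HOST:-vpn.yourdomain.com}"
VPN_PORT="${VPN_PORT:-443}"
VPN_USER="${VPN_USER:-testuser}"
CA_FILE="${CA_FILE:-}"    # ca-cert.pem copied from the server; empty for Let's Encrypt

# trust_args <ca-file>: verification options for openconnect. With a Let's
# Encrypt certificate the system trust store is enough, so nothing is added;
# with the private CA, pass its certificate with --cafile. Never fall back
# to --no-cert-check: that lets anyone impersonate the VPN server.
trust_args() {
    [ -n "$1" ] || return 0
    [ -r "$1" ] || { echo "CA file '$1' is not readable" >&2; return 1; }
    printf '%s %s' --cafile "$1"
}

# tunnel_is_default <route-line>: true when the default route (first line of
# "ip route show default") leaves via the VPN interface, i.e. full tunnel.
tunnel_is_default() {
    case "$1" in
        default*" dev tun"*|default*" dev vpn"*) return 0 ;;
        *) return 1 ;;
    esac
}

case "${1:-}" in
    connect)
        args=$(trust_args "$CA_FILE")
        # $args is intentionally unquoted: it is either empty or two words.
        sudo openconnect --user "$VPN_USER" $args "https://$VPN_HOST:$VPN_PORT" ;;
    check)
        if tunnel_is_default "$(ip route show default | head -n 1)"; then
            echo "OK: default route goes through the VPN"
        else
            echo "WARNING: default route bypasses the VPN; check the route lines in ocserv.conf" >&2
            exit 1
        fi ;;
esac
```

If openconnect still reports a certificate error with --cafile, the certificate's cn/SAN does not match the name you connect to; fix the server certificate rather than disabling the check.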