By Abdulaziz Gebril, Alibaba Cloud Community Blog author.
OpenConnect VPN server is an SSL VPN server follows the OpenConnect protocol and is compatible with CISCO's AnyConnect SSL VPN protocol. It provides the user management interfaces and back-end configurations necessary in enterprise environments as well as some powerful security features.
In this tutorial, you will be learning how to set up an OpenConnect VPN server in the cloud.
Don't have Alibaba Cloud account yet? Sign up to get $300 - $1200 Worth of Free Trial for your new Alibaba Cloud account.
In this tutorial, you will need a server installed with Ubuntu 18, which we should you how to update, that should have at least 512 MB of RAM. In the case that you will use Let's Encrypt SSL Certificates for your OpenConnect VPN server, you will also need a pointed domain to the Public IP address of your server. More on this below. Last, in this tutorial, you'll be configuring inbound and outbound firewall rules.
To ensure that your server is up to date, you can use the apt-get -y update command.
Firewall rules define what kind of Internet traffic is allowed or blocked. You can think of it as an additional protection layer provided by your hosting provider to take control of your traffic.
If your hosting provider asks you to configure the firewall rules of your traffic (Skip if not), you have to configure your firewall rules to allow your traffic though their network. Here is a list of mostly used default ports on servers:
20 – FTP
21 – FTP
22 – SSH
25 – SMTP/EMAIL
26 – SMTP
53 – BIND/DNS
80 – HTTP / Apache Web server
110 – POP3/EMAIL
143 – IMAP
443 – HTTPS / Apache Web server SSL
465 – SMTP/EMAIL SSL/TLS
873 – RSYNC
993 – IMAP/EMAIL SSL
995 – POP3/EMAIL SSL
3306 – MYSQL
The default ports used by OpenConnect VPN are the following:
| Protocol | Port |
|---|---|
| TCP | 443 |
| UDP | 443 |
For Alibaba Cloud customers, you can do that by Creating a security group and Adding security group rules to allow connections on these ports.
We can start the installation of our VPN Server by using the apt-get -y install ocserv command to install OpenConnect VPN Server and its dependencies.
You can use self-signed certificates or obtain a certificate from a trusted external certificate authority (CA). In this tutorial, i will explain how to generate Self-signed SSL certificates and Let's Encrypt SSL Certificates (free & trusted). You can choose one of them to be used for your OpenConnect VPN Server.
Using Let's Encrypt SSL Certificates is recommended, it’s secure and trusted certificate authority (CA). Be a ware that self-signed certificate is not trusted by operating systems, so the VPN client must skip certificate checking or confirm the certificate warning and allow the connection to be made to the VPN server.
We have to install GnuTLS package which we will use to create keys and certificates for the VPN server. To do this, use the apt-get -y install gnutls-bin command. Also, create a folder to build your certificates there by using the mkdir /root/certificates command. Then, navigate to the certificates directory: cd /root/certificates.
We need to create CA template with a file named ca.tmpl by using the nano ca.tmpl command. Then, put the following into the file and change “cn” and “organization” to your own.
cn = "VPN CA"
organization = "your organization"
serial = 1
expiration_days = 3650
ca
signing_key
cert_signing_key
crl_signing_key
Save the file and exit. Next, let’s generate the CA key and certificate. Use the command below:
certtool --generate-privkey --outfile ca-key.pem
Then use:
certtool --generate-self-signed --load-privkey ca-key.pem --template ca.tmpl --outfile ca-cert.pem
We also need to create Server template with a file named server.tmpl by using the following command:
nano server.tmpl
Then put the following into the file and change “cn” and “organization” to your own. The "cn" field must match the FQDN or IP address of your server.
cn = "YOUR SERVER IP or FQDN"
organization = "your organization"
serial = 2
expiration_days = 3650
signing_key
encryption_key
tls_www_server
Save the file and exit. Then, let’s generate the Server key and certificate. Use the command below:
certtool --generate-privkey --outfile server-key.pem
Then use:
certtool --generate-certificate --load-privkey server-key.pem --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem --template server.tmpl --outfile server-cert.pem
Move certificates from certificates directory to the ocserv config directory.
mv server-cert.pem server-key.pem /etc/ocserv/
Let's Encrypt is a free, automated, and open Certificate Authority (CA). It allows anyone to obtain a free SSL certificate within minutes. Certificates from Let's Encrypt are trusted by most modern operating systems and browsers.
For this part, we are going to use Certbot which is EFF's tool to obtain certs from Let's Encrypt.
Before you begin, make sure you have a Fully Qualified Domain Name (FQDN) with a DNS A record pointing to the Public IP address of your server, Let's Encrypt certificate authority will not issue certificates for IP address.
First, we will get the latest version of certbot from the official PPA by using the following command:
add-apt-repository -y ppa:certbot/certbot
Update our system with the apt-get -y update command, then install certbot tool using the apt-get -y install certbot command.
Let's Encrypt validates that you control the domain(s) you are requesting a certificate for.
We are going to use the dns challenge to prove you have control over a domain, certbot will ask you to place a TXT DNS record with specific contents under the domain name consisting of the hostname for which you want a certificate issued, prepended by _acme-challenge.
For example, for the hostname vpn.yourdomain.com, a zone file entry would look like:
_acme-challenge.vpn.yourdomain.com. 300 IN TXT "gfj9Xq...Rg85nM"
To start the process of generating Let's Encrypt SSL Certificate, use the following command:
certbot certonly --manual --preferred-challenges dns -d vpn.yourdomain.com
And it's easy from there.
Edit /etc/ocserv/ocserv.conf file by using the command below:
nano /etc/ocserv/ocserv.conf
By default, PAM authentication is enabled for the VPN users. In this tutorial, we will configure our VPN server to use password authentication for users. We can do that by commenting out this line:
auth = "pam[gid-min=1000]"
To be like this:
#auth = "pam[gid-min=1000]"
Then add this line:
auth = "plain[/etc/ocserv/ocpasswd]"
Next, find the following lines:
server-cert = /etc/pki/ocserv/public/server.crt
server-key = /etc/pki/ocserv/private/server.key
In case you choose to use self-signed SSL certificate for your OpenConnect VPN Server, then replace these lines with:
server-cert = /etc/ocserv/server-cert.pem
server-key = /etc/ocserv/server-key.pem
In case you choose to use Let's Encrypt SSL certificate for your OpenConnect VPN Server, then replace these lines with:
server-cert = /etc/letsencrypt/live/vpn.yourdomain.com/fullchain.pem
server-key = /etc/letsencrypt/live/vpn.yourdomain.com/privkey.pem
Next, we will enable MTU discovery by changing the value of:
try-mtu-discovery
From false to true, to be like this:
try-mtu-discovery = true
Next, we will enable tunneling all DNS queries via the VPN server. We can do that by uncommenting this line:
#tunnel-all-dns = true
To be like this:
tunnel-all-dns = true
Most home networks are using the range 192.168.1.0/24 as a private IP address range, to avoid IP address collision, we will use another private range 10.12.0.0/24 for our VPN. To do that, find the following lines:
ipv4-network = 192.168.1.0
ipv4-netmask = 255.255.255.0
and change the value of ipv4-network to be like this:
ipv4-network = 10.12.0.0
Next, we will change the DNS resolver of our VPN by finding the dns field and replace it with the DNS resolver that you want. We can use Google DNS resolver like below:
dns = 8.8.8.8
dns = 8.8.4.4
Next, comment out all route fields:
route = 192.168.1.0/255.255.255.0
#route = 192.168.5.0/255.255.255.0
route = fd91:6d87:7341:db6a::/64
no-route = 192.168.5.0/255.255.255.0
To be like this:
#route = 192.168.1.0/255.255.255.0
#route = 192.168.5.0/255.255.255.0
#route = fd91:6d87:7341:db6a::/64
#no-route = 192.168.5.0/255.255.255.0
The default port used by OpenConnect VPN is 443. Normally a port can only be used by one service. In case you want to use port 443 for another service such as running HTTPS websites on it, then you have to change ocserv listening port number to avoid conflicts.
You can do that by re-editing the /etc/ocserv/ocserv.conf file, then find the following lines and change 443 to the desired port number.
# TCP and UDP port number
tcp-port = 443
udp-port = 443
Also edit /lib/systemd/system/ocserv.socket file:
nano /lib/systemd/system/ocserv.socket
Then, change ListenStream 443 and ListenDatagram 443 to the same port number, then run the systemctl daemon-reload command.
After making these changes, save the file and exit, then restart the OpenConnect VPN server for the changes to take effect. You can do this by running the systemctl restart ocserv command.
If you choose to use Let's Encrypt SSL certificate for your OpenConnect VPN Server. We can Auto-Renew Let’s Encrypt Certificate by creating system task using the crontab -e
Then, add the following line at the end of the file. It will renew the certificate and restart the VPN server to pick up new certificate and key file.
@daily certbot renew --quiet && systemctl restart ocservFirst, you need to know the name of your main network interface by using the ifconfig command. The output will look like the following:
From the above output you can see, it’s named eth0 on my server. Now use the command below to Enable NAT:
iptables -t nat -A POSTROUTING -o MAIN_INTERFACE_NAME -j MASQUERADE
Replace MAIN_INTERFACE_NAME with the name of your main network interface. Next, to make your iptables changes persist across server reboots, we will install iptables-persistent package using the following command:
apt-get -y install iptables-persistent
Then run the command:
dpkg-reconfigure iptables-persistent
Select YES and press enter at the dialog, so that the iptables settings will be re-applied automatically if the server reboots.
Next, we will allow IP forwarding by editing /etc/sysctl.conf file nano /etc/sysctl.conf, and then Uncomment this line:
#net.ipv4.ip_forward=1
To be like this:
net.ipv4.ip_forward=1
Save the file and exit, then use the command so that change can take effect.
sysctl -p
In order to do that, we will use openconnect password (ocpasswd) utility. It allows the generation and handling of the password authentication used by OpenConnect VPN Server.
We can create users for our VPN by using the command below. For example we will create a user named "testuser".
ocpasswd -c /etc/ocserv/ocpasswd testuser
You will be asked to set a password for the user and to confirm it. We can use the same command to reset the password of the user.
Prevents the specified user from logging in by locking its password.
ocpasswd -c /etc/ocserv/ocpasswd -l username
Re−enables login for the specified user by unlocking its password.
ocpasswd -c /etc/ocserv/ocpasswd -u username
Deletes the specified user from the VPN server.
ocpasswd -c /etc/ocserv/ocpasswd -d username
To start using your VPN, you can connect using any VPN client that is compatible with CISCO AnyConnect SSL VPN protocol.
The following links are some options:
How to Backup and Restore MySQL Database with mysqldump Command
2,605 posts | 747 followers
FollowAlibaba Clouder - August 2, 2019
Alibaba Clouder - August 19, 2020
Alibaba Clouder - April 7, 2021
Alibaba Clouder - January 11, 2021
Alibaba Clouder - August 9, 2018
Alibaba Clouder - July 6, 2021
2,605 posts | 747 followers
Follow
ECS(Elastic Compute Service)
Elastic and secure virtual cloud servers to cater all your cloud hosting needs.
Learn More
VPN Gateway
VPN Gateway is an Internet-based service that establishes a connection between a VPC and your on-premise data center.
Learn More
CEN
A global network for rapidly building a distributed business system and hybrid cloud to help users create a network with enterprise level-scalability and the communication capabilities of a cloud network
Learn MoreMore Posts by Alibaba Clouder