• UID1605
  • Fans1
  • Follows1
  • Posts3

Alibaba Cloud Tech Share - Install OpenConnect VPN Server for Cisco AnyConnect on Ubuntu 16.04 x64

More Posted time:Jan 19, 2017 12:38 PM
Alibaba Cloud Tech Share - Install OpenConnect VPN Server for Cisco AnyConnect on Ubuntu 16.04 x64
in this tutorial i want to install OpenConnect VPN server in Ubuntu 16.04 x64. OpenConnect is an SSL VPN client initially created to support Cisco's AnyConnect SSL VPN. It has since been ported to support the Juniper SSL VPN which is now known as Pulse Connect Secure.
OpenConnect server, also known as ocserv. you can use OpenConnect to have secure connect in many platform like Linux,Windows,Android, ...
OpenConnect is released under the GNU Lesser Public License, version 2.1.

OpenConnect original site

Installing ocserv
ocserv not exists in ubuntu package and must be compiled from source code.
we will have to download the source code and compile it. The latest stable version of ocserv is 0.9.2.
[saeed@localhost ~]$ tar -xf ocserv-0.9.2.tar.xz
[saeed@localhost ~]$ cd ocserv-0.9.2

Next, install the compile dependencies.
[saeed@localhost ocserv-0.9.2]$ sudo apt-get install build-essential pkg-config libgnutls28-dev libwrap0-dev libpam0g-dev libseccomp-dev libreadline-dev libnl-route-3-dev

Compile and install ocserv.
[saeed@localhost ocserv-0.9.2]$ ./configure
[saeed@localhost ocserv-0.9.2]$ make
[saeed@localhost ocserv-0.9.2]$ sudo make install

Configuring ocserv

A sample config file is placed under the directory ocser0.9.2/doc. We will use this file as a template. At first, we have to make our own CA cert and server cert.
[saeed@localhost ocserv-0.9.2]$ cd ~
[saeed@localhost ~]$ sudo apt-get install gnutls-bin
[saeed@localhost ~]$ mkdir certificates
[saeed@localhost ~]$ cd certificates

We create a CA template file (ca.tmpl) with the content similar to the following. You can set your own "cn" and "organization".
cn = "VPN CA"
organization = "Big Corp"
serial = 1
expiration_days = 3650

Then, generate a CA key and CA cert.
[saeed@localhost certificates]$ certtool --generate-privkey --outfile ca-key.pem
[saeed@localhost certificates]$ certtool --generate-self-signed --load-privkey ca-key.pem --template ca.tmpl --outfile ca-cert.pem

Next, create a local server certificate template file (server.tmpl) with the the content below. Please pay attention to the "cn" field, it must match the DNS name or IP address of your server.
cn = "you domain name or ip"
organization = "MyCompany"
expiration_days = 3650

Then, generate the server key and certificate.
[saeed@localhost certificates]$ certtool --generate-privkey --outfile server-key.pem
[saeed@localhost certificates]$ certtool --generate-certificate --load-privkey server-key.pem --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem --template server.tmpl --outfile server-cert.pem

Copy the key, certificate, and config file to the ocserv config directory.
[saeed@localhost ~]$ mkdir /etc/ocserv
[saeed@localhost ~]$ cp server-cert.pem server-key.pem /etc/ocserv
[saeed@localhost ~]$ cd ~/ocserv-0.9.2/doc
[saeed@localhost ~]$ cp sample.config /etc/ocserv/config
[saeed@localhost ~]$ cd /etc/ocserv

Edit the config file under /etc/ocserv. Uncomment or modify the fields described below.
auth = "plain[/etc/ocserv/ocpasswd]"

try-mtu-discovery = true

server-cert = /etc/ocserv/server-cert.pem
server-key = /etc/ocserv/server-key.pem

dns =

# comment out all route fields
#route =
#route =
#route = fef4:db8:1000:1001::/64
#no-route =

cisco-client-compat = true

Generate a user that will be used to login to ocserv.
[saeed@localhost ~]$ ocpasswd -c /etc/ocserv/ocpasswd username

Enable NAT.
[saeed@localhost ~]$ iptables -t nat -A POSTROUTING -j MASQUERADE

Enable IPv4 forwarding. Edit the file /etc/sysctl.conf.
[saeed@localhost ~]$ net.ipv4.ip_forward=1

Apply this modification.
[saeed@localhost ~]$ sysctl -p /etc/sysctl.conf

Start ocserv and connect using Cisco AnyConnect

First, start ocserv.
ocserv -c /etc/ocserv/config

Then, install Cisco AnyConnect on any of your devices, such as iPhone, iPad, or an Android device. Since we used a self-signed server key and certificate, we have to uncheck the option which prevents insecure servers. This option is located in the settings of AnyConnect. At this point, we can setup a new connection with the domain name or IP address of our ocserv and the username/password that we created.

Connect and enjoy!
[saeed edited the post at Jan 19, 2017 16:28 PM]

  • UID1605
  • Fans1
  • Follows1
  • Posts3
1st Reply#
Posted time:Jan 19, 2017 12:44 PM
error and bad format
error and bad format

  • UID1605
  • Fans1
  • Follows1
  • Posts3
2nd Reply#
Posted time:Jan 19, 2017 12:47 PM
have many bug in forum editor
my first post is in html format and editor not support this.

Post banned
Post banned
  • UID214
  • Fans5
  • Follows15
  • Posts357
3rd Reply#
Posted time:Jan 19, 2017 14:27 PM
Sorry, the user is banned