LowEndBox

Install OpenConnect Server on Ubuntu 16.04

Date/Time: May 23, 2017 @ 2:56 pm, by Abdu ssamad mk

This article shows how to install the OpenConnect server (ocserv) on Ubuntu 16.04 and connect to it with the Cisco AnyConnect client. ocserv is a VPN server that speaks the Cisco AnyConnect SSL VPN protocol: the control channel runs over TLS on TCP and, when it gets through, the data channel over DTLS on UDP. It is lightweight, fast and easy to run on Linux. This article walks through a simple installation on Ubuntu.

The demo installation is performed on a freshly installed Ubuntu 16.04 server with the IP address 104.236.38.188. You need a machine with Ubuntu installed and a user account with sudo access.

Before starting the installation, update the package index with the following command

sudo apt-get update

ocserv is in the Ubuntu repositories, so there is no need to fetch the package from an external source. You can simply use apt-get to install ocserv on Ubuntu 16.04.

Installing OCServ on Ubuntu 16.04

Once the package index update completes, install ocserv using the following command

sudo apt-get install ocserv

This also pulls in the additional packages ocserv depends on. Answer "y" when asked to confirm, and wait for the installation to finish before continuing.

Since we need to create keys and certificates, we also need certtool from GnuTLS, which is in the gnutls-bin package in the Ubuntu repositories. Install it with the following command

sudo apt-get install gnutls-bin


Creating Certificates

Now change to the ocserv configuration directory, where we will create the keys and certificates

cd /etc/ocserv

In this directory create a new file named ca.tmpl using the following command

sudo vi ca.tmpl

You are now in the vi editor; press i to enter insert mode and paste the following content into ca.tmpl. Save and quit with Esc :wq. (The quotes must be plain ASCII double quotes, not the curly quotes a word processor or web page may produce; certtool will not parse the latter.)

cn = "VPN CA"
organization = "Low End Box"
serial = 1
expiration_days = 3650
ca
signing_key
cert_signing_key
crl_signing_key

You can change the cn and organization values to whatever you wish.

Once done, generate the CA private key. Every client that later imports ca-cert.pem will trust whatever this key signs, so keep the file readable by root only (chmod 600) and never copy it off the server

sudo certtool --generate-privkey --outfile ca-key.pem

Now generate the self-signed CA certificate from the template

sudo certtool --generate-self-signed --load-privkey ca-key.pem \
--template ca.tmpl --outfile ca-cert.pem


Now create a new file named server.tmpl in the current directory using the following command

sudo vi server.tmpl

Insert the following into server.tmpl, after changing the cn value to your server's domain name or IP address. I have used my server IP address 104.236.38.188 in the example. Note that newer TLS clients match the name they connected to against the certificate's Subject Alternative Name rather than the cn, so if a client rejects the certificate even though it trusts the CA, also add the same value as a certtool SAN field (dns_name = "..." for a hostname, ip_address = "..." for an IP address).

cn = "104.236.38.188"
organization = "Low End Box"
expiration_days = 3650
signing_key
encryption_key
tls_www_server

Once you have pasted the values into the file, save and quit the vi editor

Now create the private key for the server certificate using the following command

sudo certtool --generate-privkey --outfile server-key.pem

Create the server certificate, signed by the CA, from the server key generated in the previous step

sudo certtool --generate-certificate --load-privkey server-key.pem \
--load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem \
--template server.tmpl --outfile server-cert.pem
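
The whole certificate procedure above, collected into one script. This is an added example, not part of the original tutorial or of the ocserv project: it writes the two templates, adds a Subject Alternative Name matching the cn (newer clients check the SAN rather than the cn), creates the keys under a restrictive umask so they are never world-readable, and verifies that the server certificate chains to the CA. The directory, organization and server name are parameters; the values in the comments mirror the tutorial's and are assumptions.

```sh
#!/bin/sh
# Added example (not from the original article): generate the CA and
# server certificate for ocserv with certtool, adding a subjectAltName
# and protecting the private keys. Paths and names are assumptions
# taken from the tutorial's layout; adjust them to your server.
set -eu

# Write the CA template. The CA key only signs the server certificate,
# so it carries no TLS usage flags.
write_ca_template() {
    # $1 = output file, $2 = organization
    cat > "$1" <<EOF
cn = "VPN CA"
organization = "$2"
serial = 1
expiration_days = 3650
ca
signing_key
cert_signing_key
crl_signing_key
EOF
}

# Write the server template. Besides the cn, put the same name into a
# subjectAltName: an ip_address entry if it is an IPv4 literal, a
# dns_name entry otherwise. Modern TLS clients check the SAN, not the cn.
write_server_template() {
    # $1 = output file, $2 = server IP or hostname, $3 = organization
    case "$2" in
        *[!0-9.]*) san="dns_name = \"$2\"" ;;
        *)         san="ip_address = \"$2\"" ;;
    esac
    cat > "$1" <<EOF
cn = "$2"
organization = "$3"
$san
expiration_days = 3650
signing_key
encryption_key
tls_www_server
EOF
}

# Run certtool: CA key + self-signed CA cert, then server key + CA-signed
# server cert, then verify the chain. Keys are created with umask 077.
# Returns 2 if certtool (package gnutls-bin) is not installed.
generate_certs() {
    # $1 = directory, $2 = server IP or hostname, $3 = organization
    command -v certtool >/dev/null 2>&1 || return 2
    dir=$1
    write_ca_template "$dir/ca.tmpl" "$3"
    write_server_template "$dir/server.tmpl" "$2" "$3"
    (
        umask 077
        certtool --generate-privkey --outfile "$dir/ca-key.pem"
        certtool --generate-privkey --outfile "$dir/server-key.pem"
    )
    certtool --generate-self-signed --load-privkey "$dir/ca-key.pem" \
        --template "$dir/ca.tmpl" --outfile "$dir/ca-cert.pem"
    certtool --generate-certificate --load-privkey "$dir/server-key.pem" \
        --load-ca-certificate "$dir/ca-cert.pem" --load-ca-privkey "$dir/ca-key.pem" \
        --template "$dir/server.tmpl" --outfile "$dir/server-cert.pem"
    # Fail loudly if the server certificate does not chain to our CA.
    certtool --verify --load-ca-certificate "$dir/ca-cert.pem" \
        --infile "$dir/server-cert.pem" >/dev/null
}

# Usage: sh make-ocserv-certs.sh /etc/ocserv 104.236.38.188 "Low End Box"
if [ "$#" -eq 3 ]; then
    generate_certs "$1" "$2" "$3"
fi
```

Run it as root on the server (sudo sh make-ocserv-certs.sh /etc/ocserv 104.236.38.188 "Low End Box"); it needs gnutls-bin installed and exits with status 2 if certtool is missing. If a client still complains about the certificate afterwards, the name you typed into the client does not match the cn/SAN value you passed here.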


Modify OCServ Configuration File

In the next step, make some changes to the default ocserv configuration file. Open it with the command below (vim is not installed on a minimal Ubuntu server, vi is) and make the changes listed after it

sudo vi ocserv.conf

In the opened file make the following changes; in vi you can jump to a setting by typing /keyword and Enter

Find the line auth = "pam[gid-min=1000]" and replace it with the following, so that users are authenticated against a dedicated ocserv password file rather than against the system's PAM accounts
auth = "plain[/etc/ocserv/ocpasswd]"

Replace these two lines, which point at the placeholder "snakeoil" certificate generated by the ssl-cert package,
server-cert = /etc/ssl/certs/ssl-cert-snakeoil.pem
server-key = /etc/ssl/private/ssl-cert-snakeoil.key
with the certificate and key created above
server-cert = /etc/ocserv/server-cert.pem
server-key = /etc/ocserv/server-key.pem

Change the value of try-mtu-discovery from false to true
try-mtu-discovery = true

Change the DNS server pushed to clients from 192.168.1.2 to 8.8.8.8 (or any other resolver you prefer)
dns = 8.8.8.8

Remove the following lines, or comment them out with a leading #. With no route lines present ocserv pushes a default route, so all of the client's traffic goes through the VPN; keep or add route lines instead if you only want specific networks tunnelled
route = 10.10.10.0/255.255.255.0
route = 192.168.0.0/255.255.0.0
no-route = 192.168.5.0/255.255.255.0

After making these changes, save and quit the VI editor using the keys Esc:wq
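
The same configuration edits applied with sed rather than by hand, followed by a check that the file actually ends up the way the steps above describe. This is an added example, not from the original article or the ocserv project; the sample ocserv.conf it writes is constructed from the lines quoted above and stands in for the real file, which has many more options.

```sh
#!/bin/sh
# Added example (not from the original article): apply the tutorial's
# ocserv.conf changes with sed and verify the result, instead of editing
# in vi. The sample config below is constructed from the lines the
# tutorial quotes; the real Ubuntu file contains many more settings.
set -eu

# Rewrite $1 into $2 with the tutorial's changes applied. Only active
# (uncommented) lines are touched; commented examples are left alone.
patch_ocserv_conf() {
    sed \
        -e 's|^auth = "pam\[gid-min=1000\]"|auth = "plain[/etc/ocserv/ocpasswd]"|' \
        -e 's|^server-cert = .*|server-cert = /etc/ocserv/server-cert.pem|' \
        -e 's|^server-key = .*|server-key = /etc/ocserv/server-key.pem|' \
        -e 's|^try-mtu-discovery = false|try-mtu-discovery = true|' \
        -e 's|^dns = 192\.168\.1\.2$|dns = 8.8.8.8|' \
        -e 's|^\(route = .*\)|#\1|' \
        -e 's|^\(no-route = .*\)|#\1|' \
        "$1" > "$2"
}

# Return 0 only if every expected setting is present exactly once as an
# active line, and no active route lines remain (no routes = full tunnel).
check_ocserv_conf() {
    f=$1
    for want in \
        'auth = "plain[/etc/ocserv/ocpasswd]"' \
        'server-cert = /etc/ocserv/server-cert.pem' \
        'server-key = /etc/ocserv/server-key.pem' \
        'try-mtu-discovery = true' \
        'dns = 8.8.8.8'
    do
        [ "$(grep -cxF "$want" "$f")" = 1 ] || { echo "missing: $want" >&2; return 1; }
    done
    if grep -qE '^(no-)?route = ' "$f"; then
        echo "active route lines remain" >&2
        return 1
    fi
    return 0
}

# Constructed sample standing in for the Ubuntu 16.04 default ocserv.conf.
write_sample_conf() {
    cat > "$1" <<'EOF'
# constructed ocserv.conf fragment for demonstration
auth = "pam[gid-min=1000]"
#auth = "plain[/etc/ocserv/ocpasswd]"
tcp-port = 443
udp-port = 443
server-cert = /etc/ssl/certs/ssl-cert-snakeoil.pem
server-key = /etc/ssl/private/ssl-cert-snakeoil.key
try-mtu-discovery = false
ipv4-network = 192.168.1.0
ipv4-netmask = 255.255.255.0
dns = 192.168.1.2
route = 10.10.10.0/255.255.255.0
route = 192.168.0.0/255.255.0.0
no-route = 192.168.5.0/255.255.255.0
EOF
}

# Usage: sh patch-ocserv.sh /etc/ocserv/ocserv.conf   (writes ocserv.conf.new)
if [ "$#" -eq 1 ]; then
    patch_ocserv_conf "$1" "$1.new"
    check_ocserv_conf "$1.new" && echo "ok: review and move $1.new into place"
fi
```

The script writes a .new file rather than editing in place so you can diff it against the original before moving it over; check_ocserv_conf is also handy on its own after a manual vi session, since a stray curly quote or a leftover route line is exactly what it catches.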

Create a Password File for the OpenConnect Server

Next, create the password file referenced by the auth line above and add the first user. Use the following command

sudo ocpasswd -c /etc/ocserv/ocpasswd samad

Replace "samad" with your desired username.

ocpasswd asks for the password and a confirmation, and stores only a salted hash of it in /etc/ocserv/ocpasswd.

You also need to enable IP forwarding in the kernel so the server can route client traffic. To do so, open the sysctl configuration file in vi using the following command

sudo vi /etc/sysctl.conf

Uncomment the line #net.ipv4.ip_forward=1 by deleting the leading #.

It should look like this
net.ipv4.ip_forward=1

Save and exit the editor, then activate the change with the following command

sudo sysctl -p

iptables Configuration

iptables itself is part of a standard Ubuntu install. What a new machine lacks is a way to restore rules at boot, so install iptables-persistent with the command below
sudo apt-get install iptables-persistent

Now allow the VPN ports through the firewall: TCP 443 for the TLS control channel and UDP 443 for DTLS. Note that these ACCEPT rules only have an effect if the INPUT chain's default policy is DROP or another rule blocks the ports; a fresh Ubuntu install accepts all incoming traffic, so on their own they change nothing. Use the following commands for TCP and UDP respectively

sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT
sudo iptables -A INPUT -p udp --dport 443 -j ACCEPT

Enable NAT so that traffic from VPN clients leaves the server with its public address

sudo iptables -t nat -A POSTROUTING -j MASQUERADE

As written, this rule masquerades every packet the server forwards, from any source and out of any interface. On a server that does more than run this VPN, restrict it to the client range configured by ipv4-network and ipv4-netmask in ocserv.conf (the -s option) and to the public interface (the -o option).

Save the current rules so they are restored when the server reboots

sudo dpkg-reconfigure iptables-persistent
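
A tighter version of the firewall rules above, as an added example that is not from the original article. It opens the same ports but sets the INPUT and FORWARD policies to DROP, and forwards and masquerades only the VPN client range, only towards the public interface. The client range 192.168.1.0/24 (the ocserv default for ipv4-network/ipv4-netmask), the interface name eth0 and SSH on port 22 are assumptions made here and can be overridden with environment variables; IPv6 is not covered.

```sh
#!/bin/sh
# Added example (not from the original article): a tighter iptables
# ruleset for the ocserv host than the tutorial's unrestricted MASQUERADE.
# Assumptions (override via environment): ocserv client range
# 192.168.1.0/24 (ipv4-network/ipv4-netmask in ocserv.conf), public
# interface eth0, SSH on port 22. Set DRY_RUN=1 to print instead of apply.
set -eu

VPN_NET=${VPN_NET:-192.168.1.0/24}   # assumption: ocserv default client range
WAN_IF=${WAN_IF:-eth0}               # assumption: public interface name
VPN_PORT=${VPN_PORT:-443}
SSH_PORT=${SSH_PORT:-22}

# Run iptables, or echo the command when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

vpn_firewall_rules() {
    # Let replies and loopback in, then open only what this host needs:
    # SSH (so you are not locked out), TCP/443 for TLS, UDP/443 for DTLS.
    run -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run -A INPUT -i lo -j ACCEPT
    run -A INPUT -p tcp --dport "$SSH_PORT" -j ACCEPT
    run -A INPUT -p tcp --dport "$VPN_PORT" -j ACCEPT
    run -A INPUT -p udp --dport "$VPN_PORT" -j ACCEPT
    run -P INPUT DROP

    # Route only VPN client traffic out of the public interface, and only
    # the matching replies back in; nothing else is forwarded by this box.
    run -A FORWARD -s "$VPN_NET" -o "$WAN_IF" -j ACCEPT
    run -A FORWARD -d "$VPN_NET" -i "$WAN_IF" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run -P FORWARD DROP

    # Masquerade only the client range, only on the way out. The tutorial's
    # "-t nat -A POSTROUTING -j MASQUERADE" rewrites every forwarded packet.
    run -t nat -A POSTROUTING -s "$VPN_NET" -o "$WAN_IF" -j MASQUERADE
}

# Usage: sh vpn-firewall.sh show    (print the rules)
#        sh vpn-firewall.sh apply   (install them; needs root)
case "${1:-}" in
    show)  DRY_RUN=1; vpn_firewall_rules ;;
    apply) vpn_firewall_rules ;;
esac
```

Run sh vpn-firewall.sh show first to read the rules, then sudo sh vpn-firewall.sh apply from a session you can afford to lose, confirm that a second SSH login still works, and only then persist them with the dpkg-reconfigure step above.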

Before starting ocserv, check whether something is already listening on port 443. On Ubuntu 16.04 the package installs a systemd socket unit, ocserv.socket, which is enabled by default and holds the port so that ocserv can be started on demand. The following command lists all socket units together with the ports they listen on

systemctl --all list-sockets

In my case ocserv.socket was listening on port 443, so I stopped it before continuing

sudo systemctl stop ocserv.socket

With the port released you can start ocserv by hand, pointing it at the configuration edited above

sudo ocserv -c /etc/ocserv/ocserv.conf

Note that a daemon started this way will not come back after a reboot. If you would rather have systemd manage it, disable the socket unit (sudo systemctl disable ocserv.socket) and enable and start the ocserv service instead (sudo systemctl enable ocserv, then sudo systemctl start ocserv); it reads the same /etc/ocserv/ocserv.conf.

You can verify that it is listening on 443 using the command below

sudo netstat -tulpn | grep 443


Download and Install the CA Certificate

I first tried to connect to the OpenConnect server with Cisco's AnyConnect client, but the connection failed because the client did not trust the server certificate, which is issued by our own CA. The CA certificate (ca-cert.pem, never ca-key.pem) therefore has to be imported into the trust store of every client device.

The simplest way is to copy the contents of ca-cert.pem, which is plain PEM text, into a file on the client, for example over SSH or scp. Alternatively, the steps below publish it through a web server. Either way, plain HTTP gives no integrity guarantee, so compare the fingerprint of the downloaded file with the one shown on the server (certtool -i --infile /etc/ocserv/ca-cert.pem prints it) before importing. Keep in mind, as a commenter points out below, that a trusted root CA can vouch for any name: if the VPS and the ca-key.pem on it are ever compromised, every client that imported this CA will accept certificates forged for any site. A certificate from a public CA such as Let's Encrypt avoids both the import and that exposure.

Open port 80 on the firewall

sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT

Install Apache to serve the file

sudo apt-get install apache2

Copy ca-cert.pem to the default document root

sudo cp /etc/ocserv/ca-cert.pem /var/www/html

The file is now available at http://youripaddress/ca-cert.pem. Alternatively, delete index.html from /var/www/html and open the IP address in a browser to get a directory listing from which you can download the file. Once your clients have it, stop or remove Apache and close port 80 again if you have no other use for it.
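
A way to do the fingerprint comparison mentioned above with nothing but coreutils, so it works on any Linux client before the CA is imported. This is an added example, not part of the original article or of GnuTLS. The sample PEM it can write is a constructed stand-in whose body decodes to the bytes "abc", not a real certificate; it exists only so the function can be exercised against the well-known SHA-256 of "abc".

```sh
#!/bin/sh
# Added example (not from the original article): compute the SHA-256
# fingerprint of a PEM certificate with coreutils only, so the value the
# server shows and the value of the downloaded copy can be compared before
# the CA is trusted. The fingerprint is the hash of the DER bytes, i.e.
# the same value certtool -i prints on the server.
set -eu

# Print the colon-separated SHA-256 fingerprint of the first PEM block in $1.
pem_fingerprint() {
    sed -n '/^-----BEGIN CERTIFICATE-----$/,/^-----END CERTIFICATE-----$/p' "$1" \
        | sed '/^-----/d' \
        | base64 -d \
        | { if command -v sha256sum >/dev/null 2>&1; then sha256sum; else shasum -a 256; fi; } \
        | cut -d' ' -f1 \
        | tr 'a-f' 'A-F' \
        | sed 's/../&:/g; s/:$//'
}

# Compare $1's fingerprint with an expected value obtained out of band
# (read from the server over SSH, or dictated over the phone). Colons,
# spaces and letter case in the expected value are ignored.
verify_fingerprint() {
    got=$(pem_fingerprint "$1" | tr -d ':')
    want=$(printf '%s' "$2" | tr -d ': ' | tr 'a-f' 'A-F')
    [ "$got" = "$want" ]
}

# Constructed stand-in, NOT a real certificate: the body is base64 of the
# bytes "abc", so its fingerprint is the well-known SHA-256 test vector.
write_sample_pem() {
    cat > "$1" <<'EOF'
-----BEGIN CERTIFICATE-----
YWJj
-----END CERTIFICATE-----
EOF
}

# Usage: sh check-ca.sh ca-cert.pem                 (print the fingerprint)
#        sh check-ca.sh ca-cert.pem <fingerprint>   (compare, exit 1 on mismatch)
case "$#" in
    1) pem_fingerprint "$1" ;;
    2) if verify_fingerprint "$1" "$2"; then
           echo "fingerprint matches"
       else
           echo "MISMATCH: do not import this certificate" >&2
           exit 1
       fi ;;
esac
```

On the server, run certtool -i --infile /etc/ocserv/ca-cert.pem and note the SHA-256 fingerprint it prints; on the client, run sh check-ca.sh ca-cert.pem followed by that value against the downloaded copy, and only import the file if it reports a match.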

Install the Certificate on Windows 7

The CA certificate must be installed on each client device. The following steps import it into the Windows trust store

  • Open a command prompt
  • Type mmc and press Enter
  • File -> Add/Remove Snap-in
  • Select Certificates and click Add
  • Select Computer account -> Next -> Finish
  • Select Certificates (Local Computer) -> OK
  • Expand Certificates in the left pane
  • Right-click Trusted Root Certification Authorities -> All Tasks -> Import -> Next
  • Browse to the downloaded file, choosing "All Files" in the file type drop-down so that the .pem file is shown
  • Click Next -> Finish
  • The CA certificate is now installed on your Windows machine

Install AnyConnect and connect to Openconnect Server

Now download the Cisco AnyConnect Secure Mobility Client for your machine and install it.

After installation, open it, enter the IP address or domain name you put in the server certificate and click Connect. The name must match the certificate exactly, otherwise the client will warn about it even though the CA is trusted.

It asks for a username. Use the one created with ocpasswd earlier.

Next, authenticate with the password.

You are now connected to the OpenConnect server using the Cisco AnyConnect client.

You can confirm that your traffic is going through the VPN by searching for "What is my IP" in a browser; since all traffic is routed through the tunnel, it should show the server's address (104.236.38.188 in this example).

I hope you were able to follow the steps and install OpenConnect server on Ubuntu 16.04.

19 Comments

  1. Milkboy:

    How is OpenConnect compared to OpenVPN,
    in terms of security & performance/lightweightness?

    May 24, 2017 @ 3:14 am | Reply
  2. I installed ocserv last week. I just requested a Let’s Encrypt certificate, to save all the trouble of downloading and installing self-signed CA certificate on clients.

    May 24, 2017 @ 3:41 am | Reply
  3. newbieinlinux:

    Would be nice to see this tutorial with letsencrypt and also how to set up a cron job for autorenewal.

    May 26, 2017 @ 4:03 am | Reply
  4. Installing a self-signed certificate onto the client is insecure: if your VPS is compromised, the attacker can use the private key to generate new certificates posing as your bank, etc. The client machine would trust such certificates.
    I've written up the steps for installing ocserv with a Let's Encrypt certificate.
    https://yoursunny.com/t/2017/ocserv-letsencrypt/

    June 3, 2017 @ 4:46 pm | Reply
  5. I regularly visit your site and find a lot of interesting information.
    Not only good posts but also great comments.
    Thank you and look forward to your page growing stronger.

    June 19, 2017 @ 4:17 am | Reply
  6. Your writing very well and provide a lot of useful information. But if you tap water more than half as compared to another article, I would definitely be great

    June 19, 2017 @ 4:19 am | Reply
  7. steerpike:

    Tried on Debian but it did not go well. Had to change the repositories to include stretch, but the problem came with iptables: nat does not exist. Tried a reboot but no luck.
    I did like your tutorial – very clear, accurate and I got a long way through it.

    July 2, 2017 @ 2:28 pm | Reply
  8. The knowledge you share really changes me in life, I sincerely thank you for the things you have done, sure your blog will help more people. Sincerely thanks

    July 19, 2017 @ 10:18 pm | Reply
  9. I’ve struggled with this for a long time :( thanks for sharing, it’s really helpful <3

    July 20, 2017 @ 12:15 am | Reply
  10. I’ve been looking for that for a long time. Thanks

    July 28, 2017 @ 5:45 am | Reply
  11. Very helpful advice in this particular post! It’s the little changes that make the largest changes. Thanks for sharing!

    August 4, 2017 @ 2:45 am | Reply
  12. Your writing very well and provide a lot of useful information.

    August 4, 2017 @ 5:25 am | Reply
  13. I was excited to find this site. I wanted to thank you for your time for this wonderful read!! I definitely savored every little bit of it and I have you book marked to check out new things in your web site.

    August 25, 2017 @ 4:22 am | Reply
  14. It’s great because of the knowledge you share with us, I will always follow your blog and will share your blog with my friends

    August 29, 2017 @ 12:11 am | Reply
  15. I regularly visit your site and find a lot of interesting information. thanks for sharing, it’s really helpful <3

    September 22, 2017 @ 2:57 am | Reply
  16. shoazab abbas:

    pam_auth_pass: Authentication failure
    need help

    September 23, 2017 @ 1:40 am | Reply
  17. wonder if there is a similar tutorial about installing openconnect server on centos 7?

    October 1, 2017 @ 3:27 pm | Reply
  18. How is OpenConnect compared to OpenVPN,
    in terms of security & performance/lightweightness?

    October 31, 2017 @ 12:29 pm | Reply
  19. ALI:

    Hi people! I have the same problem with opening the socket.
    ocserv[4812]: error opening socket: Operation not permitted
    ocserv[4812]: GnuTLS error (at worker-vpn.c:466): GnuTLS internal error.
    ocserv[4807]: main: 2XX.XX.XX.XX:51505 user disconnected (rx: 0, tx: 0)
    ocserv[4813]: error opening socket: Operation not permitted
    ocserv[4813]: GnuTLS error (at worker-vpn.c:466): GnuTLS internal error.
    Can you help me?

    November 9, 2017 @ 5:51 am | Reply
