Skip to content

Install AnyConnect compatible VPN Ocserv on Debian

homepage-banner

Introduction

In today’s world, privacy and security are of the utmost importance. With the rise of cyberattacks and data breaches, it is crucial to have a secure way of accessing the internet. One way to achieve this is by using a VPN. OpenConnect VPN server (ocserv) is a VPN server that is compatible with the OpenConnect VPN client. It follows the AnyConnect VPN protocol, which is used by several Cisco routers.

Manual Installation

Preparation

apt-get install libgnutls28-dev libwrap0-dev \
                libpam0g-dev liblz4-dev libseccomp-dev \
                libreadline-dev libnl-route-3-dev \
                libkrb5-dev build-essential pkg-config \
                gnutls-bin libev-dev libev-dev ocserv \
                protobuf-compiler libprotobuf-dev -y

Download & Compile

wget ftp://ftp.infradead.org/pub/ocserv/ocserv-1.1.7.tar.xz
tar Jxf ocserv-1.1.7.tar.xz
cd ocserv-1.1.7
./configure
make && make install
## Optional
## ln -sf /usr/local/sbin/ocserv /usr/sbin/ocserv

Modify ocserv.conf

  • Default config location: /etc/ocserv/ocserv.conf
  • Default auth method is auth = "pam[gid-min=1000]"
  • Add user and password with the following command
sudo useradd ocserv
sudo passwd ocserv

Output like

root@localhost:/etc/ocserv# sudo useradd ocserv
root@localhost:/etc/ocserv# sudo passwd ocserv
New password:
Retype new password:
passwd: password updated successfully
  • Config your own certificate if you already got one, or refer this guide to get a free SSL certificate for your IP.
server-cert = /etc/ssl/certs/ssl-cert-snakeoil.pem
server-key = /etc/ssl/private/ssl-cert-snakeoil.key

Post installation

Turn on ip_forward for port 443 if you run Ocserv on default port.

echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -j MASQUERADE
iptables -A INPUT -p tcp -m state --state NEW --dport 443 -j ACCEPT
iptables -A INPUT -p udp -m state --state NEW --dport 443 -j ACCEPT

manual start ocserv

ocserv -f -d 4

Output

root@localhost:/etc/ocserv# ocserv -f -d 4
note: vhost:default: setting 'pam' as primary authentication method
note: setting 'file' as supplemental config option
listening (TCP) on 0.0.0.0:443...
listening (TCP) on [::]:443...
listening (UDP) on 0.0.0.0:443...
listening (UDP) on [::]:443...
ocserv[14453]: main: Starting 1 instances of ocserv-sm
ocserv[14453]: main: created sec-mod socket file (/run/ocserv.socket.48e1aa85.0)
ocserv[14453]: main: initializing control unix socket: /var/run/occtl.socket
ocserv[14453]: main: initialized ocserv 1.1.7
ocserv[14454]: sec-mod: reading supplemental config from files
ocserv[14454]: sec-mod: loaded 1 keys
ocserv[14454]: sec-mod: sec-mod initialized (socket: /run/ocserv.socket.48e1aa85.0)

Install with apt-get

sudo apt-get update
sudo apt-get install ocserv

Use systemd to start ocserv

systemctl start ocserv

Connect with Client

Ocserv is compatible with AnyConnect VPN protocol, in mobile devices, could use AnyConnect to connect your service.

For command line connect, could use openconnect command in your terminal.

openconnect https://ip_of_your_server

Output

root@localhost:~# openconnect https://192.46.227.168
POST https://192.46.227.168/
Connected to 192.46.227.168:443
ocserv[14924]: main: map worker serving remote address 192.46.227.168:35812 to secmod instance 0
note: vhost:default: setting 'pam' as primary authentication method
ocserv[14915]: sec-mod: received request from pid 14924 and uid 0
ocserv[14915]: sec-mod: cmd [size=57] sm: sign
note: setting 'file' as supplemental config option
ocserv[14924]: worker: 192.46.227.168 accepted connection
SSL negotiation with 192.46.227.168
ocserv[14915]: sec-mod: received request from pid 14924 and uid 65534
ocserv[14915]: sec-mod: cmd [size=38] sm: sign hash
Server certificate verify failed: signer not found

Certificate from VPN server "192.46.227.168" failed verification.
Reason: signer not found
To trust this server in future, perhaps add this to your command line:
    --servercert pin-sha256:61NgrDVX7qaBo4PU6FhnNLMPx5Zae5wvLebzc/Tt24s=
Enter 'yes' to accept, 'no' to abort; anything else to view: yes
ocserv[14924]: worker: 192.46.227.168 TLS handshake completed
ocserv[14924]: worker: 192.46.227.168 sending message 'session info' to main
ocserv[14914]: main:192.46.227.168:35812 main received worker's message 'session info' of 66 bytes
Connected to HTTPS on 192.46.227.168 with ciphersuite (TLS1.3)-(ECDHE-SECP256R1)-(RSA-PSS-RSAE-SHA256)-(AES-256-GCM)
ocserv[14924]: worker: 192.46.227.168 HTTP processing: Host: 192.46.227.168
ocserv[14924]: worker: 192.46.227.168 HTTP processing: User-Agent: Open AnyConnect VPN Agent v8.10-2+b1
ocserv[14924]: worker: 192.46.227.168 User-agent: 'Open AnyConnect VPN Agent v8.10-2+b1'
ocserv[14924]: worker: 192.46.227.168 Detected OpenConnect v4 or newer
ocserv[14924]: worker: 192.46.227.168 HTTP processing: Accept: */*
ocserv[14924]: worker: 192.46.227.168 HTTP processing: Accept-Encoding: identity
ocserv[14924]: worker: 192.46.227.168 HTTP processing: X-Transcend-Version: 1
ocserv[14924]: worker: 192.46.227.168 HTTP processing: X-Aggregate-Auth: 1
ocserv[14924]: worker: 192.46.227.168 HTTP processing: X-AnyConnect-Platform: linux-64
ocserv[14924]: worker: 192.46.227.168 HTTP processing: X-Support-HTTP-Auth: true
ocserv[14924]: worker: 192.46.227.168 HTTP processing: X-Pad: 0000000000000000000000000000000000000000000
ocserv[14924]: worker: 192.46.227.168 HTTP processing: Content-Type: application/xml; charset=utf-8
ocserv[14924]: worker: 192.46.227.168 HTTP processing: Content-Length: 213
ocserv[14924]: worker: 192.46.227.168 HTTP POST /
ocserv[14924]: worker: 192.46.227.168 POST body: '<?xml version="1.0" encoding="UTF-8"?>
<config-auth client="vpn" type="init"><version who="vpn">v8.10-2+b1</version><device-id>linux-64</device-id><group-access>https://192.46.227.168</group-access></config-auth>
'
ocserv[14924]: worker: 192.46.227.168 cannot find 'group-select' in client XML message
ocserv[14924]: worker: 192.46.227.168 cannot find 'group-select' in client XML message
ocserv[14924]: worker: 192.46.227.168 failed reading groupname
ocserv[14924]: worker: 192.46.227.168 cannot find 'username' in client XML message
ocserv[14924]: worker: 192.46.227.168 failed reading username
ocserv[14924]: worker: 192.46.227.168 HTTP sending: 200 OK
XML POST enabled
Please enter your username.
Username:ocserv
POST https://192.46.227.168/auth

Conclusion

Ocserv is a powerful and versatile VPN server that offers a high level of security and flexibility. Whether you are looking to provide remote access to a corporate network or simply want to protect your online privacy, ocserv is a great option. While setting up the server can be a bit complex, there are plenty of resources available online to help. Overall, ocserv is a great choice for anyone looking for a secure and customizable VPN solution.

Reference

  • https://ocserv.gitlab.io/www/
  • https://ocserv.gitlab.io/www/manual.html
Small world. Big idea!
  • Welcome to visit the knowledge base of SRE and DevOps!
  • License under CC BY-NC 4.0
  • No personal information is collected
  • Made with Material for MkDocs and generative AI tools
  • Copyright issue feedback me#imzye.com, replace # with @
  • Get latest SRE news and discuss on Discord Channel