Install AnyConnect compatible VPN Ocserv on Debian



In today’s world, privacy and security are of the utmost importance. With the rise of cyberattacks and data breaches, it is crucial to have a secure way of accessing the internet. One way to achieve this is by using a VPN. OpenConnect VPN server (ocserv) is a VPN server that is compatible with the OpenConnect VPN client. It follows the AnyConnect VPN protocol, which is used by several Cisco routers.

Manual Installation


apt-get install libgnutls28-dev libwrap0-dev \
                libpam0g-dev liblz4-dev libseccomp-dev \
                libreadline-dev libnl-route-3-dev \
                libkrb5-dev build-essential pkg-config \
                gnutls-bin libev-dev ocserv \
                protobuf-compiler libprotobuf-dev -y

Download & Compile

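## Download ocserv-1.1.7.tar.xz from the ocserv project first
tar Jxf ocserv-1.1.7.tar.xz
cd ocserv-1.1.7
## Generate the Makefile before building
./configure
make && make install
## Optional
## ln -sf /usr/local/sbin/ocserv /usr/sbin/ocserv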

Modify ocserv.conf

  • Default config location: /etc/ocserv/ocserv.conf
  • Default auth method is auth = "pam[gid-min=1000]"
  • Add user and password with the following command
sudo useradd ocserv
sudo passwd ocserv

The output looks like this:

root@localhost:/etc/ocserv# sudo useradd ocserv
root@localhost:/etc/ocserv# sudo passwd ocserv
New password:
Retype new password:
passwd: password updated successfully
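  • Configure your own certificate if you already have one, or refer to this guide to get a free SSL certificate for your IP. The example below uses Debian's self-signed snakeoil certificate, which clients cannot verify against a CA.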
server-cert = /etc/ssl/certs/ssl-cert-snakeoil.pem
server-key = /etc/ssl/private/ssl-cert-snakeoil.key

Post installation

Enable IP forwarding, masquerade forwarded traffic, and open port 443 (TCP and UDP) if you run ocserv on the default port.

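# Takes effect immediately but is lost on reboot; set net.ipv4.ip_forward=1 in /etc/sysctl.conf to persist it
echo 1 > /proc/sys/net/ipv4/ip_forward
# NAT for forwarded traffic; as written, this rule matches every interface and source address
iptables -t nat -A POSTROUTING -j MASQUERADE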
iptables -A INPUT -p tcp -m state --state NEW --dport 443 -j ACCEPT
iptables -A INPUT -p udp -m state --state NEW --dport 443 -j ACCEPT

Start ocserv manually in the foreground with debug level 4

ocserv -f -d 4


root@localhost:/etc/ocserv# ocserv -f -d 4
note: vhost:default: setting 'pam' as primary authentication method
note: setting 'file' as supplemental config option
listening (TCP) on
listening (TCP) on [::]:443...
listening (UDP) on
listening (UDP) on [::]:443...
ocserv[14453]: main: Starting 1 instances of ocserv-sm
ocserv[14453]: main: created sec-mod socket file (/run/ocserv.socket.48e1aa85.0)
ocserv[14453]: main: initializing control unix socket: /var/run/occtl.socket
ocserv[14453]: main: initialized ocserv 1.1.7
ocserv[14454]: sec-mod: reading supplemental config from files
ocserv[14454]: sec-mod: loaded 1 keys
ocserv[14454]: sec-mod: sec-mod initialized (socket: /run/ocserv.socket.48e1aa85.0)

Install with apt-get

sudo apt-get update
sudo apt-get install ocserv

Use systemd to start ocserv

systemctl start ocserv

Connect with Client

Ocserv is compatible with the AnyConnect VPN protocol, so on mobile devices you can use the AnyConnect client to connect to your server.

To connect from the command line, use the openconnect command in your terminal.

openconnect https://ip_of_your_server


root@localhost:~# openconnect
Connected to
ocserv[14924]: main: map worker serving remote address to secmod instance 0
note: vhost:default: setting 'pam' as primary authentication method
ocserv[14915]: sec-mod: received request from pid 14924 and uid 0
ocserv[14915]: sec-mod: cmd [size=57] sm: sign
note: setting 'file' as supplemental config option
ocserv[14924]: worker: accepted connection
SSL negotiation with
ocserv[14915]: sec-mod: received request from pid 14924 and uid 65534
ocserv[14915]: sec-mod: cmd [size=38] sm: sign hash
Server certificate verify failed: signer not found

Certificate from VPN server "" failed verification.
Reason: signer not found
To trust this server in future, perhaps add this to your command line:
    --servercert pin-sha256:61NgrDVX7qaBo4PU6FhnNLMPx5Zae5wvLebzc/Tt24s=
Enter 'yes' to accept, 'no' to abort; anything else to view: yes
ocserv[14924]: worker: TLS handshake completed
ocserv[14924]: worker: sending message 'session info' to main
ocserv[14914]: main: main received worker's message 'session info' of 66 bytes
Connected to HTTPS on with ciphersuite (TLS1.3)-(ECDHE-SECP256R1)-(RSA-PSS-RSAE-SHA256)-(AES-256-GCM)
ocserv[14924]: worker: HTTP processing: Host:
ocserv[14924]: worker: HTTP processing: User-Agent: Open AnyConnect VPN Agent v8.10-2+b1
ocserv[14924]: worker: User-agent: 'Open AnyConnect VPN Agent v8.10-2+b1'
ocserv[14924]: worker: Detected OpenConnect v4 or newer
ocserv[14924]: worker: HTTP processing: Accept: */*
ocserv[14924]: worker: HTTP processing: Accept-Encoding: identity
ocserv[14924]: worker: HTTP processing: X-Transcend-Version: 1
ocserv[14924]: worker: HTTP processing: X-Aggregate-Auth: 1
ocserv[14924]: worker: HTTP processing: X-AnyConnect-Platform: linux-64
ocserv[14924]: worker: HTTP processing: X-Support-HTTP-Auth: true
ocserv[14924]: worker: HTTP processing: X-Pad: 0000000000000000000000000000000000000000000
ocserv[14924]: worker: HTTP processing: Content-Type: application/xml; charset=utf-8
ocserv[14924]: worker: HTTP processing: Content-Length: 213
ocserv[14924]: worker: HTTP POST /
ocserv[14924]: worker: POST body: '<?xml version="1.0" encoding="UTF-8"?>
<config-auth client="vpn" type="init"><version who="vpn">v8.10-2+b1</version><device-id>linux-64</device-id><group-access></group-access></config-auth>
ocserv[14924]: worker: cannot find 'group-select' in client XML message
ocserv[14924]: worker: cannot find 'group-select' in client XML message
ocserv[14924]: worker: failed reading groupname
ocserv[14924]: worker: cannot find 'username' in client XML message
ocserv[14924]: worker: failed reading username
ocserv[14924]: worker: HTTP sending: 200 OK
XML POST enabled
Please enter your username.
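
In the session above the client cannot verify the self-signed certificate and the operator answers 'yes' by hand. The script below is an added example, not part of the original page: it computes the same pin-sha256 value on the server side so it can be compared out of band with what the client printed. The function names and the throwaway test certificate are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example. openconnect's pin-sha256 value is
# base64(SHA-256(DER SubjectPublicKeyInfo)) of the server certificate.

# spki_pin CERT.pem -> prints the pin without the "pin-sha256:" prefix
spki_pin() {
    # Extract the public key first and stop on failure; otherwise the
    # pipeline below would hash empty input and print a plausible pin.
    pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    printf '%s\n' "$pub" |
        openssl pkey -pubin -outform DER |
        openssl dgst -sha256 -binary |
        openssl base64 -A
}

# pin_matches CERT.pem PIN -> exit 0 only if PIN (as printed by the
# client, with or without the prefix) belongs to that certificate.
pin_matches() {
    expected=$(spki_pin "$1") || return 2
    [ "${2#pin-sha256:}" = "$expected" ]
}

# Constructed sample: a throwaway self-signed certificate standing in
# for the server-cert file named in ocserv.conf.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=vpn.example.test" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
}

demo() {
    dir=$(mktemp -d) || return 1
    make_sample_cert "$dir" || { rm -rf "$dir"; return 1; }
    pin=$(spki_pin "$dir/cert.pem")
    echo "computed on server: pin-sha256:$pin"
    # The pin from the page's session belongs to a different key, so
    # it must not match the sample certificate.
    if pin_matches "$dir/cert.pem" \
        "pin-sha256:61NgrDVX7qaBo4PU6FhnNLMPx5Zae5wvLebzc/Tt24s="; then
        echo "unexpected match"
    else
        echo "foreign pin rejected"
    fi
    rm -rf "$dir"
}
demo
```

On the real server, run spki_pin against the file configured as server-cert and give the result to clients as `--servercert pin-sha256:<value>`, so nobody has to accept an unverified prompt.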


Ocserv is a powerful and versatile VPN server that offers a high level of security and flexibility. Whether you are looking to provide remote access to a corporate network or simply want to protect your online privacy, ocserv is a great option. While setting up the server can be a bit complex, there are plenty of resources available online to help. Overall, ocserv is a great choice for anyone looking for a secure and customizable VPN solution.


  • License under CC BY-NC 4.0