
How to install ocserv SSL VPN server on CentOS 7 Linux
Ocserv (OpenConnect server) is an SSL VPN server that speaks the same protocol as Cisco's AnyConnect VPN on ASA appliances, so AnyConnect and OpenConnect clients can connect to it. Today we are going to show you how to install the ocserv SSL VPN server on CentOS 7 Linux.
Ocserv has capabilities that make it well suited to running your own private VPN server. You can also use it to bypass internet censorship.
For more detailed information about its features, please refer to the OpenConnect server website.
Here is our environment:
OS: CentOS 7 Linux on VMware.
IP Address: 192.168.26.128
SELinux: permissive mode
Firewall: CSF
1- Install the EPEL repository
Ocserv is available in the EPEL repository, so first we install EPEL:
# yum install epel-release
Then update the OS:
# yum update
Note: if you get an error like the following, open /etc/yum.repos.d/epel.repo and change every “https” to “http”:
Cannot retrieve metalink for repository: epel/x86_64. Please verify its path and try again
2- Install ocserv
Now it's time to install ocserv, so run:
# yum install ocserv gnutls-utils
Create the cert directory:
# mkdir /etc/ocserv/cert
Then change to the cert directory:
# cd /etc/ocserv/cert/
Create the CA template file:
# touch ca.tmpl
and put the following content in it:
cn = "VPN CA"
organization = "Big Corp"
serial = 1
expiration_days = -1
ca
signing_key
cert_signing_key
crl_signing_key
Now we generate the required certificates. Run the following commands one by one:
# certtool --generate-privkey --outfile ca-key.pem
# certtool --generate-self-signed --load-privkey ca-key.pem --template ca.tmpl --outfile ca-cert.pem
Then create the server.tmpl file and put the following content in it:
# vim /etc/ocserv/server.tmpl
cn = "My server"
dns_name = "www.example.com"
organization = "MyCompany"
expiration_days = -1
signing_key
encryption_key
tls_www_server
Then again issue the following commands one by one:
# certtool --generate-privkey --outfile server-key.pem
# certtool --generate-certificate --load-privkey server-key.pem --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem --template /etc/ocserv/server.tmpl --outfile server-cert.pem
Now create the ssl directory in /etc/ocserv:
# mkdir /etc/ocserv/ssl/
then copy the CA certificate, server certificate and server key into it:
# cp ca-cert.pem server-key.pem server-cert.pem /etc/ocserv/ssl/
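The certificate steps above, collected into one script as an added example (this is not the article's own code): it writes the two certtool templates, generates the CA and server key pairs, verifies that the server certificate really chains to the new CA before anything is copied into /etc/ocserv/ssl, and keeps the private keys readable by root only. CERT_DIR, SSL_DIR, SERVER_DNS and EXPIRY_DAYS are assumed settings; note that it uses a finite lifetime instead of the article's expiration_days = -1, so a leaked or forgotten key does not stay valid forever.

```shell
#!/bin/sh
# Added example, not part of the original article. Requires certtool from
# gnutls-utils. CERT_DIR, SSL_DIR, SERVER_DNS and EXPIRY_DAYS are assumptions;
# set them for your own host.
set -eu

CERT_DIR="${CERT_DIR:-/etc/ocserv/cert}"
SSL_DIR="${SSL_DIR:-/etc/ocserv/ssl}"
SERVER_DNS="${SERVER_DNS:-www.example.com}"   # placeholder hostname
EXPIRY_DAYS="${EXPIRY_DAYS:-3650}"            # finite, unlike the article's -1

# Write the CA template into file $1.
write_ca_template() {
    cat > "$1" <<EOF
cn = "VPN CA"
organization = "Big Corp"
serial = 1
expiration_days = ${EXPIRY_DAYS}
ca
signing_key
cert_signing_key
crl_signing_key
EOF
}

# Write the server template into file $1 for DNS name $2.
write_server_template() {
    cat > "$1" <<EOF
cn = "My server"
dns_name = "$2"
organization = "MyCompany"
expiration_days = ${EXPIRY_DAYS}
signing_key
encryption_key
tls_www_server
EOF
}

# Generate CA and server key pairs in directory $1 for DNS name $2, then
# verify the server certificate against the CA (fails loudly on mismatch).
generate_certs() {
    dir="$1"; dns="$2"
    mkdir -p "$dir"
    write_ca_template "$dir/ca.tmpl"
    write_server_template "$dir/server.tmpl" "$dns"
    (
        umask 077   # private keys are created root-only
        cd "$dir"
        certtool --generate-privkey --outfile ca-key.pem
        certtool --generate-self-signed --load-privkey ca-key.pem \
            --template ca.tmpl --outfile ca-cert.pem
        certtool --generate-privkey --outfile server-key.pem
        certtool --generate-certificate --load-privkey server-key.pem \
            --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem \
            --template server.tmpl --outfile server-cert.pem
    )
    certtool --verify --load-ca-certificate "$dir/ca-cert.pem" \
        --infile "$dir/server-cert.pem"
}

# Copy what ocserv needs from $1 into $2, keeping the key at mode 600.
install_certs() {
    mkdir -p "$2"
    cp "$1/ca-cert.pem" "$1/server-cert.pem" "$1/server-key.pem" "$2/"
    chmod 600 "$2/server-key.pem"
}

# Only touch the system when explicitly asked:  sh make-certs.sh run
if [ "${1:-}" = "run" ]; then
    generate_certs "$CERT_DIR" "$SERVER_DNS"
    install_certs "$CERT_DIR" "$SSL_DIR"
    echo "certificates installed in $SSL_DIR"
fi
```

Run it as root with the single argument `run`; without that argument it only defines the functions, which is convenient for sourcing it or for reusing the template writers with other names.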
3- Configure ocserv
Now it's time to change some settings in ocserv's config file. For authentication, the following methods are available:
pam, password file, certificate, radius
Here we want to authenticate with a password file, so open /etc/ocserv/ocserv.conf and find the following line:
auth = "pam"
Comment it out and uncomment the following:
auth = "plain[passwd=/etc/ocserv/sample.passwd,otp=./sample.otp]"
then change it to:
auth = "plain[passwd=/etc/ocserv/passwd]"
Also change the following lines:
server-cert = /etc/pki/ocserv/public/server.crt
server-key = /etc/pki/ocserv/private/server.key
ca-cert = /etc/pki/ocserv/cacerts/ca.crt
to these:
server-cert = /etc/ocserv/ssl/server-cert.pem
server-key = /etc/ocserv/ssl/server-key.pem
ca-cert = /etc/ocserv/ssl/ca-cert.pem
Uncomment this line:
#ipv4-network = 192.168.1.0/24
Put these lines at the end of the file:
dns = 8.8.8.8
dns = 4.2.2.4
4- Configure firewall and routing
Here we use CSF, so port 443 needs to be opened in CSF. For more information on how to open a port in CSF, please refer to How to install CSF on CentOS 7 Linux.
Then we need to NAT our private VPN range to the server's public IP. Because we use CSF here, we create a csfpre.sh file and put the NAT rules in it.
Run the following command:
# vim /etc/csf/csfpre.sh
then put these lines in it. Replace “eno16777736” with your server's public interface (the MASQUERADE rule uses that interface's address, 192.168.26.128 in our environment):
#!/bin/bash
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s 192.168.1.0/24 -j ACCEPT
iptables -A FORWARD -j REJECT
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eno16777736 -j MASQUERADE
and reload CSF:
# csf -r
Furthermore, IP forwarding needs to be enabled, so open /etc/sysctl.conf:
# vim /etc/sysctl.conf
then put this line in it:
net.ipv4.ip_forward = 1
After that, run the following:
# sysctl -p
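An added example (not the article's code) that builds the csfpre.sh rules above from the ipv4-network value already in ocserv.conf and from the host's default-route interface, so the VPN range and interface name cannot drift apart between the two files, and then checks the prerequisites this step relies on: CSF's TCP_IN and UDP_IN lists contain 443 (the stock ocserv.conf also sets udp-port = 443 for DTLS, and a missing UDP rule shows up as DTLS handshake failures even though the TCP tunnel connects), and net.ipv4.ip_forward is on. The file paths are the article's; the config contents used in the dry run are constructed.

```shell
#!/bin/sh
# Added example, not part of the original article. Paths are the article's;
# the parsing of csf.conf assumes its usual  TCP_IN = "22,80,443"  format.
set -eu

OCSERV_CONF="${OCSERV_CONF:-/etc/ocserv/ocserv.conf}"
CSF_CONF="${CSF_CONF:-/etc/csf/csf.conf}"
CSF_PRE="${CSF_PRE:-/etc/csf/csfpre.sh}"

# Print the CIDR from the first active "ipv4-network = ..." line of $1.
vpn_network_from_conf() {
    sed -n 's/^ipv4-network = *//p' "$1" | head -n 1
}

# Print the interface carrying the default route (e.g. eth0 or eno16777736).
default_iface() {
    ip -o route show default | awk '{ print $5; exit }'
}

# Print the csfpre.sh body for VPN range $1 leaving via interface $2:
# let replies back in, let the VPN range out, reject any other forwarding,
# and masquerade VPN traffic behind the public interface's address.
render_forward_rules() {
    net="$1"; dev="$2"
    cat <<EOF
#!/bin/bash
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s $net -j ACCEPT
iptables -A FORWARD -j REJECT
iptables -t nat -A POSTROUTING -s $net -o $dev -j MASQUERADE
EOF
}

# Return 0 if port $3 is listed in csf.conf $1 for protocol $2 (tcp|udp).
csf_port_open() {
    key=$(printf '%s_IN' "$2" | tr 'a-z' 'A-Z')
    sed -n "s/^$key = \"\(.*\)\"/\1/p" "$1" | tr ',' '\n' | grep -qx "$3"
}

# Return 0 if the kernel is forwarding IPv4 (what "sysctl -p" should set).
ip_forward_enabled() {
    [ "$(cat /proc/sys/net/ipv4/ip_forward)" = "1" ]
}

# Write csfpre.sh and report on the prerequisites. Run as root on the server.
main() {
    net=$(vpn_network_from_conf "$OCSERV_CONF")
    dev=$(default_iface)
    if [ -z "$net" ] || [ -z "$dev" ]; then
        echo "could not determine the VPN range or the public interface" >&2
        exit 1
    fi
    render_forward_rules "$net" "$dev" > "$CSF_PRE"
    chmod 700 "$CSF_PRE"
    for p in tcp udp; do
        csf_port_open "$CSF_CONF" "$p" 443 ||
            echo "warning: $p/443 is not in $(echo "$p" | tr 'a-z' 'A-Z')_IN of $CSF_CONF" >&2
    done
    ip_forward_enabled || echo "warning: net.ipv4.ip_forward is 0" >&2
    echo "wrote $CSF_PRE for $net via $dev; now run: csf -r"
}

# Only touch the system when explicitly asked:  sh this.sh apply
if [ "${1:-}" = "apply" ]; then
    main
fi
```

After running it with `apply`, reload CSF with `csf -r` as in the article; the two warnings are the usual causes of "connected but no traffic" and of DTLS falling back or failing.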
5- Create a VPN username and password
As mentioned earlier, we use authentication via a password file here, so we create the password file:
# touch /etc/ocserv/passwd
Then create your desired username and password. Here we create the “test” user in the group named “default”:
# ocpasswd -c /etc/ocserv/passwd -g default test
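A few helpers around the password file, as an added example that is not part of the article: ocpasswd stores one "user:group:hash" line per account (a locked account has its hash prefixed with "!"), so listing users, checking for a user and finding locked accounts is a matter of reading that file, and the ocpasswd switches -d, -l and -u (delete, lock, unlock) cover the rest of day-to-day account handling. PASSWD_FILE is an assumption matching the article; the sample file and its hashes are constructed dummies, not real credentials.

```shell
#!/bin/sh
# Added example, not part of the original article. PASSWD_FILE matches the
# article's path; the sample accounts below are constructed.
set -eu

PASSWD_FILE="${PASSWD_FILE:-/etc/ocserv/passwd}"

# Print "user group" for every account in file $1, one per line.
list_vpn_users() {
    cut -d: -f1,2 "$1" | tr ':' ' '
}

# Return 0 if user $2 exists in file $1.
vpn_user_exists() {
    cut -d: -f1 "$1" | grep -qx "$2"
}

# Print the usernames whose account is locked (hash field starts with '!').
list_locked_users() {
    awk -F: '$3 ~ /^!/ { print $1 }' "$1"
}

# Return 0 if file $1 is not readable by group or others (mode ?00).
passwd_file_private() {
    case "$(stat -c %a "$1")" in
        *00) return 0 ;;
        *)   return 1 ;;
    esac
}

# Thin wrappers around ocpasswd (run as root; it prompts for the password).
add_vpn_user()    { ocpasswd -c "$PASSWD_FILE" -g "${2:-default}" "$1"; }
lock_vpn_user()   { ocpasswd -c "$PASSWD_FILE" -l "$1"; }
unlock_vpn_user() { ocpasswd -c "$PASSWD_FILE" -u "$1"; }
delete_vpn_user() { ocpasswd -c "$PASSWD_FILE" -d "$1"; }

# Constructed sample in ocpasswd's format; the hashes are placeholders.
write_sample_passwd() {
    cat > "$1" <<'EOF'
test:default:$5$saltsalt$dummyhash0000000000000000000000000000000000000
alice:staff:$5$saltsalt$dummyhash1111111111111111111111111111111111111
bob:default:!$5$saltsalt$dummyhash2222222222222222222222222222222222222
EOF
}

# Usage: sh this.sh [passwd-file]; with no argument, report on a sample file.
report() {
    f="${1:-}"
    if [ -z "$f" ]; then f=$(mktemp); write_sample_passwd "$f"; fi
    echo "accounts in $f:"; list_vpn_users "$f"
    echo "locked:"; list_locked_users "$f"
    passwd_file_private "$f" || echo "warning: $f is readable by other users" >&2
}
report "$@"
```

Point it at /etc/ocserv/passwd to answer the "which users exist" question, and fix the permissions warning with chmod 600 if it appears; the file holds password hashes and nothing but root and ocserv needs to read it.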
6- Start ocserv
Finally, start the ocserv service and enable it at boot:
# systemctl start ocserv
# systemctl enable ocserv
Also make sure it is running:
# systemctl status ocserv
7- Install a client
For PC, refer to Graphical OpenConnect client
For Android, refer to OpenConnect
For iOS, refer to Cisco AnyConnect
I installed ocserv today and found your way to log in. Everything works fine on my mobile phone, but I can't use it on my computer. Websites like Google, Twitter and YouTube can't be opened. I checked a lot of information; it won't work. Can you help me? PLS
Hi shaw, after ocserv connects on your computer, check if you can ping Google. If it can't find Google's IP address, then you have a DNS issue; if you see Google's IP address but don't get a reply, then there may be an issue with your computer's firewall configuration. Temporarily disable the firewall and test again.
Tuxtipsadmin
Thank you for your reply. I closed my local firewall, or it can't run normally. Google, Facebook and Twitter can't be opened, but Twitch opens normally.
PS: I use another ocserv and everything works fine.
What is your OS, and do you use the client that I mentioned in the article?
I built a service with centos7
The computer is Win7 x86
On the client side I'm using Cisco AnyConnect Secure Mobility Client 4.8
Instead of Cisco AnyConnect, use this: https://openconnect.github.io/openconnect-gui/
Tuxtipsadmin, I have tried the OpenConnect client and still can't solve this problem. I think it should be a bug in 0.12.5. I will go back to the old version and try again. Thank you again for your reply.
I don't think it's a bug; I think it's a matter related to your OS configuration. You can test the OpenConnect client on another computer.
TuxTips, I followed your reminder, and I found it out when I checked the computer according to your opinion.
There is a http://*.*.*.*:8080/b.pac file in the local network connection. I turned it off and everything was solved.
Thank you very much for your help. You are the best.
Glad to see your problem has been solved.
Hi,
I tried all the steps that you describe,
and I connect to my server, but I cannot connect to the internet with the client.
In my logs I saw that it shows a DTLS handshake timeout:
DTLS handshake failed: resource temporarily unavailable
What should I do?
Can you help me?
Hello
How and with what command can we see the list of users that we have already created in ocserv on CentOS 7?
Hello
How can I have an accounting service for ocserv?
I need to manage users,
account duration and multiple users.