How to install ocserv ssl vpn server on CentOS 7 linux

Ocserv (openconnect server) is a great ssl vpn server that simulate cisco anyconnect vpn server on ASAs. Today we are going to show you how to install ocserv ssl vpn server on CentOS 7 linux.

Ocserv has great capabilities that is suitable for your own private vpn server. Also you can use it to bypass internet censorship.
for more detailed information about features please refer to openconnect server website.

Here is our environment:

OS: CentOS 7 linux on VMWare.
IP Address:
SELinux: permissive mode
Firewall: CSF

1- Install epel repository

Ocserv is available in epel repository. so at first, we install epel:

# yum install epel-release

then update OS:

# yum update

note: if you faced error such the following, open /etc/yum.repos.d/epel.repo and change all “https” to “http”:

Cannot retrieve metalink for repository: epel/x86_64. Please verify its path and try again

2- Install ocserv

now it’s time to install ocserv. so, run:

# yum install ocserv gnutls-utils

create cert directory:

# mkdir /etc/ocserv/cert

then change directory to cert:

# cd /etc/ocserv/cert/

create template file:

# touch ca.tmpl

then put the following content in it:

cn = "VPN CA"
organization = "Big Corp"
serial = 1
expiration_days = -1

now we should generate required certificates. so run the following command one by one:

# certtool --generate-privkey --outfile ca-key.pem
# certtool --generate-self-signed --load-privkey ca-key.pem --template ca.tmpl --outfile ca-cert.pem

then create server.tmpl file and put the following content in it:

# vim /etc/ocserv/server.tmpl
cn = "My server"
dns_name = ""
organization = "MyCompany"
expiration_days = -1

then again issue the following command one by one:

# certtool --generate-privkey --outfile server-key.pem
# certtool --generate-certificate --load-privkey server-key.pem --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem --template /etc/ocserv/server.tmpl --outfile server-cert.pem

now create ssl directory in /etc/ocserv:

# mkdir /etc/ocserv/ssl/

then copy server certificates into it:

cp ca-cert.pem server-key.pem server-cert.pem /etc/ocserv/ssl/

3- Configure ocserv

now it’s time to change some setting of ocserv in its config file. for authentication there are the following solution:

pam, password file, certificate, radius

Here we want to authenticate with password file. so open /etc/ocserv/ocserv.conf and find the following line:

auth = "pam"

comment it and uncomment the following:

auth = "plain[passwd=/etc/ocserv/sample.passwd,otp=./sample.otp]"

then change it:

auth = "plain[passwd=/etc/ocserv/passwd]"

also change the following line:

server-cert = /etc/pki/ocserv/public/server.crt
server-key = /etc/pki/ocserv/private/server.key
ca-cert = /etc/pki/ocserv/cacerts/ca.crt

to this:

server-cert = /etc/ocserv/ssl/server-cert.pem
server-key = /etc/ocserv/ssl/server-key.pem
ca-cert = /etc/ocserv/ssl/ca-cert.pem

uncomment this line:

#ipv4-network =

put these lines at the end of file:

dns =
dns =

4- Configure firewall and routing

Here we use csf. so port 443 needs to be opened in csf. for more information on how to open port in csf please refere to How to install CSF on CentOS 7 Linux.
then we should nat our private vpn range to server public ip. because here we use csf, we need to create file and put nat rules in it.

so run the following commnad:

# vim /etc/csf/

then put these lines in it. change “eno16777736” and “” with your server’s public interface and ip address:

iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s -j ACCEPT
iptables -A FORWARD -j REJECT
iptables -t nat -A POSTROUTING -s -o eno16777736 -j MASQUERADE

and reload csf:

# csf -r

furthermore, ip forwarding needs to be enabled. so open /etc/sysctl.conf:

# vim /etc/sysctl.conf

then put this line in it:

net.ipv4.ip_forward = 1

after that run the following:

# sysctl -p

5- Create vpn username and password.

as mentioned earlier, here we use authentication via password file. so we create password file:

# touch /etc/ocserv/passwd

then create your desired username and password. here we create “test” user with group named “default”:

# ocpasswd -c /etc/ocserv/passwd -g default test

6- Start Ocserv

Finally, start ocserv service:

# systemctl start ocserv
# systemctl enable ocserv

also make sure it is running:

# systemctl status ocserv

7- Install connection

for pc refere to Graphical OpenConnect client
for android refer to OpenConnect
for iOS refer to Cisco AnyConnect