Ocserv (OpenConnect server) is a great SSL VPN server that emulates the Cisco AnyConnect VPN server found on ASAs. Today we are going to show you how to install the ocserv SSL VPN server on CentOS 7 Linux.
Ocserv has great capabilities that make it suitable for your own private VPN server. You can also use it to bypass internet censorship.
For more detailed information about its features, please refer to the OpenConnect server website.
Here is our environment:
OS: CentOS 7 Linux on VMware.
IP Address: 192.168.26.128
SELinux: permissive mode
1- Install epel repository
Ocserv is available in the EPEL repository, so first we install EPEL:
# yum install epel-release
Then update the OS:
# yum update
Note: if you face an error such as the following, open /etc/yum.repos.d/epel.repo and change all “https” to “http” (yum then fetches the EPEL repository metadata over plain HTTP, without TLS):
Cannot retrieve metalink for repository: epel/x86_64. Please verify its path and try again
2- Install ocserv
Now it’s time to install ocserv, so run:
# yum install ocserv gnutls-utils
Create the cert directory:
# mkdir /etc/ocserv/cert
Then change directory to cert:
# cd /etc/ocserv/cert/
Create the template file:
# touch ca.tmpl
Then put the following content in it:
cn = "VPN CA"
organization = "Big Corp"
serial = 1
expiration_days = -1
ca
signing_key
cert_signing_key
crl_signing_key
Now we generate the required certificates. Run the following commands one by one:
# certtool --generate-privkey --outfile ca-key.pem
# certtool --generate-self-signed --load-privkey ca-key.pem --template ca.tmpl --outfile ca-cert.pem
Then create the server.tmpl file and put the following content in it:
# vim /etc/ocserv/server.tmpl
cn = "My server"
dns_name = "www.example.com"
organization = "MyCompany"
expiration_days = -1
signing_key
encryption_key
tls_www_server
Then again issue the following commands one by one:
# certtool --generate-privkey --outfile server-key.pem
# certtool --generate-certificate --load-privkey server-key.pem --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem --template /etc/ocserv/server.tmpl --outfile server-cert.pem
Now create the ssl directory in /etc/ocserv:
# mkdir /etc/ocserv/ssl/
Then copy the server certificates into it:
# cp ca-cert.pem server-key.pem server-cert.pem /etc/ocserv/ssl/
3- Configure ocserv
Now it’s time to change some settings of ocserv in its config file. For authentication, the following methods are available:
pam, password file, certificate, radius
Here we want to authenticate with a password file, so open /etc/ocserv/ocserv.conf and find the following line:
auth = "pam"
Comment it out and uncomment the following:
auth = "plain[passwd=/etc/ocserv/sample.passwd,otp=./sample.otp]"
Then change it to:
auth = "plain[passwd=/etc/ocserv/passwd]"
Also change the following lines:
server-cert = /etc/pki/ocserv/public/server.crt
server-key = /etc/pki/ocserv/private/server.key
ca-cert = /etc/pki/ocserv/cacerts/ca.crt
to:
server-cert = /etc/ocserv/ssl/server-cert.pem
server-key = /etc/ocserv/ssl/server-key.pem
ca-cert = /etc/ocserv/ssl/ca-cert.pem
Uncomment this line:
#ipv4-network = 192.168.1.0/24
Put these lines at the end of the file:
dns = 188.8.131.52
dns = 184.108.40.206
4- Configure firewall and routing
Here we use csf, so port 443 needs to be opened in csf. For more information on how to open a port in csf, please refer to How to install CSF on CentOS 7 Linux.
Then we should NAT our private VPN range to the server’s public IP. Because we use csf here, we need to create a csfpre.sh file and put the NAT rules in it.
So run the following command:
# vim /etc/csf/csfpre.sh
Then put these lines in it. Change “eno16777736” and “192.168.26.128” to your server’s public interface and IP address:
#!/bin/bash
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s 192.168.1.0/24 -j ACCEPT
iptables -A FORWARD -j REJECT
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eno16777736 -j MASQUERADE
And reload csf:
# csf -r
Furthermore, IP forwarding needs to be enabled, so open /etc/sysctl.conf:
# vim /etc/sysctl.conf
Then put this line in it:
net.ipv4.ip_forward = 1
After that, run the following:
# sysctl -p
5- Create vpn username and password.
As mentioned earlier, here we use authentication via a password file, so we create the password file:
# touch /etc/ocserv/passwd
Then create your desired username and password. Here we create the “test” user in a group named “default”:
# ocpasswd -c /etc/ocserv/passwd -g default test
6- Start Ocserv
Finally, start the ocserv service:
# systemctl start ocserv
# systemctl enable ocserv
Also make sure it is running:
# systemctl status ocserv
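A quick audit of the finished configuration, as an added example that is not part of the original tutorial or of ocserv itself: it reads the active lines of ocserv.conf and flags the settings changed in step 3 that are still at their defaults, files that are missing, and a password file or TLS private key that group or other can access. The function names and the owner-only permission policy are assumptions of this example.

```shell
#!/bin/bash
# Added example: audit an ocserv.conf for the settings made in this tutorial.
# conf_values, loose_perms, flag and audit_ocserv are names invented here.

# Print the value of every active (uncommented) "key = value" line.
conf_values() {  # usage: conf_values <file> <key>
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1"
}

# Succeeds when group or other hold any permission bit on the file.
loose_perms() {
    [ "$(ls -ldL "$1" | cut -c5-10)" != "------" ]
}

findings=0
flag() { echo "FINDING: $*"; findings=$((findings + 1)); }

# Prints one line per finding; returns 0 only when there are none.
audit_ocserv() {  # usage: audit_ocserv <path to ocserv.conf>
    conf=$1; findings=0; pw=
    auth=$(conf_values "$conf" auth)
    case $auth in
        '"plain[passwd='*)           # take the path up to the first "," or "]"
            pw=${auth#*passwd=}; pw=${pw%%[],]*} ;;
        *)  flag "auth is not a plain password file: ${auth:-unset}" ;;
    esac
    key=$(conf_values "$conf" server-key)
    [ -n "$key" ] || flag "server-key is not set"
    # Policy assumed here: password file and TLS private key are owner-only.
    for f in "$pw" "$key"; do
        [ -n "$f" ] || continue
        if [ ! -f "$f" ]; then flag "$f does not exist"
        elif loose_perms "$f"; then flag "$f is accessible to group/other"
        fi
    done
    for k in server-cert ca-cert; do
        f=$(conf_values "$conf" "$k")
        [ -f "$f" ] || flag "$k file not found: ${f:-unset}"
    done
    [ -n "$(conf_values "$conf" ipv4-network)" ] ||
        flag "ipv4-network is still commented out"
    [ -n "$(conf_values "$conf" dns)" ] || flag "no dns lines configured"
    [ "$findings" -eq 0 ]
}

# Run against a config file when one is given as the first argument.
[ -z "${1:-}" ] || audit_ocserv "$1"
```

Save it as a script and run it as root with /etc/ocserv/ocserv.conf as the argument; an exit status of 0 means no findings.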