Introduction to OpenConnect
OpenConnect is open-source software used mainly to establish secure VPN connections. It was originally written as a compatible alternative to the Cisco AnyConnect SSL VPN client and later gained support for further VPN protocols, which makes it a versatile VPN client. OpenConnect uses the standard TLS (SSL) and DTLS protocols, which encrypt the connection and protect data in transit across public networks. It runs on several operating systems, including Linux, Windows and macOS, so its cross-platform support is good and it is well suited to small and medium-sized businesses or individual use.
Because of its broad compatibility, strong security and open-source nature, OpenConnect is an ideal choice for small and medium-sized businesses or individuals who want a VPN solution without paying licensing fees.
Next, we will deploy an OpenConnect server on Ubuntu to provide services.
Deployment of OpenConnect Server
Installation of OpenConnect
Deploying the OpenConnect service on Ubuntu is straightforward, but note that you must install the OpenConnect server (ocserv), not the client.
First, install ocserv:
sudo apt install ocserv
Service Configuration
After installation, you can begin configuring the service by editing its configuration file. The commands below move the packaged default file aside as a backup and open a fresh one for editing:
sudo mv /etc/ocserv/ocserv.conf /etc/ocserv/ocserv.conf.back
sudo vim /etc/ocserv/ocserv.conf
In the file, you can specify the server's address, listening port, authentication method, etc. Below is a part of the configuration:
# Authentication method, either password or certificate
auth = "plain[passwd=/etc/ocserv/userinfo]"
#auth = "certificate"
# Listening port
tcp-port = 8443
udp-port = 8443
# Client IP range
ipv4-network = 10.0.0.0/24
# Networks that clients reach directly, bypassing the tunnel
no-route = 192.168.0.0/255.255.255.0
# VPN routes to push
route = 172.16.0.0/255.255.0.0
route = 192.168.0.0/255.255.0.0
# DNS to push
dns = 8.8.8.8
# Maximum number of clients and simultaneous logins
max-clients = 256
max-same-clients = 2
# Domain name, used when obtaining certificates later
default-domain = vpn.yoursite.com
# Location of certificates
server-cert = /etc/letsencrypt/live/vpn.yoursite.com/fullchain.pem
server-key = /etc/letsencrypt/live/vpn.yoursite.com/privkey.pem
After completing the main settings, save and exit. Any other options can be configured as needed.
Certificate Application and User Creation
Once the configuration is complete, you can use certbot to obtain certificates (refer to the "Installing and Configuring Certbot" section of the previous article Setting Up a WordPress Website). After obtaining the certificates, create the users that employees will log in with:
sudo ocpasswd -c /etc/ocserv/userinfo username
Then enter and confirm the password to complete user creation. Users can then access the company's internal network with this username and password. Note that the file passed to ocpasswd -c must be the same userinfo file named in the passwd= part of the auth line in the configuration; if the two paths differ, logins will fail.
If needed, accounts can be adjusted with the occtl tool. To delete a user, edit the userinfo file directly.
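To catch the path mismatch described above before the service is started, here is an added pre-flight check (example code written for this article, not part of ocserv or the original post) that reads the passwd= path out of the auth line and confirms that this file, the server certificate and the server key all exist and are readable. The function names and the temporary paths used for testing are assumptions of this example.

```shell
#!/bin/sh
# Pre-flight check for an ocserv configuration (added example, not part of ocserv).
# Verifies that the password file named in auth=, the server-cert and the
# server-key actually exist before "systemctl start ocserv" is run.

# Print the value of a "key = value" line, with surrounding quotes and any
# trailing comment removed. $1 = config file, $2 = key name.
conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1 \
        | sed 's/[[:space:]]*#.*$//; s/^"//; s/"$//'
}

# Path of the password file referenced as plain[passwd=PATH] in auth=, or
# empty when auth= is missing or uses another method (e.g. certificate).
passwd_path() {
    conf_value "$1" auth | sed -n 's/^plain\[passwd=\([^]]*\)\]$/\1/p'
}

# Return 0 when the config is consistent, 1 otherwise; each problem is printed.
check_ocserv_conf() {
    conf="$1"
    rc=0
    pw=$(passwd_path "$conf")
    if [ -z "$pw" ]; then
        echo "auth= does not use plain[passwd=...]; password logins will not work"
        rc=1
    elif [ ! -r "$pw" ]; then
        echo "password file $pw (from auth=) is missing; run: ocpasswd -c $pw <user>"
        rc=1
    fi
    for key in server-cert server-key; do
        f=$(conf_value "$conf" "$key")
        if [ -z "$f" ] || [ ! -r "$f" ]; then
            echo "$key is missing or unreadable: '$f'"
            rc=1
        fi
    done
    return $rc
}

# Usage: sh check_ocserv.sh /etc/ocserv/ocserv.conf
if [ "$#" -gt 0 ]; then
    check_ocserv_conf "$1"
fi
```

Run it as root (or a user that can read the key file), since an unreadable key is reported as a problem.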
Starting the Service
Ensure the configuration is correct and users have been created before starting the service:
sudo systemctl start ocserv
sudo systemctl enable ocserv
After starting, don't forget to configure the server's iptables to allow the relevant traffic:
sudo iptables -A INPUT -p tcp --dport 8443 -j ACCEPT
sudo iptables -A INPUT -p udp --dport 8443 -j ACCEPT
# As with OpenVPN, add source NAT so VPN clients can reach networks beyond the server;
# eth0 is the server's outbound interface (adjust it to match your system).
# The table name must be lowercase: "-t NAT" is rejected by iptables.
sudo iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o eth0 -j MASQUERADE
Finally, ensure that IP forwarding is enabled in the kernel (a plain "echo 1 > ..." fails for a non-root user because the redirection is performed by the unprivileged shell, hence tee):
echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward
# This setting does not survive a reboot; to make it persistent, set net.ipv4.ip_forward=1 in /etc/sysctl.conf
Conclusion
By now you should have a working OpenConnect server, and employees can securely reach the corporate intranet from anywhere using the Cisco Secure Client (AnyConnect) or the OpenConnect client. Given how hostile the public internet can be, it is recommended not only to obtain proper certificates for the server but also to enable certificate validation options on the client, so that connections to an impersonating server are refused and man-in-the-middle attacks are avoided.