{"id":243,"date":"2024-03-18T08:51:06","date_gmt":"2024-03-18T08:51:06","guid":{"rendered":"https:\/\/blog.devops955.com\/swain\/?p=243"},"modified":"2024-03-18T08:51:06","modified_gmt":"2024-03-18T08:51:06","slug":"openconnect-vpn-server","status":"publish","type":"post","link":"https:\/\/blog.devops955.com\/swain\/2024\/03\/18\/openconnect-vpn-server\/","title":{"rendered":"Step-by-Step Building Your Corporate OpenConnect VPN Server"},"content":{"rendered":"<blockquote>\n<p>Estimated reading time: 5 minutes<\/p>\n<\/blockquote>\n<h1>Introduction<\/h1>\n<h2>Introduction to OpenConnect<\/h2>\n<p>OpenConnect is open-source software primarily used for establishing secure VPN connections. Initially, it was designed as a compatible alternative to the Cisco AnyConnect SSL VPN, but it later added support for more VPN protocols, making it a versatile VPN client. OpenConnect supports the standard SSL and DTLS protocols, which provide encrypted network connections, protecting data transmission over public networks. 
OpenConnect is compatible with multiple operating systems, including Linux, Windows, and macOS, offering good cross-platform support and making it suitable for small and medium-sized businesses or individual use.<br \/>\nDue to its excellent compatibility, high security, and open-source nature, OpenConnect is an ideal choice for small and medium-sized businesses or individuals looking for a VPN solution without the need to pay licensing fees.<\/p>\n<p>Next, we will deploy an OpenConnect server on Ubuntu to provide services.<\/p>\n<h1>Deployment of OpenConnect Server<\/h1>\n<h2>Installation of OpenConnect<\/h2>\n<p>Deploying the OpenConnect service on Ubuntu is quite straightforward, but it is important to note that you need to install <strong>OpenConnect Server (ocserv)<\/strong>, not the client.<br \/>\nFirst, install ocserv:<\/p>\n<pre><code class=\"language-bash\">sudo apt install ocserv<\/code><\/pre>\n<h2>Service Configuration<\/h2>\n<p>After installation, you can start configuring by editing the configuration file:<\/p>\n<pre><code class=\"language-bash\">sudo mv \/etc\/ocserv\/ocserv.conf \/etc\/ocserv\/ocserv.conf.back\nsudo vim \/etc\/ocserv\/ocserv.conf<\/code><\/pre>\n<p>In the file, you can specify the server's address, listening port, authentication method, etc. 
Below is a part of the configuration:<\/p>\n<pre><code class=\"language-ini\"># Authentication method, either password or certificate\nauth = &quot;plain[passwd=\/etc\/ocserv\/userinfo]&quot;\n#auth = &quot;certificate&quot;\n# Listening port\ntcp-port = 8443\nudp-port = 8443\n# Client IP range\nipv4-network = 10.0.0.0\/24\n# Bypass routing\nno-route = 192.168.0.0\/255.255.255.0\n# VPN routes to push\nroute = 172.16.0.0\/255.255.0.0\nroute = 192.168.0.0\/255.255.0.0\n# DNS to push\ndns = 8.8.8.8\n# Maximum number of clients and simultaneous logins\nmax-clients = 256\nmax-same-clients = 2\n# Domain name, for applying certificates later\ndefault-domain = vpn.yoursite.com\n# Location of certificates\nserver-cert = \/etc\/letsencrypt\/live\/vpn.yoursite.com\/fullchain.pem\nserver-key = \/etc\/letsencrypt\/live\/vpn.yoursite.com\/privkey.pem<\/code><\/pre>\n<p>After completing the main configurations, save and exit. If there are other options to configure, you can do so as needed.<\/p>\n<h2>Certificate Application and User Creation<\/h2>\n<p>Once the configuration is complete, you can use certbot to apply for certificates (refer to the &quot;Installing and Configuring Certbot&quot; section of the previous article <a href=\"https:\/\/blog.devops955.com\/swain\/zh\/2024\/02\/28\/step-by-step-guide-to-deploying-wordpress-with-lemp-stack-2\/\">Setting Up a WordPress Website<\/a>). After obtaining the certificates, you need to create users for employee access:<\/p>\n<pre><code class=\"language-bash\">sudo ocpasswd -c \/etc\/ocserv\/userinfo username<\/code><\/pre>\n<p>Then, enter and confirm the password to complete user creation. Subsequently, users can use this username and password to access the company's internal network. It is important to note that the <strong>userinfo file must match the configuration<\/strong>.<br \/>\nIf needed, modifications can be made using the occtl tool. 
For deleting users, directly edit the <strong>userinfo<\/strong> file.<\/p>\n<h2>Starting the Service<\/h2>\n<p>Ensure the configuration is correct and users have been created before starting the service:<\/p>\n<pre><code class=\"language-bash\">sudo systemctl start ocserv\nsudo systemctl enable ocserv<\/code><\/pre>\n<p>After starting, don't forget to configure the server's iptables to allow the relevant traffic:<\/p>\n<pre><code class=\"language-bash\">sudo iptables -A INPUT -p tcp --dport 8443 -j ACCEPT\nsudo iptables -A INPUT -p udp --dport 8443 -j ACCEPT\n# Similar to openvpn, add NAT for the VPN client range (the table name is lowercase \"nat\")\nsudo iptables -t nat -A POSTROUTING -s 10.0.0.0\/24 -o eth0 -j MASQUERADE<\/code><\/pre>\n<p>Finally, ensure that kernel forwarding is enabled:<\/p>\n<pre><code class=\"language-bash\">echo 1 &gt; \/proc\/sys\/net\/ipv4\/ip_forward<\/code><\/pre>\n<h1>Conclusion<\/h1>\n<p>By now, you should have successfully deployed an OpenConnect server, and employees can securely access the corporate intranet anytime, anywhere using the Cisco Secure Client (AnyConnect) or OpenConnect client. To deal with the complex internet environment, in addition to applying for certificates, it is also recommended to enable certificate validation options on the client, so that it rejects a server certificate that does not match the expected one; this further enhances security and prevents man-in-the-middle attacks.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Estimated reading time: 5 minutes Introduction Introduction to OpenConnect OpenConnect is open-source software primarily used for establishing secure VPN connections. Initially, it was designed as a compatible alternative to the Cisco AnyConnect SSL VPN, but it later added support for more VPN protocols, making it a versatile VPN client. 
OpenConnect supports standard SSL and DTLS&#8230;<\/p>\n","protected":false},"author":3,"featured_media":256,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":"","_jetpack_memberships_contains_paid_content":false},"categories":[4],"tags":[],"jetpack_sharing_enabled":true,"jetpack_featured_media_url":"https:\/\/blog.devops955.com\/swain\/wp-content\/uploads\/sites\/2\/2024\/03\/Oc.jpg","_links":{"self":[{"href":"https:\/\/blog.devops955.com\/swain\/wp-json\/wp\/v2\/posts\/243"}],"collection":[{"href":"https:\/\/blog.devops955.com\/swain\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.devops955.com\/swain\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.devops955.com\/swain\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.devops955.com\/swain\/wp-json\/wp\/v2\/comments?post=243"}],"version-history":[{"count":4,"href":"https:\/\/blog.devops955.com\/swain\/wp-json\/wp\/v2\/posts\/243\/revisions"}],"predecessor-version":[{"id":260,"href":"https:\/\/blog.devops955.com\/swain\/wp-json\/wp\/v2\/posts\/243\/revisions\/260"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/blog.devops955.com\/swain\/wp-json\/wp\/v2\/media\/256"}],"wp:attachment":[{"href":"https:\/\/blog.devops955.com\/swain\/wp-json\/wp\/v2\/media?parent=243"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.devops955.com\/swain\/wp-json\/wp\/v2\/categories?post=243"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.devops955.com\/swain\/wp-json\/wp\/v2\/tags?post=243"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}