How to Install OpenConnect VPN Server on Ubuntu 22.04 (2023)

OpenConnect VPN also known asnoticeis a free, open-source VPN solution with enterprise-grade performance and features. It is based on the Cisco AnyConnect VPN protocol, which is widely used in the corporate sector. In this tutorial, you will learn how to install OpenConnect VPN server on an Ubuntu 22.04 machine. You will also learn how to use an OpenConnect client to connect to the server.

prerequisites

• A server running Ubuntu 22.04.

• A non-root user with sudo privileges.

• A fully qualified domain name (FQDN) such asvpn.example.com.

• Make sure everything is up to date.

  $ sudo apt update$ sudo apt upgrade

• Few packages your system needs.

  $ sudo apt install wget curl nano software-properties-common dirmngr apt-transport-https gnupg2 ca-certificates lsb-release ubuntu-keyring unzip -y

  Some of these packages may already be installed on your system.

Step 1 - Configure the Firewall

The first step is to configure the firewall. Ubuntu comes with ufw (Uncomplicated Firewall) by default.

Make sure the firewall is running.

$ sudo ufw status

You should get the following output.

Status: inactive

Allow the SSH port so that the firewall does not interrupt the current connection when activating it.

$ sudo ufw enable OpenSSH

Allow HTTP and HTTPS ports as well.

$ sudo ufw allow http$ sudo ufw allow https

Enable Firewall

$ sudo ufw enableCommand can break existing ssh connections. Continue with the (y|n) operation? yFirewall is active and activated at system startup

Check the firewall status again.

$ sudo ufw status

You should see similar output.

Status: activeTo Action From-- ------ ----OpenSSH ALLOW Anywhere80/tcp ALLOW Anywhere443 ALLOW AnywhereOpenSSH (v6) ALLOW Anywhere (v6)80/tcp (v6) ALLOW Anywhere (v6)443 (v6) ALLOW Em qualquer lugar (v6)

Step 2 - Install Git

Step 3 - Install OpenConnect

Ubuntu 22.04 ships with an older version (1.1.3) of OpenConnect. If you are satisfied with that, you can install it using the following command.

$ sudo apt install ocserv

However, for this tutorial, we will be installing the latest version (1.1.6) of OpenConnect. For that, we'll need to build it from source.

Install the necessary dependencies to compile the source code.

$ sudo apt install -y libgnutls28-dev libev-dev libpam0g-dev liblz4-dev libsecomp-dev \libreadline-dev libnl-route-3-dev libkrb5-dev libradcli-dev \libcurl4-gnutls-dev libcjose-dev libjansson-dev libprotobuf-c-dev \libtalloc-dev libhttp-parser-dev protobuf-c-compiler gperf \nuttcp lcov libuid-wrapper libpam-wrapper libnss-wrapper \libsocket-wrapper gss-ntlmssp haproxy iputils-ping freeradius \gawk gnutls-bin iproute2 yajl-tools tcpdump autoconf automake

clone theocserv git repository.

$ git clone https://gitlab.com/openconnect/ocserv.git

Switch to the cloned directory.

$ cd ocserv

Generate configuration scripts.

$ autoconf -fvi

Compile the source code. Ignore any obsolete warnings.

$ ./configure && do

Install ocserv.

$ sudo make install

The files will be installed in/usr/local/bine/usr/local/sbindirectories. Copy the systemd service file.

$ sudo cp doc/systemd/standalone/ocserv.service /etc/systemd/system/ocserv.service

Open the service file for editing.

$ sudo nano /etc/systemd/system/ocserv.service

Change the path to the ocserv binary in the following line

$ ExecStart=/usr/sbin/ocserv --foreground --pid-file /run/ocserv.pid --config /etc/ocserv/ocserv.conf

to the next.

$ ExecStart=/usr/local/sbin/ocserv --foreground --pid-file /run/ocserv.pid --config /etc/ocserv/ocserv.conf

Save the file by pressingCtrl + Xand enteringYwhen solicited.

Reload the system daemon.

$ sudo systemctl daemon-reload

Step 4 - Generate SSL certificates

We need to install Certbot to generate the SSL certificate. You can install Certbot using the Ubuntu repository or get the latest version using the Snapd tool. We will be using the Snapd version.

Ubuntu 22.04 comes with Snapd installed by default. Run the following commands to ensure your version of Snapd is up to date.

$ sudo snap install core && sudo snap refresh core

Install Certbot.

$ sudo snap install --classic certbot

Use the following command to ensure that the Certbot command can be executed by creating a symbolic link to the/usr/bindirectory.

$ sudo ln -s /snap/bin/certbot /usr/bin/certbot

There are two possibilities when it comes to generating an SSL certificate. If you don't have a web server running on your system, you can use the unattended method to generate the certificate. Run the following command to create the certificate using the standalone plugin for Certbot.

$ sudo certbot certonly --standalone --agree-tos --no-eff-email --staple-ocsp --preferred-challenges http -m[email protected]-d vpn.example.com

The above command will download a certificate for the/etc/letsencrypt/live/vpn.example.comdirectory on your server.

Then if you have a server running on your system you can use the webroot plugin or the Nginx or Apache plugins if you are using them. For Nginx or Apache servers, just run the command below.

$ sudo certbot certonly --nginx --agree-tos --no-eff-email --staple-ocsp --preferred-challenges http -m[email protected]-d vpn.example.com

or

$ sudo certbot certonly --apache --agree-tos --no-eff-email --staple-ocsp --preferred-challenges http -m[email protected]-d vpn.example.com

If you have a different server, we will need to use the webroot plugin. To do this, create the web root directory.

$ sudo mkdir -p /var/www/ocserv

Set the server as the owner of the web root directory. In our case, we are usingwww dataas server user.

$ sudo chown www-data:www-data /var/www/ocserv -R

Then configure your server to serve the domainvpn.example.comno/var/www/ocservdirectory. Restart the server. Then generate the certificate using the following command.

$ sudo certbot certonly --webroot --agree-tos --no-eff-email --staple-ocsp --preferred-challenges http -m[email protected]-d vpn.example.com

Check the Certbot renewal scheduler service.

$ sudo systemctl list-timers

You will findsnap.certbot.renew.serviceas one of the services scheduled to run.

NEXT LEFT LAST UNIT PAST ACTIVE WEDNESDAY 2023-04-19 10:31:47 UTC 2h 55min left Wed 2023-04-19 03:31:58 UTC 4h 3min ago ua-timer.timer ua-timer.serviceWed 2023- 04-19 12:02:42 UTC 4h 26min left Wed 2023-04-19 03:19:20 UTC 4h 16min ago motd-news.timer motd-news.serviceWed 2023-04-19 18:19:56 UTC 10h left Wed 2023- 04-19 07:19:52 UTC 16min ago apt-daily.timer apt-daily.serviceWed 2023-04-19 22:51:00 UTC 15h left n/a n/a snap.certbot.renew.timer snap .certbot. renew.service

Test the process to verify that the SSL renewal is working fine.

$ sudo certbot renew --dry-run

If you don't see any errors, you're all set. Your certificate will automatically renew.

Step 5 - Configure OpenConnect

If you installed ocserv using APT, the configuration file should already be available on/etc/ocserv/ocserv.conflocation. But if you created the package from source, we need to copy the configuration file.

Create the directory for the configuration file.

$ sudo mkdir /etc/ocserv

Copy the config file.

$ sudo cp /home/username/ocserv/doc/sample.config /etc/ocserv/ocserv.conf

Open the file for editing.

$ sudo nano /etc/ocserv/ocserv.conf

Change theauthenticationparameter value to the following. This will allow users to use separate VPN accounts.

auth = "simples[passwd=/etc/ocserv/ocpasswd]"

By default, OpenConnect uses TCP and UDP port 443. We will only be using the TCP port for connection, so disable the UDP port by commenting it out.

tcp-port = 443#udp-port = 443

If you have a web server running on port 443, change the TCP port value by changing the value.

tcp port = 8443

Then find the variablescrt-servereserver keyand change their values ​​as follows.

server-cert = /etc/letsencrypt/live/vpn.example.com/fullchain.pemserver-key = /etc/letsencrypt/live/vpn.example.com/privkey.pem

Set the maximum number of allowed clients. Default value is 16. Set to 0 for unlimited.

maximum clients = 16

Set the number of devices a user can use at the same time. Default value is 2. Set to 0 for unlimited.

max-same-customers = 2

By default, OpenConnect sends keepalive packets every 9 hours (32,400 seconds). That's a very high value. Set it to 60 seconds to reduce the chance of your VPN connection dropping.

stay alive = 60

Change the value oftry-mtu-discoveryforTRUEto enable MTU discovery. It can optimize VPN performance.

try-mtu-discovery = true

Configure how long a client can be idle before being disconnected by uncommenting the following variables. If you want the client to stay connected indefinitely, leave it as it is.

idle-timeout=1200mobile-idle-timeout=1800

Set the default domain name for OpenConnect VPN.

default domain = vpn.example.com

Change the default IPv4 setting to avoid IP address collision. we are going to use10.10.10.0like the value.

rede ipv4 = 10.10.10.0

Uncomment the following line to tunnel all DNS queries through the VPN.

tunnel-all-dns = true

Change the DNS resolver to Google DNS. Add the second entry as well.

dns = 8.8.8.8dns = 8.8.4.4

Comment out all route parameters by adding the hash symbol (#) in front of it.

#route = 10.10.10.0/255.255.255.0#route = 192.168.0.0/255.255.0.0#route = fef4:db8:1000:1001::/64#route = default# Subsets of the above routes that will not be routed by # the server.#no-route = 192.168.5.0/255.255.255.0

Save the file by pressingCtrl + Xand enteringYwhen solicited.

Step 6 - Start the OpenConnect Server

Start the OpenConnect VPN server.

$ sudo systemctl start ocserv

Check the status of the service.

$ sudo systemctl status ocserv

You will get similar output.

? ocserv.service - OpenConnect SSL VPN server Loaded: loaded (/etc/systemd/system/ocserv.service; disabled; vendor default: enabled) Active: active (running) since Thu 2023-04-20 08:52:18 UTC; 2s ago Docs: man:ocserv(8) Main PID: 19965 (ocserv-main) Tasks: 2 (limit: 1026) Memory: 1.4M CPU: 9ms CGroup: /system.slice/ocserv.service ??19965 ocserv- main ??19966 ocserv-sm Apr 20 08:52:18 openconnect ocserv[19965]: note: ignoring configuration option 'pid-file'Apr 20 08:52:18 openconnect ocserv[19965]: note: vhost: default: setting 'plain ' as primary authentication methodApr 20 08:52:18 openconnect ocserv[19965]: error connecting to socket sec-mod '/var/run/ocserv-socket.a4413bc9': No such file or directoryApr 20 08:52:18 openconnect ocserv [19965]: note: setting 'file' as supplementary configuration option Apr 20 08:52:18 openconnect ocserv[19965]: listening (TCP) at 0.0.0.0:443.. .Apr 20 08:52:18 openconnect ocserv[19965 ]: listening (TCP) on [::]:443...Apr 20 08:52:18 openconnect ocserv[19966]:ocserv[19966]:sec- mod: reading supplementary configuration files Apr 20 08:52:18 openconnect ocserv[19966]: sec-mod: reading supplemental configuration filesApr 20 08:52:18 openconnect ocserv[19966]: ocserv[19966]: sec-mod : sec-mod initialized (socket: /var/run/ocserv-socket .a4413bc9.0) Apr 20 08:52:18 openconnect ocserv[19966]: sec-mod: sec-mod initialized (socket: /var/run /ocserv-socket.a4413bc9.0)

If you see the error related to connecting tosec-mod socket, ignore this. It's normal. It will initialize the file if it doesn't find it.

Step 7 - Create VPN accounts

You can create VPN accounts using theocpasswdUtility. Run the following command to create a new VPN account.

$ sudo ocpasswd -c /etc/ocserv/ocpasswd username Enter password: Retype password:

The password will be saved in/etc/ocserv/ocpasswdfile. To reset the password foruser name, run the above command again. Run the above command with a different user to create another account.

Step 8 - Enable IP Forwarding

In order for the VPN server to route packets between the client and the Internet, you need to enable IP forwarding by running the following command.

$ echo "net.ipv4.ip_forward = 1" | sudo tee /etc/sysctl.d/60-custom.conf

Run the following commands to allow the TCP BBR algorithm to increase TCP speed.

$ echo "net.core.default_qdisc=fq" | sudo tee -a /etc/sysctl.d/60-custom.conf$ echo "net.ipv4.tcp_congestion_control=bbr" | sudo tee -a /etc/sysctl.d/60-custom.conf

Make the changes permanent using the following command.

$ sudo sysctl -p /etc/sysctl.d/60-custom.conf

Step 9 - Configure IP Masquerading

The next step is to configure IP masquerading on the firewall so that the VPN server works as a virtual router for clients. Find the server's primary network interface name.

$ ip addr

You will get similar output.

1: lo:mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0. 0.1/8 lo scope host valid_lft forever preferred_lft forever inet6 ::1/128 valid_lft scope host forever preferred_lft forever2: enp1s0:mtu 1500 qdisc fq qlen group default UP state 1000 link/ether 56:00 :04:67:7e:79 brd ff:ff:ff:ff:ff:ff inet 95.179.138.135/23 metric 100 brd 95.179.139.255 scope dynamic global enp1s0 valid_lft 66999sec lft_preferred 66999sec inet6 2a05:f480:1400:23 81:5400 :4ff:fe67:7e79/64 global dynamic scope mngtmpaddr noprefixroute valid_lft 2591657sec lft_preferred 604457sec inet6 fe8 0::5400:4ff:fe67:7e79/64 link do scope valid_lft forever preferred_lft forever

In our case,enp1s0is the name of the interface. Add the iptables command to a UFW configuration file by opening it for editing.

$ sudo nano /etc/ufw/before.rules

Add the following lines at the end of the file. To replaceenp1s0in code with your network interface.

# NAT table rules*nat:POSTROUTING ACCEPT [0:0]-A POSTROUTING -s 10.10.10.0/24 -o enp1s0 -j ​​MASQUERADE# End each table with the line 'COMMIT' or these rules will not be processedCOMMIT

Locate the following lines in the file.

# ok código icmp para FORWARD-A ufw-before-forward -p icmp --icmp-type destination-unreachable -j ACCEPT-A ufw-before-forward -p icmp --icmp-type time-exceeded -j ACCEPT-A ufw-before-forward -p icmp --icmp-type parameter-problem -j ACCEPT-A ufw-before-forward -p icmp --icmp-type echo-request -j ACEITAR

Paste the following lines after it.

# allow forwarding to trusted network-A ufw-before-forward -s 10.10.10.0/24 -j ACCEPT-A ufw-before-forward -d 10.10.10.0/24 -j ACCEPT

Save the file by pressingCtrl + Xand enteringYwhen solicited.

Restart the firewall.

$ sudo systemctl reiniciar ufw

You can check the Masquerade rule using the following command.

$ sudo iptables -t nat -L POSTROUTING

You will get the following output.

Chain POSTROUTING (policy ACCEPT)target prot opt ​​source destinationMASQUERADE all -- 10.10.10.0/24 anywhere

Step 10 - Connect using the OpenConnect Client

We will install the OpenConnect Client on an Ubuntu 22.04 machine. Run the following command to install the client.

$ sudo apt install openconnect

Then connect to the VPN server using the following command. O-bflag causes the client to run in the background as soon as the connection is established.

$ sudo openconnect -b vpn.example.com:443

You will be asked to enter your VPN username and password. Enter the credentials created in step 7.

POST https://vpn.example.com/Connected to 95.179.138.135:443 SSL negotiation with vpn.example.com Connected to HTTPS on vpn.example.com with ciphersuite (TLS1.3)-(ECDHE-SECP256R1)-( ECDSA- SECP256R1-SHA256)-(AES-256-GCM)XML POST EnabledPlease enter your username.Username:navjotPOST https://vpn.example.com/authPlease enter your password.Password:POST https://vpn.example.com/ authentication

You will see the following output on a successful connection. DTLS is disabled because we disabled UDP.

Got CONNECT response: HTTP/1.1 200 CONNECTEDCSTP connected. DPD 90, Keepalive 60No DTLS addressSet up UDP failed; using SSL insteadSet to 192.168.1.13, with SSL connected and DTLS disabledContinuing in the background; pid 1650

Run the following command to break the connection.

$ sudo pkill openconnect

Let's create some systemd scripts for OpenConnect. The first script is to make the client connect automatically on system startup.

Create and open the service file for editing.

$ sudo nano /etc/systemd/system/openconnect.service

Paste the following code into it.

[Unit] Description=OpenConnect VPN Client After=network-online.target systemd-resolved.service Wants=network-online.target[Service] Type=simples ExecStart=/bin/bash -c '/bin/echo -n password | /usr/sbin/openconnect vpn.example.com -u nome de usuário --passwd-on-stdin' KillSignal=SIGINT Restart=sempre RestartSec=2[Install] WantedBy=multi-user.target

Save the file by pressingCtrl + Xand enteringYwhen solicited.

Enable the service.

$ sudo systemctl habilitar openconnect.service

Start the service.

$ sudo systemctl start openconnect.service

To restart your VPN connection automatically when your PC comes out of sleep state, you need to create another systemd script.

Create and open the restart script for editing.

$ sudo nano /etc/systemd/system/openconnect-restart.service

Paste the following code into it.

[Unit]Description=Reinicie o cliente OpenConnect ao retomar de suspendAfter=suspend.target[Service]Type=simpleExecStart=/bin/systemctl --no-block restart openconnect.service[Install]WantedBy=suspend.target

Save the file by pressingCtrl + Xand enteringYwhen solicited.

Enable the service.

$ sudo systemctl enable openconnect-restart.service

We can also create a service to restart the VPN connection automatically when it drops. Create and open the VPN verification service for editing.

$ sudo nano /etc/systemd/system/openconnect-check.service

Paste the following code into it.

[Unit]Description=OpenConnect VPN Connectivity CheckerAfter=openconnect.service[Service]Type=simpleExecStart=/bin/bash -c 'for ((; ; )) do (ping -c9 10.10.10.1 || systemctl restart openconnect) concluído' [Instalar]WantedBy=multi-user.target

Save the file by pressingCtrl + Xand enteringYwhen solicited.

Enable and start the service.

$ sudo systemctl enable enable openconnect-check.service --now

This will run the ping command forever to check the VPN connection. If it crashes, it will automatically restart OpenConnect.

you can downloadOpenConnect GUI Clientsif you want. However, they haven't been updated for quite some time. If you want an updated GUI client, you can visit theOpenConnect GUI GitLab Repositoryand compile it yourself.

Conclusion

This concludes our tutorial on installing an OpenConnect VPN server on an Ubuntu 22.04 server and using the command line client to connect to it. If you have any questions, post them in the comments below.