OpenConnect VPN Server Installation


OpenConnect VPN
For more information on OpenConnect VPN Server, visit infradead.org


Description:


OpenConnect is an SSL VPN client initially created to support Cisco's AnyConnect SSL VPN. It has since been ported to support the Juniper SSL VPN, which is now known as Pulse Connect Secure. OpenConnect is released under the GNU Lesser General Public License, version 2.1. Like vpnc, OpenConnect is not officially supported by, or associated in any way with, Cisco Systems, Juniper Networks or Pulse Secure. It just happens to interoperate with their equipment.


Pre-Requisites:


Install the packages that are needed to support OpenConnect


COMPATIBILITY NOTICE:
These instructions are only compatible with Debian 8 Jessie.


sudo apt-get update
sudo apt-get -y install xz-utils dbus build-essential pkg-config libgnutls28-dev \
libwrap0-dev libpam0g-dev libseccomp-dev libreadline-dev libnl-route-3-dev ufw libev4 \
libev-dev libprotobuf-c0-dev protobuf-c-compiler gnutls-bin git


Download OCServ:


cd /tmp
wget ftp://ftp.infradead.org/pub/ocserv/ocserv-0.11.2.tar.xz
tar -xf ocserv-0.11.2.tar.xz
cd ocserv-0.11.2


Compile OCServ:


./configure --prefix=/usr/local --sysconfdir=/etc
make
sudo make install


Create CA and Server Certificate:


1.    Create Cert Directory:

cd ~
sudo mkdir certificates
cd certificates


2.    Create the CA Cert:

cat > ca.tmpl << "EOF"
cn = "vpn.yourcompany.com"
organization = "Your Company"
serial = 1
expiration_days = 3650
ca
signing_key
cert_signing_key
crl_signing_key
EOF


certtool --generate-privkey --outfile ca-key.pem
certtool --generate-self-signed --load-privkey ca-key.pem --template ca.tmpl --outfile ca-cert.pem


3.    Create a Server Cert:

cat > server.tmpl << "EOF"
# cn must be the hostname clients connect to; it is the same name the
# Let's Encrypt certificate is issued for later in this guide
cn = "vpn.yourcompany.com"
organization = "Your Company"
expiration_days = 3650
signing_key
encryption_key
tls_www_server
EOF


certtool --generate-privkey --outfile server-key.pem
certtool --generate-certificate --load-privkey server-key.pem --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem --template server.tmpl --outfile server-cert.pem


4.    Copy the new Certs:

sudo mkdir /etc/ocserv
sudo cp server-cert.pem server-key.pem /etc/ocserv
sudo cp /tmp/ocserv-0.11.2/doc/sample.config /etc/ocserv/config
cd /etc/ocserv


Set Configuration File:


Set the following values in the /etc/ocserv/config file based on your infrastructure.

auth = "plain[passwd=/etc/ocserv/.ocpasswd]"

try-mtu-discovery = true

listen-host = 1.2.3.4

server-cert = /etc/ocserv/server-cert.pem
server-key = /etc/ocserv/server-key.pem

max-clients = 8
max-same-clients = 2

dns = 8.8.8.8

# comment out all route fields
# route = 10.0.0.0/255.0.0.0
# route = 172.16.0.0/255.255.0.0
# route = 192.168.0.0/255.255.255.0
# route = fef4:db8:1000:1001::/64
# no-route = 192.168.5.0/255.255.255.0

ipv4-network = 192.168.1.0


cisco-client-compat = true
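As an added example (not part of the original guide), a small shell helper that applies the values above to the copied sample config without leaving duplicate or commented-out copies of a key, run here against a constructed excerpt of sample.config:

```shell
# Added example, not from the original guide: apply the settings above to a copy of
# ocserv's sample config without leaving duplicates. set_opt removes every live or
# commented line for a single-valued key and appends one live line; comment_routes
# disables every "route =" line. The lines in build_demo_config are a constructed
# excerpt, not the full sample.config.
set -e

# set_opt FILE KEY VALUE: leave exactly one live "KEY = VALUE" line in FILE
set_opt() {
    file=$1; key=$2; value=$3
    tmp=$(mktemp)
    # drop "key = ..." and "#key = ..." alike (grep exits 1 when nothing remains)
    grep -Ev "^[[:space:]]*#?[[:space:]]*$key[[:space:]]*=" "$file" > "$tmp" || true
    printf '%s = %s\n' "$key" "$value" >> "$tmp"
    mv "$tmp" "$file"
}

# comment_routes FILE: prefix every push-route line with "# " (no-route is kept)
comment_routes() {
    tmp=$(mktemp)
    sed -E 's/^[[:space:]]*(route[[:space:]]*=)/# \1/' "$1" > "$tmp" && mv "$tmp" "$1"
}

# get_opt FILE KEY: print the live value of KEY (empty if unset or commented)
get_opt() { sed -nE "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1"; }

# constructed stand-in for /etc/ocserv/config as copied from sample.config
build_demo_config() {
    cfg=$(mktemp)
    cat > "$cfg" <<'EOF'
auth = "plain[passwd=/etc/ocserv/ocpasswd]"
#auth = "pam"
max-clients = 16
route = 10.0.0.0/255.0.0.0
route = 192.168.0.0/255.255.255.0
no-route = 192.168.5.0/255.255.255.0
EOF
    echo "$cfg"
}

# apply the guide's values; prints the path of the edited file
configure_demo() {
    cfg=$(build_demo_config)
    set_opt "$cfg" auth '"plain[passwd=/etc/ocserv/.ocpasswd]"'
    set_opt "$cfg" max-clients 8
    set_opt "$cfg" ipv4-network 192.168.1.0
    comment_routes "$cfg"
    echo "$cfg"
}
```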


Create VPN Users:


ocpasswd -c /etc/ocserv/.ocpasswd username


Setup Network Rules:


1.    Enable NAT:
NAT for the VPN subnet is configured through ufw in step 7 below; steps 2 to 6 enable the kernel forwarding and firewall policy that it depends on.


2.    Enable IPv4 Forwarding:
Edit /etc/sysctl.conf to enable IPv4 forwarding by adding the following entry.

net.ipv4.ip_forward=1


Apply the new IPv4 Forwarding Rule.

sysctl -p /etc/sysctl.conf


3.    Add IPTables Rule:

# Clamp the TCP MSS to the path MTU for forwarded VPN traffic. Rules added by hand
# are not persistent: they do not survive a reboot or the ufw disable/enable in
# step 8, so for a permanent rule add it to /etc/ufw/before.rules instead.
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu


4.    Open necessary ports on the firewall:

# 443/tcp carries the TLS control channel, 443/udp the DTLS data channel
sudo ufw allow 443/tcp
sudo ufw allow 443/udp
sudo ufw allow out to any port 443

# 80/tcp is needed for the Let's Encrypt standalone validation below
sudo ufw allow 80/tcp
sudo ufw allow out to any port 80

# 22/tcp for SSH administration
sudo ufw allow 22/tcp
sudo ufw allow out to any port 22


5.    Verify the firewall ruleset:

sudo ufw status verbose


6.    Change the default forwarding policy:
Edit the /etc/default/ufw file to change the forwarding policy.

DEFAULT_FORWARD_POLICY="ACCEPT"


7.    Set NAT Rules:
Set NAT rules for any networks that you want to be able to reach through the VPN:

echo "*nat" >> /etc/ufw/before.rules
echo ":POSTROUTING ACCEPT [0:0]" >> /etc/ufw/before.rules

# Change the source subnet to match ipv4-network in /etc/ocserv/config; the destination
# networks and interfaces (eth0, eth1) are examples and must match your own routes
echo "-A POSTROUTING -s 192.168.1.0/24 -d 10.12.0.0/24 -o eth0 -j MASQUERADE" >> /etc/ufw/before.rules
echo "-A POSTROUTING -s 192.168.1.0/24 -d 10.13.0.0/24 -o eth1 -j MASQUERADE" >> /etc/ufw/before.rules

echo "COMMIT" >> /etc/ufw/before.rules


8.    Restart the firewall:

sudo ufw disable && sudo ufw enable
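An added example, not from the original guide, that writes the NAT section of step 7 as a marked block which can be re-run safely; the subnet, destination networks and interface names are the guide's example values:

```shell
# Added example, not from the original guide: write the ufw NAT section idempotently.
# Re-running the echo >> commands of step 7 appends another copy of the "*nat" table
# and duplicates the MASQUERADE rules; this version replaces a marked block instead.
# Subnet, destination networks and interfaces are the guide's example values, and the
# before.rules content in demo_rules is constructed for the demo.
set -e

NAT_BEGIN='# BEGIN ocserv NAT'
NAT_END='# END ocserv NAT'

# nat_block VPN_SUBNET: print the marked NAT table for the given VPN source subnet
nat_block() {
    cat <<EOF
$NAT_BEGIN
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s $1 -d 10.12.0.0/24 -o eth0 -j MASQUERADE
-A POSTROUTING -s $1 -d 10.13.0.0/24 -o eth1 -j MASQUERADE
COMMIT
$NAT_END
EOF
}

# install_nat RULES_FILE VPN_SUBNET: strip any earlier marked block, then append a fresh one
install_nat() {
    tmp=$(mktemp)
    awk -v b="$NAT_BEGIN" -v e="$NAT_END" \
        '$0 == b { skip = 1 } !skip { print } $0 == e { skip = 0 }' "$1" > "$tmp"
    nat_block "$2" >> "$tmp"
    mv "$tmp" "$1"
}

# count_nat_tables FILE: number of "*nat" headers; the file should contain exactly 1
count_nat_tables() { grep -c '^\*nat$' "$1" || true; }

# constructed stand-in for /etc/ufw/before.rules, installed twice on purpose
demo_rules() {
    f=$(mktemp)
    printf '*filter\n:ufw-before-input - [0:0]\nCOMMIT\n' > "$f"
    install_nat "$f" 192.168.1.0/24
    install_nat "$f" 192.168.1.0/24
    echo "$f"
}
```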


Generate Let's Encrypt Certificate:


1.    Backup the self-signed certs:

cd /etc/ocserv
mv server-key.pem server-key.selfsigned
mv server-cert.pem server-cert.selfsigned


2.    Pull the letsencrypt project:

cd /tmp
git clone https://github.com/letsencrypt/letsencrypt


3.    Generate the certificate:

cd letsencrypt/
./letsencrypt-auto certonly --standalone -d vpn.yourcompany.com


4.    Copy the certs to the ocserv directory:

cp /etc/letsencrypt/live/vpn.yourcompany.com/privkey.pem /etc/ocserv/server-key.pem
cp /etc/letsencrypt/live/vpn.yourcompany.com/fullchain.pem /etc/ocserv/server-cert.pem
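An added example (not the guide's own) that turns step 4 into a repeatable deploy step for certificate renewals; OCSERV_LIVE_DIR, OCSERV_DIR and OCSERV_RESTART_CMD are variable names assumed here, with defaults matching the guide's paths:

```shell
# Added example, not from the original guide: a deploy script for renewals. The two cp
# commands of step 4 must be repeated every time Let's Encrypt renews the certificate
# (90-day lifetime), so this makes them one checked step: refuse missing or empty
# files, write via temporary names, lock down the key, then restart ocserv.
# OCSERV_LIVE_DIR, OCSERV_DIR and OCSERV_RESTART_CMD are names assumed here so the
# script can be exercised on constructed directories; the PEM contents are fake.
set -e

OCSERV_LIVE_DIR=${OCSERV_LIVE_DIR:-/etc/letsencrypt/live/vpn.yourcompany.com}
OCSERV_DIR=${OCSERV_DIR:-/etc/ocserv}
OCSERV_RESTART_CMD=${OCSERV_RESTART_CMD:-systemctl restart ocserv.service}

# deploy_ocserv_cert: install fullchain.pem/privkey.pem as server-cert.pem/server-key.pem.
# Returns 1 and changes nothing when a source file is missing or empty, so a failed
# renewal never overwrites a working certificate.
deploy_ocserv_cert() {
    chain="$OCSERV_LIVE_DIR/fullchain.pem"
    key="$OCSERV_LIVE_DIR/privkey.pem"
    for src in "$chain" "$key"; do
        [ -s "$src" ] || { echo "deploy: missing or empty $src" >&2; return 1; }
    done
    cp "$chain" "$OCSERV_DIR/server-cert.pem.new"
    cp "$key" "$OCSERV_DIR/server-key.pem.new"
    chmod 644 "$OCSERV_DIR/server-cert.pem.new"
    chmod 600 "$OCSERV_DIR/server-key.pem.new"        # private key: root only
    mv "$OCSERV_DIR/server-cert.pem.new" "$OCSERV_DIR/server-cert.pem"
    mv "$OCSERV_DIR/server-key.pem.new" "$OCSERV_DIR/server-key.pem"
    $OCSERV_RESTART_CMD
}

# success path on constructed directories; prints the ocserv directory used
demo_deploy() {
    OCSERV_LIVE_DIR=$(mktemp -d); OCSERV_DIR=$(mktemp -d); OCSERV_RESTART_CMD=true
    printf 'CONSTRUCTED CHAIN\n' > "$OCSERV_LIVE_DIR/fullchain.pem"
    printf 'CONSTRUCTED KEY\n' > "$OCSERV_LIVE_DIR/privkey.pem"
    deploy_ocserv_cert
    echo "$OCSERV_DIR"
}

# failure path: an empty privkey.pem is refused and the existing cert is kept
demo_refuses_empty_key() {
    OCSERV_LIVE_DIR=$(mktemp -d); OCSERV_DIR=$(mktemp -d); OCSERV_RESTART_CMD=true
    printf 'CONSTRUCTED CHAIN\n' > "$OCSERV_LIVE_DIR/fullchain.pem"
    : > "$OCSERV_LIVE_DIR/privkey.pem"
    printf 'OLD CERT\n' > "$OCSERV_DIR/server-cert.pem"
    deploy_ocserv_cert 2>/dev/null || cat "$OCSERV_DIR/server-cert.pem"
}
```

On the host, run deploy_ocserv_cert as root after each renewal with the defaults left in place; the demo functions exist only to exercise it on throwaway directories.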


Create the service unit file:


cat > /etc/systemd/system/ocserv.service << "EOF"
[Unit]
Description=OpenConnect VPN Service
After=network.target

[Service]
# -f keeps ocserv in the foreground so systemd tracks the real main process and
# "systemctl stop" terminates the whole process group; without it ocserv
# daemonizes and systemd loses track of it
ExecStart=/usr/local/sbin/ocserv -f -c /etc/ocserv/config
Restart=on-failure

[Install]
WantedBy=multi-user.target
EOF


Enable Services:


systemctl daemon-reload
systemctl enable ocserv.service
systemctl start ocserv.service
systemctl status ocserv.service


Login:


Use the Cisco AnyConnect client, Juniper Pulse client, or OpenConnect client from another machine to test the new OpenConnect VPN Server.


Post Requisites:


NOTICE:
In some instances the unit file does not stop the service correctly.
If systemctl stop ocserv.service does not stop the service, use ps -elf | grep ocserv
to find the process, and use kill {pid} to kill the service.


References: