OpenConnect VPN

img/posts/openvpn.jpg

OpenConnect Installation

# Build dependencies for ocserv on a Debian/Ubuntu host, installed with apt.
# NOTE(review): several entries (haproxy, freeradius, iperf3, lcov, tcpdump,
# the *-wrapper libraries) look like test-suite/CI tooling rather than build
# requirements; they can presumably be dropped when only the server is built.
ocserv_build_deps=(
    libpam0g-dev liblz4-dev libseccomp-dev
    libreadline-dev libnl-route-3-dev libkrb5-dev libradcli-dev
    libcjose-dev libjansson-dev liboath-dev
    libprotobuf-c-dev libtalloc-dev libhttp-parser-dev protobuf-c-compiler
    gperf iperf3 lcov libuid-wrapper libpam-wrapper libnss-wrapper
    libsocket-wrapper gss-ntlmssp haproxy iputils-ping freeradius
    gawk gnutls-bin iproute2 yajl-tools tcpdump libmaxminddb-dev
    build-essential autogen pkg-config libpcl1-dev libev-dev libgeoip-dev
    libssl-dev libgnutls28-dev libsystemd-dev libwrap0-dev libcurl4-gnutls-dev
)
sudo apt install -y "${ocserv_build_deps[@]}"
    
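# Configure ocserv to install under /data/ocserv, the prefix that
# ocserv.service below expects (sbin/ocserv, etc/ocserv.conf).
# The original first line had no trailing backslash, so the shell ran
# "./configure --prefix=/data/ocserv" on its own and the remaining options
# were executed as separate (failing) commands instead of being passed on.
# --with-maxmind needs libmaxminddb-dev from the apt list above.
./configure --prefix=/data/ocserv \
    --with-local-talloc \
    --enable-oidc-auth \
    --enable-latency-stats \
    --with-seccomp-trap \
    --with-maxmind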

ocserv.conf

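# ocserv.conf — passed to ocserv with --config; "#" starts a full-line comment.
# Authentication backend: plain password file maintained with ocpasswd.
auth = "plain[/etc/ocserv/ocpasswd]"
# TLS certificate and private key presented to clients.
server-cert = /etc/ssl/certs/server-cert.pem
server-key = /etc/ssl/private/server-key.pem
# Run each client's worker process under seccomp/namespace isolation.
# The original file set this key twice (true, then false); which value a
# repeated key yields is parser-defined, so only one entry is kept. The
# build above passes --with-seccomp-trap, so isolation is left enabled.
isolate-workers = true
# Total connection limit, and limit on simultaneous sessions of the same user.
max-clients = 100
max-same-clients = 10
# Group the worker processes drop to. No run-as-user is set alongside it;
# NOTE(review): confirm the workers actually run unprivileged (ocserv also
# has a run-as-user key) — verify against the running processes.
run-as-group = nogroup
# Timers, in seconds: keepalive, idle disconnect, dead-peer detection
# (with a separate, longer interval for mobile clients).
keepalive = 32400
idle-timeout = 30000
dpd = 90
mobile-dpd = 1800
# When true ocserv tries to hand a user the same address on every connection.
predictable-ips = false
try-mtu-discovery = true
# Compression of tunnelled data. Compressing plaintext before encryption can
# leak information about it (CRIME-class attacks); leave it off unless
# bandwidth genuinely requires it.
compression = true
# Tunnel device name prefix; iptables.sh matches it as "vpns+".
device = vpns
# Client address pool; must agree with the MASQUERADE source in iptables.sh.
ipv4-network = 10.12.10.0
ipv4-netmask = 255.255.255.0
# DNS servers pushed to clients; the key may be repeated, one server per line.
dns = 8.8.8.8
dns = 8.8.4.4
# Ping an address before leasing it, to avoid assigning one already in use.
ping-leases = true
# Route pushed to clients. Left commented out, so no split route is pushed
# and clients presumably send all traffic through the tunnel.
#route = 192.168.1.0/255.255.255.0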

ocpasswd

sudo ocpasswd -c /etc/ocserv/ocpasswd username

NAT table

touch /data/ocserv/iptables.sh
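#!/bin/bash
# iptables.sh — run by ocserv.service (ExecStartPre) before ocserv starts.
# The original first line read "!#/bin/bash", which is not a shebang and is
# executed as a (failing) command when the script is run via bash.
# Rules are added only when absent (iptables -C), so repeated service
# restarts no longer accumulate duplicate entries in the chains.

# Add a rule to TABLE/CHAIN unless an identical rule already exists.
add_rule() {
    local table=$1 chain=$2
    shift 2
    iptables -t "$table" -C "$chain" "$@" 2>/dev/null \
        || iptables -t "$table" -A "$chain" "$@"
}

# Source NAT for the client pool (ipv4-network in ocserv.conf) on the uplink;
# "eth0" is this host's uplink interface name and must match its actual name.
add_rule nat POSTROUTING -s 10.12.10.0/24 -o eth0 -j MASQUERADE
# Clamp TCP MSS on forwarded SYNs so tunnelled flows fit the path MTU.
add_rule filter FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
# Forward traffic from and to every ocserv tunnel device (device = vpns).
# NOTE(review): the -o rule forwards any traffic towards VPN clients, not only
# replies; matching RELATED,ESTABLISHED instead would block unsolicited
# inbound flows to clients if that is the intended policy.
add_rule filter FORWARD -i vpns+ -j ACCEPT
add_rule filter FORWARD -o vpns+ -j ACCEPT
# Enable IPv4 forwarding for this boot only; persist it under /etc/sysctl.d
# if it must survive a reboot without the service starting first.
sysctl -w net.ipv4.ip_forward=1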

ocserv.service

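[Unit]
Description=OpenConnect SSL VPN server
Documentation=man:ocserv(8)
# After= only orders this unit against the target; without Wants= the target
# is not pulled in and the ordering has no effect on boots that never reach it.
Wants=network-online.target
After=network-online.target

[Service]
Type=simple
PrivateTmp=true
# ocserv is started in the foreground, so systemd tracks the main PID itself;
# the PID file written by --pid-file is kept for tools that read it.
PIDFile=/run/ocserv.pid
# Install the NAT/forwarding rules before the daemon starts. This runs as root:
# keep the script root-owned and not writable by other users.
ExecStartPre=/usr/bin/bash /data/ocserv/iptables.sh
ExecStart=/data/ocserv/sbin/ocserv --foreground --pid-file /run/ocserv.pid --config /data/ocserv/etc/ocserv.conf
# SIGHUP asks ocserv to re-read its configuration (the same as occtl reload).
ExecReload=/bin/kill -HUP $MAINPID

[Install]
WantedBy=multi-user.target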

occtl

occtl disconnect user [NAME]
occtl disconnect id [ID]
occtl unban ip [IP]
occtl reload
occtl show status
occtl show users 
occtl show ip bans
occtl show ip ban points — prints all the known IP addresses which have points
occtl show iroutes
occtl show sessions all
occtl show sessions valid
occtl show session [SID] — prints information on the specified session
occtl show user
occtl show id [ID]
occtl show events
occtl stop now

group

# Per-group configuration directory, one (here empty) file per group name.
# NOTE(review): ocserv only consults this directory when ocserv.conf points at
# it (config-per-group); that key is not set in the configuration above.
mkdir -p /etc/ocserv/group
touch /etc/ocserv/group/{Default,Admin,Public}
# Add USER to group Default (-g). Unlike the earlier ocpasswd call this is run
# without sudo, so it needs a root shell to write /etc/ocserv/ocpasswd.
ocpasswd -c /etc/ocserv/ocpasswd -g Default USER

pac

proxy-url = http://ip/xxxx.pac

dns

# Search domain pushed to clients for unqualified names.
default-domain = demo.com
dns = 8.8.8.8
# Send all client DNS queries through the tunnel.
tunnel-all-dns = true
# Domains resolved through the tunnel DNS when tunnel-all-dns is false; with
# tunnel-all-dns = true above this entry appears to have no effect.
# NOTE(review): "demon.com" differs from default-domain "demo.com" — confirm
# which spelling is intended.
split-dns = demon.com
