OpenConnect: Difference between revisions

Run commands as root/sudo

apt-get install software-properties-common
add-apt-repository ppa:certbot/certbot
apt-get update
apt-get install certbot

certbot certonly --standalone --preferred-challenges tls-sni -d {domain.tld} 
certbot certonly --standalone -d {domain.tld}
apt-get install ocserv

• /etc/ocserv/ocserv.conf

auth = "plain[/etc/ocserv/ocpasswd]"
tcp-port = 443
udp-port = 443
run-as-user = nobody
run-as-group = daemon
socket-file = /var/run/ocserv-socket
server-cert = /etc/letsencrypt/live/{domain.tld}/fullchain.pem
server-key = /etc/letsencrypt/live/{domain.tld}/privkey.pem
max-clients = 8
max-same-clients = 0
try-mtu-discovery = true
device = vpns
ipv4-network = 192.168.91.0/28
dns = 8.8.8.8
cisco-client-compat = true

ocpasswd -c /etc/ocserv/ocpasswd MYUSER

systemctl restart ocserv

iptables -t nat -A POSTROUTING -s 192.168.91.0/28 -j SNAT --to-source X.X.X.X(Server Public IP)
iptables -t nat -A POSTROUTING -j MASQUERADE

apt-get install iptables-persistent

/etc/init.d/netfilter-persistent reload

• /etc/sysctl.conf

net.ipv4.ip_forward=1

sysctl -p

• Auto renew update

Edit /etc/cron.d/certbot and append this to the end of the certbot command

--standalone --pre-hook "service ocserv stop" --post-hook "service ocserv start"

or add to crontab as root

@monthly /usr/bin/certbot renew --standalone --pre-hook "service ocserv stop" --post-hook "service ocserv start"

Build It

cd /opt
wget -4 ftp://ftp.infradead.org/pub/ocserv/ocserv-0.12.1.tar.xz

apt-get install pkg-config nettle-dev libgnutls28-dev libev-dev libgeoip-dev libwrap0-dev liblz4-dev \
libnss-wrapper libpam-wrapper libsocket-wrapper libreadline-dev libnl-3-dev libnl-route-3-dev libpam0g-dev libseccomp-dev

./configure
make