Installing OpenConnect VPN Server on Ubuntu 16.04/17.10
sudo apt install ocserv
Installing Let’s Encrypt Client (Certbot) on Ubuntu 16.04/17.10 Server
sudo apt install software-properties-common
sudo add-apt-repository ppa:certbot/certbot
sudo apt update
sudo apt install certbot
Obtaining a TLS Certificate from Let’s Encrypt
sudo certbot certonly --standalone -d ocserv.example.com
In standalone mode certbot binds the challenge port itself, so the host name must resolve to this server and nothing else may be listening on that port while the command runs. The files end up under /etc/letsencrypt/live/ocserv.example.com/.
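Let's Encrypt certificates are valid for 90 days and certbot renews them on its own, but ocserv does not pick up replaced certificate files by itself, so it has to be restarted after each renewal. The following deploy hook is an added example, not part of the original page or of the ocserv or certbot projects. It assumes the script is installed executable under /etc/letsencrypt/renewal-hooks/deploy/ (certbot runs scripts there after every successful renewal with RENEWED_LINEAGE, the live/<name> directory, and RENEWED_DOMAINS set in the environment) and that ocserv.conf lives at the path used above. It restarts ocserv only when the lineage that was renewed is the one ocserv actually serves.

```shell
#!/bin/sh
# Added example (not from the original page): certbot deploy hook for ocserv.
# Install as /etc/letsencrypt/renewal-hooks/deploy/ocserv and make it executable.
# certbot exports RENEWED_LINEAGE (e.g. /etc/letsencrypt/live/ocserv.example.com)
# and RENEWED_DOMAINS when it runs deploy hooks.

OCSERV_CONF=${OCSERV_CONF:-/etc/ocserv/ocserv.conf}

# Directory that holds the server-cert file configured in ocserv.conf.
ocserv_cert_dir() {  # ocserv_cert_dir <ocserv.conf>
  sed -n 's/^[[:space:]]*server-cert[[:space:]]*=[[:space:]]*//p' "$1" |
    head -n 1 |
    sed 's#/[^/]*$##'   # strip the file name, keep the lineage directory
}

# Return 0 when the renewed lineage is the one ocserv serves from.
lineage_matches() {  # lineage_matches <RENEWED_LINEAGE> <ocserv cert dir>
  [ -n "$1" ] && [ "${1%/}" = "${2%/}" ]
}

# Only act when invoked by certbot (RENEWED_LINEAGE set) on this lineage.
# A restart drops active VPN sessions, which is why unrelated renewals are ignored.
if [ -n "${RENEWED_LINEAGE:-}" ] && [ -r "$OCSERV_CONF" ] &&
   lineage_matches "$RENEWED_LINEAGE" "$(ocserv_cert_dir "$OCSERV_CONF")"; then
  systemctl restart ocserv.service
fi
```

You can exercise the hook without waiting for a renewal with `sudo certbot renew --dry-run`; deploy hooks are not run on dry runs, so to test the script itself set RENEWED_LINEAGE by hand and run it once.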
Editing OpenConnect VPN Server Configuration File
sudo nano /etc/ocserv/ocserv.conf
auth = "plain[/etc/ocserv/ocpasswd]"
tcp-port = 443
udp-port = 443
run-as-user = nobody
run-as-group = daemon
socket-file = /var/run/ocserv-socket
# The live/<name> directory is named after the -d value given to certbot above
server-cert = /etc/letsencrypt/live/ocserv.example.com/fullchain.pem
server-key = /etc/letsencrypt/live/ocserv.example.com/privkey.pem
ca-cert = /etc/letsencrypt/live/ocserv.example.com/chain.pem
max-clients = 8
# 0 = no limit on simultaneous sessions per account
max-same-clients = 0
try-mtu-discovery = true
device = vpns
dns = 8.8.8.8
dns = 8.8.4.4
cisco-client-compat = true
default-domain = ocserv.example.com
# Send all client DNS queries through the tunnel
tunnel-all-dns = true
Then comment out all the route directives (add a # at the beginning of each of the following four lines), so that the server becomes the default gateway for the clients.
route = 10.10.10.0/255.255.255.0
route = 192.168.0.0/255.255.0.0
route = fef4:db8:1000:1001::/64
no-route = 192.168.5.0/255.255.255.0
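A mismatch between the certificate paths, the host name clients connect to and the leftover route lines is easy to introduce while editing this file by hand, and ocserv will either refuse to start or silently not act as default gateway. The script below is an added example, not code from the original page or from the ocserv project: it reads the directives named above from an ocserv.conf and reports the end state the page is aiming for (plain authentication, all three TLS files from one Let's Encrypt lineage whose name matches default-domain, tunnel-all-dns enabled, no active route/no-route lines). The file path is a parameter so it can be run against a copy before installing it.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): sanity checks for an ocserv.conf
# written as above, to run before (re)starting the service.

# Print the value of the first active (uncommented) occurrence of a directive.
conf_get() {  # conf_get <file> <directive>
  awk -v key="$2" '
    /^[[:space:]]*#/ { next }                         # skip commented lines
    {
      line = $0; sub(/#.*/, "", line)                 # strip trailing comments
      if (match(line, "^[[:space:]]*" key "[[:space:]]*=")) {
        val = substr(line, RLENGTH + 1)
        gsub(/^[[:space:]]+|[[:space:]]+$/, "", val)  # trim
        gsub(/^"|"$/, "", val)                        # drop surrounding quotes
        print val; exit
      }
    }' "$1"
}

# Count route/no-route directives that are still active (should be 0 here).
conf_active_routes() {  # conf_active_routes <file>
  grep -cE '^[[:space:]]*(no-)?route[[:space:]]*=' "$1" || true
}

# Run all checks; prints one finding per line, returns the number of findings.
check_ocserv_conf() {  # check_ocserv_conf <file>
  local f="$1" n=0 v k dir first=""
  [ -r "$f" ] || { echo "cannot read $f"; return 1; }

  v=$(conf_get "$f" auth)
  case "$v" in
    "plain["*"]") ;;
    *) echo "auth should be plain[/path/to/ocpasswd], found: '${v:-<unset>}'"; n=$((n+1)) ;;
  esac

  for k in server-cert server-key ca-cert; do
    v=$(conf_get "$f" "$k")
    if [ -z "$v" ]; then
      echo "$k is not set"; n=$((n+1)); continue
    fi
    dir=${v%/*}
    # All three TLS files must come from the same certbot lineage directory.
    if [ -z "$first" ]; then
      first=$dir
    elif [ "$dir" != "$first" ]; then
      echo "$k lives in $dir but the first TLS file is in $first"; n=$((n+1))
    fi
  done

  # The lineage directory is named after the -d value given to certbot, which
  # should be the host name clients use (default-domain).
  v=$(conf_get "$f" default-domain)
  if [ -n "$first" ] && [ -n "$v" ] && [ "${first##*/}" != "$v" ]; then
    echo "TLS files are for '${first##*/}' but default-domain is '$v'"; n=$((n+1))
  fi

  v=$(conf_get "$f" tunnel-all-dns)
  [ "$v" = true ] || { echo "tunnel-all-dns is not true (client DNS may bypass the tunnel)"; n=$((n+1)); }

  v=$(conf_active_routes "$f")
  [ "$v" -eq 0 ] || { echo "$v route/no-route line(s) still active; server will not be the default gateway"; n=$((n+1)); }

  return "$n"
}

# Usage: check_ocserv_conf /etc/ocserv/ocserv.conf && sudo systemctl restart ocserv
```

The exit status is the number of findings, so the usage line above only restarts ocserv when the file is clean.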
Fixing DTLS Handshake Failure
DTLS handshake failed: Resource temporarily unavailable, try again.
sudo cp /lib/systemd/system/ocserv.service /etc/systemd/system/ocserv.service
sudo nano /etc/systemd/system/ocserv.service
Comment out the following two lines.
Requires=ocserv.socket
Also=ocserv.socket
sudo systemctl daemon-reload
sudo systemctl stop ocserv.socket
sudo systemctl disable ocserv.socket
sudo systemctl restart ocserv.service
Creating VPN Accounts
sudo ocpasswd -c /etc/ocserv/ocpasswd username
Enable IP Forwarding
sudo nano /etc/sysctl.conf
net.ipv4.ip_forward = 1
sudo sysctl -p
Configure Firewall for IP Masquerading
Find the name of the network interface that carries the server's public address (ens3 in the rule below). If ifconfig is not installed, ip addr shows the same information.
ifconfig
sudo iptables -t nat -A POSTROUTING -o ens3 -j MASQUERADE
Preserving Iptables Rules
sudo apt-get install iptables-persistent
If installing iptables-persistent does not save the current rules, run sudo dpkg-reconfigure iptables-persistent instead.
Or do it manually:
By default, iptables rules are lost after a reboot. To preserve them, switch to the root user and save the current rules to a file.
su -
iptables-save > /etc/iptables.rules
nano /etc/systemd/system/iptables-restore.service
[Unit]
Description=Packet Filtering Framework
Before=network-pre.target
Wants=network-pre.target

[Service]
Type=oneshot
ExecStart=/sbin/iptables-restore /etc/iptables.rules
ExecReload=/sbin/iptables-restore /etc/iptables.rules
RemainAfterExit=yes

[Install]
WantedBy=multi-user.target
sudo systemctl daemon-reload
sudo systemctl enable iptables-restore
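The forwarding, masquerading and persistence steps above are usually run once by hand; repeating them appends a second copy of each rule, and the MASQUERADE rule alone leaves the FORWARD chain wide open. The script below is an added example, not code from the original page or the ocserv project, that does the same steps idempotently: it reads the public interface from the default route (ifconfig is not installed by default on Ubuntu 17.10), adds each rule only if it is not already present, allows forwarding only between the VPN device (vpns+, from device = vpns above) and the public interface, and writes /etc/iptables.rules for the iptables-restore unit. Setting the FORWARD policy to DROP is an addition of this example; skip that line if the host forwards traffic for anything else. Changing rules needs root, so it only acts when invoked with --apply.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): idempotent forwarding + NAT
# setup for ocserv, restricted to the VPN device. Run as root with --apply.

# Pull the interface name out of one line of `ip -o route show default`.
wan_iface_from_route() {  # wan_iface_from_route "<route line>"
  printf '%s\n' "$1" |
    awk '{ for (i = 1; i < NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

detect_wan_iface() {
  wan_iface_from_route "$(ip -o route show default | head -n 1)"
}

# Append an iptables rule only if an identical rule is not already present
# (-C checks, -A appends), so re-running the script never duplicates rules.
ensure_rule() {  # ensure_rule <table> <chain and match args...>
  local table="$1"; shift
  iptables -t "$table" -C "$@" 2>/dev/null || iptables -t "$table" -A "$@"
}

apply_vpn_nat() {  # apply_vpn_nat <public-iface>
  local wan="$1"
  [ -n "$wan" ] || { echo "could not determine the public interface" >&2; return 1; }

  sysctl -w net.ipv4.ip_forward=1 >/dev/null

  # Same NAT rule as on the page, keyed to the detected interface.
  ensure_rule nat POSTROUTING -o "$wan" -j MASQUERADE

  # Forward only VPN <-> internet traffic; inbound packets must belong to a
  # flow a client opened. vpns+ matches vpns0, vpns1, ...
  iptables -P FORWARD DROP
  ensure_rule filter FORWARD -i 'vpns+' -o "$wan" -j ACCEPT
  ensure_rule filter FORWARD -i "$wan" -o 'vpns+' \
    -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

  # Persist for the iptables-restore unit shown above.
  iptables-save > /etc/iptables.rules
}

if [ "${1:-}" = "--apply" ]; then
  apply_vpn_nat "$(detect_wan_iface)"
fi
```

Afterwards `sudo iptables -t nat -S POSTROUTING` and `sudo iptables -S FORWARD` should each list the rules exactly once, however many times the script has been run.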
Install and Use OpenConnect VPN client on Ubuntu 16.04/17.10 Desktop
sudo apt install openconnect
sudo openconnect -b vpn.example.com:port-number
The -b flag makes openconnect continue running in the background once the connection is established. With the server configuration above, port-number is 443.
sudo pkill openconnect
For a graphical client integrated with NetworkManager, install:
sudo apt install network-manager-openconnect network-manager-openconnect-gnome
References
https://www.linuxbabe.com/ubuntu/openconnect-vpn-server-ocserv-ubuntu-16-04-17-10-lets-encrypt
https://yoursunny.com/t/2017/ocserv-letsencrypt/
https://lowendbox.com/blog/install-openconnect-server-on-ubuntu-16-04/
https://www.digitalocean.com/community/tutorials/how-to-list-and-delete-iptables-firewall-rules