Install OpenConnect Ubuntu. OpenConnect on Ubuntu 20.04 is open source software that can be used to create a Virtual Private Network (VPN). A VPN is usually used to get a secure, private Internet connection, and to reach a local network over the public Internet. A VPN can provide secure access to the server or website being accessed, and the data exchanged will be difficult for third parties to see.
Openconnect VPN server (ocserv) is an open source Linux SSL VPN server designed for organizations that require remote access VPN with enterprise user management and control.
Ubuntu 20.04 OpenConnect Features
- Stable, lightweight, doesn’t take up resources, and fast
- Linux Support
- Cisco AnyConnect compatible client
- Client Support for OS Windows, Linux, MacOS, Android and iOS.
- Support Radius
- Easy configuration
Here we document the steps to install OpenConnect on Ubuntu 20.04 as a VPN server, easily and quickly.

Step 1 – Install OpenConnect Ubuntu 20.04
Before installing, we must enable packet forwarding (IP forwarding), which lets packets pass between the VPN clients and the Internet
nano /etc/sysctl.conf
Add the following line to the sysctl.conf file
net.ipv4.ip_forward = 1
Save and exit. To apply the change use the following command, or restart the Ubuntu 20.04 server
sudo sysctl -p
Log in to the Ubuntu 20.04 server over SSH. Before starting the installation of OpenConnect you should update the Ubuntu 20.04 OS.
apt update
apt install ocserv
After the OS update and the OpenConnect installation complete successfully, check the status of the OpenConnect service with the following command
systemctl status ocserv
Output
● ocserv.service - OpenConnect SSL VPN server
Loaded: loaded (/lib/systemd/system/ocserv.service; enabled; vendor preset: enabled)
Active: active (running) since Thu 2022-01-27 16:34:34 UTC; 11h ago
Docs: man:ocserv(8)
Main PID: 16231 (ocserv-main)
Tasks: 2 (limit: 4611)
Memory: 1.7M
CGroup: /system.slice/ocserv.service
├─16231 ocserv-main
└─16232 ocserv-sm
Jan 27 16:34:34 vpn ocserv[16231]: note: setting 'pam' as primary authentication method
Jan 27 16:34:34 vpn ocserv[16231]: error connecting to sec-mod socket '/run/ocserv.socket.6e7ad8b1': No such file or directory
Jan 27 16:34:34 vpn ocserv[16231]: note: setting 'file' as supplemental config option
Jan 27 16:34:34 vpn ocserv[16231]: listening (TCP) on 0.0.0.0:443...
Jan 27 16:34:34 vpn ocserv[16231]: listening (TCP) on [::]:443...
Jan 27 16:34:34 vpn ocserv[16231]: listening (UDP) on 0.0.0.0:443...
Jan 27 16:34:34 vpn ocserv[16231]: listening (UDP) on [::]:443...
Jan 27 16:34:34 vpn ocserv[16231]: main: initialized ocserv 0.12.6
Jan 27 16:34:34 vpn ocserv[16232]: sec-mod: reading supplemental config from files
Jan 27 16:34:34 vpn ocserv[16232]: sec-mod: sec-mod initialized (socket: /run/ocserv.socket.6e7ad8b1)
The OpenConnect service on Ubuntu 20.04 uses TCP and UDP port 443 by default. If port 443 is already used by a web server, the ocserv service may fail to start. We can change the port when configuring OpenConnect later.
Allow the TCP/UDP ports in the Ubuntu 20.04 firewall
ufw allow 80,443/tcp
ufw allow 443/udp
Step 2 – Configure Install OpenConnect Ubuntu 20.04
Edit the ocserv.conf file for OpenConnect 20.04 configuration
sudo nano /etc/ocserv/ocserv.conf
First, configure password authentication. By default, password authentication uses PAM. This can be disabled by putting a “#” (comment) in front of the auth line
#auth = "pam[gid-min=1000]"
If you want to create VPN users and passwords that are separate from the Ubuntu 20.04 system accounts, add the following line to the OpenConnect configuration
auth = "plain[passwd=/etc/ocserv/ocpasswd]"
Remove the comment “#” on the udp-port line
tcp-port = 443
udp-port = 443
Set the maximum number of clients. By default it is 128 clients; adjust the number as needed. Here we use 20 clients
max-clients = 20
Also set the number of devices that each user can connect at the same time. The default in OpenConnect on Ubuntu 20.04 is only 2 devices; here we also use 2 devices, usually a PC/laptop and a smartphone.
max-same-clients = 2
Keepalive packets are sent every 300 seconds (5 minutes). This can be changed as needed, for system security as well; the line below sets the interval to 30 seconds.
keepalive = 30
Enable MTU discovery to optimize the performance of the VPN
try-mtu-discovery = true
We can also set the idle timeouts of the OpenConnect VPN. These set how long a client is allowed to stay connected when the connection is problematic or unstable
idle-timeout=1200
mobile-idle-timeout=1800
After that, enter the domain name that will be used for the OpenConnect VPN
default-domain = vpn.dixmata.com
Replace dixmata.com with the domain you are using
Set the network that will be used for the OpenConnect private IP addresses. By default the network used is 192.168.1.0; we recommend not using it, because some devices such as modems use that range.
ipv4-network = 172.29.10.1
ipv4-netmask = 255.255.255.0
Uncomment the tunnel-all-dns line
tunnel-all-dns = true
Fill in the DNS Server according to what you are using, here we use CloudFlare and Google DNS Servers
dns = 8.8.8.8
dns = 1.1.1.1
In the route section, put a # in front of (comment out) the following lines, so that the OpenConnect server is used as the gateway. The public IP of the server then becomes our gateway, that is, the IP address we appear to come from.
#route = 10.0.0.0/8
#route = 172.16.0.0/12
#route = 192.168.0.0/16
#route = fd00::/8
#route = default
#no-route = 192.168.5.0/255.255.255.0
Then save the configuration and exit. Restart the ocserv (OpenConnect) service
systemctl restart ocserv
Step 3 – Generate SSL Certificate With Let’s Encrypt
To generate the SSL certificate we can use Certbot, which gets an SSL certificate for free. If Certbot is not installed on Ubuntu, we have to install it first
apt install certbot
For complete documentation of Let’s Encrypt installation, check the link below
Source : Install Let’s Encrypt Ubuntu 20.04
Generate SSL Standalone
Use the following command to generate the certificate
sudo certbot certonly --standalone --preferred-challenges http --agree-tos --email [email protected] \
  -d vpn.dixmata.com
Remember to change the domain or subdomain to the one you are using. If generating the SSL certificate succeeds, it will appear as shown below

Step 4 – Setup SSL Let’s Encrypt to OpenConnect
Reopen the ocserv configuration file; here we will enter the certificate and private key that we generated earlier.
nano /etc/ocserv/ocserv.conf
Look for the server-cert and server-key lines, then enter the location of the stored SSL certificate and key.
server-cert = /etc/letsencrypt/live/vpn.dixmata.com/fullchain.pem
server-key = /etc/letsencrypt/live/vpn.dixmata.com/privkey.pem
Then restart the service ocserv.
systemctl restart ocserv
Step 5 – Setup Ubuntu Firewall/UFW OpenConnect
We also need to close unused ports for security and open only the ports that OpenConnect on Ubuntu 20.04 uses.
apt install ufw
Allow ports 22 and 443, i.e. the SSH and HTTPS ports. SSH uses port 22 by default; if you have changed the SSH port, adjust the UFW rule to the new port. UFW/Firewall configuration can be checked in UFW Allow Port
ufw allow 22/tcp
ufw allow 443/tcp
Step 6 – Setup Incognito IP with Firewall/UFW
Here we use the UFW firewall to set up IP masquerading, so that the IP address seen from outside is the IP of the Ubuntu 20.04 OpenConnect server. To do this we need to add a rule to the file before.rules
nano /etc/ufw/before.rules
Do not forget to change the IP address to match the network set in ocserv.conf.
We also need to change the network interface name to the one on the server, which can be seen using the ip addr command
ip addr
ens8: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 86:e4:36:68:03:77 brd ff:ff:ff:ff:ff:ff
inet 134.315.210.87/24 brd 134.315.210.255 scope global ens18
valid_lft forever preferred_lft forever
inet6 2001:df0:3e80:0:84e4:36ff:fe68:377/64 scope global dynamic mngtmpaddr noprefixroute
valid_lft 2591966sec preferred_lft 604766sec
inet6 fe80::84e4:36ff:fe68:377/64 scope link
valid_lft forever preferred_lft forever
Add the following rule below the “allow MULTICAST UPnP for service discovery (be sure the MULTICAST line above” rule, or at the end of the file. The *nat block must sit outside the *filter table, that is, after the COMMIT line that closes it.
# NAT table rules
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 172.29.10.0/24 -o ens8 -j MASQUERADE
# End each table with the 'COMMIT' line or these rules won't be processed
COMMIT

Then allow packet forwarding by adding the following lines below the “ok icmp code for FORWARD” rules. Remember to change the IP address to match the ocserv.conf setup
# allow forwarding for trusted network
-A ufw-before-forward -s 172.29.10.0/24 -j ACCEPT
-A ufw-before-forward -d 172.29.10.0/24 -j ACCEPT

Enable UFW in its configuration file (nano /etc/ufw/ufw.conf) by setting ENABLED=yes.
# /etc/ufw/ufw.conf
#
# Set to yes to start on boot. If setting this remotely, be sure to add a rule
# to allow your remote connection before starting ufw. Eg: 'ufw allow 22/tcp'
ENABLED=yes
# Please use the 'ufw' command to set the loglevel. Eg: 'ufw logging medium'.
# See 'man ufw' for details.
LOGLEVEL=low
Save and Close, then Enable UFW.
ufw enable
Then restart the UFW service to apply the rules added earlier.
systemctl restart ufw
List the rule that we created earlier; the output is as follows
iptables -t nat -L POSTROUTING
Output
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- 172.29.10.0/24 anywhere
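A consistency check for the two reminders in this step, as an added example that is not part of the original article: it derives the VPN subnet from ipv4-network and ipv4-netmask in ocserv.conf and confirms that before.rules masquerades and forwards that same subnet, with *nat in its own table. The function names are made up for this example, and the sample files are constructed from the values used above.

```shell
# Added example (not from the article): does before.rules match ocserv.conf?
conf_get() {  # conf_get FILE KEY -> value of the last uncommented "KEY = value" line
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p" "$1" | tail -n 1
}

network_cidr() {  # network_cidr 172.29.10.1 255.255.255.0 -> 172.29.10.0/24
    prefix=0; old_ifs=$IFS; IFS=.
    set -- $1 $2; IFS=$old_ifs      # address octets in $1..$4, mask octets in $5..$8
    for octet in "$5" "$6" "$7" "$8"; do
        case $octet in
            255) n=8 ;; 254) n=7 ;; 252) n=6 ;; 248) n=5 ;; 240) n=4 ;;
            224) n=3 ;; 192) n=2 ;; 128) n=1 ;; 0) n=0 ;; *) return 1 ;;
        esac
        prefix=$((prefix + n))
    done
    echo "$(($1 & $5)).$(($2 & $6)).$(($3 & $7)).$(($4 & $8))/$prefix"
}

check_vpn_nat() {  # check_vpn_nat OCSERV_CONF BEFORE_RULES -> prints problems, returns their count
    cidr=$(network_cidr "$(conf_get "$1" ipv4-network)" "$(conf_get "$1" ipv4-netmask)") ||
        { echo "cannot derive the VPN subnet from $1"; return 1; }
    problems=0
    grep -F -- "-A POSTROUTING -s $cidr " "$2" | grep -q -- '-j MASQUERADE' ||
        { echo "no MASQUERADE rule for $cidr"; problems=$((problems + 1)); }
    for flag in -s -d; do
        grep -Fq -- "-A ufw-before-forward $flag $cidr -j ACCEPT" "$2" ||
            { echo "no forward rule '$flag $cidr'"; problems=$((problems + 1)); }
    done
    # A table opened (*nat) before the previous one is closed with COMMIT is invalid.
    awk '/^\*/ { if (in_table) bad = 1; in_table = 1 } /^COMMIT/ { in_table = 0 }
         END { exit (bad || in_table) ? 1 : 0 }' "$2" ||
        { echo "a table is opened inside another or is missing COMMIT"; problems=$((problems + 1)); }
    return "$problems"
}

# Constructed sample input using the values from this article.
tmp=$(mktemp -d)
printf 'ipv4-network = 172.29.10.1\nipv4-netmask = 255.255.255.0\n' > "$tmp/ocserv.conf"
cat > "$tmp/before.rules" <<'EOF'
*filter
-A ufw-before-forward -s 172.29.10.0/24 -j ACCEPT
-A ufw-before-forward -d 172.29.10.0/24 -j ACCEPT
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 172.29.10.0/24 -o ens8 -j MASQUERADE
COMMIT
EOF
check_vpn_nat "$tmp/ocserv.conf" "$tmp/before.rules" && echo "before.rules matches ocserv.conf"
```

On the server, run check_vpn_nat /etc/ocserv/ocserv.conf /etc/ufw/before.rules; the interface named after -o still has to be compared with the ip addr output by hand.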
Step 7 – Create OpenConnect VPN Account
For OpenConnect VPN accounts, you can use RADIUS, or create them manually with the ocpasswd tool
ocpasswd -c /etc/ocserv/ocpasswd username
Step 8 – Install and Use OpenConnect Ubuntu Client
To connect to the VPN server we need a client, namely the OpenConnect client or Cisco AnyConnect. Here is how to connect the OpenConnect client to the OpenConnect VPN server.
OpenConnect Client Windows
Download and install the OpenConnect Client -> Download OpenConnect Client
Install and open the OpenConnect Client application > click the “Wheel” icon > New profile

Then fill in Name = VPN Name
Gateway = VPN Domain/Subdomain > Save & Connect

Fill in the username and password that were created in Step 7


Install AnyConnect Client Windows
Download and install the AnyConnect Client -> Download Cisco AnyConnect Client
Install and open the Cisco AnyConnect application > fill in the Domain/Subdomain

Fill in Username and Password


Install OpenConnect Client Ubuntu 20.04
Run the following command to install OpenConnect on Client Ubuntu 20.04
apt install openconnect
We can make a VPN connection using the command below, using the -b option to run in the background.
openconnect -b https://vpn.dixmata.com
Output
POST https://vpn.dixmata.com/
Connected to 134.315.210.87:443
SSL negotiation with vpn.dixmata.com
Connected to HTTPS on vpn.dixmata.com
XML POST enabled
Please enter your username.
Username:username
POST https://vpn.dixmata.com/auth
Please enter your password.
Password:
POST https://vpn.dixmata.com/auth
Got CONNECT response: HTTP/1.1 200 CONNECTED
CSTP connected. DPD 60, Keepalive 300
Set up UDP failed; using SSL instead
Connected as 172.29.10.155, using SSL + LZ4, with DTLS + LZ4 disabled
Continuing in background; pid 57265
We can also run OpenConnect non-interactively
echo -n password | sudo openconnect -b https://vpn.dixmata.com -u username --passwd-on-stdin
Setup OpenConnect AutoConnect on Startup
We can make OpenConnect connect automatically when the server boots.
nano /etc/systemd/system/openconnect.service
[Unit]
Description=Connect to VPN
After=network.target
[Service]
Type=simple
Environment=password=correcthorsebatterystaple
# $password is the variable set by the Environment= line above
ExecStart=/bin/sh -c 'echo $password | sudo openconnect -u username --passwd-on-stdin vpn.dixmata.com'
Restart=always
[Install]
WantedBy=multi-user.target
Then reload systemd, and enable and start the service
sudo systemctl daemon-reload
sudo systemctl enable openconnect.service
sudo systemctl start openconnect.service
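A variant of the unit above that keeps the password out of the unit file, as an added example that is not part of the original article. The function names and the openconnect.env file name are assumptions of this example; EnvironmentFile= is the standard systemd directive, and sudo is dropped because system units already run as root.

```shell
# Added example (not from the article): keep the VPN password out of openconnect.service.
# Unit files are normally world-readable, and "systemctl show" prints Environment=
# values to any local user, so the secret goes into a root-only file instead.
write_vpn_unit() {  # write_vpn_unit DIR USER GATEWAY  (password on stdin)
    envfile=$1/openconnect.env
    rm -f "$envfile"
    ( umask 077                      # the new file is created with mode 600
      IFS= read -r secret || [ -n "$secret" ] || exit 1
      printf 'password=%s\n' "$secret" > "$envfile" ) || return 1
    cat > "$1/openconnect.service" <<EOF
[Unit]
Description=Connect to VPN
After=network.target
[Service]
Type=simple
EnvironmentFile=$envfile
ExecStart=/bin/sh -c 'echo "\$password" | openconnect -u $2 --passwd-on-stdin $3'
Restart=always
[Install]
WantedBy=multi-user.target
EOF
}

has_inline_secret() {  # succeeds if UNIT carries a credential in an Environment= line
    grep -Eiq '^[[:space:]]*Environment=.*(pass|secret|token)' "$1"
}

# Constructed demo in a scratch directory; on a real host DIR is /etc/systemd/system.
demo=$(mktemp -d)
printf '%s\n' 'correcthorsebatterystaple' | write_vpn_unit "$demo" username vpn.dixmata.com
has_inline_secret "$demo/openconnect.service" || echo "no inline secret in the generated unit"
```

has_inline_secret flags a unit written with an Environment=password=... line and passes the generated one.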
Source : OpenConnect Website