Vincec's Dimension

AnyConnect Server (ocserv) & Client (OpenWrt, Linux, Windows & Mac) Configuration

2019/08/02

Server(Ocserv) Setup

# Distro is Debian-based
sudo apt-get install ocserv
# package is quite new in apt-get

sudo apt-get install gnutls-bin

# Check status
systemctl status ocserv

# Start & restart service
sudo systemctl start ocserv.service
sudo systemctl restart ocserv.service

Config

mkdir /etc/ocserv
cd /etc/ocserv

ocpasswd A_USER_NAME
# Without -c the entry goes to /etc/ocserv/ocpasswd, which the auth= line below expects.
# If you choose another file, point auth= at the same path:
# ocpasswd -c /etc/ocserv/.ocpasswd username

# Create certificates
cat << _EOF_ > ca.tmpl
cn = "fff"
organization = "fff"
serial = 1
expiration_days = 3650
ca
signing_key
cert_signing_key
crl_signing_key
_EOF_

certtool --generate-privkey --outfile ca-key.pem
certtool --generate-self-signed --load-privkey ca-key.pem --template ca.tmpl --outfile ca-cert.pem

cat << _EOF_ > server.tmpl
cn = "YOUR DNS OR VPS IP ADDRESS"
organization = "fff"
expiration_days = 3650
signing_key
encryption_key
tls_www_server
_EOF_

certtool --generate-privkey --outfile server-key.pem
certtool --generate-certificate --load-privkey server-key.pem --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem --template server.tmpl --outfile server-cert.pem

Edit /etc/ocserv/ocserv.conf

# EDIT config file as follows:
auth = "plain[passwd=/etc/ocserv/ocpasswd]"
server-cert = /etc/ocserv/server-cert.pem
server-key = /etc/ocserv/server-key.pem
ca-cert = /etc/ocserv/ca-cert.pem

tcp-port = 443
udp-port = 443

dns = 8.8.8.8
dns = 8.8.4.4

# comment out all route fields
#route = 10.10.10.0/255.255.255.0
#route = 192.168.0.0/255.255.0.0
#route = fef4:db8:1000:1001::/64
#no-route = 192.168.5.0/255.255.255.0

try-mtu-discovery = true
cisco-client-compat = true

###################### END EDIT CONFIG

# For more, see:
# https://www.linuxbabe.com/ubuntu/openconnect-vpn-server-ocserv-ubuntu-16-04-17-10-lets-encrypt
# https://github.com/iMeiji/shadowsocks_install/wiki/OpenConnect-VPN-server
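As an added example (not part of the original post or of ocserv itself), the Python checker below parses this key = value format, in which keys such as dns and route may repeat and values may be quoted, and reports what the auth and routing choices mean; the sample text is constructed from the settings above.

```python
import re
from collections import defaultdict

# Constructed sample in the ocserv.conf style shown above (values taken
# from this page; not a real deployment).
SAMPLE_CONF = """\
# EDIT config file as follows:
auth = "plain[passwd=/etc/ocserv/ocpasswd]"
server-cert = /etc/ocserv/server-cert.pem
server-key = /etc/ocserv/server-key.pem
ca-cert = /etc/ocserv/ca-cert.pem
tcp-port = 443
udp-port = 443
dns = 8.8.8.8
dns = 8.8.4.4
#route = 10.10.10.0/255.255.255.0
#no-route = 192.168.5.0/255.255.255.0
try-mtu-discovery = true
cisco-client-compat = true
"""

def parse_ocserv_conf(text):
    """Parse key = value lines. Keys like dns/route may repeat, so every
    key maps to a list of values. Comments and surrounding quotes are dropped."""
    conf = defaultdict(list)
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # strip trailing/whole-line comments
        if not line or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        conf[key].append(value.strip('"'))
    return dict(conf)

def audit(conf):
    """Return human-readable findings about authentication, tunnel mode and certs."""
    findings = []
    auth = conf.get("auth", ["<unset>"])[0]
    match = re.match(r"plain\[passwd=(.+)\]", auth)
    if match:
        findings.append(f"password auth, credentials in {match.group(1)}")
    if "route" not in conf:
        # No active route lines: ocserv pushes a default route, i.e. a full tunnel.
        findings.append("full tunnel: no route lines, all client traffic enters the VPN")
    else:
        findings.append("split tunnel: " + ", ".join(conf["route"]))
    for key in ("server-cert", "server-key", "ca-cert"):
        if key not in conf:
            findings.append(f"missing {key}")
    return findings
```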

Sample Config

# EDIT /etc/sysctl.conf as follows:
net.ipv4.ip_forward=1
###################### END EDIT /etc/sysctl.conf
# Apply changes to sysctl
sysctl -p /etc/sysctl.conf

# Config iptables
iptables -t filter -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
iptables -t filter -A INPUT -p udp -m udp --dport 443 -j ACCEPT
# This masquerades everything forwarded out of the host; narrow it with
# -s <vpn-client-subnet> -o <wan-interface> if that is more than you want
iptables -t nat -A POSTROUTING -j MASQUERADE

# Optionally also clamp TCP MSS on forwarded connections (see Setup Network Rules below)
#iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

# iptables start
sudo service iptables start

# Run in the foreground with debug output to test everything. Remove `-f -d 1` to run it as a daemon
ocserv --config=/etc/ocserv/ocserv.conf -f -d 1

Setup Network Rules (optional)

# Add iptables rule: clamp TCP MSS to the path MTU on forwarded connections
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

# Open necessary ports on the firewall
ufw allow 443
ufw allow 443/udp
sudo ufw allow out to any port 443

ufw allow 80
ufw allow 80/udp
sudo ufw allow out to any port 80

ufw allow 22
ufw allow 22/udp
sudo ufw allow out to any port 22

# Verify the firewall ruleset
sudo ufw status verbose

# Change the default forwarding policy (in /etc/default/ufw)
DEFAULT_FORWARD_POLICY="ACCEPT"

# Set NAT rules
# Set NAT rules for any routes that you want to be reachable through the VPN
echo "*nat" >> /etc/ufw/before.rules
echo ":POSTROUTING ACCEPT [0:0]" >> /etc/ufw/before.rules

# Change the NAT IP/subnet HERE according to your ocserv.conf settings
echo "-A POSTROUTING -s 192.168.1.0/24 -d 10.12.0.0/24 -o eth0 -j MASQUERADE" >> /etc/ufw/before.rules
echo "-A POSTROUTING -s 192.168.1.0/24 -d 10.13.0.0/24 -o eth1 -j MASQUERADE" >> /etc/ufw/before.rules

echo "COMMIT" >> /etc/ufw/before.rules

# Restart the firewall
ufw disable && sudo ufw enable

# Force-reload ufw
sudo /etc/init.d/ufw force-reload

Setting up Your Own CA (Certificate Authority) - Manual

sudo apt install gnutls-bin
sudo mkdir /etc/ocserv/ssl/
cd /etc/ocserv/ssl/

...
# See more:
#https://www.linuxbabe.com/ubuntu/certificate-authentication-openconnect-vpn-server-ocserv

Client

OpenWrt OpenConnect

opkg update
opkg install luci-proto-openconnect openconnect

# Add interface with OpenConnect(CISCO)

# Get the SHA-1 fingerprint of the server's certificate (used as the server hash in the interface settings)
#gnutls-cli --insecure globalprotect.gateway.server.com
openssl s_client -connect vpn.example.com:443 -showcerts 2>/dev/null </dev/null | awk '/-----BEGIN/,/-----END/ { print $0 }' | openssl x509 -noout -fingerprint -sha1 | sed 's/Fingerprint=//' | sed 's/://g'

Linux AnyConnect & OpenConnect

KDE

In the network connection settings, add a "Cisco AnyConnect Compatible VPN (openconnect)" connection and follow the prompts.

Note: if the VPN plugin is missing (I ran into this on KDE Neon):

# install openconnect and network-manager-openconnect
sudo apt-get install openconnect network-manager-openconnect

non-KDE

sh Link

$ chmod 755 vpnsetup.sh
$ sudo ./vpnsetup.sh

# Fedora 20
$ sudo yum install pangox-compat

# Ubuntu 17
$ sudo apt install libpangox-1.0-0

openconnect

openconnect https://vpn.mycompany.com/
openconnect -b vpn.mydomain.com
openconnect -c certificate.pem https://vpn.mycompany.com/
openconnect -c pkcs11:id=X_%b04%c3%85%d4u%e7%0b%10v%08%c9%0dA%8f%3bl%df https://vpn.mycompany.com/

Windows AnyConnect

Link

Mac AnyConnect

Link


Reference

Other Reference
