OpenConnect VPN Server – ‘ocserv’

OpenConnect server (ocserv) is an SSL VPN server. Its purpose is to be a secure, small, fast and configurable VPN server. It implements the OpenConnect SSL VPN protocol, and has also (currently experimental) compatibility with clients using the AnyConnect SSL VPN protocol. The OpenConnect protocol provides a dual TCP/UDP VPN channel, and uses the standard IETF security protocols to secure it. The server is implemented primarily for the GNU/Linux platform but its code is designed to be portable to other UNIX variants as well.

http://www.infradead.org/ocserv/manual.html

Setup Server

The setup was adapted from a GitHub project named wppurking/ocserv-docker. Assume that the server hostname is server.example.com.

ssh you@server.example.com
./launch_ocserv.sh

My script to launch the ocserv container is this:

cat ./launch_ocserv.sh
#!/bin/bash

OCSERV_GIT_DIR="ocserv-docker"
GITHUB_URL="https://github.com/wppurking/ocserv-docker.git"

# Work from the home directory: the clone and the bind mount below both live there.
cd ~

echo "GET git clone"
if [ -d "${OCSERV_GIT_DIR}" ]
then
        echo "${OCSERV_GIT_DIR} exists"
else
        git clone "${GITHUB_URL}"
fi

echo "LAUNCH ocserv container"
docker run -dt --privileged --name ocserv -v ~/ocserv-docker/ocserv:/etc/ocserv -p 443:443/tcp ocserv-docker

echo "CHECK container"
# docker logs takes one container at a time
docker ps -aq | xargs -n1 docker logs

Clean default users

Remove the default users of the docker container

FILE="/etc/ocserv/ocpasswd"
SED_COMMAND=(sed -i '1,2d' "${FILE}")
docker exec -it "$(docker ps -a | grep vpn_run | awk '{print $1}')" "${SED_COMMAND[@]}"

Add a new user

OCSERV_DOCKER_ID=$(docker ps -a | grep vpn_run | awk '{print $1}')
docker exec -it "${OCSERV_DOCKER_ID}" ocpasswd my_username
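Deleting the first two lines of ocpasswd with sed works once, but it silently removes whatever happens to be on those lines the second time it runs. The following script is an added example, not code from the original post or from the ocserv-docker project: it removes users by name, is safe to repeat, and prints the remaining users so the result can be checked. It assumes the ocpasswd line format username:group:hash, the host path of the bind mount used by launch_ocserv.sh above (~/ocserv-docker/ocserv), and placeholder names for the default accounts.

```shell
#!/bin/sh
# Added example, not code from the original post or the ocserv-docker project.
# Removes users from the ocserv password file by name instead of deleting the
# first two lines blindly, and lists what is left so the result can be checked.
# Assumptions: the ocpasswd line format "username:group:hash", and the host
# path of the bind mount from launch_ocserv.sh above (~/ocserv-docker/ocserv).

OCPASSWD="${OCPASSWD:-$HOME/ocserv-docker/ocserv/ocpasswd}"

# Print the user names in an ocpasswd-style file, one per line.
ocpasswd_users() {
    # Skip blank and comment lines; the user name is the first colon field.
    grep -v '^[[:space:]]*$' "$1" | grep -v '^#' | cut -d: -f1
}

# Number of users in the file.
ocpasswd_count() {
    ocpasswd_users "$1" | wc -l | tr -d ' '
}

# Delete the named users from the file in place. Matching is exact on the
# first field, so removing "bob" leaves "bobby" alone, and removing a user
# that is already gone is a no-op, which makes the call safe to repeat.
ocpasswd_remove_users() {
    file="$1"; shift
    tmp="$file.tmp.$$"
    cp "$file" "$tmp"
    for u in "$@"; do
        awk -F: -v u="$u" '$1 != u' "$tmp" > "$tmp.next"
        mv "$tmp.next" "$tmp"
    done
    # Write back through the existing file so its owner and mode are kept.
    cat "$tmp" > "$file"
    rm -f "$tmp"
}

# Remove the container's default accounts (the names are placeholders: run
# ocpasswd_users first and pass the real ones), then show who is left.
# Needs root on the host because the mounted directory is owned by root.
clean_default_users() {
    echo "users before: $(ocpasswd_users "$OCPASSWD" | tr '\n' ' ')"
    ocpasswd_remove_users "$OCPASSWD" "$@"
    echo "users after:  $(ocpasswd_users "$OCPASSWD" | tr '\n' ' ')"
}

# Usage:
#   sudo sh -c '. ./ocpasswd_clean.sh && clean_default_users DEFAULT_USER_1 DEFAULT_USER_2'
```

Because the mounted directory is shared with the container, editing the file on the host is the same as editing /etc/ocserv/ocpasswd inside it; the awk filter compares the whole first field, so a user name is never matched as a prefix of another.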

On Client

check openconnect version

You should have OpenConnect version v7.06 or higher :-)

openconnect --version

manually

Don’t use the --no-cert-check option; it is insecure. Use --cafile or --servercert instead. The ca-cert.pem file is inside the docker container at /opt/certs/ca-cert.pem. Thanks David Woodhouse for reminding me of this :-)

sudo openconnect --cafile=ca-cert.pem server.example.com

automatically with a script

MY_USER="my_username"
MY_PASSWORD="my_password"
echo -n "${MY_PASSWORD}" | sudo openconnect --cafile=ca-cert.pem --background -u "${MY_USER}" --passwd-on-stdin server.example.com

optional

In case you get the warning “DTLS handshake failed: Resource temporarily unavailable”, you can disable DTLS by adding the option --no-dtls.
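The client steps above (connect with --cafile, script the login with --passwd-on-stdin, optionally add --no-dtls) can be wrapped so that the CA certificate is pinned and the password never sits inside the script. The script below is an added example, not code from the original post or from OpenConnect: it records the SHA-256 fingerprint of ca-cert.pem once, refuses to connect if the CA on disk later changes, and reads the password from a file that must be mode 0600. It assumes the CA was copied to the client out of band (for example docker cp ocserv:/opt/certs/ca-cert.pem on the server, then scp), and the file names under ~/.ocserv are this example's own choice.

```shell
#!/bin/sh
# Added example, not code from the original post or from OpenConnect. Wraps the
# client commands above so that the CA certificate is pinned and the password
# never sits in the script. Assumptions: the CA was copied to the client once,
# out of band (e.g. "docker cp ocserv:/opt/certs/ca-cert.pem ." on the server,
# then scp), and the file names under ~/.ocserv are this example's own choice.

CA_FILE="${CA_FILE:-$HOME/.ocserv/ca-cert.pem}"
PIN_FILE="${PIN_FILE:-$HOME/.ocserv/ca-cert.sha256}"
PASS_FILE="${PASS_FILE:-$HOME/.ocserv/password}"

# SHA-256 fingerprint of a PEM certificate, printed as "AB:CD:...".
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# A secret file must be a regular file with no group/other permission bits
# (mode 0600 or stricter); find prints the path if any such bit is set.
secret_file_ok() {
    [ -f "$1" ] || return 1
    [ -z "$(find "$1" \( -perm -040 -o -perm -020 -o -perm -010 \
                      -o -perm -004 -o -perm -002 -o -perm -001 \) -print)" ]
}

# Exact comparison of two fingerprints; empty values never match.
pin_matches() {
    [ -n "$1" ] && [ -n "$2" ] && [ "$1" = "$2" ]
}

# First use only: record the CA fingerprint after confirming it over a trusted
# channel (compare with the same openssl command run on the server).
pin_ca() {
    mkdir -p "$(dirname "$PIN_FILE")"
    cert_fingerprint "$CA_FILE" > "$PIN_FILE"
    echo "pinned $(cat "$PIN_FILE")"
}

# Connect only if the pinned CA is unchanged and the password file is private.
# Set NO_DTLS=1 to add --no-dtls for the "DTLS handshake failed" case.
connect_vpn() {
    server="$1"; user="$2"
    secret_file_ok "$PASS_FILE" || {
        echo "refusing to connect: $PASS_FILE must be mode 0600" >&2; return 1; }
    pin_matches "$(cert_fingerprint "$CA_FILE")" "$(cat "$PIN_FILE")" || {
        echo "refusing to connect: CA fingerprint does not match $PIN_FILE" >&2; return 1; }
    # The shell opens the password file as the invoking user, so it can stay
    # 0600; --passwd-on-stdin reads one line from it. --no-cert-check is never used.
    sudo openconnect --cafile="$CA_FILE" --background -u "$user" --passwd-on-stdin \
        ${NO_DTLS:+--no-dtls} "$server" < "$PASS_FILE"
}

# Usage, after pin_ca has been run once:
#   . ./connect_vpn.sh && connect_vpn server.example.com my_username
```

The pin is checked on every connection, so a swapped ca-cert.pem (or a missing pin file) stops the login before any credentials are sent; --cafile still makes openconnect validate the server certificate against that CA as in the manual command above.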