Ocserv Client




Install OpenConnect VPN server on KVM

07 Feb 2020 - by 'Maurits van der Schee'

In a previous post I showed how to add an IPsec IKEv2 VPN to your (Ubuntu 18.04) KVM setup. In this post I will show you how to add and configure an OpenConnect VPN. I will show how to install the VPN endpoint on a virtual machine, as a replacement for the VPN installation that we did in the previous post. OpenConnect may be easier to set up and maintain, but it is not clientless on Windows 10: it does require a (user-friendly and free) VPN client.

Install OpenConnect (ocserv)

First you need to install the OpenConnect VPN server package, 'ocserv', on Ubuntu 18.04.

The config file for this software is '/etc/ocserv/ocserv.conf'.

Configure forwarding on the gateway

In this tutorial I assume that you are running the VPN server as a guest on your KVM host machine and that the KVM host machine is running UFW.

Add the following port-forwarding rules to the 'nat' table in '/etc/ufw/before.rules' on the KVM host (as explained in the previous post):

Note that in this example '1.2.3.4' is the public IP address of the KVM host and '10.0.122.8' is the (private and only) IP address of the VPN server.
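The rules the post refers to are not reproduced on this page. As an added example (not the author's rules), the following POSIX shell script prints the two DNAT lines that belong in the '*nat' section of '/etc/ufw/before.rules', after validating both addresses. It assumes ocserv listens on its default port 443 and that the '*nat' section and its COMMIT line already exist from the previous post; only the '-A PREROUTING' lines are new.

```shell
#!/bin/sh
# Added example (not the rules from the original post): print the '*nat' lines for
# /etc/ufw/before.rules that send the OpenConnect ports from the KVM host to the
# VPN guest. Only TCP 443 (TLS control/backup channel) and UDP 443 (DTLS data
# channel) are forwarded; nothing else on the host is exposed.
# Port 443 is ocserv's default and an assumption here.

# Accept only a plain dotted-quad IPv4 address (four octets, each 0-255).
is_ipv4() {
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
}

# Arguments: <public-ip-of-kvm-host> <private-ip-of-vpn-guest> [port]
nat_rules() {
    pub="$1"; guest="$2"; port="${3:-443}"
    is_ipv4 "$pub" && is_ipv4 "$guest" || { echo "nat_rules: bad address" >&2; return 1; }
    cat <<EOF
# OpenConnect control channel (TCP/TLS) -> VPN guest
-A PREROUTING -d ${pub} -p tcp --dport ${port} -j DNAT --to-destination ${guest}:${port}
# OpenConnect data channel (UDP/DTLS) -> VPN guest
-A PREROUTING -d ${pub} -p udp --dport ${port} -j DNAT --to-destination ${guest}:${port}
EOF
}

# Usage with the addresses from the post:
nat_rules 1.2.3.4 10.0.122.8
```

Forwarding only TCP and UDP 443 keeps the host's other ports closed; UDP is needed because ocserv's data channel is DTLS and silently falls back to the slower TCP channel without it. ufw must also allow the forwarded traffic (DEFAULT_FORWARD_POLICY in '/etc/default/ufw' or an explicit 'ufw route allow' rule), otherwise the DNAT'd packets are dropped in the FORWARD chain.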

Forward port 80 on the webserver

If you run a webserver you have probably forwarded port 80 to this webserver. Since we want to use 'certbot' (which validates the hostname over HTTP on port 80) we need to configure a reverse proxy for the specific hostname of your VPN server. We use 'mod_proxy_http' for this.

Then add the following in '/etc/apache2/sites-available/100-vpncertbot.conf'

Replace '10.0.122.8' with the internal IP address of your VPN server and 'vpn.tqdev.com' with the hostname you use for your VPN server.

Configure Let's Encrypt automatic certificate renewal


To install the latest 'certbot' you may run:

A text file will open with some configuration options. Add your hook on the last line:

Save and close the file, then run 'certbot renew --dry-run' to make sure the syntax is ok:

This command should give a warning:

and otherwise run correctly, printing:

This shows that the certbot configuration is correct.
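The hook itself is not shown above. As an added example (not the author's hook), here is a deploy hook script for certbot that checks the renewed lineage before reloading ocserv. It relies on the RENEWED_LINEAGE and RENEWED_DOMAINS variables certbot exports to deploy hooks, assumes the hostname vpn.tqdev.com from this post (override with VPN_HOST) and that ocserv runs as the systemd unit 'ocserv'. Whether a HUP is enough to load the renewed key pair depends on the ocserv version; set OCSERV_HOOK_ACTION=restart to force a restart.

```shell
#!/bin/sh
# Added example, not the hook from the original post: a certbot deploy hook that
# reloads ocserv only when the renewed certificate is the VPN server's and the
# renewed key pair is consistent. certbot exports RENEWED_LINEAGE (the live/
# directory) and RENEWED_DOMAINS (space-separated names) to deploy hooks.
# Assumed: the VPN hostname vpn.tqdev.com used in the post; override with VPN_HOST.

VPN_HOST="${VPN_HOST:-vpn.tqdev.com}"

# Return 0 when <host> is one of the renewed domain names.
# Arguments: <host> <renewed-domain ...>   (pass $RENEWED_DOMAINS unquoted)
renewed_for() {
    host="$1"; shift
    for d in "$@"; do
        [ "$d" = "$host" ] && return 0
    done
    return 1
}

# Return 0 when <dir>/fullchain.pem and <dir>/privkey.pem exist and the leaf
# certificate's public key matches the private key; a mismatched pair would make
# ocserv fail to come back up after the reload.
lineage_ok() {
    dir="$1"
    [ -r "$dir/fullchain.pem" ] && [ -r "$dir/privkey.pem" ] || return 1
    certpub=$(openssl x509 -in "$dir/fullchain.pem" -noout -pubkey) || return 1
    keypub=$(openssl pkey -in "$dir/privkey.pem" -pubout) || return 1
    [ "$certpub" = "$keypub" ]
}

# 'systemctl reload' sends ocserv a HUP, which makes it re-read its configuration
# (the man page uses HUP for a new CRL); a restart is the fallback that always
# loads the new key pair, at the cost of dropping active sessions.
reload_ocserv() {
    if [ "${OCSERV_HOOK_ACTION:-reload}" = restart ]; then
        systemctl restart ocserv
        return
    fi
    systemctl reload ocserv 2>/dev/null || systemctl restart ocserv
}

# Entry point when run by certbot; does nothing when its variables are absent.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    # RENEWED_DOMAINS is intentionally word-split into separate arguments.
    if renewed_for "$VPN_HOST" ${RENEWED_DOMAINS:-}; then
        if lineage_ok "$RENEWED_LINEAGE"; then
            reload_ocserv
        else
            echo "ocserv-hook: refusing to reload, inconsistent files in $RENEWED_LINEAGE" >&2
            exit 1
        fi
    fi
fi
```

Install it as, for example, '/etc/letsencrypt/renewal-hooks/deploy/ocserv.sh' (executable), or reference it with 'renew_hook =' in the renewal configuration. 'certbot renew --dry-run' does not execute deploy hooks, so test the script by hand with RENEWED_LINEAGE and RENEWED_DOMAINS set.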


OpenConnect configuration

We configure OpenConnect by editing the file '/etc/ocserv/ocserv.conf' so that it has the following content:

Make sure 'server-cert' and 'server-key' point at the Let's Encrypt certificate and key for your hostname. Adjust the 'route' lines to match your private network, and 'ipv4-network' and 'ipv4-netmask' to the (virtual) IP addresses you want to give to clients connecting to your VPN server.

If you want to capture all traffic and set the default route over the VPN tunnel, remove (or comment out) every 'route' line: when the server pushes no routes, the client sends all of its traffic through the tunnel.

Using the command 'ocpasswd' you can add users to the file '/etc/ocserv/ocpasswd':

The password is stored as a salted hash, not in plain text. If you want to know who is connected, run:


Use 'occtl help' for other management features.
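The configuration from the post is not reproduced on this page. As an added example (not the author's file), the shell function below writes a minimal ocserv.conf matching the setup described in this section: users from the ocpasswd file, the Let's Encrypt key pair, an address pool for clients, a route to the KVM network and the 'kvm' split-DNS domain. Only the hostname vpn.tqdev.com comes from the post; the client pool 10.0.123.0/24, the KVM network 10.0.122.0/24 and its DNS server 10.0.122.1 are assumed defaults, and a third argument of 'full' produces the full-tunnel variant (no 'route' lines).

```shell
#!/bin/sh
# Added example, not the configuration from the original post: write a minimal
# ocserv.conf for the setup described here (password file auth, Let's Encrypt
# key pair, address pool for clients, split routing and split-DNS for the 'kvm'
# domain). Hostname vpn.tqdev.com is from the post; the client pool 10.0.123.0/24,
# the KVM network 10.0.122.0/24 and its DNS server 10.0.122.1 are assumptions.
# Arguments: <output-file> <hostname> [split|full] [client-pool] [lan/netmask] [dns]
render_ocserv_conf() {
    out="$1"; host="$2"; mode="${3:-split}"
    pool="${4:-10.0.123.0}"; lan="${5:-10.0.122.0/255.255.255.0}"; dns="${6:-10.0.122.1}"
    if [ "$mode" = full ]; then
        # No 'route =' lines: the server pushes no routes, so the client sends
        # all of its traffic through the tunnel.
        routes="# full tunnel: no route lines"
    else
        routes="route = ${lan}"
    fi
    cat > "$out" <<EOF
# Users from the file managed with ocpasswd (hashes only, no plaintext passwords)
auth = "plain[passwd=/etc/ocserv/ocpasswd]"
tcp-port = 443
udp-port = 443
run-as-user = nobody
run-as-group = daemon
socket-file = /run/ocserv.socket
isolate-workers = true
# Let's Encrypt key pair for ${host}
server-cert = /etc/letsencrypt/live/${host}/fullchain.pem
server-key = /etc/letsencrypt/live/${host}/privkey.pem
# Limits that blunt online password guessing and bound session resumption
max-clients = 64
max-same-clients = 2
auth-timeout = 240
min-reauth-time = 300
max-ban-score = 80
ban-reset-time = 1200
cookie-timeout = 300
rekey-time = 172800
rekey-method = ssl
dpd = 90
mobile-dpd = 1800
try-mtu-discovery = true
use-occtl = true
pid-file = /run/ocserv.pid
device = vpns
# Addresses handed to clients, DNS and routes (split-DNS domain 'kvm')
ipv4-network = ${pool}
ipv4-netmask = 255.255.255.0
dns = ${dns}
default-domain = kvm
${routes}
ping-leases = false
cisco-client-compat = true
EOF
}

# Validate a rendered file with ocserv's own syntax check ('ocserv -t -c FILE',
# documented in the man page) when ocserv is installed; returns 0 when the
# check passes or ocserv is not available on this machine.
check_ocserv_conf() {
    command -v ocserv >/dev/null 2>&1 || return 0
    ocserv -t -c "$1"
}

# Usage: render_ocserv_conf /etc/ocserv/ocserv.conf vpn.tqdev.com && check_ocserv_conf /etc/ocserv/ocserv.conf
```

Every option used is a standard ocserv.conf key. The limits (max-same-clients, auth-timeout, min-reauth-time, max-ban-score, ban-reset-time) are what make password authentication resistant to online guessing, so keep them even when you change the addressing.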

Add DNS support for guests

You probably noticed the 'default-domain = kvm' line in the config. It allows VPN clients (and virtual machines) to contact each other by name; because only names in that domain are resolved through the VPN, this configuration is called 'split-DNS'. In order to add it you must edit the libvirt network configuration using:

Look for the line:

Add a domain configuration on the line before it, like this:

Now this setting allows the named virtual machine 'maurits-cloud' to be reached by other virtual machines on the hostname 'maurits-cloud.kvm'.

This will NOT take effect until you destroy and start the libvirt network again.

Set up IP forwarding

Add the following lines to the end of the file '/etc/sysctl.conf' to make your Linux machine act as an IPv4 router:

Note that 'proxy_arp' is an alternative to masquerading all VPN traffic on the VPN host: the VPN server answers ARP requests for its clients' addresses, which only works when the client address pool is part of the KVM network's subnet. Now you need to run:

This command reloads sysctl config file and makes the settings effective.

Fixing DTLS Handshake Failure

Although connecting might succeed, it may be slow to connect and you may encounter the following message in the (sys)log:

To fix this error, we need to edit the 'ocserv.service' unit. First copy it from the '/lib/systemd/system/' directory to the '/etc/systemd/system/' directory: the copy in '/etc/systemd/system/' takes precedence and prevents your modifications from being overwritten or reverted by a package update.

Comment out the following two lines:

and:

Save and close the file. Then reload systemd and restart ocserv service.

The ocserv systemd service won't output any message if it fails to restart, so we need to check the status to make sure it's actually running.

It should show 'active (running)'.

Installing the client on Ubuntu

If you are connecting from Windows 10, then you need to install external client software for this VPN connection.

If you use Ubuntu, then you also need to install a client. You can do so by running:

If you don't see the VPN option marked 'openconnect' in the network manager applet, then you may have to log out and in for it to appear.

Next: Installing an IKEv1 L2TP VPN

In the next post I will show you how to add an IKEv1 L2TP VPN to your KVM setup. I will show how to install the VPN endpoint on a virtual machine, as a replacement for the VPN installation that we did in this (and the previous) post. IKEv1 L2TP may be easier to configure than IKEv2 and also does not require extra VPN client software on Windows 10.


NAME

ocserv - OpenConnect VPN server

SYNOPSIS

ocserv [options] -c [config]

OpenConnect VPN server (ocserv) is a VPN server compatible with the openconnect VPN client. It follows the AnyConnect VPN protocol which is used by several CISCO routers.

DESCRIPTION

This is a standalone server that reads a configuration file (see below for more details), and waits for client connections. Log messages are redirected to the daemon facility.

The server maintains two connections/channels with the client. The main VPN channel is established over TCP, HTTP and TLS. This is the control channel as well as the backup data channel. After its establishment a UDP channel using DTLS is initiated which serves as the main data channel. If the UDP channel fails to establish or is temporarily unavailable the backup channel over TCP/TLS is used.

This server supports multiple authentication methods, including PAM and certificate authentication. Authenticated users are assigned an unprivileged worker process and obtain a networking (tun) device and an IP from a configurable pool of addresses.

Once authenticated, the server provides the client with an IP address and a list of routes that it may access. In order to allow high-speed transfers the server does not process or filter packets. It is expected that the server has or will set up any required routes or firewall rules.

It is possible to separate users into groups, which are either present on their certificate, or presented on login for the user to choose. That way a user may take advantage of the different settings that may apply per group. See the comments in the configuration file for more information.

It is also possible to run hostname-based virtual servers which could support different authentication methods. When multiple virtual servers are present, clients are distinguished by the advertised server name over TLS (SNI). Clients which do not support or do not send SNI are directed to the default server.

OPTIONS

-f, --foreground:

Do not fork server into background.

-d, --debug=num:

Enable verbose network debugging information. num must be between zero and 9999.

-c, --config=FILE:

Specify the configuration file for the server.

-t, --test-config:

Test the provided configuration file and exit. A successful exit code indicates a valid configuration.

-p, --pid-file=FILE:

Specify a PID file for the server.

-h, --help:

Display usage information and exit.

-v, --version:

Output version of program and exit.

AUTHENTICATION

Users can be authenticated in multiple ways, which are explained in the following paragraphs. Connected users can be managed using the occtl tool.

Password authentication

If your system supports Pluggable Authentication Modules (PAM), then ocserv will take advantage of it to password authenticate its users. Otherwise a plain password file similar to the UNIX password file is also supported. In that case the 'ocpasswd' tool can be used for its management. Note that password authentication can be used in conjunction with certificate authentication.

GSSAPI authentication

ocserv will take advantage of the MIT Kerberos project GSSAPI libraries, and allow authentication using any method GSSAPI supports. That is, mainly, Kerberos authentication. That is often more useful when combined with PAM or other password authentication methods so that a fallback mechanism can be used when GSSAPI fails (e.g., when the user doesn't already have a Kerberos ticket). The GSSAPI authentication is implemented using SPNEGO over HTTP (RFC4559).

Public key (certificate) authentication

Public key authentication allows the user to be authenticated by the possession of the private key that corresponds to a public key known to the server. That allows the usage of common smart cards for user authentication.

In ocserv, a certificate authority (CA) is used to sign the client certificates. That certificate authority can be local, used only by the server to sign its users' known public keys which are then given to users in the form of certificates. That authority also needs to provide a CRL to allow the server to reject the revoked clients (see ca-cert, crl).

In certificate authentication each client presents a certificate and signs data provided by the server, as part of TLS authentication, to prove possession of the corresponding private key. The certificate also needs to contain user identifying information; for example, the user ID of the client must be embedded in the certificate's Distinguished Name (DN), i.e., in the Common Name or UID fields. For the server to read the name, the cert-user-oid configuration option must be set.

The following examples demonstrate how to use certtool from GnuTLS to generate such a CA.

Generating the CA

Generating a local server certificate

The following example generates the server key and certificate pair. The key generated is an RSA one, but different types can be used by specifying the 'ecdsa' or 'dsa' options to certtool.

From this point the clients need ca-cert.pem to be able to securely connect to the server.

Note that it is a better practice to use two separate RSA keys, onewith the signing_key option and another with the encryption_key.

Generating an external CA-signed server certificate


At this point you need to provide the server-cert.csr to your CA, and they will send you the server certificate.

Generating the client certificates

Note that it is recommended to leave detailed personal information out of the certificate as it is sent in the clear during TLS authentication (with TLS 1.2 and earlier). The following process generates a certificate and converts it to PKCS #12 that is protected by a PIN and most clients are able to import (the 3DES cipher is used in the example because it is supported by far more devices than AES).

Revoking a client certificate

To revoke the previous client certificate, i.e., preventing the user from accessing the VPN resources prior to its certificate expiration, use:

After that you may want to notify ocserv of the new CRL by using the HUP signal, or wait for it to reload it.

When there are no revoked certificates an empty revocation list should be generated as follows.
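The certtool commands of the original man page are not reproduced on this page. The script below is an added example (not the man page's own text, though it follows the same steps): it writes the certtool templates for a local CA, a server certificate, a client certificate and a CRL, wraps the certtool invocations for issuing, bundling as PKCS #12 and revoking, and prints the matching ocserv.conf lines. Names such as 'vpn.example.com', 'alice' and the output directory are placeholders; it needs GnuTLS's certtool installed.

```shell
#!/bin/sh
# Added example; not the man page's own commands, but an equivalent certtool
# (GnuTLS) workflow for a local CA, a server certificate, a PIN-protected
# PKCS #12 client bundle and a CRL. 'vpn.example.com', 'alice' and <dir> are
# placeholders chosen here. Serial numbers are left to certtool, which picks
# random ones when the template sets none.

# Write the four certtool templates into <dir>.
# Arguments: <dir> <ca-common-name> <server-dns-name> <user-id>
write_templates() {
    d="$1"; cacn="$2"; srv="$3"; user="$4"
    # CA: may only sign certificates and CRLs, never act as a TLS endpoint.
    cat > "$d/ca.tmpl" <<EOF
cn = "$cacn"
expiration_days = 3650
ca
cert_signing_key
crl_signing_key
EOF
    # Server: TLS server usage only; dns_name must equal the hostname clients use.
    cat > "$d/server.tmpl" <<EOF
cn = "$srv"
dns_name = "$srv"
expiration_days = 825
signing_key
encryption_key
tls_www_server
EOF
    # Client: no personal data in the DN (it travels in clear with TLS <= 1.2);
    # the uid is what ocserv reads through cert-user-oid.
    cat > "$d/user.tmpl" <<EOF
cn = "$user"
uid = "$user"
expiration_days = 365
signing_key
tls_www_client
EOF
    # CRL: bump crl_number on every regeneration so the new list is seen as newer.
    cat > "$d/crl.tmpl" <<EOF
crl_next_update = 365
crl_number = 1
EOF
}

# Create the CA and a server certificate signed by it; <dir> must hold the templates.
issue_ca_and_server() {
    d="$1"
    certtool --generate-privkey --outfile "$d/ca-key.pem"
    certtool --generate-self-signed --load-privkey "$d/ca-key.pem" \
             --template "$d/ca.tmpl" --outfile "$d/ca-cert.pem"
    certtool --generate-privkey --outfile "$d/server-key.pem"
    certtool --generate-certificate --load-privkey "$d/server-key.pem" \
             --load-ca-certificate "$d/ca-cert.pem" --load-ca-privkey "$d/ca-key.pem" \
             --template "$d/server.tmpl" --outfile "$d/server-cert.pem"
    chmod 600 "$d"/*-key.pem
}

# Client certificate plus PKCS #12 bundle; certtool prompts for the PIN.
# Arguments: <dir> <user-id> [pkcs-cipher]  (3des-pkcs12 as in the man page for
# old clients; use aes-256 when every client supports it)
issue_client() {
    d="$1"; user="$2"; cipher="${3:-3des-pkcs12}"
    certtool --generate-privkey --outfile "$d/$user-key.pem"
    certtool --generate-certificate --load-privkey "$d/$user-key.pem" \
             --load-ca-certificate "$d/ca-cert.pem" --load-ca-privkey "$d/ca-key.pem" \
             --template "$d/user.tmpl" --outfile "$d/$user-cert.pem"
    certtool --to-p12 --load-privkey "$d/$user-key.pem" --pkcs-cipher "$cipher" \
             --load-certificate "$d/$user-cert.pem" --outfile "$d/$user.p12" --outder
}

# Regenerate the CRL. Arguments: <dir> [pem-file-with-certificates-to-revoke];
# without the second argument an empty CRL is produced (ocserv's 'crl' option
# still needs a valid file). Signal a running ocserv with HUP afterwards.
generate_crl() {
    d="$1"; revoked="${2:-}"
    if [ -n "$revoked" ]; then
        certtool --generate-crl --load-ca-privkey "$d/ca-key.pem" --load-ca-certificate "$d/ca-cert.pem" \
                 --load-certificate "$revoked" --template "$d/crl.tmpl" --outfile "$d/crl.pem"
    else
        certtool --generate-crl --load-ca-privkey "$d/ca-key.pem" --load-ca-certificate "$d/ca-cert.pem" \
                 --template "$d/crl.tmpl" --outfile "$d/crl.pem"
    fi
    # kill -HUP "$(cat /run/ocserv.pid)"
}

# ocserv.conf lines for certificate authentication with the files in <dir>.
ocserv_cert_auth_snippet() {
    cat <<EOF
auth = "certificate"
ca-cert = $1/ca-cert.pem
crl = $1/crl.pem
# read the user name from the certificate's UID attribute
cert-user-oid = 0.9.2342.19200300.100.1.1
EOF
}
```

Typical use is write_templates, issue_ca_and_server, generate_crl (empty) and then one issue_client per user, appending the snippet to ocserv.conf. To revoke alice, run generate_crl with alice-cert.pem and send ocserv a HUP; the client template deliberately carries only the user ID, which is what cert-user-oid points at.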

IMPLEMENTATION NOTES

Note that while this server utilizes privilege separation and all authentication occurs on the security module, this does not apply to TLS client certificate authentication. That is due to a TLS protocol limitation.

NETWORKING CONSIDERATIONS

In certain setups, where a firewall may be blocking ICMP responses, setting the MSS of TCP connections to the MTU will eliminate the 'black hole' connection issues. See http://lartc.org/howto/lartc.cookbook.mtu-mss.html for instructions to enable it on a Linux system.

FILES

ocserv's configuration file format


By default, if no other file is specified, ocserv looks for its configuration file at /etc/ocserv/ocserv.conf. An example configuration file follows.

SEE ALSO

occtl(8), ocpasswd(8), openconnect(8)

COPYRIGHT

Copyright (C) 2013-2018 Nikos Mavrogiannopoulos and others, all rights reserved. This program is released under the terms of the GNU General Public License, version 2.

AUTHORS


Written by Nikos Mavrogiannopoulos. Many people have contributed to it.