Ever need access to your home network, but you are somewhat locked into the Cisco AnyConnect client for some reason?  OpenConnect Server is a great alternative to OpenVPN for these situations, and the OpenConnect client is commonly used on Linux distros to connect to Cisco AnyConnect servers.  In my case, I use a combination of Windows, Mac, and Linux some of which are rather locked down.

In my case, I setup a single-purpose Ubuntu 16.04 LTS VM for this running the bare minimum of Ubuntu, OpenSSH for remote support, and occserv.  I won’t detail the step-by-step of the OS install as there are hundreds of howtos which can walk you through it.  Remember: This server is internet exposed – lock it down tight!

Once you have the base server setup, run the following to get ocserv installed:

sudo apt update && sudo apt install ocserv gnutls-bin

Now, you will need to setup either a self-signed certificate or purchase a third-party certificate.  As a security professional, I would strongly encourage you to purchase a third-party cert simply for the added protection.  In my case, I created a self-signed cert for now with the intention of coming back later to correct the issue.

cd /etc/ocserv
sudo nano ca.tmpl

Then create the certificate template similar to the format below:

cn=”YourOrgNameCA”
organization=”YourOrgName”
serial=1
expiration_days=3650
ca
signing_key
cert_signing_key
crl_signing_key

Once you have your template completed, run the certtool and generate your CA certificate:

sudo certtool –generate-privkey –outfile ca-key.pem # generates the private key
sudo certtool –generate-self-signed –load-privkey ca-key.pem –template ca.tmpl –outfile ca-cert.pem

Next, you will need to create the server certificate template:

sudo nano server.tmpl

Create the template similar to below – your CN should match the host address of your vpn server.

cn=”vpn.yourorgname.blah”
organization=”YourOrgName”
expiration_days=3650
signing_key
encryption_key
tls_www_server

Next, generate the private and public keys for your server:

sudo certtool –generate-privkey –outfile server-key.pem
sudo certtool –generate-certificate –load-privkey server-key.pem –load-ca-certificate ca-cert.pem –load-ca-privkey ca-key.pem –template server.tmpl –outfile server-cert.pem

Now that your certificates have been created, it’s time to configure ocserv

cp ocserv.conf ocserv.conf.original # just in case you screw up 🙂
nano ocserv.conf

Since we are going to use PAM authentication (local Ubuntu user accounts), we need to comment out everything but the PAM module (see below).

#auth = “pam”
auth = “pam[gid-min=1000]”
#auth = “plain[passwd=./sample.passwd,otp=./sample.otp]”
#auth = “plain[passwd=./sample.passwd]”
#auth = “certificate”
#auth = “radius[config=/etc/radiusclient/radiusclient.conf,groupconfig=true]”
##auth = “plain[/etc/ocserv/ocpasswd]”

Then find the server-cert/server-key stanza and ensure they are pointing to your public/private key pair.

server-cert = /etc/ocserv/server-cert.pem
server-key = /etc/ocserv/server-key.pem