Setting Up a VPN Server with OpenConnect for Cisco Compatibility

Before diving into the configuration, ensure that you have the following prerequisites in place:

  • A Linux server (preferably Ubuntu or CentOS).
  • Root or sudo access on the server.
  • OpenConnect package installed on the server.
  • Cisco AnyConnect client or any compatible OpenConnect client for testing the connection.

Installing OpenConnect on the Server

To begin the setup, you must install OpenConnect on your server. This can be done by using the package manager available on your distribution.
For Ubuntu-based distributions, run the following commands:
sudo apt update
sudo apt install openconnect
For CentOS, you can use:
sudo yum install epel-release
sudo yum install openconnect
Once installed, verify that OpenConnect is available on your system by checking its version:
openconnect --version

Setting Up the VPN Server

The openconnect package you just installed is only the client. The server side is a separate package, ocserv (OpenConnect VPN Server), which speaks the same AnyConnect-compatible protocol. To install it, use the following commands:
For Ubuntu:
sudo apt install ocserv
For CentOS:
sudo yum install ocserv
Once installed, you need to configure ocserv to handle connections and ensure it is compatible with Cisco AnyConnect clients.

Configuring OpenConnect Server for Cisco Compatibility

Now that ocserv is installed, you can start the configuration process. Begin by editing the server configuration file:
sudo nano /etc/ocserv/ocserv.conf
In this configuration file, ensure the following key settings are configured to allow Cisco AnyConnect clients to connect:
# Restrict TLS to 1.2 and 1.3 (GnuTLS priority string; SSL 3.0, TLS 1.0 and TLS 1.1 removed)
tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1"

# Listen on the standard HTTPS port
tcp-port = 443

# Allow Cisco AnyConnect clients (enables the AnyConnect compatibility behaviour)
cisco-client-compat = true

# Authenticate against system accounts through PAM
auth = "pam"

# Enable compression for the VPN connection
compression = true
Save and close the file after making these adjustments.
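As an added check that is not part of the original guide, the following POSIX shell script audits an ocserv.conf for the directives above: it reads each directive with sed and reports any value that would admit older TLS versions, move the listener off port 443, skip PAM, or leave AnyConnect compatibility off. The directive names are real ocserv options; the sample config the script writes is constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the original guide: audit an ocserv.conf for
# the settings discussed above. The sample config written below is constructed.

# Print the value of a directive (first uncommented occurrence), quotes stripped.
ocserv_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1 | tr -d '"'
}

# Print one finding per line; prints nothing when the file matches the guide.
ocserv_audit() {
    cfg=$1
    auth=$(ocserv_get "$cfg" auth)
    [ "$auth" = "pam" ] || echo "auth='$auth' (expected pam)"
    port=$(ocserv_get "$cfg" tcp-port)
    [ "$port" = "443" ] || echo "tcp-port='$port' (expected 443)"
    compat=$(ocserv_get "$cfg" cisco-client-compat)
    [ "$compat" = "true" ] || echo "cisco-client-compat is not true (AnyConnect clients may fail)"
    prio=$(ocserv_get "$cfg" tls-priorities)
    # The GnuTLS priority string must explicitly remove TLS 1.0 and 1.1.
    for old in TLS1.0 TLS1.1; do
        case "$prio" in
            *"-VERS-$old"*) ;;
            *) echo "tls-priorities does not disable $old" ;;
        esac
    done
}

# Write a constructed sample config that violates several of the checks.
write_sample_config() {
    cat > "$1" <<'EOF'
# constructed sample, not a real deployment
auth = "plain[passwd=/etc/ocserv/ocpasswd]"
tcp-port = 4443
# cisco-client-compat is left unset
tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-VERS-SSL3.0"
EOF
}

# Demo: run "sh audit.sh --demo" to audit the constructed sample;
# run "sh audit.sh /etc/ocserv/ocserv.conf" to audit a real file.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp)
    write_sample_config "$tmp"
    ocserv_audit "$tmp"
    rm -f "$tmp"
elif [ -n "${1:-}" ]; then
    ocserv_audit "$1"
fi
```

The constructed sample produces five findings; a file with the directives exactly as shown above produces none.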

Setting Up Authentication

To authenticate users, you need to configure the PAM (Pluggable Authentication Modules) settings. Open the PAM configuration file for ocserv:
sudo nano /etc/pam.d/ocserv
Ensure that this file authenticates against system accounts, and adjust it to your own security requirements. For most setups the default configuration, which authenticates local system users, is sufficient.

Starting and Enabling the OpenConnect VPN Server

After configuring the server, you can now start the ocserv service:
sudo systemctl start ocserv
To enable the service to start automatically at boot:
sudo systemctl enable ocserv
You can check the status of the ocserv service with:
sudo systemctl status ocserv

Testing the VPN Connection

Once the server is up and running, test the connection with a Cisco AnyConnect client or any OpenConnect-compatible VPN client: enter the IP address or hostname of the VPN server, connect, and supply the credentials of a system account.

Firewall Configuration

If you’re running a firewall on your server, make sure to open port 443, which is the default for OpenConnect VPN traffic. For UFW (Uncomplicated Firewall) on Ubuntu, use:
sudo ufw allow 443/tcp
For firewalld on CentOS, use:
sudo firewall-cmd --zone=public --add-port=443/tcp --permanent
sudo firewall-cmd --reload
This will ensure that the OpenConnect server is accessible for incoming VPN connections.

Monitoring and Logging

To ensure everything is functioning properly, monitor the ocserv logs for any connection attempts and errors:
sudo journalctl -u ocserv
You can also check the general system logs for additional details:
sudo tail -f /var/log/syslog   (on CentOS the equivalent file is /var/log/messages)
These logs will help in troubleshooting connection issues or identifying any misconfigurations.

Conclusion

By following these steps, you have successfully set up an OpenConnect VPN server with compatibility for Cisco AnyConnect clients. This setup ensures secure communication with remote users, while benefiting from the open-source flexibility and scalability of OpenConnect.
