Mahmut Şeyhan 1 year ago
mahmut_seyhan #vpn-server

Setup OpenConnect Server On Ubuntu 22.04 with Let’s Encrypt

This tutorial shows you how to run your own VPN server by installing OpenConnect VPN server on Ubuntu 20.04. OpenConnect VPN server (ocserv) is an open-source implementation of the Cisco AnyConnect VPN protocol, which is widely used in businesses and universities. AnyConnect is an SSL-based VPN protocol that allows individual users to connect to a remote network.

Requirements

To follow this tutorial, you will need a VPS (Virtual Private Server) that can access blocked websites freely (outside of your country or Internet filtering system).

You also need a domain name to enable HTTPS for OpenConnect VPN. I registered my domain name from NameCheap because the price is low, and they give whois privacy protection free for life.

Step 1: Install OpenConnect VPN Server on Ubuntu 22.04

Log into your Ubuntu 22.04 server. Then use apt to install the ocserv package from the default Ubuntu repository.

sudo apt-get update -y && sudo apt-get upgrade -y
sudo apt install ocserv

Once installed, the OpenConnect VPN server is automatically started. You can check its status with:

systemctl status ocserv

Sample output:

 ocserv.service - OpenConnect SSL VPN server
     Loaded: loaded (/lib/systemd/system/ocserv.service; enabled; vendor preset: enabled)
     Active: active (running) since Sun 2020-04-12 19:57:08 HKT; 12s ago
       Docs: man:ocserv(8)
   Main PID: 216409 (ocserv-main)
      Tasks: 2 (limit: 9451)
     Memory: 1.6M
     CGroup: /system.slice/ocserv.service
             ├─216409 ocserv-main
             └─216429 ocserv-sm

If it’s not running, then you can start it with:

sudo systemctl start ocserv

By default, OpenConnect VPN server listens on TCP and UDP port 443. If that port is already in use by a web server, the VPN server will probably fail to start. We will see how to change the port in the OpenConnect VPN configuration file later.

If there’s a firewall running on your server, then you will need to open ports 80 and 443. For example, if you use UFW, run the following command.

sudo ufw allow 80,443/tcp


Step 2: Install Let’s Encrypt Client (Certbot) on Ubuntu 22.04 Server

The gnutls-bin package installed along with ocserv provides tools to create your own CA and server certificate, but we will obtain and install a Let’s Encrypt certificate instead. The advantage of a Let’s Encrypt certificate is that it’s free, easier to set up, and trusted by VPN client software.

Run the following command to install the Let’s Encrypt client (certbot) from the default Ubuntu repository.

sudo apt install certbot

Step 3: Obtain a Trusted TLS Certificate from Let’s Encrypt

I recommend using the standalone or webroot plugin to obtain a TLS certificate for ocserv.

Standalone Plugin

If there’s no web server running on your Ubuntu 22.04 server and you want OpenConnect VPN server to use port 443, then you can use the standalone plugin to obtain a TLS certificate from Let’s Encrypt. Run the following command. Don’t forget to set an A record for your domain name first.

sudo certbot certonly --standalone --preferred-challenges http --agree-tos --email you@yourdomain.com -d vpn.yourdomain.com

Parameters Definition:

  • certonly: Obtain a certificate but don’t install it.
  • --standalone: Use the standalone plugin to obtain a certificate.
  • --preferred-challenges http: Perform the http-01 challenge to validate our domain, which uses port 80.
  • --agree-tos: Agree to the Let’s Encrypt terms of service.
  • --email: Email address used for account registration and recovery.
  • -d: Specify your domain name.