Install OCSERV on Remote Server

Install OpenConnect SERVer (OCSERV) on your remote server and configure it for your network access. Modified: 2023-07-15 09:20:55 Created: 2023-04-26 14:43:25 Tags: #openconnect #linux #network #proxy

Prepare the network environment for reaching some websites that are otherwise not reachable from where you are.

1. Get a Remote Server

A remote server is a server that runs 24x7, usually on Linux. This is the machine on which we install the service.

1.1 Remote Servers

Virtual Private Server:

Cloud Compute:

  • Oracle Cloud, which offers an Always Free tier with 2 compute instances.

For these services, you need a VISA or MasterCard credit card.

1.2 Basic Configurations

Follow this post to configure.

2. Install & Configure OCSERV

2.1 OCSERV Config File

OCSERV requires a config file; here is an example.

Config File Example
tcp-port = 9001
run-as-user = ocserv
run-as-group = ocserv
socket-file = ocserv.sock
chroot-dir = /var/lib/ocserv
isolate-workers = true
pre-login-banner = "welcome"
max-clients = 16
max-same-clients = 4
rate-limit-ms = 100
server-stats-reset-time = 604800
keepalive = 32400
dpd = 90
mobile-dpd = 1800
switch-to-tcp-timeout = 25
try-mtu-discovery = false
compression = true
tls-priorities = "NORMAL:%SERVER_PRECEDENCE"
auth-timeout = 240
min-reauth-time = 300
max-ban-score = 80
ban-reset-time = 1200
cookie-timeout = 300
deny-roaming = false
rekey-time = 172800
rekey-method = ssl
use-occtl = true
pid-file = /var/run/ocserv.pid
device = vpns
predictable-ips = true
default-domain = example.com
dns = 1.1.1.1
dns = 8.8.4.4
ping-leases = false
cisco-client-compat = true
dtls-legacy = true
auth = "plain[passwd=/etc/ocserv/ocpasswd]"
ca-cert = /etc/ocserv/ssl/ca-cert.pem
server-cert = /etc/ocserv/ssl/server-cert.pem
server-key = /etc/ocserv/ssl/server-key.pem
ipv4-network = 10.10.11.0/24
cert-user-oid = 2.5.4.3
cert-group-oid = 2.5.4.11
no-route = 10.10.10.0/24
no-route = 192.168.192.0/24

Save the config file as ocserv.conf. You can find more details about every option on the official OCSERV website.
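Before copying ocserv.conf to the server it is worth checking it mechanically: ocserv accepts some options several times (dns, route, no-route) but most options are single-valued, and a repeated single-valued option is an easy copy-and-paste slip. The following small linter is an added example, not part of the original post or of ocserv; it parses the key = value format shown above, flags repeated single-valued options, and warns when plain password authentication is used without max-ban-score (the brute-force ban threshold the config above sets to 80). The sample config it runs on is constructed, with cert-user-oid deliberately given twice.

```python
import re
from collections import defaultdict

# Options ocserv allows to repeat; any other option should appear only once.
MULTI_VALUED = {"dns", "route", "no-route", "split-dns", "custom-header"}
LINE_RE = re.compile(r"^([A-Za-z0-9_-]+)\s*=\s*(.*)$")

# Constructed sample in the style of ocserv.conf; cert-user-oid is repeated on purpose.
SAMPLE_CONF = """\
# comments and blank lines are ignored
auth = "plain[passwd=/etc/ocserv/ocpasswd]"
cert-user-oid = 0.9.2342.19200300.100.1.1
dns = 1.1.1.1
dns = 8.8.4.4
max-ban-score = 80
ban-reset-time = 1200
cert-user-oid = 2.5.4.3
no-route = 10.10.10.0/24
no-route = 192.168.192.0/24
"""

def parse_ocserv_conf(text):
    """Return {option: [values in file order]}; skips blank lines and '#' comments."""
    conf = defaultdict(list)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"cannot parse ocserv.conf line: {raw!r}")
        conf[m.group(1)].append(m.group(2).strip().strip('"'))
    return dict(conf)

def lint_ocserv_conf(conf):
    """Return a list of findings (strings); an empty list means nothing was flagged."""
    findings = []
    for key, values in conf.items():
        if len(values) > 1 and key not in MULTI_VALUED:
            findings.append(f"{key} is set {len(values)} times ({', '.join(values)}); keep one value")
    if any(v.startswith("plain[") for v in conf.get("auth", [])):
        # Password login is exposed to online guessing; ocserv's ban score limits it.
        if int(conf.get("max-ban-score", ["0"])[0]) <= 0:
            findings.append("auth=plain without max-ban-score: failed logins are never banned")
    return findings

if __name__ == "__main__":
    for finding in lint_ocserv_conf(parse_ocserv_conf(SAMPLE_CONF)):
        print("WARN:", finding)
```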

2.2 One-key Installation Script

Suppose you are running a Red Hat-family Linux distribution (such as Rocky Linux); then run the following script.

Install Script
#!/bin/bash
# stop at the first failing command
set -euo pipefail

# install OpenConnect server
sudo dnf install epel-release -y
sudo dnf upgrade -y
sudo dnf install ocserv -y

# generate the CA key and a self-signed CA certificate
cat > ca.temp <<'EOF'
cn = "client"
organization = "run"
serial = 1
expiration_days = 3650
ca
signing_key
cert_signing_key
crl_signing_key
EOF

certtool --generate-privkey --outfile ca-key.pem
certtool --generate-self-signed --load-privkey ca-key.pem --template ca.temp --outfile ca-cert.pem

# generate the server key and a server certificate signed by the CA above
cat > server.temp <<'EOF'
cn = "china"
organization = "china_run"
expiration_days = 3650
signing_key
encryption_key
tls_www_server
EOF

certtool --generate-privkey --outfile server-key.pem
certtool --generate-certificate --load-privkey server-key.pem --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem --template server.temp --outfile server-cert.pem

# move the certificates to the paths referenced in ocserv.conf
sudo mkdir -p /etc/ocserv/ssl

sudo mv ca-key.pem /etc/ocserv/ssl
sudo mv ca-cert.pem /etc/ocserv/ssl
sudo mv server-key.pem /etc/ocserv/ssl
sudo mv server-cert.pem /etc/ocserv/ssl
# private keys must not be readable by other users
sudo chmod 600 /etc/ocserv/ssl/ca-key.pem /etc/ocserv/ssl/server-key.pem

# copy the configuration
sudo cp ocserv.conf /etc/ocserv/ocserv.conf

# enable ip forwarding (plus BBR congestion control)
echo "net.ipv4.ip_forward = 1" | sudo tee /etc/sysctl.d/60-custom.conf
echo "net.core.default_qdisc=fq" | sudo tee -a /etc/sysctl.d/60-custom.conf
echo "net.ipv4.tcp_congestion_control=bbr" | sudo tee -a /etc/sysctl.d/60-custom.conf
sudo sysctl -p /etc/sysctl.d/60-custom.conf

# firewall configuration: open the listening port and masquerade the VPN subnet from ocserv.conf
sudo firewall-cmd --add-port=9001/tcp --zone=public --permanent
sudo firewall-cmd --add-port=9001/udp --zone=public --permanent
sudo firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="10.10.11.0/24" masquerade'
sudo firewall-cmd --reload

# add the user and password (ocpasswd needs the user name as an argument and then prompts for the password)
echo "INPUT THE PASSWORD INFORMATION"
read -rp "VPN user name: " vpn_user
sudo ocpasswd -c /etc/ocserv/ocpasswd "$vpn_user"
echo "FINISH THE PASSWORD INFORMATION"

# (re)start the service and enable it at boot
sudo systemctl restart ocserv.service
sudo systemctl enable ocserv.service

Save the script as install.sh and run:

bash ./install.sh

You have to type the user name and password to finish the installation.

2.3 Firewall Settings

Some VPS providers (such as Vultr) have an extra firewall in their control panel. You also have to open the port there (9001 in this example) on the provider's website.

3. Client Connection

3.1 iOS/Android

Use AnyConnect, which is available in the App Store even in China.

  • server address: your_server_ip:9001.
  • username and password: the ones you set on the server.

3.2 Mac/Linux/Windows

AnyConnect also exists for Mac, but it takes some effort to find the package. Connecting works the same way as on iOS.

The alternative is OpenConnect, which you can install via brew install openconnect. Connect via sudo openconnect your_server_ip:9001.

Now you can enjoy the REAL INTERNET!!!