Content Self Hosted Ubuntu Ubuntu Desktop Ubuntu Server VPN

Set up OpenConnect VPN Server (ocserv) on Ubuntu 16.04/17.10 with Let’s Encrypt

install openconnect ubuntu server

This tutorial goes to point out you the best way to set up OpenConnect VPN server on Ubuntu 16.04/17.10. OpenConnect VPN server, aka ocserv, is an open-source implementation of Cisco AnyConnnect VPN protocol, which is well-liked amongst companies and universities. AnyConnect is a SSL-based VPN protocol that permits particular person customers to hook up with a distant community.

Options of OpenConnect VPN server:

  • Light-weight and quick. In my check, I can watch YouTube in 4k with OpenConnect VPN. YouTube is blocked in my nation.
  • Suitable with Cisco AnyConnect shopper
  • Helps password authentication and certificates authentication
  • Straightforward to set up

I notably like that undeniable fact that in comparison with different VPN applied sciences, it is rather straightforward and handy for the end-user to make use of OpenConnect VPN. Every time I set up a Debian-based Linux distro on my pc and need to shortly unblock web sites or disguise my IP tackle, I set up OpenConnect shopper and hook up with the server with simply two strains of instructions:

sudo apt set up openconnect

sudo openconnect -b

The gnutls-bin software program package deal supplies instruments to create your personal CA and server certificates, however we’ll acquire and set up Let’s Encrypt certificates. The benefit of utilizing Let’s Encrypt certificates is that it’s free, simpler to set up and trusted by VPN shopper software program.


To comply with this tutorial, you’ll need:

  • A VPS (Digital Personal Server) that may entry blocked web sites freely (Outdoors of your nation or Web filtering system) and a website identify. For VPS, I like to recommend Vultr. They provide 512M reminiscence excessive efficiency KVM VPS for simply $2.5 per thirty days, which is ideal in your personal VPN server.
  • Then set up Ubuntu 16.04 or 17.10 on your VPS.

Putting in OpenConnect VPN Server on Ubuntu 16.04/17.10

Log into your Ubuntu 16.04/17.10 server. Then use apt to put in the ocserv package deal,which is included in Ubuntu repository since 16.04.

sudo apt set up ocserv

As soon as put in, the OpenConnect VPN server is routinely began. You’ll be able to verify its standing with:

systemctl standing ocserv

Pattern output:

● ocserv.service – OpenConnect SSL VPN server
Loaded: loaded (/lib/systemd/system/ocserv.service; enabled; vendor preset: enabled
Lively: lively (operating) since Thu 2017-11-30 05:45:07 UTC; 11s in the past
Docs: man:ocserv(eight)
Major PID: 19235 (ocserv-main)
CGroup: /system.slice/ocserv.service
├─19235 ocserv-main
└─19242 ocserv-secm

If it’s not operating, then you can begin it with:

sudo systemctl begin ocserv

By default OpenConnect VPN server listens on TCP and UDP port 443. If it’s being utilized by net server, then the VPN server can’t be began. We’ll see find out how to change the port in OpenConnect VPN configuration file later.

Putting in Let’s Encrypt Shopper (Certbot) on Ubuntu 16.04/17.10 Server

Run the next instructions to put in the newest model of certbot from the official PPA. software-properties-common is required if you wish to set up packages from PPA. It might be lacking on your Ubuntu server.

sudo apt set up software-properties-common

sudo add-apt-repository ppa:certbot/certbot

sudo apt replace

sudo apt set up certbot

To verify model quantity, run

certbot –version

Pattern output:


Acquiring a TLS Certificates from Let’s Encrypt

Standalone Plugin

If there’s no net server operating on your Ubuntu 16.04/17.10 server and also you need OpenConnect VPN server to make use of port 443, then you should use the standalone plugin to acquire TLS certificates from Let’s Encrypt. Run the next command. Don’t overlook to set A document on your area identify.

sudo certbot certonly –standalone –preferred-challenges http –agree-tos –email your-email-address -d


  • certonly: Acquire a certificates however don’t set up it.
  • –standalone: Use the standalone plugin to acquire a certificates
  • –preferred-challenges http: Carry out http-01 problem to validate our area, which can use port 80. By default the standalone plugin will carry out tls-sni problem, which makes use of port 443. Since port 443 is already utilized by OpenConnect VPN server, we have to change the default conduct.
  • –agree-tos: Comply with Let’s Encrypt phrases of service.
  • –email: E mail handle is used for account registration and restoration.
  • -d: Specify your area identify.

As you’ll be able to see the from the next screenshot, I efficiently obtained the certificates.

install openconnect ubuntu server

Utilizing webroot Plugin

In case your Ubuntu 16.04/17.10 server has an internet server listening on port 80 and 443, and also you need OpenConnect VPN server to make use of a special port, then it’s a good suggestion to make use of the webroot plugin to acquire a certificates as a result of the webroot plugin works with just about each net server and we don’t want to put in the certificates within the net server.

First, it’s essential to create a digital host for


In case you are utilizing Apache, then

sudo nano /and so on/apache2/sites-available/

And paste the next strains into the file.

<VirtualHost *:80>

DocumentRoot /var/www/

Save and shut the file. Then create the online root listing.

sudo mkdir /var/www/

Set www-data (Apache consumer) because the proprietor of the online root.

sudo chown www-data:www-data /var/www/ -R

Allow this digital host.

sudo a2ensite

Reload Apache for the modifications to take impact.

sudo systemctl reload apache

As soon as digital host is created and enabled, run the next command to acquire Let’s Encrypt certificates utilizing webroot plugin.

sudo certbot certonly –webroot –agree-tos –email your-email-address -d -w /var/www/


In case you are utilizing Nginx, then

sudo nano /and so on/nginx/conf.d/

Paste the next strains into the file.

pay attention 80;

root /var/www/;

location ~ /.well-known/acme-challenge
permit all;

Save and shut the file. Then create the online root listing.

sudo mkdir /var/www/

Set www-data (Nginx consumer) because the proprietor of the online root.

sudo chown www-data:www-data /var/www/ -R

Reload Nginx for the modifications to take impact.

sudo systemctl reload nginx

As soon as digital host is created and enabled, run the next command to acquire Let’s Encrypt certificates utilizing webroot plugin.

sudo certbot certonly –webroot –agree-tos –email your-email-address -d -w /var/www/

Modifying OpenConnect VPN Server Configuration File

Edit ocserv configuration file.

sudo nano /and so on/ocserv/ocserv.conf

First, configure password authentication. By default, password authentication by means of PAM (Pluggable Authentication Modules) is enabled, which lets you use Ubuntu system accounts to login from VPN shoppers. This conduct may be disabled by commenting out the next line.

auth = “pam[gid-min=1000]”

If we would like customers to make use of separate VPN accounts as an alternative of system accounts to login, we have to add the next line to the file to allow password authentication with a plain password file.

auth = “plain[passwd=/etc/ocserv/ocpasswd]”

After ending modifying this config file, we’ll see the best way to use ocpasswd device to generate the /and so on/ocserv/ocpasswd file, which accommodates an inventory of usernames and encoded passwords.

Word: Ocserv helps shopper certificates authentication, however since we’re utilizing Let’s Encrypt, which doesn’t situation shopper certificates, we will’t use certificates authentication.

Subsequent, in the event you don’t need ocserv to make use of TCP and UDP port 443, then discover the next two strains and alter the port quantity. In any other case depart them alone.

tcp-port = 443
udp-port = 443

Then discover the next two strains. We have to modifications them.

server-cert = /and so on/ssl/certs/ssl-cert-snakeoil.pem
server-key = /and so forth/ssl/personal/ssl-cert-snakeoil.key

Exchange the default setting with the trail of Let’s Encrypt server certificates and server key file.

server-cert = /and so on/letsencrypt/stay/
server-key = /and so forth/letsencrypt/stay/

Then, set the maximal variety of shoppers. Default is 16. Set to zero for limitless.

max-clients = 16

Set the variety of units a consumer is ready to login from on the similar time. Default is 2. Set to zero for limitless.

max-same-clients = 2

Subsequent, discover the next line. Change false to true to allow MTU discovery, which may optimize VPN efficiency.

try-mtu-discovery = false

After that, set the default area to

default-domain =

Uncomment the next line to tunnel all DNS queries by way of the VPN.

tunnel-all-dns = true

Change DNS server tackle

dns = eight.eight.eight.eight

Then remark out all of the route directives (add # image at first of the next 4 strains), which can set the server because the default gateway for the shoppers.

route =
route =
route = fef4:db8:1000:1001::/64

no-route =

Save and shut the file  Then restart the VPN server for the modifications to take impact.

sudo systemctl restart ocserv

Fixing DTLS Handshake Failure

On Ubuntu 16.04 and Ubuntu 17.10, ocserv daemon ocserv.socket doesn’t respect “listen-host” worth from configuration file, which can trigger the next error when shoppers hook up with VPN server.

DTLS handshake failed: Useful resource briefly unavailable, attempt once more.

To repair this error, we have to edit the ocserv.service file. We first copy the unique file in /lib/systemd/system/ listing to /and so on/systemd/system/ listing, then edit it, as a result of we don’t need new model of ocserv package deal to override our modifications. (To study extra about systemd unit information, run man systemd.unit.)

sudo cp /lib/systemd/system/ocserv.service /and so forth/systemd/system/ocserv.service
sudo nano /and so on/systemd/system/ocserv.service

Remark out the next two strains.



Save and shut the file. Then reload systemd

sudo systemctl daemon-reload

Cease ocserv.socket and disable it.

sudo systemctl cease ocserv.socket

sudo systemctl disable ocserv.socket

Restart ocserv service.

sudo systemctl restart ocserv.service

Creating VPN Accounts

Now use the ocpasswd device to generate VPN accounts.

sudo ocpasswd -c /and so forth/ocserv/ocpasswd username

You’ll be requested to set a password for the consumer and the knowledge can be saved to /and so on/ocserv/ocpasswd file.

Allow IP Forwarding

To ensure that the VPN server to route packets between VPN shopper and the surface world, we have to allow IP forwarding. Edit sysctl.conf file.

sudo nano /and so forth/sysctl.conf

Add the next line on the finish of this file.

internet.ipv4.ip_forward = 1

Save and shut the file. Then apply the modifications with the under command. The -p choice will load sysctl settings from /and so forth/sysctl.conf file. This command will protect our modifications throughout system reboots.

sudo sysctl -p

Configure Firewall for IP Masquerading

Discover the identify of your server’s foremost community interface.

ip addr

As you possibly can see, it’s named ens3 on my Ubuntu server.

openconnect ubuntu command line

Then run the next command to configure IP masquerading. Substitute ens3 with your personal community interface identify.

sudo iptables -t nat -A POSTROUTING -o ens3 -j MASQUERADE

The above command append (-A) a rule to the top of of POSTROUTING chain of nat desk. It’ll hyperlink your digital personal community with the Web. And in addition disguise your community from the surface world. So the Web can solely see your VPN server’s IP, however can’t see your VPN shopper’s IP, identical to your house router hides your personal residence community.

Open Port 443 in Firewall

Run the next command to open TCP and UDP port 443. In case you configured a unique port for ocserv, then open your most popular port.

sudo iptables -I INPUT -p tcp –dport 443 -j ACCEPT

sudo iptables -I INPUT -p udp –dport 443 -j ACCEPT

Preserving Iptables Guidelines

By default, iptables ruls are misplaced after reboot. To protect them, you possibly can change to root consumer after which save your guidelines to a file.

su –

iptables-save > /and so forth/iptables.guidelines

Then create a systemd service file.

nano /and so forth/systemd/system/iptables-restore.service

Put the next strains into the file.

[Unit] Description=Packet Filtering Framework
Earlier than=network-pre.goal

[Service] Sort=oneshot
ExecStart=/sbin/iptables-restore /and so on/iptables.guidelines
ExecReload=/sbin/iptables-restore /and so forth/iptables.guidelines

[Install] WantedBy=multi-user.goal

Save and shut the file. Then reload systemd daemon and allow iptables-restore service.

sudo systemctl daemon-reload

sudo systemctl allow iptables-restore

Keep in mind to save lots of iptables guidelines to the file after making modifications.

The way to Set up and Use OpenConnect VPN shopper on Ubuntu 16.04/17.10 Desktop

Run the next command to put in OpenConnect VPN command line shopper on Ubuntu desktop.

sudo apt set up openconnect

You possibly can Hook up with VPN from the command line like under. -b flag will make it run within the background after connection is established.

sudo openconnect -b

You may be requested to enter VPN username and password. If connection is efficiently established, you will notice the next message.

Obtained CONNECT response: HTTP/1.1 200 CONNECTED
CSTP related. DPD 90, Keepalive 32400
Related tun0 as, utilizing SSL
Established DTLS connection (utilizing GnuTLS). Ciphersuite (DTLS1.2)-(RSA)-(AES-256-GCM).

To cease the connection, run:

sudo pkill openconnect

To run the shopper non-interactively, use the next syntax.

echo -n password | sudo openconnect -b -u username –passwd-on-stdin

If you wish to use Community Supervisor to handle VPN connection, then you definitely additionally want to put in these packages.

sudo apt set up network-manager-openconnect network-manager-openconnect-gnome

Auto-Join on System Startup

To let OpenConnect VPN shopper mechanically hook up with the server at boot time, we will create a systemd service unit.

sudo nano /and so on/systemd/system/openconnect.service

Put the next strains to the file. Exchange the purple textual content.

[Unit] Description=OpenConnect VPN Shopper

[Service] Sort=easy
ExecStart=/bin/bash -c ‘/bin/echo -n password | /usr/sbin/openconnect -u username –passwd-on-stdin’
ExecStop=/usr/bin/pkill openconnect
Restart=all the time

[Install] WantedBy=multi-user.goal

Save and shut the file. Then allow this service so that it’ll begin at boot time.

sudo systemctl allow openconnect.service

Rationalization of the file content material:

  • After=network-online.goal and Needs=network-online.goal make this service run after community is up.
  • In actuality, this service can nonetheless run earlier than community is up. We add Restart=all the time and RestartSec=2 to restart this service after 2 seconds if this service fails.
  • Systemd doesn’t recognise pipe redirection. So within the ExecStart directive, we wrap the comand in single quotes and run it with the Bash shell.
  • Since OpenConnect VPN shopper will run as a systemd service, which runs within the background, there’s no want so as to add -b flag to the openconnect command.


OpenConnect VPN is fairly quick. I can use it to observe 4k movies on YouTube.

ocserv letsencrypt

Auto-Renew Let’s Encrypt Certificates

Edit root consumer’s crontab file.

sudo crontab -e

Add the next line on the finish of the file. It’s essential to restart ocserv service for the VPN server to select up new certificates and key file.

@day by day certbot renew –quiet && systemctl restart ocserv


OpenConnect by default makes use of TLS over UDP protocol (DTLS) to realize quicker velocity, however UDP can’t present dependable transmission. TCP is slower than UDP however can present dependable transmission. One optimization tip I may give you is to disable DTLS, use normal TLS (over TCP), then allow TCP BBR to spice up TCP velocity.

To disable DTLS, remark out (add # image at first) the next line in ocserv configuration file.

udp-port = 443

Save and shut the file. Then restart ocserv service.

sudo systemctl restart ocserv.service

To allow TCP BBR, please take a look at the next tutorial.

In my check, normal TLS with TCP BBR enabled is 2 occasions quicker than DTLS.


Notice that in case you are utilizing OpenVZ VPS, be sure to allow the TUN digital networking gadget in VPS management panel.

In case you encounter any drawback, then examine OpenConnect VPN server log.

sudo journalctl -xe -u ocserv.service

I discovered that if I modify port 443 to a unique port, the Web filtering system of my nation will block this VPN connection.

Let OpenConnect VPN server and net server use port 443 on the similar time

Usually a port can solely be utilized by one course of. Nevertheless, we will use HAproxy (Excessive Availability Proxy) and SNI (Server Identify Indication) to make ocserv and Apache/Nginx use port 443 on the similar time.

First, edit ocserv configuration file.

sudo nano /and so on/ocserv/ocserv.conf

Remark out the next line. It will permit ocserv to acquire the shopper IP tackle as an alternative of HAproxy IP tackle.

listen-proxy-proto = true

Then discover the next line.

#listen-host = [IP|HOSTNAME]

Change it to

listen-host =

It will make ocserv pay attention on as a result of later HAproxy might want to pay attention on the general public IP handle. Save and shut the file. Then restart ocserv.

sudo systemctl restart ocserv

Subsequent, we additionally have to make the online server pay attention on localhost solely, as an alternative of listening on public IP tackle. Should you use Nginx, edit the server block file.

sudo nano /and so on/nginx/conf.d/

Within the SSL server block, discover the next directive.

pay attention 443 ssl;

Change it to

pay attention ssl;

This time we make it pay attention on as a result of is already taken by ocserv. Save and shut the file. Then restart Nginx.

sudo systemctl restart nginx

Now set up HAproxy.

sudo apt set up haproxy

Edit configuration file.

sudo nano /and so forth/haproxy/haproxy.cfg

Copy and paste the next strains to the top of the file. Substitute with the general public IP tackle of your server. Exchange with the area identify utilized by ocserv and with the area identify utilized by your net server.

frontend www-https
mode tcp
tcp-request inspect-delay 5s
tcp-request content material settle for if req_ssl_hello_type 1
default_backend bk_ssl_default

backend bk_ssl_default
mode tcp
use-server vpn if req_ssl_sni -i
use-server net if req_ssl_sni -i

choice ssl-hello-chk
server vpn send-proxy-v2
server net verify

Save and shut the file. Then restart HAproxy.

sudo systemctl restart haproxy

Within the configuration above, we utilized the SNI (Server Identify Indication) function in TLS to distinguish VPN visitors and regular HTTPS visitors. When is within the TLS Shopper Howdy, HAProxy redirect visitors to ocserv. When is within the TLS Shopper Hiya, HAProxy redirect visitors to net server.

That’s it! I hope this tutorial helped you put in and configure OpenConnect VPN on Ubuntu 16.04 and Ubuntu 17.10. As all the time, for those who discovered this publish helpful, then subscribe to our free publication.

Price this tutorial

[Total: 22 Average: 4.7]

(perform(d, s, id)
var js, fjs = d.getElementsByTagName(s)[0];
if (d.getElementById(id)) return;
js = d.createElement(s); = id;
js.src = “//”;
fjs.parentNode.insertBefore(js, fjs);
(doc, ‘script’, ‘facebook-jssdk’));