Set OpenConnect VPN Server (ocserv) to CentOS 8 / RHEL 8 with Let’s Encrypt

This tutorial shows you how to run your own VPN server by installing the OpenConnect VPN server on CentOS 8/RHEL 8. The OpenConnect VPN server, also called ocserv, is an open implementation of the Cisco AnyConnect VPN protocol, which is widely used in companies and universities. AnyConnect is an SSL-based VPN protocol that enables individual users to connect to an external network.

Why would you set up your own VPN server?

  • You may be a VPN service provider or a system administrator whose job requires running a VPN server.
  • You don’t trust the logging policies of commercial VPN providers, so you prefer to self-host.
  • You can use the VPN to enforce a network security policy. For example, if you run your own mail server, you can require users to connect only from the VPN server’s IP address by allowlisting that address on the mail server’s firewall. This way, your mail server is much better protected against attackers.
  • Maybe you’re just curious about how a VPN server works.


OpenConnect VPN Server Features

  • Light and fast. In my test I can watch YouTube 4K videos over the OpenConnect VPN. YouTube is blocked in my country (China).
  • Runs on Linux and most BSD servers
  • Compatible with Cisco AnyConnect client
  • There are OpenConnect client programs for Linux, MacOS, Windows and OpenWRT. For Android and iOS, you can use the Cisco AnyConnect client.
  • Supports password and certificate authentication
  • Supports RADIUS accounting.
  • Support for shared hosting (multiple domains)
  • Easy to set up

I especially like the fact that the end user can use OpenConnect VPN very easily and conveniently compared to other VPN technologies. When I install a Linux distribution on my computer and want to quickly unlock websites or hide my IP address, I simply run the following command to connect to my OpenConnect VPN server.

sudo openconnect -b vpn.mydomain.com

The Openconnect client software is available for Debian, Ubuntu, Fedora, RHEL, CentOS, Arch Linux and OpenSUSE. You can easily install it with the package manager.

sudo apt install openconnect
sudo dnf install openconnect
sudo pacman -S openconnect

Requirements

To follow this guide, you will need a VPS (Virtual Private Server) that has unrestricted access to blocked websites (outside your country or the Internet filtering system). I recommend Vultr VPS (this is my referral link; you get $50 free credit when you create an account with Vultr through it). They offer high-quality KVM VPS with 512M RAM for only $2.5 per month, ideal for your private VPN server. Once you have a VPS, install CentOS 8 on it and follow the instructions below.

You also need a domain name. I registered my domain name with NameCheap because the price is low and they offer free Whois privacy for life.

Note: The new Vultr $2.5/month plan only includes an IPv6 address. Choose the $3.5 per month plan from the New York (NJ) data center to get both an IPv4 and an IPv6 address.

Step 1: Installing the OpenConnect VPN Server (ocserv) on CentOS 8

Connect to the CentOS 8 server via SSH. Then execute the following commands to install the ocserv package from the EPEL repository.

sudo dnf install epel-release
sudo dnf install ocserv

Step 2: Open ports in the firewall

The firewall on CentOS is enabled by default. ocserv listens on port 443 by default, so run the following commands to open TCP and UDP port 443.

sudo firewall-cmd --zone=public --permanent --add-port=443/tcp
sudo firewall-cmd --zone=public --permanent --add-port=443/udp

We also need to open TCP port 80 to get a TLS certificate from Let’s Encrypt.

sudo firewall-cmd --zone=public --permanent --add-port=80/tcp

Restart the firewall for the changes to take effect.

sudo systemctl restart firewalld

Step 3: Install the Let’s Encrypt Client (Certbot) on CentOS 8 Server

The gnutls-utils package installed alongside ocserv provides tools to create your own CA and server certificate, but we will obtain and install a Let’s Encrypt certificate instead. The advantage of a Let’s Encrypt certificate is that it is free, easy to set up and trusted by VPN client software.

Run the following command to install the Let’s Encrypt (certbot) client on CentOS 8

sudo dnf install certbot

To check the version number, do the following

certbot --version

Sample output:

certbot 1.0.0

Step 4: Obtain a Trusted TLS Certificate from Let’s Encrypt

I recommend using the standalone or webroot plugin to obtain the TLS certificate.

Standalone plugin

If your CentOS 8 server is not running a web server and you want the OpenConnect VPN server to use port 443, you can use the standalone plugin to obtain a Let’s Encrypt TLS certificate. Create a DNS A record for vpn.example.com at your domain registrar, then run the following command to obtain a certificate.

sudo certbot certonly --standalone --preferred-challenges http --agree-tos --email [email protected] -d vpn.example.com

Explanation:

  • certonly: Obtain the certificate, but don’t install it.
  • --standalone: Use the standalone plugin to obtain the certificate.
  • --preferred-challenges http: Perform the http-01 challenge to validate our domain, which uses port 80.
  • --agree-tos: Agree to the Let’s Encrypt terms of service.
  • --email: The email address used for registration and account recovery.
  • -d: Specify your domain name.

As you can see on the following screenshot, I have successfully received the certificate.


Using the webroot plugin

If your CentOS 8 server has a web server listening on ports 80 and 443, it is best to use the webroot plugin to obtain the certificate, because the webroot plugin works with almost any web server and we do not need to install the certificate in the web server.

First you need to create a virtual host for vpn.example.com.

Apache

If you are using an Apache web server, create a virtual host in /etc/httpd/conf.d/.

sudo nano /etc/httpd/conf.d/vpn.example.com.conf

And add the following lines to the file.

<VirtualHost *:80>
    ServerName vpn.example.com
    DocumentRoot /var/www/html/
</VirtualHost>

Save the file and close it. Restart Apache to put the changes into effect.

sudo systemctl restart httpd

Once the virtual host is created and enabled, run the following command to obtain the Let’s Encrypt certificate with the webroot plugin.

sudo certbot certonly --webroot --agree-tos --email [email protected] -d vpn.example.com -w /var/www/html/

Nginx

If you are using a Nginx web server, create a virtual host in /etc/nginx/conf.d/.

sudo nano /etc/nginx/conf.d/vpn.example.com.conf

Add the following lines to the file.

server {
    listen 80;
    server_name vpn.example.com;

    root /usr/share/nginx/html/;

    location ~ /.well-known/acme-challenge {
        allow all;
    }
}

Save the file and close it. Restart Nginx to make the changes take effect.

sudo systemctl restart nginx

Once the virtual host is created and enabled, run the following command to obtain the Let’s Encrypt certificate with the webroot plugin.

sudo certbot certonly --webroot --agree-tos --email [email protected] -d vpn.example.com -w /usr/share/nginx/html/

Step 5: Edit the OpenConnect VPN Server Configuration File

Edit the ocserv configuration file.

sudo nano /etc/ocserv/ocserv.conf

Start with password authentication. Password authentication via PAM (Pluggable Authentication Modules) is enabled by default, which lets VPN clients log in with CentOS system accounts. You can disable this behaviour by commenting out the following line.

auth = "pam"

If we want users to log in with separate VPN accounts instead of system accounts, we need to add the following line to enable password authentication against a password file.

auth = "plain[passwd=/etc/ocserv/ocpasswd]"

After editing this configuration file, we will see how to use the ocpasswd tool to create /etc/ocserv/ocpasswd, which contains a list of usernames and hashed passwords.

Note: ocserv supports client certificate authentication, but Let’s Encrypt does not issue client certificates. To enable certificate authentication, you must set up your own CA to issue client certificates.

If you do not want ocserv to use TCP and UDP port 443 (for example, because a web server already uses port 443), find the following two lines and change the port number. Otherwise, leave them alone.

tcp-port = 443
udp-port = 443

Then look for the next two lines. We have to change them.

server-cert = /etc/pki/ocserv/public/server.crt
server-key = /etc/pki/ocserv/private/server.key

Replace the default setting with the Let’s Encrypt server certificate path and server key file.

server-cert = /etc/letsencrypt/live/vpn.example.com/fullchain.pem
server-key = /etc/letsencrypt/live/vpn.example.com/privkey.pem

It is recommended to enable LZ4 compression, so uncomment the following line.

compression = true

Then set the maximum number of clients. The default value is 16. Set it to zero for unlimited.

max-clients = 0

Set the number of devices a user can log in from at the same time. The default is 2. Set it to zero for unlimited.

max-same-clients = 0

Then find the following line. Change false to true to enable MTU discovery, which can optimize VPN performance.

try-mtu-discovery = true

The following two options set how long a client can stay idle before it is disconnected. If you want clients to stay connected indefinitely, comment out these two options.

idle-timeout = 1200
mobile-idle-timeout = 2400

Then set the default domain to vpn.example.com.

default-domain = vpn.example.com

By default, the IPv4 network configuration is as follows. This causes problems, because most home routers also use the 192.168.1.0/24 range.

#ipv4-network = 192.168.1.0
#ipv4-netmask = 255.255.255.0

We can use a different private IP range (e.g. 10.10.10.0/24) to avoid an address collision. So uncomment the two lines above and change the value of ipv4-network to 10.10.10.0.

ipv4-network = 10.10.10.0
ipv4-netmask = 255.255.255.0

Now uncomment the following line to tunnel all DNS queries through the VPN.

tunnel-all-dns = true

Change the address of the DNS resolver. You can use Google’s public DNS server.

dns = 8.8.8.8
dns = 8.8.4.4

or the Cloudflare public DNS server.

dns = 1.1.1.1
dns = 1.0.0.1

Note: If you are a VPN provider, it is a good idea to run your own DNS resolver. If you have a DNS resolver running on the same server, specify the DNS as

dns = 10.10.10.1

10.10.10.1 is the IP address of the OpenConnect VPN server on the VPN network. This speeds up DNS queries slightly for clients by eliminating the network latency between the VPN server and the DNS resolver.

Then comment out all route settings (add a # at the beginning of the following lines), which makes the server the default gateway for clients.

#route = 10.10.10.0/255.255.255.0
#route = 192.168.0.0/255.255.0.0
#route = fef4:db8:1000:1001::/64

#no-route = 192.168.5.0/255.255.255.0

Finally, scroll to the end of the file (in the Nano text editor, press Ctrl+W and then Ctrl+V to jump to the end) and comment out the user-profile option, because the user profile XML file is not required by OpenConnect clients or by the Cisco AnyConnect client on iOS and Android.

#user-profile = profile.xml

Note: If the user profile is enabled, the Cisco AnyConnect client on iOS shows the following error when connecting to the OpenConnect VPN server.

It was not possible to download the AnyConnect profile. Try again.

Save the file and close it.
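The list of Step 5 edits is long enough to be worth scripting, both to apply them to a fresh install and to re-check the file on a running server. The Bash helper below is an added example, not code from the tutorial; the function names (set_ocserv_option, append_ocserv_option, comment_ocserv_option, get_ocserv_option, count_active_option, apply_tutorial_settings, write_sample_conf) are my own, and the configuration it writes is a constructed stand-in that only mimics the default lines Step 5 touches. It carries the whole Step 5 procedure through on that sample:

```bash
#!/usr/bin/env bash
# Added example, not part of the tutorial: idempotent "key = value" editing
# for ocserv.conf, so the Step 5 changes can be applied or re-checked at once.
set -euo pipefail

# set_ocserv_option KEY VALUE FILE: rewrite the first "KEY = ..." line (active
# or '#'-commented) as "KEY = VALUE", or append it. awk avoids escaping issues
# with values containing '/', '[' or quotes.
set_ocserv_option() {
    local key="$1" value="$2" file="$3" tmp
    tmp="$(mktemp)"
    awk -v key="$key" -v value="$value" '
        BEGIN { pat = "^[# \t]*" key "[ \t]*="; done = 0 }
        !done && $0 ~ pat { print key " = " value; done = 1; next }
        { print }
        END { if (!done) print key " = " value }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# append_ocserv_option KEY VALUE FILE: add another line (keys like dns repeat).
append_ocserv_option() { printf '%s = %s\n' "$1" "$2" >> "$3"; }

# comment_ocserv_option KEY FILE: prefix '#' to every active "KEY = ..." line.
comment_ocserv_option() {
    local tmp
    tmp="$(mktemp)"
    awk -v key="$1" '$0 ~ ("^[ \t]*" key "[ \t]*=") { print "#" $0; next } { print }' \
        "$2" > "$tmp" && mv "$tmp" "$2"
}

# get_ocserv_option KEY FILE: value of the first active line, empty if none.
get_ocserv_option() {
    awk -v key="$1" '$0 ~ ("^[ \t]*" key "[ \t]*=") {
        sub("^[ \t]*" key "[ \t]*=[ \t]*", ""); print; exit }' "$2"
}

# count_active_option KEY FILE: how many active "KEY = ..." lines remain.
count_active_option() {
    awk -v key="$1" 'BEGIN { n = 0 } $0 ~ ("^[ \t]*" key "[ \t]*=") { n++ } END { print n }' "$2"
}

# apply_tutorial_settings FILE: the Step 5 edits from the tutorial, in order.
apply_tutorial_settings() {
    local f="$1"
    comment_ocserv_option auth "$f"   # no more login with system accounts
    append_ocserv_option auth '"plain[passwd=/etc/ocserv/ocpasswd]"' "$f"
    set_ocserv_option server-cert /etc/letsencrypt/live/vpn.example.com/fullchain.pem "$f"
    set_ocserv_option server-key /etc/letsencrypt/live/vpn.example.com/privkey.pem "$f"
    set_ocserv_option compression true "$f"
    set_ocserv_option max-clients 0 "$f"
    set_ocserv_option max-same-clients 0 "$f"
    set_ocserv_option try-mtu-discovery true "$f"
    set_ocserv_option default-domain vpn.example.com "$f"
    set_ocserv_option ipv4-network 10.10.10.0 "$f"   # avoid the 192.168.1.0/24 home-LAN clash
    set_ocserv_option ipv4-netmask 255.255.255.0 "$f"
    set_ocserv_option tunnel-all-dns true "$f"
    comment_ocserv_option dns "$f"
    append_ocserv_option dns 8.8.8.8 "$f"
    append_ocserv_option dns 8.8.4.4 "$f"
    comment_ocserv_option route "$f"   # server becomes the clients' default gateway
    comment_ocserv_option no-route "$f"
    comment_ocserv_option user-profile "$f"   # profile.xml breaks AnyConnect on iOS
}

# write_sample_conf FILE: constructed sample mimicking only the default
# ocserv.conf lines that Step 5 touches (not the real shipped file).
write_sample_conf() {
    cat > "$1" <<'EOF'
auth = "pam"
tcp-port = 443
server-cert = /etc/pki/ocserv/public/server.crt
server-key = /etc/pki/ocserv/private/server.key
#compression = true
max-clients = 16
max-same-clients = 2
try-mtu-discovery = false
#default-domain = example.com
#ipv4-network = 192.168.1.0
#ipv4-netmask = 255.255.255.0
#tunnel-all-dns = true
dns = 192.168.1.2
route = 10.10.10.0/255.255.255.0
route = 192.168.0.0/255.255.0.0
no-route = 192.168.5.0/255.255.255.0
user-profile = profile.xml
EOF
}

# Demonstration on the constructed sample; point it at /etc/ocserv/ocserv.conf for real use.
demo="$(mktemp)"
write_sample_conf "$demo"
apply_tutorial_settings "$demo"
printf 'auth: %s\nipv4-network: %s\nactive route lines: %s\n' \
    "$(get_ocserv_option auth "$demo")" "$(get_ocserv_option ipv4-network "$demo")" \
    "$(count_active_option route "$demo")"
```

Run it as root with the real file in place of the mktemp file (or copy ocserv.conf aside first). Because each edit replaces the file via mv, the result carries mktemp’s 0600 mode, which is fine for a file read only by ocserv. The two read-only helpers are also useful on their own, for example to confirm that no route line is still active and that exactly one auth line is active before restarting ocserv.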

Step 6: Create VPN Accounts

Now use the ocpasswd tool to generate VPN accounts.

sudo ocpasswd -c /etc/ocserv/ocpasswd username

You will be prompted to set a user password and the information will be stored in /etc/ocserv/ocpasswd. To reset the password, simply run the above command again.

We can start the service now.

sudo systemctl start ocserv

And enable automatic start at boot time.

sudo systemctl enable ocserv

You can check its status:

systemctl status ocserv

Sample output:

● ocserv.service - OpenConnect SSL VPN server
   Loaded: loaded (/usr/lib/systemd/system/ocserv.service; enabled; vendor preset: disabled)
   Active: active (running) since Fri 2020-01-03 19:04:53 CST; 15s ago
     Docs: man:ocserv(8)
 Main PID: 19851 (ocserv-main)
    Tasks: 2 (limit: 5061)
   Memory: 3.2M
   CGroup: /system.slice/ocserv.service
           ├─19851 ocserv-main
           └─19853 ocserv-sm

Hint: If the above command does not return immediately, press the Q key to get the terminal back.

By default, the OpenConnect VPN server listens on TCP and UDP port 443. If a web server already uses that port, the VPN server will fail to start. We will see later how to let the OpenConnect VPN server and the web server share the same port.

Step 7: Enabling IP forwarding in the Linux kernel

To enable the VPN server to forward packets between the VPN client and the Internet, we need to enable IP forwarding. Edit the sysctl.conf file.

sudo nano /etc/sysctl.conf

Add the following line at the end of this file.

net.ipv4.ip_forward = 1

Save the file and close it. Then apply the changes with the command below. The -p option loads the sysctl settings from /etc/sysctl.conf. Because the setting is stored in that file, it survives a reboot.

sudo sysctl -p

Step 8: Configure IP Masquerading in the Firewall

Run the following commands to enable IP masquerading in the server firewall.

sudo firewall-cmd --zone=public --permanent --add-masquerade
sudo systemctl restart firewalld

This hides your VPN network from the outside world. The Internet only sees the IP address of your VPN server, not the IP address of your VPN client, just as your home router hides your home network.

The OpenConnect VPN server is now ready to accept client connections.

Install and Use the OpenConnect VPN Client on CentOS 8/Fedora Desktop

To install the OpenConnect VPN command line client on the Fedora desktop, run the following command.

sudo dnf install openconnect

On CentOS 8, the EPEL repository must be enabled in order to install the client.

sudo dnf install epel-release
sudo dnf install openconnect

You can then connect to the VPN server from the command line, as shown below. The -b flag makes the client run in the background after the connection is established.

sudo openconnect -b vpn.example.com

By default, the openconnect client sends a request to port 443 on the server. If you have configured another port for the server, you can add a port number.

sudo openconnect -b vpn.example.com:port-number

You will be prompted to enter your VPN username and password. If the connection is successful, you will see the following message.

Got CONNECT response: HTTP/1.1 200 CONNECTED
CSTP connected. DPD 90, Keepalive 32400
Connected as 10.10.50.139, using SSL + lz4
Continuing in background; pid 2137
Established DTLS connection (using GnuTLS). Ciphersuite (DTLS1.2)-(PSK)-(AES-256-GCM).

If the connection failed, you can check the ocserv log to know why. (You may have typed the password incorrectly).

sudo journalctl -eu ocserv

To disconnect, run:

sudo pkill openconnect

Use the following syntax to start the client non-interactively.

echo -n password | sudo openconnect -b vpn.example.com -u username --passwd-on-stdin

If you have connected to the VPN server successfully but your public IP address does not change, then IP forwarding or IP masquerading is not working.

Automatic connection at system startup

We can create a systemd service unit so that the OpenConnect VPN client connects to the server automatically at boot time.

sudo nano /etc/systemd/system/openconnect.service

Add the following lines to the file. Replace the password, domain name and username with your own.

[Unit]
Description=OpenConnect VPN Client
After=network-online.target
Wants=network-online.target

[Service]
Type=simple
ExecStart=/bin/bash -c '/bin/echo -n password | /usr/sbin/openconnect vpn.example.com -u username --passwd-on-stdin'
KillSignal=SIGINT
Restart=always
RestartSec=2

[Install]
WantedBy=multi-user.target

Save the file and close it. Then enable the service so that it starts at boot time.

sudo systemctl enable openconnect.service

Explanation of the unit file:

  • After=network-online.target and Wants=network-online.target make this service start after the network is online.
  • In practice, this service may still start before the network is up. We add Restart=always and RestartSec=2 so that the service restarts 2 seconds after a failure.
  • Systemd does not recognize the pipe redirection, so in the ExecStart directive we put the command in single quotes and run it in a bash shell.
  • Since the OpenConnect VPN client runs in the background as a systemd service, there is no need to add the -b flag to the openconnect command.
  • The KillSignal directive tells systemd to send SIGINT when the service is stopped. This performs a clean shutdown by terminating the VPN session and restoring the DNS server settings and the Linux kernel routing table.

To start this Systemd service immediately, launch

sudo systemctl start openconnect

To stop this systemd service, run

sudo systemctl stop openconnect

OpenConnect GUI Client for Windows and macOS

You can download it from the Github page of the OpenConnect GUI.

Speed

The OpenConnect VPN is quite fast. I can use it to watch 4k videos on YouTube.


Auto-Renew the Let’s Encrypt Certificate

Edit the root user’s crontab file.

sudo crontab -e

Add the following line at the end of the file to create a daily cron job. If the certificate is going to expire within 30 days, certbot will try to renew it. ocserv needs to be restarted so that the VPN server picks up the new certificate and key file.

@daily certbot renew --quiet && systemctl restart ocserv

Optimization

By default, OpenConnect uses TLS over UDP (DTLS) for better speed, but UDP cannot provide reliable transmission. TCP is slower than UDP but provides reliable transmission. One optimization tip I can give you is to disable DTLS, use standard TLS (over TCP) and then enable TCP BBR to boost TCP speed.

You can also disable DTLS to get around firewall restrictions, since DTLS uses UDP port 443 while standard TLS uses TCP port 443.

To disable DTLS, comment out the following line in the ocserv configuration file (add # at the beginning).

udp-port = 443

Save the file and close it. Then restart ocserv.

sudo systemctl restart ocserv.service

To enable TCP BBR, refer to the following tutorial. It is written for Ubuntu, but it also works on CentOS.

In my test a standard TLS with TCP BBR enabled is twice as fast as the DTLS.

Troubleshooting

If you are using an OpenVZ VPS, you must enable the TUN virtual network device in the VPS control panel. (If you use a Vultr VPS, you have a KVM-based VPS, so you don’t have to worry about this.)

If you have a problem, check the OpenConnect VPN server log.

sudo journalctl -eu ocserv.service

I discovered that when I change port 443 to another port, the big Chinese firewall blocks this VPN connection.

Let the OpenConnect VPN Server and the Web Server Use Port 443 at the Same Time

Normally a port can only be used by one process. However, we can use HAProxy (High Availability Proxy) and SNI (Server Name Indication) to let ocserv and Apache/Nginx use port 443 at the same time.

First, edit the ocserv configuration file.

sudo nano /etc/ocserv/ocserv.conf

Find the following line.

#listen-host = [IP|HOSTNAME]

Change it to

listen-host = 127.0.0.1

This makes ocserv listen on 127.0.0.1 only, because HAProxy will need to listen on the public IP address.

Then add the following line. This allows ocserv to obtain the client’s real IP address instead of the HAProxy IP address.

listen-proxy-proto = true

Save the file and close it. Restart ocserv to make the changes take effect.

sudo systemctl restart ocserv

We also need to make sure the web server listens on localhost only instead of the public IP address. If you use Nginx, edit the server block file.

sudo nano /etc/nginx/conf.d/www.example.com.conf

Look for the following statement in the SSL server block.

listen 443 ssl;

Change it to

listen 127.0.0.2:443 ssl;

This time we make it listen on 127.0.0.2:443, because 127.0.0.1:443 is already in use by ocserv. Save the file and close it. Then restart Nginx.

sudo systemctl restart nginx

Now install HAProxy.

sudo dnf install haproxy

Edit the configuration file.

sudo nano /etc/haproxy/haproxy.cfg

Copy the following lines and paste them at the end of the file. Replace 12.34.56.78 with the public IP address of your server. Replace vpn.example.com by the domain name used by ocserv and www.example.com by the domain name used by your web server.

frontend https
    bind 12.34.56.78:443
    mode tcp
    tcp-request inspect-delay 5s
    tcp-request content accept if { req_ssl_hello_type 1 }

    use_backend ocserv if { req_ssl_sni -i vpn.example.com }
    use_backend nginx if { req_ssl_sni -i www.example.com }
    use_backend nginx if { req_ssl_sni -i example.com }

    default_backend ocserv

backend ocserv
    mode tcp
    option ssl-hello-chk
    server ocserv 127.0.0.1:443 send-proxy-v2

backend nginx
    mode tcp
    option ssl-hello-chk
    server nginx 127.0.0.2:443 check

Save the file and close it. Then restart HAproxy.

sudo systemctl restart haproxy

In the above configuration we used the SNI (Server Name Indication) function in TLS to distinguish VPN traffic from normal HTTPS traffic.

  • If vpn.example.com is in the TLS Client Hello, HAProxy routes the traffic to the ocserv backend.
  • If www.example.com is in the TLS Client Hello, HAProxy routes the traffic to the nginx backend.
  • If the client does not provide a server name in the TLS Client Hello, HAProxy uses the default backend (ocserv).

You can test this setting with the openssl tool. First execute the following command several times.

echo | openssl s_client -connect your-server-IP:443 | grep subject

We did not specify a server name in the above command, so HAProxy always sends the request to the default backend (ocserv), which sends its certificate to the client. Then run the following two commands.

echo | openssl s_client -servername www.example.com -connect your-server-IP:443 | grep subject

echo | openssl s_client -servername vpn.example.com -connect your-server-IP:443 | grep subject

This time we specified a server name in the commands, so HAProxy forwards the request accordingly. Note that the Cisco AnyConnect client does not support TLS SNI, so it is preferable to set ocserv as the default backend in the HAProxy configuration file.
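To see how HAProxy will route a given Client Hello without sending any traffic, the script below, an added example that is not part of the tutorial, parses the SNI rules out of haproxy.cfg and answers the same question as the openssl commands above: which backend serves a name, and where a hello with no server name ends up. The function names (haproxy_sni_map, backend_for_sni, sni_subject, write_sample_cfg) are my own; the configuration it writes is a constructed copy of the frontend shown earlier, and sni_subject wraps the openssl check for use against a live server but is not run here:

```bash
#!/usr/bin/env bash
# Added example, not part of the tutorial: read the SNI routing rules out of an
# haproxy.cfg offline, and probe a live server the way the openssl commands above do.
set -euo pipefail

# haproxy_sni_map FILE: one "NAME BACKEND" line per "use_backend ... req_ssl_sni -i NAME"
# rule, in file order, then "<no-sni> BACKEND" for default_backend.
haproxy_sni_map() {
    awk '
        /^[ \t]*use_backend[ \t]+/ && /req_ssl_sni[ \t]+-i[ \t]+/ {
            split($0, parts, "req_ssl_sni[ \t]+-i[ \t]+")
            name = parts[2]; sub(/[ \t]*}.*$/, "", name)
            print name, $2
        }
        /^[ \t]*default_backend[ \t]+/ { print "<no-sni>", $2 }
    ' "$1"
}

# backend_for_sni NAME FILE: backend HAProxy selects for a Client Hello carrying
# NAME ("" = no SNI, as the Cisco AnyConnect client sends). First matching rule
# wins, -i makes the match case-insensitive, unmatched names fall through to
# default_backend.
backend_for_sni() {
    haproxy_sni_map "$2" | awk -v want="${1:-<no-sni>}" '
        tolower($1) == tolower(want) { print $2; found = 1; exit }
        $1 == "<no-sni>" { def = $2 }
        END { if (!found) print def }'
}

# sni_subject IP NAME: certificate subject returned for NAME ("" = no SNI).
# Network call against a real server; not executed by the demonstration below.
sni_subject() {
    if [ -n "$2" ]; then
        echo | timeout 10 openssl s_client -servername "$2" -connect "$1:443" 2>/dev/null | grep subject
    else
        echo | timeout 10 openssl s_client -connect "$1:443" 2>/dev/null | grep subject
    fi
}

# write_sample_cfg FILE: constructed copy of the tutorial's frontend section.
write_sample_cfg() {
    cat > "$1" <<'EOF'
frontend https
    bind 12.34.56.78:443
    mode tcp
    tcp-request inspect-delay 5s
    tcp-request content accept if { req_ssl_hello_type 1 }
    use_backend ocserv if { req_ssl_sni -i vpn.example.com }
    use_backend nginx if { req_ssl_sni -i www.example.com }
    use_backend nginx if { req_ssl_sni -i example.com }
    default_backend ocserv
EOF
}

# Demonstration on the constructed sample; use /etc/haproxy/haproxy.cfg for real.
cfg="$(mktemp)"
write_sample_cfg "$cfg"
haproxy_sni_map "$cfg"
printf 'no SNI -> %s, unknown name -> %s\n' \
    "$(backend_for_sni "" "$cfg")" "$(backend_for_sni mail.example.com "$cfg")"
```

backend_for_sni mirrors HAProxy’s first-match evaluation, the -i (case-insensitive) flag and the fall-through to default_backend for an unknown name, which is why both the order of the use_backend lines and the choice of default matter: a client that sends no SNI, as the Cisco AnyConnect client does, must land on ocserv, and a wrong default would silently hand those clients to the web server. For a live check, call sni_subject with the server IP and the SNI name (an empty string for none).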

When renewing the Let’s Encrypt certificate for your website, it is recommended to use the http-01 challenge instead of tls-alpn-01, because HAProxy listening on port 443 of the public IP address can interfere with the renewal process.

sudo certbot renew --preferred-challenges http-01

HAProxy Troubleshooting

If your Nginx website does not load in the browser and you see the following messages in the HAProxy log (/var/log/haproxy.log)

Server nginx/nginx is DOWN, reason: Socket error, info: "Connection reset by peer"

backend nginx has no server available!

Layer6 invalid response

This may be because your backend Nginx web server uses a TLS certificate with the OCSP must-staple extension, and Nginx does not send the OCSP stapling information in the first HTTP request. To make this work, you must add a resolver to your Nginx virtual host configuration, as shown below.

server {
    ...
    ssl_trusted_certificate /etc/letsencrypt/live/www.example.com/chain.pem;
    ssl_stapling on;
    ssl_stapling_verify on;

    resolver 8.8.8.8;
}

Save the file and close it. Then restart the Nginx.

sudo systemctl restart nginx

You can also consider removing the backend server health check in HAProxy. Change

server nginx 127.0.0.2:443 check

to

server nginx 127.0.0.2:443

Save the file and close it. Then restart HAproxy.

sudo systemctl restart haproxy

How to Disable TLS 1.0 and TLS 1.1 in ocserv

The PCI Security Standards Council deprecated TLS 1.0 in June 2018. Mainstream web browsers will disable TLS 1.0 and TLS 1.1 in 2020. We should do the same on the VPN server. Edit the main configuration file.

sudo nano /etc/ocserv/ocserv.conf

Find the next line:

tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-VERS-SSL3.0"

To disable TLS 1.0 and TLS 1.1 on the OpenConnect VPN server, replace it with:

tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-RSA:-VERS-SSL3.0:-ARCFOUR-128:-VERS-TLS1.0:-VERS-TLS1.1"

Save the file and close it. Then restart ocserv.

sudo systemctl restart ocserv

From now on, ocserv only accepts TLS 1.2. For more information on the TLS parameters in ocserv, see the GnuTLS priority strings documentation.

To check whether TLS 1.0 is still supported by your OpenConnect VPN server, run the following command.

openssl s_client -connect vpn.your-domain.com:443 -tls1

And to check TLS 1.1:

openssl s_client -connect vpn.your-domain.com:443 -tls1_1

If the following message appears in the output, it means that the TLS version is not supported.

New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported

Per-User or Per-Group Configuration

ocserv supports per-user and per-group configuration. To enable this feature, uncomment the following two lines in /etc/ocserv/ocserv.conf

config-per-user = /etc/ocserv/config-per-user/
config-per-group = /etc/ocserv/config-per-group/

Save the file and close it. Then create a configuration folder for each user and group.

sudo mkdir /etc/ocserv/config-per-user/
sudo mkdir /etc/ocserv/config-per-group/

Then you can create a file in these two folders. For example, create a user1 file to enable the user configuration for user1.

sudo nano /etc/ocserv/config-per-user/user1

You can also create a group1 file to enable a custom configuration for a group called group1.

sudo nano /etc/ocserv/config-per-group/group1

You can add something similar to what’s below.

route = 10.10.10.0/255.255.255.0

This means that after user1 connects to this VPN server, only traffic to the 10.10.10.0/24 network is routed through the VPN server. Traffic to other IP addresses is routed through the original gateway. I use this to connect my other VPS (Virtual Private Server) to this VPN server.

Save the file and close it. Restart ocserv to make the changes take effect.

How to Set Up a VPN Relay

Assuming there are two servers: Server A and Server B.

  • You have a good connection to server A: the latency is very low and no packets are dropped.
  • You have a bad connection to server B: the latency is high and packets are dropped.
  • The connection between server A and server B is good.

Of course you want to install the VPN on server A. But what if you want the Internet to see your traffic coming from the IP address of server B? Well, you can install ocserv on server B and then configure HAProxy on server A to proxy traffic between your computer and server B.

Install HAProxy on server A.

sudo dnf install haproxy

Edit the main configuration file.

sudo nano /etc/haproxy/haproxy.cfg

Set up the frontend and backend as before. Replace 12.34.56.78 with the public IP address of server A. Replace 12.34.56.79 with the public IP address of server B.

frontend https
    bind 12.34.56.78:443
    mode tcp
    tcp-request inspect-delay 5s
    tcp-request content accept if { req_ssl_hello_type 1 }

    use_backend ocserv if { req_ssl_sni -i vpn.example.com }

    default_backend ocserv

backend ocserv
    mode tcp
    option ssl-hello-chk
    server ocserv 12.34.56.79:443 send-proxy-v2

Save the file and close it. On server B, you must configure ocserv to listen on the public IP address and enable the proxy protocol as before. Then change the A record of vpn.example.com so that it points to the IP address of server A.

Restart HAProxy and ocserv, and it should work.

How to Run Two Instances of ocserv on the Same Server

Copy the binary file to a new file.

sudo cp /usr/sbin/ocserv /usr/sbin/ocserv2

Copy the configuration file to a new file.

sudo cp /etc/ocserv/ocserv.conf /etc/ocserv/ocserv2.conf

Edit the second configuration file.

sudo nano /etc/ocserv/ocserv2.conf

You can use different server certificates, listen to the host, port number, IP address range, DNS server address, and so on.

Copy the systemd service unit to a new file.

sudo cp /usr/lib/systemd/system/ocserv.service /etc/systemd/system/ocserv2.service

Edit the file.

sudo nano /etc/systemd/system/ocserv2.service

Change the configuration file path from /etc/ocserv/ocserv.conf to /etc/ocserv/ocserv2.conf. Save the file and close it. Then reload systemd.

sudo systemctl daemon-reload

Start the second ocserv instance.

sudo systemctl start ocserv2

Enable automatic start at boot time.

sudo systemctl enable ocserv2
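Copying ocserv.service by hand and editing one path is easy to get slightly wrong, because the unit also passes a PID file on the command line and the second instance must not reuse it. The script below is an added example, not part of the tutorial: derive_second_unit rewrites the binary, config and PID file paths in a copy of the unit, and shared_exec_paths lists any absolute path that both ExecStart lines still have in common, which should come back empty. The unit written by write_sample_unit is a constructed stand-in modelled on the EPEL unit as I remember it (an assumption: compare it against /usr/lib/systemd/system/ocserv.service on your own server); the function names are my own:

```bash
#!/usr/bin/env bash
# Added example, not part of the tutorial: derive the ocserv2 unit from the
# ocserv unit and check that the two instances share no runtime paths.
set -euo pipefail

# derive_second_unit SRC DST: copy a unit, rewriting the binary, config and PID
# file paths so the second instance keeps its own state.
derive_second_unit() {
    sed -E \
        -e 's#/usr/sbin/ocserv([^0-9A-Za-z_]|$)#/usr/sbin/ocserv2\1#g' \
        -e 's#/etc/ocserv/ocserv\.conf#/etc/ocserv/ocserv2.conf#g' \
        -e 's#/run/ocserv\.pid#/run/ocserv2.pid#g' \
        "$1" > "$2"
}

# unit_directive KEY FILE: value of the first "KEY=..." line in a unit file.
unit_directive() {
    awk -v key="$1" 'index($0, key "=") == 1 { print substr($0, length(key) + 2); exit }' "$2"
}

# shared_exec_paths UNIT1 UNIT2: absolute paths that appear in both ExecStart
# lines. Anything printed is state the two daemons would fight over.
shared_exec_paths() {
    comm -12 \
        <(unit_directive ExecStart "$1" | tr ' ' '\n' | grep '^/' | sort -u) \
        <(unit_directive ExecStart "$2" | tr ' ' '\n' | grep '^/' | sort -u)
}

# write_sample_unit FILE: constructed unit modelled on the EPEL ocserv.service
# as I remember it (assumption: check your own copy under /usr/lib/systemd/system).
write_sample_unit() {
    cat > "$1" <<'EOF'
[Unit]
Description=OpenConnect SSL VPN server
Documentation=man:ocserv(8)
After=network-online.target

[Service]
PrivateTmp=true
PIDFile=/run/ocserv.pid
ExecStart=/usr/sbin/ocserv --foreground --pid-file /run/ocserv.pid --config /etc/ocserv/ocserv.conf

[Install]
WantedBy=multi-user.target
EOF
}

# Demonstration on the constructed sample unit.
src="$(mktemp)"; dst="$(mktemp)"
write_sample_unit "$src"
derive_second_unit "$src" "$dst"
printf 'ocserv2 ExecStart: %s\n' "$(unit_directive ExecStart "$dst")"
printf 'shared paths: [%s]\n' "$(shared_exec_paths "$src" "$dst")"
```

For real use, run derive_second_unit /usr/lib/systemd/system/ocserv.service /etc/systemd/system/ocserv2.service as root and then systemctl daemon-reload as described above. If shared_exec_paths prints anything, that path is state the two daemons would contend for and needs its own copy in the second unit.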

Wrapping Up

That’s it! I hope this tutorial helped you install and configure the OpenConnect VPN on a CentOS 8/RHEL 8 server. As always, if you found this post useful, subscribe to our free newsletter for more tips and tricks. Take care.
