
How To Install OpenConnect VPN on AlmaLinux 9


In today’s digital landscape, securing your online presence is more crucial than ever. Virtual Private Networks (VPNs) have become an essential tool for protecting your privacy and accessing restricted content. This guide will walk you through the process of installing and configuring OpenConnect VPN on AlmaLinux 9, providing you with a robust and flexible VPN solution.

Introduction to OpenConnect VPN

OpenConnect VPN server, packaged as ocserv, is an open-source implementation of the Cisco AnyConnect VPN protocol; the OpenConnect client and several Cisco clients can connect to it. It offers several advantages over traditional VPN solutions:

  • High performance and stability
  • Compatibility with a wide range of devices and operating systems
  • Strong encryption and security features
  • Easy setup and management

By following this guide, you’ll be able to set up your own OpenConnect VPN server on AlmaLinux 9, giving you complete control over your VPN infrastructure.

Prerequisites

Before we begin, ensure you have the following:

  • An AlmaLinux 9 server with root or sudo access
  • A basic understanding of Linux command-line operations
  • A stable internet connection
  • A domain name (optional, but recommended for SSL certificate setup)

Step 1: Updating the System

Start by updating your AlmaLinux 9 system to ensure you have the latest packages and security updates:

sudo dnf update -y

This command will fetch the latest package information and install any available updates.

Step 2: Installing EPEL Repository

The Extra Packages for Enterprise Linux (EPEL) repository contains additional packages not found in the default AlmaLinux repositories. Install it with the following command:

sudo dnf install epel-release -y

Step 3: Installing OpenConnect VPN Server

With the EPEL repository enabled, you can now install the OpenConnect VPN server package:

sudo dnf install ocserv -y

After the installation is complete, verify that ocserv was installed correctly by checking its version:

ocserv --version

You should see output displaying the installed version of ocserv.

Step 4: Configuring OpenConnect VPN Server

The main configuration file for ocserv is located at /etc/ocserv/ocserv.conf. We’ll need to modify this file to set up our VPN server according to our needs. Open the file in your preferred text editor:

sudo nano /etc/ocserv/ocserv.conf

Here are some key configurations you should consider:

Authentication Method

By default, ocserv authenticates users through PAM, i.e. against the system's own accounts. To use a separate password file for VPN users instead, find the following line:

auth = "pam[gid-min=1000]"

Comment it out by adding a # at the beginning, so that it reads:

#auth = "pam[gid-min=1000]"

and add the following line below it:

auth = "plain[passwd=/etc/ocserv/ocpasswd]"

Network Settings

Configure the IP range for VPN clients. Find and modify these lines:

ipv4-network = 10.10.10.0
ipv4-netmask = 255.255.255.0

You can adjust these values based on your network requirements.

DNS Settings

Set the DNS servers for VPN clients. Find and modify these lines:

dns = 8.8.8.8
dns = 1.1.1.1

You can use Google’s DNS (8.8.8.8) and Cloudflare’s DNS (1.1.1.1) as shown above, or specify your preferred DNS servers.

Routing

ocserv only pushes split-tunnel routes to clients while route directives are active. To route all client traffic through the VPN, make sure the following lines are commented out (each one starts with #); if any of them is still active in your file, add the # yourself:

#route = 10.10.10.0/255.255.255.0
#route = 192.168.0.0/255.255.0.0
#route = fef4:db8:1000:1001::/64
#no-route = 192.168.5.0/255.255.255.0

Save the file and exit the text editor.

Step 5: Generating SSL Certificates

OpenConnect VPN requires SSL certificates for secure communication. You have two options: self-signed certificates or certificates from a trusted Certificate Authority (CA) like Let’s Encrypt.

Option 1: Self-Signed Certificates

To generate a self-signed certificate, use the following command:

sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/ocserv.key -out /etc/ssl/certs/ocserv.crt

Follow the prompts to enter your certificate information. Once complete, update the ocserv configuration file to use these certificates:

sudo nano /etc/ocserv/ocserv.conf

Find and modify these lines:

server-cert = /etc/ssl/certs/ocserv.crt
server-key = /etc/ssl/private/ocserv.key

Option 2: Let’s Encrypt Certificates

So that clients can verify the server without having to trust a self-signed certificate by hand, you can use Let’s Encrypt to obtain free, trusted SSL certificates. First, install Certbot (it is provided by the EPEL repository enabled in Step 2):

sudo dnf install certbot

Then, obtain a certificate (replace vpn.example.com with your domain). The --standalone authenticator starts its own temporary web server on TCP port 80, so that port must be reachable from the internet and not in use while the command runs:

sudo certbot certonly --standalone -d vpn.example.com

Update the ocserv configuration file to use these certificates:

sudo nano /etc/ocserv/ocserv.conf

Find and modify these lines:

server-cert = /etc/letsencrypt/live/vpn.example.com/fullchain.pem
server-key = /etc/letsencrypt/live/vpn.example.com/privkey.pem
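The edits from Step 4 and Step 5 can also be applied non-interactively. The shell functions below are an added example, not part of this tutorial or of the ocserv project: they rewrite ocserv.conf with awk using the same settings as above (plain password file at /etc/ocserv/ocpasswd, the 10.10.10.0/24 pool, the two DNS servers, all route directives disabled), take the certificate and key paths as arguments, keep a backup of the original file, and can be re-run safely. The check function verifies the result the way a reviewer would before starting the service.

```shell
#!/bin/sh
# Added example (not from the tutorial): apply the Step 4/5 edits to ocserv.conf.
# Usage: apply_ocserv_config /etc/ocserv/ocserv.conf CERT_PATH KEY_PATH

apply_ocserv_config() {
    conf="$1"    # path to ocserv.conf
    cert="$2"    # server certificate (self-signed or Let's Encrypt fullchain.pem)
    key="$3"     # matching private key
    cp "$conf" "$conf.bak" || return 1          # keep a backup before editing

    awk -v cert="$cert" -v key="$key" '
        # Authentication: disable the PAM line (whether or not it is already
        # commented) and add the plain password-file backend right after it.
        /^#*auth = "pam/ {
            sub(/^#*/, "#"); print
            print "auth = \"plain[passwd=/etc/ocserv/ocpasswd]\""
            next
        }
        /^auth = "plain/ { next }                # drop an earlier plain line (re-runs stay idempotent)
        # TLS certificate and key.
        /^#*server-cert = / { print "server-cert = " cert; next }
        /^#*server-key = /  { print "server-key = " key; next }
        # Address pool handed out to clients.
        /^#*ipv4-network = / { print "ipv4-network = 10.10.10.0"; next }
        /^#*ipv4-netmask = / { print "ipv4-netmask = 255.255.255.0"; next }
        # DNS servers pushed to clients: replace the first dns line, drop the rest.
        /^#*dns = / {
            if (!dns_done) { print "dns = 8.8.8.8"; print "dns = 1.1.1.1"; dns_done = 1 }
            next
        }
        # With no active route/no-route directive, clients send everything through the tunnel.
        /^#*(no-)?route = / { sub(/^#*/, "#"); print; next }
        { print }
    ' "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# Returns 0 when the file carries the settings this guide expects.
check_ocserv_config() {
    conf="$1"
    grep -q '^auth = "plain\[passwd=/etc/ocserv/ocpasswd\]"$' "$conf" || return 1
    grep -q '^auth = "pam' "$conf" && return 1          # PAM must be disabled
    grep -Eq '^(no-)?route = ' "$conf" && return 1      # any active route means split tunnel
    grep -q '^server-cert = ' "$conf" || return 1
    grep -q '^server-key = ' "$conf" || return 1
    return 0
}
```

Run it as root against /etc/ocserv/ocserv.conf with the certificate and key paths from Option 1 or Option 2, then run check_ocserv_config on the same file; a non-zero exit means one of the Step 4 settings is still missing. The awk rules match lines that are already commented out, so the script produces the same file whether it starts from the stock configuration or from one you edited by hand.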

Step 6: Creating VPN User Accounts

To create VPN user accounts, use the ocpasswd tool:

sudo ocpasswd -c /etc/ocserv/ocpasswd username

Replace “username” with the desired username. You’ll be prompted to enter and confirm a password for the user.

Step 7: Configuring Firewall and Network Settings

To allow VPN traffic, you need to open the necessary ports and enable IP forwarding.

Firewall Configuration

Open TCP and UDP port 443 (or your chosen port) using firewalld. The https service only covers TCP 443; ocserv also listens on UDP 443 for DTLS, so open that port explicitly. If clients route all their traffic through the VPN (Step 4), also enable masquerading so that forwarded packets from the 10.10.10.0/24 pool leave with the server's own address:

sudo firewall-cmd --add-service=https --permanent
sudo firewall-cmd --add-port=443/udp --permanent
sudo firewall-cmd --add-masquerade --permanent
sudo firewall-cmd --reload

IP Forwarding

Enable IP forwarding by editing the sysctl configuration:

sudo nano /etc/sysctl.conf

Add or uncomment the following line:

net.ipv4.ip_forward = 1

Apply the changes:

sudo sysctl -p

Step 8: Starting and Enabling OpenConnect VPN Server

Start the ocserv service and enable it to start on boot:

sudo systemctl start ocserv
sudo systemctl enable ocserv

Verify that the service is running:

sudo systemctl status ocserv

Step 9: Connecting to Your VPN

To connect to your new OpenConnect VPN server, you’ll need an OpenConnect-compatible client. Here are some options:

  • Linux: Use the openconnect command-line tool or NetworkManager with the OpenConnect plugin
  • Windows: Use the official Cisco AnyConnect client or an open-source alternative like OpenConnect GUI
  • macOS: Use the official Cisco AnyConnect client or an open-source alternative like OpenConnect GUI
  • iOS: Use the official Cisco AnyConnect app from the App Store
  • Android: Use the official Cisco AnyConnect app from the Google Play Store

To connect using the command-line tool on Linux, use:

sudo openconnect vpn.example.com

Replace vpn.example.com with your server’s domain or IP address.

Troubleshooting Tips

If you encounter issues while setting up or using your OpenConnect VPN, try these troubleshooting steps:

  • Check the ocserv logs for error messages: sudo journalctl -u ocserv
  • Verify that the firewall is configured correctly: sudo firewall-cmd --list-all
  • Ensure that IP forwarding is enabled: cat /proc/sys/net/ipv4/ip_forward (should return 1)
  • Check that the SSL certificates are valid and properly configured
  • Verify that the user accounts are created correctly in the ocpasswd file

Congratulations! You have successfully installed OpenConnect VPN server. Thanks for using this tutorial to install ocserv on AlmaLinux 9. For additional help or useful information, we recommend you check the official OpenConnect website.

VPS Manage Service Offer
If you don’t have time to do all of this, or if this is not your area of expertise, we offer a VPS management service starting from $10 (PayPal payment). Please contact us to get the best deal!

r00t

r00t is an experienced Linux enthusiast and technical writer with a passion for open-source software. With years of hands-on experience in various Linux distributions, r00t has developed a deep understanding of the Linux ecosystem and its powerful tools. He holds certifications in SCE and has contributed to several open-source projects. r00t is dedicated to sharing knowledge and expertise through well-researched and informative articles, helping others navigate the world of Linux with confidence.