How To Install OpenConnect VPN on AlmaLinux 9
In today’s digital landscape, securing your online presence is more crucial than ever. Virtual Private Networks (VPNs) have become an essential tool for protecting your privacy and accessing restricted content. This guide will walk you through the process of installing and configuring OpenConnect VPN on AlmaLinux 9, providing you with a robust and flexible VPN solution.
Introduction to OpenConnect VPN
OpenConnect VPN server, also known as ocserv, is an open-source implementation of the Cisco AnyConnect VPN protocol, so standard AnyConnect and OpenConnect clients can connect to it. It offers several advantages over traditional VPN solutions:
- High performance and stability
- Compatibility with a wide range of devices and operating systems
- Strong encryption and security features
- Easy setup and management
By following this guide, you’ll be able to set up your own OpenConnect VPN server on AlmaLinux 9, giving you complete control over your VPN infrastructure.
Prerequisites
Before we begin, ensure you have the following:
- An AlmaLinux 9 server with root or sudo access
- A basic understanding of Linux command-line operations
- A stable internet connection
- A domain name (optional, but recommended for SSL certificate setup)
Step 1: Updating the System
Start by updating your AlmaLinux 9 system to ensure you have the latest packages and security updates:
sudo dnf update -y
This command will fetch the latest package information and install any available updates.
Step 2: Installing EPEL Repository
The Extra Packages for Enterprise Linux (EPEL) repository contains additional packages not found in the default AlmaLinux repositories. Install it with the following command:
sudo dnf install epel-release -y
Step 3: Installing OpenConnect VPN Server
With the EPEL repository enabled, you can now install the OpenConnect VPN server package:
sudo dnf install ocserv -y
After the installation is complete, verify that ocserv was installed correctly by checking its version:
ocserv --version
You should see output displaying the installed version of ocserv.
Step 4: Configuring OpenConnect VPN Server
The main configuration file for ocserv is located at /etc/ocserv/ocserv.conf. We’ll need to modify this file to set up our VPN server according to our needs. Open the file in your preferred text editor:
sudo nano /etc/ocserv/ocserv.conf
Here are some key configurations you should consider:
Authentication Method
By default, ocserv uses PAM authentication. To use a separate password file for VPN users, find the following line:
#auth = "pam[gid-min=1000]"
If it is not already commented out, add a # at the beginning so it reads as shown, then add the following line below it:
auth = "plain[passwd=/etc/ocserv/ocpasswd]"
Network Settings
Configure the IP range for VPN clients. Find and modify these lines:
ipv4-network = 10.10.10.0
ipv4-netmask = 255.255.255.0
You can adjust these values based on your network requirements.
DNS Settings
Set the DNS servers for VPN clients. Find and modify these lines:
dns = 8.8.8.8
dns = 1.1.1.1
You can use Google’s DNS (8.8.8.8) and Cloudflare’s DNS (1.1.1.1) as shown above, or specify your preferred DNS servers.
Routing
To route all client traffic through the VPN, make sure the following lines are commented out with a # at the beginning, as shown. Any active route line turns the VPN into a split tunnel that only carries the listed networks:
#route = 10.10.10.0/255.255.255.0
#route = 192.168.0.0/255.255.0.0
#route = fef4:db8:1000:1001::/64
#no-route = 192.168.5.0/255.255.255.0
Save the file and exit the text editor.
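An added example, not from the tutorial, that checks a saved ocserv.conf against the edits above (plain auth enabled, network, DNS and certificate directives set, no active route lines); the directive names are ocserv's own, and the sample config it can write is constructed for offline use:

```shell
#!/bin/sh
# Added example, not part of the tutorial: audit an ocserv.conf for the
# settings Step 4 asks for. Takes a file path, so it can also run on a copy.

# Print the effective (uncommented) value(s) of a directive, one per line.
ocserv_conf_get() {  # $1 = directive name, $2 = config file
    sed -n -E "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" "$2" | sed -E 's/[[:space:]]+$//'
}

# Return 0 if the file matches the tutorial's intent; else print problems, return 1.
ocserv_conf_audit() {  # $1 = config file
    f=$1; rc=0
    case "$(ocserv_conf_get auth "$f")" in
        *'plain[passwd='*) ;;   # password-file auth as set up in Step 4
        *) echo "auth is not plain[passwd=...]: users in ocpasswd cannot log in"; rc=1 ;;
    esac
    for d in ipv4-network ipv4-netmask dns server-cert server-key; do
        [ -n "$(ocserv_conf_get "$d" "$f")" ] || { echo "$d is not set"; rc=1; }
    done
    # Any active route= line makes this a split tunnel instead of routing all traffic.
    n=$(ocserv_conf_get route "$f" | grep -c . || true)
    [ "$n" -eq 0 ] || { echo "$n active route= line(s): not all client traffic is tunnelled"; rc=1; }
    return $rc
}

# Write a constructed sample that mirrors the tutorial's edits (not a real
# server's config) to the path in $1, for trying the audit offline.
ocserv_write_sample_conf() {
    cat > "$1" <<'EOF'
#auth = "pam[gid-min=1000]"
auth = "plain[passwd=/etc/ocserv/ocpasswd]"
ipv4-network = 10.10.10.0
ipv4-netmask = 255.255.255.0
dns = 8.8.8.8
dns = 1.1.1.1
#route = 10.10.10.0/255.255.255.0
#route = 192.168.0.0/255.255.0.0
server-cert = /etc/ssl/certs/ocserv.crt
server-key = /etc/ssl/private/ocserv.key
EOF
}

if [ "${1:-}" = "--sample" ]; then   # ./audit.sh --sample: run on the sample
    s=$(mktemp); ocserv_write_sample_conf "$s"
    ocserv_conf_audit "$s" && echo "sample config: OK"; rm -f "$s"
elif [ -n "${1:-}" ]; then            # ./audit.sh /etc/ocserv/ocserv.conf
    ocserv_conf_audit "$1" && echo "$1: OK"
fi
```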
Step 5: Generating SSL Certificates
OpenConnect VPN requires SSL certificates for secure communication. You have two options: self-signed certificates or certificates from a trusted Certificate Authority (CA) like Let’s Encrypt.
Option 1: Self-Signed Certificates
To generate a self-signed certificate, use the following command:
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/ocserv.key -out /etc/ssl/certs/ocserv.crt
Follow the prompts to enter your certificate information. Once complete, update the ocserv configuration file to use these certificates:
sudo nano /etc/ocserv/ocserv.conf
Find and modify these lines:
server-cert = /etc/ssl/certs/ocserv.crt
server-key = /etc/ssl/private/ocserv.key
Option 2: Let’s Encrypt Certificates
To avoid certificate warnings on clients, you can use Let’s Encrypt to obtain free SSL certificates that clients already trust. First, install Certbot:
sudo dnf install certbot
Then, obtain a certificate (replace vpn.example.com with your domain). Certbot’s standalone mode answers the challenge on port 80, so that port must be reachable from the internet while the command runs:
sudo certbot certonly --standalone -d vpn.example.com
Update the ocserv configuration file to use these certificates:
sudo nano /etc/ocserv/ocserv.conf
Find and modify these lines:
server-cert = /etc/letsencrypt/live/vpn.example.com/fullchain.pem
server-key = /etc/letsencrypt/live/vpn.example.com/privkey.pem
Step 6: Creating VPN User Accounts
To create VPN user accounts, use the ocpasswd tool:
sudo ocpasswd -c /etc/ocserv/ocpasswd username
Replace “username” with the desired username. You’ll be prompted to enter and confirm a password for the user.
Step 7: Configuring Firewall and Network Settings
To allow VPN traffic, you need to open the necessary ports and enable IP forwarding so the server can pass client packets on to other networks.
Firewall Configuration
Open port 443 (or your chosen port) using firewalld. Note that the https service covers TCP 443 only; ocserv also uses UDP 443 for DTLS, so open that port as well if you want DTLS rather than a TCP-only tunnel:
sudo firewall-cmd --add-service=https --permanent
sudo firewall-cmd --reload
IP Forwarding
Enable IP forwarding by editing the sysctl configuration:
sudo nano /etc/sysctl.conf
Add or uncomment the following line:
net.ipv4.ip_forward = 1
Apply the changes:
sudo sysctl -p
Step 8: Starting and Enabling OpenConnect VPN Server
Start the ocserv service and enable it to start on boot:
sudo systemctl start ocserv
sudo systemctl enable ocserv
Verify that the service is running:
sudo systemctl status ocserv
Step 9: Connecting to Your VPN
To connect to your new OpenConnect VPN server, you’ll need an OpenConnect-compatible client. Here are some options:
- Linux: Use the openconnect command-line tool or NetworkManager with the OpenConnect plugin
- Windows: Use the official Cisco AnyConnect client or an open-source alternative like OpenConnect GUI
- macOS: Use the official Cisco AnyConnect client or an open-source alternative like OpenConnect GUI
- iOS: Use the official Cisco AnyConnect app from the App Store
- Android: Use the official Cisco AnyConnect app from the Google Play Store
To connect using the command-line tool on Linux, use:
sudo openconnect vpn.example.com
Replace vpn.example.com with your server’s domain or IP address. If you used a self-signed certificate, openconnect will warn that the certificate is not trusted and ask you to confirm it before connecting.
Troubleshooting Tips
If you encounter issues while setting up or using your OpenConnect VPN, try these troubleshooting steps:
- Check the ocserv logs for error messages:
sudo journalctl -u ocserv
- Verify that the firewall is configured correctly:
sudo firewall-cmd --list-all
- Ensure that IP forwarding is enabled (should return 1):
cat /proc/sys/net/ipv4/ip_forward
- Check that the SSL certificates are valid and properly configured
- Verify that the user accounts are created correctly in the ocpasswd file
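The firewall, IP forwarding and user-account checks from Step 7 and the list above, as an added example that is not part of the tutorial; it assumes ocserv listens on port 443 and uses the 10.10.10.0/24 client range from Step 4, and the firewall-cmd output it ships with is constructed:

```shell
#!/bin/sh
# Added example, not part of the tutorial: offline checks for the Step 7
# firewall/forwarding setup and the troubleshooting list above. Each function
# takes its input as a string or file path, so it runs on captured output too.

# $1 = text of `firewall-cmd --list-all`. Returns 0 when TCP 443, UDP 443 and
# masquerade are all enabled; prints what is missing otherwise.
ocserv_fw_audit() {
    rc=0
    services=$(printf '%s\n' "$1" | sed -n -E 's/^[[:space:]]*services:[[:space:]]*//p')
    ports=$(printf '%s\n' "$1" | sed -n -E 's/^[[:space:]]*ports:[[:space:]]*//p')
    masq=$(printf '%s\n' "$1" | sed -n -E 's/^[[:space:]]*masquerade:[[:space:]]*//p')
    tcp=0; udp=0
    case " $services " in *' https '*) tcp=1 ;; esac
    case " $ports " in *' 443/tcp '*) tcp=1 ;; esac
    case " $ports " in *' 443/udp '*) udp=1 ;; esac
    [ "$tcp" -eq 1 ] || { echo "TCP 443 closed (add the https service or 443/tcp)"; rc=1; }
    # The https service covers TCP only; DTLS needs UDP 443 as well
    # (firewall-cmd --permanent --add-port=443/udp), or clients fall back to TLS over TCP.
    [ "$udp" -eq 1 ] || { echo "UDP 443 closed: no DTLS"; rc=1; }
    # Forwarded client traffic keeps its 10.10.10.x source address unless it is
    # masqueraded (firewall-cmd --permanent --add-masquerade).
    [ "$masq" = yes ] || { echo "masquerade off: client traffic is not NATed"; rc=1; }
    return $rc
}

# $1 = path of the ip_forward sysctl (default: the live kernel value).
ocserv_ipfwd_enabled() {
    [ "$(cat "${1:-/proc/sys/net/ipv4/ip_forward}" 2>/dev/null)" = 1 ]
}

# $1 = username, $2 = ocpasswd file. Entries are "user:group:hash", one per line.
ocserv_user_exists() {
    grep -q -- "^$1:" "$2" 2>/dev/null
}

# Constructed sample (not the tutorial's output) of `firewall-cmd --list-all`
# after Step 7 plus the UDP port and masquerade.
FW_SAMPLE='public (active)
  target: default
  interfaces: eth0
  services: cockpit dhcpv6-client https ssh
  ports: 443/udp
  masquerade: yes
  rich rules: '

ocserv_fw_audit "$FW_SAMPLE" && echo "sample firewall: OK"
ocserv_ipfwd_enabled && echo "ip_forward: enabled" || echo "ip_forward: disabled"
```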
Congratulations! You have successfully installed the OpenConnect VPN server. Thanks for using this tutorial for installing OpenConnect on AlmaLinux 9. For additional help or useful information, we recommend you check the official OpenConnect website.