Installing ocserv (OpenConnect Server) on CentOS 7 with Certificate Authentication

Although the title reads CentOS 7, this post actually applies to most RedHat releases.
On CentOS 6, you have to compile ocserv manually and deal with many dependency issues. But on CentOS 7, the configuration is fairly easy.

Apply for server certificate

Generate a CSR

cd ~
openssl req -new -newkey rsa:4096 -sha256 -nodes -out server.csr -keyout server.key

In the following prompts, only Common Name is mandatory. Fill it with domain name. Other blanks are optional.
ECC certificate is not recommended, because AnyConnect always prompts unsafe site even if it’s issued by a trusted CA.

Get a certificate from WoSign/StartCom or other CA with the generated CSR.
If signing algorithms can be chosen, do select SHA-2 rather than SHA-1.

The “fast issuance” of WoSign only applies to paid customers. Free users have to go through manual review on weekdays. Therefore I put certificate application on the first step.

Install ocserv

yum install epel-release
yum install ocserv

Configure ocserv

vim /etc/ocserv/ocserv.conf

Change as follows:

#Uncomment certificate auth and comment out PAM auth
auth = "certificate"
#auth = "pam"

#Client limit and per-user client limit.
max-clients = 16
max-same-clients = 2

#Listening port
tcp-port = 1234
udp-port = 1234

#Comment out this line because we use certificate auth
#listen-clear-file = /var/run/ocserv-conn.socket

#Mobile dead-peer-detection interval
mobile-dpd = 1800

#Set this to true. Otherwise problems may occur
try-mtu-discovery = true

#Server cert path
server-cert = /etc/ocserv/pki/server/server.crt
server-key = /etc/ocserv/pki/server/server.key

#CA cert path
ca-cert = /etc/ocserv/pki/ca/ca.crt

#IP range for clients. If you have other VPNs, make sure the IP range won't conflict
ipv4-network = 192.168.101.0
ipv4-netmask = 255.255.255.0

#DNS server
dns = 8.8.8.8
dns = 8.8.4.4
#dns = other fast DNS

Configure certificate

Create directories
mkdir /etc/ocserv/pki && cd /etc/ocserv/pki
mkdir server ca clients template
Configure server certificate
cd server
#Move private key here
mv ~/server.key . && chmod 400 server.key
#Copy issued certificate here
vim server.crt
Configure CA certificate
cd ../ca
certtool --generate-privkey --sec-param high --outfile ca.key
#You may write any text for self-signed certificate
cat << _EOF_ >../template/ca.tmpl
cn = "VPN CA"
organization = "Mid-south Sea"
serial = 1
expiration_days = 9999
ca
signing_key
cert_signing_key
crl_signing_key
_EOF_
#Generate certificate
certtool --generate-self-signed --load-privkey ca.key --template ../template/ca.tmpl --outfile ca.crt
chmod 400 ca.key
Configure client certificate
cd ../template
vim client.tmpl

#Input the follows as you like
cn = user
o = "Organization"
email = user@example.com
dns_name = "www.example.com"
country = US
state = "New York"
serial = 1
expiration_days = 9999
signing_key
encryption_key #only if the generated key is an RSA one
tls_www_client
ipsec_ike_key
time_stamping_key

#Automatic issuance script
cd ..
vim make-client.sh

#Input follows
#!/bin/sh
serial=`date +%s`
certtool --generate-privkey --outfile clients/$1.key
sed -i "1ccn = ${1}" template/client.tmpl
sed -i "3cemail = ${1}@example.com" template/client.tmpl
sed -i "7cserial = ${serial}" template/client.tmpl
certtool --generate-certificate --load-privkey clients/$1.key --load-ca-certificate ca/ca.crt --load-ca-privkey ca/ca.key --template template/client.tmpl --outfile clients/$1.crt
openssl pkcs12 -export -inkey clients/$1.key -in clients/$1.crt -name "$1 VPN Client Cert" -certfile ca/ca.crt -out clients/$1.p12
exit 0

#Setting permission
chmod 700 make-client.sh

Then you can conveniently generate client certificate:

./make-client.sh testuser

Start ocserv and add to auto-start

systemctl start ocserv
systemctl enable ocserv

Configure FirewallD

Create an ocserv service
vim /etc/firewalld/services/ocserv.xml

Input following content:

<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>ocserv</short>
  <description>Cisco AnyConnect</description>
  <port protocol="tcp" port="1234"/>
  <port protocol="udp" port="1234"/>
</service>
Start firewalld
systemctl start firewalld
firewall-cmd --permanent --add-service=ocserv
firewall-cmd --permanent --add-masquerade
firewall-cmd --reload

Configure client

If you’ve used make-client.sh to generate certificate, you can find .p12 file in /etc/ocserv/pki/client .
Transfer this file to mobile phone or iPad.

Install AnyConnect or OpenConnect client. You may refer to Configuration Guide of AnyConnect Client. OpenConnect is similar.

Tips

  1. Although you may write arbitrary text in self-signed certificate, don’t write “strange” text in it because the text is transferred in plain-text which may be filtered by the firewall.
  2. ECC is not recommended for server certificate, because AnyConnect will prompt unsafe. Don’t use ECC for CA and client certificates, because OpenConnect doesn’t support that.

Reference

[1] OpenConnect Server Manual
[2] 自动签发脚本

Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.