Installing OpenConnect VPN Server 1.3.0 on Oracle Linux 9.5 and configuring client-to-site connections with PAM authentication and site-to-site connections with certificate-based authentication
Note: client-to-site and site-to-site connections will be established from Windows 10 and Oracle Linux respectively
Install OpenConnect
Enable IPv4 forwarding
echo "net.ipv4.ip_forward=1" > /etc/sysctl.d/0-ocserv.conf
Install the EPEL repository
dnf install epel-release
Install the OpenConnect server
dnf install ocserv
Configure PAM authentication for client-to-site connections
Edit /etc/ocserv/ocserv.conf file
tcp-port = 443
udp-port = 443
server-cert = /etc/ocserv/public.pem
server-key = /etc/ocserv/private.pem
camouflage = true
camouflage_secret = "3a061501-6335-4838-9602-1f1534903e37"
camouflage_realm = "e20b4c1d-e3e1-4531-ac9c-9cd927ab7620"
device = ocs
ipv4-network = 192.168.254.0/24
route = 10.100.100.0/24
dns = 10.100.100.1
default-domain = domain.lan
auth = "pam"
max-clients = 0
max-same-clients = 0
log-level = 1
Issue a self-signed certificate
openssl req -x509 -newkey rsa:8192 -days 3650 -keyout /etc/ocserv/private.pem -out /etc/ocserv/public.pem -subj "/CN=Server/" -addext "subjectAltName=IP:1.1.1.1" -nodes
Replace content of /etc/pam.d/ocserv file
auth [success=ok default=die] pam_succeed_if.so quiet user ingroup vpn_users
auth [success=1 default=bad] pam_unix.so
auth [default=die] pam_faillock.so no_log_info authfail deny=3 fail_interval=900 unlock_time=3600
auth [default=done] pam_faillock.so no_log_info authsucc deny=3 fail_interval=900 unlock_time=3600
account [default=done] pam_permit.so
Create users
groupadd vpn_users
useradd --no-create-home --no-user-group --groups vpn_users test
passwd test
Note 1: group membership can be changed using the "gpasswd" command
Note 2: group members can be listed using the "lid -g" command
Test authentication
pamtester -v ocserv test authenticate
faillock --user test
Establish client-to-site connection
Add the root certificate into the trusted CA store
Install AnyConnect application using Microsoft Store
Add a new VPN-connection
VPN provider - AnyConnect
Connection name - AnyConnect
Hostname - https://1.1.1.1?3a061501-6335-4838-9602-1f1534903e37
Establish a connection
Configuring certificate-based authentication for site-to-site connections
Edit /etc/ocserv/ocserv.conf file
tcp-port = 443
udp-port = 443
server-cert = /etc/ocserv/public.pem
server-key = /etc/ocserv/private.pem
camouflage = true
camouflage_secret = "3a061501-6335-4838-9602-1f1534903e37"
camouflage_realm = "e20b4c1d-e3e1-4531-ac9c-9cd927ab7620"
device = ocs
ipv4-network = 192.168.254.0/24
route = 10.100.100.0/24
auth = "certificate"
# Path assumed: the CA certificate that signed the client certificate (ca.crt from the PKI section below); without ca-cert the server cannot verify client certificates
ca-cert = /etc/ocserv/ca.crt
config-per-user = /etc/ocserv/config-per-user/
route-add-cmd = "ip route add %{R} dev %{D}"
route-del-cmd = "ip route delete %{R} dev %{D}"
max-clients = 0
max-same-clients = 0
log-level = 1
Create /etc/ocserv/config-per-user/Client file
ipv4-network = 192.168.254.0/30
iroute = 10.200.200.0/24
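Added example (not part of this guide): a Python script that parses a server configuration in the form shown above together with a config-per-user entry and checks the two things that most often break this setup: a certificate-auth server without a ca-cert directive to verify client certificates, and a site's iroute overlapping the client pool or a route pushed to every client. It also derives the camouflage URL clients must dial from camouflage_secret. The sample configuration is constructed for the example and deliberately omits ca-cert.

```python
import ipaddress

# Constructed sample mirroring the server section of this guide; ca-cert is
# deliberately left out so the check below has something to report.
SAMPLE_CONF = """auth = "certificate"
camouflage = true
camouflage_secret = "3a061501-6335-4838-9602-1f1534903e37"
ipv4-network = 192.168.254.0/24
route = 10.100.100.0/24
"""
# Constructed config-per-user entry, keyed by the uid in the client certificate.
SAMPLE_PER_USER = {"Client": "ipv4-network = 192.168.254.0/30\niroute = 10.200.200.0/24\n"}


def parse_ocserv(text):
    # 'key = value' lines into key -> [values]; quotes and '#' comments are dropped
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        conf.setdefault(key, []).append(value.strip('"'))
    return conf


def camouflage_url(conf, host):
    # With camouflage on, the secret travels as the query string of the server URL
    secret = conf.get("camouflage_secret", [""])[0]
    if conf.get("camouflage", ["false"])[0] == "true" and secret:
        return f"https://{host}?{secret}"
    return f"https://{host}"


def lint(conf, per_user):
    findings = []
    if conf.get("auth", [""])[0] == "certificate" and "ca-cert" not in conf:
        findings.append("auth = certificate but no ca-cert: client certificates cannot be verified")
    pool = ipaddress.ip_network(conf["ipv4-network"][0], strict=False)
    pushed = [ipaddress.ip_network(r, strict=False) for r in conf.get("route", [])]
    for name, text in per_user.items():
        for iroute in parse_ocserv(text).get("iroute", []):
            net = ipaddress.ip_network(iroute, strict=False)
            # A site's iroute must not overlap the pool or a route pushed to every client
            for other in pushed + [pool]:
                if net.overlaps(other):
                    findings.append(f"{name}: iroute {iroute} overlaps {other}")
    return findings


if __name__ == "__main__":
    print(camouflage_url(parse_ocserv(SAMPLE_CONF), "1.1.1.1"))
    print("\n".join(lint(parse_ocserv(SAMPLE_CONF), SAMPLE_PER_USER)) or "no findings")
```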
Create a PKI directory
mkdir /var/lib/pki
Create /var/lib/pki/ca.template file
dn = "cn=CA"
serial = 1
expiration_days = -1
ca
signing_key
cert_signing_key
crl_signing_key
Issue a CA certificate
certtool --generate-privkey --bits 8192 --outfile /var/lib/pki/ca.key
certtool --generate-self-signed --template /var/lib/pki/ca.template --load-privkey /var/lib/pki/ca.key --outfile /var/lib/pki/ca.crt
Create /var/lib/pki/server.template file
dn = "cn=Server"
ip_address = "1.1.1.1"
expiration_days = -1
signing_key
encryption_key
tls_www_server
Issue a server certificate
certtool --generate-privkey --bits 8192 --outfile /var/lib/pki/server.key
certtool --generate-certificate --load-ca-certificate /var/lib/pki/ca.crt --load-ca-privkey /var/lib/pki/ca.key --template /var/lib/pki/server.template --load-privkey /var/lib/pki/server.key --outfile /var/lib/pki/server.crt
Create /var/lib/pki/client.template file
dn = "uid=Client"
expiration_days = -1
signing_key
tls_www_client
Issue a client certificate
certtool --generate-privkey --bits 8192 --outfile /var/lib/pki/client.key
certtool --generate-certificate --load-ca-certificate /var/lib/pki/ca.crt --load-ca-privkey /var/lib/pki/ca.key --template /var/lib/pki/client.template --load-privkey /var/lib/pki/client.key --outfile /var/lib/pki/client.crt
Copy the corresponding certificates to the server and the client: the CA certificate plus the server certificate and key to the server (at the paths referenced in ocserv.conf), and the CA certificate plus the client certificate and key to the client (at the paths referenced in the openconnect unit file below)
Establish site-to-site connection
Install the necessary packages
dnf install NetworkManager-openconnect
Create a unit file /etc/systemd/system/openconnect.service
[Unit]
Description=OpenConnect Client
After=network.target
[Service]
Type=simple
ExecStart=/usr/sbin/openconnect --protocol=anyconnect --cafile=/etc/openconnect/ca.crt --certificate=/etc/openconnect/client.crt --sslkey=/etc/openconnect/client.key --interface=ocs0 https://1.1.1.1?3a061501-6335-4838-9602-1f1534903e37
Restart=always
RestartSec=5
[Install]
WantedBy=multi-user.target
Establish a connection
systemctl start openconnect