OpenConnect

Ubuntu 22.04

Install certbot

sudo snap install certbot --classic

Example of how to manually generate and revoke a certificate

YOUR_DOMAIN=www.ubukubu.ru
sudo certbot certonly --manual --preferred-challenges=dns -d ${YOUR_DOMAIN} -d nonexistent.${YOUR_DOMAIN}
sudo certbot revoke --cert-path /etc/letsencrypt/live/${YOUR_DOMAIN}/fullchain.pem

Obtain the certificate and private key

YOUR_DOMAIN=www.ubukubu.ru
sudo certbot certonly --standalone --preferred-challenges http -d ${YOUR_DOMAIN}

Run the docker container:

docker pull quay.io/aminvakil/ocserv
docker run --name ocserv --sysctl net.ipv4.ip_forward=1 --cap-add NET_ADMIN --security-opt no-new-privileges -p 443:443 -p 443:443/udp -v /etc/letsencrypt/live/${YOUR_DOMAIN}/privkey.pem:/etc/ocserv/certs/server-key.pem -v /etc/letsencrypt/live/${YOUR_DOMAIN}/fullchain.pem:/etc/ocserv/certs/server-cert.pem -d quay.io/aminvakil/ocserv

Enable camouflage and set the secret (pwgen must be installed on the host):

SECRET="$(pwgen 16 1)"
docker exec ocserv sed -i '/^camouflage = /{s/false/true/}' /etc/ocserv/ocserv.conf
docker exec ocserv sed -i "/^camouflage_secret = /{s/mysecretkey/${SECRET}/}" /etc/ocserv/ocserv.conf
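As an added example (not from this page or the ocserv project), the same two config edits as reusable functions with a verification step, so a typo in the sed expression or a placeholder secret that was never replaced is caught before the container is restarted. It assumes GNU sed (as on Ubuntu) and an ocserv.conf that carries the default "camouflage = false" / "camouflage_secret = mysecretkey" lines the one-liners above rely on; pwgen is replaced by a /dev/urandom-based generator.

```shell
#!/usr/bin/env bash
# Example helpers for the camouflage setup (added example, not the page's own code).
# Assumes GNU sed and the default camouflage lines of the aminvakil/ocserv image.

# Generate a 16-character hex secret (64 bits of entropy) without needing pwgen.
# Hex only, so it is safe both inside the sed replacement and in the connect URL.
gen_secret() {
    head -c 8 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# enable_camouflage <ocserv.conf> <secret>
# Turns camouflage on and sets the secret, replacing whatever value is present
# (not only the literal "mysecretkey"). '|' is used as the sed delimiter so a
# secret containing '/' could never break the expression.
enable_camouflage() {
    local conf="$1" secret="$2"
    sed -i -e 's|^camouflage = false$|camouflage = true|' \
           -e "s|^camouflage_secret = .*|camouflage_secret = ${secret}|" "$conf"
}

# verify_camouflage <ocserv.conf> <secret>
# Returns 0 only if camouflage is enabled, the secret is exactly the one we set,
# and the image's placeholder secret is gone. Each failed check is reported on stderr.
verify_camouflage() {
    local conf="$1" secret="$2" ok=0
    grep -qx 'camouflage = true' "$conf" || { echo "camouflage is not enabled" >&2; ok=1; }
    grep -qx "camouflage_secret = ${secret}" "$conf" || { echo "camouflage_secret not set" >&2; ok=1; }
    grep -q 'mysecretkey' "$conf" && { echo "placeholder secret still present" >&2; ok=1; }
    return "$ok"
}

# Host-side usage mirroring the docker exec steps on this page (edit a copy, verify, copy back):
#   SECRET="$(gen_secret)"
#   docker cp ocserv:/etc/ocserv/ocserv.conf ./ocserv.conf
#   enable_camouflage ./ocserv.conf "$SECRET" && verify_camouflage ./ocserv.conf "$SECRET" \
#     && docker cp ./ocserv.conf ocserv:/etc/ocserv/ocserv.conf && docker restart ocserv
```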

Add user:

docker exec -ti ocserv ocpasswd -c /etc/ocserv/ocpasswd goto

Delete the default user test:

docker exec -ti ocserv ocpasswd -c /etc/ocserv/ocpasswd -d test

Restart the container:

docker restart ocserv

Connect to $YOUR_DOMAIN/?$SECRET (run echo $YOUR_DOMAIN/?$SECRET to print it) with an OpenConnect client and enjoy.

Also add this line to the crontab (a weekly restart makes ocserv re-read the mounted certificate files after certbot renews them):

0 4 * * 1 bash -c "docker restart ocserv"

Clients

Cisco AnyConnect Client:

OneConnect:

OpenConnect:

Using with HTTP Injector (Android):

  • Install AnyConnect
  • Install HTTP Injector
  • HTTP Injector: Instruments -> Modem -> Hotshare -> step 1 -> start Wi-Fi Hotspot -> run your VPN (on the phone) -> (back in HTTP Injector) Start HOTSHARE

Useful link: