Free analog of AnyConnect VPN Server


    In my last post, I described Softether VPN Server and how to install it from source. Over the past time, I was very disappointed in this server because for all the time I could not get it to work at normal speed. I wrote to the developers forum, but I didn’t get a clear answer what’s the matter. Well, there’s nothing to do; you have to choose another solution.

    I tried StrongSwan VPN server, but the server turned out to be difficult to configure, and also it could not make money through http-proxy (and by the way should not).
    In the end, I opted for Open Connect Server, a free and excellent implementation of Cisco AnyConnect server.
    I think many of you are familiar with Any Connect server, a proprietary vpnserver for Cisco routers.

    Unfortunately, I have no information whether this program is in the Debian repository or in any other, but we can collect it from the source.


    ...
    InstallNettle ()
    {
    if ["$ isget" = "get"]
    then
    rm -rfv ./nettle*
    wget -c ftp.gnu.org/gnu/nettle/nettle-2.7.1.tar.gz
    tar -xvf nettle -2.7.1.tar.gz
    fi
    cd nettle-2.7.1
    #autoreconf
    ./configure --prefix = / --host = $ HOST
    check_success
    make V = 0 -j 4 LDFLAGS = "- ldl"
    check_success
    make V = 0 install DESTDIR = $ SYSROOT
    check_success
    cd ...
    }

    InstallGnutls ()
    {
    if ["$ isget" = "get"]
    then
    rm -rfv ./gnutls*
    git clone git: //gitorious.org/gnutls/gnutls.git
    fi
    cd gnutls
    make autoreconf
    check_success
    ./configure --prefix = / --host = $ HOST NETTLE_CFLAGS = "- I $ SYSROOT / include "NETTLE_LIBS =" - L $ SYSROOT / lib -lnettle "\
    HOGWEED_CFLAGS =" - I $ SYSROOT / include "HOGWEED_LIBS =" - L $ SYSROOT / lib -lhogweed "\
    --disable-doc --with-default-trust -store-file = "/ etc / ssl / ca-bundle.crt" --enable-local-libopts = yes


    check_success
    make V = 0 -j 4
    check_success
    make V = 0 install DESTDIR = $ SYSROOT
    check_success
    cd ...

    InstallOpenConnect ()
    {
    if ["$ isget" = "get"]
    then
    rm -rfv ./ocserv*
    git clone git: //git.infradead.org/ocserv.git
    fi
    cd ocserv
    make autoreconf
    chmod + x ./autogen.sh
    ./autogen.sh
    ./configure --prefix = / --host = $ HOST LIBGNUTLS_CFLAGS = " $ sysroot -I / the include "LIBGNUTLS_LIBS =" - sysroot of L $ / lib -lgnutls "\
    LIBREADLINE_CFLAGS =" - I of $ sysroot / the include / the readline "LIBREADLINE_LIBS =" - sysroot of L $ / lib -lreadline -lncurses "\
    --enable -local-libopts = yes

    check_success
    make V = 0 AUTOGEN = "autogen"
    check_success
    sed -i -e 's | / bin / true | autogen | g' ./doc/ Makefile
    make V = 0 install DESTDIR = $ SYSROOT
    check_success
    cd ...
    }
    }


    Certificate Generation


    #! / bin / bash

    certtool --generate-privkey --outfile ca-key.pem
    cat << _EOF_> ca.tmpl
    cn = "loft.dtdns.net"
    organization = "loft inc."
    serial = 1
    expiration_days = 999
    ca
    signing_key
    cert_signing_key
    crl_signing_key
    _EOF_

    certtool --generate-self-signed --load-privkey ca-key.pem --template ca.tmpl --outfile ca-cert.pem

    certtool --generate-privkey --outfile server-key. pem
    cat << _EOF_> server.tmpl
    cn = "loft.dtdns.net"
    organization = "loft inc."
    serial = 2
    expiration_days = 999
    signing_key
    encryption_key #only if the generated key is an RSA one
    tls_www_server
    _EOF_

    certtool --generate-certificate --load-privkey server-key.pem --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem --template server.tmpl --outfile server-cert.pem

    mv -fv ./server-cert.pem / etc /
    mv -fv ./server-key.pem / etc /
    ocpasswd root -c / etc / ocpasswd


    Settings file


    max-clients = 16
    max-same-clients = 16
    tcp-port = 443
    udp-port = 443
    keepalive = 32400
    dpd = 1900
    mobile-dpd = 1800
    try-mtu-discovery = false
    auth = "plain [/ etc / ocpasswd] "

    Server-cert = /etc/server-cert.pem
    server-key = /etc/server-key.pem

    tls-priorities =" NORMAL:% SERVER_PRECEDENCE:% COMPAT "

    auth-timeout = 4000
    cookie-timeout = 300
    deny- roaming = false
    rekey-time = 172800
    rekey-method = ssl

    use-utmp = true
    use-occtl = true

    pid-file = /var/run/ocserv.pid
    socket-file = / var / run / ocserv-socket

    run-as -user = root
    run-as-group = root
    cgroup = "cpuset, cpu: test"
    device = vpns
    cisco-client-compat = true
    predictable-ips = true

    default-domain = example.com

    # The pool of addresses that leases will be given from.
    ipv4-network = 192.168.2.0
    ipv4-netmask = 255.255.255.0

    dns = 8.8.8.8

    ping-leases = false



    Unit to run in systemd


    [Unit]
    Description = OpenConnect server
    After = network.target [Service]
    Type = forking Environment = "LD_LIBRARY_PATH = / lib: / lib" PIDFile = / var / run / ocserv.pid
    ExecStart = / sbin / ocserv --config = / etc / ocserv.conf Restart = always
    [Install]
    WantedBy = multi-user.target


    After starting the server with the command "/ sbin / ocserv --config = / etc / ocserv.conf"
    we can connect using the official AnyConnect Client.

    through the official iOS app.


    Well, in the end I want to say that I really liked the project. I corresponded with the developer and he answered me very quickly and in detail.
    The server is very smart, it seemed to me that the speed does not cut at all
    Do not pass by!

    Also popular now: