Deploy an AnyConnect Compatible VPN Server with Certificate Verification on CentOS 7
AnyConnect is a remote access solution developed by Cisco that is well-known for portability and stability. This guide explains how to install ocserv on CentOS7, which is open-source and compatible with Cisco AnyConnect, and deploy certificate verification.
- A newly-created CentOS 7 server with IPv6 enabled.
- A workstation to generate private keys
- A client with AnyConnect or OpenConnect client software
If you want to use a Let's Encrypt certificate instead of a self-signed certificate, you also need a Fully-Qualified Domain Name.
yum install ocserv
Install certbot, which is used to create the Let's Encrypt server certificate. A domain name is required for certbot.
yum install certbot
Choose "spin up a temporary Web server" to authenticate with ACME CA.
If you don't have a domain, a self-signed certificate will be issued later.
The traditional PKI is rather inconvenient to use, so you will use the
easyrsa utility from the OpenVPN project. Install git on your working machine and clone the repository:
git clone https://github.com/OpenVPN/easy-rsa
Build the CA and issue certificates. Record the PEM passphrase for safekeeping.
pki/private/ca.key somewhere safe. Leaking that will render your whole infrastructure useless.
If you choose to use a self-signed server certificate, do the following:
./easyrsa gen-req server
And input your server's IP address as the common name.
./easyrsa sign-req server server
This will sign a certificate for the server. Transfer
/etc/ssl/private on your server.
Next we will create client certificates. Do the following:
./easyrsa gen-req client_01
./easyrsa sign-req client client_01
Choose a name for the client and fill it into the common name field. Remember the passphrase!
Next, you will export the certificate in pkcs12 format for usage on mobile platforms. Do:
./easyrsa export-p12 client_01
Choose an export password which you will be prompted to enter when importing the certificate on the phone. Transfer
pki/private/client_01.p12 to your phone and import it.
Configure the Server
ocserv.conf to fill in the certificate information.
server-cert section and fill in the following:
# If you use Let's Encrypt
server-cert = /etc/letsencrypt/live/example.com/fullchain.pem
server-key = /etc/letsencrypt/live/example.com/privkey.pem
# If you use self-signed server certificate
server-cert = /etc/ssl/certs/server.crt
server-key = /etc/ssl/private/server.key
ca-cert = /etc/ssl/certs/ca.crt
Note that if you're using a self-signed certificate, remember to remove the passphrase first by
openssl rsa -in server.key -out server-new.key so that
ocserv can use the private key.
auth section. Enable this line:
auth = "certificate"
And comment out all other
Uncomment this line:
cert-user-oid = 18.104.22.168
ipv6-network and fill in your server's ipv6 block to define the lease block that the server uses to assign IP addresses.
ipv6-network = 2001:0db8:0123:4567::/64
ipv6-subnet-prefix = 124
Set DNS servers.
dns = 22.214.171.124
dns = 126.96.36.199
Enable compatibility with Cisco clients.
cisco-client-compat = true
Open the ports you set in
udp-port and enable masquerade for both ipv4 and ipv6 in firewalld.
Start the server.
systemctl enable ocserv
systemctl start ocserv
The server has been successfully configured. Create a connection in your client and connect. If things go wrong, use this command to debug:
journalctl -fu ocserv
Also, IPv6 should work on the client-side if your client software supports ipv6 even if your client's network doesn't provide you with an address. Go to this site to test.