Deploy an AnyConnect Compatible VPN Server with Certificate Verification on CentOS 7

Updated on November 21, 2023

Introduction

AnyConnect is a remote access solution developed by Cisco that is well-known for portability and stability. This guide explains how to install ocserv, an open-source server that is compatible with Cisco AnyConnect, on CentOS 7 and how to deploy certificate verification.

Prerequisites

  • A newly-created CentOS 7 server with IPv6 enabled.
  • A workstation to generate private keys.
  • A client with AnyConnect or OpenConnect client software.

If you want to use a Let's Encrypt certificate instead of a self-signed certificate, you also need a Fully-Qualified Domain Name.

Installation

Install ocserv with yum.

yum update
yum install ocserv

Install certbot, which is used to create the Let's Encrypt server certificate. A domain name is required for certbot.

yum install certbot
certbot certonly

Choose "spin up a temporary Web server" to authenticate with the ACME CA.

If you don't have a domain, a self-signed certificate will be issued later.

Certificate Generation

The traditional PKI is rather inconvenient to use, so you will use the easyrsa utility from the OpenVPN project. Install git on your workstation and clone the repository:

git clone https://github.com/OpenVPN/easy-rsa
cd easy-rsa/easyrsa3

Build the CA and issue certificates. Record the PEM passphrase for safekeeping.

./easyrsa init-pki
./easyrsa build-ca

Keep pki/private/ca.key somewhere safe. If it leaks, anyone holding it can sign client certificates that the server will accept, which renders your whole infrastructure useless.

If you choose to use a self-signed server certificate, do the following:

./easyrsa gen-req server

Enter your server's IP address as the common name when prompted, then sign the request:

./easyrsa sign-req server server

This signs a certificate for the server. Transfer pki/issued/server.crt and pki/ca.crt to /etc/ssl/certs and pki/private/server.key to /etc/ssl/private on your server.

Next, create the client certificates:

./easyrsa gen-req client_01
./easyrsa sign-req client client_01

When prompted, choose a name for the client and enter it in the common name field. Remember the passphrase!

Next, export the certificate in PKCS#12 format for use on mobile platforms:

./easyrsa export-p12 client_01

Choose an export password, which you will be prompted to enter when importing the certificate on the phone. Transfer pki/private/client_01.p12 to your phone and import it.

Configure the Server

Edit ocserv.conf to fill in the certificate information.

vim /etc/ocserv/ocserv.conf

Locate the server-cert section and fill in the following:

# If you use Let's Encrypt
server-cert = /etc/letsencrypt/live/example.com/fullchain.pem
server-key = /etc/letsencrypt/live/example.com/privkey.pem

# If you use self-signed server certificate
server-cert = /etc/ssl/certs/server.crt
server-key = /etc/ssl/private/server.key

ca-cert = /etc/ssl/certs/ca.crt

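If you're using a self-signed certificate, remove the passphrase from the server key first so that ocserv can use the private key:

openssl rsa -in server.key -out server-new.key

The output file server-new.key is unencrypted, so make sure server-key refers to it and that only root can read it.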

Locate the auth section and enable this line:

auth = "certificate"

And comment out all other auth lines.

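Uncomment this line, which tells ocserv to take the user name from the common name (OID 2.5.4.3) of the client certificate: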

cert-user-oid = 2.5.4.3

Locate ipv6-network and fill in your server's IPv6 block. This defines the lease block from which the server assigns IP addresses to clients.

ipv6-network = 2001:0db8:0123:4567::/64
ipv6-subnet-prefix = 124

Set DNS servers.

dns = 8.8.8.8
dns = 8.8.4.4

Enable compatibility with Cisco clients.

cisco-client-compat = true

In firewalld, open the ports you set in tcp-port and udp-port and enable masquerading for both IPv4 and IPv6.

Start the server.

systemctl enable ocserv
systemctl start ocserv
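
One way to check the authentication settings from this section, as an added example that is not part of the original guide or of ocserv. The function name audit_ocserv_conf and the two sample configs are constructed for illustration. It flags any active auth line other than "certificate", a missing ca-cert, and a cert-user-oid other than 2.5.4.3.

```shell
#!/bin/sh
# Added example: audit ocserv.conf for the certificate-only settings in this guide.
# audit_ocserv_conf and the sample files are illustrative names, not part of ocserv.

audit_ocserv_conf() {
    awk '
        function bad(msg) { print "FAIL: " msg; fails++ }
        /^[ \t]*#/ || !/=/ { next }   # skip comments and lines without a setting
        {
            key = $0; sub(/[ \t]*=.*/, "", key); sub(/^[ \t]+/, "", key)
            val = $0; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
        }
        key == "auth" {
            n_auth++
            if (val != "\"certificate\"") bad("active auth line is not certificate: " val)
        }
        key == "ca-cert"       { ca = val }
        key == "cert-user-oid" { oid = val }
        END {
            if (!n_auth)          bad("no active auth line")
            if (ca == "")         bad("ca-cert is not set, client certificates cannot be verified")
            if (oid != "2.5.4.3") bad("cert-user-oid is not 2.5.4.3 (common name)")
            exit (fails > 0)
        }
    ' "$1"
}

# Constructed sample configs (not taken from a real server).
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
cat > "$demo_dir/good.conf" <<'EOF'
#auth = "pam"
auth = "certificate"
ca-cert = /etc/ssl/certs/ca.crt
cert-user-oid = 2.5.4.3
EOF
cat > "$demo_dir/bad.conf" <<'EOF'
auth = "plain[passwd=/etc/ocserv/ocpasswd]"
auth = "certificate"
ca-cert = /etc/ssl/certs/ca.crt
#cert-user-oid = 2.5.4.3
EOF

audit_ocserv_conf "$demo_dir/good.conf" && echo "good.conf: OK"
audit_ocserv_conf "$demo_dir/bad.conf" || echo "bad.conf: fix the findings above"
```

To check the real file, call audit_ocserv_conf /etc/ocserv/ocserv.conf; a non-zero exit status means at least one finding was printed.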

Testing

The server has been successfully configured. Create a connection in your client and connect. If things go wrong, use this command to debug:

journalctl -fu ocserv

Also, IPv6 should work on the client side if your client software supports IPv6, even if your client's network doesn't provide you with an address. Go to this site to test.