Get an entry-level burstable instance on Alibaba Cloud (alicloud) with Ubuntu 18.04 on it.
-
Install ocserv, easy-rsa and firewalld
apt-get update
apt install ocserv git firewalld
git clone https://github.com/OpenVPN/easy-rsa
-
Generate certificates
cd easy-rsa/easyrsa3
./easyrsa init-pki
# Use a strong password as the CA password and make a note of it
./easyrsa build-ca
# Use the server IP as common name, e.g. 123.123.123.123
# Use a strong password as the server key and make a note of it
# You will need the CA password above to sign
./easyrsa gen-req server
./easyrsa sign-req server server
# Use a strong password as the client key and make a note of it
./easyrsa gen-req shared_client
./easyrsa sign-req client shared_client
# Use a strong password as the 'export password'; you'll need it on your phone to unlock the cert
./easyrsa export-p12 shared_client
mkdir -p /etc/ssl/private
# Strip the passphrase from the server key so ocserv can load it unattended at boot
openssl rsa -in pki/private/server.key -out pki/private/server.key
cp /root/easy-rsa/easyrsa3/pki/issued/server.crt /etc/ssl/certs/server.crt
cp /root/easy-rsa/easyrsa3/pki/private/server.key /etc/ssl/private/server.key
cp /root/easy-rsa/easyrsa3/pki/ca.crt /etc/ssl/certs/ca.crt
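Before the files go into /etc/ssl it is worth confirming that the PKI is what ocserv expects: both certificates chain to the CA, the server key has actually lost its passphrase, the key belongs to the server certificate, and the client CN is the username ocserv will see (because of cert-user-oid = 2.5.4.3 below). The following checker is an added example, not part of the original guide or of easy-rsa; the file paths and the expected server CN are arguments and therefore assumptions, and only the openssl CLI is used.

```shell
#!/bin/sh
# Added example, not part of the original guide or of easy-rsa: sanity-check the
# PKI before it goes into /etc/ssl, so that ocserv does not refuse to start or
# hand out an unexpected username. File paths and the expected server CN are
# arguments (assumptions); only the openssl CLI is used.

# key_is_unencrypted FILE: 0 if the PEM key carries no passphrase
# (both "Proc-Type: 4,ENCRYPTED" and "BEGIN ENCRYPTED PRIVATE KEY" contain the word)
key_is_unencrypted() {
    ! grep -q 'ENCRYPTED' "$1"
}

# cert_cn FILE: print the subject CN; with cert-user-oid = 2.5.4.3 ocserv
# uses the client certificate's CN as the VPN username
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
        sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p'
}

# check_pki CA_CRT SERVER_CRT SERVER_KEY CLIENT_CRT EXPECTED_SERVER_CN
# returns 0 when every check passes, otherwise prints each failure and returns 1
check_pki() {
    ca=$1; crt=$2; key=$3; client=$4; want_cn=$5; rc=0
    openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 \
        || { echo "FAIL: server cert is not signed by $ca"; rc=1; }
    openssl verify -CAfile "$ca" "$client" >/dev/null 2>&1 \
        || { echo "FAIL: client cert is not signed by $ca"; rc=1; }
    key_is_unencrypted "$key" \
        || { echo "FAIL: server key still has a passphrase (run 'openssl rsa' on it)"; rc=1; }
    # the key must be the one behind the certificate ocserv will present;
    # a wrong dummy passphrase makes an encrypted key fail here instead of prompting
    [ "$(openssl x509 -in "$crt" -noout -pubkey)" = \
      "$(openssl pkey -in "$key" -pubout -passin pass:unused 2>/dev/null)" ] \
        || { echo "FAIL: server key does not match server cert"; rc=1; }
    [ "$(cert_cn "$crt")" = "$want_cn" ] \
        || { echo "FAIL: server CN is '$(cert_cn "$crt")', expected '$want_cn'"; rc=1; }
    echo "client will log in as user: $(cert_cn "$client")"
    return $rc
}

# Usage after the easy-rsa steps above (run from easy-rsa/easyrsa3):
#   check_pki pki/ca.crt pki/issued/server.crt pki/private/server.key \
#       pki/issued/shared_client.crt 123.123.123.123
```

Run it right after the openssl rsa step: a non-zero exit with "still has a passphrase" is the most common reason ocserv fails to start after this guide, and the last line tells you which username to expect in the ocserv logs.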
-
Configure ocserv
vi /etc/ocserv/ocserv.conf
Add/edit the following:
server-cert = /etc/ssl/certs/server.crt
server-key = /etc/ssl/private/server.key
ca-cert = /etc/ssl/certs/ca.crt
auth = "certificate"
cert-user-oid = 2.5.4.3
ipv4-network = 192.168.1.0
ipv4-netmask = 255.255.255.0
no-route = 172.21.0.0/255.255.0.0
# this is needed if you want to route all traffic via vpn
route = default
dns = 8.8.8.8
dns = 8.8.4.4
max-clients = 20
max-same-clients = 20
-
Configure the network
# Ubuntu ships the line commented out as "#net.ipv4.ip_forward=1", so match that form as well as an explicit "= 0"
sed -i -E 's/^#?net\.ipv4\.ip_forward ?= ?.*/net.ipv4.ip_forward = 1/' /etc/sysctl.conf
sysctl -p
systemctl start firewalld
firewall-cmd --permanent --new-service=ocserv
firewall-cmd --permanent --service=ocserv --add-port=443/tcp
# optional: ocserv also offers DTLS on 443/udp (udp-port in ocserv.conf); open that too if you want DTLS rather than TCP-only
firewall-cmd --permanent --add-service=ocserv
firewall-cmd --permanent --add-masquerade
firewall-cmd --reload
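The one-line sed above only rewrites a line that is already present in some form. A stock Ubuntu /etc/sysctl.conf carries the commented-out "#net.ipv4.ip_forward=1", other images write "net.ipv4.ip_forward = 0", and some have no line at all; if the edit silently does nothing, clients connect but get no traffic through the tunnel. The script below is an added example, not part of the original guide: it takes the file path as a parameter (an assumption, so it can be tried on a copy first), covers all three cases, and is idempotent.

```shell
#!/bin/sh
# Added example, not part of the original guide: turn on IPv4 forwarding in a
# sysctl file idempotently, whatever the file contained before. The path is a
# parameter (an assumption) so the behaviour can be checked on a scratch copy.

# matches an ip_forward line whether or not it is commented out
FORWARD_RE='^[[:space:]]*#?[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*='

# enable_ip_forward FILE: leave FILE with an active "net.ipv4.ip_forward = 1"
enable_ip_forward() {
    f=$1
    if grep -Eq "$FORWARD_RE" "$f"; then
        # rewrite every existing occurrence (commented or not, 0 or 1) in place
        sed -i -E "s/${FORWARD_RE}.*/net.ipv4.ip_forward = 1/" "$f"
    else
        # nothing to rewrite: append the setting
        printf 'net.ipv4.ip_forward = 1\n' >> "$f"
    fi
}

# ip_forward_enabled FILE: 0 if FILE, as sysctl reads it, turns forwarding on
ip_forward_enabled() {
    grep -Eq '^[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=[[:space:]]*1[[:space:]]*$' "$1"
}

# active_forward_lines FILE: count of uncommented ip_forward lines (expect 1)
active_forward_lines() {
    grep -Ec '^[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=' "$1"
}

# Usage on the real file (as root), then load it into the running kernel:
#   enable_ip_forward /etc/sysctl.conf && sysctl -p
#   sysctl -n net.ipv4.ip_forward     # should print 1
```

After running it on the real file, `sysctl -n net.ipv4.ip_forward` must print 1; the masquerade rule added with firewall-cmd has no effect until the kernel forwards packets.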
-
Start ocserv
systemctl enable ocserv
systemctl start ocserv
-
From your laptop's terminal, run the following to fetch the client bundle, then upload the file to Dropbox so it can be opened with a publicly accessible link (you enter that link in your phone's AnyConnect client to fetch the cert). The .p12 bundle contains the client's private key and is protected only by the export password, so remove the share link once the phone has imported it.
scp IP_OF_VM:/root/easy-rsa/easyrsa3/pki/private/shared_client.p12 .
If you have trouble importing the certificate (incorrect password error), you will have to run additional commands and re-export it in legacy mode: a .p12 written by OpenSSL 3 is encrypted with AES/PBKDF2 by default, which some AnyConnect builds cannot read, and -legacy re-encrypts it with the older algorithms they expect. Delete /tmp/certbag.pem afterwards, since it holds the private key unencrypted.
$ openssl pkcs12 -nodes < shared_client.p12 > /tmp/certbag.pem
$ openssl pkcs12 -export -legacy -in /tmp/certbag.pem > /tmp/usable-shared-client.p12
-
Download Cisco AnyConnect on your laptop/phone. For macOS you can get it from https://www.ed.ac.uk/information-services/computing/desktop-personal/vpn/vpn-cisco-client/cisco-anyconnect-ssl-client-mac; for Android it's on the Play Store.
-
In the AnyConnect settings, make sure "Block Untrusted Servers" is off, since the server certificate is signed by your own CA rather than by one the client already trusts.
-
For laptop clients, install the shared_client certificate (you'll need the 'export password' you set when exporting the client certificate). Enter the server's public IP and connect; it'll ask whether you want to import the server's certificate or just trust it for this session. Import it to avoid having to trust it every time.
-
For Android clients, in AnyConnect click on the 3 dots on the top right > Diagnostics > Certificate Management > 3 dots on top right > Import > Network Location (URI) > enter the dropbox/share link and the export password when requested. Back in the main menu, click on Connections > Add New VPN Connection > enter the server's public IP. On the first connection, it'll ask you if you want to import the server's certificate or trust it; you can import it to avoid having to trust it every time.
-
For a Raspberry Pi client, convert the shared certificate to a PEM file (the private key ends up unencrypted in it, so keep the file readable only by the user that runs openconnect) and copy it over:
openssl pkcs12 -in shared_client.p12 -out shared_client.pem -nodes
scp shared_client.pem pi@raspberrypi:
then install the openconnect package and connect (openconnect will ask you to accept the server's certificate on the first connection, as it is signed by your own CA):
apt install openconnect
openconnect -c shared_client.pem -b <vpn-ip-address>