How to install Ocserv on Debian

Introduction

In this tutorial, we will guide you through installing Ocserv on Debian. Ocserv is a VPN server that allows clients to connect securely to remote networks over the SSL/TLS protocol.

Prerequisites

  • A Debian operating system with root access.
  • Basic Linux command-line knowledge.

Step 1: Update and Upgrade the System

Before installing Ocserv, it is always good practice to update and upgrade the system to ensure that all packages are up-to-date.

To do this, open the terminal and run the following command:

sudo apt update && sudo apt upgrade

Step 2: Install Necessary Packages

Ocserv requires some packages to be installed on the system before it can be installed.

We will install these packages by running the following command:

sudo apt install ocserv net-tools iptables ufw libgnutls28-dev libkrb5-dev gperf build-essential pkg-config autoconf automake libpam0g-dev libev-dev libopts25-dev libnl-route-3-dev libseccomp-dev

  • ocserv: The main package to install.
  • net-tools: Contains important networking commands.
  • iptables: Required for configuring firewall rules.
  • ufw: A convenient command-line firewall for Ubuntu.
  • libgnutls28-dev: Development files for GnuTLS, required for communicating with TLS clients.
  • libkrb5-dev: Development files for Kerberos V, required for enabling authentication via Kerberos.
  • gperf: A tool for generating perfect hash functions.
  • build-essential: Required for compiling and building packages from source.
  • pkg-config: A helper tool used in the compilation of source code.
  • autoconf: A tool for generating configure scripts.
  • automake: A tool for generating Makefiles to build software in a cross-platform environment.
  • libpam0g-dev: Development files for PAM (Pluggable Authentication Modules).
  • libev-dev: A high-performance event-loop library.
  • libopts25-dev: Development files for the getopt function.
  • libnl-route-3-dev: Development files for Linux-specific networking libraries.
  • libseccomp-dev: Development files for Secure Computing mode, essential for providing system call filtering.

Step 3: Download and Install Ocserv

In this step, we will download the latest Ocserv release from the official website and build it from source. Note that the ocserv package installed with apt in Step 2 already provides a working server; the source build is only needed if you want a newer upstream release than Debian ships.

The download page at http://www.infradead.org/ocserv/download.html lists the release archives. Fetching that page itself with wget would save an HTML file rather than the archive, so copy the link to the latest ocserv-<version>.tar.xz from the page and download that:

wget <tarball URL copied from the download page> -O ocserv.tar.xz

Once the download is complete, extract the archive using the tar command:

tar -xf ocserv.tar.xz

Change into the extracted directory:

cd ocserv-*

Now, execute the configure script:

./configure

Then, build and install the source code:

make && sudo make install

Step 4: Configure Ocserv

After installing Ocserv, it needs to be configured with the TLS certificate and key it will present to clients, the authentication method, and the addresses handed out to VPN clients.

The configuration file is located in /etc/ocserv/ocserv.conf.

Open the configuration file using your preferred text editor:

sudo nano /etc/ocserv/ocserv.conf

Within this file, make sure to set the following parameters:

  • auth: Specify the type of authentication to be used. By default, it is set to "pam".
  • server-cert: Provide the path to the server certificate file.
  • server-key: Provide the path to the server private key file; this file should be readable by root only.
  • ca-cert: Provide the path to the certificate authority file.
  • ipv4-network: Provide the IPv4 subnet from which client addresses are assigned (for example 10.10.10.0/24, the range used by the NAT rule in Step 5; the two must match).
  • dns: Provide the DNS IP addresses that should be given to clients.

Once you have made the necessary changes, save and close the file.

Step 5: Enable Firewall and Ports

To enable clients to connect to the VPN server, we need to allow the necessary ports through the firewall.

By default, Ocserv listens on TCP port 443 for communication, which is the same port used by HTTPS. If the udp-port option is enabled in ocserv.conf (Ocserv uses it for DTLS), open that port for UDP as well.

We will allow incoming connections on port 443 by running the following command:

sudo ufw allow 443/tcp

In addition, we need to enable IP forwarding, which is required for VPN clients to be able to access the internet:

echo "net.ipv4.ip_forward=1" | sudo tee -a /etc/sysctl.conf
sudo sysctl -p

Finally, we need to configure NAT (Network Address Translation) to allow VPN clients to access the internet.

To configure NAT, we need to add a NAT table block to ufw's existing /etc/ufw/before.rules file. Open the file for editing:

sudo nano /etc/ufw/before.rules

Add the following lines at the end of the file:

# NAT table rules
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.10.10.0/24 -o [internet interface name here] -j MASQUERADE
COMMIT

Be sure to replace [internet interface name here] in the third line above with the name of your internet-facing network interface. The subnet 10.10.10.0/24 must match the ipv4-network value set in Step 4. Also note that ufw drops forwarded traffic by default; set DEFAULT_FORWARD_POLICY="ACCEPT" in /etc/default/ufw (or add a narrower forward rule for the VPN subnet) so that the masqueraded client traffic is actually forwarded.

Save and close the file.

Finally, restart ufw for the changes to take effect (if ufw has not been enabled yet, run sudo ufw enable first):

sudo systemctl restart ufw
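Before starting the service, it is worth checking that the Step 4 parameters are actually set, that ipv4-network matches the subnet masqueraded in Step 5, and that the private key is not readable by other users. The script below is an added example, not part of the original tutorial or of Ocserv itself; it runs against a constructed sample config and NAT rule in a temporary directory, and the paths, the eth0 interface and the key file are placeholders.

```shell
#!/bin/sh
# Added example (not from the tutorial): cross-check the Step 4 settings with the
# Step 5 NAT rule before starting ocserv. Runs on a constructed sample config; on a
# real host point CONF and RULES at /etc/ocserv/ocserv.conf and /etc/ufw/before.rules.
set -u
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CONF="$WORK/ocserv.conf"
RULES="$WORK/before.rules"
KEY="$WORK/server.key"
# Constructed sample config with the parameters the tutorial asks for.
cat > "$CONF" <<'EOF'
auth = "pam"
server-cert = /etc/ssl/certs/ocserv-example.pem
server-key = /etc/ssl/private/ocserv-example.key
ca-cert = /etc/ssl/certs/ocserv-ca-example.pem
ipv4-network = 10.10.10.0/24
dns = 1.1.1.1
EOF
# Constructed NAT rule using the subnet from Step 5 (eth0 is a placeholder).
printf '*nat\n-A POSTROUTING -s 10.10.10.0/24 -o eth0 -j MASQUERADE\nCOMMIT\n' > "$RULES"
# Constructed placeholder key file (not a real key) with owner-only permissions.
printf 'placeholder, not a real key\n' > "$KEY" && chmod 600 "$KEY"

# conf_get KEY FILE: value of KEY, skipping commented-out lines, quotes removed.
conf_get() {
  sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" "$2" | tail -n 1 | tr -d '"'
}
# nat_subnet FILE: source subnet of the first POSTROUTING MASQUERADE rule.
nat_subnet() {
  sed -n 's/.*-A POSTROUTING -s \([^ ]*\) .*/\1/p' "$1" | head -n 1
}
# check_config CONF RULES: 0 when every required key is set and ipv4-network
# matches the masqueraded subnet; otherwise prints each problem and returns 1.
check_config() {
  rc=0
  for key in auth server-cert server-key ca-cert ipv4-network dns; do
    [ -n "$(conf_get "$key" "$1")" ] || { echo "missing: $key"; rc=1; }
  done
  net=$(conf_get ipv4-network "$1")
  [ "$net" = "$(nat_subnet "$2")" ] || { echo "ipv4-network $net != NAT subnet $(nat_subnet "$2")"; rc=1; }
  return $rc
}
# key_is_private FILE: 0 when the key exists and is readable by its owner only
# (GNU find's -perm /077 matches any group/other permission bit).
key_is_private() {
  [ -f "$1" ] && [ -z "$(find "$1" -perm /077)" ]
}
```

Run it on the real files by replacing the constructed sample paths; a non-zero exit from check_config or key_is_private names the setting to fix before systemctl start ocserv.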

Step 6: Start the Ocserv Service

Before clients can connect to the VPN, we need to start the Ocserv service.

Run the following command to start the service:

sudo systemctl start ocserv

To check if the service has started successfully, run the following command:

sudo systemctl status ocserv

If the service is up and running, the output should indicate so.

Conclusion

You have successfully installed Ocserv on Debian and configured it to allow secure client connections to your remote server through an SSL/TLS connection.