Introduction

This guide shows how to install and configure an OpenConnect VPN server on Ubuntu 24.04, secure it with a free Let's Encrypt TLS certificate, and connect clients. It also covers firewall/NAT, IPv6, and common troubleshooting steps.

• Protocol: Cisco AnyConnect-compatible (SSL VPN)
• Works with: OpenConnect (Linux/macOS/Windows/OpenWrt) and Cisco AnyConnect (Android/iOS)

Prerequisites

• An Ubuntu 24.04 server (VPS or dedicated) with a public IPv4 address
• A domain name pointed to your server's IP (e.g., vpn.example.com)
• Shell access with sudo privileges

Install ocserv

$ sudo apt update
$ sudo apt install -y ocserv

Check the service status:

$ sudo systemctl status ocserv --no-pager

By default, ocserv listens on TCP and UDP port 443. If a web server is using 443, you can change ocserv's port later in its configuration.

If a firewall is active, allow HTTP/HTTPS for certificate issuance:

$ sudo ufw allow 80,443/tcp

Install Certbot (Let's Encrypt client)

First, install snapd

$ sudo apt install snapd

Now install certbot with snap

$ sudo snap install --classic certbot

And finally, link in the Certbot binary so it can be run from anywhere

$ sudo ln -s /snap/bin/certbot /usr/bin/certbot

Obtain a Let's Encrypt certificate

Use the standalone method (no web server required):

sudo certbot certonly 
  --standalone 
  --preferred-challenges http 
  --agree-tos 
  --email [email protected] 
  -d vpn.example.com

This uses port 80 for the HTTP challenge. Ensure the DNS A record for vpn.example.com points to your server.

Certificates will be stored under /etc/letsencrypt/live/vpn.example.com/.

Set up an automated certificate renewal:

$ sudo crontab -e

Add this entry to run daily at 05:00:

0 5 * * * certbot renew --quiet && systemctl restart ocserv

Configure ocserv

Back up the current configuration, then edit /etc/ocserv/ocserv.conf:

$ sudo cp /etc/ocserv/ocserv.conf /etc/ocserv/ocserv.conf.bak-$(date +%F)
$ sudo nano /etc/ocserv/ocserv.conf

Start from the default configuration and make a few changes.

• Comment out the UDP port. You'll enable TCP BBR later to improve throughput:

  # TCP and UDP port number
  tcp-port = 443
  #udp-port = 443
  

• Replace the defaults with the paths to the Let's Encrypt server certificate and key files:

  server-cert = /etc/letsencrypt/live/vpn.example.com/fullchain.pem
  server-key  = /etc/letsencrypt/live/vpn.example.com/privkey.pem
  

• Limit the number of clients. A value of 0 means no limit (subject to internal maximums):

  max-clients = 0
  

• Set the default domain for clients:

  default-domain = vpn.example.com
  

• IP addressing — avoid common home LAN ranges by using a dedicated subnet:

  ipv4-network = 10.10.10.0
  ipv4-netmask = 255.255.255.0
  

• Enable IPv6 for clients:

  ipv6-network = fda9:4efe:7e3b:03ea::/48
  ipv6-subnet-prefix = 64
  

• Force all DNS through the VPN and set resolvers:

  tunnel-all-dns = true
  dns = 1.1.1.1
  dns = 1.0.0.1
  dns = 8.8.8.8
  

• Make the server the default gateway (use a default route and comment out specific routes):

  route = default
  
  #route = 10.0.0.0/8
  #route = 172.16.0.0/12
  #route = 192.168.0.0/16
  

Save and restart ocserv:

$ sudo systemctl restart ocserv

Check ocserv is running:

$ sudo systemctl status ocserv

Create VPN user accounts

Create users with ocpasswd (you'll be prompted for a password):

$ sudo ocpasswd -c /etc/ocserv/passwd <username>

Run the same command to reset a user's password.

Enable IP forwarding and TCP BBR

Create a sysctl configuration file:

$ echo "net.ipv4.ip_forward = 1" | sudo tee /etc/sysctl.d/60-custom.conf

# Optional: enable TCP BBR for better throughput/latency
$ echo "net.core.default_qdisc=fq" | sudo tee -a /etc/sysctl.d/60-custom.conf
$ echo "net.ipv4.tcp_congestion_control=bbr" | sudo tee -a /etc/sysctl.d/60-custom.conf

# Apply and persist
$ sudo sysctl -p /etc/sysctl.d/60-custom.conf

Configure NAT (masquerading) and forwarding with UFW

Install and enable UFW:

$ sudo apt install -y ufw
$ sudo ufw allow 22/tcp

Find your main network interface name:

$ ip addr

Edit /etc/ufw/before.rules and append a NAT section (replace eth0 with your interface):

$ sudo nano /etc/ufw/before.rules

Append at the end of the file:

# OpenConnect NAT table rules
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.10.10.0/24 -o eth0 -j MASQUERADE
COMMIT
# End OpenConnect rules

Allow forwarding for the VPN subnet (add the following after the # ok icmp code for FORWARD section):

# allow forwarding for trusted network
-A ufw-before-forward -s 10.10.10.0/24 -j ACCEPT
-A ufw-before-forward -d 10.10.10.0/24 -j ACCEPT

Enable or restart UFW:

sudo ufw enable # if not enabled
# or
sudo systemctl restart ufw

Verify NAT POSTROUTING:

$ sudo iptables -t nat -L POSTROUTING --line-numbers -n -v

Check VPN ports are opened

Check that 443/tcp is ALLOWED:

$ sudo ufw status

Connect from clients

Install the OpenConnect client (Ubuntu Desktop):

$ sudo apt install -y openconnect

Connect from the CLI (runs in the background with -b):

$ sudo openconnect -b vpn.example.com

Then enter username and password.

To stop the connection:

$ sudo pkill openconnect

Doing the above non-interactively:

echo -n 'your-password' | sudo openconnect -b vpn.example.com -u your-username --passwd-on-stdin

For a GUI use the NetworkManager plugin, which can be installed with:

$ sudo apt install -y network-manager-openconnect network-manager-openconnect-gnome

Conclusion

That's it. The above instructions should help you set up OpenConnect VPN on your own Webdock server.

Feel free to contact Webdock Support if you face any issues.