Introduction
This guide shows how to install and configure an OpenConnect VPN server on Ubuntu 24.04, secure it with a free Let's Encrypt TLS certificate, and connect clients. It also covers firewall/NAT, IPv6, and common troubleshooting steps.
- Protocol: Cisco AnyConnect-compatible (SSL VPN)
- Works with: OpenConnect (Linux/macOS/Windows/OpenWrt) and Cisco AnyConnect (Android/iOS)
Prerequisites
- An Ubuntu 24.04 server (VPS or dedicated) with a public IPv4 address
- A domain name pointed to your server's IP (e.g., vpn.example.com)
- Shell access with sudo privileges
Install ocserv
$ sudo apt update
$ sudo apt install -y ocserv
Check the service status:
$ sudo systemctl status ocserv --no-pager
By default, ocserv listens on TCP and UDP port 443. If a web server is using 443, you can change ocserv's port later in its configuration.
If a firewall is active, allow HTTP/HTTPS for certificate issuance:
$ sudo ufw allow 80,443/tcp
Install Certbot (Let's Encrypt client)
First, install snapd:
$ sudo apt install snapd
Now install certbot with snap:
$ sudo snap install --classic certbot
Finally, link the Certbot binary so it can be run from anywhere:
$ sudo ln -s /snap/bin/certbot /usr/bin/certbot
Obtain a Let's Encrypt certificate
Use the standalone method (no web server required):
$ sudo certbot certonly \
    --standalone \
    --preferred-challenges http \
    --agree-tos \
    --email you@example.com \
    -d vpn.example.com
This uses port 80 for the HTTP challenge. Ensure the DNS A record for vpn.example.com points to your server.
Certificates will be stored under /etc/letsencrypt/live/vpn.example.com/.
Set up automated certificate renewal:
$ sudo crontab -e
Add this entry to run daily at 05:00:
0 5 * * * certbot renew --quiet && systemctl restart ocserv
Note that certbot renew exits successfully even when no certificate was due, so this entry restarts ocserv (and drops any active VPN sessions) every morning. To restart only after an actual renewal, pass --deploy-hook "systemctl restart ocserv" to certbot renew instead.
Configure ocserv
Back up the current configuration, then edit /etc/ocserv/ocserv.conf:
$ sudo cp /etc/ocserv/ocserv.conf /etc/ocserv/ocserv.conf.bak-$(date +%F)
$ sudo nano /etc/ocserv/ocserv.conf
Start from the default configuration and make a few changes.
- Comment out the UDP (DTLS) port so all traffic runs over TCP 443. You'll enable TCP BBR later to improve throughput:
  # TCP and UDP port number
  tcp-port = 443
  #udp-port = 443
- Replace the defaults with the paths to the Let's Encrypt server certificate and key files:
  server-cert = /etc/letsencrypt/live/vpn.example.com/fullchain.pem
  server-key = /etc/letsencrypt/live/vpn.example.com/privkey.pem
- Limit the number of clients. A value of 0 means no limit (subject to internal maximums):
  max-clients = 0
- Set the default domain for clients:
  default-domain = vpn.example.com
- IP addressing: avoid common home LAN ranges by using a dedicated subnet:
  ipv4-network = 10.10.10.0
  ipv4-netmask = 255.255.255.0
- Enable IPv6 for clients. This is a ULA prefix, so clients get IPv6 inside the tunnel but no IPv6 internet access unless the server also routes or NATs a global prefix:
  ipv6-network = fda9:4efe:7e3b:03ea::/48
  ipv6-subnet-prefix = 64
- Force all DNS through the VPN and set resolvers:
  tunnel-all-dns = true
  dns = 1.1.1.1
  dns = 1.0.0.1
  dns = 8.8.8.8
- Make the server the default gateway (use a default route and comment out the specific routes):
  route = default
  #route = 10.0.0.0/8
  #route = 172.16.0.0/12
  #route = 192.168.0.0/16
Save and restart ocserv:
$ sudo systemctl restart ocserv
Check ocserv is running:
$ sudo systemctl status ocserv
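A pre-flight check for the settings above, written as an added example (not the guide's or ocserv's own tooling): it parses an ocserv.conf, confirms the certificate and key files are readable, that the UDP listener stays disabled, and that DNS and the default route go through the tunnel, reporting each missing setting. Function and script names are assumptions.

```shell
#!/bin/sh
# Added example (not part of ocserv or the original guide): validate the
# ocserv.conf edits made above. Run as root so the private key is readable:
#   sudo sh check_ocserv_conf.sh /etc/ocserv/ocserv.conf

# get_opt FILE KEY: print the value(s) of uncommented "KEY = value" lines,
# trailing whitespace stripped. Commented "#KEY = ..." lines are ignored.
get_opt() {
    sed -n -E "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*(.*)$/\1/p" "$1" \
        | sed -E 's/[[:space:]]+$//'
}

# check_ocserv_conf FILE: returns 0 if every check passes, 1 otherwise,
# printing one FAIL line per problem found.
check_ocserv_conf() {
    conf="$1"; fails=0
    fail() { echo "FAIL: $*"; fails=$((fails + 1)); }

    # TLS material: both files must be configured and readable.
    for key in server-cert server-key; do
        path="$(get_opt "$conf" "$key")"
        if [ -z "$path" ]; then fail "$key is not set"
        elif [ ! -r "$path" ]; then fail "$key is not readable: $path"
        fi
    done
    # The guide keeps TCP 443 and disables the UDP (DTLS) listener.
    [ "$(get_opt "$conf" tcp-port)" = 443 ] || fail "tcp-port is not 443"
    [ -z "$(get_opt "$conf" udp-port)" ] || fail "udp-port is still enabled"
    # Leak prevention: all DNS through the tunnel, at least one resolver set.
    [ "$(get_opt "$conf" tunnel-all-dns)" = true ] || fail "tunnel-all-dns is not true"
    [ -n "$(get_opt "$conf" dns)" ] || fail "no dns resolver configured"
    # Full-tunnel routing and a dedicated client subnet.
    get_opt "$conf" route | grep -qx default || fail "no 'route = default'"
    [ -n "$(get_opt "$conf" ipv4-network)" ] || fail "ipv4-network is not set"
    [ -n "$(get_opt "$conf" ipv4-netmask)" ] || fail "ipv4-netmask is not set"

    if [ "$fails" -eq 0 ]; then
        echo "OK: $conf passes all checks"
        return 0
    fi
    return 1
}

# When run directly with a path, check that file.
if [ "$#" -gt 0 ]; then check_ocserv_conf "$1"; fi
```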
Create VPN user accounts
Create users with ocpasswd (you'll be prompted for a password):
$ sudo ocpasswd -c /etc/ocserv/passwd <username>
Run the same command to reset a user's password.
Enable IP forwarding and TCP BBR
Create a sysctl configuration file:
$ echo "net.ipv4.ip_forward = 1" | sudo tee /etc/sysctl.d/60-custom.conf
# Optional: enable TCP BBR for better throughput/latency
$ echo "net.core.default_qdisc=fq" | sudo tee -a /etc/sysctl.d/60-custom.conf
$ echo "net.ipv4.tcp_congestion_control=bbr" | sudo tee -a /etc/sysctl.d/60-custom.conf
# Apply and persist
$ sudo sysctl -p /etc/sysctl.d/60-custom.conf
Configure NAT (masquerading) and forwarding with UFW
Install UFW and, before enabling it, allow SSH so you don't lock yourself out:
$ sudo apt install -y ufw
$ sudo ufw allow 22/tcp
Find your main network interface name:
$ ip addr
Edit /etc/ufw/before.rules and append a NAT section (replace eth0 with your interface):
$ sudo nano /etc/ufw/before.rules
Append at the end of the file:
# OpenConnect NAT table rules
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.10.10.0/24 -o eth0 -j MASQUERADE
COMMIT
# End OpenConnect rules
Allow forwarding for the VPN subnet (add the following in the filter section, after the "# ok icmp code for FORWARD" block):
# allow forwarding for trusted network
-A ufw-before-forward -s 10.10.10.0/24 -j ACCEPT
-A ufw-before-forward -d 10.10.10.0/24 -j ACCEPT
Enable UFW if it is not already enabled, or restart it to load the new rules:
$ sudo ufw enable   # if not enabled
# or
$ sudo systemctl restart ufw
Verify NAT POSTROUTING:
$ sudo iptables -t nat -L POSTROUTING --line-numbers -n -v
Check VPN ports are opened
Check that 443/tcp is ALLOWED:
$ sudo ufw status
Connect from clients
Install the OpenConnect client (Ubuntu Desktop):
$ sudo apt install -y openconnect
Connect from the CLI (runs in the background with -b):
$ sudo openconnect -b vpn.example.com
Then enter username and password.
To stop the connection:
$ sudo pkill openconnect
Doing the above non-interactively (note that the password then ends up in your shell history; feeding it from a root-only file on stdin instead is safer):
$ echo -n 'your-password' | sudo openconnect -b vpn.example.com -u your-username --passwd-on-stdin
For a GUI use the NetworkManager plugin, which can be installed with:
$ sudo apt install -y network-manager-openconnect network-manager-openconnect-gnome
Conclusion
That's it. The above instructions should help you set up OpenConnect VPN on your own Webdock server.
Feel free to contact Webdock Support if you face any issues.