Set Up an OpenConnect VPN Server on your Webdock Ubuntu Server

Last updated: August 19th 2025

Introduction

This guide shows how to install and configure an OpenConnect VPN server on Ubuntu 24.04, secure it with a free Let's Encrypt TLS certificate, and connect clients. It also covers firewall/NAT, IPv6, and common troubleshooting steps.

  • Protocol: Cisco AnyConnect-compatible (SSL VPN)
  • Works with: OpenConnect (Linux/macOS/Windows/OpenWrt) and Cisco AnyConnect (Android/iOS)

Prerequisites

  • An Ubuntu 24.04 server (VPS or dedicated) with a public IPv4 address
  • A domain name pointed to your server's IP (e.g., vpn.example.com)
  • Shell access with sudo privileges

Install ocserv

$ sudo apt update
$ sudo apt install -y ocserv

Check the service status:

$ sudo systemctl status ocserv --no-pager

By default, ocserv listens on TCP and UDP port 443. If a web server is using 443, you can change ocserv's port later in its configuration.

If a firewall is active, allow HTTP/HTTPS for certificate issuance:

$ sudo ufw allow 80,443/tcp

Install Certbot (Let's Encrypt client)

First, install snapd:

$ sudo apt install snapd

Now install certbot with snap:

$ sudo snap install --classic certbot

And finally, link in the Certbot binary so it can be run from anywhere:

$ sudo ln -s /snap/bin/certbot /usr/bin/certbot

Obtain a Let's Encrypt certificate

Use the standalone method (no web server required):

$ sudo certbot certonly \
  --standalone \
  --preferred-challenges http \
  --agree-tos \
  --email you@example.com \
  -d vpn.example.com

This uses port 80 for the HTTP challenge. Ensure the DNS A record for vpn.example.com points to your server.

Certificates will be stored under /etc/letsencrypt/live/vpn.example.com/.

Set up an automated certificate renewal:

$ sudo crontab -e

Add this entry to run daily at 05:00:

0 5 * * * certbot renew --quiet && systemctl restart ocserv

Configure ocserv

Back up the current configuration, then edit /etc/ocserv/ocserv.conf:

$ sudo cp /etc/ocserv/ocserv.conf /etc/ocserv/ocserv.conf.bak-$(date +%F)
$ sudo nano /etc/ocserv/ocserv.conf

Start from the default configuration and make a few changes.

  • Comment out the UDP port. You'll enable TCP BBR later to improve throughput:

    # TCP and UDP port number
    tcp-port = 443
    #udp-port = 443
    
  • Replace the defaults with the paths to the Let's Encrypt server certificate and key files:

    server-cert = /etc/letsencrypt/live/vpn.example.com/fullchain.pem
    server-key  = /etc/letsencrypt/live/vpn.example.com/privkey.pem
    
  • Limit the number of clients. A value of 0 means no limit (subject to internal maximums):

    max-clients = 0
    
  • Set the default domain for clients:

    default-domain = vpn.example.com
    
  • IP addressing — avoid common home LAN ranges by using a dedicated subnet:

    ipv4-network = 10.10.10.0
    ipv4-netmask = 255.255.255.0
    
  • Enable IPv6 for clients:

    ipv6-network = fda9:4efe:7e3b:03ea::/48
    ipv6-subnet-prefix = 64
    
  • Force all DNS through the VPN and set resolvers:

    tunnel-all-dns = true
    dns = 1.1.1.1
    dns = 1.0.0.1
    dns = 8.8.8.8
    
  • Make the server the default gateway (use a default route and comment out specific routes):

    route = default
    
    #route = 10.0.0.0/8
    #route = 172.16.0.0/12
    #route = 192.168.0.0/16
    

Save and restart ocserv:

$ sudo systemctl restart ocserv

Check ocserv is running:

$ sudo systemctl status ocserv
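To double-check the edits above before relying on the server, here is an added shell checker (not part of ocserv or of this guide) that reads a copy of ocserv.conf and flags any setting from this section that is missing or still at its default; the "home LAN range" test is a constructed heuristic for the advice above.

```shell
#!/usr/bin/env bash
# Added checker for the ocserv.conf edits made in this guide. It is not part of
# ocserv or of the original article; it only knows the key names used above.

# Print the effective value(s) of KEY in FILE, skipping commented-out lines.
conf_get() {
  sed -n -E "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*([^#]*[^#[:space:]]).*/\1/p" "$2"
}

# Report one failed check; always returns 1 so callers can chain with '||'.
ocfail() { echo "FAIL: $1"; return 1; }

# Check FILE against the settings this guide expects.
# Returns 0 when every check passes, 1 if any check fails.
check_ocserv_conf() {
  local f="$1" rc=0
  [ "$(conf_get tcp-port "$f")" = "443" ] \
    || ocfail "tcp-port should be 443" || rc=1
  [ -z "$(conf_get udp-port "$f")" ] \
    || ocfail "udp-port should be commented out (TCP only, BBR tuned later)" || rc=1
  case "$(conf_get server-cert "$f")" in
    /etc/letsencrypt/live/*/fullchain.pem) ;;
    *) ocfail "server-cert should be the Let's Encrypt fullchain.pem" || rc=1 ;;
  esac
  case "$(conf_get server-key "$f")" in
    /etc/letsencrypt/live/*/privkey.pem) ;;
    *) ocfail "server-key should be the Let's Encrypt privkey.pem" || rc=1 ;;
  esac
  [ "$(conf_get tunnel-all-dns "$f")" = "true" ] \
    || ocfail "tunnel-all-dns should be true" || rc=1
  [ -n "$(conf_get dns "$f")" ] \
    || ocfail "at least one dns resolver must be set" || rc=1
  # Exactly one active route line, and it must be 'default'; any extra
  # uncommented route line makes the captured value multi-line, so this fails.
  [ "$(conf_get route "$f")" = "default" ] \
    || ocfail "route should be 'default' with the specific routes commented out" || rc=1
  # Constructed heuristic for the 'avoid common home LAN ranges' advice above.
  case "$(conf_get ipv4-network "$f")" in
    "") ocfail "ipv4-network is not set" || rc=1 ;;
    192.168.*|10.0.0.*) ocfail "ipv4-network overlaps a common home LAN range" || rc=1 ;;
  esac
  return "$rc"
}

# Usage: check_ocserv_conf /etc/ocserv/ocserv.conf
```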

Create VPN user accounts

Create users with ocpasswd (you'll be prompted for a password):

$ sudo ocpasswd -c /etc/ocserv/passwd <username>

Run the same command to reset a user's password.

Enable IP forwarding and TCP BBR

Create a sysctl configuration file:

$ echo "net.ipv4.ip_forward = 1" | sudo tee /etc/sysctl.d/60-custom.conf

# Optional: enable TCP BBR for better throughput/latency
$ echo "net.core.default_qdisc=fq" | sudo tee -a /etc/sysctl.d/60-custom.conf
$ echo "net.ipv4.tcp_congestion_control=bbr" | sudo tee -a /etc/sysctl.d/60-custom.conf

# Apply and persist
$ sudo sysctl -p /etc/sysctl.d/60-custom.conf

Configure NAT (masquerading) and forwarding with UFW

Install and enable UFW:

$ sudo apt install -y ufw
$ sudo ufw allow 22/tcp

Find your main network interface name:

$ ip addr

Edit /etc/ufw/before.rules and append a NAT section (replace eth0 with your interface):

$ sudo nano /etc/ufw/before.rules

Append at the end of the file:

# OpenConnect NAT table rules
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.10.10.0/24 -o eth0 -j MASQUERADE
COMMIT
# End OpenConnect rules

Allow forwarding for the VPN subnet (add the following after the "# ok icmp code for FORWARD" section):

# allow forwarding for trusted network
-A ufw-before-forward -s 10.10.10.0/24 -j ACCEPT
-A ufw-before-forward -d 10.10.10.0/24 -j ACCEPT

Enable or restart UFW:

$ sudo ufw enable   # if not enabled
# or
$ sudo systemctl restart ufw

Verify NAT POSTROUTING:

$ sudo iptables -t nat -L POSTROUTING --line-numbers -n -v

Check VPN ports are opened

Check that 443/tcp is ALLOWED:

$ sudo ufw status

Connect from clients

Install the OpenConnect client (Ubuntu Desktop):

$ sudo apt install -y openconnect

Connect from the CLI (runs in the background with -b):

$ sudo openconnect -b vpn.example.com

Then enter username and password.

To stop the connection:

$ sudo pkill openconnect

Doing the above non-interactively:

$ echo -n 'your-password' | sudo openconnect -b vpn.example.com -u your-username --passwd-on-stdin

For a GUI use the NetworkManager plugin, which can be installed with:

$ sudo apt install -y network-manager-openconnect network-manager-openconnect-gnome

Conclusion

That's it. The above instructions should help you set up OpenConnect VPN on your own Webdock server.

Feel free to contact Webdock Support if you face any issues.
