Ocserv build server using Cisco Anyconnect


Some time ago, after the uproar over stolen Apple IDs, I decided to go back into jail and upgrade to iOS 9.0. That is all very well, but Shadowsocks can no longer be used, which left me quite envious of Android phones... Using Surge lets Shadowsocks run on iOS to get past the firewall.

In short, we still have to put the work into a VPN, which works out of the box on iOS. Today's VPN protocols have almost all been identified: although they are cryptographically secure, they cannot escape traffic-feature detection. After all, they were never designed to hide. Cisco's AnyConnect is the big daddy still standing, not because it is especially strong but because too many businesses depend on it, so it cannot be banned. It also reconnects automatically and can split domestic and foreign traffic, among many other benefits. The biggest point: you do not need to jailbreak.


I am using a Digital Ocean VPS running Ubuntu 15.04. The whole configuration below was recorded while I did it, so it is entirely feasible. However, system environments are complex and everyone's is different, so you may still need to adapt the specific steps!

0. Questions about PAC

It is often said that Cisco's AnyConnect cannot use a PAC file, because its mechanism is different: it is a VPN, not a proxy. So the method used in this article is to push route entries directly from the server. Because of a client limitation we can never push a complete routing table (only about 200 entries), which has always been a sore point with AnyConnect. That said, there is another way: for those who need a global VPN but still want to separate traffic by destination, Cisco has a corresponding approach.

That is, let it go through a proxy server.

You have a VPS in China as a front end, and that VPS connects to your foreign VPS with another tool such as Shadowsocks. Then you build ocserv on the China VPS and configure a PAC file for it, so ocserv routes according to your proxy rules. If you want to try this method, jump straight to the [Reference article] section at the bottom of the page and read "Let AnyConnect VPN use PAC for smart split routing".

1. Configure the environment

For this step refer to an article I wrote earlier, but only if this is a new VPS; otherwise skip it.

2. Set up OpenConnect Server

2.1 Download the source

Check the latest ocserv version here; you do not need to browse the FTP listing, just substitute the version number in the link path. For example, the latest version right now is 0.10.8, so write the address as ftp://ftp.infradead.org/pub/ocserv/ocserv-0.10.8.tar.xz. Good, now download the source:

2.2 Install dependencies

After downloading and extracting the code you need to install its dependencies. Some are required and some are optional; here we try to install all of them in case they are needed later. After all, it is only a dozen or so megabytes.

If there are no problems it can be installed; for example, my results looked like this:

2.3 Compile and install

Compile and install with make:
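The download, dependency and build commands of the original post did not survive on this page, so here is an added shell script (not the author's) that carries out steps 2.1 to 2.3 in one go. The URL pattern and the 0.10.8 version are the ones the post gives; the apt package names are my assumption of what ocserv 0.10.x wants on Ubuntu 15.04, and any library that `./configure` still reports as "no" is what you would need to add.

```bash
#!/bin/sh
# Added example: fetch, configure and build ocserv from the infradead FTP mirror.
# Version 0.10.8 is the one named on the page; package names are assumptions
# for Ubuntu 15.04 and should be checked against the ./configure summary.
set -eu

OCSERV_VERSION="${OCSERV_VERSION:-0.10.8}"

# Source URL for a given version (pattern given on the page).
ocserv_url() {
    printf 'ftp://ftp.infradead.org/pub/ocserv/ocserv-%s.tar.xz\n' "$1"
}

# Directory the tarball unpacks into.
ocserv_srcdir() {
    printf 'ocserv-%s\n' "$1"
}

# Build dependencies (assumed package names). Optional ones are included so
# that ./configure reports as few "no" lines as possible.
install_deps() {
    apt-get update
    apt-get install -y build-essential pkg-config autogen wget \
        libgnutls28-dev libwrap0-dev libpam0g-dev libdbus-1-dev \
        libreadline-dev libnl-route-3-dev libprotobuf-c-dev \
        libtalloc-dev libhttp-parser-dev libpcl1-dev libopts25-dev \
        libseccomp-dev
}

# Download, unpack, configure, compile and install (default prefix /usr/local).
build_ocserv() {
    version="$1"
    wget -O "ocserv-$version.tar.xz" "$(ocserv_url "$version")"
    tar -xJf "ocserv-$version.tar.xz"
    cd "$(ocserv_srcdir "$version")"
    ./configure
    make
    make install
    cd ..
}

# Only act when explicitly asked, so sourcing the file has no side effects.
# Usage: sh build-ocserv.sh build
if [ "${1:-}" = "build" ]; then
    install_deps
    build_ocserv "$OCSERV_VERSION"
fi
```

Run it as root on the VPS with the `build` argument; to build a different release, set `OCSERV_VERSION` in the environment rather than editing the URL by hand.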

3. Configure OpenConnect Server


3.1 Generate certificates

Install the certificate tool: apt-get install gnutls-bin

Create a CA certificate template named ca.tmpl in this directory and write the following into it:

Use certtool --generate-privkey --outfile ca-key.pem to generate the CA key;

use certtool --generate-self-signed --load-privkey ca-key.pem --template ca.tmpl --outfile ca-cert.pem to generate the CA certificate.

Then we generate the server certificate. Note that the cn entry must match your server's domain name or IP. The template is named server.tmpl and looks like this:

Use certtool --generate-privkey --outfile server-key.pem to generate the key;

use certtool --generate-certificate --load-privkey server-key.pem --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem --template server.tmpl --outfile server-cert.pem to generate the server certificate.

Move the certificates to the right place:
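The two template files and the move step did not survive on this page, so the following is an added script (mine, not the post's) that runs the whole of 3.1: it writes ca.tmpl and server.tmpl with the fields the ocserv manual uses, runs the certtool commands above, and copies the results into /etc/ocserv. The organisation name, the 3650-day lifetime, the target directory and the hostname passed on the command line are constructed values.

```bash
#!/bin/sh
# Added example: build a private CA and an ocserv server certificate with
# GnuTLS certtool. Template fields follow the ocserv manual; organisation,
# lifetime and CERT_DIR are constructed values.
set -eu

CERT_DIR="${CERT_DIR:-/etc/ocserv}"

# CA template: self-signed, allowed to sign certificates and CRLs.
ca_template() {
    cat <<'EOF'
cn = "VPN CA"
organization = "Example VPN"
serial = 1
expiration_days = 3650
ca
signing_key
cert_signing_key
crl_signing_key
EOF
}

# Server template. $1 must be the hostname or IP the client dials,
# otherwise AnyConnect refuses the certificate.
server_template() {
    printf 'cn = "%s"\n' "$1"
    cat <<'EOF'
organization = "Example VPN"
serial = 2
expiration_days = 3650
signing_key
encryption_key
tls_www_server
EOF
}

# ca.tmpl -> ca-key.pem, ca-cert.pem
make_ca() {
    ca_template > ca.tmpl
    certtool --generate-privkey --outfile ca-key.pem
    certtool --generate-self-signed --load-privkey ca-key.pem \
        --template ca.tmpl --outfile ca-cert.pem
}

# server.tmpl -> server-key.pem, server-cert.pem signed by the CA
make_server_cert() {
    server_template "$1" > server.tmpl
    certtool --generate-privkey --outfile server-key.pem
    certtool --generate-certificate --load-privkey server-key.pem \
        --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem \
        --template server.tmpl --outfile server-cert.pem
}

# Copy everything where ocserv.conf will look for it; private keys stay 0600.
# The CA key is kept there too because section 3.5 signs client certs with it.
install_certs() {
    mkdir -p "$CERT_DIR"
    cp ca-cert.pem ca-key.pem server-cert.pem server-key.pem "$CERT_DIR/"
    chmod 600 "$CERT_DIR/ca-key.pem" "$CERT_DIR/server-key.pem"
}

# Usage: sh certs.sh gen vpn.example.com   (hostname is a placeholder)
if [ "${1:-}" = "gen" ]; then
    make_ca
    make_server_cert "${2:?hostname or IP of the server}"
    install_certs
fi
```

The only value that matters to the client is the server `cn`: AnyConnect compares it with the address you type into the app, so use the same IP or domain name in both places.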

3.2 Prepare the configuration file

Put the configuration file in the default location where ocserv reads it:

The configuration file can be written by referring to the official manual, but here we focus on making sure the following entries are correct:
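The list of entries itself is missing from this page, so here is an added example (not the post's own file) of an ocserv.conf that covers the settings AnyConnect clients depend on, with a tiny helper to read values back for checking. The port, subnet, DNS server and the split-route prefix are constructed values to adjust for your VPS; the certificate paths match the script in section 3.1.

```bash
#!/bin/sh
# Added example: an ocserv.conf with the entries that must be right for
# AnyConnect clients. Port, subnet, DNS and the route prefix are constructed.
set -eu

ocserv_conf() {
    cat <<'EOF'
# Password auth against the file ocpasswd manages (section 3.3)
auth = "plain[/etc/ocserv/ocpasswd]"

# Port the client connects to; must match the IP:port typed into AnyConnect
tcp-port = 443
udp-port = 443

run-as-user = nobody
run-as-group = daemon
socket-file = /var/run/ocserv-socket

# Certificates from section 3.1; the server cn must match the host the
# client dials, otherwise AnyConnect refuses the connection
server-cert = /etc/ocserv/server-cert.pem
server-key = /etc/ocserv/server-key.pem
ca-cert = /etc/ocserv/ca-cert.pem

max-clients = 16
max-same-clients = 2
try-mtu-discovery = true
cisco-client-compat = true

# Tunnel addressing; the NAT rule in section 3.3 must cover this subnet
device = vpns
ipv4-network = 192.168.10.0
ipv4-netmask = 255.255.255.0
dns = 8.8.8.8

# Split routing: only listed prefixes go through the tunnel, and AnyConnect
# accepts at most around 200 such entries (section 0). 203.0.113.0/24 is a
# documentation prefix used here as a placeholder.
route = 203.0.113.0/255.255.255.0
EOF
}

# Value of one key in the generated file, for quick checks.
conf_value() {
    ocserv_conf | sed -n "s/^$1 = //p"
}

install_conf() {
    mkdir -p /etc/ocserv
    ocserv_conf > /etc/ocserv/ocserv.conf
}

# Usage: sh ocserv-conf.sh install
if [ "${1:-}" = "install" ]; then
    install_conf
fi
```

If you build from source the binary may look for its config under a different prefix, so it is safer to pass the path explicitly with `ocserv -c /etc/ocserv/ocserv.conf` rather than rely on the default.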

3.3 Test the server

Now we can test the server. Use the following command to create a test account:

If you are on Ubuntu, you can follow this article I wrote to enable NAT forwarding;

use iptables -t nat -L to verify that forwarding was enabled successfully:

Then we can start the service with ocserv -f -d 1!
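The account, NAT and verification commands for this step are not on the page, so here is an added script (not the author's) that does the three things in order: adds a test user with ocpasswd, enables forwarding plus a MASQUERADE rule for the tunnel subnet, checks the nat table for that rule, and finally starts ocserv in the foreground at debug level 1. The subnet, WAN interface, user name and config path are constructed values; the check function reads the `iptables -t nat -L -n` listing from stdin so it can be tried on a captured listing before touching the real one.

```bash
#!/bin/sh
# Added example: create a test account, enable NAT for the VPN subnet,
# verify the rule and run ocserv in debug mode. Subnet, WAN interface,
# user name and config path are constructed values.
set -eu

VPN_NET="${VPN_NET:-192.168.10.0/24}"   # must match ipv4-network/ipv4-netmask
WAN_IF="${WAN_IF:-eth0}"
OCSERV_CONF="${OCSERV_CONF:-/etc/ocserv/ocserv.conf}"

# Add (or update) a password entry in the file that auth = "plain[...]" names.
add_test_user() {
    ocpasswd -c /etc/ocserv/ocpasswd "$1"
}

# Turn on IPv4 forwarding and masquerade VPN traffic leaving the WAN interface.
enable_nat() {
    sysctl -w net.ipv4.ip_forward=1
    iptables -t nat -A POSTROUTING -s "$VPN_NET" -o "$WAN_IF" -j MASQUERADE
}

# Read an "iptables -t nat -L -n" listing on stdin; succeed only if a
# MASQUERADE rule whose source is the given subnet is present.
nat_rule_present() {
    grep '^MASQUERADE' | grep -qF -- " $1 "
}

# Constructed listing in the layout iptables prints, for a dry run of the check.
SAMPLE_NAT_LISTING='Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  192.168.10.0/24      0.0.0.0/0'

verify_nat() {
    if iptables -t nat -L -n | nat_rule_present "$VPN_NET"; then
        echo "NAT rule for $VPN_NET present"
    else
        echo "no MASQUERADE rule for $VPN_NET" >&2
        return 1
    fi
}

# Foreground, debug level 1, explicit config path (the command the post uses,
# plus -c so the right file is read regardless of the build prefix).
start_debug() {
    ocserv -f -d 1 -c "$OCSERV_CONF"
}

# Usage: sh test-server.sh setup [username]
if [ "${1:-}" = "setup" ]; then
    add_test_user "${2:-testuser}"
    enable_nat
    verify_nat
    start_debug
fi
```

Without the MASQUERADE rule the client connects fine but nothing beyond the VPS answers, which is the most common reason a first AnyConnect session "works" and then has no internet.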

Open Cisco AnyConnect on your phone and create a VPN; for the server address enter your VPS IP:port.

If you see the following output, the server should be running normally:

3.4 Optimize OpenConnect Server

Now that the server is up and running, we can tidy it up. First, write a startup script; after all, you do not want to start it in debug mode every time, do you?

If, like me, you use Ubuntu 15.04 rather than an older release, you need to refer to this article to get upstart back so the script below can be used.

Write the following into the job configuration file:

Then we can use service ocserv start and service ocserv stop to control the service.
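The author's upstart job is not on this page; the following is an added example (not the post's script) that generates one from a function so it can be inspected before installation. It assumes ocserv was installed with the default /usr/local prefix from section 2.3 and reads the config path from section 3.2; both paths are assumptions.

```bash
#!/bin/sh
# Added example: an upstart job for ocserv, written by a function so it can
# be reviewed before it is installed. Binary and config paths are assumptions.
set -eu

ocserv_upstart_job() {
    cat <<'EOF'
description "OpenConnect VPN server (ocserv)"

start on runlevel [2345]
stop on runlevel [!2345]

# restart on crash, but give up after 10 restarts within 60 seconds
respawn
respawn limit 10 60

# --foreground keeps ocserv attached so upstart can supervise it
exec /usr/local/sbin/ocserv --foreground --config /etc/ocserv/ocserv.conf
EOF
}

# "service ocserv start" looks for /etc/init/ocserv.conf
job_path() {
    printf '/etc/init/%s.conf\n' "$1"
}

install_upstart_job() {
    ocserv_upstart_job > "$(job_path ocserv)"
    initctl reload-configuration
}

# Usage: sh ocserv-upstart.sh install
if [ "${1:-}" = "install" ]; then
    install_upstart_job
fi
```

The `respawn limit` keeps a broken config from spinning the daemon in a tight restart loop; if `service ocserv start` immediately stops again, run the `exec` line by hand to see the error.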

3.5 Create a client certificate to save typing the password

Write the following:

Convert the certificate and key into PKCS12 format so AnyConnect can import it:

During this step you will be asked to enter a name and password for the certificate.

Then put the certificate somewhere it can be accessed directly, and import the user.p12 file into AnyConnect from its URL. The import is under the Certificates section of the Diagnostics tab. After a successful import, go to the VPN's Advanced settings and select this certificate in the certificate section.

Now, for the server to recognize this certificate, modify the configuration:

Then start it with service ocserv start and you are done!

4. Smart split routing

Normally, if your foreign VPS is stable and not slow, you can start enjoying life now! But our mission is not over yet: switching by hand can hardly be called smart, so let's use something ready-made.


But I did not write out the whole thing, only part of it; I mainly use it for Twitter.

That's it!


Reference articles:

Tinkering notes: setting up OpenConnect Server to give the iPhone a smoother network life

Let AnyConnect VPN use PAC for smart split routing



Original article written by Gerber drop-off:R0uter's Blog » Ocserv build server using Cisco Anyconnect

When reposting, please keep the source and this link: https://www.logcg.com/archives/1343.html

By R0uter's Blog

Unless otherwise stated, the articles I write are original; when reposting, please credit the link to this page and my name.


  1. Blogger, I have tried again and again and finally got stuck here: the following libraries show "no" for me. How do I add them to the build path? Thank you
    local talloc: no
    local protobuf-c: no
    local PCL library: no
    local libopts: no
    local http-parser: no

      1. I got myself into trouble because the whole library setup was patched together from Chinese online tutorials... barley

        After looking at the official README I finally got it working.

  2. R0uter:

    Hello there!

    I am a bit of a layman, so let me ask you something. I also use a Digital Ocean VPS, Ubuntu 15.04, the $5 per month plan. Before this I followed the post http://www.chedanji.com/ubuntu-shadowsocks/ to deploy Shadowsocks, and both my Android phone and PC can get through. Now that you are setting up this Cisco AnyConnect server masterpiece, can I do it too? Will it conflict with the earlier Shadowsocks?

    Hoping for a reply, thank you!

    1. Don't worry, just use it; my VPS now runs both without any problems! The only caveat: avoid port conflicts. Just keep that in mind and it's OK. But AnyConnect's speed on my side is not great, and I'm ready to uninstall it. I recommend the latest Surge!
