Ocserv build server using Cisco Anyconnect

Some time ago the appleID theft uproar,I determined to return to prison upgraded 9.0. This is just great,Shadowsocks can not be used。This concerned me quite envious of Android phones……Use Surge let go Shadowsocks iOSRealize Scientific Internet。

In short,We still have to work hard in the VPN, right up and down iOS。Today's VPN has been certified almost,Because although they cryptographic security,Could not help but feature detection - Well,After all, this thing saysNot to conceal born。Cisco currently touches me there is a big father alive anyconnect,It is not how strong,But with too many businesses,Can not ban,And,It also has automatic disconnection connection,Many of the benefits of automatic diversion of domestic and foreign demand - the largest point:You do not need to jailbreak。


I am usingDigital OceanThe VPS,Ubuntu 15.04 ,The whole configuration step is to side with the side of my record,It is entirely feasible,However, due to the complex system environment,Everyone is different,So when your specific operation may still need to be flexible to use!

0、Questions about PAC

We often say,Cisco's AnyConnect YesUnable to use PACof,Because of its different mechanism,Not the agent but the VPN,Therefore, the method used herein is the direct route entry number issued from the server - Because the client restrictions,We can not always issued a complete routing table (only 200 pieces),This is always the majority AnyConnect a heart disease。In short,In fact, there is another one way,For those who need a global vpn but want to distinguish the network business,Cisco still has a corresponding way。

That is to let go proxy server。?

That you have a demand of China as a pre-vps,And this vps use other tools such as Shadowsocks connected to your foreign vps,Then build ocserv in China vps,Then configure it pac file,Such ocserv will be based on your proxy strategies to achieve routing。In short,If you want to try this method,Please direct jump at the bottom of the page [Reference article] Section,“Venue Anyconnect VPN to use PAC smart shunt"This reference articles。

1、Configuration Environment

This step reference I wrote earlieran article- If you are new vps,Otherwise skip it -

2、Erection OpenConnectServer

2.1Download Source

See ocserv the latest version from here,You do not need to point to an FTP watching,Just replace the installation format link path on the line。For example, now the latest version is 0.10.8,Then you put the address written as: ftp://ftp.infradead.org/pub/ocserv/ocserv-0.10.8.tar.xz ,it is good,We now Download Source:

2.2 Installation depends

Download extract good code,You need to install the dependencies,These are needed,Some are optional,Here we try to install all the dependencies,In case of future need it too! After all, it's ten trillion size。

If there is no problem,It can be installed,For example, here are my results so:

2.3 Compile and install

Use the make command to compile and install:

3、配置 OpenConnectServer


Install Certificate Tools apt-get install gnutls-bin

Create a directory named in this that.TMPL CA certificate template,Write the following statement:

use certtool --generate-privkey --outfile that-key.estab CA key generation;

use certtool --generate-self-signed --load-privkey that-key.estab --template that.TMPL --outfile that-cert.estab Generated CA certificate;

Then we generate the server certificate,Note here that cn items must correspond to your server's domain name or IP,Template name is server.TMPL ,Follows:

use certtool --generate-privkey --outfile server-key.estab Generate the key;

use certtool --generate-certificate --load-privkey server-key.estab --load-that-certificate that-cert.estab --load-that-privkey that-key.estab --template server.TMPL --outfile server-cert.estab Generate server certificates;

The certificate is moved to the right place:

3.2 Prepare the configuration file

We put the configuration file default location ocserv read:

The configuration file can referenceOfficial HandbookTo write,But here we focus on to ensure that the following entries are correct:

3.3 Test Server

Now,Since we can test the server,Use the command to create a test account:

Also if you are using Ubuntu system,Then you can follow what I wroteThis articleTo open the NAT forwarding;

use iptables -t nat -L To verify the transponder is turned on success:

Then,We can use ocserv -f -d 1 Command to start the next service it!

Open the Cisco Anyconnect on your mobile phone to create a VPN,Add the server's IP is your vps IP:port

All right,If you see the following information,The server should be able to have a normal operation:

3.4 Optimization OpenConnectServer

All right,Since the server is ready to run up,Then we can optimize it,First of all,Write a script to start - after all,,Are not using debug mode every time you start is not it?

If you're like me using Ubuntu 15.04 Instead Older,Then you need to refer toThis articleTo retrieve what upstart can use the script below。

Write the following script in the configuration file:

Such,We can use service ocserv start and service ocserv stopTo control the service。

3.5 Create a client certificate,Enter the old password province

Write the following:

PKCS12 certificates and keys into a format,Good import Anyconnect:

During the certificate will ask you to enter the name and password。

Then you need to put this into place a certificate that can be accessed directly,Then the URL user.p12 file into AnyConnect,Specific location section under the Diagnostics tab page Certificates,After successfully imported,The Advanced Settings section of the VPN settings corresponding certificate section,This certificate to import。

Now,In order for the server to recognize this certificate,Let's modify the configuration:

Such,We use service ocserv start To start it you can!

4、Smart shunt

All right,usually,If you are a stable and does not slow the speed of foreign vps,Well, now you can start to enjoy life! but,Our mission has not ended with,Manual switching can not say is smart,We use the ready-made。


But I did not write the whole,He wrote only part of the inside - I mainly brush push -

All right,Right here!



Reference article:

Toss notes:Erection OpenConnect Server for iPhone provides smoother network life

Anyconnect VPN to use PAC smart shunt



Original article written by Gerber drop-off:R0uter's Blog » Ocserv build server using Cisco Anyconnect

Reproduced Please keep the source and description link:https://www.logcg.com/archives/1343.html

About the Author


The non-declaration,I have written articles are original,Reproduced, please indicate the link on this page and my name。


  1. ocserv -f -d 1 start service can be used normally。After running service ocserv start,Enter IP to connect to the server,After clicking continue,It says can't connect to server。what reason?

    1. Can you ping the server?
      Try curl? usually,gfw will block and block you as soon as you connect.,Try changing to a random port,And use a foreign server to run the client and connect to confirm whether it is gfw or the service is not paired.。

      Other,Make sure your port is accessible,such as server firewall,And if you use cloud services,Usually the platform itself has a default firewall,Maybe only port 22 is opened,Also open it。

      1. What is the difference between ocserv -f -d 1 and service ocserv start?
        ocserv -f -d 1 start,Mobile phone Cisco Anyconnect can log in with account and password,Can access external networks such as Google。It means there is no problem with the firewall port or anything like that.。
        Switch to service ocserv start start,connect to the server,After clicking continue,It says can't connect to server。

  2. Hello,would like to ask。
    After setting up the service with reference to your article,AnyConnect can connect,But after connecting, I can't access google.
    i tried
    telnet ip port and nc commands tested TCP and UDP
    iptables -t nat -L The result is also consistent with yours
    net.ipv4.ip_forward=1 no comment
    can you give me an idea,Thank you

    1. First look at where your server room is,let's say it's in the west,Then try it first, for example, if you can visit my blog,This way we can determine if you are dns polluted or not,dns pollution goes both ways,Not only for domestic,also for foreign。
      Then make sure to curl google on the server,Make sure the server itself is connected
      You telnet and the ip is through,It means that there is no problem with accessing the server locally,Then I guess it is very likely to be a problem with DNS resolution (especially if only blocked websites such as Google cannot be opened,Start with this

      In addition, tools such as wireguard may be much better than anyconnect now,After all, the latter should have been recognized and blocked by gfw by now…………

      1. my server,Use of IPSec that has been deployed,The server itself is fine。
        But IPSec has poor support for windows,Registry needs to be modified、DNS and group policy issues,I learned about ocserv a few days ago and wanted to try it。
        Who knew that another wireguard appeared,still narrow vision,First time hearing about this

        1. Based on my experience deploying this thing back in the day,gfw is see one seal one,Maybe your server was fine before,but he got this,started to interfere。That's why I gave up on it so quickly,it's just encrypted,not confused,It is generally difficult to live long。
          wireguard is relatively new,It's small code size but high performance,send packets using UDP,But in some operators there may be restrictions on UDP,The effect is not necessarily the best,But definitely better than AnyConnect。

  3. Bloggers seek advice finally make a mistake when turning back the next question should be out here some of these libraries are to me how to add them to the build path go? Thank you
    local talloc: no
    local protobuf-c: no
    local PCL library: no
    local libopts: no
    local http-parser: no

      1. Get yourself in trouble before the whole library is based on the Chinese online tutorial patchwork….barley

        See the next official readme finally get

  4. R0uter:

    Hello there!

    I am more layman,Ask you something,I also use the VPS Digital Ocean,Ubuntu 15.04 ,$ 5 monthly fee that paragraph,Before you follow the http://www.chedanji.com/ubuntu-shadowsocks/ this post deployed Shadowsocks , Android phones and PC can be turned,As you are now ready to build this masterpiece Cisco Anyconnect server,I can operate it? Previous Shadowsocks will conflict?

    Hope reply,Thank you!

    1. do not worry,Casually with,My vps now both ran without any problems! The only caveat is that:To avoid port conflicts。Just keep this in mind to ok。but,ac in my speed is not ye,I'm ready to unload it。Recommend the latest surge!

Leave a Reply

Your email address will not be published. Required fields are marked *