# DIY SSL VPN with Ocserv and an old SBC

Ocserv (the OpenConnect server) is an open source implementation of the SSL VPN protocol used by Cisco AnyConnect. It's easy to install from the Debian repo and there is an open source client to connect to it, OpenConnect, with a GUI at https://github.com/openconnect/openconnect-gui. It's also compatible with the official Cisco AnyConnect app, which makes it a pretty neat way to implement a free SSL VPN yourself as it's very easy to set up.

## Setup

I had an old Rock64 sitting around so I grabbed a copy of Armbian Bookworm from here: https://www.armbian.com/rock64/

After flashing with Etcher, nothing would display via HDMI on boot. Following https://forum.pine64.org/showthread.php?tid=5029 I was able to connect via a 3.3V serial adapter and complete the device setup, creating a username and password for the device. These devices are really not for beginners...

To set up ocserv, I partially followed this guide: https://www.linuxbabe.com/debian/openconnect-vpn-server-ocserv-debian-12-bookworm

Log in via SSH, then:

```
sudo bash
apt update
apt install ocserv
```

## Configuration

Passwords for users need to be made using ocserv's own tool, which writes a hashed entry to the password file referenced by the `auth` setting below:

```
ocpasswd -c /etc/ocserv/passwd myuser
```

Since I'm using the free subdomain forwarding service DuckDNS instead of my own domain I need to deviate from the guide. At the moment I don't want to play with setting up Let's Encrypt's certbot using TXT records, although it's possible:
https://github.com/maksimstojkovic/docker-letsencrypt

So I'm just going to use a self-signed cert:

```
apt install gnutls-bin
certtool --generate-privkey --outfile /etc/ocserv/server-key.pem
nano ca-cert.cfg
```

I then added:

```
organization = "myforwarder.duckdns.org"
cn = "Self Signed CA"
serial = 001
expiration_days = -1
ca
signing_key
cert_signing_key
crl_signing_key
```

and used that to sign my cert:

```
certtool --generate-self-signed --load-privkey /etc/ocserv/server-key.pem --template ca-cert.cfg --outfile /etc/ocserv/server-cert.pem
```

Note that this template produces a CA certificate (the `ca` flag; `expiration_days = -1` means it never expires) and then uses it directly as the server certificate. It carries no `dns_name`, so clients cannot validate it against a trusted CA or against the hostname; they have to trust its fingerprint when OpenConnect prompts on first connection, and that fingerprint is the only thing standing between you and a man-in-the-middle.

My ocserv.conf was made mostly following the guide above and looks like this:

```
auth = "plain[passwd=/etc/ocserv/passwd]"
tcp-port = 443
udp-port = 443
run-as-user = ocserv
run-as-group = ocserv
socket-file = /run/ocserv-socket
chroot-dir = /var/lib/ocserv
server-cert = /etc/ocserv/server-cert.pem
server-key = /etc/ocserv/server-key.pem
isolate-workers = true
max-clients = 1024
max-same-clients = 0
rate-limit-ms = 100
server-stats-reset-time = 604800
keepalive = 30
dpd = 90
mobile-dpd = 1800
switch-to-tcp-timeout = 25
try-mtu-discovery = true
cert-user-oid = 0.9.2342.19200300.100.1.1
tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1:-VERS-TLS1.3"
auth-timeout = 240
min-reauth-time = 300
max-ban-score = 80
ban-reset-time = 1200
cookie-timeout = 300
deny-roaming = false
rekey-time = 172800
rekey-method = ssl
use-occtl = true
pid-file = /run/ocserv.pid
log-level = 1
device = vpns
predictable-ips = true
default-domain = myforwarder.duckdns.org
ipv4-network = 10.10.10.0
ipv4-netmask = 255.255.255.0
tunnel-all-dns = true
dns = 8.8.8.8
ping-leases = false
cisco-client-compat = true
dtls-legacy = true
client-bypass-protocol = false
```

I didn't bother enabling IPv6.

```
systemctl restart ocserv
systemctl status ocserv
```

I also set up iptables manually instead of using ufw. `end0` is the Rock64's Ethernet interface name under Armbian; substitute your own. Installing `iptables-persistent` prompts to save the rules currently loaded, which is why the NAT rule goes in first:

```
iptables -t nat -A POSTROUTING -s 10.10.10.0/24 -o end0 -j MASQUERADE
apt install iptables-persistent
systemctl is-enabled netfilter-persistent.service
systemctl status netfilter-persistent.service
```

The kernel also needed some changes according to the guide:

```
nano /etc/sysctl.d/99-sysctl.conf
```

and added:

```
net.ipv4.ip_forward=1
net.core.default_qdisc=fq
net.ipv4.tcp_congestion_control=bbr
```

Then I rebooted to have the changes take effect:

```
reboot
```

I'm not sure if those kernel changes did anything for performance, but I added them anyway. (Of the three, `net.ipv4.ip_forward=1` is the one that is actually required: without it the box won't route VPN client traffic out to the LAN or internet at all. The fq/bbr lines only affect TCP performance.)

I then set up my router to give the Rock64 a static IP for its MAC address and forwarded port 443. Both TCP and UDP 443 need to be forwarded: with the config above the control channel and fallback run over TCP 443 and DTLS runs over UDP 443, so if only TCP is forwarded clients will work but silently fall back to TCP after `switch-to-tcp-timeout`.

## Result

Using openconnect on Linux I can connect to the VPN server.

```
sudo apt install openconnect
sudo openconnect -b myforwarder.duckdns.org
```

Speedtest.net reports 162 Mbps (my home internet gets gigabit speeds), which really isn't terrible for this old SBC. I can also connect using AnyConnect from my iPhone and get similar speeds.

Good enough for me, and useful for remoting into my house when on the go.
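The self-signed certificate step above works, but it leaves clients with nothing to verify except a fingerprint. The script below is an added example (not from the original post or the ocserv project) showing the certtool workflow a practitioner would normally use instead: a private CA kept off the VPN box, and a separate server certificate signed by it that carries the DuckDNS hostname in `dns_name`, so OpenConnect can validate both the chain and the hostname with `--cafile`. The hostname, the output directory, the lifetimes and the "Home VPN" names are assumptions; adjust them to your setup.

```sh
#!/bin/sh
# Added example (not from the original post): issue a private CA and a
# separate server certificate for ocserv with GnuTLS certtool, so clients
# validate the server by CA + hostname instead of trusting a raw
# self-signed cert. Hostname, paths and lifetimes below are assumptions.
set -eu

HOSTNAME_FQDN="${HOSTNAME_FQDN:-myforwarder.duckdns.org}"   # assumed DuckDNS name
OUT_DIR="${OUT_DIR:-./pki}"                                  # assumed working dir

# Template for the offline CA. Unlike the post's template it has a finite
# lifetime, and the CA key should never be copied onto the VPN box.
write_ca_template() {
    cat > "$1" <<EOF
organization = "Home VPN"
cn = "Home VPN Root CA"
serial = 1
expiration_days = 3650
ca
signing_key
cert_signing_key
crl_signing_key
EOF
}

# Template for the leaf. dns_name is what OpenConnect checks against the
# hostname you connect to; tls_www_server marks it as a server cert; no ca flag.
write_server_template() {
    cat > "$1" <<EOF
organization = "Home VPN"
cn = "$2"
dns_name = "$2"
serial = 2
expiration_days = 825
signing_key
encryption_key
tls_www_server
EOF
}

# Generate keys and certificates. Needs gnutls-bin; run it on a trusted machine.
issue_certs() {
    mkdir -p "$OUT_DIR"
    write_ca_template     "$OUT_DIR/ca.cfg"
    write_server_template "$OUT_DIR/server.cfg" "$HOSTNAME_FQDN"
    certtool --generate-privkey --key-type ecdsa --curve secp256r1 --outfile "$OUT_DIR/ca-key.pem"
    certtool --generate-self-signed --load-privkey "$OUT_DIR/ca-key.pem" \
             --template "$OUT_DIR/ca.cfg" --outfile "$OUT_DIR/ca-cert.pem"
    certtool --generate-privkey --key-type ecdsa --curve secp256r1 --outfile "$OUT_DIR/server-key.pem"
    certtool --generate-certificate --load-privkey "$OUT_DIR/server-key.pem" \
             --load-ca-certificate "$OUT_DIR/ca-cert.pem" --load-ca-privkey "$OUT_DIR/ca-key.pem" \
             --template "$OUT_DIR/server.cfg" --outfile "$OUT_DIR/server-cert.pem"
    # Sanity check: the leaf must chain to the CA. Also print the SPKI pin,
    # which is what `openconnect --servercert pin-sha256:...` expects.
    certtool --verify --load-ca-certificate "$OUT_DIR/ca-cert.pem" --infile "$OUT_DIR/server-cert.pem"
    certtool --certificate-info --infile "$OUT_DIR/server-cert.pem" | grep -A1 "Public Key PIN"
}

# Only touch certtool when explicitly asked; the template helpers are pure text.
if [ "${1:-}" = "issue" ]; then
    issue_certs
fi
```

Run it as `sh issue-certs.sh issue`, copy `server-cert.pem` and `server-key.pem` into `/etc/ocserv/` (they drop straight into the `server-cert` and `server-key` settings above), and hand `ca-cert.pem` to the clients: on Linux `openconnect --cafile ca-cert.pem myforwarder.duckdns.org` then verifies the chain and the hostname, and the CA can be installed as a trusted root on the phone for the AnyConnect app. If you would rather keep the post's single self-signed cert, the `Public Key PIN` line gives the value for `openconnect --servercert pin-sha256:...`, which at least makes the trust decision explicit instead of an interactive prompt.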
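The ocserv.conf above is long enough that it is easy to miss a setting that matters. As an added example (not part of the original post or of ocserv), here is a small checker that parses ocserv's `key = value` format, including repeated keys and quoted values, and flags the settings a reviewer would look at first: legacy TLS versions left enabled, workers running as root or outside the seccomp sandbox and chroot, banning disabled, unlimited sessions per user. The sample config is constructed from the settings shown on this page, and the severities and the defaults assumed for missing keys are this example's own choices, not ocserv's documented defaults.

```python
"""Added example (not from the original post): a small checker for ocserv.conf.

Parses the key = value format ocserv uses (repeatable keys such as `route`,
`#` comments, optional quotes) and reports settings worth a second look.
Severities and the defaults assumed for absent keys are this example's own
assumptions, not ocserv's compiled-in defaults.
"""
import re

# Constructed sample: the relevant subset of the config shown on this page.
SAMPLE_CONF = """
# auth and listeners
auth = "plain[passwd=/etc/ocserv/passwd]"
tcp-port = 443
udp-port = 443
run-as-user = ocserv
run-as-group = ocserv
chroot-dir = /var/lib/ocserv
isolate-workers = true
max-same-clients = 0
tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1:-VERS-TLS1.3"
min-reauth-time = 300
max-ban-score = 80
ban-reset-time = 1200
dns = 8.8.8.8
dtls-legacy = true
"""

LINE_RE = re.compile(r'^\s*([A-Za-z0-9_.-]+)\s*=\s*(.*?)\s*$')


def parse_ocserv_conf(text):
    """Return {key: [values]}, keeping repeated keys in order (ocserv allows several `route =`)."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()   # ocserv comments start with '#'
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            continue                          # not key = value: skip rather than guess
        key, val = m.group(1), m.group(2)
        if len(val) >= 2 and val[0] == val[-1] and val[0] in '"\'':
            val = val[1:-1]                   # strip matching quotes
        conf.setdefault(key, []).append(val)
    return conf


def first(conf, key, default=None):
    """First value of a key, or the caller's assumed default when the key is absent."""
    vals = conf.get(key)
    return vals[0] if vals else default


def check_ocserv_conf(conf):
    """Return a list of (severity, message) findings; an empty list means nothing was flagged."""
    findings = []
    prio = first(conf, 'tls-priorities', 'NORMAL')
    for old in ('SSL3.0', 'TLS1.0', 'TLS1.1'):
        if f'-VERS-{old}' not in prio:
            findings.append(('high', f'tls-priorities does not disable {old}'))
    if '-VERS-TLS1.3' in prio:
        findings.append(('info', 'tls-priorities disables TLS 1.3; the control channel tops out at TLS 1.2'))
    if first(conf, 'run-as-user', 'root') == 'root':
        findings.append(('high', 'run-as-user is root; worker processes should drop privileges'))
    if first(conf, 'isolate-workers', 'false').lower() != 'true':
        findings.append(('medium', 'isolate-workers is off (seccomp sandbox for workers)'))
    if 'chroot-dir' not in conf:
        findings.append(('medium', 'no chroot-dir set for the worker processes'))
    if first(conf, 'max-same-clients', '0') == '0':
        findings.append(('low', 'max-same-clients = 0 allows unlimited simultaneous sessions per user'))
    try:
        if int(first(conf, 'max-ban-score', '0')) == 0:
            findings.append(('medium', 'max-ban-score = 0 disables banning of brute-forcing IPs'))
    except ValueError:
        findings.append(('low', 'max-ban-score is not an integer'))
    auth = ' '.join(conf.get('auth', []))
    if auth.startswith('plain[') and 'certificate' not in auth:
        findings.append(('info', 'password-only auth; consider adding certificate authentication'))
    return findings


if __name__ == '__main__':
    for severity, message in check_ocserv_conf(parse_ocserv_conf(SAMPLE_CONF)):
        print(f'[{severity}] {message}')
```

Point it at the real file with `parse_ocserv_conf(open('/etc/ocserv/ocserv.conf').read())`. On the config from this page it reports only informational and low findings (TLS 1.3 disabled, unlimited sessions per user, password-only auth); a config with `run-as-user = root` or a bare `NORMAL` priority string comes back with several highs.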