Ocserv Certificates - letsencrypt

Author: Mauro Gaspari

###Scope This recipe provides a deployment example of letsencrypt to provide ssl certificates for ocserv.
This recipe does not claim to be a step-by-step guide or a letsencrypt tutorial, as there are plenty of those available online. Also, this recipe does not claim to be the best or most secure letsencrypt setup, but barely a starting point example for a GNU/Linux based router/firewall with Ocserv.

Platforms used for testing

This Recipe was tested on the following platforms:


net.ipv4.ip_forward = 1  

Details on lab used on this recipe

###Install let’s encrypt to manage certificates


apt-get install certbot

On older versions

yum install certbot  

Or, on latest versions

dnf install certbot  


zypper in shorewall certbot  

###Create certificates for ocserv

certbot certonly --standalone --preferred-challenges http --agree-tos --email your-email-address -d vpn.yourdomain.domain

NOTE1: closely monitor the output to find any issue with certificate creation.
NOTE2: make sure you have a valid dns A record to point “vpn.yourdomain.domain” to the public IP address configured of your wan.

###Setup auto renewal of certificates
Edit: /etc/crontab
Add this line to your crontab:

15 00 * * * root certbot renew --quiet && systemctl restart ocserv

###Configure openconnect server
Configure ocserv according to instructions on official site: https://ocserv.gitlab.io/www/recipes-ocserv-configuration-basic.html - Skip the certificate creation step, we are getting certificates from letsencrypt.
- Instead of generating certificates, link the location where your certificates are stored by letsencrypt: /etc/letsencrypt/live/vpn.yourdomain.domain

###restart openconnect server

service ocserv restart

Check status

service ocserv status

Appendix A. of shorewall recipe has configuration examples for letsencrypt. Refer to the recipe here: http://www.infradead.org/ocserv/recipes.html .

Conclusion and final notes

This concludes Ocserv Certificates - letsencrypt recipe. At this point Openconnect server should be configured with ssl certificates released by letsencrypt. Also, certificates will be automatically renewed with certbot.
If you want to learn more, you can find Ocserv recipes here: http://www.infradead.org/ocserv/recipes.html