How to install and set up OpenConnect VPN Server on Ubuntu 22.04 with Let's Encrypt
Step-by-step guide to installing OpenConnect VPN Server (ocserv) on Ubuntu 22.04 and obtaining a Let's Encrypt certificate.

How to install and set up OpenConnect Server (ocserv) on Ubuntu 22.04 with Let's Encrypt

In this article, we will learn how to set up OpenConnect VPN Server (ocserv) on Ubuntu 22.04 with Let's Encrypt certificates. This guide covers installation, configuration, security tips, and optimization of the VPN service.

 

What is covered in this technical guide?

This step-by-step technical guide shows how to set up OpenConnect (ocserv) on Ubuntu 22.04. It covers obtaining and managing Let's Encrypt certificates, secure configuration, firewall and NAT settings, user authentication, tips for connecting clients, and automating certificate renewal.

For sensitive environments such as trading, gaming or corporate access, choosing the right location and using servers with anti-DDoS protection is crucial. Our company offers 85+ global locations, anti-DDoS servers and a BGP network.

 

Prerequisites and location selection

Before you start, make sure that:

  • An Ubuntu 22.04 server on which you have root or sudo access.
  • A domain (e.g. vpn.example.com) that points to the server's IP address.
  • Ports 80 and 443 open on the firewall, so the Let's Encrypt certificate can be obtained.

Why is location important?

  • For traders and gamers, choosing a location with low ping (e.g. London, Frankfurt or Tokyo) is a priority.
  • Organizations may need multiple locations with BGP and CDN to increase stability.
  • For protection and stability, servers with anti-DDoS protection are recommended.

 

Installing ocserv and required packages

First, update the system and install the basic packages:

sudo apt update && sudo apt upgrade -y
sudo apt install ocserv certbot libnss3-tools -y

Recommended packages for the operational environment:

  • ufw or nftables for firewall management
  • fail2ban to protect against brute-force attacks
  • openssl or gnutls-bin if TLS testing is needed

 

Obtain a Let's Encrypt certificate (methods)

Two common ways to obtain the certificate:

Method A — Using nginx (if you have a web server)

If you already run nginx, create a virtual host for the domain and let certbot obtain the certificate with the nginx plugin:

sudo apt install nginx
sudo certbot --nginx -d vpn.example.com

Then, in the ocserv configuration file, specify the certificate path as follows:

server-cert = /etc/letsencrypt/live/vpn.example.com/fullchain.pem
server-key = /etc/letsencrypt/live/vpn.example.com/privkey.pem

Method B — standalone (if you don't have nginx)

Because ocserv listens on port 443 by default, you must temporarily stop ocserv or use a DNS challenge before running certbot standalone:

sudo systemctl stop ocserv
sudo certbot certonly --standalone -d vpn.example.com
sudo systemctl start ocserv

 

ocserv configuration — sample ocserv.conf

Main configuration file: /etc/ocserv/ocserv.conf. Example of key sections:

# ports
tcp-port = 443
udp-port = 443

# certificates
server-cert = /etc/letsencrypt/live/vpn.example.com/fullchain.pem
server-key = /etc/letsencrypt/live/vpn.example.com/privkey.pem

# network
default-domain = vpn.example.com
dns = 1.1.1.1
dns = 1.0.0.1
route = 0.0.0.0/0
no-route = 192.168.0.0/16

# limits
max-clients = 250
max-same-clients = 2

# security and performance
keepalive = 60
auth = "plain[passwd=/etc/ocserv/ocpasswd]"
compression = false
tls-priorities = "NORMAL:-VERS-TLS-ALL:+VERS-TLS1.2"
allow-roaming = true

Important notes: route = 0.0.0.0/0 gives a full tunnel (all client traffic goes through the VPN). For split tunneling, replace it with route entries for only the networks that must be reached through the VPN. compression = false is recommended for security reasons. The client address pool (the 10.10.10.0/24 assumed in the NAT section below) is set with ipv4-network and ipv4-netmask.

 

Firewall and NAT (IP forwarding) settings

Enabling IP forwarding:

sudo sysctl -w net.ipv4.ip_forward=1
echo "net.ipv4.ip_forward=1" | sudo tee -a /etc/sysctl.conf

Example iptables rules for NAT (assuming outgoing interface eth0 and internal network 10.10.10.0/24):

sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
sudo iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A FORWARD -s 10.10.10.0/24 -j ACCEPT

To preserve rules across reboots, use iptables-persistent or save config in nftables.

Example UFW commands:

sudo ufw allow 443/tcp
sudo ufw allow 443/udp
sudo ufw allow 80/tcp
sudo ufw enable

 

Authentication and user management

Simple method based on local passwd file:

sudo ocpasswd -c /etc/ocserv/ocpasswd alice

For LDAP/AD integration you can authenticate through PAM (set auth = "pam" in ocserv.conf).

For certificate-based authentication (X.509), generate a client key and a certificate signed by your own CA. The certificate must be issued by the CA that ocserv trusts via ca-cert in ocserv.conf, and the mode is enabled with auth = "certificate"; ca-cert.pem and ca-key.pem below are assumed names for that CA's certificate and private key:

sudo certtool --generate-privkey --outfile client-key.pem
sudo certtool --generate-certificate --load-privkey client-key.pem --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem --template client.tmpl --outfile client-cert.pem

To add 2FA, install libpam-google-authenticator and configure PAM in /etc/pam.d/ocserv.

 

Security, hardening, and optimization

  • Restrict TLS versions using tls-priorities.
  • Disable compression for security reasons (e.g. the CRIME attack).
  • Limit the number of simultaneous connections per user (max-same-clients).
  • Enable logging and resource monitoring.
  • Install and configure fail2ban to block repeated failed login attempts.

Simple fail2ban setup example:

[ocserv]
enabled = true
port = 443
filter = ocserv
logpath = /var/log/syslog
maxretry = 5

You also need to create a matching filter (/etc/fail2ban/filter.d/ocserv.conf) whose failregex matches the failed-login lines written by ocserv to the log.
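An added example of such a filter (not from the original article), with a self-check that runs offline against constructed syslog lines. The log message shape it matches is an assumption; confirm it against your real /var/log/syslog with fail2ban-regex before enabling the jail.

```shell
#!/bin/sh
# Added example: a fail2ban filter for ocserv authentication failures plus a
# self-check. ASSUMPTION: the message shape
#   ocserv[PID]: main[user]: IP:PORT user 'name' failed authentication
# is a constructed sample; verify it against your own /var/log/syslog with
#   fail2ban-regex /var/log/syslog /etc/fail2ban/filter.d/ocserv.conf

# failregex as written into /etc/fail2ban/filter.d/ocserv.conf.
# <HOST> is fail2ban's placeholder for the offending client IP.
FAILREGEX='ocserv\[[0-9]+\]: main[^:]*: <HOST>:[0-9]+ .*failed authentication'

# Print the complete filter file in fail2ban's INI format.
ocserv_filter_conf() {
    printf '[Definition]\nfailregex = ^.*%s.*$\nignoreregex =\n' "$FAILREGEX"
}

# Expand <HOST> to an IPv4 pattern (as fail2ban does) so grep -E can test it.
failregex_as_ere() {
    printf '%s\n' "$FAILREGEX" | sed 's/<HOST>/([0-9]{1,3}\\.){3}[0-9]{1,3}/'
}

# Return 0 if the given log line would count as a failure, 1 otherwise.
line_matches() {
    printf '%s\n' "$1" | grep -Eq "$(failregex_as_ere)"
}

# Constructed syslog excerpt: two ocserv failures from one client, one
# successful login, and an unrelated sshd failure that must not match.
sample_log() {
    cat <<'EOF'
Jan  5 10:00:01 vpn ocserv[1234]: main[alice]: 203.0.113.7:51234 user 'alice' failed authentication
Jan  5 10:00:03 vpn ocserv[1234]: main[alice]: 203.0.113.7:51240 user 'alice' failed authentication
Jan  5 10:00:09 vpn ocserv[1234]: main[bob]: 198.51.100.4:40001 user logged in
Jan  5 10:00:12 vpn sshd[999]: Failed password for root from 203.0.113.7 port 2222 ssh2
EOF
}

# Number of lines the jail would count against maxretry for this excerpt.
count_failures() {
    sample_log | grep -Ec "$(failregex_as_ere)"
}
```

Run `ocserv_filter_conf > /etc/fail2ban/filter.d/ocserv.conf` once the pattern has been confirmed against real log lines.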

 

Testing and connecting clients

Linux command line client with openconnect:

sudo apt install openconnect
sudo openconnect vpn.example.com

On a Linux desktop, use network-manager-openconnect; on Windows/macOS, use the OpenConnect GUI or a Cisco AnyConnect-compatible client.

To check the service status:

sudo systemctl status ocserv
sudo journalctl -u ocserv -f

 

Certificate renewal and maintenance automation

If you are using nginx or apache as a reverse proxy, certbot can usually renew the certificate without stopping the service, and reload ocserv after renewal:

sudo certbot renew --deploy-hook "systemctl reload ocserv"

If you are using the standalone method and ocserv is listening on 443, use either a DNS challenge or pre/post hooks that stop and start ocserv around the renewal (this causes a short outage for connected clients):

sudo certbot renew --pre-hook "systemctl stop ocserv" --post-hook "systemctl start ocserv"
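As an added example (not from the original article), a deploy hook that reloads ocserv only when the renewed lineage is the one referenced by server-cert in ocserv.conf, so renewals for other sites on the same host do not touch the VPN. It relies on the RENEWED_LINEAGE and RENEWED_DOMAINS variables certbot sets for deploy hooks; the install path is an assumption.

```shell
#!/bin/sh
# Added example, not part of the original article: a certbot deploy hook that
# reloads ocserv only when the renewed certificate is the one ocserv serves.
# certbot exports RENEWED_LINEAGE (e.g. /etc/letsencrypt/live/vpn.example.com)
# and RENEWED_DOMAINS to deploy hooks. Suggested install path (an assumption):
# /etc/letsencrypt/renewal-hooks/deploy/ocserv.sh, marked executable.

OCSERV_CONF="${OCSERV_CONF:-/etc/ocserv/ocserv.conf}"

# Print the value of the first "server-cert = ..." line in an ocserv.conf;
# commented-out lines and surrounding whitespace are ignored.
configured_cert_path() {
    sed -n 's/^[[:space:]]*server-cert[[:space:]]*=[[:space:]]*//p' "$1" |
        sed 's/[[:space:]]*$//' | head -n 1
}

# Return 0 when the configured server-cert lives in the renewed lineage dir.
cert_in_lineage() {
    conf="$1"
    lineage="${2%/}"            # tolerate a trailing slash
    cert="$(configured_cert_path "$conf")"
    [ -n "$cert" ] && [ "$(dirname "$cert")" = "$lineage" ]
}

# Hook body: returns 0 when ocserv was reloaded, 1 when the renewal concerned
# some other certificate on this host.
deploy_hook() {
    if cert_in_lineage "$OCSERV_CONF" "${RENEWED_LINEAGE:-}"; then
        logger -t ocserv-deploy "renewed ${RENEWED_DOMAINS:-?}, reloading ocserv"
        systemctl reload ocserv
        return 0
    fi
    logger -t ocserv-deploy "renewal of ${RENEWED_DOMAINS:-?} does not affect ocserv"
    return 1
}

# Only act when invoked by certbot (the variable is unset when run by hand).
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    deploy_hook
fi
```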

 

Practical tips and specialized cases for applications

  • Trading: Choose a server in the closest location for the lowest latency; trading-specific VPSs with port 443 and UDP/DTLS can be useful.
  • Gaming: Use split-tunneling to only send necessary traffic through the VPN and reduce gaming ping.
  • Artificial Intelligence and Rendering: Using GPU servers in the same region can reduce network load and latency.
  • Organizational Security: A combination of LDAP/AD, 2FA, monitoring, and anti-DDoS servers is recommended.

Our company provides high-performance cloud services, GPU servers, trading/gaming VPS, domain registration, CDN and a BGP network in 85+ global locations, so you can place the VPN close to your users and benefit from DDoS protection.

 

Conclusion

This guide practically covered the steps to set up OpenConnect (ocserv) on Ubuntu 22.04, from installation to obtaining a Let's Encrypt certificate, secure configuration, firewall and NAT, authentication, optimization, and renewal automation.

By observing security precautions such as modern TLS, disabled compression, connection limits, 2FA and fail2ban, you can provide a secure and reliable VPN service for teams, gamers, and traders.
