Step‑by‑Step Guide to Install and Configure ocserv VPN on CentOS

This tutorial walks you through installing ocserv, creating a CA and server certificates, configuring ocserv settings, adjusting kernel parameters, setting up iptables firewall rules, managing VPN users, and controlling the ocserv service on a CentOS server.

Raymond Ops

1. Install ocserv

# yum -y install epel-release
# yum -y install ocserv

2. Create certificates

2.1 Create the CA certificate template

# cd /etc/ocserv
# mkdir CA
# cd CA
# cat > ca.tmpl <<EOF
cn = "pugongying"
organization = "Test Qi"
serial = 1
expiration_days = -1
ca
signing_key
cert_signing_key
crl_signing_key
EOF

2.2 Generate CA private key

# certtool --generate-privkey --outfile ca-key.pem

2.3 Generate CA certificate

# certtool --generate-self-signed --load-privkey ca-key.pem \
    --template ca.tmpl --outfile ca-cert.pem

2.4 Create server private key

# certtool --generate-privkey --outfile server-key.pem

2.5 Create server certificate template (the cn must be the IP address or hostname that clients use to connect, since clients check it against the certificate)

# cat > server.tmpl <<EOF
cn = "192.168.56.24"
organization = "jq"
expiration_days = 36500
signing_key
encryption_key
tls_www_server
EOF

2.6 Generate server certificate

# certtool --generate-certificate --load-privkey server-key.pem \
    --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem \
    --template server.tmpl --outfile server-cert.pem

3. Create routing group directory

# mkdir -p /etc/ocserv/group
# ls -l /etc/ocserv/group

4. Modify ocserv configuration

Back up the original file, then edit /etc/ocserv/ocserv.conf (the egrep command below lists only the active, non-comment lines):

# cp /etc/ocserv/ocserv.conf{,_bak}
# egrep -v "^$|#" /etc/ocserv/ocserv.conf

Key settings (examples). Note that ipv4-network is the address pool handed to VPN clients, so it must be the same network referenced by the NAT and FORWARD firewall rules in section 7.3, and it must not overlap the server's own network:

auth = "plain[/etc/ocserv/ocpasswd]"
run-as-user = ocserv
run-as-group = ocserv
default-group-config = /etc/ocserv/group/Default
config-per-group = /etc/ocserv/group/
auto-select-group = false
socket-file = ocserv.sock
chroot-dir = /var/lib/ocserv
isolate-workers = true
max-clients = 16
max-same-clients = 2
keepalive = 32400
auth-timeout = 240
tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-VERS-SSL3.0"
server-cert = /etc/ocserv/CA/server-cert.pem
server-key = /etc/ocserv/CA/server-key.pem
ca-cert = /etc/ocserv/CA/ca-cert.pem
ipv4-network = 192.168.56.0/24
dns = 192.168.5.1
ping-leases = false
cisco-client-compat = true

5. Restart ocserv

# systemctl restart ocserv

6. User management

# ocpasswd -c /etc/ocserv/ocpasswd test
Enter password: ********
Re-enter password: ********
# cat /etc/ocserv/ocpasswd
test:*:$5$...$...

7. Configure firewall

7.1 Adjust kernel parameters

# cp /etc/sysctl.conf{,_bak}
# vim /etc/sysctl.conf
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv4.ip_forward = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.tcp_syncookies = 1
# ... (other sysctl settings as needed)
# sysctl -p

7.2 Install and enable iptables‑services

# yum install iptables-services
# service iptables start
# systemctl stop firewalld
# systemctl mask firewalld

7.3 iptables rules for VPN

Put the following into /etc/sysconfig/iptables (the file that iptables-restore loads below). The 192.168.5.0/24 subnet in the NAT and FORWARD rules must be the same network as ipv4-network in ocserv.conf. The ESTABLISHED,RELATED rules are required: without them the trailing DROP rules discard reply packets for the server's own outbound connections (INPUT) and for VPN clients' forwarded traffic (FORWARD).

*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.5.0/24 -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -i eth0 --dport 22 -j ACCEPT
-A INPUT -p tcp -i eth0 --dport 443 -j ACCEPT
-A INPUT -p udp -i eth0 --dport 443 -j ACCEPT
-A INPUT -i eth1 -j ACCEPT
-A INPUT -j DROP
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -s 192.168.5.0/24 -j ACCEPT
-A FORWARD -j DROP
-A OUTPUT -j ACCEPT
COMMIT
# iptables-restore < /etc/sysconfig/iptables
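The client pool in ocserv.conf (section 4), the cn in server.tmpl and the source subnets in the NAT/FORWARD rules above all have to agree, and this is easy to get wrong when the values are edited by hand. The following consistency check is added to this guide and is not part of the original tutorial or of ocserv itself: it parses the config and an iptables-save dump as text, and the embedded samples are constructed from the tutorial's own values; the function names, the hostname fallback and the finding messages are this example's own.

```python
import ipaddress
import re
# Constructed sample inputs that mirror the tutorial's values (not read from disk).
OCSERV_CONF = """\
ipv4-network = 192.168.56.0/24
dns = 192.168.5.1
"""
IPTABLES_RULES = """\
*nat
-A POSTROUTING -s 192.168.5.0/24 -o eth0 -j MASQUERADE
COMMIT
*filter
-A FORWARD -s 192.168.5.0/24 -j ACCEPT
-A FORWARD -j DROP
COMMIT
"""
SERVER_CN = "192.168.56.24"  # the cn used in server.tmpl

def parse_ocserv_conf(text):
    """Return {key: value} for 'key = value' lines; comments and quotes dropped."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        if "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            conf[key] = value.strip('"')
    return conf

def rule_sources(text, chain):
    """Subnets named by -s in the '-A <chain>' rules of an iptables-save dump."""
    pattern = re.compile(rf"^-A {chain} .*?-s\s+(\S+)")
    return [ipaddress.ip_network(m.group(1), strict=False)
            for m in map(pattern.match, text.splitlines()) if m]

def check_consistency(conf_text, rules_text, server_cn):
    """Return a list of findings; an empty list means config and firewall agree."""
    pool = ipaddress.ip_network(parse_ocserv_conf(conf_text)["ipv4-network"], strict=False)
    findings = []
    for chain in ("POSTROUTING", "FORWARD"):
        for subnet in rule_sources(rules_text, chain):
            if subnet != pool:
                findings.append(f"{chain} rule uses {subnet} but ipv4-network is {pool}")
    try:  # the server's own address must not sit inside the pool handed to clients
        if ipaddress.ip_address(server_cn) in pool:
            findings.append(f"server address {server_cn} lies inside the client pool {pool}")
    except ValueError:
        pass  # cn is a hostname, nothing to compare
    if "ESTABLISHED" not in rules_text:  # without it, replies to clients hit 'FORWARD -j DROP'
        findings.append("no ESTABLISHED,RELATED rule: return traffic will be dropped")
    return findings
```

Run against the tutorial's values the check reports four findings; once ipv4-network, the firewall subnets and the conntrack rules line up it returns an empty list.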

8. ocserv management commands

# occtl -n show status          # service status
# occtl -n show users           # online users
# occtl disconnect user <username>   # kick user by name
# occtl disconnect id <id>          # kick user by session id
# ocpasswd -c /etc/ocserv/ocpasswd -g <group> <user>   # add to group
# ocpasswd -c /etc/ocserv/ocpasswd -l <user>        # lock user
# ocpasswd -c /etc/ocserv/ocpasswd -u <user>        # unlock user
# ocpasswd -c /etc/ocserv/ocpasswd -d <user>        # delete user
Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.