What's new


ah nou nhy mou

Staff member
  • SikatPInoy Staff
  • medal 1
Modify OCServ Configuration File
In the next step, you need to make some changes into the ocserv default configuration file. Open the configuration file using the below command and make below-listed changes to the file

sudo vim ocserv.conf

In the opened file make the following changes, for easy searching, you can use /search keyword in vi editor

Find the line auth = “pam[gid-min=1000]” and replace it with the following
auth = “plain[/etc/ocserv/ocpasswd]”

Replace these two lines
server-cert = /etc/ssl/certs/ssl-cert-snakeoil.pem
server-key = /etc/ssl/private/ssl-cert-snakeoil.key
with the following lines
server-cert = /etc/ocserv/server-cert.pem
server-key = /etc/ocserv/server-key.pem

Change the value of
try-mtu-discovery from false to true
try-mtu-discovery = true

Change the DNS value from to
dns =

Remove the lines or place a # in front of following lines
route =
route =
no-route =

After making these changes, save and quit the VI editor using the keys Esc:wq

Create Password Open Connect Server
Next, you need to create a password file with details. Use the following command

sudo ocpasswd -c /etc/ocserv/ocpasswd samad

replace the value “samad” with your desired username

It will ask for the password and confirmation of passwordsetting up password
You need to make changes in the system control configuration file to allow forwarding. To do so, open the file in vi editor by using the following command

sudo vim /etc/sysctl.conf

Uncomment the line by deleting the # from #net.ipv4.ip_forward=1.

It should look like below

Save and exit the editor and activate the change by simply throwing the following command to putty box

sudo sysctl -p

IPTable Configuration
If the machine is new, you need to install the IP tables. Use the below command
sudo apt-get install iptables-persistent
installing IP tables

Now we will add SSL ports to the firewall’s accepted list. Just use the following commands for TCP and UDP connections respectively

sudo iptables -A INPUT -p tcp –dport 443 -j ACCEPT
sudo iptables -A INPUT -p udp –dport 443 -j ACCEPT

Enable NAT by using the following command

sudo iptables -t nat -A POSTROUTING -j MASQUERADE

Reconfigure the IP tables to make your changes persist across server reboots

sudo dpkg-reconfigure iptables-persistent
changing ip table configuration

I have found that the server is listening on port 443 before enabling the ocserver. The following command will list the list of sockets and can find the respective unit that is listening to the port
systemctl -all list-socketslistening to port
From the screenshot, you can see that the ocserv.socket is listening to the port 443, so I stopped it using the following command before continuing further.

sudo systemctl stop ocserv.socket

After killing you can enable ocserv by running the following command

sudo ocserv -c /etc/ocserv/ocserv.conf

You can verify that it is listening to 443 using the below command

sudo netstat -tulpn | grep 443