Installing OpenConnect on Oracle Linux 9 with PAM authentication based on local users
Enable IPv4 forwarding
echo "net.ipv4.ip_forward=1" > /etc/sysctl.d/0-ocserv.conf
sysctl -w net.ipv4.ip_forward=1
Install EPEL repository
dnf install epel-release
Install OpenConnect
dnf install ocserv
Generate a self-signed certificate and DH parameters
openssl req -x509 -newkey rsa:8192 -days 3650 -keyout /etc/ocserv/private.pem -out /etc/ocserv/public.pem -subj "/CN=$(uuidgen)/" -addext "subjectAltName=IP:1.2.3.4" -nodes
openssl dhparam -out /etc/ocserv/dh.pem 8192
Edit the /etc/ocserv/ocserv.conf file
auth = "pam"
tcp-port = 443
udp-port = 443
server-cert = /etc/ocserv/public.pem
server-key = /etc/ocserv/private.pem
dh-params = /etc/ocserv/dh.pem
max-clients = 0
max-same-clients = 0
log-level = 1
device = ocs
default-domain = domain.corp
ipv4-network = 192.168.100.0/24
dns = 10.10.1.1
route = 10.10.0.0/16
camouflage = true
camouflage_secret = "c767ccd0-9aa4-49dd-8d75-02bf6dca171b"
camouflage_realm = "0ff89d28-dd03-4d50-b538-455eef138daf"
Edit the /etc/pam.d/ocserv file
auth [success=ok default=die] pam_succeed_if.so quiet user ingroup vpn_users
auth [success=1 default=bad] pam_unix.so
auth [default=die] pam_faillock.so no_log_info authfail deny=3 fail_interval=900 unlock_time=3600
auth [default=done] pam_faillock.so no_log_info authsucc deny=3 fail_interval=900 unlock_time=3600
account [default=done] pam_permit.so
Create users
groupadd vpn_users
useradd --no-create-home --no-user-group --groups vpn_users test
passwd test
Note 1: group membership can be changed with the 'gpasswd' command
Note 2: the members of a group can be listed with the 'lid -g' command
Test authentication
pamtester -v ocserv test authenticate
faillock --user test
On a client PC, add the root certificate to the trusted CA store, install the AnyConnect application from the Microsoft Store and add a new VPN connection
VPN Provider - AnyConnect
Connection Name - AnyConnect
Hostname - https://1.2.3.4?c767ccd0-9aa4-49dd-8d75-02bf6dca171b
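As an added example that is not part of the original guide: a small POSIX shell script that checks an ocserv.conf and the ocserv PAM file for the settings this guide depends on (PAM auth, camouflage, certificate paths, the vpn_users group restriction and the pam_faillock lockout line) and derives the Hostname value for the AnyConnect client from the camouflage secret. It assumes the "key = value" layout shown above; the script name check_ocserv.sh and the argument order are my own choice.

```shell
#!/bin/sh
# Added example, not part of the original guide: checks an ocserv.conf and the
# ocserv PAM file for the settings this guide relies on, then derives the
# camouflaged client URL. Assumes the "key = value" layout shown above.

# conf_get FILE KEY -> value of KEY with surrounding double quotes removed
conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
        | head -n 1 | sed 's/^"\(.*\)"$/\1/'
}

# check_conf FILE -> 0 when every expected setting is present, else prints
# each problem and returns 1
check_conf() {
    rc=0
    [ "$(conf_get "$1" auth)" = "pam" ] || { echo 'auth must be "pam"'; rc=1; }
    [ "$(conf_get "$1" camouflage)" = "true" ] || { echo "camouflage is not enabled"; rc=1; }
    for key in server-cert server-key dh-params camouflage_secret camouflage_realm; do
        [ -n "$(conf_get "$1" "$key")" ] || { echo "$key is not set"; rc=1; }
    done
    return $rc
}

# check_pam FILE -> 0 when the group restriction and the lockout module are
# both present in /etc/pam.d/ocserv, else prints what is missing and returns 1
check_pam() {
    rc=0
    grep -q 'pam_succeed_if\.so.*ingroup[[:space:]]*vpn_users' "$1" \
        || { echo "vpn_users group restriction missing"; rc=1; }
    grep -q 'pam_faillock\.so.*authfail' "$1" \
        || { echo "pam_faillock authfail line missing (no lockout)"; rc=1; }
    return $rc
}

# client_url FILE IP -> the Hostname value to enter in the AnyConnect client:
# the camouflage secret is appended to the server address as a query string
client_url() {
    secret=$(conf_get "$1" camouflage_secret)
    [ -n "$secret" ] || { echo "camouflage_secret missing" >&2; return 1; }
    echo "https://$2?$secret"
}

# Usage: sh check_ocserv.sh /etc/ocserv/ocserv.conf /etc/pam.d/ocserv 1.2.3.4
if [ $# -eq 3 ]; then
    check_conf "$1" && check_pam "$2" && client_url "$1" "$3"
fi
```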