OS
CentOS Linux release 7.3.1611 (Core)
Install the EPEL repository
# yum install epel-release
Install ocserv
# yum install ocserv gnutls-utils
Configure ocserv
Create the certificate directory
# mkdir /etc/ocserv/cert
# cd /etc/ocserv/cert
Generating the CA (expiration_days = -1 in the template means the certificate never expires)
# cat << _EOF_ >ca.tmpl
cn = "VPN CA"
organization = "Big Corp"
serial = 1
expiration_days = -1
ca
signing_key
cert_signing_key
crl_signing_key
_EOF_
# certtool --generate-privkey --outfile ca-key.pem
# certtool --generate-self-signed --load-privkey ca-key.pem --template ca.tmpl --outfile ca-cert.pem
Generating a local server certificate
# cat << _EOF_ >server.tmpl
cn = "My server"
dns_name = "www.example.com"
organization = "MyCompany"
expiration_days = -1
signing_key
encryption_key
tls_www_server
_EOF_
# certtool --generate-privkey --outfile server-key.pem
# certtool --generate-certificate --load-privkey server-key.pem --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem --template server.tmpl --outfile server-cert.pem
Create the ssl directory in /etc/ocserv:
# mkdir /etc/ocserv/ssl/
Copy the CA certificate and the server key and certificate into it (the CA private key, ca-key.pem, stays in /etc/ocserv/cert and is not copied)
# cp ca-cert.pem server-key.pem server-cert.pem /etc/ocserv/ssl/
Modify /etc/ocserv/ocserv.conf
Here we want to authenticate against a password file, so open /etc/ocserv/ocserv.conf and find the following line:
auth = "pam"
comment it out and uncomment the following:
auth = "plain[passwd=/etc/ocserv/sample.passwd,otp=./sample.otp]"
then change it to:
auth = "plain[passwd=/etc/ocserv/passwd]"
also change the following lines:
server-cert = /etc/pki/ocserv/public/server.crt
server-key = /etc/pki/ocserv/private/server.key
ca-cert = /etc/pki/ocserv/cacerts/ca.crt
to this:
server-cert = /etc/ocserv/ssl/server-cert.pem
server-key = /etc/ocserv/ssl/server-key.pem
ca-cert = /etc/ocserv/ssl/ca-cert.pem
uncomment this line:
#ipv4-network = 192.168.1.0/24
add the DNS servers to hand to clients:
dns = 8.8.8.8
dns = 4.2.2.4
Configure firewall and routing
Set the iptables rules (the MASQUERADE rule assumes eth0 is the outbound interface; adjust it if yours differs)
# iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
# iptables -A FORWARD -s 192.168.1.0/24 -j ACCEPT
# iptables -A FORWARD -j REJECT
# iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE
Save the iptables rules
iptables-save > /etc/sysconfig/iptables
Restore the iptables rules on startup by adding the restore command below to /etc/rc.d/rc.local
vim /etc/rc.d/rc.local
iptables-restore < /etc/sysconfig/iptables
Enable IP forwarding
IP forwarding needs to be enabled, so open /etc/sysctl.conf:
# vim /etc/sysctl.conf
then add this line to it:
net.ipv4.ip_forward = 1
after that, run the following to apply the setting:
# sysctl -p
Create a VPN username and password
Create the password file
# touch /etc/ocserv/passwd
Create the user (here named test); ocpasswd prompts for the password
# ocpasswd -c /etc/ocserv/passwd -g default test
Start ocserv and enable it at boot
# systemctl start ocserv
# systemctl enable ocserv