How to configure ocserv with RADIUS
Ubuntu | 5-06-2025, 19:17 | sobir
In this article, we’ll configure ocserv (the OpenConnect VPN server) on Ubuntu 24.04 so that VPN users are authenticated against a RADIUS server.
1. Install ocserv from the Ubuntu package:
apt install ocserv -y
2. Back up the packaged ocserv config:
mv /etc/ocserv/ocserv.conf /etc/ocserv/ocserv.conf.bak
3. Create a new config file at /etc/ocserv/ocserv.conf with the following:
auth = "radius [config=/etc/radcli/radiusclient.conf,groupconfig=true]"
#auth = "plain[passwd=/etc/ocserv/passwd]"
tcp-port = 443
udp-port = 443
server-cert = /etc/letsencrypt/live/vpn.example.com/fullchain.pem
server-key = /etc/letsencrypt/live/vpn.example.com/privkey.pem
run-as-user = ocserv
run-as-group = ocserv
socket-file = /run/ocserv-socket
chroot-dir = /var/lib/ocserv
isolate-workers = true
max-clients = 0
max-same-clients = 2
rate-limit-ms = 100
server-stats-reset-time = 604800
keepalive = 600
dpd = 90
mobile-dpd = 1800
switch-to-tcp-timeout = 25
try-mtu-discovery = false
cert-user-oid = 0.9.2342.19200300.100.1.1
tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1:-VERS-TLS1.3"
auth-timeout = 240
min-reauth-time = 300
max-ban-score = 80
ban-reset-time = 1200
cookie-timeout = 300
deny-roaming = false
rekey-time = 172800
rekey-method = ssl
use-occtl = true
pid-file = /run/ocserv.pid
log-level = 1
device = vpns
predictable-ips = true
default-domain = example.com
ipv4-network = 192.168.100.0
ipv4-netmask = 255.255.255.0
dns = 8.8.8.8
dns = 1.1.1.1
ping-leases = false
route = 10.0.0.0/8
route = 172.16.0.0/12
route = 192.168.0.0/16
cisco-client-compat = true
dtls-legacy = true
client-bypass-protocol = false
4. Back up the packaged radcli config:
mv /etc/radcli/radiusclient.conf /etc/radcli/radiusclient.conf.bak
5. Create a new config file at /etc/radcli/radiusclient.conf with the following:
authserver 1.2.3.4
acctserver 1.2.3.4
servers /etc/radcli/servers
dictionary /etc/radcli/dictionary
default_realm
radius_timeout 10
radius_retries 3
bindaddr *
Replace 1.2.3.4 with the IP address of your RADIUS server.
6. Add your RADIUS server and its shared secret to /etc/radcli/servers (replace 1.2.3.4 with the server address and "secret" with the shared secret configured on the RADIUS server):
## Server Name or Client/Server pair Key
## ---------------- ---------------
#
#portmaster.elemental.net hardlyasecret
#portmaster2.elemental.net donttellanyone
#
## uncomment the following line for simple testing of radlogin
## with freeradius-server
#
#localhost/localhost testing123
1.2.3.4 secret
7. Restart the ocserv service so the new configuration takes effect:
systemctl restart ocserv
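After the restart it is worth confirming that the three files from steps 3, 5 and 6 actually agree with each other and that the shared secret is protected. The script below is an added example written for this article; it is not part of the original post and not code from the ocserv or radcli projects. It reads the files at the article's paths (override the OCSERV_CONF, RADCLI_CONF and RADCLI_SERVERS variables, which are this example's own names, to check copies elsewhere), checks that the auth line points at the radcli config, that every authserver/acctserver has a secret entry, that the servers file is not readable by other users, that the certificate and key exist, and that the secret is neither one of the placeholders on this page nor shorter than the 16 octets RFC 2865 prefers. It deliberately reports FAIL for the literal "secret" used as a placeholder in step 6.

```shell
#!/bin/sh
# Added example, not part of the original article or of ocserv/radcli:
# sanity checks for the configuration built in steps 3, 5 and 6.
# File locations default to the article's; override them through the
# environment (the variable names are this example's own) to check copies.

OCSERV_CONF="${OCSERV_CONF:-/etc/ocserv/ocserv.conf}"
RADCLI_CONF="${RADCLI_CONF:-/etc/radcli/radiusclient.conf}"
RADCLI_SERVERS="${RADCLI_SERVERS:-/etc/radcli/servers}"

# Value of "key = value" in ocserv.conf (first uncommented match).
ocserv_get() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" "$OCSERV_CONF" | head -n 1
}

# Value of "key value" in radiusclient.conf (whitespace separated).
radcli_get() {
    awk -v k="$1" '$1 == k { print $2; exit }' "$RADCLI_CONF"
}

# 1. ocserv must use the radius backend and point at the radcli config.
check_auth_backend() {
    auth=$(ocserv_get auth)
    case "$auth" in
        *radius*"config=$RADCLI_CONF"*) return 0 ;;
    esac
    echo "auth is not 'radius [config=$RADCLI_CONF,...]': $auth" >&2
    return 1
}

# 2. authserver and acctserver each need a shared-secret entry in the
#    servers file (an optional :port suffix is ignored for the lookup).
check_server_secret_present() {
    for key in authserver acctserver; do
        host=$(radcli_get "$key")
        [ -n "$host" ] || { echo "$key is not set in $RADCLI_CONF" >&2; return 1; }
        host=${host%%:*}
        awk -v h="$host" '$1 !~ /^#/ && $1 == h && NF >= 2 { found = 1 }
                          END { exit !found }' "$RADCLI_SERVERS" ||
            { echo "no secret for $host in $RADCLI_SERVERS" >&2; return 1; }
    done
}

# 3. The servers file holds the shared secret, so "other" must have no access.
check_servers_perms() {
    other=$(ls -l "$RADCLI_SERVERS" 2>/dev/null | cut -c8-10)
    [ "$other" = "---" ] ||
        { echo "$RADCLI_SERVERS is accessible to other users (other bits: $other)" >&2; return 1; }
}

# 4. Reject placeholder secrets (the article's "secret" and the ones in the
#    packaged file) and secrets shorter than the 16 octets RFC 2865 prefers.
check_secret_not_placeholder() {
    host=$(radcli_get authserver); host=${host%%:*}
    secret=$(awk -v h="$host" '$1 == h { print $2; exit }' "$RADCLI_SERVERS")
    case "$secret" in
        ""|secret|testing123|hardlyasecret|donttellanyone)
            echo "shared secret for $host is a placeholder" >&2; return 1 ;;
    esac
    [ "${#secret}" -ge 16 ] ||
        { echo "shared secret for $host is shorter than 16 characters" >&2; return 1; }
}

# 5. The certificate and key named in ocserv.conf must exist and be readable.
check_tls_files() {
    for key in server-cert server-key; do
        f=$(ocserv_get "$key")
        [ -n "$f" ] && [ -r "$f" ] ||
            { echo "$key: '$f' is missing or unreadable" >&2; return 1; }
    done
}

# Run every check, print one line per result, return 1 if any failed.
run_checks() {
    rc=0
    for c in check_auth_backend check_server_secret_present check_servers_perms \
             check_secret_not_placeholder check_tls_files; do
        if "$c"; then echo "ok   $c"; else echo "FAIL $c"; rc=1; fi
    done
    return $rc
}

# Run the checks when executed as a script; set OCSERV_CHECK_DEFINE_ONLY=1 to
# only define the functions (e.g. when sourcing this file from another script).
if [ "${OCSERV_CHECK_DEFINE_ONLY:-0}" != 1 ]; then
    run_checks || echo "one or more checks failed; fix the FAIL lines above" >&2
fi
```

Save it as check-ocserv-radius.sh and run it as root with `sh check-ocserv-radius.sh` after step 7; each FAIL line names the file and setting to fix. The permission check looks only at the "other" bits because that is what matters for a secret stored in /etc; tighten the group bits as well if your policy requires it.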