
How to configure ocserv with RADIUS


In this article, we’ll configure ocserv (OpenConnect VPN server) with RADIUS authentication for user access on Ubuntu 24.04.

1. Install the ocserv package:
apt install ocserv -y

2. Back up the existing ocserv config:
mv /etc/ocserv/ocserv.conf /etc/ocserv/ocserv.conf.bak

3. Create a new config file at /etc/ocserv/ocserv.conf with the following:
auth = "radius [config=/etc/radcli/radiusclient.conf,groupconfig=true]"
#auth = "plain[passwd=/etc/ocserv/passwd]"
tcp-port = 443
udp-port = 443
server-cert = /etc/letsencrypt/live/vpn.example.com/fullchain.pem
server-key = /etc/letsencrypt/live/vpn.example.com/privkey.pem
run-as-user = ocserv
run-as-group = ocserv
socket-file = /run/ocserv-socket
chroot-dir = /var/lib/ocserv
isolate-workers = true
max-clients = 0
max-same-clients = 2
rate-limit-ms = 100
server-stats-reset-time = 604800
keepalive = 600
dpd = 90
mobile-dpd = 1800
switch-to-tcp-timeout = 25
try-mtu-discovery = false
cert-user-oid = 0.9.2342.19200300.100.1.1
tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1:-VERS-TLS1.3"
auth-timeout = 240
min-reauth-time = 300
max-ban-score = 80
ban-reset-time = 1200
cookie-timeout = 300
deny-roaming = false
rekey-time = 172800
rekey-method = ssl
use-occtl = true
pid-file = /run/ocserv.pid
log-level = 1
device = vpns
predictable-ips = true
default-domain = example.com
ipv4-network = 192.168.100.0
ipv4-netmask = 255.255.255.0
dns = 8.8.8.8
dns = 1.1.1.1
ping-leases = false
route = 10.0.0.0/8
route = 172.16.0.0/12
route = 192.168.0.0/16
cisco-client-compat = true
dtls-legacy = true
client-bypass-protocol = false

4. Back up the existing radcli config:
mv /etc/radcli/radiusclient.conf /etc/radcli/radiusclient.conf.bak

5. Create a new config file at /etc/radcli/radiusclient.conf with the following:
authserver      1.2.3.4
acctserver      1.2.3.4
servers         /etc/radcli/servers
dictionary      /etc/radcli/dictionary
default_realm
radius_timeout  10
radius_retries  3
bindaddr        *

Replace 1.2.3.4 with the IP address of your RADIUS server.

6. Add your RADIUS server and its shared secret to /etc/radcli/servers:
## Server Name or Client/Server pair            Key
## ----------------                             ---------------
#
#portmaster.elemental.net                       hardlyasecret
#portmaster2.elemental.net                      donttellanyone
#
## uncomment the following line for simple testing of radlogin
## with freeradius-server
#
#localhost/localhost                            testing123
1.2.3.4 secret

Replace 1.2.3.4 with the IP address of your RADIUS server and secret with the shared secret configured on that server for this client.

7. Restart the ocserv service:
systemctl restart ocserv
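Before restarting, it is worth confirming that the three files written above agree with each other. The following checker is an added example, not part of this article or of ocserv/radcli: it parses ocserv.conf, radiusclient.conf and the servers file (constructed inline here, mirroring the files above), verifies that the auth line points the radius module at a config file, that every authserver/acctserver has a shared secret, that the secret is not a stock placeholder, and reports which TLS versions the tls-priorities string disables. The 16-character secret floor and the placeholder list are this example's own policy.

```python
import re
# Constructed sample inputs mirroring the three files from this article, trimmed to the
# lines the checks need; a real run would read /etc/ocserv/ocserv.conf and /etc/radcli/*.
OCSERV_CONF = """\
auth = "radius [config=/etc/radcli/radiusclient.conf,groupconfig=true]"
tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1:-VERS-TLS1.3"
dns = 8.8.8.8
dns = 1.1.1.1
"""
RADCLI_CONF = "authserver 1.2.3.4\nacctserver 1.2.3.4\nservers /etc/radcli/servers\ndefault_realm\n"
RADCLI_SERVERS = "## Server Name or Client/Server pair  Key\n#localhost/localhost  testing123\n1.2.3.4 secret\n"
# Stock examples from the radcli servers file plus the stand-in used in this article.
PLACEHOLDER_SECRETS = {"secret", "testing123", "hardlyasecret", "donttellanyone"}
def _entries(text):
    """Yield non-empty lines with '#' comments stripped (all three files use '#')."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield line
def parse_ocserv(text):
    """ocserv.conf is 'key = value'; repeated keys such as dns and route collect into a list."""
    conf = {}
    for line in _entries(text):
        key, _, value = line.partition("=")
        conf.setdefault(key.strip(), []).append(value.strip().strip('"'))
    return conf
def parse_radcli(text):
    """radiusclient.conf and the servers file are whitespace-separated 'key value' lines."""
    conf = {}
    for line in _entries(text):
        parts = line.split(None, 1)
        conf[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return conf
def audit(ocserv_text, radcli_text, servers_text):
    """Return findings as strings; an empty list means the three files agree and look sane."""
    oc, rc, secrets = parse_ocserv(ocserv_text), parse_radcli(radcli_text), parse_radcli(servers_text)
    findings = []
    match = re.search(r"radius\s*\[(.*)\]", oc.get("auth", [""])[0])
    if not match or "config=" not in match.group(1):
        findings.append("auth: ocserv is not using the radius module with a config= path")
    roles = {role: rc.get(role, "") for role in ("authserver", "acctserver")}
    findings += [f"{role}: not set in radiusclient.conf" for role, srv in roles.items() if not srv]
    for server in sorted(set(filter(None, roles.values()))):  # same host in both roles is checked once
        if server not in secrets:
            findings.append(f"servers: no shared secret for {server}")
        elif secrets[server] in PLACEHOLDER_SECRETS or len(secrets[server]) < 16:  # 16 is this check's own floor
            findings.append(f"servers: secret for {server} is a placeholder or shorter than 16 chars")
    for version in ("TLS1.2", "TLS1.3"):
        if f"-VERS-{version}" in oc.get("tls-priorities", [""])[0]:
            findings.append(f"tls-priorities: {version} is disabled")
    return findings
```

Run against the article's own values it reports the placeholder secret and that the tls-priorities string above turns off TLS 1.3; with a real secret in /etc/radcli/servers and -VERS-TLS1.3 removed it returns no findings.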
5-06-2025, 19:17