OpenConnect VPN server, or
ocserv, is an SSL VPN server compatible with Cisco AnyConnect.
It can easily be installed in a cheap OpenVZ Virtual Private Server (VPS) with TUN capability.
However, most online tutorials for installing OpenConnect VPN server rely on
certtool to generate a self-signed certificate via OpenSSL.
Afterwards, since the self-signed certificate is not trusted by operating systems, either the VPN client must be configured to skip certificate checking, or the self-signed certificate must be imported as a trusted certificate on the VPN client machine.
Both practices are insecure.
Bypassing certificate checking would allow an attacker to impose as the VPN server.
Importing a trusted certificate does not seem wrong at first, but in case the private key is compromised, an attacker would be able to impose as any server to the client, including online shopping and bank websites, using a certificate signed by that private key.
Remember that the self-signed certificate's private key is stored on the VPS filesystem, it is much less secure than Hardware Security Modules used at real CAs to store private keys, and therefore it is a bad idea to trust such certificates in client machines.
Let's Encrypt is a free, automated, and open Certificate Authority (CA).
It allows anyone to obtain a domain-verified certificate within minutes, and without paying anything.
Certificates from Let's Encrypt are trusted by most modern operating systems.
They are ideal for securing an OpenConnect VPN server.
This article explains how to request a proper trusted certificate from Let's Encrypt for use with
ocserv, how to install OpenConnect VPN Server and use the Let's Encrypt certificate, and how to configure Cisco AnyConnect client to connect to
These steps are verified with an OpenVZ Ubuntu 16.04 64bit VPS provided by SecureDragon.
It is required to enable TUN devices for the VPS, typically through a button in SolusVM or other control panel provided by the hosting company.
Request Let's Encrypt Certificate for OpenConnect VPN Server
Before requesting a certificate from Let's Encrypt, you must have a Virtual Private Server with an IPv4 address, and have a domain name (could be subdomain) resolved to the server so that you are able to ping the server via the domain name.
A year ago, a Kickstarter campaign CHIP - The World's First Nine Dollar Computer caught my attention: it's a $9 computer smaller than a banana.
Unlikely the Raspberry Pi, it comes with onboard storage so I don't need to buy a separate SD card, it has WiFi instead of wired Ethernet so I don't have to run wires everywhere, and it is compatible with my existing VGA monitor through a $10 adaptor so I don't have to buy another HDMI monitor.
Therefore, I snapped two of these little computer along with one VGA adapter during the campaign.
During the whole year of waiting, Next Thing Co sends me regular email updates on the development progress, with each email ending with mmmtc (much much more to come) and a lot of hearts.
NTC also clarified that C.H.I.P is strictly B.Y.O.B.
Finally, my pair of CHIPs and a VGA DIP arrived in my mailbox on Jun 16.
An hour later, yoursunny.com homepage is displayed on its Debian desktop.
A few more hours later, I start to discover a limitation of C.H.I.P software:
The Linux kernel comes with CHIP operating system has very limited features.
$ sudo modprobe fuse
modprobe: FATAL: Module fuse not found.
Obviously, the solution to this problem is to compile my own Linux kernel with more features.
The compilation can be done on the C.H.I.P itself.
I managed to do that when the CHIP is powered by a 5V 1A phone charger plus a 1500mAh LiPo battery.
I had the compilation running under
screen(1) and attended to it intermittently, and finished in a day.
Recently I'm doing some heavy research work.
One part of my work involves invoking a simulation script with different inputs and parameters and then an analysis script to analyze the simulation output.
At first, this is an easy bash loop:
My laptop comes with Windows, like most other laptops in the market.
But as a computer science student, I need to use Linux from time to time.
The laptop manufacturer advised me not to install Linux directly on this laptop.
Although this would not void my warranty, they would not provide technical support or supply device drivers if I install Linux.
Therefore, I turned into VirtualBox, a hypervisor that allows me to run Linux in a virtual machine, alongside the Windows installation.
I'm also a heavy user of Dropbox, a file hosting service that can synchronize my documents among all my device.
I have Dropbox clients installed everywhere, including the Windows of this laptop, and the Linux virtual machine.
When I edit a file, the Dropbox client uploads this file to the cloud, and then the Dropbox clients on all other devices download the file from the cloud.
One day, there's a congestion on my apartment's WiFi hotspot, and I notice that the Dropbox synchronization between Windows and the Linux virtual machine is having significant delay: every update travels a long way to the cloud, and then comes back.
I also realize that, in my setup, the entire Dropbox contents are duplicated twice: it has one copy in Windows, and another copy in Linux virtual machine.
Although having multiple copies is usually a good thing because you have more redundancy, having multiple copies on the same hard drive is not useful.
Can I eliminate the synchronization delay and the redundant copy?
VirtualBox Shared Folder
VirtualBox has a nifty feature, shared folders, which allows files of the host system to be accessed within a guest system.
In my setup, I could use this feature to access the Dropbox on Windows within the Linux virtual machine.