Install Cisco anyconnect VPN on Debian 9 with SSL ready

Environment: Debian9

Installation step

// Step 1 - Install openconnect VPN package
apt update
apt install ocserv

// Step 2 - Install certbot to get free Let's encrypt SSL
apt install certbot

// Step 3 - generate SSL 
certbot certonly --standalone -d vpn.example.com

// Step 4 - Replace generated PEM and Privkey in ocserv.conf
nano /etc/ocserv.conf

** Comment out all route and no-route 
# 注释掉所有的 route 和 no-route,让服务器成为gateway
#route = 192.168.1.0/255.255.255.0
#no-route = 192.168.5.0/255.255.255.0

Recommended configuration

auth = "plain[/etc/ocserv/ocpasswd]"
# TCP and UDP port number
tcp-port = 583
udp-port = 583
run-as-user = nobody
run-as-group = daemon
socket-file = /var/run/ocserv-socket
server-cert = /etc/letsencrypt/live/xxx.com/fullchain.pem
server-key = /etc/letsencrypt/live/xxx.com/privkey.pem
ca-cert = /etc/ssl/certs/ssl-cert-snakeoil.pem
isolate-workers = true
max-clients = 16
max-same-clients = 2
keepalive = 32400
dpd = 90
mobile-dpd = 1800
try-mtu-discovery = true
cert-user-oid = 0.9.2342.19200300.100.1.1
compression = true
tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-VERS-SSL3.0"
auth-timeout = 240
min-reauth-time = 3
max-ban-score = 50
ban-reset-time = 300
cookie-timeout = 300
deny-roaming = false
rekey-time = 172800
rekey-method = ssl
use-utmp = true
use-occtl = true
pid-file = /var/run/ocserv.pid
device = vpns
predictable-ips = false
default-domain = vpn.xxx.com
ipv4-network = 192.168.3.0/24
# The IPv6 subnet that leases will be given from.
ipv6-network = fef4:db8:1000:1001::/64 
dns = 108.61.201.119
dns = 9.9.9.9
ping-leases = false
cisco-client-compat = true
dtls-legacy = true
// Step 5 - Modify ocserv.socket port number too
nano /lib/systemd/system/ocserv.socket

// Replace port number and save 
[Socket]
ListenStream=443 // change this to your desire port number
ListenDatagram=443 // change this to your desire port number

// Step 6 - Generate user password
ocpasswd -c /etc/ocserv/ocpasswd <username>

// Step 7 - Start your server
service ocserv restart

// Step 8 - Ensure ocserv was successful fireup
netstat -tulpn | grep 443 

Config your iptables

// ens3 is the outgoing port on Vultr, usually is eth0
// IPv4
*nat
-A POSTROUTING -s 192.168.0.0/24 -o ens3 -j MASQUERADE
-A POSTROUTING -o ens3 -j MASQUERADE
COMMIT

*filter
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p udp -m udp --dport 443 -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.0.0/24 -m conntrack --ctstate NEW -j ACCEPT
COMMIT

// IPv6
*filter
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p udp -m udp --dport 443 -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s fef4:db8:1000:1001::/64 -m conntrack --ctstate NEW -j ACCEPT
COMMIT

*nat
-A POSTROUTING -s fef4:db8:1000:1001::/64 -o ens3 -j MASQUERADE
-A POSTROUTING -o ens3 -j MASQUERADE
COMMIT

References:
1. https://lowendbox.com/blog/install-openconnect-server-on-ubuntu-16-04/
2. https://nova.moe/deploy-openconnect-ocserv-with-letsencrypt/
3. https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=837944