Running your own VPN server is an excellent way to ensure privacy and gain full control over your data. In this comprehensive tutorial, we’ll show you how to set up an OpenConnect VPN server (ocserv) on Ubuntu 20.04 and secure it with a free SSL certificate from Let’s Encrypt. OpenConnect is an open-source implementation of the Cisco AnyConnect SSL VPN protocol and works seamlessly on Linux, Windows, macOS, OpenWRT, Android, and iOS.
Why Use OpenConnect VPN?
OpenConnect VPN offers a range of benefits:
- Fast and lightweight
- Easy to configure and manage
- Resistant to deep packet inspection (DPI)
- Compatible with Cisco AnyConnect clients
- Supports password and certificate authentication
- Encrypted with TLS over TCP and DTLS over UDP
- Excellent cross-platform support
It’s ideal for users who want to bypass censorship, self-host a privacy-respecting VPN, or create a secure gateway for internal services.
Prerequisites
Before you begin:
- A VPS (Virtual Private Server) running Ubuntu 20.04
- A registered domain name (e.g., vpn.example.com)
- Ports 80 and 443 available on the server (80 is only needed while Certbot obtains and renews the certificate)
- SSH access to the server
We recommend Kamatera for fast, KVM-based VPS hosting. You can also use any cloud provider like DigitalOcean or Linode.
Step 1: Install and Setup OpenConnect VPN Server
Log in to your server via SSH and run:
sudo apt update
sudo apt install ocserv
Once installed, check if the service is running:
systemctl status ocserv
Step 2: Allow Required Ports in Firewall
If UFW is enabled, open port 80 (used by the Let’s Encrypt HTTP-01 challenge in Step 4) and port 443 (used by ocserv):
sudo ufw allow 80,443/tcp
Step 3: Install Certbot (Let’s Encrypt Client)
sudo apt install certbot
Step 4: Obtain SSL Certificate (Standalone Method)
sudo certbot certonly --standalone --agree-tos --email your@email.com -d vpn.example.com
Make sure your domain’s A record points to your VPS IP before running this, and that nothing else is listening on port 80: the standalone method starts its own temporary web server there to answer the HTTP-01 challenge. On success the certificate chain and private key are written under /etc/letsencrypt/live/vpn.example.com/.
Step 5: Configure ocserv
Edit the config file:
sudo nano /etc/ocserv/ocserv.conf
Update the following lines (leave the rest of the file as it is):
auth = "plain[passwd=/etc/ocserv/ocpasswd]"
tcp-port = 443
#udp-port = 443
server-cert = /etc/letsencrypt/live/vpn.example.com/fullchain.pem
server-key = /etc/letsencrypt/live/vpn.example.com/privkey.pem
max-clients = 128
max-same-clients = 5
keepalive = 30
try-mtu-discovery = true
default-domain = vpn.example.com
ipv4-network = 10.10.10.0
ipv4-netmask = 255.255.255.0
ipv6-network = fda9:4efe:7e3b:03ea::/48
tunnel-all-dns = true
dns = 8.8.8.8
dns = 1.1.1.1
A few notes on these settings. The auth line selects password authentication against the file you create in Step 6. With udp-port commented out, DTLS is disabled and clients use TLS over TCP only; if you enable it later, also open 443/udp in UFW. ipv4-network and ipv4-netmask define the pool of addresses handed to clients, and the same subnet (10.10.10.0/24) must appear in the NAT and forwarding rules in Step 8. ipv6-network gives clients an address from a private (ULA) prefix; it does no harm without IPv6 forwarding, because clients then route IPv6 into the tunnel (where it is dropped) instead of around the VPN. tunnel-all-dns = true pushes all DNS queries through the tunnel to the resolvers listed, which is what prevents DNS leaks; substitute resolvers you trust.
Comment out any existing route = and no-route = lines so that all client traffic is sent through the VPN.
Step 6: Create User Credentials
sudo ocpasswd -c /etc/ocserv/ocpasswd username
You will be asked to type the password twice. Run the same command with a different username for each additional user; passwords are stored hashed in /etc/ocserv/ocpasswd, which should stay readable by root only.
Step 7: Enable IP Forwarding
echo "net.ipv4.ip_forward = 1" | sudo tee /etc/sysctl.d/60-custom.conf
echo "net.core.default_qdisc=fq" | sudo tee -a /etc/sysctl.d/60-custom.conf
echo "net.ipv4.tcp_congestion_control=bbr" | sudo tee -a /etc/sysctl.d/60-custom.conf
sudo sysctl -p /etc/sysctl.d/60-custom.conf
Step 8: Configure IP Masquerading
UFW is installed by default on Ubuntu; install it if it is missing, and allow SSH before enabling the firewall or you will lock yourself out:
sudo apt install ufw
sudo ufw allow 22/tcp
Find your main network interface (the one carrying the public IP, e.g. ens3 or eth0):
ip addr
Edit UFW rules:
sudo nano /etc/ufw/before.rules
Append the following at the end of the file, after the filter table’s COMMIT line, replacing ens3 with your interface name and 10.10.10.0/24 with the ipv4-network from Step 5:
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.10.10.0/24 -o ens3 -j MASQUERADE
COMMIT
Then allow forwarding for the VPN subnet. These two lines belong inside the *filter section, for example right after the existing ufw-before-forward rules and before that section’s COMMIT line, not after the nat block you just added:
-A ufw-before-forward -s 10.10.10.0/24 -j ACCEPT
-A ufw-before-forward -d 10.10.10.0/24 -j ACCEPT
Enable UFW (if it was already enabled in Step 2, reload it instead so the new rules take effect):
sudo ufw enable
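The hand edits above are easy to get wrong: the interface name has to match, the forward rules must sit inside the filter table, and a second attempt easily duplicates rules. The script below is an added example, not part of the original tutorial or of ufw, that makes the same two changes to before.rules idempotently and refuses malformed input. The default file path, the default subnet 10.10.10.0/24 and the way the egress interface is detected from the default route are assumptions; after running it you still reload ufw.

```shell
#!/bin/sh
# Added example; not part of the original tutorial. Applies the Step 8 rules to
# a ufw before.rules file idempotently: the MASQUERADE rule goes into a *nat
# table (created if absent) and the two forward rules go inside the *filter
# table just before its COMMIT. Running it twice changes nothing the second time.
# Defaults (file path, subnet, interface detection) are assumptions.

# Egress interface from the default route, e.g. "ens3" (needs iproute2).
default_iface() {
    ip -o route show default 2>/dev/null | awk '{ print $5; exit }'
}

# Add the MASQUERADE rule for SUBNET leaving via IFACE unless already present.
add_nat_rule() {
    file=$1; subnet=$2; iface=$3
    rule="-A POSTROUTING -s $subnet -o $iface -j MASQUERADE"
    grep -qxF -- "$rule" "$file" && return 0
    if grep -q '^\*nat' "$file"; then
        # A nat table already exists: put our rule before the COMMIT that ends it.
        tmp=$(mktemp)
        awk -v rule="$rule" '
            /^\*nat/ { in_nat = 1 }
            in_nat && /^COMMIT/ { print rule; in_nat = 0 }
            { print }
        ' "$file" > "$tmp" && cat "$tmp" > "$file"   # cat keeps the file's mode and owner
        rm -f "$tmp"
    else
        printf '\n# NAT for OpenConnect VPN clients\n*nat\n:POSTROUTING ACCEPT [0:0]\n%s\nCOMMIT\n' "$rule" >> "$file"
    fi
}

# Insert the two forward rules for SUBNET before the COMMIT that closes the
# *filter table, skipping any rule that is already there.
add_forward_rules() {
    file=$1; subnet=$2
    tmp=$(mktemp)
    awk -v subnet="$subnet" '
        /^\*filter/ { in_filter = 1 }
        in_filter && /^COMMIT/ {
            r1 = "-A ufw-before-forward -s " subnet " -j ACCEPT"
            r2 = "-A ufw-before-forward -d " subnet " -j ACCEPT"
            if (!seen[r1]) print r1
            if (!seen[r2]) print r2
            in_filter = 0
        }
        { seen[$0] = 1; print }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"
    rm -f "$tmp"
}

# Validate inputs, then apply both changes.
# Usage (as root): sh ufw-vpn-rules.sh [/etc/ufw/before.rules] [10.10.10.0/24] [ens3]
# followed by:     sudo ufw reload
apply_vpn_rules() {
    file=${1:-/etc/ufw/before.rules}
    subnet=${2:-10.10.10.0/24}
    iface=${3:-$(default_iface)}
    case $subnet in
        ""|*[!0-9./]*) echo "bad subnet: '$subnet'" >&2; return 1 ;;
    esac
    case $iface in
        ""|*[!A-Za-z0-9._-]*) echo "bad or unknown interface: '$iface' (pass it explicitly)" >&2; return 1 ;;
    esac
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }
    add_nat_rule "$file" "$subnet" "$iface"
    add_forward_rules "$file" "$subnet"
}

if [ $# -gt 0 ]; then
    apply_vpn_rules "$@"
fi
```

The interface and subnet are validated before they are written into the file because before.rules is fed to iptables-restore as root; a stray character there breaks firewall loading, and ufw then refuses to start.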
Step 9: Restart ocserv
sudo systemctl restart ocserv
Step 10: Install OpenConnect Client
To connect to your self-hosted OpenConnect VPN server, you’ll need to install a compatible OpenConnect client. Below is a detailed guide for Linux, Windows, macOS, Android, and iOS.
Linux (Ubuntu/Debian Example)
sudo apt install openconnect
sudo openconnect -b vpn.yourdomain.com
Use -u to specify a username and --passwd-on-stdin to provide the password non-interactively. A password typed on the command line as in the example below ends up in your shell history and is visible to other users in the process list while it runs, so for regular use feed it from a file readable only by you instead:
echo -n 'yourpassword' | sudo openconnect -u yourusername --passwd-on-stdin vpn.yourdomain.com
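The wrapper below is an added example, not part of the original tutorial or of the openconnect project. It reads the password from a file that only the owner can read and refuses to start if the file is readable by anyone else, so the secret never appears on a command line. The host, username, secret path and pid-file path are assumptions that can be overridden through the environment.

```shell
#!/bin/sh
# Added example; not from the original tutorial. Connects to the VPN with the
# password read from a 0600 file instead of the command line, so it never shows
# up in `ps` output or shell history. Host, user and paths are assumptions.

VPN_HOST=${VPN_HOST:-vpn.yourdomain.com}
VPN_USER=${VPN_USER:-yourusername}
SECRET=${SECRET:-$HOME/.config/ocvpn/password}   # one line: the password
PIDFILE=${PIDFILE:-/run/ocvpn.pid}

# Return 0 only if FILE is a regular file that group and others cannot read.
secret_file_ok() {
    f=$1
    [ -f "$f" ] || return 1
    [ -z "$(find "$f" -prune \( -perm -g+r -o -perm -o+r \) -print)" ]
}

vpn_up() {
    secret_file_ok "$SECRET" || {
        echo "refusing to start: $SECRET is missing or readable by others (chmod 600 it)" >&2
        return 1
    }
    # --passwd-on-stdin reads the password from stdin (here the secret file),
    # -b backgrounds openconnect once the tunnel is up and --pid-file records
    # the process for vpn_down. The Let's Encrypt certificate is verified
    # against the system CA store, so no --servercert pin is needed.
    sudo openconnect -b --pid-file "$PIDFILE" -u "$VPN_USER" \
        --passwd-on-stdin "$VPN_HOST" < "$SECRET"
}

vpn_down() {
    [ -r "$PIDFILE" ] || { echo "not connected (no $PIDFILE)" >&2; return 1; }
    sudo kill -INT "$(cat "$PIDFILE")"   # SIGINT makes openconnect log out cleanly
}

case ${1:-} in
    up)   vpn_up ;;
    down) vpn_down ;;
    "")   ;;                                  # no argument: define functions only
    *)    echo "usage: $0 up|down" >&2; exit 2 ;;
esac
```

Create the secret with a restrictive umask first (for example `umask 077` before writing the file); the permission check only detects a leak, it does not fix one.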
Windows
- Download the official OpenConnect GUI client from the GitHub page.
- Install the application. Make sure to enable the TAP driver during installation.
- Launch the OpenConnect GUI.
- Click “New Profile” and set the server address (vpn.yourdomain.com) and protocol (TLS/DTLS).
- Save and connect; you’ll be prompted for your username and password.
⚠️ If you see “No Tap-Windows Adapter installed” error, uninstall and reinstall OpenConnect GUI and make sure TAP driver is selected.
macOS
- Use Homebrew to install the client:
brew install openconnect
- Then connect:
sudo openconnect -b vpn.yourdomain.com
- Alternatively, for GUI users, install the Cisco AnyConnect client (now Cisco Secure Client), which speaks the same protocol as ocserv and works with both password and certificate authentication. Tunnelblick is an OpenVPN client and cannot connect to an OpenConnect server.
Android
- Install Cisco AnyConnect from the Google Play Store.
- Open the app → Add a new connection:
- Description: Vpnymous
- Server Address: vpn.yourdomain.com
- Save and connect. Enter your username and password.
✅ Cisco AnyConnect is fully compatible with OpenConnect servers.
iOS (iPhone/iPad)
- Download Cisco AnyConnect from the App Store.
- Tap “Add VPN Connection” → enter the following:
- Description: Vpnymous
- Server: vpn.yourdomain.com
- VPN Type: SSL
- Save and connect. Use your provided credentials.
Troubleshooting Tips
- Can’t Connect: Check that port 443/tcp is open (and 443/udp too if you enabled udp-port), that the domain’s A record points to the server, and that the ocserv service is running.
- Can’t Browse: Verify that IP forwarding is enabled (Step 7), that the MASQUERADE rule names the right interface and the two forward rules sit inside the filter section of before.rules (Step 8), and that UFW has been reloaded since the edit.
- SSL Issues: Make sure your TLS certificate hasn’t expired and that ocserv was restarted after the last renewal, since it keeps using the certificate it loaded at startup.
- Speed Issues: If DTLS over UDP is unreliable or blocked on your network, leave udp-port commented out so clients use TCP, and enable TCP BBR (Step 7).
Conclusion
Setting up OpenConnect VPN with Let’s Encrypt on Ubuntu 20.04 is a powerful way to take control of your privacy. Whether you’re a developer, remote worker, or privacy advocate, a self-hosted VPN gives you reliable encrypted access.
Why Choose Vpnymous?
Vpnymous is built for true privacy enthusiasts. We offer anonymous access to powerful VPN servers — no emails, no names, no logs. Buy VPN with crypto and protect your identity without compromise.
- Accepts Bitcoin, Ethereum, USDT, Monero & more
- Compatible with OpenConnect, OpenVPN, WireGuard, and IKEv2
- Zero logs, zero tracking, full freedom