Cisco VPN server alternative

You are tired from openvpn performance issues. You want to use more opensource software? You wan to replace your Cisco ASA but don’t want to give up annyconnect VPN client software?
You want a reliable VPN server for your business? I found a solution for your requirements.

OpenConnect VPN Server called OCSERV

You can use the AnnyConnect client to dial in to OCSERV VPN server or openconnect VPN client.

On Debian/Ubuntu
apt install ocserv

You have installed the VPN Server but in Enterprise enviroments that is not enough for security. You want to use this for hundred or thousand of employees.

I want to show you my configuration of OCSERV and RADIUS integration with Privacyidea a two factor opensource solution.

If you want to use OCSERV with RADIUS please read this first

You have to compile radcli from source first without this you have no RADIUS functionality.

Look at for the latest version

How to compile

Fill the information for your radius server under


nas-identifier fw01
servers /etc/radcli/servers
dictionary /etc/radcli/dictionary
radius_timeout 10
radius_retries 3
bindaddr *

cat /etc/radcli/servers

# Server Name or Client/Server pair            Key             
## ----------------                             ---------------
#                       hardlyasecret                      donttellanyone
## uncomment the following line for simple testing of radlogin
## with freeradius-server
#localhost/localhost                            testing123
# yourradiussecrectkey

After you have compile radcli on the system you can choose to install ocserv from the distribution repository or to compile it from source. I have use the repository from the distribution.

add following to the


auth = “radius[config=/etc/radcli/radiusclient.conf,groupconfig=true]”

Fixing some errors…

custom-header = “X-CSTP-Client-Bypass-Protocol: true”

Add your own certificate for your domain

server-cert =
server-key =

VPN Pool

ipv4-network =
ipv4-netmask =

Add route to network that you want to reach form the vpn server


VPN PPTP Alternative

PPTP gilt seit kurzem als unsicher. Siehe auch hier

Ab Windows Vista gibt es eine ähnlich einfache Lösung ohne zusätzlich einen VPN Client auf dem Windows Rechner zu installieren. Weiterer Vorteil ist es wird nur Port 443 benötigt.

SSTP ist die Antwort darauf. Es ist ab Server 2008 R2 möglich
hier mal ein paar Links

SSTP unter Windows Server 2012

Sowie eine Anleitung dazu

Client einrichten unter Windows 7