You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
Nikos Mavrogiannopoulos dcd08a6639 Merge branch 'makefile_silent_recipe' into 'master' 4 weeks ago
build-aux gnulib: updated and removed base64 6 years ago
doc Merge branch 'visual_studio_spell_checker' into 'master' 4 weeks ago
gl strcasestr.m4: explicitly unblock SIGALRM 6 years ago
m4 ax_code_coverage: updated to latest version 4 years ago
src Revert previous typo fixes to CCAN and PCL 4 weeks ago
tests radiusd.conf: set libdir through autoconf 4 weeks ago
.codespellrc Add codespell CI runner 4 weeks ago
.gitignore Uses fork/exec to limit memory footprint of ocserv-worker processes 2 years ago
.gitlab-ci.yml Add codespell CI runner 4 weeks ago
.mailmap .mailmap: added aliases of Mike 1 year ago
.triage-policies.yml .triage-policies.yml: improved message on reopening 1 year ago Typos found by Visual Studio Code Checker 4 weeks ago
COPYING Revert "license upgraded to GPLv3" 7 years ago
INSTALL Added options to explicitly disable checking for certain libraries 8 years ago
LICENSE Replaced the configuration parser with inih parser 4 years ago Silence the codespell recipe in Makefile 4 weeks ago
NEWS Fix more typos 4 weeks ago updated [ci skip] 7 months ago
TODO Removed TODO file; it is out-of-date 1 year ago chmod +x 4 weeks ago radiusd.conf: set libdir through autoconf 4 weeks ago


The Openconnect VPN server (ocserv) is an open source Linux SSL VPN server designed for organizations that require a remote access VPN with enterprise user management and control. It follows the openconnect protocol and is the counterpart of the openconnect VPN client. It is also compatible with CISCO's AnyConnect SSL VPN.

The program consists of:

  1. ocserv, the main server application
  2. occtl, the server's control tool. A tool which allows one to query the server for information.
  3. ocpasswd, a tool to administer simple password files.

Supported platforms

The OpenConnect VPN server is designed and tested to work, with both IPv6 and IPv4, on Linux systems. It is, however, known to work on FreeBSD, OpenBSD and other BSD derived systems.

Known limitation is that on platforms, which do not support procfs(5), changes to the configuration must only be made while ocserv(8) is stopped. Not doing so will cause new worker processes picking up the new configuration while ocserv-main will use the previous configuration.

Build dependencies


# Required
apt-get install -y libgnutls28-dev libev-dev
# Optional functionality and testing
apt get install -y libpam0g-dev liblz4-dev libseccomp-dev \
	libreadline-dev libnl-route-3-dev libkrb5-dev libradcli-dev \
	libcurl4-gnutls-dev libcjose-dev libjansson-dev libprotobuf-c-dev \
	libtalloc-dev libhttp-parser-dev protobuf-c-compiler gperf \
	nuttcp lcov libuid-wrapper libpam-wrapper libnss-wrapper \
	libsocket-wrapper gss-ntlmssp haproxy iputils-ping freeradius \
	gawk gnutls-bin iproute2 yajl-tools tcpdump


# Required
yum install -y gnutls-devel libev-devel
# Optional functionality and testing
yum install -y pam-devel lz4-devel libseccomp-devel readline-devel \
	libnl3-devel krb5-devel radcli-devel libcurl-devel cjose-devel \
	jansson-devel protobuf-c-devel libtalloc-devel http-parser-devel \
	protobuf-c gperf nuttcp lcov uid_wrapper pam_wrapper nss_wrapper \
	socket_wrapper gssntlmssp haproxy iputils freeradius gawk \
	gnutls-utils iproute yajl tcpdump

See README-radius for more information on Radius dependencies and its configuration.

Build instructions

To build from a distributed release use:

$ ./configure && make && make check

To test the code coverage of the test suite use the following:

$ ./configure --enable-code-coverage
$ make && make check && make code-coverage-capture

Note that the code coverage reported does not currently include tests which are run within docker.

In addition to the prerequisites listed above, building from git requires the following packages: autoconf, automake, and xz.

To build from the git repository use:

$ autoreconf -fvi
$ ./configure && make

Basic installation instructions

Now you need to generate a certificate. E.g.

$ certtool --generate-privkey > ./test-key.pem
$ certtool --generate-self-signed --load-privkey test-key.pem --outfile test-cert.pem

(make sure you enable encryption or signing)

Create a dedicated user and group for the server unprivileged processes (e.g., 'ocserv'), and then edit the sample.config and set these users on run-as-user and run-as-group options. The run:

# cd doc && ../src/ocserv -f -c sample.config


Several configuration instruction are available in the recipes repository.


To identify the bottlenecks in software under certain loads you can profile ocserv using the following command.

# perf record -g ocserv

After the server is terminated, the output is placed in You may examine the output using:

# perf report

Continuous Integration (CI)

We use the gitlab-ci continuous integration system. It is used to test most of the Linux systems (see .gitlab-ci.yml),and is split in two phases, build image creation and compilation/test. The build image creation is done at the openconnect/build-images subproject and uploads the image at the container registry. The compilation/test phase is on every commit to project.

How the VPN works

Please see the technical description page.