OpenConnect server

OpenConnect server

This article relies on the following:

Accessing web interface / command-line interface
Managing configs / packages / services / logs

Introduction

This how-to describes the method for setting up OpenConnect server on OpenWrt.
Follow OpenConnect client for client setup and OpenConnect extras for additional tuning.

Goals

Encrypt your internet connection to enforce security and privacy.
- Prevent traffic leaks and spoofing on the client side.
Bypass regional restrictions using commercial providers.
- Escape client side content filters and internet censorship.
Access your LAN services remotely without port forwarding.

Command-line instructions

1. Preparation

Install the required packages. Specify configuration parameters for VPN server.

# Install packages
opkg update
opkg install ocserv
 
# Configuration parameters
VPN_PORT="4443"
VPN_POOL="192.168.9.0 255.255.255.0"
VPN_DNS="${VPN_POOL%.* *}.1"
VPN_USER="USERNAME"
VPN_PASS="PASSWORD"

2. Key management

Generate password hash for VPN client.

# Generate password hash
ocpasswd ${VPN_USER} << EOI
${VPN_PASS}
${VPN_PASS}
EOI
VPN_HASH="$(sed -n -e "/^${VPN_USER}:.*:/s///p" /etc/ocserv/ocpasswd)"

3. Firewall

Consider VPN network as private. Assign VPN interface to LAN zone to minimize firewall setup. Allow access to VPN server from WAN zone.

# Configure firewall
uci rename firewall.@zone[0]="lan"
uci rename firewall.@zone[1]="wan"
uci del_list firewall.lan.device="vpns+"
uci add_list firewall.lan.device="vpns+"
uci -q delete firewall.oc
uci set firewall.oc="rule"
uci set firewall.oc.name="Allow-OpenConnect"
uci set firewall.oc.src="wan"
uci set firewall.oc.dest_port="4443"
uci set firewall.oc.proto="tcp udp"
uci set firewall.oc.target="ACCEPT"
uci commit firewall
service firewall restart

4. VPN service

Configure VPN service.

# Configure VPN service
uci -q delete ocserv.config.enable
uci -q delete ocserv.config.zone
uci set ocserv.config.port="${VPN_PORT}"
uci set ocserv.config.ipaddr="${VPN_POOL% *}"
uci set ocserv.config.netmask="${VPN_POOL#* }"
uci -q delete ocserv.@routes[0]
uci -q delete ocserv.@dns[0]
uci set ocserv.dns="dns"
uci set ocserv.dns.ip="${VPN_DNS}"
uci -q delete ocserv.@ocservusers[0]
uci set ocserv.client="ocservusers"
uci set ocserv.client.name="${VPN_USER}"
uci set ocserv.client.password="${VPN_HASH}"
uci commit ocserv
service ocserv restart

Web-based configuration

If you want to manage VPN server settings using web interface:

# Install packages
opkg update
opkg install luci-app-ocserv
service rpcd restart

Navigate to LuCI → VPN → OpenConnect VPN to configure OpenConnect server.

Testing

Establish the VPN connection. Verify your routing with traceroute and traceroute6.

traceroute openwrt.org
traceroute6 openwrt.org

Check your IP and DNS provider.

Troubleshooting

Collect and analyze the following information.

# Restart services
service log restart; service ocserv restart; sleep 10
 
# Log and status
logread -e ocserv; netstat -l -n -p | grep -e ocserv
 
# Runtime configuration
pgrep -f -a ocserv
ip address show; ip route show table all
ip rule show; ip -6 rule show; nft list ruleset
 
# Persistent configuration
uci show network; uci show firewall; uci show ocserv

Table of Contents