OpenConnect client
Introduction
- This how-to describes the method for setting up openconnect client on OpenWrt.
- Follow OpenConnect server for server setup and OpenConnect extras for additional tuning.
Goals
- Encrypt your internet connection to enforce security and privacy.
- Prevent traffic leaks and spoofing on the client side.
- Bypass regional restrictions using commercial providers.
- Escape client side content filters and internet censorship.
- Access your LAN services remotely without port forwarding.
Command-line instructions
1. Preparation
Install the required packages. Specify configuration parameters for VPN client.
# Install packages opkg update opkg install openconnect openssl-util # Configuration parameters VPN_IF="vpn" VPN_SERV="SERVER_ADDRESS" VPN_PORT="4443" VPN_USER="USERNAME" VPN_PASS="PASSWORD"
2. Key management
Run the code below directly on the VPN server if you can or fetch certificate from the server and generate the hash locally:
# Generate certificate hash VPN_CERT="server-cert.pem" VPN_HASH="pin-sha256:$(openssl x509 -in ${VPN_CERT} -pubkey -noout \ | openssl pkey -pubin -outform der \ | openssl dgst -sha256 -binary \ | openssl enc -base64)"
Variable $VPN_HASH will be used in the example below. Alternatively print its value with echo $VPN_HASH and use it with serverhash in the configuration file or in “VPN Server's certificate SHA1 hash” in Luci.
3. Firewall
Consider VPN network as public. Assign VPN interface to WAN zone to minimize firewall setup.
# Configure firewall uci rename firewall.@zone[0]="lan" uci rename firewall.@zone[1]="wan" uci del_list firewall.wan.network="${VPN_IF}" uci add_list firewall.wan.network="${VPN_IF}" uci commit firewall service firewall restart
4. Network
Set up VPN interface.
# Configure network uci -q delete network.${VPN_IF} uci set network.${VPN_IF}="interface" uci set network.${VPN_IF}.proto="openconnect" uci set network.${VPN_IF}.server="${VPN_SERV}" uci set network.${VPN_IF}.port="${VPN_PORT}" uci set network.${VPN_IF}.username="${VPN_USER}" uci set network.${VPN_IF}.password="${VPN_PASS}" uci set network.${VPN_IF}.serverhash="${VPN_HASH}" uci commit network service network restart
See all available OpenConnect protocol options here and a sample configuration here.
Disable gateway redirection and/or keep the existing gateway if necessary.
Web-based configuration
Web-based configuration is available through luci-proto-openconnect package.
# Install packages opkg update opkg install luci-proto-openconnect service rpcd restart
Open Luci web interface and navigate to Network → Interfaces, then Add new interface… → Protocol: OpenConnect
Currently not all the options can be set through Luci, so manual changes in /etc/config/network might be needed.
Testing
Establish the VPN connection. Verify your routing with traceroute and traceroute6.
traceroute openwrt.org traceroute6 openwrt.org
Check your external IP address and DNS provider in use
- WhatIsMyIP should show a public IP address of VPN server if all the traffic is routed through the VPN connection
- ipleak.net, dnsleaktest.com results depend on whether DNS traffic is routed through the VPN connection
On router:
- Go to LuCI > Network > Interfaces and look for VPN interface state, its IP address and Tx/Rx counters
- Go to LuCI > Network > Diagnostics and ipv4 ping any address that should be accessible through the VPN connection
Troubleshooting
Collect and analyze the following information.
# Restart services service log restart; service network restart; sleep 10 # Log and status logread -e openconnect # Runtime configuration pgrep -f -a openconnect ip address show; ip route show table all ip rule show; ip -6 rule show; nft list ruleset # Persistent configuration uci show network; uci show firewall