OpenConnect client

  • Encrypt your internet connection to enforce security and privacy.
    • Prevent traffic leaks and spoofing on the client side.
  • Bypass regional restrictions using commercial providers.
    • Escape client side content filters and internet censorship.
  • Access your LAN services remotely without port forwarding.

Install the required packages. Specify configuration parameters for VPN client.

# Install packages
opkg update
opkg install openconnect openssl-util
 
# Configuration parameters
VPN_IF="vpn"
VPN_SERV="SERVER_ADDRESS"
VPN_PORT="4443"
VPN_USER="USERNAME"
VPN_PASS="PASSWORD"

Run the code below directly on the VPN server if you can or fetch certificate from the server and generate the hash locally:

# Generate certificate hash
VPN_CERT="server-cert.pem"
VPN_HASH="pin-sha256:$(openssl x509 -in ${VPN_CERT} -pubkey -noout \
| openssl pkey -pubin -outform der \
| openssl dgst -sha256 -binary \
| openssl enc -base64)"

Alternatively, run the client once without specifying serverhash in the configuration file or “VPN Server's certificate SHA1 hash” in Luci. Open the System Log and look for the following lines:

daemon.notice netifd: vpn (3443): Certificate from VPN server "vpn.example.com" failed verification.
daemon.notice netifd: vpn (3443): Reason: unable to get local issuer certificate
daemon.notice netifd: vpn (3443): To trust this server in future, perhaps add this to your command line:
daemon.notice netifd: vpn (3443):     --servercert pin-sha256:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
daemon.notice netifd: vpn (3443): SSL connection failure

Copy what is shown after --servercert and use this in the configuration as your server hash.

Consider VPN network as public. Assign VPN interface to WAN zone to minimize firewall setup.

# Configure firewall
uci rename firewall.@zone[0]="lan"
uci rename firewall.@zone[1]="wan"
uci del_list firewall.wan.network="${VPN_IF}"
uci add_list firewall.wan.network="${VPN_IF}"
uci commit firewall
service firewall restart

Set up VPN interface.

# Configure network
uci -q delete network.${VPN_IF}
uci set network.${VPN_IF}="interface"
uci set network.${VPN_IF}.proto="openconnect"
uci set network.${VPN_IF}.server="${VPN_SERV}"
uci set network.${VPN_IF}.port="${VPN_PORT}"
uci set network.${VPN_IF}.username="${VPN_USER}"
uci set network.${VPN_IF}.password="${VPN_PASS}"
uci set network.${VPN_IF}.serverhash="${VPN_HASH}"
uci commit network
service network restart

See all available OpenConnect protocol options here and a sample configuration here.

Disable gateway redirection and/or keep the existing gateway if necessary.

Web-based configuration is available through luci-proto-openconnect package.

# Install packages
opkg update
opkg install luci-proto-openconnect
service rpcd restart

Open Luci web interface and navigate to Network → Interfaces, then Add new interface… → Protocol: OpenConnect

Currently not all the options can be set through Luci, so manual changes in /etc/config/network might be needed.


Establish the VPN connection. Verify your routing with traceroute and traceroute6.

traceroute openwrt.org
traceroute6 openwrt.org

Check your IP and DNS provider.

Collect and analyze the following information.

# Restart services
service log restart; service network restart; sleep 10
 
# Log and status
logread -e openconnect
 
# Runtime configuration
pgrep -f -a openconnect
ip address show; ip route show table all
ip rule show; ip -6 rule show; nft list ruleset
 
# Persistent configuration
uci show network; uci show firewall
This website uses cookies. By using the website, you agree with storing cookies on your computer. Also you acknowledge that you have read and understand our Privacy Policy. If you do not agree leave the website.More information about cookies
  • Last modified: 2024/10/18 10:24
  • by andrewz