The OpenConnect VPN client can connect to servers running ocserv, Cisco AnyConnect, or Juniper Pulse Connect Secure. There are various OpenConnect clients, including ones for GNOME NetworkManager, Windows, and Android.
An instance of the OpenConnect client is configured and started through the UCI system by declaring a network interface of
The resulting interface will be named vpn-name, where 'name' is the name specified. In this document it is assumed to be ocvpn, so the full name is vpn-ocvpn.
The interface configuration accepts the following options (in addition to those applicable to every proto such as
Most of these options are passed directly to the OpenConnect executable, so see openconnect for details.
| Option | OpenConnect CLI option | Description |
|--------|------------------------|-------------|
| | (always required) | The server's FQDN or IP |
| | (part of server) | Server port number. Default is 443 |
| | | Connect to a Juniper server. DEPRECATED, 8.0 uses |
| | | Force trust of the server's certificate based only on hash matching |
| | | Group membership to request from the server |
| | | Login username for user/pass authentication |
| | (passed via stdin) | Password for user/pass authentication |
| | (passed via stdin) | Second password for two-factor authentication |
| | | Crypto secret required by token_mode |
| | | Local shell script that will dynamically produce passwd2 |
| | | Operating system to report to the server. Default is |
| | N/A | Outgoing local interface (used to create a netifd host dependency) |
| | | Run this instead of any binary or script that the server pushes us to run |
PKI authentication is integral to OpenConnect.
Certificates must be installed to the filesystem at
This can be done by scp, or by pasting the certificate base64 text into luci-app-openconnect.
Certificate files must be in the Base64/.pem format and named exactly as shown below.
Change 'ocvpn' to your interface name if necessary.
| File name | | Description |
|-----------|---|-------------|
| | | CA certificate used to verify the server's certificate. |
| | | Client certificate, signed by a CA that the server knows. |
| | | Private key of the client certificate. Must not be encrypted. |
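The three files above are only usable if they really are PEM and the key has no passphrase; a wrong format or an encrypted key shows up later as an opaque connection failure. The following POSIX sh helpers are an added example (not part of the OpenWrt wiki page or of OpenConnect) that check a file for those two properties before it is copied into place. The sample files written by check_samples are constructed stand-ins with truncated Base64 bodies, not real certificates or keys.

```shell
#!/bin/sh
# Added example, not from the OpenWrt wiki page: sanity checks for the PEM files
# OpenConnect expects. Pass the paths of your own CA cert, client cert and key;
# the sample files written by check_samples are constructed, not real material.

# 0 if FILE has a PEM header and footer (Base64 body between BEGIN/END lines).
is_pem() {
    grep -q -- '-----BEGIN ' "$1" && grep -q -- '-----END ' "$1"
}

# 0 if FILE is a PEM certificate (CA or client certificate).
is_cert() {
    is_pem "$1" && grep -q -- '-----BEGIN CERTIFICATE-----' "$1"
}

# 0 if FILE is a PEM private key with no passphrase. Encrypted keys carry a
# PKCS#8 "ENCRYPTED PRIVATE KEY" header or, for legacy OpenSSL-format keys,
# a "Proc-Type: 4,ENCRYPTED" line; OpenConnect cannot use either unattended.
key_is_unencrypted() {
    is_pem "$1" || return 1
    grep -q -- 'PRIVATE KEY-----' "$1" || return 1
    ! grep -q -E 'ENCRYPTED PRIVATE KEY|Proc-Type: 4,ENCRYPTED' "$1"
}

# One-word verdict for a key file: ok, encrypted, or notpem.
classify_key() {
    if ! is_pem "$1"; then echo notpem
    elif key_is_unencrypted "$1"; then echo ok
    else echo encrypted
    fi
}

# Run the checks over constructed files (truncated Base64, not real material)
# and print the verdicts on one line: cert, plain key, PKCS#8 encrypted key,
# legacy encrypted key, non-PEM file.
check_samples() {
    d=$(mktemp -d)
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIC...' '-----END CERTIFICATE-----' > "$d/ca.pem"
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'MIIE...' '-----END PRIVATE KEY-----' > "$d/plain.key"
    printf '%s\n' '-----BEGIN ENCRYPTED PRIVATE KEY-----' 'MIIF...' '-----END ENCRYPTED PRIVATE KEY-----' > "$d/pkcs8enc.key"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' 'DEK-Info: AES-256-CBC,0123' '' 'MIIE...' '-----END RSA PRIVATE KEY-----' > "$d/legacy.key"
    printf 'not a pem file\n' > "$d/binary.key"
    cert=notcert
    is_cert "$d/ca.pem" && cert=cert
    printf '%s %s %s %s %s\n' "$cert" "$(classify_key "$d/plain.key")" \
        "$(classify_key "$d/pkcs8enc.key")" "$(classify_key "$d/legacy.key")" \
        "$(classify_key "$d/binary.key")"
    rm -rf "$d"
}
```

Use `classify_key /path/to/your.key` and `is_cert /path/to/your.pem` on the files before installing them. Because the key must be stored without a passphrase, restrict it to root (`chmod 600`) once it is on the router; the checks above only look at the file's format, not its permissions.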
Upon a successful authentication and connection, the vpn-ocvpn interface will be created and brought up, and assigned an IP address by the server. The firewall and routing should be configured for this interface like any other VPN, for example:
```
# /etc/config/firewall
config zone
	option name vpn
	list network 'ocvpn'
	option input REJECT
	option output ACCEPT
	option forward REJECT
	option masq 1
	option mtu_fix 1

config forwarding
	option src lan
	option dest vpn
```
If the interface does not come up, examine the system log file for error messages.
Although OpenConnect is started with command line options, it is not possible to fully bring up an OpenConnect client interface manually from the command line (vpnc will fail with "must be used on an active interface").
Manually running OpenConnect through the authentication stages is useful to diagnose authentication problems though.
UCI will retry a connection constantly at 5-second intervals, which, if unsuccessful, could lead to being blacklisted by the server. It is therefore advisable to disable the configuration in /etc/config/network while troubleshooting.
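The two troubleshooting steps above, pausing the interface so the retry loop stops and pulling the relevant lines out of the system log, can be wrapped in a few POSIX sh functions. This is an added example and not part of the OpenWrt wiki page; it assumes the interface section is named ocvpn as elsewhere in this document, and uses the standard OpenWrt uci, ifdown and ifup tools. The logread-style lines in sample_log are constructed for illustration, not captured from a real router.

```shell
#!/bin/sh
# Added example, not from the OpenWrt wiki page. Helpers for the troubleshooting
# steps above: pause the interface so netifd stops retrying every 5 seconds,
# then pull the relevant lines out of the system log. 'ocvpn' is the interface
# name assumed throughout the page; the lines in sample_log are constructed.

IFACE="${IFACE:-ocvpn}"

# Mark the interface disabled in /etc/config/network and bring it down, so the
# server stops seeing failed attempts while you work on the problem.
ocvpn_pause() {
    uci set "network.${IFACE}.disabled=1" && uci commit network && ifdown "$IFACE"
}

# Undo ocvpn_pause once the problem is fixed.
ocvpn_resume() {
    uci set "network.${IFACE}.disabled=0" && uci commit network && ifup "$IFACE"
}

# Keep only log lines that mention this interface or the openconnect process.
# Reads stdin so it works on both live `logread` output and a saved copy.
ocvpn_log_filter() {
    grep -iE "openconnect|${IFACE}"
}

# Of those, keep the lines that indicate a failure or explain one.
ocvpn_log_errors() {
    ocvpn_log_filter | grep -iE 'fail|error|refused|timed out|certificate|unable|reason'
}

# Constructed logread-style lines, not captured from a real router.
sample_log() {
    cat <<'EOF'
Thu Jan  1 00:00:01 1970 daemon.notice netifd: Interface 'ocvpn' is setting up now
Thu Jan  1 00:00:02 1970 daemon.notice netifd: ocvpn (1234): POST https://vpn.example.com/
Thu Jan  1 00:00:03 1970 daemon.notice netifd: ocvpn (1234): Certificate from VPN server "vpn.example.com" failed verification.
Thu Jan  1 00:00:03 1970 daemon.notice netifd: ocvpn (1234): Reason: signer not found
Thu Jan  1 00:00:04 1970 daemon.notice netifd: ocvpn (1234): Failed to open HTTPS connection to vpn.example.com
Thu Jan  1 00:00:05 1970 daemon.info dnsmasq[999]: reading /tmp/resolv.conf.d/resolv.conf.auto
Thu Jan  1 00:00:06 1970 daemon.notice netifd: Interface 'ocvpn' is now down
EOF
}

# Number of failure lines in the constructed sample (the three lines about the
# certificate check and the failed HTTPS connection).
sample_error_count() {
    sample_log | ocvpn_log_errors | wc -l | tr -d ' '
}
```

On the router, `logread | ocvpn_log_errors` shows what went wrong on the last attempt, and `logread -f | ocvpn_log_filter` follows a fresh attempt after `ifup ocvpn`. The sample above is the typical shape of a PKI failure: the server's certificate does not chain to the installed CA certificate, so the connection is refused before any credentials are sent.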