Show pagesourceOld revisionsBacklinksBack to top × Table of Contents OpenConnect client Introduction Goals Command-line instructions 1. Preparation 2. Key management 3. Firewall 4. Network Testing Troubleshooting OpenConnect client This article relies on the following: Accessing web interface / command-line interface Managing configs / packages / services / logs Introduction This how-to describes the method for setting up OpenConnect client on OpenWrt. Follow OpenConnect server for server setup and OpenConnect extras for additional tuning. Goals Encrypt your internet connection to enforce security and privacy. Prevent traffic leaks and spoofing on the client side. Bypass regional restrictions using commercial providers. Escape client side content filters and internet censorship. Access your LAN services remotely without port forwarding. Command-line instructions 1. Preparation Install the required packages. Specify configuration parameters for VPN client. # Install packages opkg update opkg install openconnect openssl-util # Configuration parameters VPN_IF="vpn" VPN_SERV="SERVER_ADDRESS" VPN_PORT="4443" VPN_USER="USERNAME" VPN_PASS="PASSWORD" 2. Key management Transfer server certificate to VPN client. Generate certificate hash. # Generate certificate hash VPN_CERT="server-cert.pem" VPN_HASH="pin-sha256:$(openssl x509 -in ${VPN_CERT} -pubkey -noout \ | openssl pkey -pubin -outform der \ | openssl dgst -sha256 -binary \ | openssl enc -base64)" You can fetch server certificate remotely. Beware of possible MITM. openssl s_client -showcerts -connect ${VPN_SERV}:${VPN_PORT} \ < /dev/null > server-cert.pem 3. Firewall Consider VPN network as public. Assign VPN interface to WAN zone to minimize firewall setup. # Configure firewall uci rename firewall.@zone[0]="lan" uci rename firewall.@zone[1]="wan" uci del_list firewall.wan.network="${VPN_IF}" uci add_list firewall.wan.network="${VPN_IF}" uci commit firewall /etc/init.d/firewall restart 4. Network Set up VPN interface. # Configure network uci -q delete network.${VPN_IF} uci set network.${VPN_IF}="interface" uci set network.${VPN_IF}.proto="openconnect" uci set network.${VPN_IF}.server="${VPN_SERV}" uci set network.${VPN_IF}.port="${VPN_PORT}" uci set network.${VPN_IF}.username="${VPN_USER}" uci set network.${VPN_IF}.password="${VPN_PASS}" uci set network.${VPN_IF}.serverhash="${VPN_HASH}" uci commit network /etc/init.d/network restart Configure dynamic connection if necessary. Testing Establish the VPN connection. Verify your routing with traceroute and traceroute6. traceroute openwrt.org traceroute6 openwrt.org Check your IP and DNS provider. ipleak.net dnsleaktest.com Troubleshooting Collect and analyze the following information. # Restart services /etc/init.d/log restart; /etc/init.d/network restart; sleep 10 # Log and status logread -e openconnect # Runtime configuration pgrep -f -a openconnect ip address show; ip route show table all ip rule show; ip -6 rule show; nft list ruleset # Persistent configuration uci show network; uci show firewall This website uses cookies. By using the website, you agree with storing cookies on your computer. Also you acknowledge that you have read and understand our Privacy Policy. If you do not agree leave the website.OKMore information about cookies Last modified: 2023/09/14 11:38by vgaetera