Differences

docs:guide-user:services:vpn:openconnect-client [2020/10/05 01:47] – [Installation] update vgaetera
docs:guide-user:services:vpn:openconnect:client [2024/10/18 10:24] (current) – [Introduction] andrewz
Line 1: Line 1:
 ====== OpenConnect client ====== ====== OpenConnect client ======
-The OpenConnect VPN client can connect to servers running either ocserv, Cisco AnyConnect, or Juniper Pulse Connect Secure.+{{section>meta:infobox:howto_links#basic_skills&noheader&nofooter&noeditbutton}}
  
-===== Installation ===== +===== Introduction ===== 
-Install the packages: [[packages:pkgdata:openconnect]] [[packages:pkgdata:luci-proto-openconnect]]+  * This how-to describes the method for setting up [[:packages:pkgdata:openconnect]] client on OpenWrt. 
 +  * Follow [[docs:guide-user:services:vpn:openconnect:server|OpenConnect server]] for server setup and [[docs:guide-user:services:vpn:openconnect:extras|OpenConnect extras]] for additional tuning.
  
-===== Configuration ===== +===== Goals ===== 
-An instance of the OpenConnect client is configured and started through the UCI system by declaring a network interface of ''proto openconnect''+{{section>docs:guide-user:services:vpn:wireguard:server#goals&noheader&nofooter&noeditbutton}}
-The resulting interface will be named vpn-name where 'name' is the name specified. +
-In this document it is assumed to be ''ocvpn'', thus the full name is ''vpn-ocvpn''.+
  
-The interface configuration accepts the following options (in addition to those applicable to every proto such as ''disable'' and ''zone'')+===== Command-line instructions ===== 
-Most of these options are passed directly to the OpenConnect executive, so see [[http://www.infradead.org/openconnect/manual.html]] for details.+==== 1Preparation ==== 
 +Install the required packages. 
 +Specify configuration parameters for VPN client.
  
-^ Option ^ OpenConnect CLI option ^ Description ^ +<code bash> 
-| ''server'' | (always required) | The server's FQDN or IP | +# Install packages 
-| ''port'' | (part of server) | Server port number. Default is 443 | +opkg update 
-| ''juniper'' | ''-''''-juniper'' | Connect to a Juniper server. DEPRECATED, 8.0 uses ''--protocol=nc'' instead. | +opkg install openconnect openssl-util
-| ''serverhash'' | ''-''''-servercert=; -''''-nosystemtrust'' | Force trust of server's certificate based only on hash matching | +
-| ''authgroup'' | ''-''''-authgroup='' | Group membership to request from the server | +
-| ''username'' | ''-''''-user='' | Login username for user/pass authentication | +
-| ''password'' | (passed via stdin) | Password for user/pass authentication | +
-| ''password2'' | (passed via stdin) | Second password for 2 factor | +
-| ''token_mode'' | ''-''''-token-mode='' | ''rsa'', ''totp'' or ''hotp'' to internally compute a two-factor token as passwd2 | +
-| ''token_secret'' | ''-''''-token-secret='' | Crypto secret required by token_mode | +
-| ''token_script'' | ''-''''-token-script='' | Local shell script that will dynamically produce passwd2 | +
-| ''os'' | ''-''''-os='' | Operating system to report to the server. Default is ''Linux''+
-| ''interface'' | N/A | Outgoing local interface (used to create a netifd host dependency) | +
-| ''csd_wrapper'' | ''-''''-csd-wrapper='' | Run this instead of any binary or script that the server pushes us to run |+
  
-===== Certificates ===== +# Configuration parameters 
-PKI authentication is integral to OpenConnect. +VPN_IF="vpn" 
-Certificates must be installed to the filesystem at ''/etc/openconnect''+VPN_SERV="SERVER_ADDRESS" 
-This can be done by scp, or by pasting the certificate base64 text into luci-app-openconnect. +VPN_PORT="4443" 
-Certificate files must be in the Base64/.pem format and named exactly as shown below. +VPN_USER="USERNAME" 
-Change 'ocvpn' to your interface name if necessary. +VPN_PASS="PASSWORD" 
-| ''/etc/openconnect/ca-vpn-ocvpn.pem'' | ''-''''-cafile='' | CA certificate used to verify the server's certificate. | +</code>
-| ''/etc/openconnect/user-cert-vpn-ocvpn.pem'' | ''-c'' | Client certificate, signed by a CA that the server knows. | +
-| ''/etc/openconnect/user-key-vpn-ocvpn.pem'' | ''-''''-sslkey'' | Private key of the client certificate, Must not be encrypted. |+
  
-===== Operation ===== +==== 2. Key management ==== 
-Upon a successful authentication and connection, the vpn-ocvpn interface will be created and brought up, and assigned an IP address by the server. +Run the code below directly on the VPN server if you can or [[docs:guide-user:services:vpn:openconnect:extras#server_certificate|fetch certificate]] from the server and generate the hash locally: 
-The firewall and routing should be configured for this interface like any other VPN, for example:+<code bash> 
 +# Generate certificate hash 
 +VPN_CERT="server-cert.pem" 
 +VPN_HASH="pin-sha256:$(openssl x509 -in ${VPN_CERT} -pubkey -noout \ 
 +| openssl pkey -pubin -outform der \ 
 +| openssl dgst -sha256 -binary \ 
 +| openssl enc -base64)" 
 +</code> 
 + 
 +Alternativelyrun the client once without specifying ''serverhash'' in the configuration file or "VPN Server's certificate SHA1 hash" in Luci. Open the System Log and look for the following lines: 
 + 
 +<code> 
 +daemon.notice netifd: vpn (3443): Certificate from VPN server "vpn.example.com" failed verification. 
 +daemon.notice netifd: vpn (3443): Reason: unable to get local issuer certificate 
 +daemon.notice netifd: vpn (3443): To trust this server in future, perhaps add this to your command line: 
 +daemon.notice netifd: vpn (3443):     --servercert pin-sha256:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx 
 +daemon.notice netifd: vpn (3443): SSL connection failure 
 +</code> 
 + 
 +Copy what is shown __after__ ''--servercert'' and use this in the configuration as your server hash
 + 
 +==== 3. Firewall ==== 
 +{{section>docs:guide-user:services:vpn:wireguard:client#firewall&noheader&nofooter&noeditbutton}} 
 + 
 +==== 4. Network ==== 
 +Set up VPN interface.
  
 <code bash> <code bash>
-# /etc/config/firewall+Configure network 
 +uci -q delete network.${VPN_IF} 
 +uci set network.${VPN_IF}="interface" 
 +uci set network.${VPN_IF}.proto="openconnect" 
 +uci set network.${VPN_IF}.server="${VPN_SERV}" 
 +uci set network.${VPN_IF}.port="${VPN_PORT}" 
 +uci set network.${VPN_IF}.username="${VPN_USER}" 
 +uci set network.${VPN_IF}.password="${VPN_PASS}" 
 +uci set network.${VPN_IF}.serverhash="${VPN_HASH}" 
 +uci commit network 
 +service network restart 
 +</code>
  
-config zone +See all available OpenConnect protocol options [[docs:guide-user:network:tunneling_interface_protocols#protocol_openconnect_openconnect_vpn|here]] and a sample configuration [[https://github.com/openwrt/packages/blob/master/net/openconnect/README|here]].
- option name vpn +
- list network 'ocvpn' +
- option input REJECT +
- option output ACCEPT +
- option forward REJECT +
- option masq 1 +
- option mtu_fix 1+
  
-config forwarding +Disable [[docs:guide-user:services:vpn:openconnect:extras#gateway_redirection|gateway redirection]] and/or [[docs:guide-user:services:vpn:openconnect:extras#keep_existing_gateway|keep the existing gateway]] if necessary. 
- option src lan + 
- option dest vpn+===== Web-based configuration ===== 
 + 
 +Web-based configuration is available through [[:packages:pkgdata:luci-proto-openconnect]] package. 
 + 
 +<code bash> 
 +# Install packages 
 +opkg update 
 +opkg install luci-proto-openconnect 
 +service rpcd restart
 </code> </code>
  
-If the interface does not come upexamine the system log file for error messages. +Open Luci web interface and navigate to Network → Interfacesthen Add new interface… → Protocol: OpenConnect 
-Although OpenConnect is started with command line options, it is not possible to fully bring up an OpenConnect client interface manually from the command line (''vpnc'' will fail with "must be used on an active interface"). + 
-Manually running OpenConnect through the authentication stages is useful to diagnose authentication problems though. +Currently not all the [[docs:guide-user:network:tunneling_interface_protocols#protocol_openconnect_openconnect_vpn|options]] can be set through Luciso manual changes in ''/etc/config/network'' might be needed. 
-UCI will retry a connection constantly at 5 second intervalswhich if unsuccessful could lead to being blacklisted by the server. + 
-Thus it would be advisable to disable the configuration in ''/etc/config/network'' while troubleshooting.+\\ 
 + 
 +===== Testing ===== 
 +{{section>docs:guide-user:services:vpn:wireguard:server#testing&noheader&nofooter&noeditbutton}} 
 + 
 +===== Troubleshooting ===== 
 +Collect and analyze the following information. 
 + 
 +<code bash> 
 +# Restart services 
 +service log restart; service network restart; sleep 10 
 + 
 +# Log and status 
 +logread -e openconnect 
 + 
 +# Runtime configuration 
 +pgrep -f -a openconnect 
 +ip address show; ip route show table all 
 +ip rule show; ip -6 rule show; nft list ruleset 
 + 
 +# Persistent configuration 
 +uci show network; uci show firewall 
 +</code>
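Review bot: in the "4. Network" code block the first line `Configure network` is missing the `#` comment marker that every other block uses (`# Install packages`, `# Generate certificate hash`, `# Restart services`); pasted into a shell as written it is executed as a command and fails before the `uci` lines run, so it should read `# Configure network`. In "2. Key management", the alternative of running the client once without `serverhash` and copying the `--servercert pin-sha256:...` value out of the system log is trust-on-first-use: the pin copied is whatever the host that answered presented, so the text should tell the reader to compare it against the hash produced from the server's own certificate (the `openssl` pipeline above it) before committing it with `uci set network.${VPN_IF}.serverhash`; the same paragraph calls the LuCI field "VPN Server's certificate SHA1 hash" although the value pasted there is the `pin-sha256:` string, which is worth stating so readers do not look for a SHA-1 fingerprint. Minor wording: "Alternativelyrun", "Interfacesthen" and "Luciso" have lost their separators, and "Luci" should be spelled "LuCI" throughout.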
  