Differences
This shows you the differences between two versions of the page.
| | docs:guide-user:services:vpn:openconnect-client [2020/10/05 01:50] – [OpenConnect client] update vgaetera | | docs:guide-user:services:vpn:openconnect:client [2024/10/17 17:46] – [2. Key management] andrewz |
|---|---|---|---|
| Line 1: | Line 1: | ||
| ====== OpenConnect client ====== | ====== OpenConnect client ====== | ||
| - | The OpenConnect VPN client can connect to servers running either ocserv, Cisco AnyConnect, or Juniper Pulse Connect Secure. | + | {{section> |
| - | There are various [[https:// | + | |
| - | ===== Installation | + | ===== Introduction |
| - | Install | + | * This how-to describes |
| + | * Follow [[docs:guide-user: | ||
| - | ===== Configuration | + | ===== Goals ===== |
| - | An instance of the OpenConnect client is configured and started through the UCI system by declaring a network interface of '' | + | {{section> |
| - | The resulting interface will be named vpn-name where ' | + | |
| - | In this document it is assumed to be '' | + | |
| - | The interface configuration accepts the following options (in addition to those applicable to every proto such as '' | + | ===== Command-line instructions ===== |
| - | Most of these options are passed directly to the OpenConnect executive, so see [[man> | + | ==== 1. Preparation ==== |
| + | Install | ||
| + | Specify configuration parameters | ||
| - | ^ Option ^ OpenConnect CLI option ^ Description ^ | + | <code bash> |
| - | | '' | + | # Install packages |
| - | | '' | + | opkg update |
| - | | '' | + | opkg install openconnect openssl-util |
| - | | '' | + | |
| - | | '' | + | |
| - | | '' | + | |
| - | | '' | + | |
| - | | '' | + | |
| - | | '' | + | |
| - | | '' | + | |
| - | | '' | + | |
| - | | '' | + | |
| - | | '' | + | |
| - | | '' | + | |
| - | ===== Certificates ===== | + | # Configuration parameters |
| - | PKI authentication is integral to OpenConnect. | + | VPN_IF=" |
| - | Certificates must be installed to the filesystem at ''/ | + | VPN_SERV=" |
| - | This can be done by scp, or by pasting the certificate base64 text into luci-app-openconnect. | + | VPN_PORT=" |
| - | Certificate files must be in the Base64/.pem format and named exactly as shown below. | + | VPN_USER=" |
| - | Change ' | + | VPN_PASS=" |
| - | | ''/ | + | </code> |
| - | | '' | + | |
| - | | ''/ | + | |
| - | ===== Operation | + | ==== 2. Key management |
| - | Upon a successful authentication and connection, the vpn-ocvpn interface will be created | + | Run the code below directly on the VPN server if you can or [[docs: |
| - | The firewall | + | <code bash> |
| + | # Generate certificate hash | ||
| + | VPN_CERT=" | ||
| + | VPN_HASH=" | ||
| + | | openssl pkey -pubin -outform der \ | ||
| + | | openssl dgst -sha256 -binary \ | ||
| + | | openssl enc -base64)" | ||
| + | </ | ||
| + | |||
| + | Alternatively, run the client once without specifying '' | ||
| + | |||
| + | < | ||
| + | daemon.notice netifd: | ||
| + | daemon.notice netifd: vpn (3443): Reason: unable to get local issuer certificate | ||
| + | daemon.notice netifd: vpn (3443): To trust this server in future, perhaps add this to your command line: | ||
| + | daemon.notice netifd: vpn (3443): | ||
| + | daemon.notice netifd: vpn (3443): SSL connection failure | ||
| + | </ | ||
| + | |||
| + | Copy the complete string shown __after__ '' | ||
| + | |||
| + | ==== 3. Firewall ==== | ||
| + | {{section> | ||
| + | |||
| + | ==== 4. Network ==== | ||
| + | Set up VPN interface. | ||
| <code bash> | <code bash> | ||
| - | # /etc/ | + | # Configure network |
| + | uci -q delete network.${VPN_IF} | ||
| + | uci set network.${VPN_IF}=" | ||
| + | uci set network.${VPN_IF}.proto=" | ||
| + | uci set network.${VPN_IF}.server=" | ||
| + | uci set network.${VPN_IF}.port=" | ||
| + | uci set network.${VPN_IF}.username=" | ||
| + | uci set network.${VPN_IF}.password=" | ||
| + | uci set network.${VPN_IF}.serverhash=" | ||
| + | uci commit network | ||
| + | service network restart | ||
| + | </code> | ||
| - | config zone | + | See all available OpenConnect protocol options [[docs: |
| - | option name vpn | + | |
| - | list network ' | + | |
| - | option input REJECT | + | |
| - | option output ACCEPT | + | |
| - | option forward REJECT | + | |
| - | option masq 1 | + | |
| - | option mtu_fix 1 | + | |
| - | config forwarding | + | Disable [[docs: |
| - | option src lan | + | |
| - | option dest vpn | + | ===== Web-based configuration ===== |
| + | |||
| + | Web-based configuration is available through [[: | ||
| + | |||
| + | <code bash> | ||
| + | # Install packages | ||
| + | opkg update | ||
| + | opkg install luci-proto-openconnect | ||
| + | service rpcd restart | ||
| </ | </ | ||
| - | If the interface does not come up, examine the system log file for error messages. | + | Navigate to **LuCI -> Network -> Interfaces** |
| - | Although OpenConnect is started with command line options, it is not possible | + | |
| - | Manually running OpenConnect through the authentication stages is useful to diagnose authentication problems though. | + | Currently not all the options can be set through Luci, so manual changes |
| - | UCI will retry a connection constantly at 5 second intervals, which if unsuccessful could lead to being blacklisted by the server. | + | |
| - | Thus it would be advisable to disable the configuration | + | \\ |
| + | |||
| + | ===== Testing ===== | ||
| + | {{section> | ||
| + | |||
| + | ===== Troubleshooting ===== | ||
| + | Collect and analyze the following information. | ||
| + | |||
| + | <code bash> | ||
| + | # Restart services | ||
| + | service log restart; service network restart; sleep 10 | ||
| + | |||
| + | # Log and status | ||
| + | logread -e openconnect | ||
| + | |||
| + | # Runtime configuration | ||
| + | pgrep -f -a openconnect | ||
| + | ip address show; ip route show table all | ||
| + | ip rule show; ip -6 rule show; nft list ruleset | ||
| + | |||
| + | # Persistent configuration | ||
| + | uci show network; uci show firewall | ||
| + | </ | ||
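Review bot: The alternative in section 2 (the log excerpt after "run the client once without specifying") takes `serverhash` from whatever certificate the server presented on that first, untrusted connection, and the log itself gives the failure reason as "unable to get local issuer certificate"; the text should state that the copied value only protects later connections if it is compared against the hash computed on the server with the `openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64` pipeline shown just above (or obtained some other way out of band), and that it has to be regenerated whenever the server's key changes. Two smaller points: `uci set network.${VPN_IF}.password=` in section 4 stores the VPN password in cleartext in the UCI network configuration (and `VPN_PASS=` in section 1 leaves it in the shell history), which the page could mention together with a pointer to the certificate-based authentication the old revision described as integral to OpenConnect; and the old revision's warning that UCI retries a failed connection every 5 seconds and can get the client blacklisted by the server was dropped together with the firewall zone snippet, although it would fit well under the new Troubleshooting section.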