Differences

This shows you the differences between two versions of the page.

docs:guide-user:services:vpn:openconnect:client [2020/11/28 02:27] – [1. Preparation] update vgaetera
docs:guide-user:services:vpn:openconnect:client [2024/10/17 17:46] – [2. Key management] andrewz
Line 1: Line 1:
 ====== OpenConnect client ====== ====== OpenConnect client ======
-{{section>meta:infobox:howto_links#cli_skills&noheader&nofooter&noeditbutton}}+{{section>meta:infobox:howto_links#basic_skills&noheader&nofooter&noeditbutton}}
  
 ===== Introduction ===== ===== Introduction =====
Line 9: Line 9:
 {{section>docs:guide-user:services:vpn:wireguard:server#goals&noheader&nofooter&noeditbutton}} {{section>docs:guide-user:services:vpn:wireguard:server#goals&noheader&nofooter&noeditbutton}}
  
-===== Instructions =====+===== Command-line instructions =====
 ==== 1. Preparation ==== ==== 1. Preparation ====
-Install the packages and specify the VPN client configuration parameters.+Install the required packages
 +Specify configuration parameters for VPN client.
  
 <code bash> <code bash>
 # Install packages # Install packages
 opkg update opkg update
-opkg install openconnect+opkg install openconnect openssl-util
  
 # Configuration parameters # Configuration parameters
-OC_IF="vpn"+VPN_IF="vpn
 +VPN_SERV="SERVER_ADDRESS" 
 +VPN_PORT="4443" 
 +VPN_USER="USERNAME" 
 +VPN_PASS="PASSWORD"
 </code> </code>
  
-==== 2. Firewall ==== +==== 2. Key management ==== 
-Consider VPN network as public and assign VPN interface to WAN zone to minimize firewall setup.+Run the code below directly on the VPN server if you can or [[docs:guide-user:services:vpn:openconnect:extras#server_certificate|fetch certificate]] from the server and generate the hash locally: 
 +<code bash> 
 +# Generate certificate hash 
 +VPN_CERT="server-cert.pem" 
 +VPN_HASH="pin-sha256:$(openssl x509 -in ${VPN_CERT} -pubkey -noout \ 
 +| openssl pkey -pubin -outform der \ 
 +| openssl dgst -sha256 -binary \ 
 +| openssl enc -base64)" 
 +</code> 
 + 
 +Alternatively, run the client once without specifying ''serverhash'' in the configuration file or "VPN Server's certificate SHA1 hash" in Luci. Open the System Log and look for the following lines: 
 + 
 +<code> 
 +daemon.notice netifd: vpn (3443): Certificate from VPN server "vpn.example.com" failed verification. 
 +daemon.notice netifd: vpn (3443): Reason: unable to get local issuer certificate 
 +daemon.notice netifd: vpn (3443): To trust this server in future, perhaps add this to your command line: 
 +daemon.notice netifd: vpn (3443):     --servercert pin-sha256:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx 
 +daemon.notice netifd: vpn (3443): SSL connection failure 
 +</code> 
 + 
 +Copy the complete string shown __after__ ''--servercert'' and use it in the configuration as your server hash. 
 + 
 +==== 3. Firewall ==== 
 +{{section>docs:guide-user:services:vpn:wireguard:client#firewall&noheader&nofooter&noeditbutton}} 
 + 
 +==== 4. Network ==== 
 +Set up VPN interface.
  
 <code bash> <code bash>
-# Configure firewall +# Configure network 
-uci rename firewall.@zone[0]="lan+uci -q delete network.${VPN_IF} 
-uci rename firewall.@zone[1]="wan+uci set network.${VPN_IF}="interface
-uci del_list firewall.wan.network="vpn+uci set network.${VPN_IF}.proto="openconnect
-uci add_list firewall.wan.network="vpn+uci set network.${VPN_IF}.server="${VPN_SERV}" 
-uci commit firewall +uci set network.${VPN_IF}.port="${VPN_PORT}
-/etc/init.d/firewall restart+uci set network.${VPN_IF}.username="${VPN_USER}" 
 +uci set network.${VPN_IF}.password="${VPN_PASS}" 
 +uci set network.${VPN_IF}.serverhash="${VPN_HASH}
 +uci commit network 
 +service network restart 
 +</code> 
 + 
 +See all available OpenConnect protocol options [[docs:guide-user:network:tunneling_interface_protocols#protocol_openconnect_openconnect_vpn|here]] and a sample configuration [[https://github.com/openwrt/packages/blob/master/net/openconnect/README|here]]. 
 + 
 +Disable [[docs:guide-user:services:vpn:openconnect:extras#gateway_redirection|gateway redirection]] and/or [[docs:guide-user:services:vpn:openconnect:extras#keep_existing_gateway|keep the existing gateway]] if necessary. 
 + 
 +===== Web-based configuration ===== 
 + 
 +Web-based configuration is available through [[:packages:pkgdata:luci-proto-openconnect]] package. 
 + 
 +<code bash> 
 +# Install packages 
 +opkg update 
 +opkg install luci-proto-openconnect 
 +service rpcd restart
 </code> </code>
  
-==== 2. Configuration ==== +Navigate to **LuCI -> Network -> Interfaces** to configure OpenConnect client.
-An instance of the OpenConnect client is configured and started through the UCI system by declaring a network interface of ''[[docs:guide-user:network:tunneling_interface_protocols#protocol_openconnect_openconnect_vpn|proto openconnect]]''+
-The resulting interface will be named vpn-name where 'name' is the name specified. +
-In this document it is assumed to be ''ocvpn'', thus the full name is ''vpn-ocvpn''.+
  
-==== 3. Certificates ==== +Currently not all the options can be set through Luci, so manual changes in ''/etc/config/network'' might be needed.
-PKI authentication is integral to OpenConnect. +
-Certificates must be installed to the filesystem at ''/etc/openconnect''+
-This can be done by scp, or by pasting the certificate base64 text into LuCI.+
  
-==== 4. Operation ==== +\\
-Upon a successful authentication and connection, the vpn-ocvpn interface will be created and brought up, and assigned an IP address by the server. +
-If the interface does not come up, examine the system log file for error messages. +
-Although OpenConnect is started with command line options, it is not possible to fully bring up an OpenConnect client interface manually from the command line (''vpnc'' will fail with "must be used on an active interface"). +
-Manually running OpenConnect through the authentication stages is useful to diagnose authentication problems though. +
-UCI will retry a connection constantly at 5 second intervals, which if unsuccessful could lead to being blacklisted by the server. +
-Thus it would be advisable to disable the configuration in ''/etc/config/network'' while troubleshooting.+
  
 ===== Testing ===== ===== Testing =====
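Review bot: the fallback in the new "2. Key management" step (copying the pin-sha256 value that netifd logs after a failed verification) pins whatever certificate the server happened to present on that first, unverified connection, so it should be presented as the second choice only, to be used when the hash cannot be generated on the server itself, and the copied value should be compared against one obtained out of band before it is committed with `uci set network.${VPN_IF}.serverhash=...`; the text currently offers the two methods as interchangeable. Three further points in the same hunk: several new shell lines are missing their closing double quote as rendered (`VPN_IF="vpn`, `uci set network.${VPN_IF}.port="${VPN_PORT}`, `uci set network.${VPN_IF}.serverhash="${VPN_HASH}`), which will not parse if that is not a rendering artifact; the LuCI field is described as the "certificate SHA1 hash" while the value generated and logged is a pin-sha256 string, and "Luci" and "LuCI" are used inconsistently, so the labels should be reconciled; and the removed "4. Operation" section's warning that UCI retries a failing connection every 5 seconds, which can get the client blacklisted, and that the configuration should be disabled while troubleshooting, has no replacement in the new text and is worth carrying over to the Testing section.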
Line 61: Line 99:
 <code bash> <code bash>
 # Restart services # Restart services
-/etc/init.d/log restart; /etc/init.d/network restart; sleep 10+service log restart; service network restart; sleep 10
  
 # Log and status # Log and status
Line 69: Line 107:
 pgrep -f -a openconnect pgrep -f -a openconnect
 ip address show; ip route show table all ip address show; ip route show table all
-ip rule show; ip -6 rule show; iptables-save; ip6tables-save+ip rule show; ip -6 rule show; nft list ruleset
  
 # Persistent configuration # Persistent configuration
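Review bot: `nft list ruleset` replaces `iptables-save; ip6tables-save` without qualification; that is correct for the nftables-based fw4 firewall, but routers still running firewall3 have no nft ruleset to list, so either state the OpenWrt release the guide now assumes or keep the iptables commands as the alternative for older releases.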
Last modified: 2024/10/18 10:24 by andrewz