Differences
This shows you the differences between two versions of the page.
| docs:guide-user:services:vpn:openconnect:client [2020/11/28 02:29] – [1. Preparation] update vgaetera | docs:guide-user:services:vpn:openconnect:client [2024/10/17 17:46] – [2. Key management] andrewz | ||
|---|---|---|---|
| Line 1: | Line 1: | ||
| ====== OpenConnect client ====== | ====== OpenConnect client ====== | ||
| - | {{section> | + | {{section> |
| ===== Introduction ===== | ===== Introduction ===== | ||
| Line 9: | Line 9: | ||
| {{section> | {{section> | ||
| - | ===== Instructions | + | ===== Command-line instructions |
| ==== 1. Preparation ==== | ==== 1. Preparation ==== | ||
| - | Install the packages | + | Install the required |
| + | Specify | ||
| <code bash> | <code bash> | ||
| # Install packages | # Install packages | ||
| opkg update | opkg update | ||
| - | opkg install openconnect | + | opkg install openconnect |
| # Configuration parameters | # Configuration parameters | ||
| - | OC_IF=" | + | VPN_IF=" |
| - | OC_PORT=" | + | VPN_SERV=" |
| + | VPN_PORT="4443" | ||
| + | VPN_USER=" | ||
| + | VPN_PASS=" | ||
| </ | </ | ||
| - | ==== 2. Firewall | + | ==== 2. Key management |
| - | Consider | + | Run the code below directly on the VPN server if you can or [[docs: |
| + | <code bash> | ||
| + | # Generate certificate hash | ||
| + | VPN_CERT=" | ||
| + | VPN_HASH=" | ||
| + | | openssl pkey -pubin -outform der \ | ||
| + | | openssl dgst -sha256 -binary \ | ||
| + | | openssl enc -base64)" | ||
| + | </ | ||
| + | |||
| + | Alternatively, | ||
| + | |||
| + | < | ||
| + | daemon.notice netifd: vpn (3443): Certificate from VPN server " | ||
| + | daemon.notice netifd: vpn (3443): Reason: unable | ||
| + | daemon.notice netifd: vpn (3443): To trust this server in future, perhaps add this to your command line: | ||
| + | daemon.notice netifd: vpn (3443): | ||
| + | daemon.notice netifd: vpn (3443): SSL connection failure | ||
| + | </ | ||
| + | |||
| + | Copy the complete string shown __after__ '' | ||
| + | |||
| + | ==== 3. Firewall ==== | ||
| + | {{section> | ||
| + | |||
| + | ==== 4. Network ==== | ||
| + | Set up VPN interface. | ||
| <code bash> | <code bash> | ||
| - | # Configure | + | # Configure |
| - | uci rename firewall.@zone[0]="lan" | + | uci -q delete network.${VPN_IF} |
| - | uci rename firewall.@zone[1]="wan" | + | uci set network.${VPN_IF}="interface" |
| - | uci del_list firewall.wan.network=" | + | uci set network.${VPN_IF}.proto="openconnect" |
| - | uci add_list firewall.wan.network=" | + | uci set network.${VPN_IF}.server=" |
| - | uci commit | + | uci set network.${VPN_IF}.port="${VPN_PORT}" |
| - | /etc/init.d/firewall | + | uci set network.${VPN_IF}.username=" |
| + | uci set network.${VPN_IF}.password="${VPN_PASS}" | ||
| + | uci set network.${VPN_IF}.serverhash=" | ||
| + | uci commit | ||
| + | service network restart | ||
| + | </code> | ||
| + | |||
| + | See all available OpenConnect protocol options [[docs: | ||
| + | |||
| + | Disable [[docs: | ||
| + | |||
| + | ===== Web-based configuration ===== | ||
| + | |||
| + | Web-based configuration is available through [[: | ||
| + | |||
| + | <code bash> | ||
| + | # Install packages | ||
| + | opkg update | ||
| + | opkg install luci-proto-openconnect | ||
| + | service rpcd restart | ||
| </ | </ | ||
| - | ==== 2. Configuration ==== | + | Navigate to **LuCI |
| - | An instance of the OpenConnect client is configured and started through the UCI system by declaring a network interface of '' | + | |
| - | The resulting interface will be named vpn-name where ' | + | |
| - | In this document it is assumed | + | |
| - | ==== 3. Certificates ==== | + | Currently not all the options can be set through Luci, so manual changes in ''/ |
| - | PKI authentication is integral to OpenConnect. | + | |
| - | Certificates must be installed to the filesystem at ''/ | + | |
| - | This can be done by scp, or by pasting the certificate base64 text into LuCI. | + | |
| - | ==== 4. Operation ==== | + | \\ |
| - | Upon a successful authentication and connection, the vpn-ocvpn interface will be created and brought up, and assigned an IP address by the server. | + | |
| - | If the interface does not come up, examine the system log file for error messages. | + | |
| - | Although OpenConnect is started with command line options, it is not possible to fully bring up an OpenConnect client interface manually from the command line ('' | + | |
| - | Manually running OpenConnect through the authentication stages is useful to diagnose authentication problems though. | + | |
| - | UCI will retry a connection constantly at 5 second intervals, which if unsuccessful could lead to being blacklisted by the server. | + | |
| - | Thus it would be advisable to disable the configuration in ''/ | + | |
| ===== Testing ===== | ===== Testing ===== | ||
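Review bot: the fallback path in the new "2. Key management" section (the netifd log excerpt followed by "Copy the complete string shown after ...") pins whatever hash the first, unverified connection reports, which is trust-on-first-use; add a sentence telling the reader to compare that string with the value computed on the server by the openssl pipeline above it, or with a value obtained from the server administrator, before committing it via `uci set network.${VPN_IF}.serverhash=...`, since a hash pinned from a tampered first contact is then trusted on every later connection. Two smaller points in the same hunk: the removed "3. Certificates" section was the only text covering client-certificate (PKI) authentication and the rewrite offers no replacement or pointer for it; and `uci set network.${VPN_IF}.password="${VPN_PASS}"` writes the credential in plain text into the persistent UCI configuration, which the section should at least state so readers know where the secret ends up.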
| Line 62: | Line 99: | ||
| <code bash> | <code bash> | ||
| # Restart services | # Restart services | ||
| - | / | + | service |
| # Log and status | # Log and status | ||
| Line 70: | Line 107: | ||
| pgrep -f -a openconnect | pgrep -f -a openconnect | ||
| ip address show; ip route show table all | ip address show; ip route show table all | ||
| - | ip rule show; ip -6 rule show; iptables-save; | + | ip rule show; ip -6 rule show; nft list ruleset |
| # Persistent configuration | # Persistent configuration | ||
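Review bot: replacing `iptables-save` with `nft list ruleset` in the status commands assumes a firewall4/nftables build; on releases still running fw3 with iptables the `nft` command is absent and the line fails. Either keep both commands, e.g. `nft list ruleset 2>/dev/null || iptables-save`, or state which OpenWrt release the instructions target.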