Differences

This shows you the differences between two versions of the page.

Old revision: docs:guide-user:services:vpn:openconnect:client [2020/11/28 07:22] – [1. Preparation] vgaetera
New revision: docs:guide-user:services:vpn:openconnect:client [2024/10/17 17:46] – [2. Key management] andrewz
Line 1: Line 1:
 ====== OpenConnect client ====== ====== OpenConnect client ======
-{{section>meta:infobox:howto_links#cli_skills&noheader&nofooter&noeditbutton}}+{{section>meta:infobox:howto_links#basic_skills&noheader&nofooter&noeditbutton}}
  
 ===== Introduction ===== ===== Introduction =====
Line 9: Line 9:
 {{section>docs:guide-user:services:vpn:wireguard:server#goals&noheader&nofooter&noeditbutton}} {{section>docs:guide-user:services:vpn:wireguard:server#goals&noheader&nofooter&noeditbutton}}
  
-===== Instructions =====+===== Command-line instructions =====
 ==== 1. Preparation ==== ==== 1. Preparation ====
-Install the packages and specify the VPN client configuration parameters.+Install the required packages
 +Specify configuration parameters for VPN client.
  
 <code bash> <code bash>
 # Install packages # Install packages
 opkg update opkg update
-opkg install openconnect+opkg install openconnect openssl-util
  
 # Configuration parameters # Configuration parameters
-OC_IF="vpn" +VPN_IF="vpn" 
-OC_SERV="SERVER_NAME_OR_IP_ADDRESS+VPN_SERV="SERVER_ADDRESS
-OC_PORT="4443" +VPN_PORT="4443" 
-OC_HASH="SERVER_CERT_HASH+VPN_USER="USERNAME
-OC_USER="OC_USERNAME" +VPN_PASS="PASSWORD"
-OC_PASS="OC_PASSWORD"+
 </code> </code>
  
-==== 2. Firewall ==== +==== 2. Key management ==== 
-Consider VPN network as public and assign VPN interface to WAN zone to minimize firewall setup. +Run the code below directly on the VPN server if you can or [[docs:guide-user:services:vpn:openconnect:extras#server_certificate|fetch certificate]] from the server and generate the hash locally:
 <code bash> <code bash>
-Configure firewall +Generate certificate hash 
-uci rename firewall.@zone[0]="lan" +VPN_CERT="server-cert.pem
-uci rename firewall.@zone[1]="wan+VPN_HASH="pin-sha256:$(openssl x509 -in ${VPN_CERT-pubkey -noout \ 
-uci del_list firewall.wan.network="${OC_IF}" +| openssl pkey -pubin -outform der \ 
-uci add_list firewall.wan.network="${OC_IF}" +| openssl dgst -sha256 -binary \ 
-uci commit firewall +| openssl enc -base64)"
-/etc/init.d/firewall restart+
 </code> </code>
  
-==== 3. Network ====+Alternatively, run the client once without specifying ''serverhash'' in the configuration file or "VPN Server's certificate SHA1 hash" in Luci. Open the System Log and look for the following lines: 
 + 
 +<code> 
 +daemon.notice netifd: vpn (3443): Certificate from VPN server "vpn.example.com" failed verification. 
 +daemon.notice netifd: vpn (3443): Reason: unable to get local issuer certificate 
 +daemon.notice netifd: vpn (3443): To trust this server in future, perhaps add this to your command line: 
 +daemon.notice netifd: vpn (3443):     --servercert pin-sha256:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx 
 +daemon.notice netifd: vpn (3443): SSL connection failure 
 +</code> 
 + 
 +Copy the complete string shown __after__ ''--servercert'' and use it in the configuration as your server hash. 
 + 
 +==== 3. Firewall ==== 
 +{{section>docs:guide-user:services:vpn:wireguard:client#firewall&noheader&nofooter&noeditbutton}} 
 + 
 +==== 4. Network ====
 Set up VPN interface. Set up VPN interface.
  
 <code bash> <code bash>
 # Configure network # Configure network
-uci -q delete network.${OC_IF+uci -q delete network.${VPN_IF
-uci set network.${OC_IF}="interface" +uci set network.${VPN_IF}="interface" 
-uci set network.${OC_IF}.proto="openconnect" +uci set network.${VPN_IF}.proto="openconnect" 
-uci set network.${OC_IF}.server="${OC_SERV}" +uci set network.${VPN_IF}.server="${VPN_SERV}" 
-uci set network.${OC_IF}.port="${OC_PORT}" +uci set network.${VPN_IF}.port="${VPN_PORT}" 
-uci set network.${OC_IF}.serverhash="${OC_HASH}" +uci set network.${VPN_IF}.username="${VPN_USER}" 
-uci set network.${OC_IF}.username="${OC_USER}" +uci set network.${VPN_IF}.password="${VPN_PASS}" 
-uci set network.${OC_IF}.password="${OC_PASS}"+uci set network.${VPN_IF}.serverhash="${VPN_HASH}"
 uci commit network uci commit network
-/etc/init.d/network restart+service network restart
 </code> </code>
 +
 +See all available OpenConnect protocol options [[docs:guide-user:network:tunneling_interface_protocols#protocol_openconnect_openconnect_vpn|here]] and a sample configuration [[https://github.com/openwrt/packages/blob/master/net/openconnect/README|here]].
 +
 +Disable [[docs:guide-user:services:vpn:openconnect:extras#gateway_redirection|gateway redirection]] and/or [[docs:guide-user:services:vpn:openconnect:extras#keep_existing_gateway|keep the existing gateway]] if necessary.
 +
 +===== Web-based configuration =====
 +
 +Web-based configuration is available through [[:packages:pkgdata:luci-proto-openconnect]] package.
 +
 +<code bash>
 +# Install packages
 +opkg update
 +opkg install luci-proto-openconnect
 +service rpcd restart
 +</code>
 +
 +Navigate to **LuCI -> Network -> Interfaces** to configure OpenConnect client.
 +
 +Currently not all the options can be set through Luci, so manual changes in ''/etc/config/network'' might be needed.
 +
 +\\
  
 ===== Testing ===== ===== Testing =====
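Review bot: the fallback added in "2. Key management" (copying the pin-sha256 value from the netifd log after a failed verification) pins whatever certificate the client happened to receive on that first attempt, and nothing in the text tells the reader to compare it with a hash obtained from the server side before trusting it. Suggest adding one sentence after "Copy the complete string shown after --servercert" stating that the logged value must match the hash produced by the openssl pipeline above (run on the server, or on a certificate fetched as described in the linked extras page) before it is written into serverhash. In the same paragraph the LuCI field is called "VPN Server's certificate SHA1 hash" while the value the section produces and the log prints is a pin-sha256 string; naming the expected format there would keep readers from computing a SHA-1 fingerprint instead.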
Line 65: Line 99:
 <code bash> <code bash>
 # Restart services # Restart services
-/etc/init.d/log restart; /etc/init.d/network restart; sleep 10+service log restart; service network restart; sleep 10
  
 # Log and status # Log and status
Line 73: Line 107:
 pgrep -f -a openconnect pgrep -f -a openconnect
 ip address show; ip route show table all ip address show; ip route show table all
-ip rule show; ip -6 rule show; iptables-save; ip6tables-save+ip rule show; ip -6 rule show; nft list ruleset
  
 # Persistent configuration # Persistent configuration
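Review bot: swapping iptables-save; ip6tables-save for nft list ruleset in the status commands removes the iptables output entirely, so on a system where nftables is not in use the line fails with command not found instead of dumping the ruleset; either keep the old commands as an alternative or state which OpenWrt firewall (and release) the nft command applies to.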
Last modified: 2024/10/18 10:24 by andrewz