docs:guide-user:services:vpn:openconnect:client [2021/09/27 04:46] – [1. Preparation] vgaetera
docs:guide-user:services:vpn:openconnect:client [2024/10/17 17:46] – [2. Key management] andrewz
Line 1: Line 1:
 ====== OpenConnect client ====== ====== OpenConnect client ======
-{{section>meta:infobox:howto_links#cli_skills&noheader&nofooter&noeditbutton}}+{{section>meta:infobox:howto_links#basic_skills&noheader&nofooter&noeditbutton}}
  
 ===== Introduction ===== ===== Introduction =====
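Review bot: switching the prerequisite infobox from cli_skills to basic_skills does not match the body of the page, which still walks the reader through shell commands (opkg, uci, the openssl pipeline in Key management) before the new Web-based configuration section appears. Either keep cli_skills, or move the Web-based configuration section ahead of the CLI walkthrough so that basic_skills describes what a reader meets first.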
Line 12: Line 12:
 ==== 1. Preparation ==== ==== 1. Preparation ====
 Install the required packages. Install the required packages.
-Specify the VPN client configuration parameters.+Specify configuration parameters for VPN client.
  
 <code bash> <code bash>
 # Install packages # Install packages
 opkg update opkg update
-opkg install openconnect+opkg install openconnect openssl-util
  
 # Configuration parameters # Configuration parameters
-OC_IF="vpn" +VPN_IF="vpn" 
-OC_SERV="SERVER_ADDRESS" +VPN_SERV="SERVER_ADDRESS" 
-OC_PORT="4443" +VPN_PORT="4443" 
-OC_USER="USERNAME" +VPN_USER="USERNAME" 
-OC_PASS="PASSWORD+VPN_PASS="PASSWORD"
-OC_HASH="SERVER_CERT_HASH"+
 </code> </code>
  
-Fetch server [[docs:guide-user:services:vpn:openconnect:extras#certificate_hash|certificate hash]].+==== 2. Key management ==== 
 +Run the code below directly on the VPN server if you can or [[docs:guide-user:services:vpn:openconnect:extras#server_certificate|fetch certificate]] from the server and generate the hash locally: 
 +<code bash> 
 +# Generate certificate hash 
 +VPN_CERT="server-cert.pem" 
 +VPN_HASH="pin-sha256:$(openssl x509 -in ${VPN_CERT} -pubkey -noout \ 
 +| openssl pkey -pubin -outform der \ 
 +| openssl dgst -sha256 -binary \ 
 +| openssl enc -base64)" 
 +</code>
  
-==== 2. Firewall ==== +Alternatively, run the client once without specifying ''serverhash'' in the configuration file or "VPN Server's certificate SHA1 hash" in LuciOpen the System Log and look for the following lines:
-Consider VPN network as public. +
-Assign VPN interface to WAN zone to minimize firewall setup.+
  
-<code bash+<code> 
-# Configure firewall +daemon.notice netifd: vpn (3443): Certificate from VPN server "vpn.example.comfailed verification. 
-uci rename firewall.@zone[0]="lan+daemon.notice netifd: vpn (3443): Reason: unable to get local issuer certificate 
-uci rename firewall.@zone[1]="wan" +daemon.notice netifd: vpn (3443): To trust this server in future, perhaps add this to your command line: 
-uci del_list firewall.wan.network="${OC_IF}" +daemon.notice netifd: vpn (3443):     --servercert pin-sha256:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx 
-uci add_list firewall.wan.network="${OC_IF}" +daemon.notice netifd: vpn (3443): SSL connection failure
-uci commit firewall +
-/etc/init.d/firewall restart+
 </code> </code>
  
-==== 3. Network ====+Copy the complete string shown __after__ ''--servercert'' and use it in the configuration as your server hash. 
 + 
 +==== 3. Firewall ==== 
 +{{section>docs:guide-user:services:vpn:wireguard:client#firewall&noheader&nofooter&noeditbutton}} 
 + 
 +==== 4. Network ====
 Set up VPN interface. Set up VPN interface.
  
 <code bash> <code bash>
 # Configure network # Configure network
-uci -q delete network.${OC_IF+uci -q delete network.${VPN_IF
-uci set network.${OC_IF}="interface" +uci set network.${VPN_IF}="interface" 
-uci set network.${OC_IF}.proto="openconnect" +uci set network.${VPN_IF}.proto="openconnect" 
-uci set network.${OC_IF}.server="${OC_SERV}" +uci set network.${VPN_IF}.server="${VPN_SERV}" 
-uci set network.${OC_IF}.port="${OC_PORT}" +uci set network.${VPN_IF}.port="${VPN_PORT}" 
-uci set network.${OC_IF}.username="${OC_USER}" +uci set network.${VPN_IF}.username="${VPN_USER}" 
-uci set network.${OC_IF}.password="${OC_PASS}" +uci set network.${VPN_IF}.password="${VPN_PASS}" 
-uci set network.${OC_IF}.serverhash="${OC_HASH}"+uci set network.${VPN_IF}.serverhash="${VPN_HASH}"
 uci commit network uci commit network
-/etc/init.d/network restart+service network restart
 </code> </code>
  
-Configure [[docs:guide-user:services:vpn:openconnect:extras#dynamic_connection|dynamic connection]] if necessary.+See all available OpenConnect protocol options [[docs:guide-user:network:tunneling_interface_protocols#protocol_openconnect_openconnect_vpn|here]] and a sample configuration [[https://github.com/openwrt/packages/blob/master/net/openconnect/README|here]]. 
 + 
 +Disable [[docs:guide-user:services:vpn:openconnect:extras#gateway_redirection|gateway redirection]] and/or [[docs:guide-user:services:vpn:openconnect:extras#keep_existing_gateway|keep the existing gateway]] if necessary. 
 + 
 +===== Web-based configuration ===== 
 + 
 +Web-based configuration is available through [[:packages:pkgdata:luci-proto-openconnect]] package. 
 + 
 +<code bash> 
 +# Install packages 
 +opkg update 
 +opkg install luci-proto-openconnect 
 +service rpcd restart 
 +</code> 
 + 
 +Navigate to **LuCI -> Network -> Interfaces** to configure OpenConnect client. 
 + 
 +Currently not all the options can be set through Luci, so manual changes in ''/etc/config/network'' might be needed. 
 + 
 +\\
  
 ===== Testing ===== ===== Testing =====
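Review bot: the log-based alternative for obtaining the server hash is trust-on-first-use and the text should say so. The lines it tells the reader to look for ("Certificate from VPN server ... failed verification", "Reason: unable to get local issuer certificate") mean the client could not validate the certificate at all, so the pin-sha256 value copied from that log is only as trustworthy as that one unverified connection. Suggest adding a sentence after "Copy the complete string shown after --servercert" asking the reader to compare it with the hash produced by the openssl pipeline run on the server (or on a certificate fetched out of band) before committing it to serverhash. Smaller points in the same hunk: "Luci" in the log paragraph and in the last paragraph should read "LuCI" as in the navigation line; the Firewall section is now an include of the WireGuard client page, so check that the included snippet refers to the same ${VPN_IF} variable that this page's Preparation block defines; and the lone "\\" line break before the Testing heading looks stray.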
Line 71: Line 99:
 <code bash> <code bash>
 # Restart services # Restart services
-/etc/init.d/log restart; /etc/init.d/network restart; sleep 10+service log restart; service network restart; sleep 10
  
 # Log and status # Log and status
Line 79: Line 107:
 pgrep -f -a openconnect pgrep -f -a openconnect
 ip address show; ip route show table all ip address show; ip route show table all
-ip rule show; iptables-save -c +ip rule show; ip -6 rule show; nft list ruleset
-ip -6 rule show; ip6tables-save -c+
  
 # Persistent configuration # Persistent configuration
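Review bot: replacing "iptables-save -c" and "ip6tables-save -c" with "nft list ruleset" assumes the router runs firewall4 (nftables); on a build still using firewall3 the command prints nothing useful, so either state the fw4 assumption in the Testing section or keep the iptables-save lines as a fallback for older releases.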
  • Last modified: 2024/10/18 10:24
  • by andrewz