Differences
This shows you the differences between two versions of the page.
| docs:guide-user:services:vpn:openconnect:client [2023/03/15 12:54] – old revision restored (2023/03/14 23:49) vgaetera | docs:guide-user:services:vpn:openconnect:client [2024/10/17 17:46] – [2. Key management] andrewz | ||
|---|---|---|---|
| Line 12: | Line 12: | ||
| ==== 1. Preparation ==== | ==== 1. Preparation ==== | ||
| Install the required packages. | Install the required packages. | ||
| - | Generate server [[docs: | ||
| Specify configuration parameters for VPN client. | Specify configuration parameters for VPN client. | ||
| Line 18: | Line 17: | ||
| # Install packages | # Install packages | ||
| opkg update | opkg update | ||
| - | opkg install openconnect | + | opkg install openconnect |
| # Configuration parameters | # Configuration parameters | ||
| Line 26: | Line 25: | ||
| VPN_USER=" | VPN_USER=" | ||
| VPN_PASS=" | VPN_PASS=" | ||
| - | VPN_HASH=" | ||
| </ | </ | ||
| - | ==== 2. Firewall | + | ==== 2. Key management |
| - | Consider | + | Run the code below directly on the VPN server if you can or [[docs: |
| - | Assign VPN interface to WAN zone to minimize firewall setup. | + | |
| <code bash> | <code bash> | ||
| - | # Configure firewall | + | # Generate certificate hash |
| - | uci rename firewall.@zone[0]="lan" | + | VPN_CERT="server-cert.pem" |
| - | uci rename firewall.@zone[1]=" | + | VPN_HASH="pin-sha256:$(openssl x509 -in ${VPN_CERT} -pubkey -noout \ |
| - | uci del_list firewall.wan.network="${VPN_IF}" | + | | openssl pkey -pubin -outform der \ |
| - | uci add_list firewall.wan.network=" | + | | openssl dgst -sha256 -binary \ |
| - | uci commit firewall | + | | openssl enc -base64)" |
| - | / | + | |
| </ | </ | ||
| - | ==== 3. Network ==== | + | Alternatively, |
| + | |||
| + | < | ||
| + | daemon.notice netifd: vpn (3443): Certificate from VPN server " | ||
| + | daemon.notice netifd: vpn (3443): Reason: unable to get local issuer certificate | ||
| + | daemon.notice netifd: vpn (3443): To trust this server in future, perhaps add this to your command line: | ||
| + | daemon.notice netifd: vpn (3443): | ||
| + | daemon.notice netifd: vpn (3443): SSL connection failure | ||
| + | </ | ||
| + | |||
| + | Copy the complete string shown __after__ '' | ||
| + | |||
| + | ==== 3. Firewall ==== | ||
| + | {{section> | ||
| + | |||
| + | ==== 4. Network ==== | ||
| Set up VPN interface. | Set up VPN interface. | ||
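Review bot: the log-based alternative in the new "2. Key management" section (the "Copy the complete string shown after ..." step) pins whatever certificate the client was shown when the connection failed with "unable to get local issuer certificate", so it is trust-on-first-use rather than verification; the text should tell the reader to compare that value with the VPN_HASH produced by the openssl pipeline run on the server itself (or on a copy of server-cert.pem obtained out of band) before writing it to serverhash, and to fall back to the logged value only when that comparison is impossible. The openssl pipeline is the correct pin-sha256 computation (public key as DER, SHA-256, base64), but ${VPN_CERT} should be quoted as "${VPN_CERT}" like the other variables on the page.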
| Line 57: | Line 67: | ||
| uci set network.${VPN_IF}.serverhash=" | uci set network.${VPN_IF}.serverhash=" | ||
| uci commit network | uci commit network | ||
| - | / | + | service |
| </ | </ | ||
| - | Configure | + | See all available OpenConnect protocol options [[docs: |
| + | |||
| + | Disable | ||
| + | |||
| + | ===== Web-based configuration ===== | ||
| + | |||
| + | Web-based configuration is available through [[: | ||
| + | |||
| + | <code bash> | ||
| + | # Install packages | ||
| + | opkg update | ||
| + | opkg install luci-proto-openconnect | ||
| + | service rpcd restart | ||
| + | </ | ||
| + | |||
| + | Navigate to **LuCI -> Network -> Interfaces** to configure OpenConnect client. | ||
| + | |||
| + | Currently not all the options can be set through Luci, so manual changes in ''/ | ||
| + | |||
| + | \\ | ||
| ===== Testing ===== | ===== Testing ===== | ||
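Review bot: capitalization is inconsistent in the added Web-based configuration section: "LuCI" in the "Navigate to" line but "Luci" in the sentence that follows; use "LuCI" throughout. The stray "\\" forced line break just before the Testing heading should be dropped, since the blank line already separates the sections. The "service" form replacing the "/etc/init.d/..." restart matches the other updated restart lines, and the "service rpcd restart" after installing luci-proto-openconnect is needed for the new protocol to appear in the interface.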
| Line 70: | Line 99: | ||
| <code bash> | <code bash> | ||
| # Restart services | # Restart services | ||
| - | / | + | service |
| # Log and status | # Log and status | ||