Differences

This shows you the differences between two versions of the page.

docs:guide-user:services:vpn:openconnect:client [2023/10/14 05:20] – use service invocation vgaetera
docs:guide-user:services:vpn:openconnect:client [2024/10/17 17:46] – [2. Key management] andrewz
Line 28: Line 28:
  
 ==== 2. Key management ==== ==== 2. Key management ====
-Transfer server certificate to VPN client. +Run the code below directly on the VPN server if you can or [[docs:guide-user:services:vpn:openconnect:extras#server_certificate|fetch certificate]] from the server and generate the hash locally:
-Generate certificate hash+
 <code bash> <code bash>
 # Generate certificate hash # Generate certificate hash
Line 40: Line 38:
 </code> </code>
  
-You can fetch server certificate remotely. +Alternatively, run the client once without specifying ''serverhash'' in the configuration file or "VPN Server'certificate SHA1 hash" in LuciOpen the System Log and look for the following lines:
-Beware of possible MITM.+
  
-<code bash+<code> 
-openssl s_client -showcerts -connect ${VPN_SERV}:${VPN_PORT} \ +daemon.notice netifdvpn (3443): Certificate from VPN server "vpn.example.com" failed verification. 
-< /dev/null > server-cert.pem+daemon.notice netifd: vpn (3443): Reason: unable to get local issuer certificate 
 +daemon.notice netifd: vpn (3443): To trust this server in future, perhaps add this to your command line: 
 +daemon.notice netifd: vpn (3443):     --servercert pin-sha256:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx 
 +daemon.notice netifd: vpn (3443): SSL connection failure
 </code> </code>
 +
 +Copy the complete string shown __after__ ''--servercert'' and use it in the configuration as your server hash.
  
 ==== 3. Firewall ==== ==== 3. Firewall ====
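Review bot: the rewritten Key management section removes the old "Beware of possible MITM" warning at the very point where it introduces a trust-on-first-use step (run the client once without ''serverhash'', then copy the ''--servercert pin-sha256:...'' string out of the System Log). A first connection that is intercepted would log the attacker's pin, and the page now gives the reader no reason to distrust it. Keep the warning and state that the value copied from the log must match the hash generated on the server (the first method in this section) before it goes into the configuration, so the log route is presented as a convenient way to read the pin in the expected format rather than as an independent way to establish trust. Smaller points in the same hunk: ''LuciOpen the System Log'' is missing the sentence break after ''Luci'', ''VPN Server'certificate'' should read ''VPN Server's certificate'', and the first log line reads ''netifdvpn (3443)'' where the following lines read ''netifd: vpn (3443)''.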
Line 68: Line 70:
 </code> </code>
  
-Configure [[docs:guide-user:services:vpn:openconnect:extras#dynamic_connection|dynamic connection]] if necessary.+See all available OpenConnect protocol options [[docs:guide-user:network:tunneling_interface_protocols#protocol_openconnect_openconnect_vpn|here]] and a sample configuration [[https://github.com/openwrt/packages/blob/master/net/openconnect/README|here]]. 
 + 
 +Disable [[docs:guide-user:services:vpn:openconnect:extras#gateway_redirection|gateway redirection]] and/or [[docs:guide-user:services:vpn:openconnect:extras#keep_existing_gateway|keep the existing gateway]] if necessary. 
 + 
 +===== Web-based configuration ===== 
 + 
 +Web-based configuration is available through [[:packages:pkgdata:luci-proto-openconnect]] package. 
 + 
 +<code bash> 
 +# Install packages 
 +opkg update 
 +opkg install luci-proto-openconnect 
 +service rpcd restart 
 +</code> 
 + 
 +Navigate to **LuCI -> Network -> Interfaces** to configure OpenConnect client. 
 + 
 +Currently not all the options can be set through Luci, so manual changes in ''/etc/config/network'' might be needed. 
 + 
 +\\
  
 ===== Testing ===== ===== Testing =====
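Review bot: "Currently not all the options can be set through Luci, so manual changes in ''/etc/config/network'' might be needed" does not say which options are missing, so a reader cannot tell when the LuCI form is enough and when to edit the file by hand; name the options that must be set manually, or at least point at the protocol options page linked just above, which this hunk says lists all of them. Two style points: the capitalisation alternates between ''Luci'' and ''LuCI'' within this hunk (and ''Luci'' is used in the Key management hunk), and replacing the ''dynamic connection'' link with the gateway-redirection and keep-existing-gateway links drops the only reference to that extras section without saying whether it was removed on purpose.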
  • Last modified: 2024/10/18 10:24
  • by andrewz