OpenConnect extras

• This how-to describes the most common OpenConnect tuning scenarios adapted for OpenWrt.
• Follow OpenConnect server for server setup and OpenConnect client for client setup.
• Follow OpenConnect protocol for protocol-specific interface options.
• Follow Random generator to overcome low entropy issues.

• OpenConnect official site
• ocserv OpenConnect server documentation
• OpenConnect configuration examples

Install the necessary packages if you want to manage VPN settings using web interface.

# Install packages
opkg update
opkg install luci-app-ocserv
/etc/init.d/rpcd restart

Navigate to LuCI → VPN → OpenConnect VPN to configure OpenConnect server.

# Install packages
opkg update
opkg install luci-proto-openconnect
/etc/init.d/rpcd restart

Navigate to LuCI → Network → Interfaces to configure OpenConnect client.

Generate certificate hash.

# Install packages
opkg update
opkg install openssl-util
 
# Generate certificate hash
OC_CERT="/etc/ocserv/server-cert.pem"
OC_HCERT="$(echo pin-sha256:\
$(openssl x509 -in ${OC_CERT} -pubkey -noout \
| openssl pkey -pubin -outform der \
| openssl dgst -sha256 -binary \
| openssl enc -base64))"
 
# Fetch certificate hash
echo ${OC_HCERT}

Generate password hash.

# Generate password hash
OC_USER="USERNAME"
OC_PASS="PASSWORD"
ocpasswd ${OC_USER} << EOF
${OC_PASS}
${OC_PASS}
EOF
OC_HPASS="$(sed -n -e "/^${OC_USER}:.*:/s///p" /etc/ocserv/ocpasswd)"
 
# Fetch password hash
echo ${OC_HPASS}

If you do not need to redirect all traffic to VPN. Disable gateway redirection on VPN client.

# Configure VPN service
uci set network.vpn.defaultroute="0"
uci commit network
/etc/init.d/network restart

If VPN gateway is not your LAN gateway. Implement plain routing between LAN network and VPN network assuming that:

• 192.168.1.0/24 - LAN network
• 192.168.1.2/24 - VPN gateway
• 192.168.7.0/24 - VPN network

Add port forwarding for VPN server on LAN gateway.

uci -q delete firewall.oc
uci set firewall.oc="redirect"
uci set firewall.oc.name="Redirect-OpenConnect"
uci set firewall.oc.src="wan"
uci set firewall.oc.src_dport="4443"
uci set firewall.oc.dest="lan"
uci set firewall.oc.dest_ip="192.168.1.2"
uci set firewall.oc.family="ipv4"
uci set firewall.oc.proto="tcp udp"
uci set firewall.oc.target="DNAT"
uci commit firewall
/etc/init.d/firewall restart

Add route to VPN network via VPN gateway on LAN gateway.

uci -q delete network.vpn
uci set network.vpn="route"
uci set network.vpn.interface="lan"
uci set network.vpn.target="192.168.7.0/24"
uci set network.vpn.gateway="192.168.1.2"
uci commit network
/etc/init.d/network restart

Enable IPv6 tunnel on VPN server, offer DNSv6, redirect IPv6 gateway. Provide default IPv6 route for VPN clients. Set up transitional connectivity or NAT6 with IPv6 masquerading if required.

OC_POOL6="fdf1:e8a1:8d3f:7::/64"
OC_DNS6="${OC_POOL6%/*}1"
uci set ocserv.config.ip6addr="${OC_POOL6}"
uci -q delete ocserv.dns6
uci set ocserv.dns6="dns"
uci set ocserv.dns6.ip="${OC_DNS6}"
uci commit ocserv
/etc/init.d/ocserv restart
uci set network.wan6.sourcefilter="0"
uci commit network
/etc/init.d/network restart

Disable ISP prefix delegation to avoid IPv6 leak on the client.

uci set network.lan.ip6class="local"
uci commit network
/etc/init.d/network restart

Set up multi-client VPN server. Use unique credentials for each client.

# Configure VPN service
uci -q delete ocserv.client1
uci set ocserv.client1="ocservusers"
uci set ocserv.client1.name="USERNAME1"
uci set ocserv.client1.password="PASSWORD_HASH1"
uci commit ocserv
/etc/init.d/ocserv restart

Automated VPN server installation.

opkg update
opkg install libustream-mbedtls
URL="https://openwrt.org/_export/code/docs/guide-user/services/vpn/openconnect"
cat << EOF > openconnect-server.sh
$(uclient-fetch -O - "${URL}/server?codeblock=0")
$(uclient-fetch -O - "${URL}/extras?codeblock=4")
$(uclient-fetch -O - "${URL}/server?codeblock=1")
$(uclient-fetch -O - "${URL}/server?codeblock=2")
EOF
sh openconnect-server.sh