OpenConnect extras

Web interface

Install the necessary packages if you want to manage VPN settings using the web interface.

# Install packages
opkg update
opkg install luci-app-ocserv
/etc/init.d/rpcd restart

Navigate to LuCI → VPN → OpenConnect VPN to configure the OpenConnect server.

# Install packages
opkg update
opkg install luci-proto-openconnect
/etc/init.d/rpcd restart

Navigate to LuCI → Network → Interfaces to configure the OpenConnect client.

Dynamic connection

Preserve the default route so that WAN connectivity is restored when the VPN is disconnected.

# Preserve default route
uci set network.wan.metric="100"
uci set network.wan6.metric="100"
uci commit network
/etc/init.d/network restart

Certificate hash

Generate the certificate hash (the SHA-256 public-key pin that OpenConnect clients use to verify the server).

# Install packages
opkg update
opkg install openssl-util
 
# Generate certificate hash
OC_CERT="/etc/ocserv/server-cert.pem"
OC_HCERT="$(echo pin-sha256:\
$(openssl x509 -in ${OC_CERT} -pubkey -noout \
| openssl pkey -pubin -outform der \
| openssl dgst -sha256 -binary \
| openssl enc -base64))"
 
# Fetch certificate hash
echo ${OC_HCERT}
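The pipeline above extracts the SubjectPublicKeyInfo from the server certificate, hashes it with SHA-256 and base64-encodes the digest. The following is an added example, not code from the OpenWrt wiki or from ocserv, that reproduces the same computation in pure Python (useful on a client that lacks openssl) and adds the check a client should do with it: compare the computed pin against the pinned value before trusting the server. The `build_test_cert` helper and `SAMPLE_SPKI` are constructed test data, not a real certificate or key; the `pin-sha256:` format itself is the one that `openconnect --servercert` accepts.

```python
# Added example (not from the OpenWrt wiki page): compute the OpenConnect
# "pin-sha256:" public-key pin in pure Python, reproducing the openssl
# pipeline (SubjectPublicKeyInfo DER -> SHA-256 -> base64), and compare it
# against a pinned value before trusting a server.
import base64
import hashlib
import hmac
import re


def _der_len(n: int) -> bytes:
    """DER length encoding: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, payload: bytes) -> bytes:
    """Encode one DER tag-length-value element."""
    return bytes([tag]) + _der_len(len(payload)) + payload


def _read_tlv(buf: bytes, pos: int):
    """Decode the TLV at pos; return (tag, value, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: the next (length & 0x7f) bytes hold the length
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    return tag, buf[pos:pos + length], pos + length


def pem_to_der(data: bytes) -> bytes:
    """Accept a PEM certificate (as in /etc/ocserv/server-cert.pem) or raw DER."""
    m = re.search(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", data, re.S)
    if m:
        return base64.b64decode(b"".join(m.group(1).split()))
    return data


def der_to_pem(der: bytes) -> bytes:
    """Wrap DER bytes in PEM armour (used for the round-trip check)."""
    return b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der) + b"-----END CERTIFICATE-----\n"


def extract_spki(cert_der: bytes) -> bytes:
    """Return the SubjectPublicKeyInfo element (header included) of an X.509 DER certificate."""
    tag, cert, _ = _read_tlv(cert_der, 0)  # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, tbs, _ = _read_tlv(cert, 0)  # tbsCertificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("tbsCertificate missing")
    pos = 0
    tag, _, nxt = _read_tlv(tbs, pos)
    if tag == 0xA0:  # optional [0] EXPLICIT version
        pos = nxt
    for _ in range(5):  # serialNumber, signature, issuer, validity, subject
        _, _, pos = _read_tlv(tbs, pos)
    tag, _, end = _read_tlv(tbs, pos)  # subjectPublicKeyInfo ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("subjectPublicKeyInfo missing")
    return tbs[pos:end]


def pin_of_spki(spki_der: bytes) -> str:
    """pin-sha256 of an SPKI blob: base64(SHA-256(DER)), the form openconnect --servercert takes."""
    return "pin-sha256:" + base64.b64encode(hashlib.sha256(spki_der).digest()).decode()


def spki_pin(cert: bytes) -> str:
    """Pin of a certificate given as PEM or DER bytes."""
    return pin_of_spki(extract_spki(pem_to_der(cert)))


def pin_matches(cert: bytes, expected_pin: str) -> bool:
    """Constant-time comparison of the computed pin with the pinned value."""
    return hmac.compare_digest(spki_pin(cert).encode(), expected_pin.encode())


def build_test_cert(spki_der: bytes) -> bytes:
    """Constructed certificate-shaped DER for offline testing only: it has the
    tbsCertificate field layout but empty names and no real signature."""
    tbs = (der_tlv(0xA0, der_tlv(0x02, b"\x02"))  # [0] version: v3
           + der_tlv(0x02, b"\x01")                # serialNumber
           + der_tlv(0x30, b"")                    # signature algorithm
           + der_tlv(0x30, b"")                    # issuer
           + der_tlv(0x30, b"")                    # validity
           + der_tlv(0x30, b"")                    # subject
           + spki_der)                             # subjectPublicKeyInfo
    return der_tlv(0x30, der_tlv(0x30, tbs) + der_tlv(0x30, b"") + der_tlv(0x03, b"\x00"))


# Constructed sample SPKI (an OID plus a bit string, not a real key).
SAMPLE_SPKI = der_tlv(0x30, der_tlv(0x30, der_tlv(0x06, b"\x2a\x03\x04")) + der_tlv(0x03, b"\x00key"))

if __name__ == "__main__":
    print(spki_pin(build_test_cert(SAMPLE_SPKI)))
```

On a real deployment, run `spki_pin` over the server's `server-cert.pem`, record the result, and hand it to clients as the value for `openconnect --servercert`; a client that computes a different pin from the presented certificate should refuse to connect rather than prompt. Because the pin covers the public key rather than the whole certificate, it stays valid across certificate renewals that keep the same key pair and has to be redistributed only when the key changes.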

Password hash

Generate the password hash (ocserv stores a salted crypt-style hash in /etc/ocserv/ocpasswd; the hash, not the cleartext password, is what goes into the UCI configuration).

# Generate password hash
OC_USER="USERNAME"
OC_PASS="PASSWORD"
ocpasswd ${OC_USER} << EOF
${OC_PASS}
${OC_PASS}
EOF
OC_HPASS="$(sed -n -e "/^${OC_USER}:.*:/s///p" /etc/ocserv/ocpasswd)"
 
# Fetch password hash
echo ${OC_HPASS}

Disable gateway redirection

If you do not need to redirect all traffic through the VPN, disable gateway redirection on the VPN client.

# Configure VPN service
uci set network.vpn.defaultroute="0"
uci commit network
/etc/init.d/network restart

Split gateway

If the VPN gateway is not your LAN gateway, implement plain routing between the LAN network and the VPN network, assuming that:

  • 192.168.1.0/24 - LAN network
  • 192.168.1.2/24 - VPN gateway
  • 192.168.7.0/24 - VPN network

Add port forwarding for the VPN server on the LAN gateway.

uci -q delete firewall.oc
uci set firewall.oc="redirect"
uci set firewall.oc.name="Redirect-OpenConnect"
uci set firewall.oc.src="wan"
uci set firewall.oc.src_dport="4443"
uci set firewall.oc.dest="lan"
uci set firewall.oc.dest_ip="192.168.1.2"
uci set firewall.oc.family="ipv4"
uci set firewall.oc.proto="tcp udp"
uci set firewall.oc.target="DNAT"
uci commit firewall
/etc/init.d/firewall restart

Add a route to the VPN network via the VPN gateway on the LAN gateway.

uci -q delete network.vpn
uci set network.vpn="route"
uci set network.vpn.interface="lan"
uci set network.vpn.target="192.168.7.0/24"
uci set network.vpn.gateway="192.168.1.2"
uci commit network
/etc/init.d/network restart

IPv6 gateway

Provide IPv6 tunnel connectivity. Set up transitional connectivity or NAT6 with IPv6 masquerading if required.

Enable the IPv6 VPN network on the VPN server, provide an IPv6 DNS server and redirect the IPv6 gateway, so that VPN clients receive a default IPv6 route.

OC_POOL6="fdf1:e8a1:8d3f:7::/64"
OC_DNS6="${OC_POOL6%/*}1"
uci set ocserv.config.ip6addr="${OC_POOL6}"
uci -q delete ocserv.dns6
uci set ocserv.dns6="dns"
uci set ocserv.dns6.ip="${OC_DNS6}"
uci commit ocserv
/etc/init.d/ocserv restart
uci set network.wan6.sourcefilter="0"
uci commit network
/etc/init.d/network restart

DNS over VPN

Use DNS over VPN to prevent DNS leaks.

Disable peer DNS and configure a VPN-routed DNS provider on the OpenWrt client.

Modify the VPN connection using NetworkManager on a Linux desktop client.

nmcli connection modify id VPN_CON ipv4.dns-search ~. ipv6.dns-search ~. ipv4.dns-priority -50 ipv6.dns-priority -50

Kill switch

Prevent traffic leaks on the OpenWrt client by isolating the VPN interface in a separate firewall zone: LAN-to-WAN forwarding is disabled, so LAN traffic can only leave through the VPN zone.

uci rename firewall.@forwarding[0]="lan_wan"
uci set firewall.lan_wan.enabled="0"
uci -q delete firewall.vpn
uci set firewall.vpn="zone"
uci set firewall.vpn.name="vpn"
uci set firewall.vpn.input="REJECT"
uci set firewall.vpn.output="ACCEPT"
uci set firewall.vpn.forward="REJECT"
uci set firewall.vpn.masq="1"
uci set firewall.vpn.mtu_fix="1"
uci add_list firewall.vpn.network="vpn"
uci del_list firewall.wan.network="vpn"
uci -q delete firewall.lan_vpn
uci set firewall.lan_vpn="forwarding"
uci set firewall.lan_vpn.src="lan"
uci set firewall.lan_vpn.dest="vpn"
uci commit firewall
/etc/init.d/firewall restart

Multi-client

Set up a multi-client VPN server. Use unique credentials for each client.

# Configure VPN service
uci -q delete ocserv.client1
uci set ocserv.client1="ocservusers"
uci set ocserv.client1.name="USERNAME1"
uci set ocserv.client1.password="PASSWORD_HASH1"
uci commit ocserv
/etc/init.d/ocserv restart

Automated

Automated VPN server installation.

opkg update
opkg install curl
URL="https://openwrt.org/_export/code/docs/guide-user/services/vpn/openconnect"
cat << EOF > oc.sh
$(curl "${URL}/server?codeblock=0")
$(curl "${URL}/extras?codeblock=4")
$(curl "${URL}/server?codeblock=1")
$(curl "${URL}/server?codeblock=2")
EOF
sh oc.sh
docs/guide-user/services/vpn/openconnect/extras.txt · Last modified: 2020/11/29 00:10 by vgaetera