# OpenConnect extras

This article relies on the following:

- Accessing OpenWrt CLI
- Managing configurations
- Managing packages
- Managing services

## Introduction

This how-to describes the most common OpenConnect tuning scenarios adapted for OpenWrt.
Follow OpenConnect server for server setup and OpenConnect client for client setup.
Follow OpenConnect protocol for protocol-specific interface options.
Follow Random generator to overcome low entropy issues.

## Extras

### References

- OpenConnect official site
- ocserv OpenConnect server documentation
- OpenConnect configuration examples

### Web interface

Install the necessary packages if you want to manage VPN settings using the web interface.

```sh
# Install packages
opkg update
opkg install luci-app-ocserv
/etc/init.d/rpcd restart
```

Navigate to LuCI → VPN → OpenConnect VPN to configure the OpenConnect server.

```sh
# Install packages
opkg update
opkg install luci-proto-openconnect
/etc/init.d/rpcd restart
```

Navigate to LuCI → Network → Interfaces to configure the OpenConnect client.

### Dynamic connection

Preserve the default route to restore WAN connectivity when the VPN is disconnected.

```sh
# Preserve default route
uci set network.wan.metric="100"
uci set network.wan6.metric="100"
uci commit network
/etc/init.d/network restart
```

### Certificate hash

Generate the certificate hash (the SHA-256 pin of the server's public key).

```sh
# Install packages
opkg update
opkg install openssl-util

# Generate certificate hash
OC_CERT="/etc/ocserv/server-cert.pem"
OC_HCERT="$(echo pin-sha256:\
$(openssl x509 -in ${OC_CERT} -pubkey -noout \
| openssl pkey -pubin -outform der \
| openssl dgst -sha256 -binary \
| openssl enc -base64))"

# Fetch certificate hash
echo ${OC_HCERT}
```

### Password hash

Generate the password hash.

```sh
# Generate password hash
OC_USER="USERNAME"
OC_PASS="PASSWORD"
ocpasswd ${OC_USER} << EOF
${OC_PASS}
${OC_PASS}
EOF
OC_HPASS="$(sed -n -e "/^${OC_USER}:.*:/s///p" /etc/ocserv/ocpasswd)"

# Fetch password hash
echo ${OC_HPASS}
```

### Disable gateway redirection

If you do not need to redirect all traffic to the VPN, disable gateway redirection on the VPN client.

```sh
# Configure VPN service
uci set network.vpn.defaultroute="0"
uci commit network
/etc/init.d/network restart
```

### Split gateway

If the VPN gateway is not your LAN gateway, implement plain routing between the LAN network and the VPN network assuming that:

- 192.168.1.0/24 - LAN network
- 192.168.1.2/24 - VPN gateway
- 192.168.7.0/24 - VPN network

Add port forwarding for the VPN server on the LAN gateway.

```sh
uci -q delete firewall.oc
uci set firewall.oc="redirect"
uci set firewall.oc.name="Redirect-OpenConnect"
uci set firewall.oc.src="wan"
uci set firewall.oc.src_dport="4443"
uci set firewall.oc.dest="lan"
uci set firewall.oc.dest_ip="192.168.1.2"
uci set firewall.oc.family="ipv4"
uci set firewall.oc.proto="tcp udp"
uci set firewall.oc.target="DNAT"
uci commit firewall
/etc/init.d/firewall restart
```

Add a route to the VPN network via the VPN gateway on the LAN gateway.

```sh
uci -q delete network.vpn
uci set network.vpn="route"
uci set network.vpn.interface="lan"
uci set network.vpn.target="192.168.7.0/24"
uci set network.vpn.gateway="192.168.1.2"
uci commit network
/etc/init.d/network restart
```

### IPv6 gateway

Enable the IPv6 tunnel on the VPN server, offer DNSv6 and redirect the IPv6 gateway.
Provide a default IPv6 route for VPN clients.
Set up transitional connectivity or NAT6 with IPv6 masquerading if required.

```sh
OC_POOL6="fdf1:e8a1:8d3f:7::/64"
OC_DNS6="${OC_POOL6%/*}1"
uci set ocserv.config.ip6addr="${OC_POOL6}"
uci -q delete ocserv.dns6
uci set ocserv.dns6="dns"
uci set ocserv.dns6.ip="${OC_DNS6}"
uci commit ocserv
/etc/init.d/ocserv restart
uci set network.wan6.sourcefilter="0"
uci commit network
/etc/init.d/network restart
```

Disable ISP prefix delegation to avoid an IPv6 leak on the client.

```sh
uci set network.lan.ip6class="local"
uci commit network
/etc/init.d/network restart
```

### DNS over VPN

Provide DNS for VPN clients in P2P topology on the OpenWrt server.
Utilize DNS over VPN to prevent a DNS leak on the VPN client.
Disable peer DNS and configure a VPN-routed DNS provider on the OpenWrt client.
Modify the VPN connection using NetworkManager on a Linux desktop client.

```sh
nmcli connection modify id VPN_CON ipv4.dns-search ~. ipv6.dns-search ~. ipv4.dns-priority -50 ipv6.dns-priority -50
```

### Kill switch

Prevent a traffic leak on the OpenWrt client by isolating the VPN interface in a separate firewall zone.

```sh
uci rename firewall.@forwarding[0]="lan_wan"
uci set firewall.lan_wan.enabled="0"
uci -q delete firewall.vpn
uci set firewall.vpn="zone"
uci set firewall.vpn.name="vpn"
uci set firewall.vpn.input="REJECT"
uci set firewall.vpn.output="ACCEPT"
uci set firewall.vpn.forward="REJECT"
uci set firewall.vpn.masq="1"
uci set firewall.vpn.mtu_fix="1"
uci add_list firewall.vpn.network="vpn"
uci del_list firewall.wan.network="vpn"
uci -q delete firewall.lan_vpn
uci set firewall.lan_vpn="forwarding"
uci set firewall.lan_vpn.src="lan"
uci set firewall.lan_vpn.dest="vpn"
uci commit firewall
/etc/init.d/firewall restart
```

### Multi-client

Set up a multi-client VPN server. Use unique credentials for each client.

```sh
# Configure VPN service
uci -q delete ocserv.client1
uci set ocserv.client1="ocservusers"
uci set ocserv.client1.name="USERNAME1"
uci set ocserv.client1.password="PASSWORD_HASH1"
uci commit ocserv
/etc/init.d/ocserv restart
```

### Automated

Automated VPN server installation.

```sh
opkg update
opkg install libustream-mbedtls
URL="https://openwrt.org/_export/code/docs/guide-user/services/vpn/openconnect"
cat << EOF > openconnect-server.sh
$(uclient-fetch -O - "${URL}/server?codeblock=0")
$(uclient-fetch -O - "${URL}/extras?codeblock=4")
$(uclient-fetch -O - "${URL}/server?codeblock=1")
$(uclient-fetch -O - "${URL}/server?codeblock=2")
EOF
sh openconnect-server.sh
```
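To verify that the Kill switch section above actually closed the leak paths, here is an added Python example (not from the OpenWrt wiki) that parses a hand-constructed `uci export firewall` dump and flags the two conditions those commands are meant to remove: the VPN interface still being a member of the wan zone, and an enabled forwarding from lan to any zone other than vpn. The sample dump `SAMPLE_EXPORT` and the function names are assumptions; on a router you would feed it the real `uci export firewall` output.

```python
import re
# Constructed sample of `uci export firewall` after the kill-switch steps (not from a real router).
SAMPLE_EXPORT = """\
config zone 'wan'
    option name 'wan'
    list network 'wan'

config forwarding 'lan_wan'
    option src 'lan'
    option dest 'wan'
    option enabled '0'

config zone 'vpn'
    option name 'vpn'
    option forward 'REJECT'
    list network 'vpn'

config forwarding 'lan_vpn'
    option src 'lan'
    option dest 'vpn'
"""
LINE_RE = re.compile(r"^\s*(config|option|list)\s+(\S+)(?:\s+'([^']*)')?\s*$")

def parse_uci_export(text):
    # Sections as {'type', 'name', 'opts'}; repeated 'list' keys accumulate into Python lists.
    sections = []
    for m in filter(None, map(LINE_RE.match, text.splitlines())):
        kind, key, value = m.groups()
        if kind == "config":
            sections.append({"type": key, "name": value, "opts": {}})
        elif kind == "option":
            sections[-1]["opts"][key] = value
        else:
            sections[-1]["opts"].setdefault(key, []).append(value)
    return sections

def audit_kill_switch(text, vpn="vpn"):
    # Returns leak findings; an empty list means the kill switch holds.
    sections = parse_uci_export(text)
    zones = {s["opts"].get("name"): s["opts"] for s in sections if s["type"] == "zone"}
    if vpn not in zones:
        return ["no firewall zone named %r" % vpn]
    findings = []
    for zname, z in zones.items():  # the VPN interface belongs to its own zone only, never to wan
        if (vpn in z.get("network", [])) != (zname == vpn):
            findings.append("interface %r membership wrong in zone %r" % (vpn, zname))
    for s in sections:  # every enabled lan forwarding must target vpn ('enabled' defaults to 1)
        o = s["opts"]
        if (s["type"] == "forwarding" and o.get("src") == "lan"
                and o.get("dest") != vpn and o.get("enabled", "1") != "0"):
            findings.append("lan can forward to zone %r via %s" % (o.get("dest"), s["name"]))
    return findings
```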
Last modified: 2021/04/04 14:18 by vgaetera