OpenConnect extras

This article relies on the following:

Introduction

Extras

References

Server certificate

Fetch server certificate from remote VPN server. Beware of possible MITM. 

openssl s_client -showcerts -connect ${VPN_SERV}:${VPN_PORT} \
< /dev/null > server-cert.pem

Keep existing gateway

Preserve default route to restore WAN connectivity when VPN is disconnected. 

# Preserve default route
uci set network.wan.metric="1024"
uci commit network
service network restart

Gateway redirection

Disable gateway redirection in the client if you don't need to route all traffic through VPN. 

uci set network.vpn.defaultroute="0"
uci commit network
service network restart

Split gateway

If VPN gateway is separate from your LAN gateway. Implement plain routing between LAN and VPN networks assuming that:

  • 192.168.1.0/24 - LAN network
  • 192.168.1.2/24 - VPN gateway
  • 192.168.9.0/24 - VPN network

Add port forwarding for VPN server on LAN gateway. 

uci -q delete firewall.oc
uci set firewall.oc="redirect"
uci set firewall.oc.name="Redirect-OpenConnect"
uci set firewall.oc.src="wan"
uci set firewall.oc.src_dport="4443"
uci set firewall.oc.dest="lan"
uci set firewall.oc.dest_ip="192.168.1.2"
uci set firewall.oc.family="ipv4"
uci set firewall.oc.proto="tcp udp"
uci set firewall.oc.target="DNAT"
uci commit firewall
service firewall restart

Add route to VPN network via VPN gateway on LAN gateway. 

uci -q delete network.vpn
uci set network.vpn="route"
uci set network.vpn.interface="lan"
uci set network.vpn.target="192.168.9.0/24"
uci set network.vpn.gateway="192.168.1.2"
uci commit network
service network restart

IPv6 gateway

Set up IPv6 tunnel broker or use IPv6 NAT or NPT if necessary. Enable IPv6 tunnel on VPN server, offer IPv6 DNS, redirect IPv6 gateway. 

VPN_POOL6="fd00:9::/64"
VPN_DNS6="${VPN_POOL6%:*}:1"
uci set ocserv.config.ip6addr="${VPN_POOL6}"
uci -q delete ocserv.dns6
uci set ocserv.dns6="dns"
uci set ocserv.dns6.ip="${VPN_DNS6}"
uci commit ocserv
service ocserv restart

Disable ISP prefix delegation to prevent IPv6 leaks on VPN client.

DNS over VPN

Serve DNS for VPN clients on OpenWrt server when using point-to-point topology.

Route DNS over VPN to prevent DNS leaks on VPN client.

Replace peer DNS with public or VPN-specific DNS provider on OpenWrt client.

Modify the VPN connection using NetworkManager on Linux desktop client. 

nmcli connection modify id VPN_CON \
ipv4.dns-search ~. ipv4.dns-priority -50 \
ipv6.dns-search ~. ipv6.dns-priority -50

Kill switch

Prevent traffic leaks on OpenWrt client isolating VPN interface in a separate firewall zone. 

uci -q delete firewall.vpn
uci set firewall.vpn="zone"
uci set firewall.vpn.name="vpn"
uci set firewall.vpn.input="REJECT"
uci set firewall.vpn.output="ACCEPT"
uci set firewall.vpn.forward="REJECT"
uci set firewall.vpn.masq="1"
uci set firewall.vpn.mtu_fix="1"
uci add_list firewall.vpn.network="vpn"
uci del_list firewall.wan.network="vpn"
uci -q delete firewall.@forwarding[0]
uci set firewall.lan_vpn="forwarding"
uci set firewall.lan_vpn.src="lan"
uci set firewall.lan_vpn.dest="vpn"
uci commit firewall
service firewall restart

Multi-client

Generate password hash for a new VPN client. Set up multi-client VPN server. Use unique credentials for each client. 

# Configure VPN service
VPN_USER="USERNAME1"
VPN_PASS="PASSWORD1"
uci -q delete ocserv.client1
uci set ocserv.client1="ocservusers"
uci set ocserv.client1.name="${VPN_USER}"
uci set ocserv.client1.password="${VPN_HASH}"
uci commit ocserv
service ocserv restart

Automated

Automated VPN server installation. 

URL="https://openwrt.org/_export/code/docs/guide-user/services/vpn/openconnect/server"
cat << EOF > openconnect-server.sh
$(wget -U "" -O - "${URL}?codeblock=0")
$(wget -U "" -O - "${URL}?codeblock=1")
$(wget -U "" -O - "${URL}?codeblock=2")
$(wget -U "" -O - "${URL}?codeblock=3")
EOF
sh openconnect-server.sh
This website uses cookies. By using the website, you agree with storing cookies on your computer. Also you acknowledge that you have read and understand our Privacy Policy. If you do not agree leave the website.More information about cookies
  • Last modified: 2024/10/17 17:30
  • by andrewz