Differences

This shows you the differences between two versions of the page.

docs:guide-user:services:vpn:openconnect:extras [2020/11/28 06:07] – [Automated] vgaetera
docs:guide-user:services:vpn:openconnect:extras [2024/10/16 20:13] – title corrected andrewz
Line 1: Line 1:
 ====== OpenConnect extras ====== ====== OpenConnect extras ======
-{{section>meta:infobox:howto_links#cli_skills&noheader&nofooter&noeditbutton}}+{{section>meta:infobox:howto_links#basic_skills&noheader&nofooter&noeditbutton}}
  
 ===== Introduction ===== ===== Introduction =====
   * This how-to describes the most common [[wp>OpenConnect|OpenConnect]] tuning scenarios adapted for OpenWrt.   * This how-to describes the most common [[wp>OpenConnect|OpenConnect]] tuning scenarios adapted for OpenWrt.
   * Follow [[docs:guide-user:services:vpn:openconnect:server|OpenConnect server]] for server setup and [[docs:guide-user:services:vpn:openconnect:client|OpenConnect client]] for client setup.   * Follow [[docs:guide-user:services:vpn:openconnect:server|OpenConnect server]] for server setup and [[docs:guide-user:services:vpn:openconnect:client|OpenConnect client]] for client setup.
-  * Follow [[docs:guide-user:network:tunneling_interface_protocols#protocol_openconnect_openconnect_vpn|OpenConnect protocol]] for protocol-specific interface options.+  * Follow [[docs:guide-user:network:tunneling_interface_protocols#protocol_openconnect_openconnect_vpn|OpenConnect protocol]] for client configuration. 
 +  * Follow [[docs:guide-user:services:ddns:client|DDNS client]] to use own server with dynamic IP address.
   * Follow [[docs:guide-user:services:rng|Random generator]] to overcome low entropy issues.   * Follow [[docs:guide-user:services:rng|Random generator]] to overcome low entropy issues.
  
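Review bot: the new link text for the OpenConnect protocol item, "for client configuration", now promises the same thing as the OpenConnect client link two items above, so a reader can no longer tell which page holds the UCI interface option reference; keeping a distinguishing phrase such as "for protocol-specific interface options" preserves that. The added DDNS client item also reads better as "to use your own server with a dynamic IP address".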
Line 11: Line 12:
 ==== References ==== ==== References ====
   * [[https://www.infradead.org/openconnect/|OpenConnect official site]]   * [[https://www.infradead.org/openconnect/|OpenConnect official site]]
-  * [[https://ocserv.gitlab.io/www/manual.html|ocserv OpenConnect server documentation]]+  * [[https://ocserv.gitlab.io/www/manual.html|ocserv server documentation]]
   * [[https://github.com/openwrt/packages/tree/master/net/ocserv|OpenConnect configuration examples]]   * [[https://github.com/openwrt/packages/tree/master/net/ocserv|OpenConnect configuration examples]]
  
 ==== Web interface ==== ==== Web interface ====
-Install the necessary packages if you want to manage VPN settings using web interface.+If you want to manage VPN server settings using web interface:
  
 <code bash> <code bash>
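Review bot: the new lead-in "If you want to manage VPN server settings using web interface:" is missing an article ("using the web interface"), and because it now ends in a colon and runs straight into the code block it no longer says what the block does, which the old wording ("Install the necessary packages") did; "install the following packages:" would keep both.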
Line 21: Line 22:
 opkg update opkg update
 opkg install luci-app-ocserv opkg install luci-app-ocserv
-/etc/init.d/rpcd restart+service rpcd restart
 </code> </code>
  
-Navigate to **[[http://openwrt.lan/|LuCI]] -> VPN -> OpenConnect VPN** to configure OpenConnect server.+Navigate to **LuCI -> VPN -> OpenConnect VPN** to configure OpenConnect server. 
 + 
 +If you want to configure VPN client using web interface:
  
 <code bash> <code bash>
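Review bot: the lead-in "If you want to configure VPN client using web interface:" is missing articles ("the VPN client", "the web interface"). Dropping the http://openwrt.lan/ link from the two "Navigate to LuCI" lines removes the only pointer to where LuCI is reached; if it was removed because the hostname varies per install, keeping it as plain text ("LuCI, by default at http://openwrt.lan/") still helps first-time readers. Replacing /etc/init.d/rpcd restart with service rpcd restart is consistent with the other blocks on the page.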
Line 30: Line 33:
 opkg update opkg update
 opkg install luci-proto-openconnect opkg install luci-proto-openconnect
-/etc/init.d/rpcd restart+service rpcd restart
 </code> </code>
  
-Navigate to **[[http://openwrt.lan/|LuCI]] -> Network -> Interfaces** to configure OpenConnect client.+Navigate to **LuCI -> Network -> Interfaces** to configure OpenConnect client.
  
-==== Dynamic connection ====+==== Server certificate ==== 
 +Fetch server certificate from remote VPN server. Beware of possible MITM. 
 + 
 +<code bash> 
 +openssl s_client -showcerts -connect ${VPN_SERV}:${VPN_PORT} \ 
 +< /dev/null > server-cert.pem 
 +</code> 
 + 
 + 
 +==== Keep existing gateway ====
 {{section>docs:guide-user:services:vpn:wireguard:extras#dynamic_connection&noheader&nofooter&noeditbutton}} {{section>docs:guide-user:services:vpn:wireguard:extras#dynamic_connection&noheader&nofooter&noeditbutton}}
  
-==== Disable gateway redirection ==== +==== Gateway redirection ==== 
-{{section>docs:guide-user:services:vpn:pptp:extras#disable_gateway_redirection&noheader&nofooter&noeditbutton}}+Disable gateway redirection in the client if you don't need to route all traffic through VPN. 
 + 
 +<code bash> 
 +uci set network.vpn.defaultroute="0" 
 +uci commit network 
 +service network restart 
 +</code> 
 + 
 +==== Split gateway ==== 
 +If VPN gateway is separate from your LAN gateway. 
 +Implement plain routing between LAN and VPN networks assuming that: 
 +  * ''192.168.1.0/24'' - LAN network 
 +  * ''192.168.1.2/24'' - VPN gateway 
 +  * ''192.168.9.0/24'' - VPN network 
 + 
 +Add port forwarding for VPN server on LAN gateway. 
 + 
 +<code bash> 
 +uci -q delete firewall.oc 
 +uci set firewall.oc="redirect" 
 +uci set firewall.oc.name="Redirect-OpenConnect" 
 +uci set firewall.oc.src="wan" 
 +uci set firewall.oc.src_dport="4443" 
 +uci set firewall.oc.dest="lan" 
 +uci set firewall.oc.dest_ip="192.168.1.2" 
 +uci set firewall.oc.family="ipv4" 
 +uci set firewall.oc.proto="tcp udp" 
 +uci set firewall.oc.target="DNAT" 
 +uci commit firewall 
 +service firewall restart 
 +</code> 
 + 
 +Add route to VPN network via VPN gateway on LAN gateway. 
 + 
 +<code bash> 
 +uci -q delete network.vpn 
 +uci set network.vpn="route" 
 +uci set network.vpn.interface="lan" 
 +uci set network.vpn.target="192.168.9.0/24" 
 +uci set network.vpn.gateway="192.168.1.2" 
 +uci commit network 
 +service network restart 
 +</code> 
 + 
 +==== IPv6 gateway ==== 
 +Set up [[docs:guide-user:network:ipv6:ipv6_henet|IPv6 tunnel broker]] or use [[docs:guide-user:firewall:fw3_configurations:fw3_nat#ipv6_nat|IPv6 NAT or NPT]] if necessary. 
 +Enable IPv6 tunnel on VPN server, offer IPv6 DNS, redirect IPv6 gateway. 
 + 
 +<code bash> 
 +VPN_POOL6="fd00:9::/64" 
 +VPN_DNS6="${VPN_POOL6%:*}:1" 
 +uci set ocserv.config.ip6addr="${VPN_POOL6}
 +uci -q delete ocserv.dns6 
 +uci set ocserv.dns6="dns" 
 +uci set ocserv.dns6.ip="${VPN_DNS6}" 
 +uci commit ocserv 
 +service ocserv restart 
 +</code> 
 + 
 +Disable [[docs:guide-user:network:ipv6:ipv6_extras#disabling_gua_prefix|ISP prefix delegation]] to prevent IPv6 leaks on VPN client.
  
 ==== DNS over VPN ==== ==== DNS over VPN ====
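Review bot: in the IPv6 gateway block the line `uci set ocserv.config.ip6addr="${VPN_POOL6}` has no closing quote, so when the block is pasted into a shell the string runs on until the next double quote on the ocserv.dns6="dns" line, swallowing the `uci -q delete ocserv.dns6` command and leaving ip6addr set to garbage; add the closing quote. Three further points in this hunk: (1) the server-certificate step redirects the whole openssl s_client transcript into server-cert.pem rather than only the certificate, and VPN_SERV and VPN_PORT are not defined anywhere in this section; piping the output through `openssl x509` and telling the reader to compare the resulting certificate fingerprint with the server operator out of band would turn "Beware of possible MITM" into an actual check. (2) In the split-gateway block the route section is created as `uci set network.vpn="route"` after `uci -q delete network.vpn`, which is the same section name the gateway-redirection block uses for the client interface (network.vpn.defaultroute); a distinct name such as network.vpn_route avoids deleting an interface if both blocks are ever applied on one device. (3) The section renamed to "Keep existing gateway" still transcludes the WireGuard #dynamic_connection anchor; confirm that is the intended content under the new title.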
Line 46: Line 117:
 ==== Kill switch ==== ==== Kill switch ====
 {{section>docs:guide-user:services:vpn:wireguard:extras#kill_switch&noheader&nofooter&noeditbutton}} {{section>docs:guide-user:services:vpn:wireguard:extras#kill_switch&noheader&nofooter&noeditbutton}}
 +
 +==== Multi-client ====
 +Generate [[docs:guide-user:services:vpn:openconnect:server#key_management|password hash]] for a new VPN client.
 +Set up multi-client VPN server.
 +Use unique credentials for each client.
 +
 +<code bash>
 +# Configure VPN service
 +VPN_USER="USERNAME1"
 +VPN_PASS="PASSWORD1"
 +uci -q delete ocserv.client1
 +uci set ocserv.client1="ocservusers"
 +uci set ocserv.client1.name="${VPN_USER}"
 +uci set ocserv.client1.password="${VPN_HASH}"
 +uci commit ocserv
 +service ocserv restart
 +</code>
  
 ==== Automated ==== ==== Automated ====
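Review bot: VPN_HASH is used in `uci set ocserv.client1.password="${VPN_HASH}"` but never assigned in this block, while VPN_PASS is assigned and never used, so the block as written creates a user without a usable password hash; either derive VPN_HASH from VPN_PASS here using the linked password hash step, or state that VPN_HASH must be set from that step before running, and drop the unused VPN_PASS. Also, the text says "for a new VPN client" but the block deletes and recreates the fixed section ocserv.client1, so it overwrites rather than adds a client; a per-client section name (client2, client3, and so on) is what "Use unique credentials for each client" implies.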
Line 51: Line 139:
  
 <code bash> <code bash>
-opkg update +URL="https://openwrt.org/_export/code/docs/guide-user/services/vpn/openconnect/server
-opkg install curl +cat << EOF > openconnect-server.sh 
-URL="https://openwrt.org/_export/code/docs/guide-user/services/vpn/openconnect" +$(wget -U "" -O - "${URL}?codeblock=0"
-cat << EOF > oc.sh +$(wget -U "" -O - "${URL}?codeblock=1"
-$(curl "${URL}/server?codeblock=0"+$(wget -U "" -O - "${URL}?codeblock=2") 
-$(curl "${URL}/server?codeblock=1"+$(wget -U "" -O - "${URL}?codeblock=3")
-$(curl "${URL}/server?codeblock=2")+
 EOF EOF
-sh oc.sh+sh openconnect-server.sh
 </code> </code>
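Review bot: as rendered, the new `URL="https://openwrt.org/_export/code/docs/guide-user/services/vpn/openconnect/server` line and the first two `$(wget -U "" -O - "${URL}?codeblock=N"` substitutions lack the closing quote and parenthesis that the codeblock=2 and codeblock=3 lines have; if that is the saved page text rather than a diff-rendering artifact, the here-document fails to parse and no script is generated, so check that the page source closes every line. The block also downloads four wiki code blocks and runs them with sh with no review step; a short sentence telling the reader to inspect openconnect-server.sh before executing it would match the caution the page already shows elsewhere. Switching from curl to the wget already present in BusyBox removes the opkg install dependency, which is a good simplification.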
  
  • Last modified: 2024/10/17 17:30
  • by andrewz