Differences

This shows you the differences between two versions of the page.

docs:guide-user:services:vpn:openconnect:extras [2020/11/28 06:07] – [Automated] vgaetera
docs:guide-user:services:vpn:openconnect:extras [2024/10/17 17:30] (current) – web based config moved to client and server pages andrewz
Line 1: Line 1:
 ====== OpenConnect extras ====== ====== OpenConnect extras ======
-{{section>meta:infobox:howto_links#cli_skills&noheader&nofooter&noeditbutton}}+{{section>meta:infobox:howto_links#basic_skills&noheader&nofooter&noeditbutton}}
  
 ===== Introduction ===== ===== Introduction =====
   * This how-to describes the most common [[wp>OpenConnect|OpenConnect]] tuning scenarios adapted for OpenWrt.   * This how-to describes the most common [[wp>OpenConnect|OpenConnect]] tuning scenarios adapted for OpenWrt.
   * Follow [[docs:guide-user:services:vpn:openconnect:server|OpenConnect server]] for server setup and [[docs:guide-user:services:vpn:openconnect:client|OpenConnect client]] for client setup.   * Follow [[docs:guide-user:services:vpn:openconnect:server|OpenConnect server]] for server setup and [[docs:guide-user:services:vpn:openconnect:client|OpenConnect client]] for client setup.
-  * Follow [[docs:guide-user:network:tunneling_interface_protocols#protocol_openconnect_openconnect_vpn|OpenConnect protocol]] for protocol-specific interface options.+  * Follow [[docs:guide-user:network:tunneling_interface_protocols#protocol_openconnect_openconnect_vpn|OpenConnect protocol]] for client configuration. 
 +  * Follow [[docs:guide-user:services:ddns:client|DDNS client]] to use own server with dynamic IP address.
   * Follow [[docs:guide-user:services:rng|Random generator]] to overcome low entropy issues.   * Follow [[docs:guide-user:services:rng|Random generator]] to overcome low entropy issues.
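Review bot: the rewording of the third bullet to "for client configuration" makes it read as a duplicate of the second bullet ("OpenConnect client ... for client setup") and drops the only hint that the linked page is where the interface options used further down this page (such as `defaultroute`) are documented; suggest "for client interface options" or keeping "protocol-specific interface options". The new DDNS bullet should read "to use your own server with a dynamic IP address".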
  
Line 11: Line 12:
 ==== References ==== ==== References ====
   * [[https://www.infradead.org/openconnect/|OpenConnect official site]]   * [[https://www.infradead.org/openconnect/|OpenConnect official site]]
-  * [[https://ocserv.gitlab.io/www/manual.html|ocserv OpenConnect server documentation]]+  * [[https://ocserv.gitlab.io/www/manual.html|ocserv server documentation]]
   * [[https://github.com/openwrt/packages/tree/master/net/ocserv|OpenConnect configuration examples]]   * [[https://github.com/openwrt/packages/tree/master/net/ocserv|OpenConnect configuration examples]]
  
-==== Web interface ==== + 
-Install the necessary packages if you want to manage VPN settings using web interface.+==== Server certificate ==== 
 +Fetch server certificate from remote VPN server. Beware of possible MITM.
  
 <code bash> <code bash>
-# Install packages +openssl s_client -showcerts -connect ${VPN_SERV}:${VPN_PORT} \ 
-opkg update +/dev/null > server-cert.pem
-opkg install luci-app-ocserv +
-/etc/init.d/rpcd restart+
 </code> </code>
  
-Navigate to **[[http://openwrt.lan/|LuCI]] -> VPN -> OpenConnect VPN** to configure OpenConnect server.+ 
 +==== Keep existing gateway ==== 
 +{{section>docs:guide-user:services:vpn:wireguard:extras#dynamic_connection&noheader&nofooter&noeditbutton}} 
 + 
 +==== Gateway redirection ==== 
 +Disable gateway redirection in the client if you don't need to route all traffic through VPN.
  
 <code bash> <code bash>
-# Install packages +uci set network.vpn.defaultroute="0" 
-opkg update +uci commit network 
-opkg install luci-proto-openconnect +service network restart
-/etc/init.d/rpcd restart+
 </code> </code>
  
-Navigate to **[[http://openwrt.lan/|LuCI]] -> Network -> Interfaces** to configure OpenConnect client.+==== Split gateway ==== 
 +If VPN gateway is separate from your LAN gateway. 
 +Implement plain routing between LAN and VPN networks assuming that: 
 +  * ''192.168.1.0/24'' - LAN network 
 +  * ''192.168.1.2/24'' VPN gateway 
 +  ''192.168.9.0/24'' - VPN network
  
-==== Dynamic connection ==== +Add port forwarding for VPN server on LAN gateway.
-{{section>docs:guide-user:services:vpn:wireguard:extras#dynamic_connection&noheader&nofooter&noeditbutton}}+
  
-==== Disable gateway redirection ==== +<code bash> 
-{{section>docs:guide-user:services:vpn:pptp:extras#disable_gateway_redirection&noheader&nofooter&noeditbutton}}+uci -q delete firewall.oc 
 +uci set firewall.oc="redirect" 
 +uci set firewall.oc.name="Redirect-OpenConnect" 
 +uci set firewall.oc.src="wan" 
 +uci set firewall.oc.src_dport="4443" 
 +uci set firewall.oc.dest="lan" 
 +uci set firewall.oc.dest_ip="192.168.1.2" 
 +uci set firewall.oc.family="ipv4" 
 +uci set firewall.oc.proto="tcp udp" 
 +uci set firewall.oc.target="DNAT" 
 +uci commit firewall 
 +service firewall restart 
 +</code> 
 + 
 +Add route to VPN network via VPN gateway on LAN gateway. 
 + 
 +<code bash> 
 +uci -q delete network.vpn 
 +uci set network.vpn="route" 
 +uci set network.vpn.interface="lan" 
 +uci set network.vpn.target="192.168.9.0/24" 
 +uci set network.vpn.gateway="192.168.1.2" 
 +uci commit network 
 +service network restart 
 +</code> 
 + 
 +==== IPv6 gateway ==== 
 +Set up [[docs:guide-user:network:ipv6:ipv6_henet|IPv6 tunnel broker]] or use [[docs:guide-user:firewall:fw3_configurations:fw3_nat#ipv6_nat|IPv6 NAT or NPT]] if necessary. 
 +Enable IPv6 tunnel on VPN server, offer IPv6 DNS, redirect IPv6 gateway. 
 + 
 +<code bash> 
 +VPN_POOL6="fd00:9::/64" 
 +VPN_DNS6="${VPN_POOL6%:*}:1" 
 +uci set ocserv.config.ip6addr="${VPN_POOL6}
 +uci -q delete ocserv.dns6 
 +uci set ocserv.dns6="dns" 
 +uci set ocserv.dns6.ip="${VPN_DNS6}" 
 +uci commit ocserv 
 +service ocserv restart 
 +</code> 
 + 
 +Disable [[docs:guide-user:network:ipv6:ipv6_extras#disabling_gua_prefix|ISP prefix delegation]] to prevent IPv6 leaks on VPN client.
  
 ==== DNS over VPN ==== ==== DNS over VPN ====
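Review bot: the server-certificate command is missing its stdin redirection: the second line reads `/dev/null > server-cert.pem` with no `<` before `/dev/null`, so as shown `openssl s_client` would receive `/dev/null` as a stray argument and otherwise sit waiting on stdin; it should be `< /dev/null > server-cert.pem`. In the same block, `${VPN_SERV}` and `${VPN_PORT}` are never defined on this page, so either say they are taken from the client page or assign them first, and note that `-showcerts` writes the handshake transcript plus the whole chain into `server-cert.pem` rather than a bare certificate; piping through `openssl x509` would give a clean PEM file. The "Beware of possible MITM" sentence would be more useful if it said what to do: compare the fetched certificate's fingerprint with one obtained out-of-band (for example on the server itself) before trusting it. In "Split gateway", "If VPN gateway is separate from your LAN gateway." is a sentence fragment, and the list is inconsistent (the `192.168.1.2/24` item lacks its dash, the `192.168.9.0/24` item lacks the `*` bullet). The route block names its section `network.vpn`, the same name the "Gateway redirection" block uses for the client interface; on a router that plays both roles, `uci -q delete network.vpn` would remove the interface, so a distinct name such as `network.vpn_route` is safer. In "IPv6 gateway", `uci set ocserv.config.ip6addr="${VPN_POOL6}` is missing its closing double quote, which would swallow the following lines when pasted into a shell, and the prose promises to "redirect IPv6 gateway" while no command in the block does so.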
Line 46: Line 95:
 ==== Kill switch ==== ==== Kill switch ====
 {{section>docs:guide-user:services:vpn:wireguard:extras#kill_switch&noheader&nofooter&noeditbutton}} {{section>docs:guide-user:services:vpn:wireguard:extras#kill_switch&noheader&nofooter&noeditbutton}}
 +
 +==== Multi-client ====
 +Generate [[docs:guide-user:services:vpn:openconnect:server#key_management|password hash]] for a new VPN client.
 +Set up multi-client VPN server.
 +Use unique credentials for each client.
 +
 +<code bash>
 +# Configure VPN service
 +VPN_USER="USERNAME1"
 +VPN_PASS="PASSWORD1"
 +uci -q delete ocserv.client1
 +uci set ocserv.client1="ocservusers"
 +uci set ocserv.client1.name="${VPN_USER}"
 +uci set ocserv.client1.password="${VPN_HASH}"
 +uci commit ocserv
 +service ocserv restart
 +</code>
  
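Review bot: `VPN_HASH` is expanded in `uci set ocserv.client1.password="${VPN_HASH}"` but is never assigned in the block, while `VPN_PASS` is assigned and never used; run as pasted, the client would be stored with an empty password field. Either add the hash-generation step the prose points to (the server page's key management section) between the variable assignments and the `uci set` lines, or state in a comment that `VPN_HASH` must be derived from `VPN_PASS` first. Since the plaintext password sits in a shell variable it also lands in the shell history; a one-line hint to enter it interactively or clear the history afterwards would fit here.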
 ==== Automated ==== ==== Automated ====
Line 51: Line 117:
  
 <code bash> <code bash>
-opkg update +URL="https://openwrt.org/_export/code/docs/guide-user/services/vpn/openconnect/server
-opkg install curl +cat << EOF > openconnect-server.sh 
-URL="https://openwrt.org/_export/code/docs/guide-user/services/vpn/openconnect" +$(wget -U "" -O - "${URL}?codeblock=0"
-cat << EOF > oc.sh +$(wget -U "" -O - "${URL}?codeblock=1"
-$(curl "${URL}/server?codeblock=0"+$(wget -U "" -O - "${URL}?codeblock=2") 
-$(curl "${URL}/server?codeblock=1"+$(wget -U "" -O - "${URL}?codeblock=3")
-$(curl "${URL}/server?codeblock=2")+
 EOF EOF
-sh oc.sh+sh openconnect-server.sh
 </code> </code>
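Review bot: three lines of the new script lack their closing delimiters: `URL="https://openwrt.org/_export/code/docs/guide-user/services/vpn/openconnect/server` has no closing quote, and `$(wget -U "" -O - "${URL}?codeblock=0"` and the matching `codeblock=1` line have no closing `)`, while the `codeblock=2` and `codeblock=3` lines do. If this is a rendering artifact it still needs fixing in the source, because as shown the heredoc would not parse. Independently of the switch from curl to wget, the script concatenates four fetched code blocks and runs them with `sh` as root with no review step; a sentence telling the reader to inspect `openconnect-server.sh` before running it, and that the block count must match the current server page, would be the cheap mitigation. The previous version had the same property, so this is a documentation point rather than a regression.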
  
  • Last modified: 2024/10/17 17:30
  • by andrewz