Differences
This shows you the differences between two versions of the page.
| docs:guide-user:services:vpn:openconnect:extras [2020/11/28 06:07] – [Automated] vgaetera | docs:guide-user:services:vpn:openconnect:extras [2024/10/17 17:30] (current) – web based config moved to client and server pages andrewz | ||
|---|---|---|---|
| Line 1: | Line 1: | ||
| ====== OpenConnect extras ====== | ====== OpenConnect extras ====== | ||
| - | {{section> | + | {{section> |
| ===== Introduction ===== | ===== Introduction ===== | ||
| * This how-to describes the most common [[wp> | * This how-to describes the most common [[wp> | ||
| * Follow [[docs: | * Follow [[docs: | ||
| - | * Follow [[docs: | + | * Follow [[docs: |
| + | * Follow [[docs: | ||
| * Follow [[docs: | * Follow [[docs: | ||
| Line 11: | Line 12: | ||
| ==== References ==== | ==== References ==== | ||
| * [[https:// | * [[https:// | ||
| - | * [[https:// | + | * [[https:// |
| * [[https:// | * [[https:// | ||
| - | ==== Web interface | + | |
| - | Install the necessary packages if you want to manage | + | ==== Server certificate |
| + | Fetch server certificate from remote | ||
| <code bash> | <code bash> | ||
| - | # Install packages | + | openssl s_client |
| - | opkg update | + | < /dev/null > server-cert.pem |
| - | opkg install luci-app-ocserv | + | |
| - | /etc/init.d/rpcd restart | + | |
| </ | </ | ||
| - | Navigate to **[[http:// | + | |
| + | ==== Keep existing gateway ==== | ||
| + | {{section> | ||
| + | |||
| + | ==== Gateway redirection ==== | ||
| + | Disable gateway redirection in the client if you don't need to route all traffic through VPN. | ||
| <code bash> | <code bash> | ||
| - | # Install packages | + | uci set network.vpn.defaultroute=" |
| - | opkg update | + | uci commit network |
| - | opkg install luci-proto-openconnect | + | service network |
| - | / | + | |
| </ | </ | ||
| - | Navigate to **[[http://openwrt.lan/|LuCI]] | + | ==== Split gateway ==== |
| + | If VPN gateway is separate from your LAN gateway. | ||
| + | Implement plain routing between LAN and VPN networks assuming that: | ||
| + | * '' | ||
| + | * '' | ||
| + | | ||
| - | ==== Dynamic connection ==== | + | Add port forwarding for VPN server on LAN gateway. |
| - | {{section> | + | |
| - | ==== Disable | + | <code bash> |
| - | {{section> | + | uci -q delete firewall.oc |
| + | uci set firewall.oc=" | ||
| + | uci set firewall.oc.name=" | ||
| + | uci set firewall.oc.src=" | ||
| + | uci set firewall.oc.src_dport=" | ||
| + | uci set firewall.oc.dest=" | ||
| + | uci set firewall.oc.dest_ip=" | ||
| + | uci set firewall.oc.family=" | ||
| + | uci set firewall.oc.proto=" | ||
| + | uci set firewall.oc.target=" | ||
| + | uci commit firewall | ||
| + | service firewall restart | ||
| + | </ | ||
| + | |||
| + | Add route to VPN network via VPN gateway | ||
| + | |||
| + | <code bash> | ||
| + | uci -q delete network.vpn | ||
| + | uci set network.vpn=" | ||
| + | uci set network.vpn.interface=" | ||
| + | uci set network.vpn.target=" | ||
| + | uci set network.vpn.gateway=" | ||
| + | uci commit network | ||
| + | service network restart | ||
| + | </code> | ||
| + | |||
| + | ==== IPv6 gateway ==== | ||
| + | Set up [[docs: | ||
| + | Enable IPv6 tunnel on VPN server, offer IPv6 DNS, redirect IPv6 gateway. | ||
| + | |||
| + | <code bash> | ||
| + | VPN_POOL6=" | ||
| + | VPN_DNS6=" | ||
| + | uci set ocserv.config.ip6addr=" | ||
| + | uci -q delete ocserv.dns6 | ||
| + | uci set ocserv.dns6=" | ||
| + | uci set ocserv.dns6.ip=" | ||
| + | uci commit ocserv | ||
| + | service ocserv restart | ||
| + | </ | ||
| + | |||
| + | Disable [[docs: | ||
| ==== DNS over VPN ==== | ==== DNS over VPN ==== | ||
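Review bot: the Server certificate step redirects the whole `openssl s_client` output into `server-cert.pem` and treats the result as the certificate to trust, which is trust-on-first-use: whatever the remote presents at that moment, legitimate or interposed, becomes the pinned certificate, and the file also carries the handshake chatter that s_client prints around the PEM block. Pipe the output through `openssl x509` so only the certificate is kept, and tell the reader to compare its fingerprint against one obtained out of band from the server operator before relying on it. Separately, `network.vpn` is used as the name of the route section in the Split gateway block (`uci -q delete network.vpn` followed by `uci set network.vpn="`) while the Gateway redirection block treats `network.vpn` as the OpenConnect interface (`uci set network.vpn.defaultroute="`); if both blocks are ever applied on the same device the delete wipes the interface, so give the route its own section name (for example `network.vpn_route`) or state explicitly that the two blocks target different routers.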
| Line 46: | Line 95: | ||
| ==== Kill switch ==== | ==== Kill switch ==== | ||
| {{section> | {{section> | ||
| + | |||
| + | ==== Multi-client ==== | ||
| + | Generate [[docs: | ||
| + | Set up multi-client VPN server. | ||
| + | Use unique credentials for each client. | ||
| + | |||
| + | <code bash> | ||
| + | # Configure VPN service | ||
| + | VPN_USER=" | ||
| + | VPN_PASS=" | ||
| + | uci -q delete ocserv.client1 | ||
| + | uci set ocserv.client1=" | ||
| + | uci set ocserv.client1.name=" | ||
| + | uci set ocserv.client1.password=" | ||
| + | uci commit ocserv | ||
| + | service ocserv restart | ||
| + | </ | ||
| ==== Automated ==== | ==== Automated ==== | ||
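Review bot: the Multi-client block hard-codes the section name `client1` while only `VPN_USER` and `VPN_PASS` are variables, so running it again for a second client, as "Use unique credentials for each client" implies, executes `uci -q delete ocserv.client1` and overwrites the first account instead of adding one; derive the section name from the user (for example `ocserv.client_${VPN_USER}`, assuming the name is a valid UCI identifier) or state that it must be changed for every client. Also note that `VPN_PASS="` puts the password on the command line and `uci set ocserv.client1.password="` writes it into the UCI config, so it ends up in shell history and in /etc/config/ocserv; the text should say to generate it with a proper random source and to restrict who can read that file.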
| Line 51: | Line 117: | ||
| <code bash> | <code bash> | ||
| - | opkg update | + | URL=" |
| - | opkg install curl | + | cat << EOF > openconnect-server.sh |
| - | URL=" | + | $(wget -U "" |
| - | cat << EOF > oc.sh | + | $(wget -U "" |
| - | $(curl " | + | $(wget -U "" |
| - | $(curl " | + | $(wget -U "" |
| - | $(curl " | + | |
| EOF | EOF | ||
| - | sh oc.sh | + | sh openconnect-server.sh |
| </ | </ | ||