Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision
Previous revision
Next revisionBoth sides next revision
docs:guide-user:services:vpn:openconnect:extras [2020/11/28 08:08] – [Server certificate hash] vgaeteradocs:guide-user:services:vpn:openconnect:extras [2024/10/16 20:06] – [Default gateway] andrewz
Line 1: Line 1:
 ====== OpenConnect extras ====== ====== OpenConnect extras ======
-{{section>meta:infobox:howto_links#cli_skills&noheader&nofooter&noeditbutton}}+{{section>meta:infobox:howto_links#basic_skills&noheader&nofooter&noeditbutton}}
  
 ===== Introduction ===== ===== Introduction =====
   * This how-to describes the most common [[wp>OpenConnect|OpenConnect]] tuning scenarios adapted for OpenWrt.   * This how-to describes the most common [[wp>OpenConnect|OpenConnect]] tuning scenarios adapted for OpenWrt.
   * Follow [[docs:guide-user:services:vpn:openconnect:server|OpenConnect server]] for server setup and [[docs:guide-user:services:vpn:openconnect:client|OpenConnect client]] for client setup.   * Follow [[docs:guide-user:services:vpn:openconnect:server|OpenConnect server]] for server setup and [[docs:guide-user:services:vpn:openconnect:client|OpenConnect client]] for client setup.
-  * Follow [[docs:guide-user:network:tunneling_interface_protocols#protocol_openconnect_openconnect_vpn|OpenConnect protocol]] for protocol-specific interface options.+  * Follow [[docs:guide-user:network:tunneling_interface_protocols#protocol_openconnect_openconnect_vpn|OpenConnect protocol]] for client configuration. 
 +  * Follow [[docs:guide-user:services:ddns:client|DDNS client]] to use own server with dynamic IP address.
   * Follow [[docs:guide-user:services:rng|Random generator]] to overcome low entropy issues.   * Follow [[docs:guide-user:services:rng|Random generator]] to overcome low entropy issues.
  
Line 11: Line 12:
 ==== References ==== ==== References ====
   * [[https://www.infradead.org/openconnect/|OpenConnect official site]]   * [[https://www.infradead.org/openconnect/|OpenConnect official site]]
-  * [[https://ocserv.gitlab.io/www/manual.html|ocserv OpenConnect server documentation]]+  * [[https://ocserv.gitlab.io/www/manual.html|ocserv server documentation]]
   * [[https://github.com/openwrt/packages/tree/master/net/ocserv|OpenConnect configuration examples]]   * [[https://github.com/openwrt/packages/tree/master/net/ocserv|OpenConnect configuration examples]]
  
 ==== Web interface ==== ==== Web interface ====
-Install the necessary packages if you want to manage VPN settings using web interface.+If you want to manage VPN server settings using web interface:
  
 <code bash> <code bash>
Line 21: Line 22:
 opkg update opkg update
 opkg install luci-app-ocserv opkg install luci-app-ocserv
-/etc/init.d/rpcd restart+service rpcd restart
 </code> </code>
  
-Navigate to **[[http://openwrt.lan/|LuCI]] -> VPN -> OpenConnect VPN** to configure OpenConnect server.+Navigate to **LuCI -> VPN -> OpenConnect VPN** to configure OpenConnect server. 
 + 
 +If you want to configure VPN client using web interface:
  
 <code bash> <code bash>
Line 30: Line 33:
 opkg update opkg update
 opkg install luci-proto-openconnect opkg install luci-proto-openconnect
-/etc/init.d/rpcd restart+service rpcd restart 
 +</code> 
 + 
 +Navigate to **LuCI -> Network -> Interfaces** to configure OpenConnect client. 
 + 
 +==== Commercial provider ==== 
 +Fetch server certificate from remote VPN server. 
 +Beware of possible MITM. 
 + 
 +<code bash> 
 +openssl s_client -showcerts -connect ${VPN_SERV}:${VPN_PORT} \ 
 +/dev/null > server-cert.pem
 </code> </code>
  
-Navigate to **[[http://openwrt.lan/|LuCI]] -> Network -> Interfaces** to configure OpenConnect client. 
  
 ==== Dynamic connection ==== ==== Dynamic connection ====
 {{section>docs:guide-user:services:vpn:wireguard:extras#dynamic_connection&noheader&nofooter&noeditbutton}} {{section>docs:guide-user:services:vpn:wireguard:extras#dynamic_connection&noheader&nofooter&noeditbutton}}
  
-==== Disable gateway redirection ==== +==== Default gateway ==== 
-{{section>docs:guide-user:services:vpn:pptp:extras#disable_gateway_redirection&noheader&nofooter&noeditbutton}}+Disable gateway redirection in the client if you don't need to route all traffic through VPN.
  
-==== Server certificate hash ==== +<code bash> 
-Generate server certificate hash.+uci set network.vpn.defaultroute="0" 
 +uci commit network 
 +service network restart 
 +</code> 
 + 
 +==== Split gateway ===
 +If VPN gateway is separate from your LAN gateway. 
 +Implement plain routing between LAN and VPN networks assuming that: 
 +  * ''192.168.1.0/24'' - LAN network 
 +  * ''192.168.1.2/24'' - VPN gateway 
 +  * ''192.168.9.0/24'' - VPN network 
 + 
 +Add port forwarding for VPN server on LAN gateway.
  
 <code bash> <code bash>
-# Install packages +uci -q delete firewall.oc 
-opkg update +uci set firewall.oc="redirect" 
-opkg install openssl-util+uci set firewall.oc.name="Redirect-OpenConnect" 
 +uci set firewall.oc.src="wan" 
 +uci set firewall.oc.src_dport="4443" 
 +uci set firewall.oc.dest="lan" 
 +uci set firewall.oc.dest_ip="192.168.1.2" 
 +uci set firewall.oc.family="ipv4" 
 +uci set firewall.oc.proto="tcp udp" 
 +uci set firewall.oc.target="DNAT" 
 +uci commit firewall 
 +service firewall restart 
 +</code>
  
-# Generate certificate hash +Add route to VPN network via VPN gateway on LAN gateway.
-OC_CERT="/etc/ocserv/server-cert.pem" +
-OC_HASH="$(echo pin-sha256:+
-$(openssl x509 -in ${OC_CERT} -pubkey -noout \ +
-| openssl pkey -pubin -outform der \ +
-| openssl dgst -sha256 -binary \ +
-| openssl enc -base64))"+
  
-# Fetch certificate hash +<code bash> 
-echo ${OC_HASH}+uci -q delete network.vpn 
 +uci set network.vpn="route" 
 +uci set network.vpn.interface="lan" 
 +uci set network.vpn.target="192.168.9.0/24" 
 +uci set network.vpn.gateway="192.168.1.2" 
 +uci commit network 
 +service network restart
 </code> </code>
 +
 +==== IPv6 gateway ====
 +Set up [[docs:guide-user:network:ipv6:ipv6_henet|IPv6 tunnel broker]] or use [[docs:guide-user:firewall:fw3_configurations:fw3_nat#ipv6_nat|IPv6 NAT or NPT]] if necessary.
 +Enable IPv6 tunnel on VPN server, offer IPv6 DNS, redirect IPv6 gateway.
 +
 +<code bash>
 +VPN_POOL6="fd00:9::/64"
 +VPN_DNS6="${VPN_POOL6%:*}:1"
 +uci set ocserv.config.ip6addr="${VPN_POOL6}"
 +uci -q delete ocserv.dns6
 +uci set ocserv.dns6="dns"
 +uci set ocserv.dns6.ip="${VPN_DNS6}"
 +uci commit ocserv
 +service ocserv restart
 +</code>
 +
 +Disable [[docs:guide-user:network:ipv6:ipv6_extras#disabling_gua_prefix|ISP prefix delegation]] to prevent IPv6 leaks on VPN client.
  
 ==== DNS over VPN ==== ==== DNS over VPN ====
Line 66: Line 118:
 ==== Kill switch ==== ==== Kill switch ====
 {{section>docs:guide-user:services:vpn:wireguard:extras#kill_switch&noheader&nofooter&noeditbutton}} {{section>docs:guide-user:services:vpn:wireguard:extras#kill_switch&noheader&nofooter&noeditbutton}}
 +
 +==== Multi-client ====
 +Generate [[docs:guide-user:services:vpn:openconnect:server#key_management|password hash]] for a new VPN client.
 +Set up multi-client VPN server.
 +Use unique credentials for each client.
 +
 +<code bash>
 +# Configure VPN service
 +VPN_USER="USERNAME1"
 +VPN_PASS="PASSWORD1"
 +uci -q delete ocserv.client1
 +uci set ocserv.client1="ocservusers"
 +uci set ocserv.client1.name="${VPN_USER}"
 +uci set ocserv.client1.password="${VPN_HASH}"
 +uci commit ocserv
 +service ocserv restart
 +</code>
  
 ==== Automated ==== ==== Automated ====
Line 71: Line 140:
  
 <code bash> <code bash>
-opkg update +URL="https://openwrt.org/_export/code/docs/guide-user/services/vpn/openconnect/server
-opkg install curl +cat << EOF > openconnect-server.sh 
-URL="https://openwrt.org/_export/code/docs/guide-user/services/vpn/openconnect" +$(wget -U "" -O - "${URL}?codeblock=0"
-cat << EOF > oc.sh +$(wget -U "" -O - "${URL}?codeblock=1"
-$(curl "${URL}/server?codeblock=0"+$(wget -U "" -O - "${URL}?codeblock=2") 
-$(curl "${URL}/server?codeblock=1"+$(wget -U "" -O - "${URL}?codeblock=3")
-$(curl "${URL}/server?codeblock=2")+
 EOF EOF
-sh oc.sh+sh openconnect-server.sh
 </code> </code>
  
  • Last modified: 2024/10/17 17:30
  • by andrewz