| docs:guide-user:services:vpn:openconnect:extras [2020/11/28 08:08] – [Server certificate hash] vgaetera | docs:guide-user:services:vpn:openconnect:extras [2024/10/16 20:06] – [Default gateway] andrewz | ||
|---|---|---|---|
| Line 1: | Line 1: | ||
| ====== OpenConnect extras ====== | ====== OpenConnect extras ====== | ||
| - | {{section> | + | {{section> |
| ===== Introduction ===== | ===== Introduction ===== | ||
| * This how-to describes the most common [[wp> | * This how-to describes the most common [[wp> | ||
| * Follow [[docs: | * Follow [[docs: | ||
| - | * Follow [[docs: | + | * Follow [[docs: |
| + | * Follow [[docs: | ||
| * Follow [[docs: | * Follow [[docs: | ||
| Line 11: | Line 12: | ||
| ==== References ==== | ==== References ==== | ||
| * [[https:// | * [[https:// | ||
| - | * [[https:// | + | * [[https:// |
| * [[https:// | * [[https:// | ||
| ==== Web interface ==== | ==== Web interface ==== | ||
| - | Install the necessary packages if you want to manage VPN settings using web interface. | + | If you want to manage VPN server |
| <code bash> | <code bash> | ||
| Line 21: | Line 22: | ||
| opkg update | opkg update | ||
| opkg install luci-app-ocserv | opkg install luci-app-ocserv | ||
| - | / | + | service |
| </ | </ | ||
| - | Navigate to **[[http:// | + | Navigate to **LuCI -> VPN -> OpenConnect VPN** to configure OpenConnect server. |
| + | |||
| + | If you want to configure VPN client using web interface: | ||
| <code bash> | <code bash> | ||
| Line 30: | Line 33: | ||
| opkg update | opkg update | ||
| opkg install luci-proto-openconnect | opkg install luci-proto-openconnect | ||
| - | /etc/init.d/rpcd restart | + | service rpcd restart |
| + | </code> | ||
| + | |||
| + | Navigate to **LuCI -> Network -> Interfaces** to configure OpenConnect client. | ||
| + | |||
| + | ==== Commercial provider ==== | ||
| + | Fetch server certificate from remote VPN server. | ||
| + | Beware of possible MITM. | ||
| + | |||
| + | <code bash> | ||
| + | openssl s_client -showcerts -connect ${VPN_SERV}: | ||
| + | < /dev/null > server-cert.pem | ||
| </ | </ | ||
| - | Navigate to **[[http:// | ||
| ==== Dynamic connection ==== | ==== Dynamic connection ==== | ||
| {{section> | {{section> | ||
| - | ==== Disable | + | ==== Default |
| - | {{section> | + | Disable gateway redirection in the client if you don't need to route all traffic through VPN. |
| - | ==== Server certificate hash ==== | + | <code bash> |
| - | Generate | + | uci set network.vpn.defaultroute=" |
| + | uci commit network | ||
| + | service network restart | ||
| + | </ | ||
| + | |||
| + | ==== Split gateway | ||
| + | If VPN gateway is separate from your LAN gateway. | ||
| + | Implement plain routing between LAN and VPN networks assuming that: | ||
| + | * '' | ||
| + | * '' | ||
| + | * '' | ||
| + | |||
| + | Add port forwarding for VPN server | ||
| <code bash> | <code bash> | ||
| - | # Install packages | + | uci -q delete firewall.oc |
| - | opkg update | + | uci set firewall.oc=" |
| - | opkg install openssl-util | + | uci set firewall.oc.name=" |
| + | uci set firewall.oc.src=" | ||
| + | uci set firewall.oc.src_dport=" | ||
| + | uci set firewall.oc.dest=" | ||
| + | uci set firewall.oc.dest_ip=" | ||
| + | uci set firewall.oc.family=" | ||
| + | uci set firewall.oc.proto=" | ||
| + | uci set firewall.oc.target=" | ||
| + | uci commit firewall | ||
| + | service firewall restart | ||
| + | </ | ||
| - | # Generate certificate hash | + | Add route to VPN network via VPN gateway on LAN gateway. |
| - | OC_CERT="/ | + | |
| - | OC_HASH=" | + | |
| - | $(openssl x509 -in ${OC_CERT} -pubkey -noout \ | + | |
| - | | openssl pkey -pubin -outform der \ | + | |
| - | | openssl dgst -sha256 -binary \ | + | |
| - | | openssl enc -base64))" | + | |
| - | # Fetch certificate hash | + | <code bash> |
| - | echo ${OC_HASH} | + | uci -q delete network.vpn |
| + | uci set network.vpn=" | ||
| + | uci set network.vpn.interface=" | ||
| + | uci set network.vpn.target=" | ||
| + | uci set network.vpn.gateway=" | ||
| + | uci commit network | ||
| + | service network restart | ||
| </ | </ | ||
| + | |||
| + | ==== IPv6 gateway ==== | ||
| + | Set up [[docs: | ||
| + | Enable IPv6 tunnel on VPN server, offer IPv6 DNS, redirect IPv6 gateway. | ||
| + | |||
| + | <code bash> | ||
| + | VPN_POOL6=" | ||
| + | VPN_DNS6=" | ||
| + | uci set ocserv.config.ip6addr=" | ||
| + | uci -q delete ocserv.dns6 | ||
| + | uci set ocserv.dns6=" | ||
| + | uci set ocserv.dns6.ip=" | ||
| + | uci commit ocserv | ||
| + | service ocserv restart | ||
| + | </ | ||
| + | |||
| + | Disable [[docs: | ||
| ==== DNS over VPN ==== | ==== DNS over VPN ==== | ||
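Review bot: the Split gateway block reuses the section name `network.vpn` for a route (`uci -q delete network.vpn` followed by `uci set network.vpn=...` with `interface`, `target` and `gateway` keys), while the Default gateway block directly above treats `network.vpn` as the client interface (`uci set network.vpn.defaultroute=...`); a reader who pastes both blocks on one device deletes the interface. Give the route a distinct section name (for example `network.vpn_route`) or state explicitly that the route block is applied only on the LAN gateway, as the sentence "Add route to VPN network via VPN gateway on LAN gateway" intends. Separately, the Commercial provider block writes the raw `openssl s_client -showcerts` output straight into `server-cert.pem`, and this same hunk removes the "Server certificate hash" section that was the page's only fingerprint recipe; the "Beware of possible MITM" line should say what to do about it, i.e. compare the fetched certificate's fingerprint with the one the provider publishes before trusting the file.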
| Line 66: | Line 118: | ||
| ==== Kill switch ==== | ==== Kill switch ==== | ||
| {{section> | {{section> | ||
| + | |||
| + | ==== Multi-client ==== | ||
| + | Generate [[docs: | ||
| + | Set up multi-client VPN server. | ||
| + | Use unique credentials for each client. | ||
| + | |||
| + | <code bash> | ||
| + | # Configure VPN service | ||
| + | VPN_USER=" | ||
| + | VPN_PASS=" | ||
| + | uci -q delete ocserv.client1 | ||
| + | uci set ocserv.client1=" | ||
| + | uci set ocserv.client1.name=" | ||
| + | uci set ocserv.client1.password=" | ||
| + | uci commit ocserv | ||
| + | service ocserv restart | ||
| + | </ | ||
| ==== Automated ==== | ==== Automated ==== | ||
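Review bot: in the Multi-client block the section name `ocserv.client1` is fixed while the user name and password come from `VPN_USER` and `VPN_PASS`, so re-running the snippet with new values for a second client deletes and overwrites `client1` instead of adding a client; derive the section name from the client (for example `ocserv.client_${VPN_USER}`) or show the block being repeated with `client2`, and say where `VPN_PASS` should come from, since the sentence "Use unique credentials for each client" is not enforced by anything in the block.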
| Line 71: | Line 140: | ||
| <code bash> | <code bash> | ||
| - | opkg update | + | URL=" |
| - | opkg install curl | + | cat << EOF > openconnect-server.sh |
| - | URL=" | + | $(wget -U "" |
| - | cat << EOF > oc.sh | + | $(wget -U "" |
| - | $(curl " | + | $(wget -U "" |
| - | $(curl " | + | $(wget -U "" |
| - | $(curl " | + | |
| EOF | EOF | ||
| - | sh oc.sh | + | sh openconnect-server.sh |
| </ | </ | ||