Differences
| docs:guide-user:services:vpn:openconnect:extras [2021/02/12 22:36] – [Automated] minimize dependencies vgaetera | docs:guide-user:services:vpn:openconnect:extras [2024/10/16 20:06] – [Default gateway] andrewz | ||
|---|---|---|---|
| Line 1: | Line 1: | ||
| ====== OpenConnect extras ====== | ====== OpenConnect extras ====== | ||
| - | {{section> | + | {{section> |
| ===== Introduction ===== | ===== Introduction ===== | ||
| * This how-to describes the most common [[wp> | * This how-to describes the most common [[wp> | ||
| * Follow [[docs: | * Follow [[docs: | ||
| - | * Follow [[docs: | + | * Follow [[docs: |
| + | * Follow [[docs: | ||
| * Follow [[docs: | * Follow [[docs: | ||
| Line 11: | Line 12: | ||
| ==== References ==== | ==== References ==== | ||
| * [[https:// | * [[https:// | ||
| - | * [[https:// | + | * [[https:// |
| * [[https:// | * [[https:// | ||
| ==== Web interface ==== | ==== Web interface ==== | ||
| - | Install the necessary packages if you want to manage VPN settings using web interface. | + | If you want to manage VPN server |
| <code bash> | <code bash> | ||
| Line 21: | Line 22: | ||
| opkg update | opkg update | ||
| opkg install luci-app-ocserv | opkg install luci-app-ocserv | ||
| - | / | + | service |
| </ | </ | ||
| - | Navigate to **[[http:// | + | Navigate to **LuCI -> VPN -> OpenConnect VPN** to configure OpenConnect server. |
| + | |||
| + | If you want to configure VPN client using web interface: | ||
| <code bash> | <code bash> | ||
| Line 30: | Line 33: | ||
| opkg update | opkg update | ||
| opkg install luci-proto-openconnect | opkg install luci-proto-openconnect | ||
| - | / | + | service |
| </ | </ | ||
| - | Navigate to **[[http:// | + | Navigate to **LuCI -> Network -> Interfaces** to configure OpenConnect client. |
| - | ==== Dynamic connection | + | ==== Commercial provider |
| - | {{section> | + | Fetch server certificate from remote VPN server. |
| - | + | Beware of possible MITM. | |
| - | ==== Certificate hash ==== | + | |
| - | Generate certificate hash. | + | |
| <code bash> | <code bash> | ||
| - | # Install packages | + | openssl |
| - | opkg update | + | < /dev/null > server-cert.pem |
| - | opkg install | + | |
| - | + | ||
| - | # Generate certificate hash | + | |
| - | OC_CERT="/ | + | |
| - | OC_HCERT=" | + | |
| - | $(openssl x509 -in ${OC_CERT} -pubkey -noout | + | |
| - | | openssl pkey -pubin -outform der \ | + | |
| - | | openssl dgst -sha256 -binary \ | + | |
| - | | openssl enc -base64))" | + | |
| - | + | ||
| - | # Fetch certificate hash | + | |
| - | echo ${OC_HCERT} | + | |
| </ | </ | ||
| - | ==== Password hash ==== | ||
| - | Generate password hash. | ||
| - | <code bash> | + | ==== Dynamic connection ==== |
| - | # Generate password hash | + | {{section> |
| - | OC_USER=" | + | |
| - | OC_PASS=" | + | |
| - | ocpasswd ${OC_USER} << EOF | + | |
| - | ${OC_PASS} | + | |
| - | ${OC_PASS} | + | |
| - | EOF | + | |
| - | OC_HPASS=" | + | |
| - | # Fetch password hash | + | ==== Default |
| - | echo ${OC_HPASS} | + | Disable gateway redirection in the client if you don' |
| - | </ | + | |
| - | + | ||
| - | ==== Disable | + | |
| - | If you do not need to redirect | + | |
| - | Disable gateway redirection on VPN client. | + | |
| <code bash> | <code bash> | ||
| - | # Configure VPN service | ||
| uci set network.vpn.defaultroute=" | uci set network.vpn.defaultroute=" | ||
| uci commit network | uci commit network | ||
| - | / | + | service |
| </ | </ | ||
| ==== Split gateway ==== | ==== Split gateway ==== | ||
| - | If VPN gateway is not your LAN gateway. | + | If VPN gateway is separate from your LAN gateway. |
| - | Implement plain routing between LAN network | + | Implement plain routing between LAN and VPN networks |
| * '' | * '' | ||
| * '' | * '' | ||
| - | * '' | + | * '' |
| Add port forwarding for VPN server on LAN gateway. | Add port forwarding for VPN server on LAN gateway. | ||
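
Review bot: the new "Commercial provider" snippet (`openssl ... < /dev/null > server-cert.pem`) stores whatever certificate the remote end presents, and the only defence against the MITM the text warns about is the reader's own check; keep the public-key hash derivation that this revision removes (`openssl x509 -in ${OC_CERT} -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64`) next to the fetch, and tell the reader to compare the resulting pin with the value the provider publishes out of band before putting `server-cert.pem` or its hash into the client configuration.
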
| Line 107: | Line 81: | ||
| uci set firewall.oc.target=" | uci set firewall.oc.target=" | ||
| uci commit firewall | uci commit firewall | ||
| - | / | + | service |
| </ | </ | ||
| Line 116: | Line 90: | ||
| uci set network.vpn=" | uci set network.vpn=" | ||
| uci set network.vpn.interface=" | uci set network.vpn.interface=" | ||
| - | uci set network.vpn.target=" | + | uci set network.vpn.target=" |
| uci set network.vpn.gateway=" | uci set network.vpn.gateway=" | ||
| uci commit network | uci commit network | ||
| - | / | + | service |
| </ | </ | ||
| ==== IPv6 gateway ==== | ==== IPv6 gateway ==== | ||
| - | Provide IPv6 tunnel connectivity. | + | Set up [[docs: |
| - | Set up [[docs: | + | Enable |
| - | + | ||
| - | Enable | + | |
| - | Provide default | + | |
| <code bash> | <code bash> | ||
| - | OC_POOL6="fdf1:e8a1:8d3f:7::/ | + | VPN_POOL6="fd00:9::/ |
| - | OC_DNS6="${OC_POOL6%/*}1" | + | VPN_DNS6="${VPN_POOL6%:*}:1" |
| - | uci set ocserv.config.ip6addr=" | + | uci set ocserv.config.ip6addr=" |
| uci -q delete ocserv.dns6 | uci -q delete ocserv.dns6 | ||
| uci set ocserv.dns6=" | uci set ocserv.dns6=" | ||
| - | uci set ocserv.dns6.ip=" | + | uci set ocserv.dns6.ip=" |
| uci commit ocserv | uci commit ocserv | ||
| - | / | + | service |
| - | uci set network.wan6.sourcefilter=" | + | |
| - | uci commit network | + | |
| - | / | + | |
| </ | </ | ||
| + | |||
| + | Disable [[docs: | ||
| ==== DNS over VPN ==== | ==== DNS over VPN ==== | ||
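
Review bot: `VPN_DNS6="${VPN_POOL6%:*}:1"` only produces a valid address when the pool is written with a trailing `::` as in `fd00:9::/...`; for a prefix written out in full the `%:*` expansion strips the last hextet instead of the empty tail (the previous `OC_DNS6="${OC_POOL6%/*}1"` form had the same restriction), so state the expected notation next to the variable. Also, moving `uci set network.wan6.sourcefilter="..."` / `uci commit network` out of the code block into the prose "Disable ..." line means a reader who copies only the block misses that step; consider keeping the two uci commands in the block as well.
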
| Line 150: | Line 120: | ||
| ==== Multi-client ==== | ==== Multi-client ==== | ||
| + | Generate [[docs: | ||
| Set up multi-client VPN server. | Set up multi-client VPN server. | ||
| Use unique credentials for each client. | Use unique credentials for each client. | ||
| Line 155: | Line 126: | ||
| <code bash> | <code bash> | ||
| # Configure VPN service | # Configure VPN service | ||
| + | VPN_USER=" | ||
| + | VPN_PASS=" | ||
| uci -q delete ocserv.client1 | uci -q delete ocserv.client1 | ||
| uci set ocserv.client1=" | uci set ocserv.client1=" | ||
| - | uci set ocserv.client1.name=" | + | uci set ocserv.client1.name=" |
| - | uci set ocserv.client1.password=" | + | uci set ocserv.client1.password=" |
| uci commit ocserv | uci commit ocserv | ||
| - | / | + | service |
| </ | </ | ||
| Line 167: | Line 140: | ||
| <code bash> | <code bash> | ||
| - | URL=" | + | URL=" |
| cat << EOF > openconnect-server.sh | cat << EOF > openconnect-server.sh | ||
| - | $(uclient-fetch -q -O - " | + | $(wget -U "" |
| - | $(uclient-fetch -q -O - " | + | $(wget -U "" |
| - | $(uclient-fetch -q -O - " | + | $(wget -U "" |
| - | $(uclient-fetch -q -O - " | + | $(wget -U "" |
| EOF | EOF | ||
| sh openconnect-server.sh | sh openconnect-server.sh | ||
| </ | </ | ||