Differences

This shows you the differences between two versions of the page.

docs:guide-user:services:vpn:openconnect:extras [2021/10/04 11:26] – [Automated] bypass download limitations vgaeteradocs:guide-user:services:vpn:openconnect:extras [2024/10/16 20:06] – [Default gateway] andrewz
Line 1: Line 1:
 ====== OpenConnect extras ====== ====== OpenConnect extras ======
-{{section>meta:infobox:howto_links#cli_skills&noheader&nofooter&noeditbutton}}+{{section>meta:infobox:howto_links#basic_skills&noheader&nofooter&noeditbutton}}
  
 ===== Introduction ===== ===== Introduction =====
   * This how-to describes the most common [[wp>OpenConnect|OpenConnect]] tuning scenarios adapted for OpenWrt.   * This how-to describes the most common [[wp>OpenConnect|OpenConnect]] tuning scenarios adapted for OpenWrt.
   * Follow [[docs:guide-user:services:vpn:openconnect:server|OpenConnect server]] for server setup and [[docs:guide-user:services:vpn:openconnect:client|OpenConnect client]] for client setup.   * Follow [[docs:guide-user:services:vpn:openconnect:server|OpenConnect server]] for server setup and [[docs:guide-user:services:vpn:openconnect:client|OpenConnect client]] for client setup.
-  * Follow [[docs:guide-user:network:tunneling_interface_protocols#protocol_openconnect_openconnect_vpn|OpenConnect protocol]] for protocol-specific interface options.+  * Follow [[docs:guide-user:network:tunneling_interface_protocols#protocol_openconnect_openconnect_vpn|OpenConnect protocol]] for client configuration.
   * Follow [[docs:guide-user:services:ddns:client|DDNS client]] to use own server with dynamic IP address.   * Follow [[docs:guide-user:services:ddns:client|DDNS client]] to use own server with dynamic IP address.
   * Follow [[docs:guide-user:services:rng|Random generator]] to overcome low entropy issues.   * Follow [[docs:guide-user:services:rng|Random generator]] to overcome low entropy issues.
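Review bot: the reworded link on the third bullet ("OpenConnect protocol ... for client configuration") now overlaps with the previous bullet, which already points to the client how-to for client setup, so a reader cannot tell which page to open. The old wording, "for protocol-specific interface options", said what the tunneling_interface_protocols page actually documents (the ''proto openconnect'' UCI options); keep it, or say "for client interface options".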
Line 12: Line 12:
 ==== References ==== ==== References ====
   * [[https://www.infradead.org/openconnect/|OpenConnect official site]]   * [[https://www.infradead.org/openconnect/|OpenConnect official site]]
-  * [[https://ocserv.gitlab.io/www/manual.html|ocserv OpenConnect server documentation]]+  * [[https://ocserv.gitlab.io/www/manual.html|ocserv server documentation]]
   * [[https://github.com/openwrt/packages/tree/master/net/ocserv|OpenConnect configuration examples]]   * [[https://github.com/openwrt/packages/tree/master/net/ocserv|OpenConnect configuration examples]]
  
 ==== Web interface ==== ==== Web interface ====
-If you want to manage VPN settings using web interface+If you want to manage VPN server settings using web interface:
-Install the necessary packages.+
  
 <code bash> <code bash>
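Review bot: the rewritten intro drops the "Install the necessary packages." sentence and ends on a colon, which is fine, but the new sentence is missing an article: "using the web interface". The same wording is reused for the client paragraph added further down, so fix both.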
Line 23: Line 22:
 opkg update opkg update
 opkg install luci-app-ocserv opkg install luci-app-ocserv
-/etc/init.d/rpcd restart+service rpcd restart
 </code> </code>
  
 Navigate to **LuCI -> VPN -> OpenConnect VPN** to configure OpenConnect server. Navigate to **LuCI -> VPN -> OpenConnect VPN** to configure OpenConnect server.
 +
 +If you want to configure VPN client using web interface:
  
 <code bash> <code bash>
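Review bot: replacing ''/etc/init.d/rpcd restart'' with ''service rpcd restart'' (and the same change for network, firewall and ocserv below) is correct for interactive use, but note that on releases where ''service'' exists only as a shell function from ''/etc/profile'' rather than as ''/sbin/service'', it is undefined inside a non-interactive script such as the one assembled in the Automated section with ''sh openconnect-server.sh''. Either mention the minimum release this assumes, or keep the ''/etc/init.d/...'' form in blocks that are meant to be scripted.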
Line 32: Line 33:
 opkg update opkg update
 opkg install luci-proto-openconnect opkg install luci-proto-openconnect
-/etc/init.d/rpcd restart+service rpcd restart
 </code> </code>
  
 Navigate to **LuCI -> Network -> Interfaces** to configure OpenConnect client. Navigate to **LuCI -> Network -> Interfaces** to configure OpenConnect client.
  
-==== Dynamic connection ==== +==== Commercial provider ==== 
-{{section>docs:guide-user:services:vpn:wireguard:extras#dynamic_connection&noheader&nofooter&noeditbutton}} +Fetch server certificate from remote VPN server. 
- +Beware of possible MITM.
-==== Certificate hash ==== +
-Generate certificate hash.+
  
 <code bash> <code bash>
-# Install packages +openssl s_client -showcerts -connect ${VPN_SERV}:${VPN_PORT} \ 
-opkg update +< /dev/null > server-cert.pem
-opkg install openssl-util +
- +
-# Generate certificate hash +
-OC_CERT="/etc/ocserv/server-cert.pem" +
-OC_HASH="$(echo pin-sha256:+
-$(openssl x509 -in ${OC_CERT-pubkey -noout +
-| openssl pkey -pubin -outform der \ +
-| openssl dgst -sha256 -binary \ +
-| openssl enc -base64))" +
- +
-# Fetch certificate hash +
-echo ${OC_HASH}+
 </code> </code>
  
-==== Password hash ==== 
-Generate password hash. 
  
-<code bash> +==== Dynamic connection ==== 
-# Generate password hash +{{section>docs:guide-user:services:vpn:wireguard:extras#dynamic_connection&noheader&nofooter&noeditbutton}}
-OC_USER="USERNAME" +
-OC_PASS="PASSWORD" +
-ocpasswd ${OC_USER} << EOF +
-${OC_PASS} +
-${OC_PASS} +
-EOF +
-OC_HASH="$(sed -n -e "/^${OC_USER}:.*:/s///p" /etc/ocserv/ocpasswd)"+
  
-# Fetch password hash +==== Default gateway ==== 
-echo ${OC_HASH} +Disable gateway redirection in the client if you don'need to route all traffic through VPN.
-</code> +
- +
-==== Disable gateway redirection ==== +
-If you do not need to redirect all traffic to VPN+
-Disable gateway redirection on VPN client.+
  
 <code bash> <code bash>
-# Configure VPN service 
 uci set network.vpn.defaultroute="0" uci set network.vpn.defaultroute="0"
 uci commit network uci commit network
-/etc/init.d/network restart+service network restart
 </code> </code>
  
 ==== Split gateway ==== ==== Split gateway ====
 If VPN gateway is separate from your LAN gateway. If VPN gateway is separate from your LAN gateway.
-Implement plain routing between LAN network and VPN network assuming that:+Implement plain routing between LAN and VPN networks assuming that:
   * ''192.168.1.0/24'' - LAN network   * ''192.168.1.0/24'' - LAN network
   * ''192.168.1.2/24'' - VPN gateway   * ''192.168.1.2/24'' - VPN gateway
-  * ''192.168.7.0/24'' - VPN network+  * ''192.168.9.0/24'' - VPN network
  
 Add port forwarding for VPN server on LAN gateway. Add port forwarding for VPN server on LAN gateway.
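Review bot: the new Commercial provider block saves the whole ''openssl s_client'' transcript rather than a certificate: with ''-showcerts'' and stdout redirected, ''server-cert.pem'' also contains the session summary and every chain certificate, so anything expecting a single PEM certificate can fail on it. Pipe the output through ''openssl x509'' to keep only the leaf certificate, e.g. ''openssl s_client -connect ${VPN_SERV}:${VPN_PORT} < /dev/null 2>/dev/null | openssl x509 > server-cert.pem'', and define ''VPN_SERV'' and ''VPN_PORT'' (nothing in the hunk sets them). Since the text already warns about MITM, it should say what to do about it: compare the fingerprint of the fetched certificate with one published by the provider before pinning it, otherwise the pin just locks in whatever was on the wire. Also, in the Default gateway paragraph "don'need" should read "don't need".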
Line 109: Line 81:
 uci set firewall.oc.target="DNAT" uci set firewall.oc.target="DNAT"
 uci commit firewall uci commit firewall
-/etc/init.d/firewall restart+service firewall restart
 </code> </code>
  
Line 118: Line 90:
 uci set network.vpn="route" uci set network.vpn="route"
 uci set network.vpn.interface="lan" uci set network.vpn.interface="lan"
-uci set network.vpn.target="192.168.7.0/24"+uci set network.vpn.target="192.168.9.0/24"
 uci set network.vpn.gateway="192.168.1.2" uci set network.vpn.gateway="192.168.1.2"
 uci commit network uci commit network
-/etc/init.d/network restart+service network restart
 </code> </code>
  
 ==== IPv6 gateway ==== ==== IPv6 gateway ====
-Set up an [[docs:guide-user:network:ipv6:ipv6_henet|IPv6 tunnel broker]] or [[docs:guide-user:network:ipv6:ipv6.nat6#nat6_simplified|IPv6 masquerading]] if necessary.+Set up [[docs:guide-user:network:ipv6:ipv6_henet|IPv6 tunnel broker]] or use [[docs:guide-user:firewall:fw3_configurations:fw3_nat#ipv6_nat|IPv6 NAT or NPT]] if necessary.
 Enable IPv6 tunnel on VPN server, offer IPv6 DNS, redirect IPv6 gateway. Enable IPv6 tunnel on VPN server, offer IPv6 DNS, redirect IPv6 gateway.
  
 <code bash> <code bash>
-OC_POOL6="fdf1:e8a1:8d3f:7::/64" +VPN_POOL6="fd00:9::/64" 
-OC_DNS6="${OC_POOL6%/*}1" +VPN_DNS6="${VPN_POOL6%:*}:1" 
-uci set ocserv.config.ip6addr="${OC_POOL6}"+uci set ocserv.config.ip6addr="${VPN_POOL6}"
 uci -q delete ocserv.dns6 uci -q delete ocserv.dns6
 uci set ocserv.dns6="dns" uci set ocserv.dns6="dns"
-uci set ocserv.dns6.ip="${OC_DNS6}"+uci set ocserv.dns6.ip="${VPN_DNS6}"
 uci commit ocserv uci commit ocserv
-/etc/init.d/ocserv restart+service ocserv restart
 </code> </code>
  
-Disable [[docs:guide-user:network:ipv6:ipv6_extras#disabling_source_routing|source routing]] on the server. +Disable [[docs:guide-user:network:ipv6:ipv6_extras#disabling_gua_prefix|ISP prefix delegation]] to prevent IPv6 leaks on VPN client.
-Disable [[docs:guide-user:network:ipv6:ipv6_extras#disabling_gua_prefix|ISP prefix delegation]] to avoid IPv6 leak on the client.+
  
 ==== DNS over VPN ==== ==== DNS over VPN ====
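Review bot: this hunk removes the "Disable source routing on the server" line from the IPv6 gateway section without replacing it, while the client-side IPv6 leak advice is kept. If the removal is intentional, say why (for example that the linked ipv6_extras section no longer has that anchor); otherwise keep it, since it is a hardening step on the server and not covered by the prefix-delegation note. The rest of the hunk is consistent: ''192.168.9.0/24'' matches the Split gateway list above, and ''VPN_DNS6="${VPN_POOL6%:*}:1"'' expands to ''fd00:9::1'' for the new pool.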
Line 149: Line 120:
  
 ==== Multi-client ==== ==== Multi-client ====
 +Generate [[docs:guide-user:services:vpn:openconnect:server#key_management|password hash]] for a new VPN client.
 Set up multi-client VPN server. Set up multi-client VPN server.
 Use unique credentials for each client. Use unique credentials for each client.
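Review bot: the added sentence "Generate password hash for a new VPN client." sits before "Set up multi-client VPN server.", so the section now opens with a step rather than its purpose. Move it after the two existing sentences, and name the variable the linked key_management section produces, since the code block in the next hunk reads ''${VPN_HASH}'' without explaining where it comes from.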
Line 154: Line 126:
 <code bash> <code bash>
 # Configure VPN service # Configure VPN service
 +VPN_USER="USERNAME1"
 +VPN_PASS="PASSWORD1"
 uci -q delete ocserv.client1 uci -q delete ocserv.client1
 uci set ocserv.client1="ocservusers" uci set ocserv.client1="ocservusers"
-uci set ocserv.client1.name="USERNAME1+uci set ocserv.client1.name="${VPN_USER}
-uci set ocserv.client1.password="PASSWORD_HASH1"+uci set ocserv.client1.password="${VPN_HASH}"
 uci commit ocserv uci commit ocserv
-/etc/init.d/ocserv restart+service ocserv restart
 </code> </code>
  
Line 166: Line 140:
  
 <code bash> <code bash>
-URL="https://openwrt.org/_export/code/docs/guide-user/services/vpn/openconnect+URL="https://openwrt.org/_export/code/docs/guide-user/services/vpn/openconnect/server"
-alias uclient-fetch="uclient-fetch --no-check-certificate"+
 cat << EOF > openconnect-server.sh cat << EOF > openconnect-server.sh
-$(uclient-fetch -O - "${URL}/server?codeblock=0"+$(wget -U "" -O - "${URL}?codeblock=0"
-$(uclient-fetch -O - "${URL}/extras?codeblock=4") +$(wget -U "" -O - "${URL}?codeblock=1") 
-$(uclient-fetch -O - "${URL}/server?codeblock=1") +$(wget -U "" -O - "${URL}?codeblock=2") 
-$(uclient-fetch -O - "${URL}/server?codeblock=2")+$(wget -U "" -O - "${URL}?codeblock=3")
 EOF EOF
 sh openconnect-server.sh sh openconnect-server.sh
 </code> </code>
  
  • Last modified: 2024/10/17 17:30
  • by andrewz