Differences

Old: docs:guide-user:services:vpn:openconnect:extras [2023/01/21 18:01] – [IPv6 gateway] update link (vgaetera)
New: docs:guide-user:services:vpn:openconnect:extras [2024/10/16 20:06] – [Default gateway] (andrewz)
Line 5: Line 5:
   * This how-to describes the most common [[wp>OpenConnect|OpenConnect]] tuning scenarios adapted for OpenWrt.   * This how-to describes the most common [[wp>OpenConnect|OpenConnect]] tuning scenarios adapted for OpenWrt.
   * Follow [[docs:guide-user:services:vpn:openconnect:server|OpenConnect server]] for server setup and [[docs:guide-user:services:vpn:openconnect:client|OpenConnect client]] for client setup.   * Follow [[docs:guide-user:services:vpn:openconnect:server|OpenConnect server]] for server setup and [[docs:guide-user:services:vpn:openconnect:client|OpenConnect client]] for client setup.
-  * Follow [[docs:guide-user:network:tunneling_interface_protocols#protocol_openconnect_openconnect_vpn|OpenConnect protocol]] for protocol-specific interface options.+  * Follow [[docs:guide-user:network:tunneling_interface_protocols#protocol_openconnect_openconnect_vpn|OpenConnect protocol]] for client configuration.
   * Follow [[docs:guide-user:services:ddns:client|DDNS client]] to use own server with dynamic IP address.   * Follow [[docs:guide-user:services:ddns:client|DDNS client]] to use own server with dynamic IP address.
   * Follow [[docs:guide-user:services:rng|Random generator]] to overcome low entropy issues.   * Follow [[docs:guide-user:services:rng|Random generator]] to overcome low entropy issues.
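Review bot: the new link text "for client configuration" on the third bullet is less specific than the wording it replaces and now reads like a duplicate of the "OpenConnect client" link in the bullet just above, while the anchor still points at the protocol section of the tunneling interface page; suggest keeping a phrase that names what that page actually covers, e.g. "for protocol-specific interface options", so the two links are distinguishable.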
Line 12: Line 12:
 ==== References ==== ==== References ====
   * [[https://www.infradead.org/openconnect/|OpenConnect official site]]   * [[https://www.infradead.org/openconnect/|OpenConnect official site]]
-  * [[https://ocserv.gitlab.io/www/manual.html|ocserv OpenConnect server documentation]]+  * [[https://ocserv.gitlab.io/www/manual.html|ocserv server documentation]]
   * [[https://github.com/openwrt/packages/tree/master/net/ocserv|OpenConnect configuration examples]]   * [[https://github.com/openwrt/packages/tree/master/net/ocserv|OpenConnect configuration examples]]
  
 ==== Web interface ==== ==== Web interface ====
-If you want to manage VPN settings using web interface+If you want to manage VPN server settings using web interface:
-Install the necessary packages.+
  
 <code bash> <code bash>
Line 23: Line 22:
 opkg update opkg update
 opkg install luci-app-ocserv opkg install luci-app-ocserv
-/etc/init.d/rpcd restart+service rpcd restart
 </code> </code>
  
 Navigate to **LuCI -> VPN -> OpenConnect VPN** to configure OpenConnect server. Navigate to **LuCI -> VPN -> OpenConnect VPN** to configure OpenConnect server.
 +
 +If you want to configure VPN client using web interface:
  
 <code bash> <code bash>
Line 32: Line 33:
 opkg update opkg update
 opkg install luci-proto-openconnect opkg install luci-proto-openconnect
-/etc/init.d/rpcd restart+service rpcd restart
 </code> </code>
  
 Navigate to **LuCI -> Network -> Interfaces** to configure OpenConnect client. Navigate to **LuCI -> Network -> Interfaces** to configure OpenConnect client.
  
-==== Dynamic connection ==== +==== Commercial provider ==== 
-{{section>docs:guide-user:services:vpn:wireguard:extras#dynamic_connection&noheader&nofooter&noeditbutton}} +Fetch server certificate from remote VPN server. 
- +Beware of possible MITM.
-==== Certificate hash ==== +
-Generate certificate hash.+
  
 <code bash> <code bash>
-# Install packages +openssl s_client -showcerts -connect ${VPN_SERV}:${VPN_PORT} 
-opkg update +/dev/null > server-cert.pem
-opkg install openssl-util +
- +
-# Generate certificate hash +
-OC_HASH="$(echo pin-sha256:\ +
-$(openssl x509 -in /etc/ocserv/server-cert.pem -pubkey -noout \ +
-| openssl pkey -pubin -outform der \ +
-| openssl dgst -sha256 -binary \ +
-| openssl enc -base64))" +
- +
-# Fetch certificate hash +
-echo ${OC_HASH}+
 </code> </code>
  
-==== Password hash ==== 
-Generate password hash. 
  
-<code bash> +==== Dynamic connection ==== 
-# Generate password hash +{{section>docs:guide-user:services:vpn:wireguard:extras#dynamic_connection&noheader&nofooter&noeditbutton}}
-OC_USER="USERNAME" +
-OC_PASS="PASSWORD" +
-ocpasswd ${OC_USER} << EOF +
-${OC_PASS} +
-${OC_PASS} +
-EOF +
-OC_HASH="$(sed -n -e "/^${OC_USER}:.*:/s///p" /etc/ocserv/ocpasswd)"+
  
-# Fetch password hash +==== Default gateway ==== 
-echo ${OC_HASH} +Disable gateway redirection in the client if you don'need to route all traffic through VPN.
-</code> +
- +
-==== Disable gateway redirection ==== +
-If you do not need to redirect all traffic to VPN+
-Disable gateway redirection on VPN client.+
  
 <code bash> <code bash>
-# Configure VPN service 
 uci set network.vpn.defaultroute="0" uci set network.vpn.defaultroute="0"
 uci commit network uci commit network
-/etc/init.d/network restart+service network restart
 </code> </code>
  
 ==== Split gateway ==== ==== Split gateway ====
 If VPN gateway is separate from your LAN gateway. If VPN gateway is separate from your LAN gateway.
-Implement plain routing between LAN network and VPN network assuming that:+Implement plain routing between LAN and VPN networks assuming that:
   * ''192.168.1.0/24'' - LAN network   * ''192.168.1.0/24'' - LAN network
   * ''192.168.1.2/24'' - VPN gateway   * ''192.168.1.2/24'' - VPN gateway
-  * ''192.168.7.0/24'' - VPN network+  * ''192.168.9.0/24'' - VPN network
  
 Add port forwarding for VPN server on LAN gateway. Add port forwarding for VPN server on LAN gateway.
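Review bot: in the new Commercial provider block the line `openssl s_client -showcerts -connect ${VPN_SERV}:${VPN_PORT} /dev/null > server-cert.pem` has no `<` before `/dev/null`; without the stdin redirect s_client stays open after the handshake waiting for input instead of exiting, so if the wiki source carries `< /dev/null` the `<` was lost in rendering and should be checked. Two caveats on the same block: `-showcerts` writes the whole chain plus the handshake transcript into server-cert.pem, so piping the output through `openssl x509` to keep only the leaf gives a cleaner file, and since this is trust-on-first-use the "Beware of possible MITM" sentence would be more actionable if it told the reader to compare the fetched certificate's fingerprint with one published by the provider out of band. `VPN_SERV` and `VPN_PORT` are also not set anywhere in this hunk, and the Default gateway paragraph has a typo, "don'need" for "don't need".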
Line 108: Line 81:
 uci set firewall.oc.target="DNAT" uci set firewall.oc.target="DNAT"
 uci commit firewall uci commit firewall
-/etc/init.d/firewall restart+service firewall restart
 </code> </code>
  
Line 117: Line 90:
 uci set network.vpn="route" uci set network.vpn="route"
 uci set network.vpn.interface="lan" uci set network.vpn.interface="lan"
-uci set network.vpn.target="192.168.7.0/24"+uci set network.vpn.target="192.168.9.0/24"
 uci set network.vpn.gateway="192.168.1.2" uci set network.vpn.gateway="192.168.1.2"
 uci commit network uci commit network
-/etc/init.d/network restart+service network restart
 </code> </code>
  
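Review bot: `uci set network.vpn="route"` creates or retypes a section named `vpn`, the same section name the Default gateway block uses for the client interface (`network.vpn.defaultroute`); on a device that carries both configurations the second command silently turns the interface section into a route. This route is meant for the LAN gateway rather than the VPN client, so the collision may not arise in practice, but a distinct section name such as `vpn_route` removes the risk. The updated target `192.168.9.0/24` now matches the assumptions list above.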
 ==== IPv6 gateway ==== ==== IPv6 gateway ====
-Set up an [[docs:guide-user:network:ipv6:ipv6_henet|IPv6 tunnel broker]] or [[docs:guide-user:network:ipv6:ipv6.nat6|IPv6 masquerading]] if necessary.+Set up [[docs:guide-user:network:ipv6:ipv6_henet|IPv6 tunnel broker]] or use [[docs:guide-user:firewall:fw3_configurations:fw3_nat#ipv6_nat|IPv6 NAT or NPT]] if necessary.
 Enable IPv6 tunnel on VPN server, offer IPv6 DNS, redirect IPv6 gateway. Enable IPv6 tunnel on VPN server, offer IPv6 DNS, redirect IPv6 gateway.
  
 <code bash> <code bash>
-OC_POOL6="fdf1:e8a1:8d3f:7::/64" +VPN_POOL6="fd00:9::/64" 
-OC_DNS6="${OC_POOL6%/*}1" +VPN_DNS6="${VPN_POOL6%:*}:1" 
-uci set ocserv.config.ip6addr="${OC_POOL6}"+uci set ocserv.config.ip6addr="${VPN_POOL6}"
 uci -q delete ocserv.dns6 uci -q delete ocserv.dns6
 uci set ocserv.dns6="dns" uci set ocserv.dns6="dns"
-uci set ocserv.dns6.ip="${OC_DNS6}"+uci set ocserv.dns6.ip="${VPN_DNS6}"
 uci commit ocserv uci commit ocserv
-/etc/init.d/ocserv restart+service ocserv restart
 </code> </code>
  
-Disable [[docs:guide-user:network:ipv6:ipv6_extras#disabling_ipv6_source_routing|IPv6 source routing]] on VPN server. 
 Disable [[docs:guide-user:network:ipv6:ipv6_extras#disabling_gua_prefix|ISP prefix delegation]] to prevent IPv6 leaks on VPN client. Disable [[docs:guide-user:network:ipv6:ipv6_extras#disabling_gua_prefix|ISP prefix delegation]] to prevent IPv6 leaks on VPN client.
  
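Review bot: the diff drops the line "Disable IPv6 source routing on VPN server" without a replacement, leaving only the client-side ISP prefix delegation step; if the ipv6_extras#disabling_ipv6_source_routing section still exists the server-side hardening step should stay, and if that section was removed the change summary should say so. The rewritten `VPN_DNS6="${VPN_POOL6%:*}:1"` does yield `fd00:9::1` for the new pool, but like the previous form it only works when the pool is written with a trailing `::`, which is worth a comment since the variable is meant to be edited.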
Line 148: Line 120:
  
 ==== Multi-client ==== ==== Multi-client ====
 +Generate [[docs:guide-user:services:vpn:openconnect:server#key_management|password hash]] for a new VPN client.
 Set up multi-client VPN server. Set up multi-client VPN server.
 Use unique credentials for each client. Use unique credentials for each client.
Line 153: Line 126:
 <code bash> <code bash>
 # Configure VPN service # Configure VPN service
 +VPN_USER="USERNAME1"
 +VPN_PASS="PASSWORD1"
 uci -q delete ocserv.client1 uci -q delete ocserv.client1
 uci set ocserv.client1="ocservusers" uci set ocserv.client1="ocservusers"
-uci set ocserv.client1.name="USERNAME1+uci set ocserv.client1.name="${VPN_USER}
-uci set ocserv.client1.password="PASSWORD_HASH1"+uci set ocserv.client1.password="${VPN_HASH}"
 uci commit ocserv uci commit ocserv
-/etc/init.d/ocserv restart+service ocserv restart
 </code> </code>
  
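Review bot: the block now sets `VPN_USER` and `VPN_PASS` but writes `${VPN_HASH}` into `ocserv.client1.password`, and nothing in this hunk assigns `VPN_HASH`; run on its own the block stores an empty password for the client and `VPN_PASS` is never consumed. Either include the hash-generation step from the linked key management section here, fed from `VPN_PASS`, or drop `VPN_PASS` and state that `VPN_HASH` must be set first. As rendered, the name line `uci set ocserv.client1.name="${VPN_USER}` also lacks its closing quote on both sides of the diff; worth confirming the wiki source has it.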
Line 165: Line 140:
  
 <code bash> <code bash>
-URL="https://openwrt.org/_export/code/docs/guide-user/services/vpn/openconnect"+URL="https://openwrt.org/_export/code/docs/guide-user/services/vpn/openconnect/server"
 cat << EOF > openconnect-server.sh cat << EOF > openconnect-server.sh
-$(uclient-fetch -O - "${URL}/server?codeblock=0"+$(wget -U "" -O - "${URL}?codeblock=0"
-$(uclient-fetch -O - "${URL}/extras?codeblock=4") +$(wget -U "" -O - "${URL}?codeblock=1") 
-$(uclient-fetch -O - "${URL}/server?codeblock=1") +$(wget -U "" -O - "${URL}?codeblock=2") 
-$(uclient-fetch -O - "${URL}/server?codeblock=2")+$(wget -U "" -O - "${URL}?codeblock=3")
 EOF EOF
 sh openconnect-server.sh sh openconnect-server.sh
 </code> </code>
  
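Review bot: as rendered, the first substitution `$(wget -U "" -O - "${URL}?codeblock=0"` has no closing `)` on either side of the diff, which would leave the command substitution inside the heredoc unterminated; confirm the wiki source carries the `)`. The renumbering to `codeblock=0..3` on the server page is consistent with the certificate and password hash blocks having moved off this page, but the indices are positional, so any later edit that adds or removes a code block on the server page silently changes which snippets get concatenated and run; a comment naming the intended section beside each index, or a `cat openconnect-server.sh` step before `sh openconnect-server.sh`, would make that failure visible. Since the fetched text is executed as root, it is also worth stating that the `wget` in use must verify the TLS certificate (uclient-fetch does so only when a CA bundle is installed).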
  • Last modified: 2024/10/17 17:30
  • by andrewz