Differences
| Older revision | Newer revision | | |
| docs:guide-user:services:vpn:openconnect:extras [2023/03/14 18:38] – [Introduction] vgaetera | docs:guide-user:services:vpn:openconnect:extras [2024/10/16 20:06] – [Default gateway] andrewz | ||
|---|---|---|---|
| Line 5: | Line 5: | ||
| * This how-to describes the most common [[wp> | * This how-to describes the most common [[wp> | ||
| * Follow [[docs: | * Follow [[docs: | ||
| - | * Follow [[docs: | + | * Follow [[docs: |
| * Follow [[docs: | * Follow [[docs: | ||
| * Follow [[docs: | * Follow [[docs: | ||
| Line 12: | Line 12: | ||
| ==== References ==== | ==== References ==== | ||
| * [[https:// | * [[https:// | ||
| - | * [[https:// | + | * [[https:// |
| * [[https:// | * [[https:// | ||
| ==== Web interface ==== | ==== Web interface ==== | ||
| - | If you want to manage VPN settings using web interface. | + | If you want to manage VPN server |
| - | Install the necessary packages. | + | |
| <code bash> | <code bash> | ||
| Line 23: | Line 22: | ||
| opkg update | opkg update | ||
| opkg install luci-app-ocserv | opkg install luci-app-ocserv | ||
| - | / | + | service |
| </ | </ | ||
| Navigate to **LuCI -> VPN -> OpenConnect VPN** to configure OpenConnect server. | Navigate to **LuCI -> VPN -> OpenConnect VPN** to configure OpenConnect server. | ||
| + | |||
| + | If you want to configure VPN client using web interface: | ||
| <code bash> | <code bash> | ||
| Line 32: | Line 33: | ||
| opkg update | opkg update | ||
| opkg install luci-proto-openconnect | opkg install luci-proto-openconnect | ||
| - | / | + | service |
| </ | </ | ||
| Navigate to **LuCI -> Network -> Interfaces** to configure OpenConnect client. | Navigate to **LuCI -> Network -> Interfaces** to configure OpenConnect client. | ||
| - | ==== Dynamic connection | + | ==== Commercial provider |
| - | {{section> | + | Fetch server certificate from remote VPN server. |
| - | + | Beware of possible MITM. | |
| - | ==== Certificate hash ==== | + | |
| - | Generate certificate hash. | + | |
| <code bash> | <code bash> | ||
| - | # Install packages | + | openssl |
| - | opkg update | + | < /dev/null > server-cert.pem |
| - | opkg install | + | |
| - | + | ||
| - | # Fetch certificate hash | + | |
| - | VPN_HASH=" | + | |
| - | $(openssl x509 -in /etc/ocserv/ | + | |
| - | | openssl pkey -pubin -outform der \ | + | |
| - | | openssl dgst -sha256 -binary \ | + | |
| - | | openssl enc -base64))" | + | |
| - | + | ||
| - | # Show certificate hash | + | |
| - | echo ${VPN_HASH} | + | |
| </ | </ | ||
| - | ==== Password hash ==== | ||
| - | Generate password hash. | ||
| - | <code bash> | + | ==== Dynamic connection ==== |
| - | # Fetch password hash | + | {{section> |
| - | VPN_USER=" | + | |
| - | VPN_PASS=" | + | |
| - | ocpasswd ${VPN_USER} << EOI | + | |
| - | ${VPN_PASS} | + | |
| - | ${VPN_PASS} | + | |
| - | EOI | + | |
| - | VPN_HASH=" | + | |
| - | # Show password hash | + | ==== Default |
| - | echo ${VPN_HASH} | + | Disable gateway redirection in the client if you don' |
| - | </ | + | |
| - | + | ||
| - | ==== Disable | + | |
| - | If you do not need to redirect | + | |
| - | Disable gateway redirection on VPN client. | + | |
| <code bash> | <code bash> | ||
| - | # Configure VPN service | ||
| uci set network.vpn.defaultroute=" | uci set network.vpn.defaultroute=" | ||
| uci commit network | uci commit network | ||
| - | / | + | service |
| </ | </ | ||
| ==== Split gateway ==== | ==== Split gateway ==== | ||
| If VPN gateway is separate from your LAN gateway. | If VPN gateway is separate from your LAN gateway. | ||
| - | Implement plain routing between LAN network | + | Implement plain routing between LAN and VPN networks |
| * '' | * '' | ||
| * '' | * '' | ||
| - | * '' | + | * '' |
| Add port forwarding for VPN server on LAN gateway. | Add port forwarding for VPN server on LAN gateway. | ||
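Review bot: the new Commercial provider block fetches the server certificate straight from the remote with `openssl ... < /dev/null > server-cert.pem` and only warns "Beware of possible MITM.", while the same change deletes the Certificate hash section whose `openssl x509 ... | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64` pipeline produced the base64 SHA-256 public-key hash that a client can pin. Suggest keeping a verification step next to the fetch: compute that hash over the saved server-cert.pem and compare it with a value obtained from the provider through a trusted channel before the certificate is used; otherwise the first connection is trust-on-first-use and the MITM warning has no actionable follow-up.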
| Line 108: | Line 81: | ||
| uci set firewall.oc.target=" | uci set firewall.oc.target=" | ||
| uci commit firewall | uci commit firewall | ||
| - | / | + | service |
| </ | </ | ||
| Line 117: | Line 90: | ||
| uci set network.vpn=" | uci set network.vpn=" | ||
| uci set network.vpn.interface=" | uci set network.vpn.interface=" | ||
| - | uci set network.vpn.target=" | + | uci set network.vpn.target=" |
| uci set network.vpn.gateway=" | uci set network.vpn.gateway=" | ||
| uci commit network | uci commit network | ||
| - | / | + | service |
| </ | </ | ||
| ==== IPv6 gateway ==== | ==== IPv6 gateway ==== | ||
| - | Set up an [[docs: | + | Set up [[docs: |
| Enable IPv6 tunnel on VPN server, offer IPv6 DNS, redirect IPv6 gateway. | Enable IPv6 tunnel on VPN server, offer IPv6 DNS, redirect IPv6 gateway. | ||
| <code bash> | <code bash> | ||
| - | VPN_POOL6=" | + | VPN_POOL6=" |
| - | VPN_DNS6=" | + | VPN_DNS6=" |
| uci set ocserv.config.ip6addr=" | uci set ocserv.config.ip6addr=" | ||
| uci -q delete ocserv.dns6 | uci -q delete ocserv.dns6 | ||
| Line 135: | Line 108: | ||
| uci set ocserv.dns6.ip=" | uci set ocserv.dns6.ip=" | ||
| uci commit ocserv | uci commit ocserv | ||
| - | / | + | service |
| </ | </ | ||
| Line 147: | Line 120: | ||
| ==== Multi-client ==== | ==== Multi-client ==== | ||
| + | Generate [[docs: | ||
| Set up multi-client VPN server. | Set up multi-client VPN server. | ||
| Use unique credentials for each client. | Use unique credentials for each client. | ||
| Line 152: | Line 126: | ||
| <code bash> | <code bash> | ||
| # Configure VPN service | # Configure VPN service | ||
| + | VPN_USER=" | ||
| + | VPN_PASS=" | ||
| uci -q delete ocserv.client1 | uci -q delete ocserv.client1 | ||
| uci set ocserv.client1=" | uci set ocserv.client1=" | ||
| - | uci set ocserv.client1.name=" | + | uci set ocserv.client1.name=" |
| - | uci set ocserv.client1.password=" | + | uci set ocserv.client1.password=" |
| uci commit ocserv | uci commit ocserv | ||
| - | / | + | service |
| </ | </ | ||
| Line 164: | Line 140: | ||
| <code bash> | <code bash> | ||
| - | URL=" | + | URL=" |
| cat << EOF > openconnect-server.sh | cat << EOF > openconnect-server.sh | ||
| - | $(uclient-fetch -O - " | + | $(wget -U "" |
| - | $(uclient-fetch -O - " | + | $(wget -U "" |
| - | $(uclient-fetch -O - " | + | $(wget -U "" |
| - | $(uclient-fetch -O - " | + | $(wget -U "" |
| EOF | EOF | ||
| sh openconnect-server.sh | sh openconnect-server.sh | ||
| </ | </ | ||