| docs:guide-user:services:vpn:openconnect:extras [2023/10/06 05:15] – [Disable gateway redirection] update vgaetera | docs:guide-user:services:vpn:openconnect:extras [2024/10/16 20:06] – [Default gateway] andrewz | ||
|---|---|---|---|
| Line 4: | Line 4: | ||
| ===== Introduction ===== | ===== Introduction ===== | ||
| * This how-to describes the most common [[wp> | * This how-to describes the most common [[wp> | ||
| - | * Follow [[docs: | + | * Follow [[docs: |
| * Follow [[docs: | * Follow [[docs: | ||
| * Follow [[docs: | * Follow [[docs: | ||
| Line 16: | Line 16: | ||
| ==== Web interface ==== | ==== Web interface ==== | ||
| - | If you want to manage VPN settings using web interface. | + | If you want to manage VPN server |
| - | Install the necessary packages. | + | |
| <code bash> | <code bash> | ||
| Line 23: | Line 22: | ||
| opkg update | opkg update | ||
| opkg install luci-app-ocserv | opkg install luci-app-ocserv | ||
| - | / | + | service |
| </ | </ | ||
| Navigate to **LuCI -> VPN -> OpenConnect VPN** to configure OpenConnect server. | Navigate to **LuCI -> VPN -> OpenConnect VPN** to configure OpenConnect server. | ||
| + | |||
| + | If you want to configure VPN client using web interface: | ||
| <code bash> | <code bash> | ||
| Line 32: | Line 33: | ||
| opkg update | opkg update | ||
| opkg install luci-proto-openconnect | opkg install luci-proto-openconnect | ||
| - | / | + | service |
| </ | </ | ||
| Navigate to **LuCI -> Network -> Interfaces** to configure OpenConnect client. | Navigate to **LuCI -> Network -> Interfaces** to configure OpenConnect client. | ||
| + | |||
| + | ==== Commercial provider ==== | ||
| + | Fetch server certificate from remote VPN server. | ||
| + | Beware of possible MITM. | ||
| + | |||
| + | <code bash> | ||
| + | openssl s_client -showcerts -connect ${VPN_SERV}: | ||
| + | < /dev/null > server-cert.pem | ||
| + | </ | ||
| + | |||
| ==== Dynamic connection ==== | ==== Dynamic connection ==== | ||
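Review bot: in the new "Commercial provider" block, `openssl s_client -showcerts` writes the full chain plus the handshake transcript to server-cert.pem, and "Beware of possible MITM" gives the reader nothing to act on. Suggest piping the output through `openssl x509 -outform PEM` so only the leaf certificate is saved, and adding a verification step such as `openssl x509 -in server-cert.pem -noout -fingerprint -sha256` with the result compared against the fingerprint the provider publishes out of band before the file is trusted as the server certificate.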
| Line 41: | Line 52: | ||
| ==== Default gateway ==== | ==== Default gateway ==== | ||
| - | If you do not need to redirect | + | Disable gateway redirection in the client if you don' |
| - | Disable gateway redirection on VPN client. | + | |
| <code bash> | <code bash> | ||
| uci set network.vpn.defaultroute=" | uci set network.vpn.defaultroute=" | ||
| uci commit network | uci commit network | ||
| - | / | + | service |
| </ | </ | ||
| ==== Split gateway ==== | ==== Split gateway ==== | ||
| If VPN gateway is separate from your LAN gateway. | If VPN gateway is separate from your LAN gateway. | ||
| - | Implement plain routing between LAN network | + | Implement plain routing between LAN and VPN networks |
| * '' | * '' | ||
| * '' | * '' | ||
| - | * '' | + | * '' |
| Add port forwarding for VPN server on LAN gateway. | Add port forwarding for VPN server on LAN gateway. | ||
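Review bot: "Add port forwarding for VPN server on LAN gateway" does not say which protocols or port to forward, and the redirect rule itself is not shown in this hunk. ocserv serves the TLS control channel over TCP and the DTLS data channel over UDP on the same listening port (443 by default), so the forward on the LAN gateway has to cover both protocols, and it should be limited to that one port rather than exposing the VPN host more broadly.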
| Line 71: | Line 81: | ||
| uci set firewall.oc.target=" | uci set firewall.oc.target=" | ||
| uci commit firewall | uci commit firewall | ||
| - | / | + | service |
| </ | </ | ||
| Line 80: | Line 90: | ||
| uci set network.vpn=" | uci set network.vpn=" | ||
| uci set network.vpn.interface=" | uci set network.vpn.interface=" | ||
| - | uci set network.vpn.target=" | + | uci set network.vpn.target=" |
| uci set network.vpn.gateway=" | uci set network.vpn.gateway=" | ||
| uci commit network | uci commit network | ||
| - | / | + | service |
| </ | </ | ||
| Line 91: | Line 101: | ||
| <code bash> | <code bash> | ||
| - | VPN_POOL6=" | + | VPN_POOL6=" |
| - | VPN_DNS6=" | + | VPN_DNS6=" |
| uci set ocserv.config.ip6addr=" | uci set ocserv.config.ip6addr=" | ||
| uci -q delete ocserv.dns6 | uci -q delete ocserv.dns6 | ||
| Line 98: | Line 108: | ||
| uci set ocserv.dns6.ip=" | uci set ocserv.dns6.ip=" | ||
| uci commit ocserv | uci commit ocserv | ||
| - | / | + | service |
| </ | </ | ||
| Line 123: | Line 133: | ||
| uci set ocserv.client1.password=" | uci set ocserv.client1.password=" | ||
| uci commit ocserv | uci commit ocserv | ||
| - | / | + | service |
| </ | </ | ||
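Review bot: `uci set ocserv.client1.password=` stores the client password in plaintext in /etc/config/ocserv, and the value typed on the command line may also remain in the session's shell history. The section should say to use a long randomly generated value, to check the permissions on /etc/config/ocserv after `uci commit ocserv`, and to clear the history if the password was entered interactively.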