Show pagesourceOld revisionsBacklinksBack to top × Table of Contents OpenConnect server Introduction Goals Command-line instructions 1. Preparation 2. Key management 3. Firewall 4. VPN service Testing Troubleshooting OpenConnect server This article relies on the following: Accessing web interface / command-line interface Managing configs / packages / services / logs Introduction This how-to describes the method for setting up OpenConnect server on OpenWrt. Follow OpenConnect client for client setup and OpenConnect extras for additional tuning. Goals Encrypt your internet connection to enforce security and privacy. Prevent traffic leaks and spoofing on the client side. Bypass regional restrictions using commercial providers. Escape client side content filters and internet censorship. Access your LAN services remotely without port forwarding. Command-line instructions 1. Preparation Install the required packages. Specify configuration parameters for VPN server. # Install packages opkg update opkg install ocserv # Configuration parameters VPN_PORT="4443" VPN_POOL="192.168.7.0 255.255.255.0" VPN_DNS="${VPN_POOL%.* *}.1" VPN_USER="USERNAME" VPN_PASS="PASSWORD" 2. Key management Generate password hash for VPN client. # Generate password hash ocpasswd ${VPN_USER} << EOI ${VPN_PASS} ${VPN_PASS} EOI VPN_HASH="$(sed -n -e "/^${VPN_USER}:.*:/s///p" /etc/ocserv/ocpasswd)" 3. Firewall Consider VPN network as private. Assign VPN interface to LAN zone to minimize firewall setup. Allow access to VPN server from WAN zone. # Configure firewall uci rename firewall.@zone[0]="lan" uci rename firewall.@zone[1]="wan" uci del_list firewall.lan.device="vpns+" uci add_list firewall.lan.device="vpns+" uci -q delete firewall.oc uci set firewall.oc="rule" uci set firewall.oc.name="Allow-OpenConnect" uci set firewall.oc.src="wan" uci set firewall.oc.dest_port="4443" uci set firewall.oc.proto="tcp udp" uci set firewall.oc.target="ACCEPT" uci commit firewall /etc/init.d/firewall restart 4. VPN service Configure VPN service. # Configure VPN service uci -q delete ocserv.config.enable uci -q delete ocserv.config.zone uci set ocserv.config.port="${VPN_PORT}" uci set ocserv.config.ipaddr="${VPN_POOL% *}" uci set ocserv.config.netmask="${VPN_POOL#* }" uci -q delete ocserv.@routes[0] uci -q delete ocserv.@dns[0] uci set ocserv.dns="dns" uci set ocserv.dns.ip="${VPN_DNS}" uci -q delete ocserv.@ocservusers[0] uci set ocserv.client="ocservusers" uci set ocserv.client.name="${VPN_USER}" uci set ocserv.client.password="${VPN_HASH}" uci commit ocserv /etc/init.d/ocserv restart Testing Establish the VPN connection. Verify your routing with traceroute and traceroute6. traceroute openwrt.org traceroute6 openwrt.org Check your IP and DNS provider. ipleak.net dnsleaktest.com Troubleshooting Collect and analyze the following information. # Restart services /etc/init.d/log restart; /etc/init.d/ocserv restart; sleep 10 # Log and status logread -e ocserv; netstat -l -n -p | grep -e ocserv # Runtime configuration pgrep -f -a ocserv ip address show; ip route show table all ip rule show; ip -6 rule show; nft list ruleset # Persistent configuration uci show network; uci show firewall; uci show ocserv This website uses cookies. By using the website, you agree with storing cookies on your computer. Also you acknowledge that you have read and understand our Privacy Policy. If you do not agree leave the website.OKMore information about cookies Last modified: 2023/03/25 06:46by vgaetera