OpenConnect server

  • Encrypt your internet connection to enforce security and privacy.
    • Prevent data leak and traffic spoofing on the client side.
  • Bypass regional restrictions using commercial providers.
    • Escape client side content filters and internet censorship.
  • Access your LAN services remotely without port forwarding.

Set up DDNS client if required. Install the packages and specify the VPN server configuration parameters. Fetch client password hash.

# Install packages
opkg update
opkg install ocserv
 
# Configuration parameters
OC_PORT="4443"
OC_POOL="192.168.7.0 255.255.255.0"
OC_DNS="${OC_POOL%.* *}.1"
OC_USER="USERNAME"
OC_HPASS="PASSWORD_HASH"

Consider VPN network as private and assign VPN interface to LAN zone to minimize firewall setup. Allow access to VPN server from WAN zone.

# Configure firewall
uci rename firewall.@zone[0]="lan"
uci rename firewall.@zone[1]="wan"
uci del_list firewall.lan.device="vpns+"
uci add_list firewall.lan.device="vpns+"
uci -q delete firewall.oc
uci set firewall.oc="rule"
uci set firewall.oc.name="Allow-OpenConnect"
uci set firewall.oc.src="wan"
uci set firewall.oc.dest_port="4443"
uci set firewall.oc.proto="tcp udp"
uci set firewall.oc.target="ACCEPT"
uci commit firewall
/etc/init.d/firewall restart

Configure VPN service.

# Configure VPN service
uci -q delete ocserv.config.enable
uci -q delete ocserv.config.zone
uci set ocserv.config.port="${OC_PORT}"
uci set ocserv.config.ipaddr="${OC_POOL% *}"
uci set ocserv.config.netmask="${OC_POOL#* }"
uci -q delete ocserv.@routes[0]
uci -q delete ocserv.@dns[0]
uci set ocserv.dns="dns"
uci set ocserv.dns.ip="${OC_DNS}"
uci -q delete ocserv.@ocservusers[0]
uci set ocserv.client="ocservusers"
uci set ocserv.client.name="${OC_USER}"
uci set ocserv.client.password="${OC_HPASS}"
uci commit ocserv
/etc/init.d/ocserv restart

Establish the VPN connection. Verify your client traffic is routed via VPN gateway.

traceroute openwrt.org
traceroute6 openwrt.org

Check your client public IP addresses.

Make sure there is no DNS leak on the client side.

Delegate a public IPv6 prefix to VPN6 network to use IPv6 by default.

Collect and analyze the following information.

# Restart services
/etc/init.d/log restart; /etc/init.d/ocserv restart; sleep 10
 
# Log and status
logread -e ocserv; netstat -l -n -p | grep -e ocserv
 
# Runtime configuration
pgrep -f -a ocserv
ip address show; ip route show table all
ip rule show; ip -6 rule show; iptables-save; ip6tables-save
 
# Persistent configuration
uci show network; uci show firewall; uci show ocserv
This website uses cookies. By using the website, you agree with storing cookies on your computer. Also you acknowledge that you have read and understand our Privacy Policy. If you do not agree leave the website.More information about cookies
  • Last modified: 2020/11/28 11:14
  • by vgaetera