Differences
This shows you the differences between two versions of the page.
| docs:guide-user:services:vpn:openconnect [2020/10/05 01:46] – [Basic Configuration: Router as SERVER] update vgaetera | docs:guide-user:services:vpn:openconnect:server [2024/10/17 17:27] (current) – web based config andrewz | ||
|---|---|---|---|
| Line 1: | Line 1: | ||
| - | ====== OpenConnect ====== | + | ====== OpenConnect |
| - | OpenConnect is an SSL-based VPN client which is inter-operable with the commercial products Cisco AnyConnect, Juniper Pulse Connect Secure, and Palo Alto Networks GlobalProtect. | + | {{section> |
| - | This is a beginner' | + | ===== Introduction ===== |
| + | * This how-to describes the method for setting up [[wp>OpenConnect|OpenConnect]] server | ||
| + | * Follow [[docs: | ||
| - | The primary goal of this HOWTO is to get a working OpenConnect tunnel with the least amount of compatability issues. Note that the instructions provided [[https:// | + | ===== Goals ===== |
| + | {{section> | ||
| - | For an overview of all VPN-related articles (including other VPN technologies), | + | ===== Command-line instructions ===== |
| + | ==== 1. Preparation ==== | ||
| + | Install the required packages. | ||
| + | Specify configuration parameters for VPN server. | ||
| - | ===== Use Case (the beginner' | + | <code bash> |
| - | The user wants a client to access their OpenWrt router and the network it supports on the back securely with a minimum of compatibility issues and minimum configuration fuss. The client can be a mobile user roaming on a mobile network OR at a public wifi hotspot, and wants to EITHER secure their traffic from eavesdropping, | + | # Install packages |
| + | opkg update | ||
| + | opkg install ocserv | ||
| - | The end result will be an encrypted connection directly between the client (on the WAN side) and LAN side of the OpenWRT, such that the client effectively has access to the LAN side as if they were local, PLUS the benefits of their OpenWRT firewall for browsing the Internet. | + | # Configuration parameters |
| + | VPN_PORT=" | ||
| + | VPN_POOL=" | ||
| + | VPN_DNS=" | ||
| + | VPN_USER=" | ||
| + | VPN_PASS=" | ||
| + | </ | ||
| - | Note that this is a FULL tunnel, meaning all traffic is routed through the VPN once connected. This is, in my opinion, the only type of tunnel to use, as a split tunnel is inherently insecure. You cannot, | + | ==== 2. Key management ==== |
| + | Generate password hash for VPN client. | ||
| - | ===== Why use OpenConnect ===== | + | <code bash> |
| - | 1) Your network provider is BLOCKING IPSEC traffic. This is apparently POLICY for mobile carriers, though they deny it. OpenConnect is SSL. | + | # Generate password hash |
| - | 2) Your client only supports AnyConnect or the OpenConnect Client. | + | ocpasswd ${VPN_USER} << EOI |
| - | 3) You just want a secure SSL-based VPN to your LAN. | + | ${VPN_PASS} |
| - | The official site for Openconnect is [[http://www.infradead.org/openconnect/|Here]] | + | ${VPN_PASS} |
| + | EOI | ||
| + | VPN_HASH=" | ||
| + | </code> | ||
| - | ===== Basic Configuration: | + | ==== 3. Firewall |
| - | You will want the following packages: [[packages: | + | Consider VPN network as private. |
| + | Assign VPN interface to LAN zone to minimize firewall setup. | ||
| + | Allow access to VPN server from WAN zone. | ||
| - | One of the easiest setups is to configure the VPN as a pseudo-bridge with Proxy ARP. What this means is that you will connect and be on the LAN side of your router with no additional routing needed, as if you were there. The configuration is described in this recipe[[http://www.infradead.org/ | + | <code bash> |
| + | # Configure firewall | ||
| + | uci rename firewall.@zone[0]=" | ||
| + | uci rename firewall.@zone[1]=" | ||
| + | uci del_list firewall.lan.device=" | ||
| + | uci add_list firewall.lan.device=" | ||
| + | uci -q delete firewall.oc | ||
| + | uci set firewall.oc=" | ||
| + | uci set firewall.oc.name=" | ||
| + | uci set firewall.oc.src=" | ||
| + | uci set firewall.oc.dest_port=" | ||
| + | uci set firewall.oc.proto=" | ||
| + | uci set firewall.oc.target=" | ||
| + | uci commit firewall | ||
| + | service firewall restart | ||
| + | </ | ||
| - | Router is configured at 192.168.1.1 | + | ==== 4. VPN service ==== |
| - | DHCP hosts are configured to use the range 192.168.1.2-192.168.1.50 | + | Configure |
| - | You want your VPN hosts to use the range 192.168.1.100 and have only 1-2 hosts connecting at any given time | + | |
| - | 1) Edit / | + | <code bash> |
| - | | + | # Configure VPN service |
| - | | + | uci -q delete |
| - | option port ' | + | uci -q delete ocserv.config.zone |
| - | | + | uci set ocserv.config.port=" |
| - | option ipaddr '192.168.1.100' | + | uci set ocserv.config.ipaddr=" |
| - | option zone ' | + | uci set ocserv.config.netmask=" |
| - | This will put your VPN clients at 192.168.1.100+. Note that the netmask | + | uci -q delete ocserv.@routes[0] |
| - | NOTE: the above suggests port 443 as the preferred port. This is to support MOBILE clients. | + | uci -q delete ocserv.@dns[0] |
| - | Many mobile network operators are blocking other ports (despite the FCC open internet order), | + | uci set ocserv.dns=" |
| - | but they cannot block port 443, therefore 443 is more likely to work for the majority of mobil users. | + | uci set ocserv.dns.ip=" |
| - | | + | uci -q delete ocserv.@ocservusers[0] |
| - | 2) Add your DNS server | + | uci set ocserv.client=" |
| + | uci set ocserv.client.name=" | ||
| + | uci set ocserv.client.password=" | ||
| + | uci commit ocserv | ||
| + | service ocserv restart | ||
| + | </ | ||
| - | | + | ===== Web-based configuration ===== |
| - | | + | |
| - | + | ||
| - | 3) Edit / | + | |
| - | config rule | + | |
| - | option name 'Allow SSL vpn in (tcp)' | + | |
| - | option src ' | + | |
| - | option proto ' | + | |
| - | option dest_port ' | + | |
| - | option target ' | + | |
| - | + | ||
| - | config rule | + | |
| - | option name 'Allow SSL vpn in (udp)' | + | |
| - | option src ' | + | |
| - | option proto ' | + | |
| - | option dest_port ' | + | |
| - | option target ' | + | |
| - | + | ||
| - | What this does is accept traffic for SSL on the WAN side. | + | |
| - | 4) Add the following | + | If you want to manage VPN server settings using web interface: |
| - | iptables -A input_rule -i vpns+ -j ACCEPT | + | <code bash> |
| - | | + | # Install packages |
| - | | + | opkg update |
| - | | + | opkg install luci-app-ocserv |
| + | service rpcd restart | ||
| + | </ | ||
| - | What these do is allow traffic from the VPN interface(s). | + | Navigate to **LuCI -> VPN -> OpenConnect VPN** to configure OpenConnect server. |
| - | Lastly: | ||
| - | 5) Edit / | ||
| - | | ||
| - | Then type sysctl | + | ===== Testing ===== |
| + | {{section> | ||
| - | 5) Add users(and passwords) to your OpenConnect service. I find LUCI to be pretty easy to use for all of these steps. | + | ===== Troubleshooting ===== |
| + | Collect | ||
| - | FINALLY: | + | <code bash> |
| - | That' | + | # Restart |
| + | service | ||
| + | |||
| + | # Log and status | ||
| + | logread -e ocserv; netstat -l -n -p | grep -e ocserv | ||
| + | |||
| + | # Runtime configuration | ||
| + | pgrep -f -a ocserv | ||
| + | ip address show; ip route show table all | ||
| + | ip rule show; ip -6 rule show; nft list ruleset | ||
| + | |||
| + | # Persistent configuration | ||
| + | uci show network; uci show firewall; uci show ocserv | ||
| + | </ | ||
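Review bot: in the added "2. Key management" block, the plaintext password is assigned to VPN_PASS at an interactive shell (the `VPN_PASS="` line under "Configuration parameters") and then fed to `ocpasswd ${VPN_USER} << EOI` twice, once for the prompt and once for the confirmation; a literal password typed on the command line lands in the shell history, so the step should either read it silently (`read -r -s VPN_PASS` works in BusyBox ash) or just run ocpasswd interactively and capture the hash afterwards. Two smaller points on the same lines: the user name is expanded unquoted (`"${VPN_USER}"` would be the usual form, matching how the other variables are quoted), and the `VPN_HASH="` assignment is cut off in this rendered diff, so the command that extracts the hash for the later `uci set ocserv.client.password="` line cannot be checked here.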
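Review bot: in the added "3. Firewall" block, the single `firewall.oc` rule replaces the two rules the removed text carried ("Allow SSL vpn in (tcp)" and "Allow SSL vpn in (udp)"); ocserv serves TLS over TCP and DTLS over UDP on the same port, so `firewall.oc.proto` must list both or DTLS will never be offered and clients fall back to TCP only. The value is truncated in this rendering, so it cannot be verified against VPN_PORT, and the page should state that both protocols are opened. Two related points: `uci rename firewall.@zone[0]` / `@zone[1]` assumes the default zone order (lan first, wan second), which is worth saying since it silently misfires on a customised firewall config; and `uci add_list firewall.lan.device=` puts the VPN interface into the lan zone, which gives every remote user the same trust as a LAN host, including access to the router's own services. The prose ("Consider VPN network as private") shows this is intended, but a one-line note that a dedicated zone with forwarding to lan is the alternative for a less-trusted client population would make the trade-off explicit.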