Comparison of two revisions of docs:guide-user:services:vpn:openconnect:server:
  * Previous revision: docs:guide-user:services:vpn:openconnect:server [2020/10/17 06:50] – [Server] optimize code, by vgaetera
  * Next revision: docs:guide-user:services:vpn:openconnect:server [2023/03/25 10:46] – [2. Key management], by vgaetera
Line 1: Line 1:
-====== OpenConnect server ======  +====== OpenConnect server ====== 
-OpenConnect is an SSL-based VPN client which is inter-operable with the commercial products Cisco AnyConnect, Juniper Pulse Connect Secure, and Palo Alto Networks GlobalProtect. +{{section>meta:infobox:howto_links#basic_skills&noheader&nofooter&noeditbutton}}
-(GlobalProtect mode is new in OpenConnect 8.0 and is not yet fully integrated into OpenWrt). +
-A companion VPN server ''ocserv'' which implements the AnyConnect protocol is also available for OpenWrt. +
-The rest of this page describes the ocserv server. +
-To set up an OpenConnect client, see [[docs:guide-user:services:vpn:openconnect:client]].+
  
-This is a beginner's guide to setting up OpenConnect as a SERVICE (ocserv) on OpenWRT for use with a client running either the OpenConnect client or Cisco's Anyconnect.+===== Introduction ===== 
 +  * This how-to describes the method for setting up [[wp>OpenConnect|OpenConnect]] server on OpenWrt. 
 +  * Follow [[docs:guide-user:services:vpn:openconnect:client|OpenConnect client]] for client setup and [[docs:guide-user:services:vpn:openconnect:extras|OpenConnect extras]] for additional tuning.
  
-The primary goal of this HOWTO is to get a working OpenConnect tunnel with the least amount of compatability issues. Note that the instructions provided [[https://github.com/openwrt/packages/tree/master/net/ocserv|here]] did NOT WORK for me, and it seemed like there is an easier, more elegant solution as described in the [[http://www.infradead.org/ocserv/recipes-ocserv-pseudo-bridge.html|OpenConnect documentation on Pseudo-Bridging]].+===== Goals ===== 
 +{{section>docs:guide-user:services:vpn:wireguard:server#goals&noheader&nofooter&noeditbutton}}
  
-===== Use case (the beginner's configuration) ===== +===== Command-line instructions ===== 
-The user wants a client to access their OpenWrt router and the network it supports on the back securely with a minimum of compatibility issues and minimum configuration fuss+==== 1. Preparation ==== 
-The client can be a mobile user roaming on a mobile network OR at a public wifi hotspot, and wants to EITHER secure their traffic from eavesdropping, or access their private network.+Install the required packages
 +Specify configuration parameters for VPN server.
  
-The end result will be an encrypted connection directly between the client (on the WAN side) and LAN side of the OpenWRT, such that the client effectively has access to the LAN side as if they were local, PLUS the benefits of their OpenWRT firewall for browsing the Internet.+<code bash> 
 +# Install packages 
 +opkg update 
 +opkg install ocserv
  
-Note that this is a FULL tunnel, meaning all traffic is routed through the VPN once connectedThis is, in my opinion, the only type of tunnel to use, as a split tunnel is inherently insecure+# Configuration parameters 
-You cannot, for example, secure your traffic from a public hotspot using a split tunnel since your banking traffic will go through the PUBLIC hotspot and not through your VPN tunnel.+VPN_PORT="4443" 
 +VPN_POOL="192.168.7.0 255.255.255.0" 
 +VPN_DNS="${VPN_POOL%.* *}.1" 
 +VPN_USER="USERNAME" 
 +VPN_PASS="PASSWORD" 
 +</code>
  
-===== Why use OpenConnect ===== +==== 2. Key management ==== 
-  * Your network provider is BLOCKING IPSEC traffic. This is apparently POLICY for mobile carriers, though they deny it. OpenConnect is SSL. +Generate password hash for VPN client.
-  * Your client only supports AnyConnect or the OpenConnect Client(Blackberry, for example, does not support OpenVPN). +
-  * You just want a secure SSL-based VPN to your LAN. +
- +
-[[http://www.infradead.org/openconnect/|OpenConnect official site]] +
- +
-===== Server ===== +
-You will want the following packages: [[packages:pkgdata:ocserv]] + [[packages:pkgdata:luci-app-ocserv]] +
- +
-One of the easiest setups is to configure the VPN as a pseudo-bridge with Proxy ARP. +
-What this means is that you will connect and be on the LAN side of your router with no additional routing needed, as if you were there. +
-The configuration is described in this recipe[[http://www.infradead.org/ocserv/recipes-ocserv-pseudo-bridge.html|recipe: ocserv pseudo bridge]]. +
- +
-Router is configured at 192.168.1.1 +
-DHCP hosts are configured to use the range 192.168.1.2-192.168.1.50 +
-You want your VPN hosts to use the range 192.168.1.100 and have only 1-2 hosts connecting at any given time +
- +
-1) Edit VPN service configuration:+
  
 <code bash> <code bash>
-/etc/config/ocserv +Generate password hash 
- +ocpasswd ${VPN_USER} << EOI 
-config ocserv 'config' +${VPN_PASS} 
-    option enable '1' +${VPN_PASS} 
-    option port '443' +EOI 
-    option netmask '255.255.255.253' +VPN_HASH="$(sed -n -e "/^${VPN_USER}:.*:/s///p" /etc/ocserv/ocpasswd)"
-    option ipaddr '192.168.1.100' +
-    option zone 'lan'+
 </code> </code>
  
-This will put your VPN clients at 192.168.1.100++==== 3Firewall ==== 
-Note that the netmask limits the # of clients you can have to TWO. +Consider VPN network as private
-Change as necessary+Assign VPN interface to LAN zone to minimize firewall setup
- +Allow access to VPN server from WAN zone.
-NOTE: the above suggests port 443 as the preferred port. +
-This is to support MOBILE clients+
-Many mobile network operators are blocking other ports (despite the FCC open internet order), but they cannot block port 443, therefore 443 is more likely to work for the majority of mobil users. +
- +
-2) Add your DNS server:+
  
 <code bash> <code bash>
-config dns +# Configure firewall 
-    option ip '192.168.1.1'+uci rename firewall.@zone[0]="lan" 
 +uci rename firewall.@zone[1]="wan" 
 +uci del_list firewall.lan.device="vpns+" 
 +uci add_list firewall.lan.device="vpns+" 
 +uci -q delete firewall.oc 
 +uci set firewall.oc="rule" 
 +uci set firewall.oc.name="Allow-OpenConnect" 
 +uci set firewall.oc.src="wan" 
 +uci set firewall.oc.dest_port="4443" 
 +uci set firewall.oc.proto="tcp udp" 
 +uci set firewall.oc.target="ACCEPT" 
 +uci commit firewall 
 +/etc/init.d/firewall restart
 </code> </code>
  
-3) Edit firewall configuration:+==== 4. VPN service ==== 
 +Configure VPN service.
  
 <code bash> <code bash>
-/etc/config/firewall +Configure VPN service 
- +uci -q delete ocserv.config.enable 
-config rule +uci -q delete ocserv.config.zone 
-    option name 'Allow SSL VPN' +uci set ocserv.config.port="${VPN_PORT}" 
-    option src 'wan' +uci set ocserv.config.ipaddr="${VPN_POOL% *}" 
-    option proto 'tcp udp' +uci set ocserv.config.netmask="${VPN_POOL#* }" 
-    option dest_port '443' +uci -q delete ocserv.@routes[0] 
-    option target 'ACCEPT'+uci -q delete ocserv.@dns[0] 
 +uci set ocserv.dns="dns" 
 +uci set ocserv.dns.ip="${VPN_DNS}" 
 +uci -q delete ocserv.@ocservusers[0] 
 +uci set ocserv.client="ocservusers" 
 +uci set ocserv.client.name="${VPN_USER}" 
 +uci set ocserv.client.password="${VPN_HASH}" 
 +uci commit ocserv 
 +/etc/init.d/ocserv restart
 </code> </code>
  
-What this does is accept traffic for SSL on the WAN side.+===== Testing ===== 
 +{{section>docs:guide-user:services:vpn:wireguard:server#testing&noheader&nofooter&noeditbutton}}
  
-4) Add custom firewall rules:+===== Troubleshooting ===== 
 +Collect and analyze the following information.
  
 <code bash> <code bash>
-cat << EOF >> /etc/firewall.user +# Restart services 
-iptables -A input_rule -i vpns+ -j ACCEPT +/etc/init.d/log restart; /etc/init.d/ocserv restart; sleep 10
-iptables -A forwarding_rule -i vpns+ -j ACCEPT +
-iptables -A forwarding_rule -o vpns+ -j ACCEPT +
-iptables -A output_rule -o vpns+ -j ACCEPT +
-EOF +
-/etc/init.d/firewall restart +
-</code>+
  
-What these do is allow traffic from the VPN interface(s).+# Log and status 
 +logread -e ocserv; netstat -l -n -p | grep -e ocserv
  
-5) Modify kernel parameters:+# Runtime configuration 
 +pgrep -f -a ocserv 
 +ip address show; ip route show table all 
 +ip rule show; ip -6 rule show; nft list ruleset
  
-<code bash> +# Persistent configuration 
-cat << EOF >> /etc/sysctl.conf +uci show network; uci show firewall; uci show ocserv
-net.ipv4.conf.all.proxy_arp=1 +
-EOF +
-/etc/init.d/sysctl restart+
 </code> </code>
- 
-5) Add users (and passwords) to your OpenConnect service. 
-I find LuCI to be pretty easy to use for all of these steps. 
- 
-FINALLY: Fire up the OpenConnect server to test it out. 
-That's all there is to it! 
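Review bot: the new "2. Key management" step covers only the client password hash and says nothing about the server's TLS certificate, so a reader following "4. VPN service" will bring up a server whose certificate the client has no documented way to verify; add a sentence on where the server certificate and key come from (the package's self-generated one or an operator-supplied one) and that the client must verify or pin it, since an unverified certificate defeats the point of the tunnel. Two smaller points in the same region: the hash extraction `VPN_HASH="$(sed -n -e "/^${VPN_USER}:.*:/s///p" /etc/ocserv/ocpasswd)"` relies on the `user:group:hash` layout of the ocpasswd file and on the greedy `.*:` stopping at the last colon before the hash, which holds for crypt-style hashes but is worth stating; and in "3. Firewall" the lines `uci add_list firewall.lan.device="vpns+"` together with deleting `ocserv.@routes[0]` give VPN clients full LAN-zone trust and a default route through the tunnel, which matches the intent of the removed "FULL tunnel" paragraph but should be said explicitly so the reader knows the trust boundary they are creating.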
  
  • Last modified: 2024/10/17 17:27
  • by andrewz