Differences
This shows you the differences between two versions of the page.
| Both sides previous revision Previous revision Next revision | Previous revision Next revisionBoth sides next revision | ||
| docs:guide-user:services:vpn:openconnect:server [2020/11/12 08:14] – [1. Preparation] add vgaetera | docs:guide-user:services:vpn:openconnect:server [2023/03/25 10:46] – [2. Key management] vgaetera | ||
|---|---|---|---|
| Line 1: | Line 1: | ||
| - | ====== OpenConnect server ====== | + | ====== OpenConnect server ====== |
| - | {{section> | + | {{section> |
| ===== Introduction ===== | ===== Introduction ===== | ||
| Line 9: | Line 9: | ||
| {{section> | {{section> | ||
| + | ===== Command-line instructions ===== | ||
| ==== 1. Preparation ==== | ==== 1. Preparation ==== | ||
| - | Set up [[docs: | + | Install the required |
| - | Install the packages and specify the VPN server | + | Specify configuration parameters for VPN server. |
| <code bash> | <code bash> | ||
| Line 17: | Line 18: | ||
| opkg update | opkg update | ||
| opkg install ocserv | opkg install ocserv | ||
| - | </ | ||
| - | |||
| - | ===== Use case (the beginner' | ||
| - | The user wants a client to access their OpenWrt router and the network it supports on the back securely with a minimum of compatibility issues and minimum configuration fuss. | ||
| - | The client can be a mobile user roaming on a mobile network OR at a public wifi hotspot, and wants to EITHER secure their traffic from eavesdropping, | ||
| - | |||
| - | The end result will be an encrypted connection directly between the client (on the WAN side) and LAN side of the OpenWRT, such that the client effectively has access to the LAN side as if they were local, PLUS the benefits of their OpenWRT firewall for browsing the Internet. | ||
| - | |||
| - | Note that this is a FULL tunnel, meaning all traffic is routed through the VPN once connected. This is, in my opinion, the only type of tunnel to use, as a split tunnel is inherently insecure. | ||
| - | You cannot, for example, secure your traffic from a public hotspot using a split tunnel since your banking traffic will go through the PUBLIC hotspot and not through your VPN tunnel. | ||
| - | |||
| - | ===== Server ===== | ||
| - | One of the easiest setups is to configure the VPN as a pseudo-bridge with Proxy ARP. | ||
| - | What this means is that you will connect and be on the LAN side of your router with no additional routing needed, as if you were there. | ||
| - | The configuration is described in this recipe[[http:// | ||
| - | |||
| - | Router is configured at 192.168.1.1 | ||
| - | DHCP hosts are configured to use the range 192.168.1.2-192.168.1.50 | ||
| - | You want your VPN hosts to use the range 192.168.1.100 and have only 1-2 hosts connecting at any given time | ||
| - | |||
| - | 1) Edit VPN service configuration: | ||
| - | |||
| - | <code bash> | ||
| - | # / | ||
| - | config ocserv ' | + | # Configuration parameters |
| - | | + | VPN_PORT=" |
| - | option port '4443' | + | VPN_POOL=" |
| - | | + | VPN_DNS=" |
| - | | + | VPN_USER=" |
| - | | + | VPN_PASS=" |
| </ | </ | ||
| - | This will put your VPN clients at 192.168.1.100+. | + | ==== 2. Key management ==== |
| - | Note that the netmask limits the # of clients you can have to TWO. | + | Generate password hash for VPN client. |
| - | Change as necessary. | + | |
| - | + | ||
| - | NOTE: the above suggests port 443 as the preferred port. | + | |
| - | This is to support MOBILE clients. | + | |
| - | Many mobile network operators are blocking other ports (despite the FCC open internet order), but they cannot block port 443, therefore 443 is more likely to work for the majority of mobil users. | + | |
| - | + | ||
| - | 2) Add your DNS server: | + | |
| <code bash> | <code bash> | ||
| - | config dns | + | # Generate password hash |
| - | | + | ocpasswd ${VPN_USER} << EOI |
| + | ${VPN_PASS} | ||
| + | ${VPN_PASS} | ||
| + | EOI | ||
| + | VPN_HASH=" | ||
| </ | </ | ||
| ==== 3. Firewall ==== | ==== 3. Firewall ==== | ||
| - | Consider VPN network as private | + | Consider VPN network as private. |
| + | Assign | ||
| Allow access to VPN server from WAN zone. | Allow access to VPN server from WAN zone. | ||
| Line 86: | Line 61: | ||
| </ | </ | ||
| - | 4) Modify kernel parameters: | + | ==== 4. VPN service ==== |
| + | Configure VPN service. | ||
| <code bash> | <code bash> | ||
| - | cat << EOF >> /etc/sysctl.conf | + | # Configure VPN service |
| - | net.ipv4.conf.all.proxy_arp=1 | + | uci -q delete ocserv.config.enable |
| - | EOF | + | uci -q delete ocserv.config.zone |
| - | / | + | uci set ocserv.config.port=" |
| + | uci set ocserv.config.ipaddr=" | ||
| + | uci set ocserv.config.netmask=" | ||
| + | uci -q delete ocserv.@routes[0] | ||
| + | uci -q delete ocserv.@dns[0] | ||
| + | uci set ocserv.dns=" | ||
| + | uci set ocserv.dns.ip=" | ||
| + | uci -q delete ocserv.@ocservusers[0] | ||
| + | uci set ocserv.client=" | ||
| + | uci set ocserv.client.name=" | ||
| + | uci set ocserv.client.password=" | ||
| + | uci commit ocserv | ||
| + | / | ||
| </ | </ | ||
| - | |||
| - | 5) Add users (and passwords) to your OpenConnect service. | ||
| - | I find LuCI to be pretty easy to use for all of these steps. | ||
| - | |||
| - | FINALLY: Fire up the OpenConnect server to test it out. | ||
| - | |||
| - | That's all there is to it! | ||
| ===== Testing ===== | ===== Testing ===== | ||
| Line 118: | Line 99: | ||
| pgrep -f -a ocserv | pgrep -f -a ocserv | ||
| ip address show; ip route show table all | ip address show; ip route show table all | ||
| - | ip rule show; ip -6 rule show; iptables-save; | + | ip rule show; ip -6 rule show; nft list ruleset |
| # Persistent configuration | # Persistent configuration | ||