Differences

This shows you the differences between two versions of the page.

docs:guide-user:services:vpn:openconnect:server [2020/11/28 03:51] – [1. Preparation] update vgaetera
docs:guide-user:services:vpn:openconnect:server [2023/03/25 10:46] – [2. Key management] vgaetera
Line 1: Line 1:
-====== OpenConnect server ======  +====== OpenConnect server ====== 
-{{section>meta:infobox:howto_links#cli_skills&noheader&nofooter&noeditbutton}}+{{section>meta:infobox:howto_links#basic_skills&noheader&nofooter&noeditbutton}}
  
 ===== Introduction ===== ===== Introduction =====
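Review bot: the infobox link in this hunk changes from `cli_skills` to `basic_skills`, yet the same revision renames the section heading to `Command-line instructions` and every step below it is a shell or `uci` command; the prerequisite note now understates what the reader needs. Keep `cli_skills` unless a non-CLI (LuCI) section is being added alongside.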
Line 9: Line 9:
 {{section>docs:guide-user:services:vpn:wireguard:server#goals&noheader&nofooter&noeditbutton}} {{section>docs:guide-user:services:vpn:wireguard:server#goals&noheader&nofooter&noeditbutton}}
  
-===== Instructions =====+===== Command-line instructions =====
 ==== 1. Preparation ==== ==== 1. Preparation ====
-Set up [[docs:guide-user:services:ddns:client|DDNS client]] if required. +Install the required packages
-Install the packages and specify the VPN server configuration parameters.+Specify configuration parameters for VPN server.
  
 <code bash> <code bash>
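Review bot: dropping `Set up DDNS client if required.` from 1. Preparation removes the only pointer on the page to how remote clients reach the server by a stable name; the replacement lines cover package installation and parameters only. Keep the link, for example as a sentence before `Install the required packages.`, or reference it from the Testing section.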
Line 19: Line 19:
 opkg install ocserv opkg install ocserv
  
-OC_USER="OC_USERNAME+# Configuration parameters 
-OC_PASS="OC_PASSWORD"+VPN_PORT="4443" 
 +VPN_POOL="192.168.7.0 255.255.255.0" 
 +VPN_DNS="${VPN_POOL%.* *}.1" 
 +VPN_USER="USERNAME
 +VPN_PASS="PASSWORD"
 </code> </code>
  
-==== 2. Firewall ==== +==== 2. Key management ==== 
-Consider VPN network as private and assign VPN interface to LAN zone to minimize firewall setup.+Generate password hash for VPN client. 
 + 
 +<code bash> 
 +# Generate password hash 
 +ocpasswd ${VPN_USER} << EOI 
 +${VPN_PASS} 
 +${VPN_PASS} 
 +EOI 
 +VPN_HASH="$(sed -n -e "/^${VPN_USER}:.*:/s///p" /etc/ocserv/ocpasswd)" 
 +</code> 
 + 
 +==== 3. Firewall ==== 
 +Consider VPN network as private
 +Assign VPN interface to LAN zone to minimize firewall setup.
 Allow access to VPN server from WAN zone. Allow access to VPN server from WAN zone.
  
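Review bot: `VPN_HASH="$(sed -n -e "/^${VPN_USER}:.*:/s///p" /etc/ocserv/ocpasswd)"` in 2. Key management interpolates the username unescaped into a sed regex and relies on a greedy `.*:` to skip the group field, so a username containing `.`, `*` or `/` yields a wrong or empty hash with no error, and the empty value is then committed to uci unchecked. Since the file ocpasswd writes is `user:group:hash`, a field split is safer: `VPN_HASH="$(awk -F: -v u="${VPN_USER}" '$1 == u { print $3 }' /etc/ocserv/ocpasswd)"`, followed by `[ -n "${VPN_HASH}" ] || exit 1` before the value is used. The same hunk also keeps the old advice to put the VPN interface in the LAN zone; a sentence noting that a dedicated zone with explicit forwardings is the least-privilege option would help readers who do not want every VPN client to see the whole LAN.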
Line 44: Line 61:
 </code> </code>
  
-Modify kernel parameters:+==== 4. VPN service ==== 
 +Configure VPN service.
  
 <code bash> <code bash>
-cat << EOF >> /etc/sysctl.conf +# Configure VPN service 
-net.ipv4.conf.all.proxy_arp=1 +uci -q delete ocserv.config.enable 
-EOF +uci -q delete ocserv.config.zone 
-/etc/init.d/sysctl restart+uci set ocserv.config.port="${VPN_PORT}" 
 +uci set ocserv.config.ipaddr="${VPN_POOL% *}" 
 +uci set ocserv.config.netmask="${VPN_POOL#* }" 
 +uci -q delete ocserv.@routes[0] 
 +uci -q delete ocserv.@dns[0] 
 +uci set ocserv.dns="dns" 
 +uci set ocserv.dns.ip="${VPN_DNS}" 
 +uci -q delete ocserv.@ocservusers[0] 
 +uci set ocserv.client="ocservusers" 
 +uci set ocserv.client.name="${VPN_USER}" 
 +uci set ocserv.client.password="${VPN_HASH}" 
 +uci commit ocserv 
 +/etc/init.d/ocserv restart
 </code> </code>
- 
-==== 2. VPN service ==== 
-One of the easiest setups is to configure the VPN as a pseudo-bridge with Proxy ARP. 
-What this means is that you will connect and be on the LAN side of your router with no additional routing needed, as if you were there. 
-The configuration is described in this recipe[[http://www.infradead.org/ocserv/recipes-ocserv-pseudo-bridge.html|recipe: ocserv pseudo bridge]]. 
- 
-Router is configured at 192.168.1.1 
-DHCP hosts are configured to use the range 192.168.1.2-192.168.1.50 
-You want your VPN hosts to use the range 192.168.1.100 and have only 1-2 hosts connecting at any given time 
- 
-Edit VPN service configuration: 
- 
-<code bash> 
-# /etc/config/ocserv 
- 
-config ocserv 'config' 
-    option enable '1' 
-    option port '4443' 
-    option netmask '255.255.255.253' 
-    option ipaddr '192.168.1.100' 
-    option zone 'lan' 
-</code> 
- 
-This will put your VPN clients at 192.168.1.100+. 
-Note that the netmask limits the # of clients you can have to TWO. 
-Change as necessary. 
- 
-NOTE: the above suggests port 443 as the preferred port. 
-This is to support MOBILE clients. 
-Many mobile network operators are blocking other ports (despite the FCC open internet order), but they cannot block port 443, therefore 443 is more likely to work for the majority of mobil users. 
- 
-Add your DNS server: 
- 
-<code bash> 
-config dns 
-    option ip '192.168.1.1' 
-</code> 
- 
-Add users (and passwords) to your OpenConnect service. 
-I find LuCI to be pretty easy to use for all of these steps. 
  
 ===== Testing ===== ===== Testing =====
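Review bot: `uci -q delete ocserv.config.enable` and `uci -q delete ocserv.config.zone` in 4. VPN service remove the two options the previous revision set explicitly (`option enable '1'`, `option zone 'lan'`) without saying what the init script then defaults to; since 3. Firewall still tells the reader to assign the VPN interface to the LAN zone, either keep `uci set ocserv.config.zone='lan'` here or state where the zone assignment is now made, and set `enable` explicitly so the service is not silently left disabled on an installation whose defaults differ. The deleted paragraph about mobile operators blocking ports other than 443 was also the page's only rationale for the port choice; with `VPN_PORT="4443"` now a bare parameter, a one-line comment next to it preserving that reasoning would keep the guide self-explanatory.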
Line 109: Line 99:
 pgrep -f -a ocserv pgrep -f -a ocserv
 ip address show; ip route show table all ip address show; ip route show table all
-ip rule show; ip -6 rule show; iptables-save; ip6tables-save+ip rule show; ip -6 rule show; nft list ruleset
  
 # Persistent configuration # Persistent configuration
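Review bot: replacing `iptables-save; ip6tables-save` with `nft list ruleset` in the Testing block is correct for fw4 (OpenWrt 22.03 and later) but the page does not say so; on releases still running fw3 the `nft` binary is absent and the iptables dumps are the ones that show the VPN rules. Either state the minimum release or keep both, e.g. `nft list ruleset 2>/dev/null || { iptables-save; ip6tables-save; }`.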
Last modified: 2024/10/17 17:27 by andrewz