Differences
This shows you the differences between two versions of the page.
| docs:guide-user:services:vpn:openconnect:server [2020/11/28 05:17] – [3. VPN service] optimize code vgaetera | docs:guide-user:services:vpn:openconnect:server [2023/03/25 10:46] – [2. Key management] vgaetera | ||
|---|---|---|---|
| Line 1: | Line 1: | ||
| - | ====== OpenConnect server ====== | + | ====== OpenConnect server ====== |
| - | {{section> | + | {{section> |
| ===== Introduction ===== | ===== Introduction ===== | ||
| Line 9: | Line 9: | ||
| {{section> | {{section> | ||
| - | ===== Instructions | + | ===== Command-line instructions |
| ==== 1. Preparation ==== | ==== 1. Preparation ==== | ||
| - | Set up [[docs: | + | Install the required |
| - | Install the packages and specify the VPN server | + | Specify configuration parameters for VPN server. |
| <code bash> | <code bash> | ||
| Line 20: | Line 20: | ||
| # Configuration parameters | # Configuration parameters | ||
| - | OC_PORT=" | + | VPN_PORT=" |
| - | OC_USER="OC_USERNAME" | + | VPN_POOL="192.168.7.0 255.255.255.0" |
| - | OC_PASS="OC_PASSWORD" | + | VPN_DNS="${VPN_POOL%.* *}.1" |
| + | VPN_USER=" | ||
| + | VPN_PASS=" | ||
| </ | </ | ||
| - | ==== 2. Firewall ==== | + | ==== 2. Key management ==== |
| - | Consider VPN network as private | + | Generate password hash for VPN client. |
| + | |||
| + | <code bash> | ||
| + | # Generate password hash | ||
| + | ocpasswd ${VPN_USER} << EOI | ||
| + | ${VPN_PASS} | ||
| + | ${VPN_PASS} | ||
| + | EOI | ||
| + | VPN_HASH=" | ||
| + | </ | ||
| + | |||
| + | ==== 3. Firewall ==== | ||
| + | Consider VPN network as private. | ||
| + | Assign | ||
| Allow access to VPN server from WAN zone. | Allow access to VPN server from WAN zone. | ||
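Review bot: The `ocpasswd ${VPN_USER} << EOI` heredoc in the Key management block keeps the password off the command line, but `VPN_PASS` is still set as a plain shell variable in the Preparation block, so when these steps are pasted into an interactive shell both the assignment and the heredoc body end up in shell history; suggest clearing it once the hash has been captured, e.g. `unset VPN_PASS`, and quoting the expansion as `ocpasswd "${VPN_USER}"` like the other variable uses. The derived `VPN_DNS="${VPN_POOL%.* *}.1"` does resolve to 192.168.7.1 for the default pool, but only because the pool is written as "address mask" with a space in between; a one-line comment would stop readers who change VPN_POOL from silently breaking that expansion.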
| Line 46: | Line 61: | ||
| </ | </ | ||
| - | ==== 3. VPN service ==== | + | ==== 4. VPN service ==== |
| Configure VPN service. | Configure VPN service. | ||
| <code bash> | <code bash> | ||
| - | # Encrypt password | ||
| - | ocpasswd ${OC_USER} << EOF | ||
| - | ${OC_PASS} | ||
| - | ${OC_PASS} | ||
| - | EOF | ||
| - | OC_PASS=" | ||
| - | |||
| # Configure VPN service | # Configure VPN service | ||
| - | while uci -q delete ocserv.@ocservusers[0]; do :; done | + | uci -q delete ocserv.config.enable |
| - | uci set ocserv.config.enable="1" | + | uci -q delete ocserv.config.zone |
| - | uci set ocserv.login=" | + | uci set ocserv.config.port=" |
| - | uci set ocserv.login.name=" | + | uci set ocserv.config.ipaddr=" |
| - | uci set ocserv.login.password=" | + | uci set ocserv.config.netmask=" |
| + | uci -q delete ocserv.@routes[0] | ||
| + | uci -q delete ocserv.@dns[0] | ||
| + | uci set ocserv.dns=" | ||
| + | uci set ocserv.dns.ip="${VPN_DNS}" | ||
| + | uci -q delete ocserv.@ocservusers[0] | ||
| + | uci set ocserv.client=" | ||
| + | uci set ocserv.client.name=" | ||
| + | uci set ocserv.client.password=" | ||
| uci commit ocserv | uci commit ocserv | ||
| / | / | ||
| Line 83: | Line 99: | ||
| pgrep -f -a ocserv | pgrep -f -a ocserv | ||
| ip address show; ip route show table all | ip address show; ip route show table all | ||
| - | ip rule show; ip -6 rule show; iptables-save; | + | ip rule show; ip -6 rule show; nft list ruleset |
| # Persistent configuration | # Persistent configuration | ||
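Review bot: Swapping `iptables-save` for `nft list ruleset` in the diagnostics line drops the iptables view entirely, so readers whose firewall still runs on iptables lose that output; suggest keeping `iptables-save` alongside `nft list ruleset`, or stating which firewall implementation the diagnostics line assumes.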