Differences

docs:guide-user:services:vpn:openconnect:server [2020/11/28 05:30] – [3. VPN service] configure port vgaetera
docs:guide-user:services:vpn:openconnect:server [2023/03/25 10:46] – [2. Key management] vgaetera
Line 1: Line 1:
-====== OpenConnect server ======  +====== OpenConnect server ====== 
-{{section>meta:infobox:howto_links#cli_skills&noheader&nofooter&noeditbutton}}+{{section>meta:infobox:howto_links#basic_skills&noheader&nofooter&noeditbutton}}
  
 ===== Introduction ===== ===== Introduction =====
Line 9: Line 9:
 {{section>docs:guide-user:services:vpn:wireguard:server#goals&noheader&nofooter&noeditbutton}} {{section>docs:guide-user:services:vpn:wireguard:server#goals&noheader&nofooter&noeditbutton}}
  
-===== Instructions =====+===== Command-line instructions =====
 ==== 1. Preparation ==== ==== 1. Preparation ====
-Set up [[docs:guide-user:services:ddns:client|DDNS client]] if required. +Install the required packages
-Install the packages and specify the VPN server configuration parameters.+Specify configuration parameters for VPN server.
  
 <code bash> <code bash>
Line 20: Line 20:
  
 # Configuration parameters # Configuration parameters
-OC_PORT="4443" +VPN_PORT="4443" 
-OC_USER="OC_USERNAME+VPN_POOL="192.168.7.0 255.255.255.0
-OC_PASS="OC_PASSWORD"+VPN_DNS="${VPN_POOL%.* *}.1" 
 +VPN_USER="USERNAME" 
 +VPN_PASS="PASSWORD"
 </code> </code>
  
-==== 2. Firewall ==== +==== 2. Key management ==== 
-Consider VPN network as private and assign VPN interface to LAN zone to minimize firewall setup.+Generate password hash for VPN client. 
 + 
 +<code bash> 
 +# Generate password hash 
 +ocpasswd ${VPN_USER} << EOI 
 +${VPN_PASS} 
 +${VPN_PASS} 
 +EOI 
 +VPN_HASH="$(sed -n -e "/^${VPN_USER}:.*:/s///p" /etc/ocserv/ocpasswd)" 
 +</code> 
 + 
 +==== 3. Firewall ==== 
 +Consider VPN network as private
 +Assign VPN interface to LAN zone to minimize firewall setup.
 Allow access to VPN server from WAN zone. Allow access to VPN server from WAN zone.
  
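Review bot: the derived address `VPN_DNS="${VPN_POOL%.* *}.1"` relies on VPN_POOL being written as `network mask` with exactly one space (for the default it strips `.0 255.255.255.0` and yields `192.168.7.1`); a short comment stating that format requirement next to the line would help, because any other spelling silently produces a wrong address that is then pushed to every client as its resolver. Two wording points in the same hunk: "Install the required packages" and "Consider VPN network as private" both lost their full stops when the old sentences were split, and the earlier hint to set up a DDNS client was removed without a replacement, so a reader with a dynamic WAN address no longer learns where clients should connect. In the Key management block the cleartext VPN_PASS stays in the shell environment after VPN_HASH has been captured from /etc/ocserv/ocpasswd; unsetting it right after the sed line would keep only the hash around for the rest of the session.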
Line 46: Line 61:
 </code> </code>
  
-==== 3. VPN service ====+==== 4. VPN service ====
 Configure VPN service. Configure VPN service.
  
 <code bash> <code bash>
-# Encrypt password 
-ocpasswd ${OC_USER} << EOF 
-${OC_PASS} 
-${OC_PASS} 
-EOF 
-OC_PASS="$(sed -n -e "/^${OC_USER}:.*:/s///p" /etc/ocserv/ocpasswd)" 
- 
 # Configure VPN service # Configure VPN service
-while uci -q delete ocserv.@ocservusers[0]; do :; done +uci -q delete ocserv.config.enable 
-uci set ocserv.config.enable="1+uci -q delete ocserv.config.zone 
-uci set ocserv.config.port="${OC_PORT}" +uci set ocserv.config.port="${VPN_PORT}" 
-uci set ocserv.login="ocservusers" +uci set ocserv.config.ipaddr="${VPN_POOL% *}" 
-uci set ocserv.login.name="${OC_USER}" +uci set ocserv.config.netmask="${VPN_POOL#* }" 
-uci set ocserv.login.password="${OC_PASS}"+uci -q delete ocserv.@routes[0] 
 +uci -q delete ocserv.@dns[0] 
 +uci set ocserv.dns="dns
 +uci set ocserv.dns.ip="${VPN_DNS}" 
 +uci -q delete ocserv.@ocservusers[0] 
 +uci set ocserv.client="ocservusers" 
 +uci set ocserv.client.name="${VPN_USER}" 
 +uci set ocserv.client.password="${VPN_HASH}"
 uci commit ocserv uci commit ocserv
 /etc/init.d/ocserv restart /etc/init.d/ocserv restart
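Review bot: `uci -q delete ocserv.@ocservusers[0]` (and likewise `@routes[0]` and `@dns[0]`) removes only the first anonymous section, whereas the old `while uci -q delete ocserv.@ocservusers[0]; do :; done` cleared them all; on a router that already has several user, route or dns sections the new form leaves the rest in place, so the loop should be kept if the step is meant to be re-runnable from a clean state. The hunk also replaces `uci set ocserv.config.enable="1"` with `uci -q delete ocserv.config.enable`, so whether the service starts now depends on the init script's default for that option; the `pgrep -f -a ocserv` check in the Testing section is the place to confirm it, and a one-line remark here would save readers a surprise.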
Line 84: Line 99:
 pgrep -f -a ocserv pgrep -f -a ocserv
 ip address show; ip route show table all ip address show; ip route show table all
-ip rule show; ip -6 rule show; iptables-save; ip6tables-save+ip rule show; ip -6 rule show; nft list ruleset
  
 # Persistent configuration # Persistent configuration
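Review bot: swapping `iptables-save; ip6tables-save` for `nft list ruleset` matches current releases that ship firewall4 on nftables, but on an older fw3/iptables build the new command prints nothing useful; a short note that the command depends on the firewall backend in use would keep the testing step valid for both.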
  • Last modified: 2024/10/17 17:27
  • by andrewz