+Setting up OpenConnect VPN server
+=================================
+
The openconnect server expects to be configured using the uci interface.
It is recommended to setup a dynamic DNS address with openwrt prior
to starting the server. That is because during the first startup
a certificate file which contain the setup dynamic DNS name will be
-created.
+created. You can always regenerate the certificate by deleting
+/etc/ocserv/server-key.pem.
+
+There are two approaches to setup the VPN. The proxy-arp approach (1)
+which provides clients with addresses of the LAN, and the "forwarding"
+approach (2) which provides clients with addresses of a separate private
+network. The former is suitable when you have "roadwarrior" type of clients
+connecting to the LAN, and the latter when you may need to connect
+multiple networks with the LAN.
+
+
+1. Proxy-ARP Approach
+=====================
+
+[This option is available since ocserv-0.10.9-2 package]
+
+To setup a server the provides access to LAN with network address
+10.100.2.0/255.255.255.0 add the following to /etc/config/ocserv.
+The following setup will assign the upper 62 addresses for VPN use.
+
+```
+----/etc/config/ocserv-------------------------------------------
+config ocserv 'config'
+ option port '443'
+ option dpd '120'
+ option max_clients '8'
+ option max_same '2'
+ option netmask '255.255.255.192'
+ option ipaddr '10.100.2.192'
+ option auth 'plain'
+ option default_domain 'lan'
+ option compression '1'
+ option proxy_arp '1'
+ option ping_leases '1'
+ option enable '1'
+
+config dns
+ option ip '10.100.2.1'
+
+config routes
+ option ip '10.100.2.0'
+ option netmask '255.255.255.0'
+
+config ocservusers
+ option name 'test'
+ option password '$5$unl8uKAGNsdTh9zm$PnUHEGhDc5VHbFE2EfWwW38Bub6Y6EZ5hrFwZE1r2F1'
+
+-----------------------------------------------------------------
+```
+
+This setup re-utilizes the addresses assigned to LAN for the VPN clients.
+To ensure that there are no conflicts with the DHCP server use the following
+commands. These will set the maximum address assigned by DHCP to be 10.100.2.191
+which is below the first VPN assigned address (10.100.2.192).
+
+```
+# uci set dhcp.lan.start=100
+# uci set dhcp.lan.limit=91
+```
+
+For simple networks like that you may also leave the 'netmask' and 'ipaddr'
+fields empty and ocserv on startup will set the necessary values.
+
+
+2. Forwarding Approach
+======================
To setup a server the provides access to LAN with network address
10.100.2.0/255.255.255.0 using the VPN address range
10.100.3.0/255.255.255.0 add the following to /etc/config/ocserv:
+```
----/etc/config/ocserv-------------------------------------------
config ocserv 'config'
- option port '4443'
+ option port '443'
option dpd '120'
option max_clients '8'
option max_same '2'
option password '$5$unl8uKAGNsdTh9zm$PnUHEGhDc5VHbFE2EfWwW38Bub6Y6EZ5hrFwZE1r2F1'
-----------------------------------------------------------------
+```
-This configuration also adds the user "test" with password "test". The
-password is specified in the crypt(3) format.
-The server can be enabled and started using:
-# /etc/init.d/ocserv enable
-# /etc/init.d/ocserv start
+Setting up the firewall
+=======================
+Since the connected users will be assigned to other interfaces than the LAN
+one, it is required to assign the VPN clients to an interface, and enable
+forwarding for them. That is, you should setup an unmanaged interface (e.g.,
+called vpn), which will have assigned the 'vpns+' interfaces (i.e., all vpns
+interfaces). Then a zone called vpn should be setup to handle interactions
+with lan. An example, which alls all forwarding between LAN and VPN clients,
+follows.
-To simplify firewall configuration, you should setup an unmanaged interface
-(e.g., called vpn), and will have assigned the 'vpns+' interfaces. Then a zone
-called vpn should be setup to handle interactions with lan. An example
-follows:
+```
----/etc/config/network------------------------------------------
config interface 'vpn'
option proto 'none'
option target 'ACCEPT'
option src 'wan'
option proto 'tcp'
- option dest_port '4443'
+ option dest_port '443'
option name 'vpn'
config rule
option target 'ACCEPT'
option src 'wan'
option proto 'udp'
- option dest_port '4443'
+ option dest_port '443'
option name 'vpn'
-----------------------------------------------------------------
+```
+
+Note, that the last two rules, enable connections to port 443 from the
+Internet. That is the port used by OpenConnect VPN.
+
+
+Starting the server
+===================
+
+Note that both configurations above add the user "test" with password "test". The
+password is specified in the crypt(3) format.
+
+The server can be enabled and started using:
+# /etc/init.d/ocserv enable
+# /etc/init.d/ocserv start
+For any custom configuration options of ocserv you may add values in
+/etc/ocserv/ocserv.conf.local.
There is a luci plugin to allow configuring the server from
the web environment; see the package luci-app-ocserv.
+
config_get udp $1 udp "1"
config_get auth $1 auth "plain"
config_get cisco_compat $1 cisco_compat "1"
- config_get ipaddr $1 ipaddr "192.168.100.0"
- config_get netmask $1 netmask "255.255.255.0"
+ config_get ipaddr $1 ipaddr ""
+ config_get netmask $1 netmask ""
config_get ip6addr $1 ip6addr ""
+ config_get proxy_arp $1 proxy_arp "0"
+ config_get ping_leases $1 ping_leases "0"
config_get default_domain $1 default_domain ""
+ # Enable proxy arp, and make sure that ping leases is set to true in that case,
+ # to prevent conflicts.
+ if test "$proxy_arp" = 1;then
+ local ip
+ # IP address is empty. Auto-configure LAN + VPN.
+ if test -z "$ipaddr";then
+ local mask
+ mask=$(uci get network.lan.netmask)
+ if test "$mask" = "255.255.255.0";then
+ uci set dhcp.lan.start=100
+ uci set dhcp.lan.limit=91
+ fi
+ ip=$(uci get network.lan.ipaddr)
+ ipaddr="$(echo $ip|cut -d . -f1,2,3).192"
+ netmask="255.255.255.192"
+ uci set ocserv.config.ipaddr="$ipaddr"
+ uci set ocserv.config.netmask="$netmask"
+ uci commit
+ fi
+
+ if test -z "$ip6addr";then
+ ip6addr=$(uci get network.lan.ip6addr 2>/dev/null)
+ test -n "$ip6addr" && uci set ocserv.config.ip6addr="$ip6addr"
+ uci commit
+ fi
+
+ ping_leases=1
+ test -n "$ipaddr" && sysctl -w "net.ipv4.conf.$(uci get network.lan.ifname).proxy_arp"=1 >/dev/null
+ test -n "$ip6addr" && sysctl -w "net.ipv6.conf.$(uci get network.lan.ifname).proxy_ndp"=1 >/dev/null
+ else
+ test "$ipaddr" = "" && ipaddr="192.168.100.0"
+ test "$netmask" = "" && ipaddr="255.255.255.0"
+ fi
+
enable_default_domain="#"
enable_udp="#"
enable_compression="#"
test $predictable_ips = "1" && predictable_ips="true"
test $cisco_compat = "0" && cisco_compat="false"
test $cisco_compat = "1" && cisco_compat="true"
+ test $ping_leases = "0" && ping_leases="false"
+ test $ping_leases = "1" && ping_leases="true"
test $udp = "1" && enable_udp=""
test $compression = "1" && enable_compression=""
test -z $default_domain && enable_default_domain=""
-e "s/|DEFAULT_DOMAIN|/$default_domain/g" \
-e "s/|ENABLE_DEFAULT_DOMAIN|/$enable_default_domain/g" \
-e "s/|CISCO_COMPAT|/$cisco_compat/g" \
+ -e "s/|PING_LEASES|/$ping_leases/g" \
-e "s/|UDP|/$enable_udp/g" \
-e "s/|COMPRESSION|/$enable_compression/g" \
-e "s/|IPV4ADDR|/$ipaddr/g" \
procd_set_param respawn
procd_close_instance
}
+
projects / feed / packages.git / commitdiff