GL-MT300A OpenConnect how to?


#1

Hello,

I would like to use Openconnect protocol with my Torguard account.

I have already installed the packages to use luci gui but I don’t know how to setup the connection.

Could you please help me ?

Thank you.

Yann.


#2

Hi Yann, Sorry I don’t have experience in this. If you made this work, please share.


#3

Hi, I have a GL-MT300A router with the latest official firmware of GL-Inet. I’m using the WAN port connected to a LAN port of the main router, and I have opened port 443 on the main router pointing to the dynamic address obtained by the MT300 (192.168.1.x). The clients that I have used are Android (AnyConnect-OpenConnect), Win7, Win10 and Linux Mint Mate.

—OCSERV GL-MT300A—

first of all create a free account on no-ip.com then register a hostname to be used in OpenWrt.

—softwares:

ddns-scripts_no-ip_com
updated-mod-noip
nano
luci-app-ddns
luci-app-ocserv
ocserv

—configuration ddns no-ip:
(Services-Dynamic DNS)

add a name for account ddns.
Enabled: yes
Lookup Hostname: example.no-ip.com
IP address version: IPv4-Address
DDNS Service provider [IPv4]: no-ip.com
Hostname/Domain: example.no-ip.com
Username: example@gmail.com
Password: passwordaccountno-ip

||| Advanced Settings tab

IP address source [IPv4]: URL
URL to detect [IPv4]: http://checkip.dyndns.com
Event Network [IPv4]: wan

|||Timer Settings

Check Interval: 10 minutes
Force Interval: 6 hours

Save and apply.

—configuration OpenConnectVPN:
(Services-OpenConnectVPN)

User Authentication: plain
Firewall Zone: lan
port: 443
AnyConnect client compatibility: yes
VPN IPv4-Network-Address: 192.168.8.51
VPN IPv4-Netmask: 255.255.255.5

-DNS servers

192.168.1.1
192.168.8.1

-Routing table

192.168.1.0 255.255.255.0
192.168.8.0 255.255.255.0

||| Edit template tab (default-domain important):

isolate-workers = false

# A banner to be displayed on clients
banner = "Bienvenidos a mi OpenWRT Server ;-)"

# When the server has a dynamic DNS address (that may change),
# should set that to true to ask the client to resolve again on
# reconnects.
listen-host-is-dyndns = true

# Uncomment this to enable compression negotiation (LZS, LZ4).
|COMPRESSION|compression = true

# The default domain to be advertised
default-domain = example.no-ip.com

# The domains over which the provided DNS should be used. Use
# multiple lines for multiple domains.
split-dns = example.no-ip.com

||| Add User in Users tab.

Save and apply.

—Network Firewall Menu:

||| Traffic Rules tab:

name: Ocserv
Protocol: TCP+UDP
Source zone: wan
Source mac address: any
Source address: any
Destination zone: Device(input)
Destination address: any
Destination port: 443
Action: accept

||| Custom Rules tab:

force_dns() {
    # The second assignment overrides the first; the uci value is what gets used.
    lanip=$(ifconfig br-lan |sed -n 's/.*dr:\(.*\) Bc.*/\1/p')
    lanip=$(uci get network.lan.ipaddr)
    # Redirect all DNS queries passing through the router to the router's own resolver.
    iptables -t nat -A PREROUTING -s 0/0 -p udp --dport 53 -j DNAT --to $lanip
    iptables -t nat -A PREROUTING -s 0/0 -p tcp --dport 53 -j DNAT --to $lanip
}
force=$(uci get glconfig.general.force_dns)
if [ -n "$force" ]; then
    force_dns
fi

# Accept traffic on the ocserv tunnel interfaces (vpns0, vpns1, ...)
iptables -A input_rule -i vpns+ -j ACCEPT
iptables -A forwarding_rule -i vpns+ -j ACCEPT
iptables -A forwarding_rule -o vpns+ -j ACCEPT
iptables -A output_rule -o vpns+ -j ACCEPT


Save and apply.

— Edit /etc/sysctl.conf over ssh or telnet.
nano /etc/sysctl.conf
Add:
net.ipv4.conf.all.proxy_arp=1

Then type sysctl -p to reload the configuration.

This works for me, sorry for my Spanglish. Good luck.
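An added sanity check for the server-side settings in the post above (example code written for this thread, not from the post, GL-iNet or ocserv): it parses the same "key = value" lines ocserv.conf uses, strips the |COMPRESSION| placeholder that the template line carries, and flags a netmask that is not a contiguous run of bits, a VPN IPv4-Network-Address that is a host rather than a network address, and malformed route or dns lines. The embedded configuration text is constructed from the values in the post; the passwd path in the auth line and the function names are assumptions. Run on those values it reports the netmask 255.255.255.5 as non-contiguous, which is worth knowing before clients start receiving addresses from that pool.

```python
import ipaddress

# Constructed sample: the settings the post enters in LuCI and in the template tab,
# written in ocserv.conf's own "key = value" form. The passwd path in the auth line
# is an assumption; every other value is taken from the post.
SAMPLE_OCSERV_CONF = """\
auth = "plain[passwd=/etc/ocserv/ocpasswd]"
tcp-port = 443
udp-port = 443
isolate-workers = false
# A banner to be displayed on clients
banner = "Bienvenidos a mi OpenWRT Server ;-)"
listen-host-is-dyndns = true
|COMPRESSION|compression = true
default-domain = example.no-ip.com
split-dns = example.no-ip.com
ipv4-network = 192.168.8.51
ipv4-netmask = 255.255.255.5
dns = 192.168.1.1
dns = 192.168.8.1
route = 192.168.1.0/255.255.255.0
route = 192.168.8.0/255.255.255.0
"""


def parse_ocserv_conf(text):
    """Parse "key = value" lines into ({key: [values]}, {key: placeholder}).

    Keys such as dns and route may repeat, so each key maps to a list. A leading
    |NAME| token (the template placeholder in front of the compression line) is
    removed from the line and remembered separately."""
    values, placeholders = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        placeholder = None
        if line.startswith("|") and line.count("|") >= 2:
            end = line.index("|", 1)
            placeholder, line = line[1:end], line[end + 1:]
        key, sep, value = line.partition("=")
        if not sep:
            continue
        key, value = key.strip(), value.strip().strip('"')
        values.setdefault(key, []).append(value)
        if placeholder:
            placeholders[key] = placeholder
    return values, placeholders


def mask_is_contiguous(mask):
    """True for a real netmask: a run of 1 bits followed only by 0 bits."""
    zeros = (~int(ipaddress.IPv4Address(mask))) & 0xFFFFFFFF
    return zeros & (zeros + 1) == 0


def check_ocserv_conf(text):
    """Return (key, finding) pairs for problems in the settings the post touches."""
    conf, _ = parse_ocserv_conf(text)

    def first(key):
        return conf.get(key, [None])[0]

    findings = []
    if not first("auth"):
        findings.append(("auth", "no authentication method configured"))
    mask, net = first("ipv4-netmask"), first("ipv4-network")
    if mask and not mask_is_contiguous(mask):
        findings.append(("ipv4-netmask", "non-contiguous netmask"))
    elif mask and net:
        try:
            pool = ipaddress.IPv4Network(f"{net}/{mask}", strict=False)
        except ValueError:
            findings.append(("ipv4-network", f"not an IPv4 address: {net}"))
        else:
            if str(pool.network_address) != net:
                findings.append(("ipv4-network",
                                 f"host address; the network is {pool.network_address}"))
    for route in conf.get("route", []):
        try:
            ipaddress.IPv4Network(route, strict=True)
        except ValueError:
            findings.append(("route", f"malformed or not a network address: {route}"))
    for server in conf.get("dns", []):
        try:
            ipaddress.IPv4Address(server)
        except ValueError:
            findings.append(("dns", f"not an IPv4 address: {server}"))
    return findings


if __name__ == "__main__":
    for key, finding in check_ocserv_conf(SAMPLE_OCSERV_CONF):
        print(f"{key}: {finding}")
```

The checker deliberately skips the network-alignment test when the netmask itself is invalid, since there is no meaningful network address to compare against until the mask is fixed.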


#4

Hi Juanesf,

Thank you for your very complete reply, but I think you made a server.

I would like to use my GL-MT300A as a VPN router using the openconnect protocol.

The country where I’m living uses Deep Packet Inspection and all the VPN protocols are blocked except openconnect.

I’d just like to configure my openconnect client on the router.

Yann.


#5

Hi Yann.

OpenConnect-based VPN Solutions

You may setup openwrt as an OpenConnect VPN client or server. This is a protocol based on SSL/TLS and datagram TLS and is compatible with CISCO’s AnyConnect SSL VPN.

Client side requirements:

openconnect: Follow for instructions to configure without luci interface

luci-proto-openconnect

Server side requirements:

ocserv

luci-app-ocserv

A How-To for the server setup. Note: the instructions include comments on the GitHub advice which might not work for some. In addition, the instructions are for a FULL tunnel setup.


The openconnect client expects to be configured using the uci interface.

To setup a VPN connection, add the following to /etc/config/network:

config interface 'MYVPN'
    option proto 'openconnect'
    option interface 'wan'
    option server 'vpn.example.com'
    option port '4443'
    option username 'test'
    option password 'secret'
    option serverhash 'AE7FF6A0426F0A0CD0A02EB9EC3C5066FAEB0B25'
    option defaultroute '0'
    option authgroup 'DEFAULT'

    # For second factor auth:
    # when a fixed 2FA password can be used
    #option password2 'my-fixed-2fa-password'
    # RSA tokens, must be built with stoken support
    #option token_mode 'rsa'
    #option token_secret 'secret'
    # HOTP/TOTP tokens
    #option token_mode 'hotp'
    #option token_secret '00'
    # tokens from script
    #option token_mode 'script'
    #option token_script '/lib/custom/getocpass.sh'
    # Juniper vpn support
    #option juniper '1'

The additional files are also used:

/etc/openconnect/user-cert-vpn-MYVPN.pem: The user certificate

/etc/openconnect/user-key-vpn-MYVPN.pem: The user private key

/etc/openconnect/ca-vpn-MYVPN.pem: The CA certificate (instead of serverhash)

After these are set up you can initiate the VPN using “ifup MYVPN”, and deinitialize it using ifdown. You may also use the luci web interface (Network -> Interfaces -> MYVPN Connect).

Note that you need to configure the firewall to allow communication between the MYVPN interface and lan.

There is a luci plugin to allow configuring an openconnect interface from the web environment; see the luci-proto-openconnect package.
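An added example (not from the post or from the OpenWrt openconnect package) of what the serverhash value in the uci config above actually is and how a client should compare against it: the 40 hex digits are the SHA-1 fingerprint of the server certificate's DER encoding, the same digest that openssl x509 -noout -fingerprint -sha1 prints with colons. The certificate bytes below are a constructed stand-in rather than a real certificate, and the function names are assumptions. The defender's point is that this pin (or the ca-vpn-MYVPN.pem CA file) is what lets the client tell the real server from an impostor on port 443, so the comparison must be exact and a mismatch must fail closed.

```python
import base64
import hashlib
import hmac

# Constructed stand-in for the server certificate: valid PEM armor around bytes that
# are not a real X.509 certificate. The fingerprint depends only on the DER bytes
# between the armor lines, so this is enough to exercise the functions below.
CONSTRUCTED_DER = b"constructed stand-in, not a real DER certificate"
_B64 = base64.b64encode(CONSTRUCTED_DER).decode("ascii")
CONSTRUCTED_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + "\n".join(_B64[i:i + 64] for i in range(0, len(_B64), 64))
    + "\n-----END CERTIFICATE-----\n"
)


def pem_to_der(pem):
    """Return the DER bytes of the first CERTIFICATE block in a PEM string."""
    lines = [line.strip() for line in pem.splitlines()]
    try:
        start = lines.index("-----BEGIN CERTIFICATE-----")
        end = lines.index("-----END CERTIFICATE-----", start)
    except ValueError:
        raise ValueError("no CERTIFICATE block found") from None
    return base64.b64decode("".join(lines[start + 1:end]))


def sha1_serverhash(der):
    """The 40-hex SHA-1 fingerprint of the certificate DER, the form used by the
    'option serverhash' line (same digest as openssl's -fingerprint -sha1, no colons)."""
    return hashlib.sha1(der).hexdigest().upper()


def normalize_pin(pin):
    """Accept the forms a fingerprint is usually pasted in: an optional 'sha1:'
    prefix, colon or space separators, either letter case."""
    pin = pin.strip()
    if pin.lower().startswith("sha1:"):
        pin = pin[len("sha1:"):]
    return pin.replace(":", "").replace(" ", "").upper()


def serverhash_matches(der, expected):
    """Compare the presented certificate with the pinned value in constant time.
    False means the client must abort the connection, not continue without the pin."""
    return hmac.compare_digest(sha1_serverhash(der), normalize_pin(expected))


if __name__ == "__main__":
    der = pem_to_der(CONSTRUCTED_PEM)
    print("serverhash for the constructed certificate:", sha1_serverhash(der))
    print("pin check:", serverhash_matches(der, sha1_serverhash(der)))
```

To pin a real server, feed pem_to_der the certificate the server presents and put the resulting sha1_serverhash value into option serverhash; any later change of that value (a renewed certificate or a different endpoint) should be treated as an event to investigate, not silently re-pinned.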



#6

Hello,

I tried many things but it’s not working.

It’s OK with my raspberry using the shell with something like this:
sudo openconnect -u username --authgroup=DEFAULT -b --no-dtls --pfs fr.torguardvpnaccess.com:22

Before authgroup, no-dtls and pfs there is a double dash but the forum doesn’t show them…
As it’s written here, the current version of openconnect doesn’t work with Openwrt/Lede:

https://torguard.net/forums/index.php?/topic/1065-howto-openconnect-on-linux-devices-like-raspberry-pi-openwrt-dd-wrt/&hl=raspberry

Yann.