Hello,
I would like to use Openconnect protocol with my Torguard account.
I have already installed the packages to use luci gui but I don’t know how to setup the connection.
Could you please help me ?
Thank you.
Yann.
Hi Yann, sorry, I don’t have experience with this. If you make this work, please share.
Hi, I have a GL-MT300A router with the latest official firmware from GL-Inet. I’m using the WAN port connected to a LAN port of the main router, and I have opened port 443 on the main router pointing to the dynamic address obtained by the MT300A (192.168.1.x). The clients that I have used are on Android (AnyConnect-OpenConnect), Win7, Win10 and Linux Mint Mate.
—OCSERV GL-MT300A—
First of all, create a free account on no-ip.com, then register a hostname to be used in OpenWrt.
—software:
ddns-scripts_no-ip_com
updated-mod-noip
nano
luci-app-ddns
luci-app-ocserv
ocserv
—configuration ddns no-ip:
(Services-Dynamic DNS)
Add a name for the ddns account.
Enabled: yes
Lookup Hostname: example.no-ip.com
IP address version: IPv4-Address
DDNS Service provider [IPv4]: no-ip.com
Hostname/Domain: example.no-ip.com
Username: example@gmail.com
Password: passwordaccountno-ip
||| Advanced Settings tab
IP address source [IPv4]: URL
URL to detect [IPv4]: http://checkip.dyndns.com
Event Network [IPv4]: wan
|||Timer Settings
Check Interval: 10 minutes
Force Interval: 6 hours
Save and apply.
—configuration OpenConnectVPN:
(Services-OpenConnectVPN)
User Authentication: plain
Firewall Zone: lan
port: 443
AnyConnect client compatibility: yes
VPN IPv4-Network-Address: 192.168.8.51
VPN IPv4-Netmask: 255.255.255.5
-DNS servers
192.168.1.1
192.168.8.1
-Routing table
192.168.1.0 255.255.255.0
192.168.8.0 255.255.255.0
|||Edit template tab(default-domain important):
isolate-workers = false
banner = "Bienvenidos a mi OpenWRT Server ;-)"
listen-host-is-dyndns = true
|COMPRESSION|compression = true
default-domain = example.no-ip.com
split-dns = example.no-ip.com
||| Add a user in the Users tab.
Save and apply.
—Network-Firewall menu:
||| Traffic Rules tab:
name: Ocserv
Protocol: TCP+UDP
Source zone: wan
Source mac address: any
Source address: any
Destination zone: Device(input)
Destination address: any
Destination port: 443
Action: accept
||| Custom Rules tab:
# Redirect every DNS request that reaches the router to the router's own resolver
force_dns() {
    lanip=$(uci get network.lan.ipaddr)
    iptables -t nat -A PREROUTING -s 0/0 -p udp --dport 53 -j DNAT --to "$lanip"
    iptables -t nat -A PREROUTING -s 0/0 -p tcp --dport 53 -j DNAT --to "$lanip"
}
# GL-Inet setting: only force DNS when it is enabled in glconfig
force=$(uci get glconfig.general.force_dns)
if [ -n "$force" ]; then
    force_dns
fi
# Accept traffic on the ocserv tunnel interfaces (vpns0, vpns1, ...)
iptables -A input_rule -i vpns+ -j ACCEPT
iptables -A forwarding_rule -i vpns+ -j ACCEPT
iptables -A forwarding_rule -o vpns+ -j ACCEPT
iptables -A output_rule -o vpns+ -j ACCEPT
Save and apply.
— Edit /etc/sysctl.conf over ssh or telnet.
nano /etc/sysctl.conf
Add:
net.ipv4.conf.all.proxy_arp=1
Then type sysctl -p to reload the configuration.
This works for me, sorry for my Spanglish. Good luck.
Hi Juanesf,
Thank you for your very complete reply but I think you made a server.
I would like to use my GL-MT300A as a VPN router using openconnect protocol.
The country where I’m living uses Deep Packet Inspection and all the VPN protocols are blocked except openconnect.
I’d just like to configure my openconnect client on the router.
Yann.
Hi Yann.
OpenConnect-based VPN Solutions
You may setup openwrt as an OpenConnect VPN client or server. This is a protocol based on SSL/TLS and datagram TLS and is compatible with CISCO’s AnyConnect SSL VPN.
Client side requirements:
openconnect: Follow for instructions to configure without luci interface
luci-proto-openconnect
Server side requirements:
ocserv
luci-app-ocserv
A How-To for the server setup. Note: the instructions include comments on the Github advice which might not work for some. In addition, the instructions are for a FULL tunnel setup.
The openconnect client expects to be configured using the uci interface.
To setup a VPN connection, add the following to /etc/config/network:
config interface 'MYVPN'
    option proto 'openconnect'
    option interface 'wan'
    option server 'vpn.example.com'
    option port '4443'
    option username 'test'
    option password 'secret'
    option serverhash 'AE7FF6A0426F0A0CD0A02EB9EC3C5066FAEB0B25'
    option defaultroute '0'
    option authgroup 'DEFAULT'
    #option password2 'my-fixed-2fa-password'
    #option token_mode 'rsa'
    #option token_secret 'secret'
    #option token_mode 'hotp'
    #option token_secret '00'
    #option token_mode 'script'
    #option token_script '/lib/custom/getocpass.sh'
    #option juniper '1'
The following additional files are also used:
/etc/openconnect/user-cert-vpn-MYVPN.pem: The user certificate
/etc/openconnect/user-key-vpn-MYVPN.pem: The user private key
/etc/openconnect/ca-vpn-MYVPN.pem: The CA certificate (instead of serverhash)
After these are setup you can initiate the VPN using "ifup MYVPN", and
deinitialize it using ifdown. You may also use the luci web interface
(Network -> Interfaces -> MYVPN Connect).
Note that you need to configure the firewall to allow communication between
the MYVPN interface and lan.
There is a luci plugin to allow configuring an openconnect interface from
the web environment; see the luci-proto-openconnect package
Hello,
I tried many things but it’s not working.
It’s OK with my raspberry using the shell with something like this:
sudo openconnect -u username --authgroup=DEFAULT -b --no-dtls --pfs fr.torguardvpnaccess.com:22
Before authgroup, no-dtls and pfs there is double dash but the forum doesn’t show them…
As it’s written here, the current version of openconnect doesn’t work with Openwrt/Lede:
Yann.
echo YourPassHere | sudo openconnect -u YourUsernameHere --authgroup=DEFAULT -b --passwd-on-stdin --cafile=/Your/Cert/File/Path/Here/torguard/ca.crt --servercert=YourServerCertHere --pfs Server:port.
You have to be aware of the OpenWrt locations; you have to be more specific.
How do you make internet traffic go through the OpenConnect tunnel? I was able to configure this openconnect tunnel and successfully establish connections. I was able to ping if I specify the interface. However, I can’t make internet traffic flow through the OpenConnect tunnel.
Any idea?
Thanks
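The uci client stanza quoted from the wiki above and this last question about sending internet traffic through the tunnel, as an added shell example that is not part of this thread or of the OpenWrt wiki: it writes the network stanza with defaultroute '1' and the firewall zone and forwarding rule that the wiki says are needed but does not show. The server, port, username and serverhash are placeholders, and the zone name 'vpn' is my own choice.

```shell
# Added example, not from the thread or the OpenWrt wiki; all values are placeholders.
set -eu
# Pinned server certificate fingerprint (40 hex digits) taken from the certificate
# your provider gives you. With a wrong pin openconnect refuses the server.
OC_SERVERHASH="0000000000000000000000000000000000000000"  # placeholder
valid_serverhash() {   # reject anything that is not 40 hex digits
    printf '%s' "$1" | grep -Eq '^[0-9A-Fa-f]{40}$'
}
# /etc/config/network stanza: defaultroute '1' sends all traffic into the tunnel,
# where the wiki's defaultroute '0' only installs the routes the server pushes.
network_fragment() {
    cat <<EOF
config interface 'MYVPN'
    option proto 'openconnect'
    option interface 'wan'
    option server 'vpn.example.com'
    option port '443'
    option username 'test'
    option serverhash '$OC_SERVERHASH'
    option authgroup 'DEFAULT'
    option defaultroute '1'
EOF
}

# /etc/config/firewall stanza: own zone for the tunnel, lan forwarded into it,
# masquerade because the VPN side only knows the tunnel address.
firewall_fragment() {
    cat <<EOF
config zone
    option name 'vpn'
    list network 'MYVPN'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option masq '1'
    option mtu_fix '1'
config forwarding
    option src 'lan'
    option dest 'vpn'
EOF
}

# Write both fragments into directory $1 for review, then append them to the real
# files on the router and run: ifup MYVPN; /etc/init.d/firewall restart
write_fragments() {
    valid_serverhash "$OC_SERVERHASH" || { echo "bad serverhash" >&2; return 1; }
    network_fragment >"$1/network.openconnect"
    firewall_fragment >"$1/firewall.openconnect"
}
```

Review the two generated files before appending them; with input set to REJECT the router itself stays unreachable from the VPN side, which is what you want for a client-only setup.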