Setting up OpenConnect VPN server
=================================
The openconnect server expects to be configured using the uci interface.
It is recommended to set up a dynamic DNS address with OpenWrt prior
to starting the server, because during the first startup a certificate
containing the dynamic DNS name will be created. You can always
regenerate the certificate by deleting /etc/ocserv/server-key.pem.
Alternatively, an externally-supplied certificate may be provided
(obtained for example from Let's Encrypt using the acme package); this
too requires the server's DNS name to match that of the certificate.
There are two approaches to setting up the VPN: the proxy-ARP approach (1),
which gives clients addresses from the LAN, and the "forwarding" approach (2),
which gives clients addresses from a separate private network. The former
is suitable for "roadwarrior" clients connecting to the LAN, the latter
when you need to connect multiple networks with the LAN.
If you use OpenWRT on the client side, it is recommended to check that you
have the latest vpnc-scripts and openconnect packages.
1. Proxy-ARP Approach
=====================
[This option is available since ocserv-0.10.9-2 package]
To set up a server that provides access to a LAN with network address
10.100.2.0/255.255.255.0, add the following to /etc/config/ocserv.
This setup assigns the upper 62 addresses of that network for VPN use.
```
----/etc/config/ocserv-------------------------------------------
config ocserv 'config'
	option port '443'
	option dpd '120'
	option max_clients '8'
	option max_same '2'
	option netmask '255.255.255.192'
	option ipaddr '10.100.2.192'
	option auth 'plain'
	option default_domain 'lan'
	option compression '1'
	option proxy_arp '1'
	option ping_leases '1'
	option enable '1'

config dns
	option ip '10.100.2.1'

config routes
	option ip '10.100.2.0'
	option netmask '255.255.255.0'

config ocservusers
	option name 'test'
	option password '$5$unl8uKAGNsdTh9zm$PnUHEGhDc5VHbFE2EfWwW38Bub6Y6EZ5hrFwZE1r2F1'
-----------------------------------------------------------------
```
This setup reuses the addresses assigned to the LAN for the VPN clients.
To ensure that there are no conflicts with the DHCP server, use the following
commands. They set the maximum address assigned by DHCP to 10.100.2.191,
which is below the first VPN-assigned address (10.100.2.192).
```
# uci set dhcp.lan.start=100
# uci set dhcp.lan.limit=91
```
For simple networks like this one you may also leave the 'netmask' and 'ipaddr'
fields empty; ocserv will then set the necessary values at startup.
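The overlap check described above can be done on the router before enabling
the server. The following POSIX shell script is an added example, not part of
the ocserv package or of OpenWrt; it assumes the OpenWrt dhcp semantics that
`start` is the offset of the first pool address inside the LAN network and
`limit` is the number of addresses handed out. It computes the DHCP pool and
the VPN pool (ipaddr/netmask from /etc/config/ocserv) as address ranges and
reports whether they share any address, which is what causes duplicate-address
trouble with the proxy-ARP approach.

```shell
#!/bin/sh
# Added example (not from the ocserv package or OpenWrt): verify that the LAN
# DHCP pool and the proxy-ARP VPN pool do not overlap before starting ocserv.
# Assumption: OpenWrt dhcp pool = lan_network + start .. lan_network + start + limit - 1.

# Dotted-quad -> 32-bit integer (POSIX sh, no arrays).
ip2int() {
    set -- $(printf '%s\n' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# 32-bit integer -> dotted-quad.
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# dhcp_last_addr LAN_IP LAN_MASK START LIMIT
# Prints the highest address the DHCP server will hand out.
dhcp_last_addr() {
    net=$(( $(ip2int "$1") & $(ip2int "$2") ))
    int2ip $(( net + $3 + $4 - 1 ))
}

# vpn_dhcp_overlaps LAN_IP LAN_MASK START LIMIT VPN_IPADDR VPN_MASK
# Exit status 0 when the DHCP pool and the VPN pool share an address, 1 otherwise.
vpn_dhcp_overlaps() {
    net=$(( $(ip2int "$1") & $(ip2int "$2") ))
    dhcp_first=$(( net + $3 ))
    dhcp_last=$(( net + $3 + $4 - 1 ))
    vmask=$(ip2int "$6")
    vpn_first=$(( $(ip2int "$5") & vmask ))
    vpn_last=$(( vpn_first | (4294967295 - vmask) ))   # network | host bits all set
    [ "$dhcp_first" -le "$vpn_last" ] && [ "$vpn_first" -le "$dhcp_last" ]
}

# report_pools: same arguments as vpn_dhcp_overlaps, prints both ranges.
report_pools() {
    net=$(( $(ip2int "$1") & $(ip2int "$2") ))
    vmask=$(ip2int "$6")
    vfirst=$(( $(ip2int "$5") & vmask ))
    echo "DHCP pool: $(int2ip $(( net + $3 ))) - $(dhcp_last_addr "$1" "$2" "$3" "$4")"
    echo "VPN pool:  $(int2ip $vfirst) - $(int2ip $(( vfirst | (4294967295 - vmask) )))"
}

# Values from the proxy-ARP section: LAN 10.100.2.0/24, DHCP start=100 limit=91,
# VPN pool 10.100.2.192/26 (constructed invocation for illustration).
report_pools 10.100.2.1 255.255.255.0 100 91 10.100.2.192 255.255.255.192
if vpn_dhcp_overlaps 10.100.2.1 255.255.255.0 100 91 10.100.2.192 255.255.255.192; then
    echo "CONFLICT: lower dhcp.lan.limit or move the VPN pool"
else
    echo "OK: DHCP and VPN pools are disjoint"
fi

# OpenWrt's default pool (start=100 limit=150) reaches .249 and does overlap:
if vpn_dhcp_overlaps 10.100.2.1 255.255.255.0 100 150 10.100.2.192 255.255.255.192; then
    echo "default DHCP pool overlaps the VPN pool; apply the uci commands above"
fi
```

On a router the six arguments can be taken from `uci get network.lan.ipaddr`,
`uci get network.lan.netmask`, `uci get dhcp.lan.start`, `uci get dhcp.lan.limit`,
`uci get ocserv.config.ipaddr` and `uci get ocserv.config.netmask`; with the
forwarding approach the VPN pool lives in a different network and the check
trivially passes.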
2. Forwarding Approach
======================
To set up a server that provides access to a LAN with network address
10.100.2.0/255.255.255.0 using the VPN address range
10.100.3.0/255.255.255.0, add the following to /etc/config/ocserv:
```
----/etc/config/ocserv-------------------------------------------
config ocserv 'config'
	option port '443'
	option dpd '120'
	option max_clients '8'
	option max_same '2'
	option netmask '255.255.255.0'
	option ipaddr '10.100.3.0'
	option auth 'plain'
	option default_domain 'lan'
	option compression '1'
	option enable '1'

config dns
	option ip '10.100.2.1'

config routes
	option ip '10.100.2.0'
	option netmask '255.255.255.0'

config ocservusers
	option name 'test'
	option password '$5$unl8uKAGNsdTh9zm$PnUHEGhDc5VHbFE2EfWwW38Bub6Y6EZ5hrFwZE1r2F1'
-----------------------------------------------------------------
```
Setting up split-dns
====================
To allow the clients to resolve names in the local domain, add the following
to the ocserv configuration file.
```
----/etc/config/ocserv-------------------------------------------
config ocserv 'config'
	option split_dns '1'
	option default_domain 'mydomain'
-----------------------------------------------------------------
```
The `default_domain` is optional; if not set, it will be autodetected
from dnsmasq's configuration.
Setting up the firewall
=======================
Since the connected users will be assigned to interfaces other than the LAN
one, it is required to assign the VPN clients to an interface and enable
forwarding for them. That is, you should set up an unmanaged interface (e.g.,
called vpn) which owns the 'vpns+' interfaces (i.e., all vpns
interfaces). Then a zone called vpn should be set up to handle interactions
with lan. An example, which allows all forwarding between LAN and VPN clients,
follows.
```
----/etc/config/network------------------------------------------
config interface 'vpn'
	option proto 'none'
	option ifname 'vpns+'
-----------------------------------------------------------------

----/etc/config/firewall-----------------------------------------
config zone
	option input 'ACCEPT'
	option forward 'ACCEPT'
	option output 'ACCEPT'
	option name 'vpn'
	option device 'vpns+'
	option network 'vpn'

config forwarding
	option dest 'lan'
	option src 'vpn'

config forwarding
	option dest 'vpn'
	option src 'lan'

config rule
	option target 'ACCEPT'
	option src 'wan'
	option proto 'tcp'
	option dest_port '443'
	option name 'vpn'

config rule
	option target 'ACCEPT'
	option src 'wan'
	option proto 'udp'
	option dest_port '443'
	option name 'vpn'
-----------------------------------------------------------------
```
Note that the last two rules open port 443 (TCP and UDP) to connections from the
Internet; that is the port used by the OpenConnect VPN server.
Using an externally-supplied server certificate
===============================================
By default, a self-signed SSL certificate is used to identify the server.
A certificate issued by an external Certificate Authority (such as
Let's Encrypt) may be used instead.
First, obtain the certificate and private key (for example using acme):
they will be installed somewhere like `/etc/acme/<your-dns-name>`. The two
relevant files are <your-dns-name>.key, the private key, and
fullchain.cer, the certificate together with its full chain of trust.
Then add the following to the ocserv configuration file:
```
----/etc/config/ocserv-------------------------------------------
config ocserv 'config'
	option server_key '<path-to-server-key.key>'
	option server_cert '<path-to-fullchain-cert.cer>'
-----------------------------------------------------------------
```
Starting the server
===================
Note that both configurations above add the user "test" with password "test". The
password is specified in the crypt(3) format.
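Before enabling the service it is worth checking the file for the mistakes
that matter most in this setup: a plaintext string in an ocservusers
`password` field (ocserv expects a crypt(3) hash there, so a plaintext value is
both a broken login and a credential sitting readable in the config), a
`max_clients` larger than the VPN pool, and a `server_key` without a
`server_cert` or vice versa. The following POSIX shell script is an added
example and not part of the ocserv package; it parses the UCI file with awk
(a deliberately minimal parser that understands the `config`/`option` lines
used in this README), embeds a constructed sample that is the proxy-ARP config
from above plus a second, misconfigured user, and reports each problem found.

```shell
#!/bin/sh
# Added example, not part of the ocserv package: lint an /etc/config/ocserv
# file before enabling the server. Checks that every ocservusers entry carries
# a crypt(3) hash rather than a plaintext password, that max_clients fits in
# the VPN pool, and that server_key/server_cert are set as a pair.

# Constructed sample: the proxy-ARP config plus a second user with a plaintext
# password, so the checks have something to flag.
write_sample() {
    cat >"$1" <<'EOF'
config ocserv 'config'
	option port '443'
	option max_clients '8'
	option netmask '255.255.255.192'
	option ipaddr '10.100.2.192'
	option auth 'plain'
	option enable '1'

config ocservusers
	option name 'test'
	option password '$5$unl8uKAGNsdTh9zm$PnUHEGhDc5VHbFE2EfWwW38Bub6Y6EZ5hrFwZE1r2F1'

config ocservusers
	option name 'bob'
	option password 'hunter2'
EOF
}

# uci_get FILE SECTION_TYPE OPTION: print the option's value(s) without quotes.
uci_get() {
    awk -v sect="$2" -v opt="$3" '
        $1 == "config" { cur = $2 }
        $1 == "option" && cur == sect && $2 == opt { print $3 }
    ' "$1" | tr -d "'"
}

# list_users FILE: one "name password" line per ocservusers section.
list_users() {
    awk '
        function emit() { if (cur == "ocservusers" && name != "") print name, pw }
        $1 == "config" { emit(); cur = $2; name = ""; pw = "" }
        $1 == "option" && cur == "ocservusers" && $2 == "name" { name = $3 }
        $1 == "option" && cur == "ocservusers" && $2 == "password" { pw = $3 }
        END { emit() }
    ' "$1" | tr -d "'"
}

# Dotted-quad -> 32-bit integer.
ip2int() {
    set -- $(printf '%s\n' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# check_passwords FILE: fail if any user has a plaintext or missing password.
check_passwords() {
    bad=0
    for entry in $(list_users "$1" | tr ' ' ':'); do
        name=${entry%%:*}; pw=${entry#*:}
        case $pw in
            '$5$'*|'$6$'*) ;;   # SHA-256 / SHA-512 crypt(3) schemes
            '$'*) echo "user '$name': crypt scheme is not SHA-based, consider regenerating" ;;
            *) echo "user '$name': password is plaintext or missing, not a crypt(3) hash"; bad=1 ;;
        esac
    done
    return $bad
}

# check_capacity FILE: max_clients must fit in the usable VPN addresses.
check_capacity() {
    mask=$(uci_get "$1" ocserv netmask)
    max=$(uci_get "$1" ocserv max_clients)
    if [ -z "$mask" ]; then
        echo "netmask not set; ocserv will choose the pool at startup"
        return 0
    fi
    usable=$(( 4294967295 - $(ip2int "$mask") - 1 ))   # pool size minus network/broadcast
    if [ "${max:-0}" -gt "$usable" ]; then            # max_clients 0 means unlimited
        echo "max_clients=$max exceeds the $usable usable VPN addresses"
        return 1
    fi
    return 0
}

# check_cert_pair FILE: an external certificate needs both key and chain.
check_cert_pair() {
    key=$(uci_get "$1" ocserv server_key)
    cert=$(uci_get "$1" ocserv server_cert)
    if [ -n "$key$cert" ] && { [ -z "$key" ] || [ -z "$cert" ]; }; then
        echo "server_key and server_cert must be set together"
        return 1
    fi
    return 0
}

# lint_config FILE: run every check, exit 0 only if all pass.
lint_config() {
    rc=0
    check_passwords "$1" || rc=1
    check_capacity "$1" || rc=1
    check_cert_pair "$1" || rc=1
    return $rc
}

tmp=$(mktemp)
write_sample "$tmp"
if lint_config "$tmp"; then
    echo "config OK"
else
    echo "fix the problems above before starting ocserv"
fi
rm -f "$tmp"
```

To lint the real file, call `lint_config /etc/config/ocserv` instead of the
sample; a hash in the expected format can be produced with `openssl passwd -5`
(SHA-256 crypt) on a machine with OpenSSL 1.1.1 or newer, so the plaintext
password never needs to be written into the config.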
The server can be enabled and started using:
```
# /etc/init.d/ocserv enable
# /etc/init.d/ocserv start
```
Any additional ocserv configuration options may be placed in
/etc/ocserv/ocserv.conf.local.
There is a LuCI plugin for configuring the server from the web
interface; see the luci-app-ocserv package.