Openconnect VPN server implementation on OpenWRT router using certificate authentication
本帖最後由 tomleehk 於 2022-12-25 15:27 編輯
Successfully followed the below walkthrough to install and set up Openconnect VPN server on OpenWRT router using certificate authentication.
Proved default gateway re-direction working with CISCO Anyconnect client connection ( on IOS and Android ) and www.getip.com.
Original article :
http://blog.ltns.info/linux/open ... client_smart_proxy/
Updated : 08-Nov-2016
Original article updated with procedure to make OpenConnect able to run on OpenWRT ver.15.05.1 using certificate authentication.
Hardware : LINKSYS WRT54GS : 8M Flash (This antique hardware is simply used for testing/practice)
O/S : openwrt-15.05-brcm47xx-legacy-linksys-wrt54gs-squashfs.bin <== downloaded at https://downloads.openwrt.org/ ( Chaos Calmer 15.05 )
Supplementary Note :
1) I selected Chaos Calmer 15.05 branch as it appeared to me that other branches failed to establish successful connection even using the simplest USER ID/Password authentication mode.
2) Other software need : SSL Toolkit for .p12 creation
( I used OpenSSL <= downloaded at https://www.openssl.org/community/binaries.html )
SSH Client for OpenWRT file management
( I used WINSCP <= downloaded at https://winscp.net/eng/index.php
SSH Client for terminal emulation
( I used OpenSSH <= downloaded at http://sshwindows.sourceforge.net/download/ )
OpenConnect installation/setup steps :
1) Install OpenWRT firmware and connect the router to internet
2) Use TelNet to access default server IP 192.168.1.1 and input the followings
nvram set boot_wait=on
nvram set boot_time=10
nvram set wait_time=10
nvram commit
reboot
Remark : These are to facilitate firmware recovery in case your router is bricked.
3) Use TelNet to access default server IP 192.168.1.1 again and input the followings to install packages
opkg update
opkg install ocserv
opkg install luci-app-ocserv
opkg install luci-app-ddns
4) Enable the packages via LUCI (Service/Dynamic DNS, Service/OpenConnect VPN) or at TelNet terminal with appropriate command
5) Set root password via LUCI (System/Administration) or via TelNet terminal.
Note that once the root password is set, Telnet is no longer able to access the router. You need to use a tool such as OpenSSH to access the router and emulate the terminal command prompt.
6) Enable SSH via LUCI (System/Administration)
7) Make sure DDNS and OCSERV package is enabled (System/Startup) and reboot router
8) Configure DDNS via LUCI (Services/Dynamic DNS)
9) Configure Local Time zone via LUCI (System/System)
10) Use WINSCP to access 192.168.1.1 to edit template file /etc/ocserv/pki/server.tmpl
cn=<Your VPN server URL, e.g. vpn.dyndns.org>
serial=2
expiration_days=3650
signing_key
encryption_key
11) Use WINSCP to access 192.168.1.1 to edit template file /etc/ocserv/pki/ca.tmpl
cn=<Your VPN server URL, e.g. vpn.dyndns.org>
expiration_days=3650
serial=1
ca
cert_signing_key
12) Then create the new ca.pem and server-cert.pem
certtool --template /etc/ocserv/pki/ca.tmpl --generate-self-signed --load-privkey /etc/ocserv/ca-key.pem --outfile /etc/ocserv/ca.pem
certtool --template /etc/ocserv/pki/server.tmpl --generate-certificate --load-privkey /etc/ocserv/server-key.pem --load-ca-certificate /etc/ocserv/ca.pem --load-ca-privkey /etc/ocserv/ca-key.pem --outfile /etc/ocserv/server-cert.pem
13) Restart OCSERV via LUCI (System/Startup) or via OpenSSH (terminal emulation) with appropriate command.
14) Use WINSCP to access 192.168.1.1 and backup /etc/ocserv/ocserv.conf. Then replace /etc/ocserv/ocserv.conf with appropriate content. Sample shown below :- auth = "certificate"
- listen-host-is-dyndns = true
- max-clients = 16
- max-same-clients = 10
- tcp-port = 443
- udp-port = 443
- keepalive = 32400
- dpd = 240
- mobile-dpd = 1800
- try-mtu-discovery = true
- server-cert = /etc/ocserv/server-cert.pem
- server-key = /etc/ocserv/server-key.pem
- ca-cert = /etc/ocserv/ca.pem
- cert-user-oid = 2.5.4.3
- tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT"
- auth-timeout = 40
- cookie-timeout = 300
- rekey-time = 172800
- rekey-method = ssl
- connect-script = /usr/bin/ocserv-script
- disconnect-script = /usr/bin/ocserv-script
- use-utmp = true
- pid-file = /var/run/ocserv.pid
- chroot-dir = /var/lib/ocserv
- socket-file = ocserv-socket
- run-as-user = ocserv
- run-as-group = ocserv
- net-priority = 5
- cgroup = "cpuset,cpu:test"
- device = vpns
- default-domain = <your vpn server URL, e.g. vpn.dyndns.org>
- ipv4-network = 192.168.60.0
- ipv4-netmask = 255.255.255.0
- dns = 8.8.8.8
- ping-leases = false
- output-buffer = 10
- #route = 192.168.1.0/255.255.255.0
- #route = 192.168.5.0/255.255.255.0
- #route = fef4:db8:1000:1001::/64
- route-add-cmd = "ip route add %{R} dev %{D}"
- route-del-cmd = "ip route delete %{R} dev %{D}"
- cisco-client-compat = true
- custom-header = "X-DTLS-MTU: 1200"
- custom-header = "X-CSTP-MTU: 1200"
Important : Any typo and mistake made in this file may make your OpenConnect Server unable to be launched.
14) Make sure ocserv is enabled via LUCI (Service/Dynamic DNS/Server settings/General settings) and at the same screen input the configuration that matches the content of /etc/ocserv/ocserv.conf that you just modified.
15) Modify firewall rules via LUCI (Network/Firewall/Custom Rules)
iptables -I INPUT -p tcp --dport 443 -j ACCEPT
iptables -I INPUT -p udp --dport 443 -j ACCEPT
iptables -I FORWARD -i vpns+ -s 192.168.60.0/24 -j ACCEPT
iptables -I INPUT -i vpns+ -s 192.168.60.0/24 -j ACCEPT
16) Restart router and make sure your Openconnect Server can be up properly. If you can find the below 2 processes
ocserv-main
{ocserv-secmod} ocserv-secm
at LUCI (Status/Processes), the Openconnect Server is launched properly.
If Openconnect Server cannot be launched, review and troubleshoot your configuration.
17) Use WINSCP to access router 192.168.1.1 and create a new file /etc/ocserv/pki/client.tmpl with the below content :
cn = client
unit = "users"
expiration_days = 3650
signing_key
tls_www_client
18) Use OpenSSH to access router 192.168.1.1 and input the followings at the command prompt one by one.
cd /etc/ocserv
ln -s pki/ca.tmpl ca.tmpl
ln -s pki/server.tmpl server.tmpl
ln -s ca.pem ca-cert.pem
cp pki/client.tmpl client.tmpl
certtool --generate-privkey --outfile user-key.pem
certtool --generate-certificate --load-privkey user-key.pem --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem --template client.tmpl --outfile user-cert.pem
19) Use WINSCP to to access router 192.168.1.1 and extract the 3 files : user-key.pem, ca-cert.pem and user-cert.pem from /etc/ocserv to a certain folder on your computer.
At the DOS prompt and change to the same folder, use SSL tool to create the file user-cert.p12.
e.g. c:\openssl-win32\bin\openssl pkcs12 -export -inkey user-key.pem -in user-cert.pem -name "client" -certfile ca-cert.pem -caname "VPN CA" -out user-cert.p12
Remark : You may be prompted to create a password for the file user-cert.p12 during creation. Just input the password you desired when prompted.
20) Then load the user-cert.p12 to the Iphone or Android with the corresponding client (e.g. CISCO AnyCoonect) installed and make the corresponding connection profile configuration accordingly. When loading the certificate into your client, you will be promted for the password and you just need to input the password you captured in the above step. For this part, you can refer to google.
Comment :
1) Credit goes to the original developer.. (Not me!)
2) Before making any connection testing, make sure
- root password at OpenWRT has been set.
- DDNS is working and your VPN server URL has been updated properly.
- NTP is running properly and your router is showing the correct date/time.
3) In addition to the backup of the OpenWRT server configuration via LUCI (System /Backup, Flash Firmware/Backup,Restore/Generate Archive), it is suggested to backup all the content at and below the folder /etc/ocserv/ after all tests are completed. This is to save time when you need to restore the server, you do not need to re-generate the certificate/key files again.
4) Even though the VPN connection is working properly, a number of error messages were still found at the OpenWRT system log when ocserv is launched. These are to be fine-tuned/studied if I have spare time.
5) If you prefer using the simplest ID/Password authentication method, simply make the corresponding VPN configuration via LUCI(Service/OpenConnect VPN/General Settings, User Settings) and Firewall(Network/Firewall/Custom Rules) and skip anything related to certificate, template files.
6) The antique hardware is simply used for testing/practice and faster equipment is more recommended for live running. |
發表於 2015-10-18 10:24
| 
, 升級router都唔會改善得好多囉..