
Title: Openconnect VPN server implementation on OpenWRT router using certificate authentication

Author: tomleehk    Time: 2015-10-18 10:24     Title: Openconnect VPN server implementation on OpenWRT router using certificate authentication

This post was last edited by tomleehk on 2022-12-25 15:27

Successfully followed the below walkthrough to install and set up Openconnect VPN server on OpenWRT router using certificate authentication.
Verified that default gateway redirection works with CISCO AnyConnect client connections (on iOS and Android) using www.getip.com.

Original article :
http://blog.ltns.info/linux/open ... client_smart_proxy/
Updated : 08-Nov-2016
Original article updated with procedure to make OpenConnect able to run on OpenWRT ver.15.05.1 using certificate authentication.


Hardware :  LINKSYS WRT54GS : 8M Flash (This antique hardware is simply used for testing/practice)
O/S         :  openwrt-15.05-brcm47xx-legacy-linksys-wrt54gs-squashfs.bin <== downloaded at https://downloads.openwrt.org/   ( Chaos Calmer 15.05 )

Supplementary Note :
1) I selected the Chaos Calmer 15.05 branch as it appeared to me that other branches failed to establish a successful connection even using the simplest USER ID/Password authentication mode.
2) Other software needed :
     SSL Toolkit for .p12 creation ( I used OpenSSL <= downloaded at https://www.openssl.org/community/binaries.html )
     SSH Client for OpenWRT file management ( I used WINSCP <= downloaded at https://winscp.net/eng/index.php )
     SSH Client for terminal emulation ( I used OpenSSH <= downloaded at http://sshwindows.sourceforge.net/download/ )

OpenConnect installation/setup steps :
1) Install OpenWRT firmware and connect the router to internet
2) Use TelNet to access the default server IP 192.168.1.1 and enter the following
    nvram set boot_wait=on
    nvram set boot_time=10
    nvram set wait_time=10
    nvram commit
    reboot  
    Remark : These are to facilitate firmware recovery in case your router is bricked.
3) Use TelNet to access the default server IP 192.168.1.1 again and enter the following to install the packages
    opkg update
    opkg install ocserv
    opkg install luci-app-ocserv   
    opkg install luci-app-ddns
4) Enable the packages via LUCI (Service/Dynamic DNS, Service/OpenConnect VPN) or at the TelNet terminal with the appropriate command
5) Set the root password via LUCI (System/Administration) or via the TelNet terminal.
    Note that once the root password is set, Telnet can no longer access the router. You need to use a tool such as OpenSSH to access the router and emulate the terminal command prompt.
6) Enable SSH via LUCI (System/Administration)
7) Make sure the DDNS and OCSERV packages are enabled (System/Startup) and reboot the router
8) Configure DDNS via LUCI (Services/Dynamic DNS)
9) Configure Local Time zone via LUCI (System/System)
10) Use WINSCP to access 192.168.1.1 to edit template file /etc/ocserv/pki/server.tmpl
      cn=<Your VPN server URL, e.g. vpn.dyndns.org>   
      serial=2
      expiration_days=3650
      signing_key
      encryption_key
11) Use WINSCP to access 192.168.1.1  to edit template file /etc/ocserv/pki/ca.tmpl
      cn=<Your VPN server URL, e.g. vpn.dyndns.org>
      expiration_days=3650
      serial=1
      ca
      cert_signing_key
12) Then create the new ca.pem and server-cert.pem
      certtool --template /etc/ocserv/pki/ca.tmpl --generate-self-signed --load-privkey /etc/ocserv/ca-key.pem  --outfile /etc/ocserv/ca.pem
      certtool --template /etc/ocserv/pki/server.tmpl --generate-certificate --load-privkey /etc/ocserv/server-key.pem --load-ca-certificate /etc/ocserv/ca.pem --load-ca-privkey /etc/ocserv/ca-key.pem --outfile /etc/ocserv/server-cert.pem
13) Restart OCSERV via LUCI (System/Startup) or via OpenSSH (terminal emulation) with the appropriate command.
14) Use WINSCP to access 192.168.1.1 and back up /etc/ocserv/ocserv.conf. Then replace /etc/ocserv/ocserv.conf with appropriate content. A sample is shown below :
      auth = "certificate"
      listen-host-is-dyndns = true
      max-clients = 16
      max-same-clients = 10
      tcp-port = 443
      udp-port = 443
      keepalive = 32400
      dpd = 240
      mobile-dpd = 1800
      try-mtu-discovery = true
      server-cert = /etc/ocserv/server-cert.pem
      server-key = /etc/ocserv/server-key.pem
      ca-cert = /etc/ocserv/ca.pem
      cert-user-oid = 2.5.4.3
      tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT"
      auth-timeout = 40
      cookie-timeout = 300
      rekey-time = 172800
      rekey-method = ssl
      connect-script = /usr/bin/ocserv-script
      disconnect-script = /usr/bin/ocserv-script
      use-utmp = true
      pid-file = /var/run/ocserv.pid
      chroot-dir = /var/lib/ocserv
      socket-file = ocserv-socket
      run-as-user = ocserv
      run-as-group = ocserv
      net-priority = 5
      cgroup = "cpuset,cpu:test"
      device = vpns
      default-domain = <your vpn server URL, e.g. vpn.dyndns.org>
      ipv4-network = 192.168.60.0
      ipv4-netmask = 255.255.255.0
      dns = 8.8.8.8
      ping-leases = false
      output-buffer = 10
      #route = 192.168.1.0/255.255.255.0
      #route = 192.168.5.0/255.255.255.0
      #route = fef4:db8:1000:1001::/64
      route-add-cmd = "ip route add %{R} dev %{D}"
      route-del-cmd = "ip route delete %{R} dev %{D}"
      cisco-client-compat = true
      custom-header = "X-DTLS-MTU: 1200"
      custom-header = "X-CSTP-MTU: 1200"
You may customize the content with reference to the original ocserv.conf that you just backed up.

Important : Any typo or mistake in this file may prevent your OpenConnect Server from launching.

14) Make sure ocserv is enabled via LUCI (Service/Dynamic DNS/Server settings/General settings) and on the same screen enter the configuration that matches the content of /etc/ocserv/ocserv.conf that you just modified.

15) Modify the firewall rules via LUCI (Network/Firewall/Custom Rules)
      iptables -I INPUT -p tcp --dport 443 -j ACCEPT
      iptables -I INPUT -p udp --dport 443 -j ACCEPT
      iptables -I FORWARD -i vpns+ -s 192.168.60.0/24 -j ACCEPT
      iptables -I INPUT -i vpns+ -s 192.168.60.0/24 -j ACCEPT

16) Restart the router and make sure your Openconnect Server comes up properly. If you can find the 2 processes below
      ocserv-main
      {ocserv-secmod} ocserv-secm

      in LUCI (Status/Processes), the Openconnect Server has launched properly.
      If the Openconnect Server cannot be launched, review and troubleshoot your configuration.
17) Use WINSCP to access the router 192.168.1.1 and create a new file /etc/ocserv/pki/client.tmpl with the content below :
      cn = client
      unit = "users"
      expiration_days = 3650   
      signing_key
      tls_www_client
18) Use OpenSSH to access the router 192.168.1.1 and enter the following at the command prompt one by one.
      cd /etc/ocserv
      ln -s pki/ca.tmpl ca.tmpl            
      ln -s pki/server.tmpl server.tmpl
      ln -s ca.pem ca-cert.pem
      cp pki/client.tmpl client.tmpl

      certtool --generate-privkey --outfile user-key.pem

      certtool --generate-certificate --load-privkey user-key.pem --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem --template client.tmpl --outfile user-cert.pem
19) Use WINSCP to access the router 192.168.1.1 and extract the 3 files user-key.pem, ca-cert.pem and user-cert.pem from /etc/ocserv to a folder on your computer.
      At the DOS prompt, change to that folder and use the SSL tool to create the file user-cert.p12.
      e.g.   c:\openssl-win32\bin\openssl pkcs12 -export -inkey user-key.pem -in user-cert.pem -name "client" -certfile ca-cert.pem -caname "VPN CA" -out user-cert.p12
      Remark : You may be prompted to create a password for the file user-cert.p12 during creation. Just enter the password you want when prompted.
20) Then load user-cert.p12 onto the iPhone or Android device with the corresponding client (e.g. CISCO AnyConnect) installed and configure the connection profile accordingly. When loading the certificate into your client, you will be prompted for the password; just enter the password you entered in the step above. For this part, you can refer to Google.

Comment :
1) Credit goes to the original developer.. (Not me!)
2) Before making any connection testing, make sure
     - root password at OpenWRT has been set.
     - DDNS is working and your VPN server URL has been updated properly.
     - NTP is running properly and your router is showing the correct date/time.
3) In addition to backing up the OpenWRT server configuration via LUCI (System/Backup, Flash Firmware/Backup, Restore/Generate Archive), it is suggested to back up all the content at and below the folder /etc/ocserv/ after all tests are completed. This saves time when you need to restore the server, as you do not need to regenerate the certificate/key files.
4) Even though the VPN connection works properly, a number of error messages still appear in the OpenWRT system log when ocserv is launched. These are to be fine-tuned/studied if I have spare time.
5) If you prefer the simplest ID/Password authentication method, simply make the corresponding VPN configuration via LUCI (Service/OpenConnect VPN/General Settings, User Settings) and Firewall (Network/Firewall/Custom Rules) and skip anything related to certificates and template files.
6) The antique hardware is simply used for testing/practice; faster equipment is recommended for live running.
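The two ocserv.conf samples in this thread (the 15.05 one above and the 15.05.1 one posted later) differ in a few settings that matter to a defender: whether tls-priorities explicitly removes SSL 3.0, how long a session cookie stays valid, whether the commented-out route lines make the server the client's default gateway, and how many devices may share one certificate. The following linter is an added example, not code from the original post or from the ocserv project; the finding codes, the one-day cookie threshold and the two sample excerpts are my own constructions, while the keys it checks are the ones that appear in the posted configs.

```python
"""Lint an ocserv.conf excerpt for the settings discussed in this thread.

Added example: not code from the original post or from the ocserv project.
Finding codes, the one-day cookie threshold and the sample excerpts are my
own choices; the keys checked are the ones that appear in the posted configs.
"""

ONE_DAY = 86400  # seconds; assumed threshold for a "long" cookie lifetime


def parse_ocserv_conf(text):
    """Return (settings, findings).

    settings maps key -> list of values, because ocserv lets keys such as
    route, no-route and custom-header repeat. Lines without '=' are reported
    as findings rather than silently dropped.
    """
    settings, findings = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank or commented out (e.g. the route lines)
        if "=" not in line:
            findings.append(("MISSING_VALUE", f"line {lineno}: {line!r} has no value"))
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        settings.setdefault(key, []).append(value)
    return settings, findings


def lint(text):
    """Return a list of (code, detail) findings for an ocserv.conf excerpt."""
    settings, findings = parse_ocserv_conf(text)

    def last(key):
        return settings.get(key, [None])[-1]  # last occurrence wins

    auth = last("auth") or ""
    findings.append(("CERT_AUTH" if "certificate" in auth else "PASSWORD_AUTH",
                     f"auth = {auth!r}"))

    # The 15.05.1 config in the thread appends -VERS-SSL3.0; the 15.05 one does not.
    if "-VERS-SSL3.0" not in (last("tls-priorities") or ""):
        findings.append(("SSL3_NOT_DISABLED", "tls-priorities does not explicitly remove SSL 3.0"))

    # With every route line commented out (or "route = default") the server
    # becomes the client's default gateway: a full tunnel.
    routes = settings.get("route", [])
    if not routes or "default" in routes:
        findings.append(("FULL_TUNNEL", "no active route lines: all client traffic enters the VPN"))
    else:
        findings.append(("SPLIT_TUNNEL", f"{len(routes)} route line(s) pushed; other traffic stays local"))
    if settings.get("no-route"):
        findings.append(("NO_ROUTE_EXCLUSIONS", f"{len(settings['no-route'])} prefix(es) bypass the tunnel"))

    cookie = last("cookie-timeout")
    if cookie and cookie.isdigit() and int(cookie) > ONE_DAY:
        findings.append(("LONG_COOKIE_TIMEOUT",
                         f"cookie-timeout = {cookie}s allows reconnecting without re-authentication for that long"))

    same = last("max-same-clients")
    if same and same.isdigit() and int(same) > 1:
        findings.append(("SHARED_IDENTITY",
                         f"max-same-clients = {same}: one certificate or login may be used from several devices at once"))

    if not last("run-as-user"):
        findings.append(("NO_PRIVILEGE_DROP", "run-as-user is not set; workers are not switched to an unprivileged user"))
    return findings


def codes(text):
    """Sorted, de-duplicated finding codes, convenient for comparing two configs."""
    return sorted({code for code, _ in lint(text)})


# Constructed excerpts modelled on the two configs posted in this thread.
CONF_15_05 = """\
auth = "certificate"
tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT"
cookie-timeout = 300
max-same-clients = 10
run-as-user = ocserv
#route = 192.168.1.0/255.255.255.0
custom-header = "X-DTLS-MTU: 1200"
custom-header = "X-CSTP-MTU: 1200"
"""

CONF_15_05_1 = """\
auth = "certificate"
tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-VERS-SSL3.0"
mobile-idle-timeout
cookie-timeout = 86400000
max-same-clients = 10
run-as-user = ocserv
#route = ip
cisco-client-compat =true
"""

if __name__ == "__main__":
    for name, conf in (("15.05", CONF_15_05), ("15.05.1", CONF_15_05_1)):
        print(f"== {name}: {', '.join(codes(conf))}")
```

Run against the two excerpts, the older config is flagged for not removing SSL 3.0 and the newer one for a cookie lifetime of 1000 days and for the bare `mobile-idle-timeout` line that carries no value; both are full-tunnel setups that let ten devices share one certificate, which matches what the thread says about reusing a single client.p12.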
Author: 浮雲1965    Time: 2015-10-26 13:12

Why don't you try Tomato firmware? The 8M version already comes with PPTP and OpenVPN servers, so there's no need for all this installation hassle.
Author: tomleehk    Time: 2015-10-28 14:13

This post was last edited by tomleehk on 2015-11-2 21:22
Why don't you try Tomato firmware? The 8M version already comes with PPTP and OpenVPN servers, so there's no need for all this installation hassle.
浮雲1965 posted on 2015-10-26 13:12


If you've been following the news, you'd know that some places in mainland China have already succeeded in automatically blocking OpenVPN; PPTP, needless to say, is even easier to block..
The blocking technology already exists; the question is when it will happen to you..

For now, I haven't heard of OpenConnect VPN server being cracked down on, since it supports the CISCO AnyConnect client..

We need to keep up with the times and learn a few more techniques..
so that we aren't caught off guard and scrambling at the last minute if we suddenly get blocked one day..

I've been using OpenVPN on Tomato or DD-WRT at home for many, many years; I don't rule out replacing it entirely with OpenConnect..

I've also written an OpenVPN walkthrough for DD-WRT; I think the Tomato version of OpenVPN is much the same as DD-WRT, so I won't write it up again..
I deliberately pick the harder ones to write up and share with everyone, because the easy walkthroughs are easy to find on Google and don't need me to write them..

As far as I know, neither Tomato nor DD-WRT supports OpenConnect VPN server..
Author: tomleehk    Time: 2015-10-31 16:02

This post was last edited by tomleehk on 2016-5-9 14:15

The Luci script for showing connected users on the overview page is buggy: the user list is always empty.
Original Article:
http://jim-think.blogspot.hk/201 ... ver-on-openwrt.html

The file to change is /usr/lib/lua/luci/controller/ocserv.lua
Find the function ocserv_status() and replace it with the following
function ocserv_status()
    local ipt = io.popen("/usr/bin/occtl show users");
    if ipt then
        ipt:read("*l")  -- skip the header line of "occtl show users"
        local fwd = { }
        while true do
            local ln = ipt:read("*l")
            if not ln then break end

            -- split the line on whitespace into columns
            local arr, pos = {}, 1
            for k in ln:gmatch("%S+") do
                arr[pos] = k
                pos = pos + 1
            end
            if pos > 9 then  -- only rows with at least 9 columns are users
                fwd[#fwd+1] = {
                    id = arr[1],
                    user = arr[2],
                    group = arr[3],
                    vpn_ip = arr[4],
                    ip = arr[5],
                    device = arr[6],
                    time = arr[7],
                    cipher = arr[8],
                    status = arr[9]
                }
            end
        end
        ipt:close()
        luci.http.prepare_content("application/json")
        luci.http.write_json(fwd)
    end
end
Optional Configuration:
If you want your router's WAN IP address sent to a mailbox every time the router restarts, here is what you need to do:
http://www.telecom-cafe.com/forum/viewthread.php?tid=6894
Author: ckleea    Time: 2015-11-2 14:03

Reply to #4 tomleehk

Agreed.

The solution is to use OpenConnect, SSTP or IPsec.
Author: cyruschan112    Time: 2016-3-20 00:48

CHing

I'd like to ask how to make the client side force all traffic through the OpenConnect server (OpenWrt)?

On my phone I can already connect to OpenWrt (via Cisco AnyConnect),
but when I open a web page (www.getip.com) I find the IP is still the phone's IP
rather than the OpenConnect server's IP.
How can this be resolved?
The AnyConnect app doesn't seem to have any routing settings.
Author: tomleehk    Time: 2016-3-21 11:13

This post was last edited by tomleehk on 2016-3-21 11:16

The AnyConnect app has no routing settings..

http://www.infradead.org/ocserv/manual.html

On the OpenConnect server, in
/etc/ocserv/ocserv.conf  

# To set the server as the default gateway for the client just
# comment out all routes from the server, or use the special keyword
# 'default'.
#route = 10.10.10.0/255.255.255.0
#route = 192.168.0.0/255.255.0.0
#route = fef4:db8:1000:1001::/64
#route = default


You may have forgotten to comment them out..
Author: carlchan    Time: 2016-3-21 17:48

The AnyConnect app has no routing settings..



On the OpenConnect server, in
/etc/ocserv/ocserv.conf  

#  ...
tomleehk posted on 2016-3-21 11:13



It does have to be done this way...
Author: cyruschan112    Time: 2016-3-21 23:42

Reply to #7 tomleehk


   
thanks, problem solved
Author: tomleehk    Time: 2016-3-23 10:00

Reply to tomleehk


   
thanks, problem solved
cyruschan112 posted on 2016-3-21 23:42



Friend..

Which version of OpenWRT are you using?

Recently I tested the just-released version 15.05.1..

but I found it not very stable; sometimes the router hangs for no reason...

Have you had a similar experience?
Author: gameplayer    Time: 2016-3-28 01:14

Successfully followed the below walkthrough to install and set up Openconnect VPN server on OpenWRT  ...
tomleehk posted on 2015-10-18 10:24



CHING, I don't understand the P12 part; could you give some hints on what to do?
Author: tomleehk    Time: 2016-3-28 16:00

This post was last edited by tomleehk on 2016-3-28 20:10
CHING, I don't understand the P12 part; could you give some hints on what to do?
gameplayer posted on 2016-3-28 01:14



1) SSH Client for OpenWRT file management ( I used WINSCP <= downloaded at https://winscp.net/eng/index.php )
2) Need an SSL Toolkit for .p12 creation ( I used OpenSSL <= downloaded at https://www.openssl.org/community/binaries.html )
3) Use WINSCP to access the router 192.168.1.1 and extract the 3 files user-key.pem, ca-cert.pem and user-cert.pem from /etc/ocserv to a folder on your computer.
4) At the DOS prompt, change to that folder and use the SSL tool to create the file user-cert.p12.
      e.g.   c:\openssl-win32\bin\openssl pkcs12 -export -inkey user-key.pem -in user-cert.pem -name "client" -certfile ca-cert.pem -caname "VPN CA" -out user-cert.p12
Remark : You may be prompted to create a password for the file user-cert.p12 during creation. Just enter the password you want when prompted.
5) Then load user-cert.p12 onto the iPhone or Android device with the corresponding client (e.g. CISCO AnyConnect) installed and configure the connection profile accordingly. When loading the certificate into your client, you will be prompted for the password; just enter the password you entered in the step above. For this part, you can refer to Google.

If you just follow the steps one by one.. it should be fairly straightforward; I can't tell which part you don't understand?
Author: gameplayer    Time: 2016-3-29 21:11

This post was last edited by gameplayer on 2016-3-29 21:16
1) SSH Client for OpenWRT file management
                                     ( I used WINSCP  ...
tomleehk posted on 2016-3-28 16:00


CHING, I followed the instructions, but at step 16), I can't find the following two processes in LUCI (Status/Processes); the Openconnect Server can't start.
ocserv-main
{ocserv-secmod} ocserv-secm


14) Make sure ocserv is enabled via LUCI (Service/Dynamic DNS/Server settings/General settings) and at the same screen input the configuration that matches the content of /etc/ocserv/ocserv.conf that you just modified. -> should it be (Service/OpenConnect VPN/Server settings/General settings)?


If I copy the entire sample from step 14) into ocserv.conf, how should Service/OpenConnect VPN/Server settings/General settings be configured?
My settings are as shown in the screenshots; are they correct? Thank you very much!
(attached screenshots 3758 and 3759)
Author: tomleehk    Time: 2016-3-29 21:50

This post was last edited by tomleehk on 2016-3-29 23:24

From your settings screenshot.. I can't see any particular problem that would stop your OpenConnect Server from starting..

Just note that the config under the routing table should be deleted.. but that part won't stop the OpenConnect Server from starting..

Of course, I'm assuming you've already enabled the OpenConnect Server..

(attached screenshot 3761)
And of course I'm also assuming you followed all the steps and generated all the cert files, key files etc. in the /etc/ocserv folder..

You can double check these yourself.

You can try manually starting OpenConnect..

Use OpenSSH to connect to your router, and once you get the command prompt type..

    /etc/init.d/ocserv start

and see whether there's any error message.

Also, if your router isn't a Broadcom-based chipset, I can't rule out that a different kernel and different packages come with different problems/bugs.. which is why it won't start.

Of course, if you don't mind typing a password every time you connect to the VPN, you can switch to the User ID/Password authentication method.. then you won't need to deal with the cert files, key files etc.
Author: gameplayer    Time: 2016-3-29 23:26

From your settings screenshot.. I can't see any particular problem that would stop your OpenConnect Server from starting..

Just note that the config under the routing table  ...
tomleehk posted on 2016-3-29 21:50


It started successfully.
In LUCI (Status/Processes)

Thanks CHING for now; I'll try again tomorrow.
Author: gameplayer    Time: 2016-3-30 23:31

This post was last edited by gameplayer on 2016-3-30 23:47
From your settings screenshot.. I can't see any particular problem that would stop your OpenConnect Server from starting..

Just note that the config under the routing table  ...
tomleehk posted on 2016-3-29 21:50



The server starts, and I successfully loaded the user-cert.p12 file onto the iPhone, but the connection fails. Not sure where the problem is; I'll try again when I have time.

CHING, if I switch to the User ID/Password authentication method, should I choose IPSec VPN on Android/iOS? Or which client should I use? But IPSec VPN requires a secret key; where on the server side do I set the secret key?

Many Thanks!
Author: tomleehk    Time: 2016-3-30 23:55

This post was last edited by tomleehk on 2016-3-31 00:22

First, which OpenWRT version are you using?

15.05.1 (Released: Mon, 16 Mar 2016) or 15.05?

With 15.05.1 (Released: Mon, 16 Mar 2016) I also found that connecting with a cert fails no matter what.. I'm inclined to believe the package in ver 15.05.01 has some bug: connecting with a cert shows the connection as unsuccessful, but authenticating with ID/Password is OK..

I'm still on 15.05 now, connecting with a cert, because I don't want to type a password on every connection.
iOS, Android, Windows are all so far so good.

If you switch to the User ID/Password authentication method, just keep using CISCO AnyConnect as the client.
Author: cyruschan112    Time: 2016-4-3 23:59

This post was last edited by cyruschan112 on 2016-4-4 00:02

Reply to #10 tomleehk


(attached screenshot 3766)

I haven't kept it running continuously yet, so I'm not sure whether the task hangs.
But after changing the openconnect config you must reboot the router,
because the process disappears (I know restarting the openconnect task itself should also work, but I'm really not familiar with Linux).

And I connect with user name and password; I haven't had time to try a cert.

How is the speed for everyone?
My ASUS 500W gets at most around 5M; at home I use HKBN BB100.
Author: cyruschan112    Time: 2016-4-4 00:04

This post was last edited by cyruschan112 on 2016-4-4 00:07

Reply to #16 gameplayer

For the client, use the app (Cisco AnyConnect) on iOS/Android.
I've also tried OpenConnect on Android; it can connect.
When I'm in mainland China I use user name/password, not a cert.

PS: In AnyConnect's settings, I don't use Connect with IPsec.
Author: tomleehk    Time: 2016-4-4 09:50

This post was last edited by tomleehk on 2016-4-4 10:16
Reply to gameplayer

How is the speed for everyone?

cyruschan112 posted on 2016-4-4 00:04


Even watching myTV live streams on my phone from abroad, I find it doesn't pixelate or stutter; it's very smooth, no different from watching locally.. If the WiFi signal is strong and stable enough, watching continuously for one or two hours is no problem..

Your router's hardware config is about the same as mine, so I think the speed should be OK.. If you want it faster, the only option is to try a faster router.
Author: cyruschan112    Time: 2016-4-4 14:48

This post was last edited by cyruschan112 on 2016-4-4 14:51

Reply to #20 tomleehk


Haven't tried using it for binge-watching dramas;
just general Facebook browsing and looking things up on Google only.
The speedtest was done in Hong Kong, because the home network in mainland China is only 4M,
so testing there is pointless.

And I won't invest too much more in routers,
unless one breaks....
But I find routers are quite durable; my ASUS 520GU from N years ago still works, but unfortunately it only has 16M RAM and runs OpenWrt extremely laggily....
Author: tomleehk    Time: 2016-4-4 16:32

This post was last edited by tomleehk on 2016-4-4 17:34
Reply to tomleehk

But I find routers are quite durable; my ASUS 520GU from N years ago still works, but unfortunately it only has 16M RAM and runs OpenWrt extremely laggily....

cyruschan112 posted on 2016-4-4 14:48


My router hardware is very modest: CPU 300MHz, 8M ROM + 32M RAM, gigabit LAN/WAN.

The OpenWRT GUI is a bit laggy, but acceptable; anyway, once the config is set up and tested it rarely changes..

But if the client's network is only 4Mb, upgrading the router won't improve things much..

Routers really are durable; I've never had one fail, only the power adapter has failed two or three times..
Author: gameplayer    Time: 2016-4-4 20:21

First, which OpenWRT version are you using?

15.05.1 (Released: Mon, 16 Mar 2016) or 15.05?

15.05.1 (Released: Mo ...
tomleehk posted on 2016-3-30 23:55



Ching, I'm using OpenWrt Chaos Calmer 15.05.
Author: tomleehk    Time: 2016-4-4 22:38

This post was last edited by tomleehk on 2016-4-4 22:40
Ching, I'm using OpenWrt Chaos Calmer 15.05.
gameplayer posted on 2016-4-4 20:21



If you're on Chaos Calmer 15.05, then review the setup steps once more..

Or try the user ID/Password authentication method...
Author: tomleehk    Time: 2016-11-8 23:38

This post was last edited by tomleehk on 2016-11-9 00:13

Updated : 09-Nov-2016

Reference article : http://blog.ltns.info/linux/open ... client_smart_proxy/

2016.09.16 update
2016.10.24 update
Sections



Successfully updated to OpenWRT ver.15.05.1 and running OpenConnect with certificate authentication
1) Did not re-create any pem or p12 files; just reused the batch of files that was working on 15.05
2) Edit the startup script /etc/init.d/dnsmasq and comment out or delete the corresponding line below
...
        append_bool "$cfg" proxydnssec "--proxy-dnssec"
        # append_bool "$cfg" localservice "--local-service"
        append_bool "$cfg" quietdhcp "--quiet-dhcp"
...
3) Switch to the new version of the ocserv configuration file
      auth = "certificate"
      listen-host-is-dyndns = true
      max-clients = 16
      max-same-clients = 10
      tcp-port = 443
      udp-port = 443
      keepalive = 32400
      dpd = 240
      mobile-dpd = 1800
      try-mtu-discovery = true
      server-cert = /etc/ocserv/server-cert.pem
      server-key = /etc/ocserv/server-key.pem
      ca-cert = /etc/ocserv/ca-cert.pem
      cert-user-oid = 2.5.4.3
      #cert-group-oid = 2.5.4.11
      tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-VERS-SSL3.0"
      auth-timeout = 40
      mobile-idle-timeout
      cookie-timeout = 86400000
      rekey-time = 86400000
      rekey-method = ssl
      #connect-script = /etc/ocserv/connect-script
      #disconnect-script = /etc/ocserv/connect-script
      use-utmp = true
      use-occtl = true
      pid-file = /var/run/ocserv.pid
      socket-file = /var/run/ocserv-socket
      run-as-user = ocserv
      run-as-group = ocserv
      net-priority = 5
      cgroup = "cpuset,cpu:test"
      device = vpns
      default-domain = <your vpn server URL, e.g. vpn.dyndns.org>
      ipv4-network = 192.168.60.1
      ipv4-netmask = 255.255.255.0
      dns = 8.8.8.8
      ping-leases = false
      output-buffer = 10
      #route = ip
      route-add-cmd = "ip route add %{R} dev %{D}"
      route-del-cmd = "ip route delete %{R} dev %{D}"
      cisco-client-compat = true
      custom-header = "X-DTLS-MTU: 1200"
      custom-header = "X-CSTP-MTU: 1200"
Not using connect-script or disconnect-script

4) Modify /etc/init.d/ocserv
.....
     SERVICE_USE_PID=1
     START=97
     setup_config() {
.....

Re-enable ocserv
Author: yiucsw    Time: 2019-12-30 00:18

This post was last edited by yiucsw on 2019-12-30 01:21

Found that after a reboot, ocserv can't start up.
Need to add: (sleep 11; /etc/init.d/ocserv start)&
https://cndaqiang.github.io/2017/09/27/openwrt-ocserv/

System log error:
daemon.info ocserv[2670]: sec-mod: reading supplemental config from files
daemon.info ocserv[2670]: sec-mod: sec-mod initialized (socket: /var/run/ocserv-socket.4955d7de)

Finally added one more line in System > Startup > Local startup:
(sleep 30; ocserv )&
Author: tomleehk    Time: 2019-12-30 00:39

This post was last edited by tomleehk on 2019-12-30 00:48

As I recall, the older OpenWrt versions never had a boot-time startup problem.
Recently, on versions 18.06.1 through 18.06.5, I haven't run into a boot-time startup problem either, and never added a sleep..
/etc/init.d/ocserv enable <<enter>>
That's what enables it at startup.
I've always used luci-app-ocserv; LuCI has an enable option, not sure whether that's related.
Author: yiucsw    Time: 2019-12-30 11:33

This post was last edited by yiucsw on 2019-12-30 11:35

Recently I started a V2Ray server, so I need to bring up an OpenConnect server so that the OpenConnect client can be used when there are problems. I'd like to ask whether it's possible to remotely access the OpenConnect client's router (the OpenWrt OpenConnect client installed on it) to resolve problems.
Adding sleep 20 to start_service in /etc/init.d/ocserv didn't help.
In LuCI > System > Startup > Local startup, I added (sleep 11; /etc/init.d/ocserv start)& and could see the 2 processes, but couldn't access the server;
finally, in LuCI > System > Startup > Local startup I added (sleep 30; ocserv )& and now I can access the OpenConnect server.
I want to access the OpenWrt OpenConnect client in mainland China; is that possible?
Is there an OpenWrt firewall setup I can refer to for this? I tried adding a firewall zone, but the interface wouldn't start.

Currently using a China Unicom SIM card for internet in mainland China; does it have a real (public) IP?
Author: tomleehk    Time: 2019-12-30 12:31

This post was last edited by tomleehk on 2019-12-30 13:40

The ocserv server is a server, and the client is a client; a client cannot be remotely accessed.
The solution is to install both client and server on the router; you remotely access the ocserv server, which gets you onto the router, and indirectly configure the client part.

With SIM card internet, even if you see a real IP, it only represents the exchange/base station, not your phone.
Author: yiucsw    Time: 2020-1-1 13:55

Understood; it's rather troublesome. Without a public IP in mainland China, I can't install an OpenConnect server.
Now adding CISCO AnyConnect on iPhone/iPad.
For the new iPad AnyConnect client, adding the certificate:
On the iPad, open the email, long-press the .p12 attachment, and share it to AnyConnect.
See the iOS section.
https://www.linuxbabe.com/ubuntu ... t-vpn-server-ocserv
Author: yiucsw    Time: 2020-1-1 19:38

In Step 17, creating the client .p12, does each client need to be created with a changed cn=client? cn=client1.... Can one client .p12 be reused?
17)  /etc/ocserv/pki/client.tmpl
      cn = client
      unit = "users"
      expiration_days = 3650   
      signing_key
      tls_www_client
Author: tomleehk    Time: 2020-1-1 19:54

This post was last edited by tomleehk on 2020-1-2 00:14

Different devices can use the same client.p12 to connect to the server at the same time.

Note that the server config has the line
max-same-clients = 10
Author: yiucsw    Time: 2020-1-9 14:01

This post was last edited by yiucsw on 2020-1-9 14:03

I'd like to add no-route to ocserv.conf. After using it, do local websites no longer route through the VPN?
Reason for the change: mainly the bandwidth in mainland China is too low at 10Mbps, and WeChat video has problems.

https://github.com/wppurking/ocs ... /ocserv/ocserv.conf

no-route = 192.168.0.0/255.255.0.0
no-route = 1.0.0.0/255.192.0.0
no-route = 1.64.0.0/255.224.0.0
no-route = 1.112.0.0/255.248.0.0
no-route = 1.176.0.0/255.240.0.0
no-route = 1.192.0.0/255.240.0.0
no-route = 14.0.0.0/255.224.0.0
no-route = 14.96.0.0/255.224.0.0
no-route = 14.128.0.0/255.224.0.0
no-route = 14.192.0.0/255.224.0.0
no-route = 27.0.0.0/255.192.0.0
no-route = 27.96.0.0/255.224.0.0
no-route = 27.128.0.0/255.224.0.0
no-route = 27.176.0.0/255.240.0.0
no-route = 27.192.0.0/255.224.0.0
no-route = 27.224.0.0/255.252.0.0
no-route = 36.0.0.0/255.192.0.0
no-route = 36.96.0.0/255.224.0.0
no-route = 36.128.0.0/255.192.0.0
no-route = 36.192.0.0/255.224.0.0
no-route = 36.240.0.0/255.240.0.0
no-route = 39.0.0.0/255.255.0.0
no-route = 39.64.0.0/255.224.0.0
no-route = 39.96.0.0/255.240.0.0
no-route = 39.128.0.0/255.192.0.0
no-route = 40.72.0.0/255.254.0.0
no-route = 40.124.0.0/255.252.0.0
no-route = 42.0.0.0/255.248.0.0
no-route = 42.48.0.0/255.240.0.0
no-route = 42.80.0.0/255.240.0.0
no-route = 42.96.0.0/255.224.0.0
no-route = 42.128.0.0/255.128.0.0
no-route = 43.224.0.0/255.224.0.0
no-route = 45.3.32.0/255.255.224.0
no-route = 45.65.16.0/255.255.240.0
no-route = 45.78.80.0/255.255.240.0
no-route = 45.112.0.0/255.240.0.0
no-route = 45.248.0.0/255.248.0.0
no-route = 47.92.0.0/255.252.0.0
no-route = 47.96.0.0/255.224.0.0
no-route = 49.0.0.0/255.128.0.0
no-route = 49.128.0.0/255.224.0.0
no-route = 49.192.0.0/255.192.0.0
no-route = 52.80.0.0/255.252.0.0
no-route = 54.222.0.0/255.254.0.0
no-route = 58.0.0.0/255.128.0.0
no-route = 58.128.0.0/255.224.0.0
no-route = 58.192.0.0/255.224.0.0
no-route = 58.240.0.0/255.240.0.0
no-route = 59.32.0.0/255.224.0.0
no-route = 59.64.0.0/255.224.0.0
no-route = 59.96.0.0/255.240.0.0
no-route = 59.144.0.0/255.240.0.0
no-route = 59.160.0.0/255.224.0.0
no-route = 59.192.0.0/255.192.0.0
no-route = 60.0.0.0/255.224.0.0
no-route = 60.48.0.0/255.240.0.0
no-route = 60.160.0.0/255.224.0.0
no-route = 60.192.0.0/255.192.0.0
no-route = 61.0.0.0/255.192.0.0
no-route = 61.80.0.0/255.248.0.0
no-route = 61.128.0.0/255.192.0.0
no-route = 61.224.0.0/255.224.0.0
no-route = 91.234.36.0/255.255.255.0
no-route = 101.0.0.0/255.128.0.0
no-route = 101.128.0.0/255.224.0.0
no-route = 101.192.0.0/255.240.0.0
no-route = 101.224.0.0/255.224.0.0
no-route = 103.0.0.0/255.0.0.0
no-route = 104.167.16.0/255.255.240.0
no-route = 104.207.32.0/255.255.224.0
no-route = 106.0.0.0/255.128.0.0
no-route = 106.224.0.0/255.240.0.0
no-route = 110.0.0.0/255.128.0.0
no-route = 110.144.0.0/255.240.0.0
no-route = 110.160.0.0/255.224.0.0
no-route = 110.192.0.0/255.192.0.0
no-route = 111.0.0.0/255.192.0.0
no-route = 111.64.0.0/255.224.0.0
no-route = 111.112.0.0/255.240.0.0
no-route = 111.128.0.0/255.192.0.0
no-route = 111.192.0.0/255.224.0.0
no-route = 111.224.0.0/255.240.0.0
no-route = 112.0.0.0/255.128.0.0
no-route = 112.128.0.0/255.240.0.0
no-route = 112.192.0.0/255.252.0.0
no-route = 112.224.0.0/255.224.0.0
no-route = 113.0.0.0/255.128.0.0
no-route = 113.128.0.0/255.240.0.0
no-route = 113.192.0.0/255.192.0.0
no-route = 114.16.0.0/255.240.0.0
no-route = 114.48.0.0/255.240.0.0
no-route = 114.64.0.0/255.192.0.0
no-route = 114.128.0.0/255.240.0.0
no-route = 114.192.0.0/255.192.0.0
no-route = 115.0.0.0/255.0.0.0
no-route = 116.0.0.0/255.0.0.0
no-route = 117.0.0.0/255.128.0.0
no-route = 117.128.0.0/255.192.0.0
no-route = 118.16.0.0/255.240.0.0
no-route = 118.64.0.0/255.192.0.0
no-route = 118.128.0.0/255.128.0.0
no-route = 119.0.0.0/255.128.0.0
no-route = 119.128.0.0/255.192.0.0
no-route = 119.224.0.0/255.224.0.0
no-route = 120.0.0.0/255.192.0.0
no-route = 120.64.0.0/255.224.0.0
no-route = 120.128.0.0/255.240.0.0
no-route = 120.192.0.0/255.192.0.0
no-route = 121.0.0.0/255.128.0.0
no-route = 121.192.0.0/255.192.0.0
no-route = 122.0.0.0/254.0.0.0
no-route = 124.0.0.0/255.0.0.0
no-route = 125.0.0.0/255.128.0.0
no-route = 125.160.0.0/255.224.0.0
no-route = 125.192.0.0/255.192.0.0
no-route = 137.59.59.0/255.255.255.0
no-route = 137.59.88.0/255.255.252.0
no-route = 139.0.0.0/255.224.0.0
no-route = 139.128.0.0/255.128.0.0
no-route = 140.64.0.0/255.240.0.0
no-route = 140.128.0.0/255.240.0.0
no-route = 140.192.0.0/255.192.0.0
no-route = 144.0.0.0/255.248.0.0
no-route = 144.12.0.0/255.255.0.0
no-route = 144.48.0.0/255.248.0.0
no-route = 144.123.0.0/255.255.0.0
no-route = 144.255.0.0/255.255.0.0
no-route = 146.196.0.0/255.255.128.0
no-route = 150.0.0.0/255.255.0.0
no-route = 150.96.0.0/255.224.0.0
no-route = 150.128.0.0/255.240.0.0
no-route = 150.192.0.0/255.192.0.0
no-route = 152.104.128.0/255.255.128.0
no-route = 153.0.0.0/255.192.0.0
no-route = 153.96.0.0/255.224.0.0
no-route = 157.0.0.0/255.255.0.0
no-route = 157.18.0.0/255.255.0.0
no-route = 157.61.0.0/255.255.0.0
no-route = 157.112.0.0/255.240.0.0
no-route = 157.144.0.0/255.240.0.0
no-route = 157.255.0.0/255.255.0.0
no-route = 159.226.0.0/255.255.0.0
no-route = 160.19.208.0/255.255.240.0
no-route = 160.20.48.0/255.255.252.0
no-route = 160.202.0.0/255.255.0.0
no-route = 160.238.64.0/255.255.252.0
no-route = 161.207.0.0/255.255.0.0
no-route = 162.105.0.0/255.255.0.0
no-route = 163.0.0.0/255.192.0.0
no-route = 163.96.0.0/255.224.0.0
no-route = 163.128.0.0/255.192.0.0
no-route = 163.192.0.0/255.224.0.0
no-route = 166.111.0.0/255.255.0.0
no-route = 167.139.0.0/255.255.0.0
no-route = 167.189.0.0/255.255.0.0
no-route = 167.220.244.0/255.255.252.0
no-route = 168.160.0.0/255.255.0.0
no-route = 170.179.0.0/255.255.0.0
no-route = 171.0.0.0/255.128.0.0
no-route = 171.192.0.0/255.224.0.0
no-route = 175.0.0.0/255.128.0.0
no-route = 175.128.0.0/255.192.0.0
no-route = 180.64.0.0/255.192.0.0
no-route = 180.128.0.0/255.128.0.0
no-route = 182.0.0.0/255.0.0.0
no-route = 183.0.0.0/255.192.0.0
no-route = 183.64.0.0/255.224.0.0
no-route = 183.128.0.0/255.128.0.0
no-route = 192.124.154.0/255.255.255.0
no-route = 192.140.128.0/255.255.128.0
no-route = 202.0.0.0/255.128.0.0
no-route = 202.128.0.0/255.192.0.0
no-route = 202.192.0.0/255.224.0.0
no-route = 203.0.0.0/255.0.0.0
no-route = 210.0.0.0/255.192.0.0
no-route = 210.64.0.0/255.224.0.0
no-route = 210.160.0.0/255.224.0.0
no-route = 210.192.0.0/255.224.0.0
no-route = 211.64.0.0/255.248.0.0
no-route = 211.80.0.0/255.240.0.0
no-route = 211.96.0.0/255.248.0.0
no-route = 211.136.0.0/255.248.0.0
no-route = 211.144.0.0/255.240.0.0
no-route = 211.160.0.0/255.248.0.0
no-route = 218.0.0.0/255.128.0.0
no-route = 218.160.0.0/255.224.0.0
no-route = 218.192.0.0/255.192.0.0
no-route = 219.64.0.0/255.224.0.0
no-route = 219.128.0.0/255.224.0.0
no-route = 219.192.0.0/255.192.0.0
no-route = 220.96.0.0/255.224.0.0
no-route = 220.128.0.0/255.128.0.0
no-route = 221.0.0.0/255.224.0.0
no-route = 221.96.0.0/255.224.0.0
no-route = 221.128.0.0/255.128.0.0
no-route = 222.0.0.0/255.0.0.0
no-route = 223.0.0.0/255.224.0.0
no-route = 223.64.0.0/255.192.0.0
no-route = 223.128.0.0/255.128.0.0
Author: tomleehk    Time: 2020-1-9 14:41

This post was last edited by tomleehk on 2020-1-9 14:47

Never used it; I don't stay in a fixed region when using the VPN..
Author: yiucsw    Time: 2020-1-9 17:18

I guess no-route is like split tunneling, sending no-route traffic directly to the local network.
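To make the split-tunnel effect of the long no-route list concrete, here is an added example (not code from the posts above or from ocserv) that parses "no-route = network/netmask" lines exactly as they are written in that post, normalises the dotted netmasks to prefix lengths, and classifies destination addresses the way a client honouring those exclusions would: an excluded prefix is reached over the local network, everything else goes through the tunnel. The excerpt of the list, the destination addresses and the "local"/"vpn" labels are my own constructions.

```python
"""Decide which destinations an ocserv no-route list keeps out of the tunnel.

Added example, not code from the post above or from ocserv. It only models
the routing decision; whether a given client honours server-pushed
exclusions is up to that client.
"""
import ipaddress

# Constructed excerpt of the no-route list posted above, plus one unrelated
# key to show that non-route lines are ignored.
NO_ROUTE_EXCERPT = """\
no-route = 192.168.0.0/255.255.0.0
no-route = 1.0.0.0/255.192.0.0
no-route = 58.0.0.0/255.128.0.0
no-route = 122.0.0.0/254.0.0.0
no-route = 203.0.0.0/255.0.0.0
dns = 8.8.8.8
"""


def parse_no_routes(text):
    """Return the excluded prefixes as IPv4Network objects (CIDR form).

    ipaddress accepts the network/dotted-netmask notation used in the post
    and rejects a non-contiguous mask, the likeliest typo in a hand-typed list.
    """
    excluded = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("no-route"):
            continue
        _, _, value = line.partition("=")
        excluded.append(ipaddress.ip_network(value.strip(), strict=False))
    return excluded


def tunnel_decision(dest, excluded):
    """'local' if dest falls inside any excluded prefix, otherwise 'vpn'."""
    addr = ipaddress.ip_address(dest)
    return "local" if any(addr in net for net in excluded) else "vpn"


def classify(dests, text):
    """Map each destination address to its decision against the list in text."""
    excluded = parse_no_routes(text)
    return {d: tunnel_decision(d, excluded) for d in dests}


def excluded_address_count(excluded):
    """How many IPv4 addresses the list keeps out of the tunnel, overlaps merged."""
    return sum(net.num_addresses for net in ipaddress.collapse_addresses(excluded))


if __name__ == "__main__":
    sample = ["58.60.1.1", "58.200.1.1", "123.4.5.6", "8.8.8.8", "192.168.1.1"]
    for dest, via in classify(sample, NO_ROUTE_EXCERPT).items():
        print(f"{dest:>12} -> {via}")
```

Two things the decision table makes visible: the first entry excludes all of 192.168.0.0/16, so a client honouring it would send traffic for the router's own LAN (192.168.1.0/24 in the walkthrough) to its local network instead of through the tunnel, and the `dns = 8.8.8.8` line is untouched by no-route, so name resolution still goes through the VPN even for destinations that are then reached locally.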




Welcome to 電訊茶室 (http://telecom-cafe.com/forum/) Powered by Discuz! 7.2