Openconnect VPN server implementation on OpenWRT router using certificate authentication

tomleehk

Successfully followed the below walkthrough to install and set up Openconnect VPN server on OpenWRT router using certificate authentication.
Proved default gateway re-direction working with CISCO Anyconnect client connection ( on IOS and Android ) and www.getip.com.

Original article :
http://blog.ltns.info/linux/open ... client_smart_proxy/
Updated : 08-Nov-2016
Original article updated with procedure to make OpenConnect able to run on OpenWRT ver.15.05.1 using certificate authentication.

Hardware :  LINKSYS WRT54GS : 8M Flash (This antique hardware is simply used for testing/practice)
O/S         :  openwrt-15.05-brcm47xx-legacy-linksys-wrt54gs-squashfs.bin <== downloaded at https://downloads.openwrt.org/   ( Chaos Calmer 15.05 )

Supplementary Note :
1) I selected Chaos Calmer 15.05 branch as it appeared to me that other branches failed to establish successful connection even using the simplest USER ID/Password authentication mode.
2) Other software need : SSL Toolkit for .p12 creation
                                     ( I used OpenSSL <= downloaded at https://www.openssl.org/community/binaries.html )
                                     SSH Client for OpenWRT file management
                                     ( I used WINSCP <= downloaded at https://winscp.net/eng/index.php
                                     SSH Client for terminal emulation
                                     ( I used OpenSSH <= downloaded at http://sshwindows.sourceforge.net/download/ )

OpenConnect installation/setup steps :
1) Install OpenWRT firmware and connect the router to internet
2) Use TelNet to access default server IP 192.168.1.1 and input the followings
    nvram set boot_wait=on
    nvram set boot_time=10
    nvram set wait_time=10
    nvram commit
    reboot  
    Remark : These are to facilitate firmware recovery in case your router is bricked.
3) Use TelNet to access default server IP 192.168.1.1 again and input the followings to install packages
    opkg update
    opkg install ocserv
    opkg install luci-app-ocserv   
    opkg install luci-app-ddns
4) Enable the packages via LUCI (Service/Dynamic DNS, Service/OpenConnect VPN) or at TelNet terminal with appropriate command
5) Set root password via LUCI (System/Administration) or via TelNet terminal.
    Note that once the root password is set, Telnet is no longer able to access the router. You need to use a tool such as OpenSSH to access the router and emulate the terminal command prompt.
6) Enable SSH via LUCI (System/Administration)
7) Make sure DDNS and OCSERV package is enabled (System/Startup) and reboot router
8) Configure DDNS via LUCI (Services/Dynamic DNS)
9) Configure Local Time zone via LUCI (System/System)
10) Use WINSCP to access 192.168.1.1 to edit template file /etc/ocserv/pki/server.tmpl
      cn=<Your VPN server URL, e.g. vpn.dyndns.org>   
      serial=2
      expiration_days=3650
      signing_key
      encryption_key
11) Use WINSCP to access 192.168.1.1  to edit template file /etc/ocserv/pki/ca.tmpl
      cn=<Your VPN server URL, e.g. vpn.dyndns.org>
      expiration_days=3650
      serial=1
      ca
      cert_signing_key
12) Then create the new ca.pem and server-cert.pem
      certtool --template /etc/ocserv/pki/ca.tmpl --generate-self-signed --load-privkey /etc/ocserv/ca-key.pem  --outfile /etc/ocserv/ca.pem
      certtool --template /etc/ocserv/pki/server.tmpl --generate-certificate --load-privkey /etc/ocserv/server-key.pem --load-ca-certificate /etc/ocserv/ca.pem --load-ca-privkey /etc/ocserv/ca-key.pem --outfile /etc/ocserv/server-cert.pem
13) Restart OCSERV via LUCI (System/Startup) or via OpenSSH (terminal emulation) with appropriate command.
14) Use WINSCP to access 192.168.1.1 and backup /etc/ocserv/ocserv.conf. Then replace /etc/ocserv/ocserv.conf with appropriate content. Sample shown below :

1. auth = "certificate"
   
2. listen-host-is-dyndns = true
   
3. max-clients = 16
   
4. max-same-clients = 10
   
5. tcp-port = 443
   
6. udp-port = 443
   
7. keepalive = 32400
   
8. dpd = 240
   
9. mobile-dpd = 1800
   
10. try-mtu-discovery = true
    
11. server-cert = /etc/ocserv/server-cert.pem
    
12. server-key = /etc/ocserv/server-key.pem
    
13. ca-cert = /etc/ocserv/ca.pem
    
14. cert-user-oid = 2.5.4.3
    
15. tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT"
    
16. auth-timeout = 40
    
17. cookie-timeout = 300
    
18. rekey-time = 172800
    
19. rekey-method = ssl
    
20. connect-script = /usr/bin/ocserv-script
    
21. disconnect-script = /usr/bin/ocserv-script
    
22. use-utmp = true
    
23. pid-file = /var/run/ocserv.pid
    
24. chroot-dir = /var/lib/ocserv
    
25. socket-file = ocserv-socket
    
26. run-as-user = ocserv
    
27. run-as-group = ocserv
    
28. net-priority = 5
    
29. cgroup = "cpuset,cpu:test"
    
30. device = vpns
    
31. default-domain = <your vpn server URL, e.g. vpn.dyndns.org>
    
32. ipv4-network = 192.168.60.0
    
33. ipv4-netmask = 255.255.255.0
    
34. dns = 8.8.8.8
    
35. ping-leases = false
    
36. output-buffer = 10
    
37. #route = 192.168.1.0/255.255.255.0
    
38. #route = 192.168.5.0/255.255.255.0
    
39. #route = fef4:db8:1000:1001::/64
    
40. route-add-cmd = "ip route add %{R} dev %{D}"
    
41. route-del-cmd = "ip route delete %{R} dev %{D}"
    
42. cisco-client-compat = true
    
43. custom-header = "X-DTLS-MTU: 1200"
    
44. custom-header = "X-CSTP-MTU: 1200"

複製代碼

You may customize the content with reference to the original ocserv.conf that you just backup.

Important : Any typo and mistake made in this file may make your OpenConnect Server unable to be launched.

14) Make sure ocserv is enabled via LUCI (Service/Dynamic DNS/Server settings/General settings) and at the same screen input the configuration that matches the content of /etc/ocserv/ocserv.conf that you just modified.

15) Modify firewall rules via LUCI (Network/Firewall/Custom Rules)
      iptables -I INPUT -p tcp --dport 443 -j ACCEPT
      iptables -I INPUT -p udp --dport 443 -j ACCEPT
      iptables -I FORWARD -i vpns+ -s 192.168.60.0/24 -j ACCEPT
      iptables -I INPUT -i vpns+ -s 192.168.60.0/24 -j ACCEPT

16) Restart router and make sure your Openconnect Server can be up properly. If you can find the below 2 processes
      ocserv-main
      {ocserv-secmod} ocserv-secm       
      at LUCI (Status/Processes), the Openconnect Server is launched properly.
      If Openconnect Server cannot be launched, review and troubleshoot your configuration.
17) Use WINSCP to access router 192.168.1.1 and create a new file  /etc/ocserv/pki/client.tmpl with the below content :
      cn = client
      unit = "users"
      expiration_days = 3650   
      signing_key
      tls_www_client
18) Use OpenSSH to access router 192.168.1.1 and input the followings  at the command prompt one by one.
      cd /etc/ocserv
      ln -s pki/ca.tmpl ca.tmpl            
      ln -s pki/server.tmpl server.tmpl
      ln -s ca.pem ca-cert.pem
      cp pki/client.tmpl client.tmpl

      certtool --generate-privkey --outfile user-key.pem

      certtool --generate-certificate --load-privkey user-key.pem --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem --template client.tmpl --outfile user-cert.pem
19) Use WINSCP to to access router 192.168.1.1 and extract the 3 files : user-key.pem, ca-cert.pem and user-cert.pem from /etc/ocserv to a certain folder on your computer.
      At the DOS prompt and change to the same folder, use SSL tool to create the file user-cert.p12.
      e.g.   c:\openssl-win32\bin\openssl pkcs12 -export -inkey user-key.pem -in user-cert.pem -name "client" -certfile ca-cert.pem -caname "VPN CA" -out user-cert.p12
      Remark : You may be prompted to create a password for the file user-cert.p12 during creation. Just input the password you desired when prompted.
20) Then load the user-cert.p12 to the Iphone or Android with the corresponding client (e.g. CISCO AnyCoonect) installed and make the corresponding connection profile configuration accordingly. When loading the certificate into your client, you will be promted for the password and you just need to input the password you captured in the above step. For this part, you can refer to google.

Comment :
1) Credit goes to the original developer.. (Not me!)
2) Before making any connection testing, make sure
     - root password at OpenWRT has been set.
     - DDNS is working and your VPN server URL has been updated properly.
     - NTP is running properly and your router is showing the correct date/time.
3) In addition to the backup of the OpenWRT server configuration via LUCI (System /Backup, Flash Firmware/Backup,Restore/Generate Archive), it is suggested to backup all the content at and below the folder /etc/ocserv/ after all tests are completed. This is to save time when you need to restore the server, you do not need to re-generate the certificate/key files again.
4) Even though the VPN connection is working properly, a number of error messages were still found at the OpenWRT system log when ocserv is launched. These are to be fine-tuned/studied if I have spare time.
5) If you prefer using the simplest ID/Password authentication method, simply make the corresponding VPN configuration via LUCI(Service/OpenConnect VPN/General Settings, User Settings) and Firewall(Network/Firewall/Custom Rules) and skip anything related to certificate, template files.
6) The antique hardware is simply used for testing/practice and faster equipment is more recommended for live running.

浮雲1965

點解你唔試Tomato firmware? 8M的版本已有齊pptp及OpenVPN服務器，唔使安裝咁煩。

tomleehk

點解你唔試Tomato firmware? 8M的版本已有齊pptp及OpenVPN服務器，唔使安裝咁煩。
浮雲1965 發表於 2015-10-26 13:12

如果有留意消息應該知道國內已經有地方成功自動封殺OpenVPN, PPTP唔駛講更加容易被封殺..
封殺技術已經有,問題喺幾時會喺你身上發生..

暫時OpenConnect VPN server, 因為支援CISCO AnyConnect Client 而暫時未聽過有被整頓..

我哋要與時並進,多學幾種技術..
免得日後突然被封殺而搞到操手不及,臨急抱佛腳..

屋企嘅Tomato 或者 DD-WRT 嘅 OpenVPN, 我已經用咗好多好多年,我唔排除考慮會用 OpenConnect 全面取代..

我亦寫過DD-WRT上既OpenVPN walkthrough, Tomato版既OpenVPN 我覺得同 DD-WRT 大同小異,所以唔重覆去寫啦..
我會刻意揀D比較難嘅去寫,去同大家分享,因為易嘅Walkthough, google到好易搵到, 唔駛我寫..

根據我嘅了解, Tomato  或者 DD-WRT, 都不支援 OpenConnect VPN server..

tomleehk

Luci script for showing connected users in the overview page is buggy. The user list is always empty
Original Article:
http://jim-think.blogspot.hk/201 ... ver-on-openwrt.html

The file to change is /usr/lib/lua/luci/controller/ocserv.lua
Find the the function ocserv_status(), replace it with the following

1. function ocserv_status()
   
2. local ipt = io.popen("/usr/bin/occtl show users");
   
3. 
   
4.   if ipt then
   
5.   ipt:read("*l")
   
6.   local fwd = { }
   
7.   while true do
   
8. 
   
9.     local ln = ipt:read("*l")
   
10.    if not ln then break end
    
11.    
    
12.    local arr, pos = {}, 1
    
13.    for k in ln:gmatch("%S+") do
    
14.     arr[pos] = k
    
15.     pos = pos + 1
    
16.    end
    
17.    if pos > 9 then
    
18.     fwd[#fwd+1] = {
    
19.      id = arr[1],
    
20.      user = arr[2],
    
21.      group = arr[3],
    
22.      vpn_ip = arr[4],
    
23.      ip = arr[5],
    
24.      device = arr[6],
    
25.      time = arr[7],
    
26.      cipher = arr[8],
    
27.      status = arr[9]
    
28.     }
    
29.    end
    
30.   end
    
31.   ipt:close()
    
32.   luci.http.prepare_content("application/json")
    
33.   luci.http.write_json(fwd)
    
34. end
    
35. end

複製代碼

Optional Configuration:
If you hope to send your router's WAN IP address to an email box every time the router is restarted, below is what you need to do:
http://www.telecom-cafe.com/forum/viewthread.php?tid=6894

ckleea

回復 4# tomleehk

同意

方法是使用 openconnect, SSTP or IPSEC才可以解決。

cyruschan112

CHing

想請教下如何另client 端force all traffic through the OpenConnect server(OpenWrt)?

我係手機端已經能夠連接上Openwrt( by Cisco anyconnect)
但開網頁 (www.getip.com)的時候發現IP依然是手機端IP
而不是openConnect server 的IP
請問如何解決?
anyconnect app上似乎冇關於routing 的setting

tomleehk

anyconnect app喺冇關於routing 的setting..

http://www.infradead.org/ocserv/manual.html

喺OpenConnect server     
/etc/ocserv/ocserv.conf  

# To set the server as the default gateway for the client just
# comment out all routes from the server, or use the special keyword
# ’default’.
#route = 10.10.10.0/255.255.255.0
#route = 192.168.0.0/255.255.0.0
#route = fef4:db8:1000:1001::/64
#route = default

你可能漏咗comment out..

carlchan

anyconnect app喺冇關於routing 的setting..



喺OpenConnect server     
/etc/ocserv/ocserv.conf  

#  ...
tomleehk 發表於 2016-3-21 11:13

可都是這樣才可...

cyruschan112

回復 7# tomleehk


   
thanks,problem solved

tomleehk

回復  tomleehk


   
thanks,problem solved
cyruschan112 發表於 2016-3-21 23:42

朋友..

你是用那一個version嘅OpenWRT ?

最近我測試 剛剛發布的版本15.05.1..

但我發現不是很穩定，有時會無端端 Hang router...

你有沒有類似嘅情況 ?

gameplayer

Successfully followed the below walkthrough to install and set up Openconnect VPN server on OpenWRT  ...
tomleehk 發表於 2015-10-18 10:24

    CHING,去不P12不明，可否提示下要點做？

tomleehk

CHING,去不P12不明，可否提示下要點做？
gameplayer 發表於 2016-3-28 01:14

1) SSH Client for OpenWRT file management
                                     ( I used WINSCP <= downloaded at https://winscp.net/eng/index.php )
2) Need SSL Toolkit for .p12 creation   ( I used OpenSSL <= downloaded at  https://www.openssl.org/community/binaries.html )
3) Use WINSCP to to access router 192.168.1.1 and extract the 3 files : user-key.pem, ca-cert.pem and user-cert.pem from /etc/ocserv to a certain folder on your computer.
4) At the DOS prompt and change to the same folder, use SSL tool to create the file user-cert.p12.
      e.g.   c:\openssl-win32\bin\openssl pkcs12 -export -inkey user-key.pem -in user-cert.pem -name "client" -certfile ca-cert.pem -caname "VPN CA" -out user-cert.p12
Remark : You may be prompted to create a password for the file user-cert.p12 during creation. Just input the password you desired when prompted.
5) Then load the user-cert.p12 to the Iphone or Android with the corresponding client (e.g. CISCO AnyCoonect) installed and make the corresponding connection profile configuration accordingly. When loading the certificate into your client, you will be promted for the password and you just need to input the password you captured in the above step. For this part, you can refer to google

只要按照步驟一步一步咁做..應該是幾straightforward,無法理解哪一部分你不明白 ?

gameplayer

1) SSH Client for OpenWRT file management
                                     ( I used WINSCP  ...
tomleehk 發表於 2016-3-28 16:00

CHING，我按著指示做，但去到16），在 LUCI (Status/Processes)找不到以下兩個processes，Openconnect Server不能啟動 。
ocserv-main
{ocserv-secmod} ocserv-secm 。


14) Make sure ocserv is enabled via LUCI (Service/Dynamic DNS/Server settings/General settings) and at the same screen input the configuration that matches the content of /etc/ocserv/ocserv.conf that you just modified. -》是否 (Service/OpenConnect VPN/Server settings/General settings)


如果 將14）段sample，全部copy 到ocserv.conf ，Service/OpenConnect VPN/Server settings/General settings 要如何設定。
我的設定如圖，是否正確？ Thank you very much!

tomleehk

你的設定圖..看不出特別的問題令你起唔到個 OpenConnect Server..

只喺要留意應該delete咗routing table 下面嗰個config..不過呢部份唔會令你起唔到個 OpenConnect Server..

當然，我假設你已經 enable 咗個 OpenConnect Server..


當然亦假設你跟哂步驟, gen 哂 D cert file, key file etc 响 /etc/ocserv foler..

呢D你自己可以double check

你可以試吓,睇吓manual start 個 OpenConnect..

用OpenSSH connect 你個router, 出command promt 之後打..

    /etc/init.d/ocserv start

睇吓有無error message

另外,如果你個router 唔喺 broadcom based chipset, 唔排除因為個kernel 唔同,package唔同,有唔同嘅問題/bug..所以起唔到

當然如果你唔介意每一次 VPN connect都打 Password, 可以轉用 User ID/Password authentication 嘅方法..咁就唔需要處理 D cert files, key files  etc.

gameplayer

你的設定圖..看不出特別的問題令你起唔到個 OpenConnect Server..

只喺要留意應該delete咗routing table  ...
tomleehk 發表於 2016-3-29 21:50

成功啟動到。
系LUCI (Status/Processes)

多謝CHING先，明天再試。