LAN clients to access VPN

I'm using my OpenWrt router as a client for a remote OpenVPN server.

The router connects seamlessly via the CLI:

root@OpenWrt:~# openconnect --user=ramos.mar --protocol=gp ramos.br --dump

root@OpenWrt:~# ip route del 0.0.0.0/0 dev tun0

root@OpenWrt:~# ip a
16: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1455 qdisc fq_codel state UNKNOWN group default qlen 500
    link/none
    inet 10.10.10.166/32 scope global tun0
       valid_lft forever preferred_lft forever
    inet6 fe80::84ba:c22b:7f8:fa70/64 scope link stable-privacy
       valid_lft forever preferred_lft forever

This way, using the router's bash terminal, I can access my organization and the rest of the internet; however, only from the router!

I followed several suggestions for adding VPN through UCI:

# Configuration parameters
VPN_IF="vpn"
VPN_SERV="ramos.br"
VPN_PORT="443"
VPN_USER="ramos.mar"
VPN_PASS="pass"
# Fingerprint of the first (leaf) certificate the server presents, colons stripped;
# this becomes the 'serverhash' pin the openconnect handler checks on every connect
VPN_HASH=$(openssl s_client -connect "${VPN_SERV}":"${VPN_PORT}" -showcerts 2>/dev/null </dev/null \
| awk '/-----BEGIN/,/-----END/ { print $0 }' \
| openssl x509 -noout -fingerprint -sha1 \
| sed -n 's/.*=//p' | tr -d ':')

# Recreate the interface section from scratch
uci -q delete network.${VPN_IF}
uci set network.${VPN_IF}="interface"
uci set network.${VPN_IF}.proto="openconnect"
uci set network.${VPN_IF}.server="${VPN_SERV}"
uci set network.${VPN_IF}.port="${VPN_PORT}"
uci set network.${VPN_IF}.username="${VPN_USER}"
uci set network.${VPN_IF}.password="${VPN_PASS}"
uci set network.${VPN_IF}.serverhash="${VPN_HASH}"
# Underlying interface the tunnel is brought up over
uci set network.${VPN_IF}.interface='wan'
uci set network.${VPN_IF}.defaultroute='0'
uci set network.${VPN_IF}.ipaddr='10.10.10.166'
uci set network.${VPN_IF}.netmask='255.255.255.255'

uci commit network
service network restart


root@OpenWrt:~# cat /etc/config/network
[...]
config interface 'vpn'
        option proto 'openconnect'
        option server 'ramos.br'
        option port '443'
        option username 'ramos.mar'
        option password 'pass'
        option serverhash 'serverhash'
        option interface 'wan'
        option defaultroute '0'
        option ipaddr '10.10.10.166'
        option netmask '255.255.255.255'

uci commit network
service network reset
root@OpenWrt:~# cat /etc/config/network
[...]
config interface 'vpn'
        option proto 'openconnect'
        option server 'ramos.br'
        option port '443'
        option username 'user'
        option password 'pass'
        option serverhash 'serverhash'
        option interface 'wan'
        option defaultroute '0'
        option ipaddr '10.10.10.166'
        option netmask '255.255.255.255'

An interface is created in LuCI this way; however, I cannot access my organization even through the router's bash terminal, and the final challenge is to make sure it is available on the LAN and has a route to this organization's VPN.

LuCI openwrt-23.05 branch (git-24.073.29889-cd7e519) / OpenWrt 23.05.3 (r23809-234f1a2efa)
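A note on the serverhash pin in the script above, with an added example that is not the original poster's code. The script pins the SHA-1 fingerprint of whatever certificate the gateway presents at the moment the script runs: that is trust-on-first-use over the very path the VPN will later use, so run it from a network you trust and compare the result with the fingerprint the VPN administrator publishes before committing it. The UCI handler passes serverhash to openconnect as --servercert, which accepts an explicit sha1: or sha256: prefix; the helpers below produce the SHA-256 form and add a re-check you can run from cron, so a changed gateway certificate shows up as a pin mismatch instead of as a VPN that silently stops coming up. The interface name network.vpn, the host/port arguments and the cron usage are assumptions for this example.

```shell
#!/bin/sh
# Added example: compute and verify the gateway certificate pin for the UCI
# openconnect handler. Not the original poster's script. Assumed names:
# the UCI interface is network.vpn; host and port come from the command line.

# Turn an `openssl x509 -noout -fingerprint` line (OpenSSL 1.1 prints
# "SHA256 Fingerprint=AB:CD:...", OpenSSL 3 prints "sha256 Fingerprint=...")
# into openconnect's --servercert form: <algo>:<hex without colons>.
normalize_fp() {
    line=$1
    hex=$(printf '%s' "${line#*=}" | tr -d ':')
    case "$line" in
        [Ss][Hh][Aa]256*) printf 'sha256:%s\n' "$hex" ;;
        [Ss][Hh][Aa]1*)   printf 'sha1:%s\n' "$hex" ;;
        *) echo "unsupported fingerprint line: $line" >&2; return 1 ;;
    esac
}

# Fetch the leaf certificate as presented on the wire and pin it with SHA-256.
# This is trust-on-first-use: whoever sits on the path right now gets pinned,
# so compare the output with the fingerprint published by the VPN admin.
server_pin() {
    host=$1 port=${2:-443}
    fp=$(openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
         | openssl x509 -noout -fingerprint -sha256) || return 1
    normalize_fp "$fp"
}

# The uci command that installs a pin; printed rather than run so the value
# can be checked against the published fingerprint before it is committed.
uci_serverhash_line() {
    printf "uci set network.vpn.serverhash='%s'\n" "$1"
}

# Compare the pin stored in UCI with a fresh one: 0 = match, 1 = mismatch,
# 2 = could not compare. Suitable for a cron job that alerts on non-zero.
check_pin() {
    expected=$(uci -q get network.vpn.serverhash) || { echo "no serverhash in UCI" >&2; return 2; }
    actual=$(server_pin "$1" "$2") || return 2
    if [ "$expected" = "$actual" ]; then
        return 0
    fi
    echo "pin mismatch: uci has $expected, gateway presents $actual" >&2
    return 1
}

if [ $# -gt 0 ]; then
    case $1 in
        pin)   pin=$(server_pin "$2" "$3") && uci_serverhash_line "$pin" ;;
        check) check_pin "$2" "$3" ;;
        *)     echo "usage: $0 pin|check HOST [PORT]" >&2; exit 2 ;;
    esac
fi
```

Run it once as `sh vpnpin.sh pin ramos.br 443` from a trusted network, paste the printed uci line only after the fingerprint matches what the administrator published, then schedule `sh vpnpin.sh check ramos.br 443` from cron (the file name is an assumption).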

This is somehow jumbled up. The proper syntax is

config interface 'vpn'
    option proto 'openconnect'

similarly you need

    option defaultroute '0'
    option ipaddr '10.10.10.166'

etc. Though I thought that the OpenConnect server pushes your tunnel IP and also sets up a route to its LAN.
Don't use uci manually. Just edit the config file directly.

The syntax was very strange; I used the automatic translator to post it here. I have already made the correction.

Yes, the tunnel even sends them: when making the connection with openconnect --user=ramos.mar --protocol=gp ramos.br --dump, the tun0 interface is created with the appropriate network settings, IP prefix and routes. However, when I use the web or CLI UCI interface, it is created without route and network addressing settings: it is visible in the web console and CLI, but in the operating system the interface is not created.

Hi @madson7
maybe this will help

config interface 'vpn'
        option proto 'openconnect'
        option username 'XXXXXXXX'
        option password2 'XXXXXXX'
        option password 'XXXXXXX'
        option defaultroute '0'
        option os 'win'
        option server 'XXXXXXXXXXX'

and don't forget to add this interface to a firewall zone and enable masquerade,
something like

config zone
        option name 'vpn'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'vpn'

this is working as expected for me

This didn't work for me!

What has worked so far, based on the issue below:

Note: I had to use this vpnc-script, https://gitlab.com/openconnect/vpnc-scripts/raw/master/vpnc-script; the original script on the system, /lib/netifd/vpnc-script, did not work.

Create a network interface for device tun0 using openconnect

openconnect --user=user --protocol=gp example.br --dump

ip a
[...]
10: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1455 qdisc fq_codel state UNKNOWN qlen 500
    link/[65534] 
    inet 10.10.10.202/32 scope global tun0
       valid_lft forever preferred_lft forever
    inet6 fe80::8887:9e6b:7dfc:1da6/64 scope link flags 800 
       valid_lft forever preferred_lft forever
uci set network.vpn0=interface
# 'device' is the current option name (the 'ifname' spelling is pre-21.02); it binds the interface to the tun0 that openconnect creates
uci set network.vpn0.device=tun0
uci set network.vpn0.proto=none
uci commit network

Create a firewall zone for vpn

uci set firewall.vpn=zone
uci set firewall.vpn.name=vpn
uci set firewall.vpn.network=vpn0
uci set firewall.vpn.input=ACCEPT
uci set firewall.vpn.forward=REJECT
uci set firewall.vpn.output=ACCEPT
uci set firewall.vpn.masq=1
uci commit firewall

Create a firewall forwarding from vpn to lan and lan to vpn

uci set firewall.vpn_forwarding_lan_in=forwarding
uci set firewall.vpn_forwarding_lan_in.src=vpn
uci set firewall.vpn_forwarding_lan_in.dest=lan
uci set firewall.vpn_forwarding_lan_out=forwarding
uci set firewall.vpn_forwarding_lan_out.src=lan
uci set firewall.vpn_forwarding_lan_out.dest=vpn
uci commit firewall

This is the result

config interface 'vpn0'
        option proto 'none'
        option device 'tun0'

root@OpenWrt:~# netstat -nr
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         192.168.1.1     0.0.0.0         UG        0 0          0 eth1
8.0.0.0         0.0.0.0         255.255.255.248 U         0 0          0 eth0
10.0.0.0        0.0.0.0         255.0.0.0       U         0 0          0 tun0
10.10.10.42     0.0.0.0         255.255.255.255 UH        0 0          0 tun0
10.10.10.44     0.0.0.0         255.255.255.255 UH        0 0          0 tun0
10.10.223.202   0.0.0.0         255.255.255.255 UH        0 0          0 tun0
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 eth1
101.216.54.188  192.168.1.1     255.255.255.255 UGH       0 0          0 eth1

$ ip route 
default via 8.0.0.1 dev enp0s31f6 proto static metric 100 
8.0.0.0/29 dev enp0s31f6 proto kernel scope link src 8.0.0.3 metric 100

openwrt LAN client (my real machine)

 $ ping 10.10.10.203
PING 10.32.223.202 (10.32.223.202) 56(84) bytes of data.
64 bytes from 10.10.10.202: icmp_seq=1 ttl=64 time=0.344 ms
64 bytes from 10.10.10.202: icmp_seq=2 ttl=64 time=0.297 ms

That is an excellent point: you would almost always want to masquerade into the tunnel. This type of VPN expects a road warrior which holds only one IP. The server side is not aware of your LAN without special configuration on that end.
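Putting the working procedure (proto none interface on tun0, zone with masquerade, forwarding) and the masquerade point together, as an added example that is not the original poster's script. Two things are tightened relative to the posted commands, and both are my choices rather than something the thread states: the vpn zone's input is REJECT, because nothing on the organisation side needs to reach services on the router itself, and there is no vpn-to-lan forwarding, since the server side only knows the single tunnel address anyway. The second half adds the check the thread kept circling around: whether the router actually routes a given organisation address via tun0, done with a longest-prefix lookup over a netstat -nr style table so it can be run before blaming the firewall. Assumptions: the tunnel device is tun0, the LAN zone is named lan, and the sample table is constructed from the routing table posted above.

```shell
#!/bin/sh
# Added example, not the original poster's script. Assumes the tunnel device
# is tun0, the LAN firewall zone is called 'lan', and the router has busybox
# netstat (default on OpenWrt).

# Emit the UCI batch for a proto=none interface bound to the tun device, a
# masquerading zone and one lan->vpn forwarding. input=REJECT and no vpn->lan
# forwarding are deliberate tightenings compared with the commands in the post.
render_uci_batch() {
    ifname=${1:-vpn0} dev=${2:-tun0} zone=${3:-vpn}
    cat <<EOF
set network.$ifname=interface
set network.$ifname.proto='none'
set network.$ifname.device='$dev'
set firewall.$zone=zone
set firewall.$zone.name='$zone'
set firewall.$zone.network='$ifname'
set firewall.$zone.input='REJECT'
set firewall.$zone.output='ACCEPT'
set firewall.$zone.forward='REJECT'
set firewall.$zone.masq='1'
set firewall.$zone.mtu_fix='1'
set firewall.lan_to_$zone=forwarding
set firewall.lan_to_$zone.src='lan'
set firewall.lan_to_$zone.dest='$zone'
commit network
commit firewall
EOF
}

# Apply the batch on the router and reload both subsystems (idempotent: uci set
# overwrites existing values).
apply_uci_batch() {
    render_uci_batch "$@" | uci batch && service network reload && service firewall reload
}

# Dotted quad -> integer, shell arithmetic only (no external tools).
ip2int() {
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    echo $(( $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 ))
}

# Longest-prefix lookup: $1 = destination IP, stdin = `netstat -nr` output
# (columns: dest gw mask flags ... iface). Prints the interface, or nothing.
route_iface() {
    dst=$(ip2int "$1")
    best_mask=-1; best_if=""
    while read -r dest gw mask rest; do
        case "$dest" in Kernel*|Destination*|"") continue ;; esac
        iface=${rest##* }                       # last column is the interface
        d=$(ip2int "$dest"); m=$(ip2int "$mask")
        if [ $(( (dst & m) == (d & m) && m > best_mask )) -eq 1 ]; then
            best_mask=$m; best_if=$iface
        fi
    done
    echo "$best_if"
}

# Verify that every address we expect to reach through the VPN resolves to the
# tunnel device; returns 1 and names the first offender otherwise.
check_vpn_routes() {
    table=$1; dev=$2; shift 2
    for ip in "$@"; do
        via=$(printf '%s\n' "$table" | route_iface "$ip")
        if [ "$via" != "$dev" ]; then
            echo "$ip is routed via '${via:-nothing}', not $dev" >&2
            return 1
        fi
    done
    return 0
}

# Constructed sample, trimmed from the netstat -nr output posted above.
SAMPLE_ROUTES='Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         192.168.1.1     0.0.0.0         UG        0 0          0 eth1
10.0.0.0        0.0.0.0         255.0.0.0       U         0 0          0 tun0
10.10.10.42     0.0.0.0         255.255.255.255 UH        0 0          0 tun0
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 eth1'

if [ $# -gt 0 ]; then
    case $1 in
        apply) shift; apply_uci_batch "$@" ;;                           # apply [ifname dev zone]
        check) shift; check_vpn_routes "$(netstat -nr)" tun0 "$@" ;;    # check IP [IP...]
        *)     echo "usage: $0 apply|check ..." >&2; exit 2 ;;
    esac
fi
```

On the router, `sh vpnsetup.sh apply` installs the configuration and `sh vpnsetup.sh check 10.10.10.42 10.10.223.202` confirms, with the live routing table, that those addresses leave through tun0 (the file name is an assumption). Since the zone masquerades, LAN clients appear to the organisation as the single tunnel address, which is exactly what the road-warrior model on the server side expects.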