Openconnect client 22.03.5

Hello everyone, I updated my Netgear R7800 to v22.03.5 and installed the OpenConnect VPN client. I'm using this router for remote access (IP camera) over an LTE modem internet connection. I configured it the same as on the old version, but I lose the connection from the server side to the client side: OpenConnect assigns 192.168.100.131, ping is OK but there is no LuCI access, and port forwarding from OpenConnect to the LAN does not work either. I tried another router on the old firmware and it works. What can I configure? I think the problem is the new client firmware version or the new OpenConnect package. Please help.

Hi

please copy/paste your config

cat /etc/config/network
cat /etc/config/firewall

and redact username/password

I am using OpenWrt 23.05.0-rc2 and OpenVPN Connect v3.3.4 on Android 13. I followed the instructions here to set up the server. It works.

If all else fails, maybe you can try re-doing the configuration

Look, without your config files from SSH/CLI, I don't think anybody can help you.

Last login: Mon Aug 14 21:25:53 on ttys000
ramazishekiladze@Ramazis-MBP ~ % ssh root@192.168.3.1
The authenticity of host '192.168.3.1 (192.168.3.1)' can't be established.
ED25519 key fingerprint is SHA256:5i0EVib8eze0GDBWfhpTUGROxQvIzHE9wn2cETXejvk.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.3.1' (ED25519) to the list of known hosts.

BusyBox v1.35.0 (2023-04-27 20:28:15 UTC) built-in shell (ash)


(OpenWrt ASCII-art logo banner: WIRELESS FREEDOM)

OpenWrt 22.03.5, r20134-5f15225c1e

=== WARNING! =====================================
There is no root password defined on this device!
Use the "passwd" command to set up a new password
in order to prevent unauthorized SSH logins.

root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'

config globals 'globals'
option ula_prefix 'fd9b:b2e2:cff8::/48'

config device
option name 'br-lan'
option type 'bridge'
list ports 'eth1.1'

config interface 'lan'
option device 'br-lan'
option proto 'static'
option netmask '255.255.255.0'
option ip6assign '60'
option ipaddr '192.168.3.1'

config interface 'wan'
option device 'eth0.2'
option proto 'dhcp'

config interface 'wan6'
option device 'eth0.2'
option proto 'dhcpv6'

config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'

config switch_vlan
option device 'switch0'
option vlan '1'
option ports '1 2 3 4 6t'

config switch_vlan
option device 'switch0'
option vlan '2'
option ports '5 0t'

config interface 'wwan'
option proto 'dhcp'

config interface 'openconnect'
option proto 'openconnect'
option vpn_protocol 'anyconnect'
option server 'redacted'
option port '4443'
option serverhash 'sha256:5225987f38435319241eb7a01e5a66c43ffbdf0915c5c04acea836518979a6ee'
option username 'redacted'
option password 'redacted'

root@OpenWrt:~# cat /etc/config/firewall

config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'

config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan'

config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list network 'wan'
list network 'wan6'
list network 'wwan'

config forwarding
option src 'lan'
option dest 'wan'

config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'

config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'

config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'

config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'

config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'

config zone
option name 'openconnect'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option masq '1'
list network 'lan'
list network 'openconnect'

config forwarding
option src 'openconnect'
option dest 'lan'

root@OpenWrt:~#

hmmm
why masquerading?
and
list network 'lan'?

I do not know; I have the same config on the old OpenWrt version and it works great.

what is your goal?

you want
OC -> OC -> OWRT -> PC ?

or want
PC -> OWRT -> OC -> OC ?

I want to connect from a PC on the server subnet to the OpenConnect client IP, for LuCI access.

remove these two first

option masq '1'
list network 'lan'

from the openconnect zone

then try to ping from the "server" side
ping 192.168.100.131
ping 192.168.3.1

if you are sure that you get 192.168.100.131

As others noted, you have lan in two firewall zones, that will definitely not work and is likely to break things seriously.

There must be a third machine also involved, the Anyconnect server. Either the phone or the Anyconnect server must be configured to know that the route to your LAN (192.168.3.0/24) is via your 192.168.100 IP on the tunnel.
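The two things the replies above single out (the lan network listed in both the lan and openconnect zones, and masq '1' on the openconnect zone) can be checked mechanically rather than by eye. The script below is an added example for this thread, not something any participant posted and not OpenWrt's own code. It embeds the zone stanzas copied from the posted /etc/config/firewall as constructed input (the per-protocol allow rules are left out), derives the corrected version by deleting exactly the two lines the reply says to remove from the openconnect zone, and runs a small awk lint over both. The lint flags any network claimed by more than one zone and masq on any zone not named wan; it assumes the dump layout seen on the page, where option name comes before a zone's masq and list network lines, and it needs only POSIX sh, sed and awk, so it runs on the router's ash as well as on a workstation.

```shell
#!/bin/sh
# Added example for this thread (not posted by any participant, not OpenWrt code).
# Lints a UCI /etc/config/firewall dump for two mistakes the replies point at:
#   1. a network that is a member of more than one zone (here: lan), and
#   2. masquerading enabled on a zone other than the upstream wan zone.
# Assumes the dump layout shown in the thread: inside a zone stanza the
# "option name" line comes before "option masq" and the "list network" lines.

# Constructed input: the three zone stanzas and the forwarding copied from the
# posted /etc/config/firewall; the per-protocol allow rules are omitted.
broken_firewall() {
cat <<'EOF'
config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	list network 'wan'
	list network 'wan6'
	list network 'wwan'

config zone
	option name 'openconnect'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option masq '1'
	list network 'lan'
	list network 'openconnect'

config forwarding
	option src 'openconnect'
	option dest 'lan'
EOF
}

# The fix the reply asks for: drop "option masq '1'" and "list network 'lan'"
# from the openconnect zone only (sed range: that zone up to the next stanza).
fixed_firewall() {
	broken_firewall | sed -e "/option name 'openconnect'/,/^config forwarding/{" \
	                      -e "/option masq '1'/d" \
	                      -e "/list network 'lan'/d" \
	                      -e "}"
}

# Lint: report every network claimed by more than one zone, and masq set on a
# zone that is not wan. Output is sorted so callers can compare it verbatim.
lint_zones() {
	awk '
	/^config zone/ { inzone = 1; zone = ""; next }
	/^config /     { inzone = 0; next }
	!inzone        { next }
	{ val = $3; gsub(/[^A-Za-z0-9_]/, "", val) }    # drop the UCI quotes
	$1 == "option" && $2 == "name"    { zone = val }
	$1 == "list"   && $2 == "network" { seen[val]++; owners[val] = owners[val] " " zone }
	$1 == "option" && $2 == "masq" && val == "1" && zone != "wan" { print "MASQ_NOT_WAN " zone }
	END {
		for (net in seen)
			if (seen[net] > 1) print "DUP_NETWORK " net " in zones:" owners[net]
	}' | sort
}

echo "== lint of the posted config =="
broken_firewall | lint_zones
echo "== corrected openconnect zone =="
fixed_firewall | sed -n "/option name 'openconnect'/,/^$/p"
echo "== lint of the corrected config =="
fixed_firewall | lint_zones
```

Running it prints DUP_NETWORK lan in zones: lan openconnect and MASQ_NOT_WAN openconnect for the posted config and nothing for the corrected one. A clean lint only settles the firewall side: the server side still needs a route for 192.168.3.0/24 via 192.168.100.131 to send anything to the LAN at all, as the post above says, and once the zone masquerade is gone, LAN hosts talking to the server subnet also show their real 192.168.3.x source addresses, so that route serves both directions. The check for masq is a heuristic keyed on the zone name wan; a setup with a differently named upstream zone would need that name changed. And since the goal is to reach LuCI from the server side, the login banner earlier in the thread warning that no root password is set is worth acting on with passwd before that path is opened.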

I removed these two first; 192.168.100.131 ping is OK and 192.168.3.1 is host unreachable.

On OpenWRT 22.02.7 I have the same config and it has worked great for a long time. I tried everything on 22.03.5, but LuCI access from the server side to the client side does not work; ping is OK.

OK

so, you don't have routing to 192.168.3.x via 192.168.100.131 from the server side
good

are you using some other packages which could interfere with routing?
PBR or something similar?

I saw you have two WANs

what is the so-called "server"?

I have lan, openconnect, wan, wan6, wwan. No more interfaces.

yes, that is what I said
you have 2 WANs
wan & wwan
do you have some policy-based routing package installed, or similar?

No, I have only openconnect and luci-proto-openconnect.

try, from your PC which is on the 192.168.3.x network, to open

http://192.168.3.1
http://192.168.100.131

yes, both 192.168.3.1 and 192.168.100.131 work; I have access to LuCI

ok, last test
let's disable the firewall

from ssh

/etc/init.d/firewall stop

then try from the server side to open 192.168.100.131