Openconnect Default Gateway VPN and LAN ports

What started as a simple/quick test turned into a week of learning, and I still can't get OpenWrt to do something which I'd think is the most basic VPN setup :slight_smile: :slight_smile:

At this point I'd much rather not go through the GUI; if possible, a CLI solution would be preferred.

The requirement is very, very simple: run openconnect (I've got a one-liner shell script that does that) to connect to a VPN server on the internet. From the moment the VPN is established, it should be fully routed to the LAN ports, but it is not :slight_smile:

The openconnect script is already there, and WORKS:

```sh
cat ./myp | openconnect -u user --script ./vpnc-script --no-proxy --servercert $CERT vpn.server-ip.com --passwd-on-stdin
```

This creates a tun0 interface; however, it is only routed/available when SSHing into the router.

Note: I had to use this vpnc-script https://gitlab.com/openconnect/vpnc-scripts/raw/master/vpnc-script; the original script on the system, /lib/netifd/vpnc-script, did not work.

The need is to map tun0 to all LAN ports (both ways). I've tried VPN policy routing:

https://forum.openwrt.org/t/vpn-policy-based-routing-web-ui-discussion/10389

and many other GUI suggestions; however, no matter what, the VPN is created OK but is only available from the router ports, not from the LAN ports.

If there is a set of CLI commands to run to get it to do that, that would be great. I'm a bit lost with the GUI and config files; they have a few "glitches" (I won't go into them so as not to distract focus), like the inability to set up reconnect "timeouts/retries" on any created VPN "interface", so I'd much rather handle that logic in the CLI if possible. I just need to map the VPN to the LAN network.. simple?

Thanks for any tips.
Stormy.

I found these suggestions:

https://itectec.com/unixlinux/openconnect-setting-default-routes/

I tried it, but I'm not sure what ROUTES should take; I tried putting the LAN IPs in, like:

ROUTES="192.168.2.0/24"

hoping it would map the LAN to the VPN, but instead I got locked out of the router :slight_smile:

The VPN routes can be many different subnets, and I'm not aware of them all; all traffic should be routed to the VPN and all LAN to the VPN, just like any default router would work with "internet" from the ISP, and, once the VPN is enabled, it should take over the role of WAN and "hide" all PCs connecting from the LAN ports.

I'm convinced this should be simple; I just can't find the way to get it done.
Thanks.

Reading more, the vpn-splice is probably not relevant, since we want ALL VPN traffic to be routed..

I found this, which exactly describes the issue:

https://forum.openwrt.org/t/solved-lan-clients-to-access-remote-vpn-hosts/48599/1

It seems very promising, but it's for OpenVPN... trying to apply it to openconnect instead... any tips welcome.

The wiki instructions work for me pretty well:

However, WireGuard is currently the preferred solution.


Thanks for the reply.... at the moment I'm staying with openconnect as the VPN provider suggested that... I disagree that the wiki works; for example, that openconnect link fails for several reasons:

  1. Missing package to install: luci-proto-openconnect
  2. There is no mapping of zones from LAN to VPN and VPN to LAN, which is the whole point of the post. I followed the steps on the wiki a long time before signing up for an account and posting this question.

Anyways, the link above leads to a setup that has the solution; I simply COPY/PASTED that and it immediately worked.

The wiki does not cover mapping of LAN to VPN by default. Should it? Maybe... anyways, this is resolved now. Thanks to all.
Stormy.
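An added example of the zone mapping this post is about (my own, not code from the thread or the OpenWrt wiki), for the manually started openconnect tunnel from the first post. It assumes OpenWrt 21.02 with the UCI firewall, that the LAN zone is named "lan", that the tunnel device is tun0, and that openconnect's vpnc-script already installs the default route through it.

```shell
#!/bin/sh
# Added example, not from the thread or the OpenWrt wiki: give the manually
# started openconnect tunnel (tun0) its own firewall zone and forward the LAN
# into it, which is the missing piece when tun0 is only usable from the router.
# Assumptions: OpenWrt 21.02, UCI firewall, LAN zone named "lan", openconnect
# and vpnc-script already install the default route via tun0.

VPN_DEV="${VPN_DEV:-tun0}"   # tunnel device created by openconnect
ZONE="${ZONE:-vpn}"          # name of the new firewall zone

# Print the UCI commands instead of running them, so they can be reviewed and
# then applied on the router with:  vpn_zone_uci | sh
# - masq=1: the VPN server only knows the tunnel address, so LAN clients must
#   be NATed behind it or their replies never come back.
# - input=REJECT / forward=REJECT: hosts on the VPN side cannot reach the
#   router's services or the LAN; replies to LAN-initiated connections are
#   still allowed by connection tracking, so no vpn->lan forwarding is needed.
vpn_zone_uci() {
  cat <<EOF
uci -q delete firewall.${ZONE}
uci set firewall.${ZONE}=zone
uci set firewall.${ZONE}.name='${ZONE}'
uci add_list firewall.${ZONE}.device='${VPN_DEV}'
uci set firewall.${ZONE}.input='REJECT'
uci set firewall.${ZONE}.output='ACCEPT'
uci set firewall.${ZONE}.forward='REJECT'
uci set firewall.${ZONE}.masq='1'
uci set firewall.${ZONE}.mtu_fix='1'
uci -q delete firewall.lan_${ZONE}
uci set firewall.lan_${ZONE}=forwarding
uci set firewall.lan_${ZONE}.src='lan'
uci set firewall.lan_${ZONE}.dest='${ZONE}'
uci commit firewall
/etc/init.d/firewall restart
EOF
}

# Check on the router that the tunnel really is the default route: LAN->VPN
# forwarding only helps when the kernel also sends LAN traffic into tun0.
# Returns 0 when a default route via the tunnel device exists.
vpn_route_check() {
  ip route show default 2>/dev/null | grep -q "dev ${VPN_DEV}"
}
```

If tun0 is later brought up as a netifd interface instead (proto openconnect), replace the `device` line with `list network` pointing at that interface; the forwarding and masquerade settings stay the same.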

I have no problem installing the package:

```
# opkg install luci-proto-openconnect
Installing luci-proto-openconnect (git-21.148.49484-9eee69a) to root...
Downloading http://downloads.openwrt.org/releases/21.02.0/packages/x86_64/luci/luci-proto-openconnect_git-21.148.49484-9eee69a_all.ipk
Configuring luci-proto-openconnect.

# opkg install luci-proto-openconnect
Package luci-proto-openconnect (git-21.148.49484-9eee69a) installed in root is up to date.
```

LAN is routed to VPN by default and the kill-switch is described in the extras.
It works for me just fine, so the issue should be on your side.

Right, my point is the WIKI does not include the mention/need to install the luci-proto-openconnect package.
In addition, even after installing, on vanilla 21.02, the zone/mapping did not "just happen" until I followed the manual steps in the forum URL.

If you see/think these steps are in the WIKI, I'd love to know which exact step causes:

the firewall LAN->VPN and VPN->LAN mapping to take place?

Thanks, just trying to help improve the content; I'm a newbie :slight_smile:

Providing web interface is described in the extras.
It is linked in the introduction in the very beginning for both client and server articles.

Firewall zone mappings depend on your setup.
It's common practice to assign WAN zone for the client and LAN zone for the server.
This configuration has proven to be suitable by default for most use cases.

Additional security hardening to prevent traffic leak is described in the extras.
The kill-switch section creates a separate zone and the necessary forwarding.

I personally tested and verified both OpenConnect client and server how-tos.
In addition, my testing setup utilizes PBR with netifd.

I guess you're a veteran or author/dev of these things; for a newbie, I did not see:

luci-proto-openconnect mentioned for installation, nor did it get auto-pulled.

The original /lib/netifd/vpnc-script returned errors:

```
Script '/lib/netifd/vpnc-script' returned error 1
Script '/lib/netifd/vpnc-script' returned error 1
```

I had to pull one from GitHub.

As mentioned in the original post, I tried the "VPN Policy-Based Routing" package, and as mentioned I spent several days before writing. This is "feedback": what cleared everything, in less than 2 minutes, is this post:

If these steps are in the wiki somewhere, or something equivalent, that's great.. after many days, I did not find the location in the wiki. I'm not sure what "extras" or other sections of the docs are; without a URL, it's hard to tell what is being discussed... esp. for a newbie :slight_smile:

It's all good, no need to drill beyond; it is what it is, and everyone has their own experiences based on their own background and prior exposure. Sometimes newbies test things in a more naive fashion.

Basic things that may be clear to you may not be to a newbie.. the VPN worked on the first try, but the LAN ports were not forwarding it until the manual commands from that forum post were run.

Thanks.
Stormy.