OpenConnect issue, no Internet

Hello. I have a problem connecting to the Internet when using openconnect (Cisco AnyConnect). The connection to the server is up, but there is no Internet.
Initial data: ocserv server v.1.2.3, authentication by login and password, Let's Encrypt certificates are installed on the computer, the Cisco AnyConnect client on Windows connects correctly, on the Android phone too, but there is a problem on OpenWrt.

OpenWrt 22.03.5
openconnect 9.01-1
luci-proto-openconnect git-23.093.42704-230ba69

System log

Thu Jan 4 19:25:18 2024 user.notice openconnect: executing 'openconnect 'https://xkmxw.webhop.me:443' '-i' 'vpn-vpn' '--non-inter' '--syslog' '--script' '/lib/netifd/vpnc-script' '--protocol' 'anyconnect' '--servercert=pin-sha256:dmOEtRuGpEnurJ9y9UmmEzDJ1PhmQnhwpzh6Y1J8RvM=' '--no-system-trust' '-u' 'any_user' '--passwd-on-stdin''
Thu Jan 4 19:28:06 2024 daemon.notice netifd: vpn (2258): Server certificate verify failed: signer not found
Thu Jan 4 19:28:06 2024 daemon.notice netifd: vpn (2258): Connected to HTTPS on xkmxw.webhop.me with ciphersuite (TLS1.3)-(ECDHE-SECP256R1)-(RSA-PSS-RSAE-SHA256)-(AES-256-GCM)
Thu Jan 4 19:28:06 2024 daemon.notice netifd: vpn (2258): XML POST enabled
Thu Jan 4 19:28:06 2024 daemon.notice netifd: vpn (2258): Please enter your username.
Thu Jan 4 19:28:06 2024 daemon.notice netifd: vpn (2258): POST https://xkmxw.webhop.me/auth
Thu Jan 4 19:28:06 2024 daemon.notice netifd: vpn (2258): Please enter your password.
Thu Jan 4 19:28:06 2024 daemon.notice netifd: vpn (2258): POST https://xkmxw.webhop.me/auth
Thu Jan 4 19:28:06 2024 daemon.notice netifd: vpn (2258): Got CONNECT response: HTTP/1.1 200 CONNECTED
Thu Jan 4 19:28:06 2024 daemon.notice netifd: vpn (2258): CSTP connected. DPD 90, Keepalive 32400
Thu Jan 4 19:28:06 2024 daemon.notice netifd: vpn (2258): No DTLS address
Thu Jan 4 19:28:06 2024 daemon.notice netifd: vpn (2258): Set up UDP failed; using SSL instead
Thu Jan 4 19:28:06 2024 daemon.notice netifd: vpn (2258): Configured as 192.168.10.79, with SSL connected and DTLS disabled
Thu Jan 4 19:28:07 2024 daemon.notice netifd: Interface 'vpn' is now up

The interface shows the connection as working. An address from the required range was assigned.

Here is my network config

root@OpenWrt:/etc/config# cat network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd08:78fc:0b73::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0.1'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '10.10.10.1'

config interface 'wan'
        option device 'eth0.2'
        option proto 'dhcp'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '1 6t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '0 6t'

config interface 'vpn'
        option proto 'openconnect'
        option vpn_protocol 'anyconnect'
        option username 'any_user'
        option password 'secret'
        list dns '8.8.8.8'
        list dns '1.1.1.1'
        option delegate '0'
        option port '443'
        option server 'https://xkmxw.webhop.me'
        option serverhash 'pin-sha256:dmOEtRuGpEnurJ9y9UmmEzDJ1PhmQnhwpzh6Y1J8RvM='
        option defaultroute '0'

firewall

root@OpenWrt:/etc/config# cat firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option mtu_fix '1'
        list network 'wan'
        option masq '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config zone
        option name 'vpn'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'vpn'
        option input 'REJECT'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'vpn'

ip show

root@OpenWrt:/etc/config# ip address show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP qlen 1000
    link/ether 94:83:c4:1f:57:16 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::9683:c4ff:fe1f:5716/64 scope link
       valid_lft forever preferred_lft forever
5: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether 94:83:c4:1f:57:16 brd ff:ff:ff:ff:ff:ff
    inet 10.10.10.1/24 brd 10.10.10.255 scope global br-lan
       valid_lft forever preferred_lft forever
    inet6 fd08:78fc:b73::1/60 scope global noprefixroute
       valid_lft forever preferred_lft forever
    inet6 fe80::9683:c4ff:fe1f:5716/64 scope link
       valid_lft forever preferred_lft forever
6: eth0.1@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP qlen 1000
    link/ether 94:83:c4:1f:57:16 brd ff:ff:ff:ff:ff:ff
8: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP qlen 1000
    link/ether 94:83:c4:1f:57:16 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::9683:c4ff:fe1f:5716/64 scope link
       valid_lft forever preferred_lft forever
9: vpn-vpn: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN qlen 500
    link/[65534]
    inet 192.168.10.79/32 brd 255.255.255.255 scope global vpn-vpn
       valid_lft forever preferred_lft forever
    inet6 fe80::8bd7:d972:5bf9:db14/64 scope link flags 800
       valid_lft forever preferred_lft forever
10: eth0.2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether 94:83:c4:1f:57:16 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.8/24 brd 192.168.1.255 scope global eth0.2
       valid_lft forever preferred_lft forever
    inet6 fe80::9683:c4ff:fe1f:5716/64 scope link
       valid_lft forever preferred_lft forever

routes

root@OpenWrt:/etc/config# ip route show
default via 192.168.1.1 dev eth0.2  src 192.168.1.8
10.10.10.0/24 dev br-lan scope link  src 10.10.10.1
192.168.1.0/24 dev eth0.2 scope link  src 192.168.1.8
192.168.10.0/24 dev vpn-vpn scope link

I would be grateful for any help.

Try turning on masquerading on your vpn firewall zone. Reboot the router and test again.

2 Likes

Thanks!
Unfortunately this did not yield any results.
There is a connection, but pings do not work to the server or anywhere else.

In the last screenshot, the gateway is 0.0.0.0, is this correct?

Try enabling the default gateway on the vpn interface and set a metric for the wan.

uci set network.vpn.defaultroute='1'
uci set network.wan.metric='10'
uci commit network
/etc/init.d/network restart
1 Like

Thanks!
Unfortunately this didn't help. It seems that client authentication is not completed.
I logged into the server and was unable to ping the assigned IP address. The client on the phone pings from the server correctly.

Just in case, I have attached the logs of the server, the moment of connection (successful connection from the mobile client and unsuccessful connection from OpenWrt) and again the OpenWrt syslog.
ocserv log of unsuccessful connection

Jan 05 16:43:56 ruvds-r0jos ocserv[701150]: worker: 46.4.234.22 accepted connection
Jan 05 16:43:56 ruvds-r0jos ocserv[701092]: sec-mod: received request from pid 701150 and uid 998sec-mod: cmd [size=38] sm: sign hash
Jan 05 16:43:56 ruvds-r0jos ocserv[701150]: worker: 46.4.234.22 TLS handshake completedworker: 46.4.234.22 sending message 'session info' to main
Jan 05 16:43:56 ruvds-r0jos ocserv[701081]: main:46.4.234.22:47236 main received worker's message 'session info' of 66 bytes
Jan 05 16:43:56 ruvds-r0jos ocserv[701150]: worker: 46.4.234.22 User-agent: 'Open AnyConnect VPN Agent v9.01'worker: 46.4.234.22 Detected OpenConnect v4 or newerworker: 46.4.234.22 User-agent: 'Open AnyConnect VPN Agent v9.01'worker: 46.4.234.22 Detected>
Jan 05 16:43:56 ruvds-r0jos ocserv[701092]: sec-mod: received request from pid 701150 and uid 998sec-mod: cmd [size=140] sm: auth init
Jan 05 16:43:56 ruvds-r0jos ocserv[701092]: sec-mod: sec-mod instance 0 issue cookiesec-mod: using 'plain' authentication to authenticate user (session: YsTlsQ)sec-mod: auth init for user 'any_user' (session: YsTlsQ) of group: '' from '46.4.234.22'
Jan 05 16:43:56 ruvds-r0jos ocserv[701150]: worker[any_user]: 46.4.234.22 received auth reply message (value: 2)worker[any_user]: 46.4.234.22 continuing authentication for 'any_user'worker[any_user]: 46.4.234.22 User-agent: 'Open AnyConnect VPN Agent v9.>
Jan 05 16:43:56 ruvds-r0jos ocserv[701092]: sec-mod: received request from pid 701150 and uid 998sec-mod: cmd [size=63] sm: auth cont
Jan 05 16:43:56 ruvds-r0jos ocserv[701092]: sec-mod: auth cont for user 'any_user' (session: YsTlsQ)sec-mod: auth complete for user 'any_user' (session: YsTlsQ) of group: ''
!!Jan 05 16:43:57 ruvds-r0jos ocserv[701150]: worker[any_user]: 46.4.234.22 received auth reply message (value: 1)worker[any_user]: 46.4.234.22 User-agent: 'Open AnyConnect VPN Agent v9.01'worker[any_user]: 46.4.234.22 Detected OpenConnect v4 or newerworker>
Jan 05 16:43:57 ruvds-r0jos ocserv[701081]: main:46.4.234.22:47236 main received worker's message 'auth cookie request' of 43 bytes
Jan 05 16:43:57 ruvds-r0jos ocserv[701081]: main:46.4.234.22:47236 sending msg sm: session open to sec-mod
Jan 05 16:43:57 ruvds-r0jos ocserv[701092]: sec-mod: received request sm: session opensec-mod: cmd [size=34] sm: session open
Jan 05 16:43:57 ruvds-r0jos ocserv[701081]: main[any_user]:46.4.234.22:47236 new user sessionmain[any_user]:46.4.234.22:47236 selected IP: 192.168.10.79main[any_user]:46.4.234.22:47236 assigned IPv4: 192.168.10.79main[any_user]:46.4.234.22:47236 assi>
Jan 05 16:43:57 ruvds-r0jos ocserv[701081]: main[any_user]:46.4.234.22:47236 user of group '[unknown]' authenticated (using cookie)main[any_user]:46.4.234.22:47236 sending (socket) message 2 to workermain[any_user]:46.4.234.22:47236 user logged in
Jan 05 16:43:57 ruvds-r0jos ocserv[701150]: worker[any_user]: 46.4.234.22 received auth reply message (value: 1)worker[any_user]: 46.4.234.22 suggesting DPD of 90 secsworker[any_user]: 46.4.234.22 disabling UDP (DTLS) connectionworker[any_user]: 176.116.>
Jan 05 16:43:57 ruvds-r0jos ocserv[701081]: main[any_user]:46.4.234.22:47236 main received worker's message 'tun mtu change' of 3 bytes
Jan 05 16:43:57 ruvds-r0jos ocserv[701081]: main[any_user]:46.4.234.22:47236 setting vpns0 MTU to 1472

Successful connection from the mobile client (Cisco AnyConnect). It contains more lines.

 sec-mod: received request from pid 701206 and uid 0sec-mod: cmd [size=57] sm: sign
Jan 05 17:02:23 ruvds-r0jos ocserv[701206]: worker: 176.59.19.45 accepted connection
Jan 05 17:02:23 ruvds-r0jos ocserv[701092]: sec-mod: received request from pid 701206 and uid 998sec-mod: cmd [size=38] sm: sign hash
Jan 05 17:02:24 ruvds-r0jos ocserv[701206]: worker: 176.59.19.45 TLS handshake completedworker: 176.59.19.45 sending message 'session info' to main
Jan 05 17:02:24 ruvds-r0jos ocserv[701081]: main:176.59.19.45:32558 main received worker's message 'session info' of 66 bytes
Jan 05 17:02:25 ruvds-r0jos ocserv[701206]: worker: 176.59.19.45 User-agent: 'AnyConnect Android 5.0.05042'worker: 176.59.19.45 Detected Cisco AnyConnectworker: 176.59.19.45 Platform: 'android' (mobile)worker: 176.59.19.45 Device-type: 'Xiaomi M2103K19PY'worker: 176.59.>
Jan 05 17:02:25 ruvds-r0jos ocserv[701092]: sec-mod: received request from pid 701206 and uid 998sec-mod: cmd [size=159] sm: auth init
Jan 05 17:02:25 ruvds-r0jos ocserv[701092]: sec-mod: sec-mod instance 0 issue cookiesec-mod: using 'plain' authentication to authenticate user (session: yvQLLJ)sec-mod: auth init for user 'any_user' (session: yvQLLJ) of group: '' from '176.59.19.45'
Jan 05 17:02:28 ruvds-r0jos ocserv[701206]: worker[any_user]: 176.59.19.45 received auth reply message (value: 2)worker[any_user]: 176.59.19.45 continuing authentication for 'any_user'
Jan 05 17:02:28 ruvds-r0jos ocserv[701092]: sec-mod: performing maintenance
Jan 05 17:02:28 ruvds-r0jos ocserv[701081]: main: main received message 'sm: stats' from sec-mod of 10 bytes
Jan 05 17:02:29 ruvds-r0jos ocserv[701092]: sec-mod: active sessions 1
Jan 05 17:02:29 ruvds-r0jos ocserv[701206]: worker[any_user]: 176.59.19.45 User-agent: 'AnyConnect Android 5.0.05042'worker[any_user]: 176.59.19.45 Detected Cisco AnyConnectworker[any_user]: 176.59.19.45 Platform: 'android' (mobile)worker[any_user]: 176.59.19.45 Dev>
Jan 05 17:02:29 ruvds-r0jos ocserv[701092]: sec-mod: received request from pid 701206 and uid 998sec-mod: cmd [size=60] sm: auth cont
Jan 05 17:02:29 ruvds-r0jos ocserv[701092]: sec-mod: auth cont for user 'any_user' (session: yvQLLJ)sec-mod: auth complete for user 'any_user' (session: yvQLLJ) of group: ''
Jan 05 17:02:29 ruvds-r0jos ocserv[701206]: worker[any_user]: 176.59.19.45 received auth reply message (value: 1)
Jan 05 17:02:29 ruvds-r0jos ocserv[701081]: main: queue_length retval:0 rqueue:0 wqueue:1024
Jan 05 17:02:29 ruvds-r0jos ocserv[701092]: sec-mod: received request from pid 701207 and uid 0sec-mod: cmd [size=57] sm: sign
Jan 05 17:02:29 ruvds-r0jos ocserv[701207]: worker: 176.59.19.45 accepted connection
Jan 05 17:02:29 ruvds-r0jos ocserv[701092]: sec-mod: received request from pid 701207 and uid 998sec-mod: cmd [size=38] sm: sign hash
Jan 05 17:02:30 ruvds-r0jos ocserv[701207]: worker: 176.59.19.45 TLS handshake completedworker: 176.59.19.45 sending message 'session info' to main
Jan 05 17:02:30 ruvds-r0jos ocserv[701081]: main:176.59.19.45:5639 main received worker's message 'session info' of 66 bytes
Jan 05 17:02:30 ruvds-r0jos ocserv[701207]: worker: 176.59.19.45 User-agent: 'AnyConnect Android 5.0.05042'worker: 176.59.19.45 Detected Cisco AnyConnect
Jan 05 17:02:30 ruvds-r0jos ocserv[701081]: main:176.59.19.45:5639 worker terminatedmain:176.59.19.45:5639 user disconnected (reason: unspecified, rx: 0, tx: 0)main: queue_length retval:0 rqueue:0 wqueue:1024
Jan 05 17:02:30 ruvds-r0jos ocserv[701092]: sec-mod: received request from pid 701208 and uid 0sec-mod: cmd [size=57] sm: sign
Jan 05 17:02:30 ruvds-r0jos ocserv[701208]: worker: 176.59.19.45 accepted connection
Jan 05 17:02:30 ruvds-r0jos ocserv[701092]: sec-mod: received request from pid 701208 and uid 998sec-mod: cmd [size=38] sm: sign hash
Jan 05 17:02:30 ruvds-r0jos ocserv[701208]: worker: 176.59.19.45 TLS handshake completedworker: 176.59.19.45 sending message 'session info' to main
Jan 05 17:02:30 ruvds-r0jos ocserv[701081]: main:176.59.19.45:5736 main received worker's message 'session info' of 66 bytes
Jan 05 17:02:30 ruvds-r0jos ocserv[701208]: worker: 176.59.19.45 User-agent: 'AnyConnect Android 5.0.05042'worker: 176.59.19.45 Detected Cisco AnyConnect
Jan 05 17:02:30 ruvds-r0jos ocserv[701081]: main:176.59.19.45:5736 worker terminatedmain:176.59.19.45:5736 user disconnected (reason: unspecified, rx: 0, tx: 0)main: queue_length retval:0 rqueue:0 wqueue:1024
Jan 05 17:02:30 ruvds-r0jos ocserv[701092]: sec-mod: received request from pid 701209 and uid 0sec-mod: cmd [size=57] sm: sign
Jan 05 17:02:30 ruvds-r0jos ocserv[701209]: worker: 176.59.19.45 accepted connection
Jan 05 17:02:30 ruvds-r0jos ocserv[701092]: sec-mod: received request from pid 701209 and uid 998sec-mod: cmd [size=38] sm: sign hash
Jan 05 17:02:30 ruvds-r0jos ocserv[701209]: worker: 176.59.19.45 TLS handshake completedworker: 176.59.19.45 sending message 'session info' to main
Jan 05 17:02:30 ruvds-r0jos ocserv[701081]: main:176.59.19.45:64890 main received worker's message 'session info' of 66 bytes
Jan 05 17:02:30 ruvds-r0jos ocserv[701209]: worker: 176.59.19.45 User-agent: 'Cisco AnyConnect VPN Agent for Android 5.0.05042'worker: 176.59.19.45 Detected Cisco AnyConnectworker: 176.59.19.45 Platform: 'android' (mobile)worker: 176.59.19.45 Device-type: 'Xiaomi M2103K>
Jan 05 17:02:30 ruvds-r0jos ocserv[701081]: main:176.59.19.45:64890 main received worker's message 'auth cookie request' of 45 bytes
Jan 05 17:02:30 ruvds-r0jos ocserv[701081]: main:176.59.19.45:64890 sending msg sm: session open to sec-mod
Jan 05 17:02:30 ruvds-r0jos ocserv[701092]: sec-mod: received request sm: session opensec-mod: cmd [size=34] sm: session open
Jan 05 17:02:30 ruvds-r0jos ocserv[701081]: main[any_user]:176.59.19.45:64890 new user sessionmain[any_user]:176.59.19.45:64890 selected IP: 192.168.10.79main[any_user]:176.59.19.45:64890 assigned IPv4: 192.168.10.79main[any_user]:176.59.19.45:64890 assigning tun de>
Jan 05 17:02:30 ruvds-r0jos ocserv[701081]: main[any_user]:176.59.19.45:64890 user of group '[unknown]' authenticated (using cookie)main[any_user]:176.59.19.45:64890 sending (socket) message 2 to workermain[any_user]:176.59.19.45:64890 user logged in
Jan 05 17:02:30 ruvds-r0jos ocserv[701209]: worker: 176.59.19.45 received auth reply message (value: 1)worker[any_user]: 176.59.19.45 suggesting DPD of 1800 secsworker[any_user]: 176.59.19.45 disabling UDP (DTLS) connectionworker[any_user]: 176.59.19.45 configured li>
Jan 05 17:02:30 ruvds-r0jos ocserv[701081]: main[any_user]:176.59.19.45:64890 main received worker's message 'tun mtu change' of 3 bytes
Jan 05 17:02:30 ruvds-r0jos ocserv[701081]: main[any_user]:176.59.19.45:64890 setting vpns0 MTU to 1472
Jan 05 17:02:31 ruvds-r0jos ocserv[701092]: sec-mod: initiating session for user 'any_user' (session: yvQLLJ)

sys log

Fri Jan  5 14:11:42 2024 daemon.notice netifd: Interface 'vpn' is setting up now
Fri Jan  5 14:11:42 2024 user.notice openconnect: initializing...
Fri Jan  5 14:11:42 2024 user.notice openconnect: adding host dependency for https://xkmxw.webhop.me at vpn
Fri Jan  5 14:11:42 2024 user.notice openconnect: executing 'openconnect 'https://xkmxw.webhop.me:443' '-i' 'vpn-vpn' '--non-inter' '--syslog' '--script' '/lib/netifd/vpnc-script' '--protocol' 'anyconnect' '--servercert=pin-sha256:dmOEtRuGpEnurJ9y9UmmEzDJ1PhmQnhwpzh6Y6J9RvM=' '--no-system-trust' '-u' 'any_user' '--passwd-on-stdin''
Fri Jan  5 14:11:43 2024 daemon.notice netifd: vpn (4868): POST https://xkmxw.webhop.me/
Fri Jan  5 14:11:43 2024 daemon.notice netifd: vpn (4868): Connected to 195.133.48.165:443
Fri Jan  5 14:11:43 2024 daemon.notice netifd: vpn (4868): SSL negotiation with xkmxw.webhop.me
Fri Jan  5 14:11:43 2024 daemon.notice netifd: vpn (4868): Server certificate verify failed: signer not found
Fri Jan  5 14:11:43 2024 daemon.notice netifd: vpn (4868): Connected to HTTPS on xkmxw.webhop.me with ciphersuite (TLS1.3)-(ECDHE-SECP256R1)-(RSA-PSS-RSAE-SHA256)-(AES-256-GCM)
Fri Jan  5 14:11:43 2024 daemon.notice netifd: vpn (4868): XML POST enabled
Fri Jan  5 14:11:43 2024 daemon.notice netifd: vpn (4868): Please enter your username.
Fri Jan  5 14:11:43 2024 daemon.notice netifd: vpn (4868): POST https://xkmxw.webhop.me/auth
Fri Jan  5 14:11:43 2024 daemon.notice netifd: vpn (4868): Please enter your password.
Fri Jan  5 14:11:43 2024 daemon.notice netifd: vpn (4868): POST https://xkmxw.webhop.me/auth
Fri Jan  5 14:11:43 2024 daemon.notice netifd: vpn (4868): Got CONNECT response: HTTP/1.1 200 CONNECTED
Fri Jan  5 14:11:43 2024 daemon.notice netifd: vpn (4868): CSTP connected. DPD 90, Keepalive 32400
Fri Jan  5 14:11:43 2024 daemon.notice netifd: vpn (4868): No DTLS address
Fri Jan  5 14:11:43 2024 daemon.notice netifd: vpn (4868): Set up UDP failed; using SSL instead
Fri Jan  5 14:11:43 2024 daemon.notice netifd: vpn (4868): Configured as 192.168.10.32, with SSL connected and DTLS disabled
Fri Jan  5 14:11:44 2024 daemon.notice netifd: Interface 'vpn' is now up
Fri Jan  5 14:11:44 2024 daemon.info dnsmasq[1]: reading /tmp/resolv.conf.d/resolv.conf.auto
Fri Jan  5 14:11:44 2024 daemon.info dnsmasq[1]: using nameserver 1.1.1.1#53 for domain xkmxw.webhop.me
Fri Jan  5 14:11:44 2024 daemon.info dnsmasq[1]: using nameserver 8.8.8.8#53 for domain xkmxw.webhop.me

One line alarmed me:

Fri Jan  5 14:11:43 2024 daemon.notice netifd: vpn (4868): Server certificate verify failed: signer not found

But I'm sure I'm passing the key correctly with --servercert=

Maybe we need to somehow install a certificate on the router itself?
On the server I use the Let's Encrypt certificate.

Pardon my language. I use a translator.

Change the default input policy of the vpn firewall zone to ACCEPT and try pinging the IP address assigned to the client again.

After that the vpn interface goes up, so please do the ping test again after changing the firewall settings.

Also check the routing table when vpn is active.

Did you follow the procedure described in the wiki?

https://openwrt.org/docs/guide-user/services/vpn/openconnect/client#key_management

1 Like

Yes, pings work! :slightly_smiling_face: From the server, and from the client too.
But ping works only if I uncheck the "Use default gateway" checkbox in the vpn settings and then restart the vpn interface.
But the Internet doesn't work.

These are the routes with the "Use default gateway" checkbox enabled in the vpn settings (pings not working):
ip route show table all

root@OpenWrt:~# ip route show table all
default dev vpn-vpn scope link
default via 192.168.1.1 dev eth0.2  src 192.168.1.8  metric 10
10.10.10.0/24 dev br-lan scope link  src 10.10.10.1
192.168.1.0/24 dev eth0.2 scope link  metric 10
192.168.10.0/24 dev vpn-vpn scope link
local 10.10.10.1 dev br-lan table local scope host  src 10.10.10.1
broadcast 10.10.10.255 dev br-lan table local scope link  src 10.10.10.1
local 127.0.0.0/8 dev lo table local scope host  src 127.0.0.1
local 127.0.0.1 dev lo table local scope host  src 127.0.0.1
broadcast 127.255.255.255 dev lo table local scope link  src 127.0.0.1
local 192.168.1.8 dev eth0.2 table local scope host  src 192.168.1.8
broadcast 192.168.1.255 dev eth0.2 table local scope link  src 192.168.1.8
local 192.168.10.79 dev vpn-vpn table local scope host  src 192.168.10.79
fd09:28a1:7d80::/64 dev br-lan  metric 1024
unreachable fd09:28a1:7d80::/48 dev lo  metric 2147483647
fe80::/64 dev eth0  metric 256
fe80::/64 dev br-lan  metric 256
fe80::/64 dev eth0.2  metric 256
fe80::/64 dev vpn-vpn  metric 256
local ::1 dev lo table local  metric 0
anycast fd09:28a1:7d80:: dev br-lan table local  metric 0
local fd09:28a1:7d80::1 dev br-lan table local  metric 0
anycast fe80:: dev eth0 table local  metric 0
anycast fe80:: dev br-lan table local  metric 0
anycast fe80:: dev eth0.2 table local  metric 0
anycast fe80:: dev vpn-vpn table local  metric 0
local fe80::43a1:faef:2f8b:5df6 dev vpn-vpn table local  metric 0
local fe80::9683:c4ff:fe1f:5716 dev eth0 table local  metric 0
local fe80::9683:c4ff:fe1f:5716 dev br-lan table local  metric 0
local fe80::9683:c4ff:fe1f:5716 dev eth0.2 table local  metric 0
multicast ff00::/8 dev eth0 table local  metric 256
multicast ff00::/8 dev br-lan table local  metric 256
multicast ff00::/8 dev eth0.2 table local  metric 256
multicast ff00::/8 dev vpn-vpn table local  metric 256

ip address show

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP qlen 1000
    link/ether 94:83:c4:1f:57:16 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::9683:c4ff:fe1f:5716/64 scope link
       valid_lft forever preferred_lft forever
4: wlan0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 1000
    link/ether 94:83:c4:1f:57:16 brd ff:ff:ff:ff:ff:ff
5: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether 94:83:c4:1f:57:16 brd ff:ff:ff:ff:ff:ff
    inet 10.10.10.1/24 brd 10.10.10.255 scope global br-lan
       valid_lft forever preferred_lft forever
    inet6 fd09:28a1:7d80::1/60 scope global noprefixroute
       valid_lft forever preferred_lft forever
    inet6 fe80::9683:c4ff:fe1f:5716/64 scope link
       valid_lft forever preferred_lft forever
6: eth0.1@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP qlen 1000
    link/ether 94:83:c4:1f:57:16 brd ff:ff:ff:ff:ff:ff
11: eth0.2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether 94:83:c4:1f:57:16 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.8/24 brd 192.168.1.255 scope global eth0.2
       valid_lft forever preferred_lft forever
    inet6 fe80::9683:c4ff:fe1f:5716/64 scope link
       valid_lft forever preferred_lft forever
12: vpn-vpn: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN qlen 500
    link/[65534]
    inet 192.168.10.79/32 brd 255.255.255.255 scope global vpn-vpn
       valid_lft forever preferred_lft forever
    inet6 fe80::43a1:faef:2f8b:5df6/64 scope link flags 800
       valid_lft forever preferred_lft forever

If I uncheck the checkbox, ping starts working and one of the routes, "default dev vpn-vpn scope link", disappears from the table.

and my network

root@OpenWrt:~# uci show network;
network.loopback=interface
network.loopback.device='lo'
network.loopback.proto='static'
network.loopback.ipaddr='127.0.0.1'
network.loopback.netmask='255.0.0.0'
network.globals=globals
network.globals.ula_prefix='fd09:28a1:7d80::/48'
network.@device[0]=device
network.@device[0].name='br-lan'
network.@device[0].type='bridge'
network.@device[0].ports='eth0.1'
network.lan=interface
network.lan.device='br-lan'
network.lan.proto='static'
network.lan.ipaddr='10.10.10.1'
network.lan.netmask='255.255.255.0'
network.lan.ip6assign='60'
network.wan=interface
network.wan.device='eth0.2'
network.wan.proto='dhcp'
network.wan.metric='10'
network.@switch[0]=switch
network.@switch[0].name='switch0'
network.@switch[0].reset='1'
network.@switch[0].enable_vlan='1'
network.@switch_vlan[0]=switch_vlan
network.@switch_vlan[0].device='switch0'
network.@switch_vlan[0].vlan='1'
network.@switch_vlan[0].ports='1 6t'
network.@switch_vlan[1]=switch_vlan
network.@switch_vlan[1].device='switch0'
network.@switch_vlan[1].vlan='2'
network.@switch_vlan[1].ports='0 6t'
network.vpn=interface
network.vpn.proto='openconnect'
network.vpn.vpn_protocol='anyconnect'
network.vpn.server='https://xkmxw.webhop.me'
network.vpn.port='443'
network.vpn.serverhash='pin-sha256:dmOEtRuGpEnurJ1y1UmmEzDJ9PhmQnhwpzh6Y6J1RvM='
network.vpn.username='any_user'
network.vpn.password='secret'
network.vpn.defaultroute='0'

and firewall

root@OpenWrt:~# uci show firewall
firewall.@defaults[0]=defaults
firewall.@defaults[0].input='REJECT'
firewall.@defaults[0].output='ACCEPT'
firewall.@defaults[0].forward='REJECT'
firewall.@defaults[0].synflood_protect='1'
firewall.lan=zone
firewall.lan.name='lan'
firewall.lan.input='ACCEPT'
firewall.lan.output='ACCEPT'
firewall.lan.forward='ACCEPT'
firewall.lan.network='lan'
firewall.wan=zone
firewall.wan.name='wan'
firewall.wan.input='ACCEPT'
firewall.wan.output='ACCEPT'
firewall.wan.forward='REJECT'
firewall.wan.masq='1'
firewall.wan.mtu_fix='1'
firewall.wan.network='wan'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].src='lan'
firewall.@forwarding[0].dest='wan'
firewall.@rule[0]=rule
firewall.@rule[0].name='Allow-DHCP-Renew'
firewall.@rule[0].src='wan'
firewall.@rule[0].proto='udp'
firewall.@rule[0].dest_port='68'
firewall.@rule[0].target='ACCEPT'
firewall.@rule[0].family='ipv4'
firewall.@rule[1]=rule
firewall.@rule[1].name='Allow-Ping'
firewall.@rule[1].src='wan'
firewall.@rule[1].proto='icmp'
firewall.@rule[1].icmp_type='echo-request'
firewall.@rule[1].family='ipv4'
firewall.@rule[1].target='ACCEPT'
firewall.@rule[2]=rule
firewall.@rule[2].name='Allow-IGMP'
firewall.@rule[2].src='wan'
firewall.@rule[2].proto='igmp'
firewall.@rule[2].family='ipv4'
firewall.@rule[2].target='ACCEPT'
firewall.@rule[3]=rule
firewall.@rule[3].name='Allow-DHCPv6'
firewall.@rule[3].src='wan'
firewall.@rule[3].proto='udp'
firewall.@rule[3].dest_port='546'
firewall.@rule[3].family='ipv6'
firewall.@rule[3].target='ACCEPT'
firewall.@rule[4]=rule
firewall.@rule[4].name='Allow-MLD'
firewall.@rule[4].src='wan'
firewall.@rule[4].proto='icmp'
firewall.@rule[4].src_ip='fe80::/10'
firewall.@rule[4].icmp_type='130/0' '131/0' '132/0' '143/0'
firewall.@rule[4].family='ipv6'
firewall.@rule[4].target='ACCEPT'
firewall.@rule[5]=rule
firewall.@rule[5].name='Allow-ICMPv6-Input'
firewall.@rule[5].src='wan'
firewall.@rule[5].proto='icmp'
firewall.@rule[5].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' 'router-solicitation' 'neighbour-solicitation' 'router-advertisement' 'neighbour-advertisement'
firewall.@rule[5].limit='1000/sec'
firewall.@rule[5].family='ipv6'
firewall.@rule[5].target='ACCEPT'
firewall.@rule[6]=rule
firewall.@rule[6].name='Allow-ICMPv6-Forward'
firewall.@rule[6].src='wan'
firewall.@rule[6].dest='*'
firewall.@rule[6].proto='icmp'
firewall.@rule[6].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type'
firewall.@rule[6].limit='1000/sec'
firewall.@rule[6].family='ipv6'
firewall.@rule[6].target='ACCEPT'
firewall.@rule[7]=rule
firewall.@rule[7].name='Allow-IPSec-ESP'
firewall.@rule[7].src='wan'
firewall.@rule[7].dest='lan'
firewall.@rule[7].proto='esp'
firewall.@rule[7].target='ACCEPT'
firewall.@rule[8]=rule
firewall.@rule[8].name='Allow-ISAKMP'
firewall.@rule[8].src='wan'
firewall.@rule[8].dest='lan'
firewall.@rule[8].dest_port='500'
firewall.@rule[8].proto='udp'
firewall.@rule[8].target='ACCEPT'
firewall.@zone[2]=zone
firewall.@zone[2].name='vpn'
firewall.@zone[2].input='ACCEPT'
firewall.@zone[2].output='ACCEPT'
firewall.@zone[2].forward='REJECT'
firewall.@zone[2].network='vpn'
firewall.@forwarding[1]=forwarding
firewall.@forwarding[1].src='lan'
firewall.@forwarding[1].dest='vpn'

Yes, I did. To determine the hash, I ran the command:

[image]
I tried updating the firmware to OpenWrt 23.05.0, but it didn't work.

Thanks for help Pavel.

When the box is checked, two static routes should be created automatically - the default gateway via the vpn interface and a route for the openconnect server via the wan interface.

The second one seems to be missing, so try creating it manually in /etc/config/network:

config route
        option interface 'wan'
        option gateway '192.168.1.1'
        option target 'server_IP/32'
1 Like
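As an added example (not from this thread or from OpenWrt), here is a small POSIX sh check for the two routes the "Use default gateway" option is supposed to produce: a default route over the tunnel interface and a host route for the VPN server via the WAN. It runs against the routing table posted above (constructed sample) and against the same table with the suggested host route added; 195.133.48.165 is the server address from the posted syslog, and the function and variable names are assumptions.

```shell
#!/bin/sh
# Added example: verify the routing state a default-gateway-over-VPN setup needs.
# Route 1: a default route over the tunnel interface (defaultroute='1').
# Route 2: a host route for the VPN server out of the WAN interface. Without it,
# the tunnel's own TLS packets to the server would follow the new default route
# back into the tunnel, so the VPN comes up but carries no traffic.

# Constructed sample: the `ip route show` table from the thread with
# "Use default gateway" enabled (default route via vpn-vpn, no host route).
SAMPLE_ROUTES='default dev vpn-vpn scope link
default via 192.168.1.1 dev eth0.2  src 192.168.1.8  metric 10
10.10.10.0/24 dev br-lan scope link  src 10.10.10.1
192.168.1.0/24 dev eth0.2 scope link  metric 10
192.168.10.0/24 dev vpn-vpn scope link'

# Constructed sample: the same table after the suggested `config route` entry
# (target server_IP/32 via 192.168.1.1 on wan) has been applied.
SAMPLE_ROUTES_FIXED="$SAMPLE_ROUTES
195.133.48.165 via 192.168.1.1 dev eth0.2"

# has_default_via_vpn ROUTES VPN_IFACE
# Returns 0 if some default route is bound to VPN_IFACE.
has_default_via_vpn() {
    printf '%s\n' "$1" | awk -v ifc="$2" '
        $1 == "default" {
            for (i = 2; i <= NF; i++)
                if ($i == "dev" && $(i + 1) == ifc) found = 1
        }
        END { if (found) exit 0; exit 1 }'
}

# has_server_host_route ROUTES SERVER_IP WAN_IFACE
# Returns 0 if SERVER_IP (shown as a bare address or /32) leaves via WAN_IFACE.
has_server_host_route() {
    printf '%s\n' "$1" | awk -v ip="$2" -v ifc="$3" '
        ($1 == ip || $1 == (ip "/32")) {
            for (i = 2; i <= NF; i++)
                if ($i == "dev" && $(i + 1) == ifc) found = 1
        }
        END { if (found) exit 0; exit 1 }'
}

# check_vpn_routes ROUTES VPN_IFACE SERVER_IP WAN_IFACE
# Prints one line per check; returns 0 only when both routes are present.
check_vpn_routes() {
    rc=0
    if has_default_via_vpn "$1" "$2"; then
        echo "ok: default route goes through $2"
    else
        echo "missing: no default route via $2 (is defaultroute='1' applied?)"
        rc=1
    fi
    if has_server_host_route "$1" "$3" "$4"; then
        echo "ok: VPN server $3 is reached directly via $4"
    else
        echo "missing: host route for $3 via $4 (add 'config route' with target $3/32)"
        rc=1
    fi
    return $rc
}

# On a live OpenWrt box this would be:
#   check_vpn_routes "$(ip route show)" vpn-vpn 195.133.48.165 eth0.2
echo "--- table as posted (checkbox enabled) ---"
check_vpn_routes "$SAMPLE_ROUTES" vpn-vpn 195.133.48.165 eth0.2 || echo "result: routes incomplete"
echo "--- table with the host route added ---"
check_vpn_routes "$SAMPLE_ROUTES_FIXED" vpn-vpn 195.133.48.165 eth0.2 && echo "result: routes complete"
```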

Thanks Pavel! It works! :love_you_gesture:

1 Like
