PFS in openconnect package

Hi, I'm a newbie in openwrt and trying to learn.
I installed the openconnect package to connect to a commercial server I have credentials for. The problem I'm facing is that I can connect to the server from my android phone using the openconnect application but I can't get it to connect in openwrt even though I'm using the same server address, port, user and pass. The only thing that differs between the interface on my openwrt router and the openconnect app is the "Require PFS" option for the server. I couldn't find any way to enable this option for my interface in openwrt. Sorry if this is very foolish or something but I'm very new to OpenWrt.
Thanks in advance.

1 Like

The command-line option '--pfs' (for openconnect) should do what you want. I'm not 100% sure how you'd get that into the config on OpenWRT though - looks likely to need a patch to both the openconnect and luci-proto-openconnect packages to add the relevant option and pass it through to the wrapper script that calls openconnect.

1 Like

Yeah, I know. That's exactly what I'm looking for: the PFS option for openconnect and an option to change the server port for the sstp connection. I'm pretty sure that these 2 options are available for both packages but it is me who can't use them. Thanks for the advice.
I hope someone can help me with either of these two.

Any ideas guys?!

Doesn't look like you can have this as an option

It will need to be added into the package.

A bit hacky but you could edit openconnect.sh and add the following to line 130.

append_args "--pfs"

1 Like

Ok, will try this and see what happens.
Where can I find this file to edit it?
Do I have to edit it before installing the package or after?

This is a script that is part of the openconnect package. When an interface of proto openconnect is instantiated, the script runs to build a transient native openconnect configuration file from the UCI configuration.

It would be in /lib/netifd/proto/openconnect.sh after installing the package.

2 Likes

Yeah, I found it and edited it, but it seems that it had no effect :frowning:

Ok, so I'm now trying to connect to an anyconnect server and this one gives me a certificate verify error.
It says this:

to trust this server in future, perhaps add this to your command line:
--servercert pin-sha256:XXXXXXXXXXXXXXXXXXX

I tried to add this into openconnect.sh by using append_args and it does execute after restarting the interface but the package doesn't recognise it as a valid command. What to do?
Is there any way to make the package accept untrusted certificates? Because I have to uncheck the "Block Untrusted Servers" option in the android app to be able to connect to the server.

Alright, I finally got it working by adding this line to openconnect.sh:

append_args "--servercert=pin-sha256:XXXXXXXXXXXXXXXXXXX"

in which XXXXXXXXXXXXXXXXXXX is the certificate hash of the server.
Now I only have to learn to enable pfs in this package somehow

You should use the UCI option serverhash instead.

1 Like

What exactly does the --nosystemtrust option do?! Does it mean that it will connect to the server no matter what the certificate is?

--no-system-trust @ openconnect(8)

1 Like

Apparently, this doesn't solve my problem because if I remove my argument --servercert=pin-sha256:XXXXXXXXXXXXXXXXXXX and put --no-system-trust instead, I still get certificate verification error.

Yes because the option needs to be used with the cafile parameter. But as you've suggested previously, you don't have their certificate.

Do not trust the system default certificate authorities. If this option is given, only certificate authorities given with the --cafile option, if any, will be trusted automatically.

Obtain the CA file from the server owner. A CA certificate by itself (without key) is not secret. It can be used to confirm that the server certificate was trusted or issued by the entity that holds the key to the corresponding CA certificate.

It's possible the PFS feature was compiled out of the OpenWrt build of openconnect to save space.

BTW, the UCI option serverhash enables both --servercert and --no-system-trust:

1 Like
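An added example, not taken from this thread or from the OpenWrt openconnect package: a small POSIX shell helper that checks a pin-sha256 value is well-formed, derives one from a PEM server certificate supplied by the server owner, and applies it through the UCI serverhash option instead of editing openconnect.sh. It assumes the interface is named vpn and that openconnect's pin-sha256 is the RFC 7469 style base64 SHA-256 of the DER-encoded public key (my assumption, as the thread does not say how the hash is computed).

```shell
#!/bin/sh
# Constructed example: pin the VPN server certificate via UCI `serverhash`
# (which the thread notes turns on --servercert and --no-system-trust).

# A pin-sha256 value is "pin-sha256:" plus the base64 of a 32-byte SHA-256
# digest: 43 base64 characters and one '=' pad, 44 characters in total.
pin_is_valid() {
    case "$1" in
        pin-sha256:*) ;;
        *) return 1 ;;
    esac
    b64=${1#pin-sha256:}
    [ "${#b64}" -eq 44 ] || return 1
    printf '%s' "$b64" | grep -Eq '^[A-Za-z0-9+/]{43}=$'
}

# Derive the pin from a PEM certificate file: extract the public key, encode
# it as DER, hash with SHA-256 and base64 the raw digest (assumed to match
# the pin-sha256 value openconnect prints for the same server).
pin_from_pem() {
    openssl x509 -in "$1" -pubkey -noout \
      | openssl pkey -pubin -outform DER \
      | openssl dgst -sha256 -binary \
      | openssl base64 -A \
      | sed 's/^/pin-sha256:/'
}

# Emit the uci commands that set the pin on interface $1 (e.g. "vpn") and
# bring it up; refuses malformed pins so a typo cannot be committed.
uci_commands_for_pin() {
    pin_is_valid "$2" || { echo "refusing to apply malformed pin: $2" >&2; return 1; }
    printf 'uci set network.%s.serverhash=%s\n' "$1" "$2"
    printf 'uci commit network\nifup %s\n' "$1"
}
```

Run it as `uci_commands_for_pin vpn "$(pin_from_pem server.pem)" | sh` once the PEM file from the server owner is on the router.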

Do you suggest that I remove it from the file?

Excuse me but I'm still learning openwrt, where exactly should I make this edit?

Oh ok, I get it now. Thank you.

Will try it and see how it goes, thanks again :slight_smile:

I tried what you said, it was the same as adding append_args "--pfs" and had no effect.
It's strange because it doesn't even give any errors.