PFS in openconnect package

mortezaghafoori · April 20, 2023, 4:57pm

Hi, I'm a newbie in openwrt and trying to learn.
I installed the openconnect package to connect to a commercial server I have credentials for. The problem I'm facing is that I can connect to the server from my android phone using the openconnect application but I can't get it to connect in openwrt even though I'm using the same server address, port, user and pass. The only thing that differs between the interface on my openwrt router and the openconnect app is the "Require PFS" option for the server. I couldn't find any way to enable this option for my interface in openwrt. Sorry if this is ver foolish or something but I'm very new to OpenWrt.
Thanks in advance.

greem · April 20, 2023, 6:32pm

The command-line option '--pfs' (for openconnect) should do what you want. I'm not 100% sure how you'd get that into the config on OpenWRT though - looks likely to need a patch to both the openconnect and luci-proto-openconnect packages to add the relevant option and pass it through to the wrapper script that calls openconnect.

mortezaghafoori · April 20, 2023, 9:10pm

Yeah, I know. That's exactly what I'm looking for. the PFS option for openconnect and an option to change server port for sstp connection. I'm pretty sure that these 2 options are available for both packages but it is me who can't use them. Thanks for the advise.
I hope someone can help me with either of these two.

mortezaghafoori · April 21, 2023, 2:00pm

Any ideas guys?!

d687r02j8g · April 21, 2023, 3:33pm

Doesn't look like you can have this as an option

github.com

openwrt/packages/blob/openwrt-22.03/net/openconnect/files/openconnect.sh

#!/bin/sh
. /lib/functions.sh
. ../netifd-proto.sh
init_proto "$@"

append_args() {
	while [ $# -gt 0 ]; do
		append cmdline "'${1//\'/\'\\\'\'}'"
		shift
	done
}

proto_openconnect_init_config() {
	proto_config_add_string "server"
	proto_config_add_int "port"
	proto_config_add_int "mtu"
	proto_config_add_int "juniper"
	proto_config_add_string "vpn_protocol"
	proto_config_add_boolean "no_dtls"
	proto_config_add_string "interface"

This file has been truncated. show original

It will need to be added into the package.

A bit hacky but you could edit openconnect.sh and add the following to line 130.

append_args "--pfs"

mortezaghafoori · April 22, 2023, 1:10am

Ok, will try this and see what happens.
Where can I find this file to edit it?
Do I have to edit it before installing the package or after?

mk24 · April 22, 2023, 3:11am

This is a script that is part of the openconnect package. When an interface of proto openconnect is instantiated, the script runs to build a transient native openconnect configuration file from the UCI configuration.

It would be in /lib/netifd/proto/openconnect.sh after installing the package.

mortezaghafoori · April 22, 2023, 3:55am

Yeah, I found it and edited it, but it seems that it had no effect

mortezaghafoori · April 22, 2023, 4:11am

Ok, so I'm now trying to an anyconnect server and this one gives me a certificate verify error.
It says this:

to trust this server in future, perhaps add this to your command line:
--servercert pin-sha256:XXXXXXXXXXXXXXXXXXX

I tried to add this into openconnect.sh by using append_args and it does execute after restarting the interface but the package doesn't recognise it as a valid command. What to do?
Is there anyway to make the package accept untrusted certificates? because I have to uncheck the "Block Untrusted Servers" option in the android app to be able to connect to the server

mortezaghafoori · April 22, 2023, 4:26am

Alright, I finally got it working by adding this line to openconnect.sh:

append_args "--servercert=pin-sha256:XXXXXXXXXXXXXXXXXXX"

in which XXXXXXXXXXXXXXXXXXX is the certificate hash of the server.
Now I only have to learn to enable pfs in this package somehow

vgaetera · April 22, 2023, 6:31am

You should use the UCI option serverhash instead.

mortezaghafoori · April 24, 2023, 4:02am

What exactly does the --nosystemtrust option do?! Does it mean that it will connect to the server no matter what the certificate is?

vgaetera · April 24, 2023, 5:48am

--no-system-trust @ openconnect(8)

mortezaghafoori · April 24, 2023, 2:41pm

Apparently, this doesn't solve my problem because if I remove my argument --servercert=pin-sha256:XXXXXXXXXXXXXXXXXXX and put --no-system-trust instead, I still get certificate verification error.

d687r02j8g · April 24, 2023, 2:56pm

Yes because the option needs to be used with the cafile parameter. But as you've suggested previously, you don't have their certificate.

Do not trust the system default certificate authorities. If this option is given, only certificate authorities given with the --cafile option, if any, will be trusted automatically.

mk24 · April 24, 2023, 3:04pm

Obtain the CA file from the server owner. A CA certificate by itself (without key) is not secret. It can be used to confirm that the server certificate was trusted or issued by the entity that holds the key to the corresponding CA certificate.

It's possible the PFS feature was compiled out of the OpenWrt build of openconnect to save space.

vgaetera · April 24, 2023, 6:47pm

The UCI option serverhash enables both --servercert and --no-system-trust:

github.com

openwrt/packages/blob/master/net/openconnect/files/openconnect.sh#L110-L113


      
          	[ -n "$serverhash" ] && {
          		append_args "--servercert=$serverhash"
          		append_args --no-system-trust
          	}

mortezaghafoori · April 25, 2023, 3:05am

Do you suggest that I remove it from the file?

Excuse me but I'm still learning openwrt, where exactly should I make this edition?

mortezaghafoori · April 25, 2023, 3:11am

Oh ok, I get it now. Thank you.

Will try it and see how it goes, thanks again

mortezaghafoori · April 25, 2023, 1:58pm

I tried what you said, it was the same as adding append_args "--pfs" and had no effect.
It's strange because it doesn't even give an errors