[feed/packages.git] / net / ocserv / README
Setting up OpenConnect VPN server
=================================

The OpenConnect server (ocserv) expects to be configured using the UCI interface.

It is recommended to set up a dynamic DNS address with OpenWrt prior
to starting the server. That is because during the first startup
a certificate file which will contain the dynamic DNS name will be
created. You can always regenerate the certificate by deleting
/etc/ocserv/server-key.pem. Note that this also changes the server's
certificate fingerprint, so clients that verify the server by that
fingerprint (e.g. openconnect --servercert) will reject the new certificate
until they are updated.

There are two approaches to set up the VPN. The proxy-ARP approach (1)
which provides clients with addresses of the LAN, and the "forwarding"
approach (2) which provides clients with addresses of a separate private
network. The former is suitable when you have "roadwarrior" type of clients
connecting to the LAN, and the latter when you may need to connect
multiple networks with the LAN.

If for the client side you use OpenWrt it is recommended to check that you
have the latest vpnc-scripts and openconnect packages.


1. Proxy-ARP Approach
=====================

[This option is available since the ocserv-0.10.9-2 package]

To set up a server that provides access to the LAN with network address
10.100.2.0/255.255.255.0 add the following to /etc/config/ocserv.
The following setup will assign the upper block of that network
(10.100.2.192/26, i.e. the upper 62 usable addresses) for VPN use.

```
----/etc/config/ocserv-------------------------------------------
config ocserv 'config'
	option port '443'
	option dpd '120'
	option max_clients '8'
	option max_same '2'
	option netmask '255.255.255.192'
	option ipaddr '10.100.2.192'
	option auth 'plain'
	option default_domain 'lan'
	option compression '1'
	option proxy_arp '1'
	option ping_leases '1'
	option enable '1'

config dns
	option ip '10.100.2.1'

config routes
	option ip '10.100.2.0'
	option netmask '255.255.255.0'

config ocservusers
	option name 'test'
	option password '$5$unl8uKAGNsdTh9zm$PnUHEGhDc5VHbFE2EfWwW38Bub6Y6EZ5hrFwZE1r2F1'

-----------------------------------------------------------------
```

This setup reuses part of the address range of the LAN for the VPN clients.
To ensure that there are no conflicts with the DHCP server use the following
commands. With these, dnsmasq hands out 91 addresses starting at offset 100,
i.e. 10.100.2.100 up to 10.100.2.190 (the pool ends at start + limit - 1),
which is below the first VPN assigned address (10.100.2.192). Run
'uci commit dhcp' and restart dnsmasq afterwards for the change to take effect.

```
# uci set dhcp.lan.start=100
# uci set dhcp.lan.limit=91
```

For simple networks like that you may also leave the 'netmask' and 'ipaddr'
fields empty and ocserv on startup will set the necessary values.


2. Forwarding Approach
======================

To set up a server that provides access to the LAN with network address
10.100.2.0/255.255.255.0 using the separate VPN address range
10.100.3.0/255.255.255.0 add the following to /etc/config/ocserv:

```
----/etc/config/ocserv-------------------------------------------
config ocserv 'config'
	option port '443'
	option dpd '120'
	option max_clients '8'
	option max_same '2'
	option netmask '255.255.255.0'
	option ipaddr '10.100.3.0'
	option auth 'plain'
	option default_domain 'lan'
	option compression '1'
	option enable '1'

config dns
	option ip '10.100.2.1'

config routes
	option ip '10.100.2.0'
	option netmask '255.255.255.0'

config ocservusers
	option name 'test'
	option password '$5$unl8uKAGNsdTh9zm$PnUHEGhDc5VHbFE2EfWwW38Bub6Y6EZ5hrFwZE1r2F1'

-----------------------------------------------------------------
```
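The address arithmetic behind both approaches, as an added example that is not
part of the ocserv package: it checks that a proxy-ARP VPN block lies inside the
LAN and does not collide with the dnsmasq pool, that a forwarding-approach VPN
network does not overlap the LAN at all, and it computes the largest
dhcp.lan.limit that still fits. The LAN/VPN numbers are the sample values used
above; the pool semantics (first = network + start, last = first + limit - 1)
are OpenWrt's dnsmasq defaults, and the commands emitted are the uci/init.d
commands any OpenWrt admin would type.

```python
from ipaddress import IPv4Address, IPv4Network

# Added example, not ocserv code. Sample values are the README's; dnsmasq pool
# semantics (network + start .. network + start + limit - 1) are OpenWrt's.
LAN = "10.100.2.0/255.255.255.0"


def vpn_pool(ipaddr: str, netmask: str) -> IPv4Network:
    """The VPN client pool as given by 'option ipaddr' / 'option netmask'."""
    return IPv4Network(f"{ipaddr}/{netmask}", strict=False)


def dhcp_pool(lan: str, start: int, limit: int) -> tuple[IPv4Address, IPv4Address]:
    """First and last address dnsmasq hands out for dhcp.lan.start / dhcp.lan.limit."""
    net = IPv4Network(lan, strict=False)
    first = net.network_address + start
    last = first + (limit - 1)
    if first <= net.network_address or last >= net.broadcast_address:
        raise ValueError(f"DHCP pool {first}-{last} does not fit inside {net}")
    return first, last


def proxy_arp_conflict(lan: str, start: int, limit: int, ipaddr: str, netmask: str) -> bool:
    """Proxy-ARP approach: VPN block must be inside the LAN and disjoint from the DHCP pool."""
    net = IPv4Network(lan, strict=False)
    vpn = vpn_pool(ipaddr, netmask)
    if not vpn.subnet_of(net):
        raise ValueError(f"VPN pool {vpn} is not inside LAN {net}")
    first, last = dhcp_pool(lan, start, limit)
    return not (last < vpn.network_address or first > vpn.broadcast_address)


def max_dhcp_limit(lan: str, start: int, ipaddr: str, netmask: str) -> int:
    """Largest dhcp.lan.limit that keeps the pool strictly below the VPN block."""
    net = IPv4Network(lan, strict=False)
    vpn = vpn_pool(ipaddr, netmask)
    return int(vpn.network_address) - int(net.network_address + start)


def forwarding_conflict(lan: str, ipaddr: str, netmask: str) -> bool:
    """Forwarding approach: the VPN network must not overlap the LAN at all."""
    return IPv4Network(lan, strict=False).overlaps(vpn_pool(ipaddr, netmask))


def uci_commands(start: int, limit: int) -> list[str]:
    """Commands to apply a DHCP pool, including the commit and restart needed to activate it."""
    return [
        f"uci set dhcp.lan.start={start}",
        f"uci set dhcp.lan.limit={limit}",
        "uci commit dhcp",
        "/etc/init.d/dnsmasq restart",
    ]


if __name__ == "__main__":
    # README proxy-ARP values: VPN block 10.100.2.192/26, DHCP offset 100, 91 leases
    print(vpn_pool("10.100.2.192", "255.255.255.192"))                            # 10.100.2.192/26
    print(dhcp_pool(LAN, 100, 91))                                                # .100 - .190
    print(proxy_arp_conflict(LAN, 100, 91, "10.100.2.192", "255.255.255.192"))    # False
    print(proxy_arp_conflict(LAN, 100, 150, "10.100.2.192", "255.255.255.192"))   # True (OpenWrt default limit)
    print(max_dhcp_limit(LAN, 100, "10.100.2.192", "255.255.255.192"))            # 92
    print(forwarding_conflict(LAN, "10.100.3.0", "255.255.255.0"))                # False
    print("\n".join(uci_commands(100, 91)))
```

The README's limit of 91 ends the pool at .190 and leaves .191 unused, which is
harmless; the OpenWrt default limit of 150 would run the pool up to .249 and
hand out VPN addresses to LAN hosts, which is the collision the check catches.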

Setting up split-dns
====================

To allow the clients to resolve names in the local domain add the following
to the ocserv configuration file. With split DNS only queries for that domain
are sent to the DNS server pushed by the VPN (10.100.2.1 in the examples above);
other queries keep using the client's normal resolver.

```
----/etc/config/ocserv-------------------------------------------
config ocserv 'config'
	option split_dns '1'
	option default_domain 'mydomain'
```

The `default_domain` is optional and if not set, it will be autodetected
from dnsmasq's configuration.


Setting up the firewall
=======================

Since the connected users will be assigned to interfaces other than the LAN
one, it is required to assign the VPN clients to an interface, and enable
forwarding for them. That is, you should set up an unmanaged interface (e.g.,
called vpn), which will have the 'vpns+' interfaces assigned (i.e., all vpns
interfaces, one per connected client). Then a zone called vpn should be set up
to handle interactions with lan. An example, which allows all forwarding
between LAN and VPN clients, follows.

```
----/etc/config/network------------------------------------------
config interface 'vpn'
	option proto 'none'
	option ifname 'vpns+'
-----------------------------------------------------------------

----/etc/config/firewall-----------------------------------------
config zone
	option input 'ACCEPT'
	option forward 'ACCEPT'
	option output 'ACCEPT'
	option name 'vpn'
	option device 'vpns+'
	option network 'vpn'

config forwarding
	option dest 'lan'
	option src 'vpn'

config forwarding
	option dest 'vpn'
	option src 'lan'

config rule
	option target 'ACCEPT'
	option src 'wan'
	option proto 'tcp'
	option dest_port '443'
	option name 'vpn'

config rule
	option target 'ACCEPT'
	option src 'wan'
	option proto 'udp'
	option dest_port '443'
	option name 'vpn'
-----------------------------------------------------------------
```

Note that the last two rules enable connections to port 443 (TCP and UDP) from
the Internet. That is the port used by OpenConnect VPN: TCP carries the TLS
control channel and UDP the DTLS data channel. If you change 'option port' in
/etc/config/ocserv, change these two rules to match. Also note that the vpn zone
above sets 'input' to ACCEPT, so VPN clients can reach services on the router
itself (needed for the DNS server at 10.100.2.1 in the examples, but this also
includes SSH and LuCI); add rules to restrict it if that is not intended.

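A check for the most common way this section goes wrong (the ocserv port is
changed but the wan rules still open 443, or a zone/forwarding is missing), as
an added example that is not part of the ocserv or LuCI packages. It contains a
minimal parser for the UCI syntax used throughout this README and runs it on
constructed sample text copied from the configs above; the assumptions that
'option port' defaults to 443 when absent and that a rule without 'option proto'
matches both tcp and udp are marked in the code.

```python
import re

# Added example, not part of the ocserv package: a minimal UCI parser and a
# consistency check between /etc/config/ocserv and /etc/config/firewall.
# The sample texts at the bottom are constructed from the README's configs.

_SECTION = re.compile(r"^config\s+(\S+)(?:\s+'?([^']*)'?)?\s*$")
_OPTION = re.compile(r"^(option|list)\s+(\S+)\s+'?(.*?)'?\s*$")


def parse_uci(text: str) -> list[dict]:
    """Parse UCI text into [{'type': ..., 'name': ..., 'options': {...}}]."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "--")):   # skip comments and README separators
            continue
        m = _SECTION.match(line)
        if m:
            sections.append({"type": m.group(1), "name": m.group(2) or "", "options": {}})
            continue
        m = _OPTION.match(line)
        if m and sections:
            kind, key, value = m.groups()
            opts = sections[-1]["options"]
            if kind == "list":
                opts.setdefault(key, []).append(value)
            else:
                opts[key] = value
    return sections


def check_firewall(ocserv_text: str, firewall_text: str) -> list[str]:
    """Problems found; an empty list means the firewall matches the ocserv setup."""
    fw = parse_uci(firewall_text)
    cfg = next((s["options"] for s in parse_uci(ocserv_text) if s["type"] == "ocserv"), {})
    port = cfg.get("port", "443")          # assumption: 443 when 'option port' is absent
    problems = []

    # ocserv listens on its port over TCP (TLS) and UDP (DTLS); both must be opened from wan
    for proto in ("tcp", "udp"):
        if not any(
            s["type"] == "rule"
            and s["options"].get("src") == "wan"
            and s["options"].get("target") == "ACCEPT"
            and s["options"].get("dest_port") == port
            and proto in s["options"].get("proto", "tcp udp").split()   # assumed default: tcp udp
            for s in fw
        ):
            problems.append(f"no ACCEPT rule from wan for {proto} port {port}")

    vpn_zone = next((s for s in fw if s["type"] == "zone" and s["options"].get("name") == "vpn"), None)
    if vpn_zone is None:
        problems.append("no firewall zone named 'vpn'")
    elif vpn_zone["options"].get("device") != "vpns+":
        problems.append("zone 'vpn' does not cover the vpns+ devices")

    fwd = {(s["options"].get("src"), s["options"].get("dest")) for s in fw if s["type"] == "forwarding"}
    for src, dest in (("vpn", "lan"), ("lan", "vpn")):
        if (src, dest) not in fwd:
            problems.append(f"missing forwarding {src} -> {dest}")
    return problems


# constructed samples: the README's firewall zone/rules and two ocserv configs
OCSERV_443 = "config ocserv 'config'\n\toption port '443'\n\toption enable '1'\n"
OCSERV_4443 = OCSERV_443.replace("'443'", "'4443'")   # port changed, firewall not updated
FIREWALL = """
config zone
	option input 'ACCEPT'
	option forward 'ACCEPT'
	option output 'ACCEPT'
	option name 'vpn'
	option device 'vpns+'
	option network 'vpn'

config forwarding
	option dest 'lan'
	option src 'vpn'

config forwarding
	option dest 'vpn'
	option src 'lan'

config rule
	option target 'ACCEPT'
	option src 'wan'
	option proto 'tcp'
	option dest_port '443'
	option name 'vpn'

config rule
	option target 'ACCEPT'
	option src 'wan'
	option proto 'udp'
	option dest_port '443'
	option name 'vpn'
"""

if __name__ == "__main__":
    print(check_firewall(OCSERV_443, FIREWALL))    # []
    print(check_firewall(OCSERV_4443, FIREWALL))   # wan rules still open 443, not 4443
```

On a router the same check can be run against the real files by reading
/etc/config/ocserv and /etc/config/firewall instead of the embedded samples.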

Starting the server
===================

Note that both configurations above add the user "test" with password "test". The
password is specified in the crypt(3) format (here a SHA-256 crypt hash, the
'$5$' prefix). Replace this test account before exposing the server to the
Internet; a hash for a real password can be generated on a workstation with,
for example, `openssl passwd -5` or `mkpasswd -m sha-256`.
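The crypt(3) format used in the 'password' field, as an added example that is
not ocserv's or ocpasswd's code: a pure-Python implementation of SHA-256 crypt
("$5$") following Ulrich Drepper's published specification, with helpers to
create an entry with a fresh random salt and to verify a password against a
stored hash. It needs nothing beyond the standard library, so it also works on
Python 3.13 where the crypt module has been removed. The spec's test vector in
the usage is the only external value assumed.

```python
import hashlib
import secrets

# Added example, not ocserv code: SHA-256 crypt(3) ("$5$") per the SHA-crypt
# specification, for producing/verifying the 'option password' value.

_B64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
# output byte permutation from the specification (3 digest bytes -> 4 chars)
_ORDER = [(0, 10, 20), (21, 1, 11), (12, 22, 2), (3, 13, 23), (24, 4, 14),
          (15, 25, 5), (6, 16, 26), (27, 7, 17), (18, 28, 8), (9, 19, 29)]


def _repeat_to(block: bytes, length: int) -> bytes:
    """Repeat a digest to exactly `length` bytes (the spec's P and S sequences)."""
    return (block * (length // len(block) + 1))[:length]


def _b64_24bit(b2: int, b1: int, b0: int, n: int) -> str:
    """crypt(3) base64: emit n 6-bit groups, least significant first."""
    w = (b2 << 16) | (b1 << 8) | b0
    out = ""
    for _ in range(n):
        out += _B64[w & 0x3F]
        w >>= 6
    return out


def sha256_crypt(password: str, salt: str, rounds: int = 5000) -> str:
    """Return the crypt(3) string '$5$[rounds=N$]salt$hash' for the password."""
    key, salt = password.encode(), salt[:16]       # crypt(3) uses at most 16 salt chars
    sb = salt.encode()
    rounds = max(1000, min(rounds, 999_999_999))   # limits from the specification

    # digest B = H(key || salt || key); digest A mixes key, salt and B
    b = hashlib.sha256(key + sb + key).digest()
    a = hashlib.sha256(key + sb + _repeat_to(b, len(key)))
    n = len(key)
    while n > 0:                                   # bits of len(key): 1 -> B, 0 -> key
        a.update(b if n & 1 else key)
        n >>= 1
    alt = a.digest()

    # P is derived from the password, S from the salt; each as long as its input
    p = _repeat_to(hashlib.sha256(key * len(key)).digest(), len(key))
    s = _repeat_to(hashlib.sha256(sb * (16 + alt[0])).digest(), len(sb))

    for i in range(rounds):                        # the work factor: chained hashes
        c = hashlib.sha256(p if i & 1 else alt)
        if i % 3:
            c.update(s)
        if i % 7:
            c.update(p)
        c.update(alt if i & 1 else p)
        alt = c.digest()

    enc = "".join(_b64_24bit(alt[x], alt[y], alt[z], 4) for x, y, z in _ORDER)
    enc += _b64_24bit(0, alt[31], alt[30], 3)
    prefix = "$5$" if rounds == 5000 else f"$5$rounds={rounds}$"
    return f"{prefix}{salt}${enc}"


def make_hash(password: str) -> str:
    """Hash with a fresh random 16-character salt, suitable for 'option password'."""
    salt = "".join(secrets.choice(_B64) for _ in range(16))
    return sha256_crypt(password, salt)


def verify(password: str, stored: str) -> bool:
    """Check a password against a stored '$5$' hash, honouring a rounds= field."""
    parts = stored.split("$")
    if len(parts) < 4 or parts[1] != "5":
        return False
    rounds, salt = 5000, parts[2]
    if parts[2].startswith("rounds="):
        rounds, salt = int(parts[2][len("rounds="):]), parts[3]
    computed = sha256_crypt(password, salt, rounds).rsplit("$", 1)[1]
    return secrets.compare_digest(computed, parts[-1])   # constant-time compare


if __name__ == "__main__":
    # test vector from the SHA-crypt specification
    print(sha256_crypt("Hello world!", "saltstring"))
    h = make_hash("test")
    print(h, verify("test", h), verify("wrong", h))
```

Use `verify("test", "<hash from the README>")` to confirm the sample entry before
trusting a hash you typed by hand, and put the output of `make_hash(...)` in the
'option password' line of a real 'ocservusers' section.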
188
189 The server can be enabled and started using:
190 # /etc/init.d/ocserv enable
191 # /etc/init.d/ocserv start
192
193 For any custom configuration options of ocserv you may add values in
194 /etc/ocserv/ocserv.conf.local.
195
196 There is a luci plugin to allow configuring the server from
197 the web environment; see the package luci-app-ocserv.
198