- The openconnect client expects to be configured using the uci interface.
-
- To setup a VPN connection, add the following to /etc/config/network:
-
- config interface 'MYVPN'
- option proto 'openconnect'
- option interface 'wan'
- option server 'vpn.example.com'
- option port '4443'
- option username 'test'
- option password 'secret'
- option serverhash 'AE7FF6A0426F0A0CD0A02EB9EC3C5066FAEB0B25'
- option defaultroute '0'
- option authgroup 'DEFAULT'
- # usergroup option, if required by some servers
- # option usergroup 'USERGROUP'
-
- # For second factor auth:
-
- # when a fixed 2FA password can be used
- #option password2 'my-fixed-2fa-password'
-
- # RSA tokens, must be built with stoken support
- #option token_mode 'rsa'
- #option token_secret 'secret'
-
- # HOTP/TOTP tokens
- #option token_mode 'hotp'
- #option token_secret '00'
-
- # tokens from script
- #option token_mode 'script'
- #option token_script '/lib/custom/getocpass.sh'
-
- # For non-anyconnect vpn protocols
- # Cisco AnyConnect (default)
- #option vpn_protocol 'anyconnect'
- # Juniper Network Connect
- #option vpn_protocol 'nc'
- # Palo Alto Networks GlobalProtect
- #option vpn_protocol 'gp'
- # Pulse Connect Secure
- #option vpn_protocol 'pulse'
-
- # Authentication form responses
- #list form_entry FORM:OPT=VAL
-
- The additional files are also used:
- /etc/openconnect/user-cert-vpn-MYVPN.pem: The user certificate
- /etc/openconnect/user-key-vpn-MYVPN.pem: The user private key
- /etc/openconnect/ca-vpn-MYVPN.pem: The CA certificate (instead of serverhash)
-
- After these are setup you can initiate the VPN using "ifup MYVPN", and
- deinitialize it using ifdown. You may also use the luci web interface
- (Network -> Interfaces -> MYVPN Connect).
-
- Note that you need to configure the firewall to allow communication between
- the MYVPN interface and lan.
-
- There is a luci plugin to allow configuring an openconnect interface from
- the web environment; see the luci-proto-openconnect package.
|