The openconnect server expects to be configured using the uci interface. It is recommended to setup a dynamic DNS address with openwrt prior to starting the server. That is because during the first startup a certificate file which contain the setup dynamic DNS name will be created. To setup a server the provides access to LAN with network address 10.100.2.0/255.255.255.0 using the VPN address range 10.100.3.0/255.255.255.0 add the following to /etc/config/ocserv: ----/etc/config/ocserv------------------------------------------- config ocserv 'config' option port '4443' option dpd '120' option max_clients '8' option max_same '2' option netmask '255.255.255.0' option ipaddr '10.100.3.0' option auth 'plain' option zone 'vpn' option default_domain 'lan' option compression '1' option enable '1' config dns option ip '10.100.2.1' config routes option ip '10.100.2.0' option netmask '255.255.255.0' config ocservusers option name 'test' option password '$5$unl8uKAGNsdTh9zm$PnUHEGhDc5VHbFE2EfWwW38Bub6Y6EZ5hrFwZE1r2F1' ----------------------------------------------------------------- This configuration also adds the user "test" with password "test". The password is specified in the crypt(3) format. The server can be enabled and started using: # /etc/init.d/ocserv enable # /etc/init.d/ocserv start To simplify firewall configuration, you should setup an unmanaged interface (e.g., called vpn), and will have assigned the 'vpns+' interfaces. Then a zone called vpn should be setup to handle interactions with lan. An example follows: ----/etc/config/network------------------------------------------ config interface 'vpn' option proto 'none' option ifname 'vpns+' ----------------------------------------------------------------- ----/etc/config/firewall----------------------------------------- config zone option input 'ACCEPT' option forward 'REJECT' option output 'ACCEPT' option name 'vpn' option device 'vpns+' option network 'vpn' config forwarding option dest 'lan' option src 'vpn' config forwarding option dest 'vpn' option src 'lan' config rule option target 'ACCEPT' option src 'wan' option proto 'tcp' option dest_port '4443' option name 'vpn' config rule option target 'ACCEPT' option src 'wan' option proto 'udp' option dest_port '4443' option name 'vpn' ----------------------------------------------------------------- There is a luci plugin to allow configuring the server from the web environment; see the package luci-app-ocserv.