blob: a409ed9d20abc9a1cf17a781145949babb9140a9 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
|
.. _vpn-openconnect:
###########
OpenConnect
###########
OpenConnect-compatible server feature is available from this release.
Openconnect VPN supports SSL connection and offers full network access. SSL VPN
network extension connects the end-user system to the corporate network with
access controls based only on network layer information, such as destination IP
address and port number. So, it provides safe communication for all types of
device traffic across public networks and private networks, also encrypts the
traffic with SSL protocol.
The remote user will use the openconnect client to connect to the router and
will receive an IP address from a VPN pool, allowing full access to the network.
.. note:: All certificates should be stored on VyOS under /config/auth. If
certificates are not stored in the /config directory they will not be
migrated during a software update.
*************
Configuration
*************
SSL Certificates
================
We need to generate the certificate which authenticates users who attempt to
access the network resource through the SSL VPN tunnels. The following command
will create a self signed certificates and will be stored in the file path
`/config/auth`.
.. code-block:: none
openssl req -newkey rsa:4096 -new -nodes -x509 -days 3650 -keyout /config/auth/server.key -out /config/auth/server.crt
openssl req -new -x509 -key /config/auth/server.key -out /config/auth/ca.crt
We can also create the certificates using Cerbort which is an easy-to-use client
that fetches a certificate from Let's Encrypt an open certificate authority
launched by the EFF, Mozilla, and others and deploys it to a web server.
.. code-block:: none
sudo certbot certonly --standalone --preferred-challenges http -d <domain name>
Server Configuration
====================
.. code-block:: none
set vpn openconnect authentication local-users username <user> password <pass>
set vpn openconnect authentication mode <local|radius>
set vpn opneconnect network-settings client-ip-settings subnet <subnet>
set vpn openconnect network-settings name-server <address>
set vpn openconnect network-settings name-server <address>
set vpn openconnect ssl ca-cert-file <file>
set vpn openconnect ssl cert-file <file>
set vpn openconnect ssl key-file <file>
*******
Example
*******
Use local user name "user4" with password "SecretPassword"
Client IP addresses will be provided from pool 100.64.0.0/24
The Gateway IP Address must be in one of the router´s interfaces.
.. code-block:: none
set vpn openconnect authentication local-users username user4 password 'SecretPassword'
set vpn openconnect authentication mode 'local'
set vpn openconnect network-settings client-ip-settings subnet '100.64.0.0/24'
set vpn openconnect network-settings name-server '1.1.1.1'
set vpn openconnect network-settings name-server '8.8.8.8'
set vpn openconnect ssl ca-cert-file '/config/auth/fullchain.pem'
set vpn openconnect ssl cert-file '/config/auth/cert.pem'
set vpn openconnect ssl key-file '/config/auth/privkey.pem'
************
Verification
************
.. code-block:: none
vyos@RTR1:~$ show openconnect-server sessions
interface username ip remote IP RX TX state uptime
----------- ---------- ------------ ------------- -------- -------- --------- --------
sslvpn0 user4 100.64.0.105 xx.xxx.49.253 127.3 KB 160.0 KB connected 12m:28s
.. note:: It is compatible with Cisco (R) AnyConnect (R) clients.
|
