OCServ Setup on OPNSense

Lurick

This was an adventure for sure, so I figured a guide was in order for anyone else looking to set up an OpenConnect (ocserv) server on OPNSense. It was an adventure, so here is a guide to getting going.

Start Installing Packages:

To start login to OPNSense and become root then paste in:

fetch -o /usr/local/etc/pkg/repos/mimugmail.conf https://www.routerperformance.net/mimugmail.conf

Now you can go into the GUI, go to System > Firmware > Plugins, find ocserv and install it (it may "hang" for a couple of minutes; just wait).

-or-

From the CLI run: pkg install ocserv

Initial Setup:

Once installed, you can set up OCServ from the GUI: VPN > OCServ > General.

This assumes you're using a certificate; if not, you should be fine to leave the first two (Server and Root) set to none, and you can leave out the following three lines from the config box:

WARNING: Even if you define a cert and root, you still need to define them in the config!*

server-cert = /usr/local/etc/ocserv/server-cert.pem
server-key = /usr/local/etc/ocserv/server-key.pem
ca-cert = /usr/local/etc/ocserv/ca.pem

Replace with your IPv6 and IPv4 networks as applicable. If you don't use one (IPv6), leave that out.

Update DNS to whatever you want, local DNS or public DNS is fine. Remove any unused lines.

By default you should generally pass in specific routes, unless you want to tunnel everything; in that case you can just do route = default, which covers everything and does not do split tunneling.

GUI Config:

auth = "plain[passwd=/etc/ocserv/ocpasswd]"
tcp-port = 443
udp-port = 443
isolate-workers = false
ipv4-network = [ipv4 network]
ipv4-netmask = [255.255.255.0]
ipv6-network = [subnet]::/64
ipv6-subnet-prefix = 128
dtls-legacy = true
tunnel-all-dns = true
dns = [server 1]
dns = [server 2]
route = [route]/[mask]
route = [second route]/[mask]
route = [third route...etc]/[mask]
default-domain = [localdomain.test]
socket-file = /var/run/ocserv-socket
server-cert = /usr/local/etc/ocserv/server-cert.pem
server-key = /usr/local/etc/ocserv/server-key.pem
ca-cert = /usr/local/etc/ocserv/ca.pem
device = vpns
max-clients = 6
ping-leases = true
try-mtu-discovery = true
#Applicable only for Cisco Anyconnect#
cisco-client-compat = true
user-profile = /etc/ocserv/profile.xml

If using Cisco AnyConnect clients, then create an XML profile as well and add it to the location specified above on the CLI (if you don't configure users before doing this, then you will need to make the /etc/ocserv/ directory first).

Configure Users:

From the OPNSense CLI (as root) do the following:

mkdir /etc/ocserv/

ocpasswd -c /etc/ocserv/ocpasswd generaluser

(Repeat the ocpasswd as needed for each user and enter the password)

# ocpasswd -c /etc/ocserv/ocpasswd user1
Enter password: 
Re-enter password: 

Setup Firewall:

Once everything is set up and working, go ahead and connect from a client at this point just to verify things work from the outside to the WAN.

Now in the OPNSense GUI go to Firewall > Aliases and create a new group.

Add your IPv4 and/or IPv6 subnet(s) for the VPN:


Then click Save.

Now go to Firewall > Rules > Floating:

Add a pass rule

Direction: In

Source will be your Alias name (ocserv in my case)

Everything else can be default.

Save

Debugging:

By default, if you miss something or typo something, the GUI will not give you any information as to what is missing. You can log in to the CLI, become root, go to /usr/local/etc/rc.d and then run ./ocserv start, and it will give you error messages as to what is missing.

*Failure to define the ca-cert will cause AnyConnect to hang on "Checking for customization updates..." and you'll need to bounce the ocserv process to get it to cancel out. OpenConnect clients will connect fine without this.
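A pre-flight check for exactly the cases above, added here as example code (not from the post or the ocserv project): it parses an ocserv.conf, flags a partly defined certificate block (the missing ca-cert that hangs AnyConnect) and any referenced file that does not exist yet, and demonstrates on a constructed config modelled on the GUI box. The config path and the temp directory are assumptions; on a real box, point check_ocserv_conf at the file the OPNSense plugin writes.

```shell
#!/bin/sh
# Example pre-flight check for an ocserv.conf (added here; not from the post or
# the ocserv project). It reports what the OPNSense GUI swallows silently: a
# partly defined certificate block and referenced files that do not exist yet.

# cfg_value FILE KEY: print the value of "KEY = value" (spaces around = optional)
cfg_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# check_ocserv_conf FILE: one line per problem on stdout, returns 1 if any found
check_ocserv_conf() {
    cfg=$1; problems=0
    cert=$(cfg_value "$cfg" server-cert)
    key=$(cfg_value "$cfg" server-key)
    ca=$(cfg_value "$cfg" ca-cert)
    # cert without key (or vice versa) will not start; cert+key without ca-cert
    # starts but leaves AnyConnect stuck on "Checking for customization updates..."
    if [ -n "$cert$key" ]; then
        [ -z "$cert" ] && { echo "server-key set but server-cert missing"; problems=1; }
        [ -z "$key" ]  && { echo "server-cert set but server-key missing"; problems=1; }
        [ -z "$ca" ]   && { echo "ca-cert missing: AnyConnect will hang on customization updates"; problems=1; }
    fi
    # every file the config points at must exist before ./ocserv start succeeds
    for k in server-cert server-key ca-cert user-profile; do
        f=$(cfg_value "$cfg" "$k")
        [ -n "$f" ] && [ ! -e "$f" ] && { echo "$k points at missing file $f"; problems=1; }
    done
    # auth = "plain[passwd=/etc/ocserv/ocpasswd]": the password file must exist too
    pw=$(cfg_value "$cfg" auth | sed -n 's/.*passwd=\([^]]*\)].*/\1/p')
    [ -n "$pw" ] && [ ! -e "$pw" ] && { echo "password file $pw missing: run ocpasswd -c $pw <user>"; problems=1; }
    return $problems
}

# make_sample_conf DIR: constructed config modelled on the GUI box, with
# server-cert/key present but ca-cert left out (hypothetical paths); prints its path
make_sample_conf() {
    mkdir -p "$1/certs" && touch "$1/certs/server-cert.pem" "$1/certs/server-key.pem"
    cat > "$1/ocserv.conf" <<EOF
auth = "plain[passwd=$1/ocpasswd]"
server-cert=$1/certs/server-cert.pem
server-key = $1/certs/server-key.pem
user-profile = $1/profile.xml
EOF
    echo "$1/ocserv.conf"
}

tmp=$(mktemp -d)
check_ocserv_conf "$(make_sample_conf "$tmp")" || echo "fix the above before ./ocserv start"
rm -rf "$tmp"
```

On the constructed config this reports three problems (no ca-cert, missing profile.xml, missing ocpasswd); once those are added the check passes and ./ocserv start has nothing left to complain about on the certificate side.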

 

 

References:

https://www.routerperformance.net/opnsense-repo/

https://www.linuxbabe.com/ubuntu/openconnect-vpn-server-ocserv-ubuntu-20-04-lets-encrypt

https://gist.github.com/wongsyrone/55165ce767f7248656cc#file-ocserv-conf

https://www.linuxbabe.com/linux-server/ocserv-openconnect-vpn-advanced

Edit:

Updated interfaces config/floating firewall rule documentation

Fixed IPv6 address assignment and routing rules.


Funny you should post this now, literally only yesterday I got my OpenVPN server working on OPNSense using SSL + MFA, though I used the built in OpenVPN server features.


41 minutes ago, Oshino Shinobu said:

Funny you should post this now, literally only yesterday I got my OpenVPN server working on OPNSense using SSL + MFA, though I used the built in OpenVPN server features.

The only issue I have is that disconnecting and reconnecting can sometimes make a new interface, which is a PITA. I haven't found a way in OPNSense to just group all interfaces with vpns into one so I don't have to assign each new one to an opt interface.

Edit:

Just realized I can make a floating rule, lol


Fixed the interfaces issue: just add a floating rule for the IPv4 and IPv6 networks handed out over the VPN instead.

Updated to include IPv6 network assignment and handing out a /128 per client.


Hi there,

Is the route and domain config from the perspective of outbound from the FW or inbound to the FW?

Steve


On 11/29/2023 at 8:13 PM, Steve P. said:

Hi there,

Is the route and domain config from the perspective of outbound from the FW or inbound to the FW?

Steve

It's from the perspective of what routes you want to pass to the client devices, with the destination inside the FW.
