os-openconnect as Cisco AnyConnect

[mrpsycho]

Hello,

i'm migrating to  OPNsense from pfsense... and found great module - os-openconnect.
on pf i was using plain openconnect from pkgs.

and it was not very comfortable to use, cause i had to manage NAT rules manually (i wrote a simple script, but it needs to be updated sometimes)
so.

problem is - there is no way to add authgroup, certificate and key in web GUI on opnsense.
So, my workaround - is to edit

Code: [Select]

/usr/local/etc/rc.d/opnsense-openconnect  and add needed keys to the start function:

Code: [Select]

openconnect_start()
{
        echo "starting openconnect"
          echo ${openconnect_flags}
/usr/local/sbin/openconnect --authgroup SSLVPNClient -c /path/to/crt.cer -k /path/to/crt.key ${openconnect_flags} < /usr/local/etc/openconnect.secret 2>&1 > /dev/null
        sleep 5
ifconfig tun30000 name ocvpn0
ifconfig ocvpn0 group ocvpn
return 0
}

and it works fine.
Where can i create Feature Request for it?


And there is a bug - some servers asks for username with case sensitive requrements. Web GUI doesn't allow it. So i had to remove it in config and put it on rc.d script too

[mimugmail]

Can you open an issue in github / plugins?
I'll have a look next week.

[mrpsycho]

did it.
thanks for suggestion!

[drivera]

Hi!

I see the changes are already done and merged into Master, but I'm new to OPNSense and I'm not sure how I can (easily) install that code (which, from what I've seen, should be relatively bugless and safe to use) on my production instance.

Can you point me in the right direction for deploying (building?) development-grade plugins into a production instance?

Thanks!

[mimugmail]

Via CLI:

pkg install os-openconnect-devel


(or wait for 18.7.7)

[drivera]

Any ETA on 18.7.7?

[mimugmail]

1 or 2 weeks .. but I would be very happy if you can test the features before release
I you want to roll back, just to a pkg remove os-openconnect-devel and install the stable via pkg install os-openconnect.

Cant break anything ..

[drivera]

I've been testing it, and here's what I've found:

* The tunnel comes up fine, and the vpnc scripts do their job of adding the routes
* I can traverse the tunnel fine from within the firewall itself, but wasn't able to get it to forward traffic (my company's VPN adds multiple networks on the far side, which may be a factor)
* There's some hijinks with regards to the DNS config in /etc/resolv.conf - the file gets clobbered (presumably by the vpnc-scripts), and isn't restored when the VPN is taken down (the clobbering alone is a problem, tho)

I might look through the docs and help you develop a nice OPNsensitized (ha!) vpnc-scripts package that will help resolve some of these issues.

Also, the ability to add multiple tunnels would be nice in a future iteration (I'm afraid I'm not well-versed in OPN dev yet to contribute towards that at this point )

Cheers!

[drivera]

Perhaps you can help me find the docs for the following, correct OPNsensitive (ha! again ) ways to do the following:

* add a route to a remote network via a given interface/gateway IP
* assign a DNS to an interface
* add a DNS to the base system's DNS configuration (optional: with a "numeral" priority?)

Doing these things via the O/S is "easy" - but I'd like to do them so the rest of OPNSense is also aware of what's going on.

Another question: does OPNSense support the use of a DNS server that can "split" DNS lookups by domain a-la MacOS?  I.e.  "mydomain.com is resolved via DNS A, B and C,  whereas alt-domain.com is through D and E, all others via F, G, H..."?  I know in bind one can add forwarding zones, and I think one can also do that in dnsmasq - perhaps this would be the clean way?  We'd probably have to add a comma-separated field for the user to indicate what domains "live" on the other side of the VPN.  This might also be useful for other VPN services, btw...

Cheers!

[mimugmail]

If you can look at vpnc scripts and how to write them, this would be fine.
Alls DNS etc. things are managed via it but I don't have the time to dive into it.

When you get multiple routes pushed it's not a problem.

If you want your internal systems reach the networks you have to assign this interface and add lock prevent.
No need to configure an IP. Then you can add an outbound nat entry where your LAN is natted to the interface address of your openconnect interface.

[drivera]

What about the "split DNS"? I'll look into whether dnsmasq supports this or if BIND is required. I agree with what you said above, though.

Is there a set of OPNSense-integrated CLI commands that should be used in lieu of the lower-level O/S equivalents? I.e. "Add a route", "add a DNS", etc.?  If they were documented somewhere that'd go a long way...

Cheers!

[mimugmail]

Normally all should be don with vpnc scripts since they work with linux and bsd

[drivera]

So making the changes at the O/S level is good enough? OPNSense will pick it up and make sense of it automagically?

[mrpsycho]

Any ETA on 18.7.7?

i can say that dev version works fine in 18.7.9.

and main version still doesn't support groups.


DNS problem i semi-solved only with overriding option on "Unbound DNS"

[mimugmail]

Which option in Unbound exactly?