OpenConnect Issues

Started by Deku, May 28, 2019, 11:54:12 PM

May 28, 2019, 11:54:12 PM Last Edit: May 29, 2019, 12:58:00 AM by Deku
I have two OpenConnect issues.

1) The Certificate Hash will not accept my hash, but it works fine if I directly write it to the config.  The log is telling me what it wants (Server SSL certificate didn't match: pin-sha256:SD.....), but it gets reset upon reboot.  Here is the Certificate Hash (modified). pin-sha256:SDqgu8gcbxiE487woYrZPslpdoib7+R4Xrgsj3vn8yA= (obfuscated)

2) When I do connect to the Cisco VPN, all my traffic is being routed through it, instead of just the VPN subnet.  The OpenConnect VPN is assuming the default route.  How can I fix this?  :)

1)
What is "pin-"? Is this a new option from openconnect8?
Normally you choose SHA1 or SHA256 from the dropdown and only paste the hash.

2)
You have to tell your Admin to only tunnel specific networks and not all.

May 29, 2019, 07:10:25 PM #2 Last Edit: May 29, 2019, 07:12:04 PM by Deku
Public-Key-Pinning I think...  using sha256 with the fingerprint hash fails.  So I gave it what the log was asking for.
https://timtaubert.de/blog/2014/10/http-public-key-pinning-explained/

Can you connect via the console by calling openconnect hostname ...? Then you will see the correct hash, either SHA1 or SHA256.

May 29, 2019, 08:43:35 PM #4 Last Edit: May 29, 2019, 09:02:00 PM by Deku
Yes, when running openconnect via the console, I get this in response:
    To trust this server in future, perhaps add this to your command line:
        --servercert pin-sha256:SDqgu8gcbxiE487woYrZPslpdoib7+R4Xrgsj3vn8yA=

And on the default gateway, it's doing this...
    Established DTLS connection (using OpenSSL). Ciphersuite DHE-RSA-AES256-SHA.
    add host VPNSRV: gateway WANIP
    add net 10.10.1.0: gateway 10.10.1.102
    delete net default: gateway WANIP
    add net default: gateway 10.10.1.102
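
The pin-sha256 value the console prints is trust-on-first-use: it is whatever key the server presented at that moment. The script below (an added example, not from this thread or the OPNsense plugin) derives the same HPKP-style pin from a certificate file with openssl, so the printed value can be checked against the certificate the VPN admin hands out, and shows why the plain SHA256 fingerprint from the dropdown is a different value. It assumes, as the thread's HPKP link suggests, that OpenConnect's pin-sha256 is base64(SHA-256(DER SubjectPublicKeyInfo)); confirm against your own console output.

```shell
#!/bin/sh
# Added example: derive the --servercert pin-sha256:... value from a PEM
# certificate and contrast it with the classic SHA256 certificate fingerprint.
set -e

# SPKI pin (HPKP style): base64 of SHA-256 over the DER SubjectPublicKeyInfo.
# Assumption: this is the value OpenConnect 8 prints as pin-sha256:...
spki_pin() {
  openssl x509 -in "$1" -noout -pubkey \
    | openssl pkey -pubin -outform DER \
    | openssl dgst -sha256 -binary \
    | openssl base64 -A
}

# Certificate fingerprint: SHA-256 over the whole DER certificate, as hex.
# This is what a "SHA256" fingerprint field holds; it is not the SPKI pin,
# which is why pasting the fingerprint as a pin does not match.
cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 \
    | sed 's/^.*=//; s/://g'
}

# Demo on a throwaway self-signed certificate (constructed here, not the
# real VPN server's). Replace cert.pem with the certificate your admin gave you.
demo() {
  d=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=vpn.example.invalid" \
    -keyout "$d/key.pem" -out "$d/cert.pem" 2>/dev/null
  echo "--servercert pin-sha256:$(spki_pin "$d/cert.pem")"
  echo "SHA256 fingerprint:     $(cert_fingerprint "$d/cert.pem")"
  rm -rf "$d"
}

demo
```

If the pin you compute from the admin-supplied certificate differs from the one the console printed, the server you reached is not presenting that key, and the printed value should not be pasted into the config.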

I see, seems I have to add this feature. Can you open an issue here so I don't forget about it?
https://github.com/opnsense/plugins/issues