The openconnect client expects to be configured using the uci interface.
To setup a VPN connection, add the following to /etc/config/network:
config interface 'MYVPN'
option proto 'openconnect'
option interface 'wan'
option server 'vpn.example.com'
option port '4443'
option username 'test'
option password 'secret'
option serverhash 'AE7FF6A0426F0A0CD0A02EB9EC3C5066FAEB0B25'
option defaultroute '0'
# option proxy 'http://proxy.example.com:8080'
option authgroup 'DEFAULT'
# usergroup option, if required by some servers
# option usergroup 'USERGROUP'
# Reconnect after a temporary network down time (in seconds)
#option reconnect_timeout '30'
# For second factor auth:
# when a fixed 2FA password can be used
#option password2 'my-fixed-2fa-password'
# RSA tokens, must be built with stoken support
#option token_mode 'rsa'
#option token_secret 'secret'
# HOTP/TOTP tokens
#option token_mode 'hotp'
#option token_secret '00'
# tokens from script
#option token_mode 'script'
#option token_script '/lib/custom/getocpass.sh'
# For non-anyconnect vpn protocols
# Cisco AnyConnect (default)
#option vpn_protocol 'anyconnect'
# Juniper Network Connect
#option vpn_protocol 'nc'
# Palo Alto Networks GlobalProtect
#option vpn_protocol 'gp'
# Pulse Connect Secure
#option vpn_protocol 'pulse'
# Authentication form responses
#list form_entry FORM:OPT=VAL
The additional files are also used:
/etc/openconnect/user-cert-vpn-MYVPN.pem: The user certificate
/etc/openconnect/user-key-vpn-MYVPN.pem: The user private key
/etc/openconnect/ca-vpn-MYVPN.pem: The CA certificate (instead of serverhash)
After these are setup you can initiate the VPN using "ifup MYVPN", and
deinitialize it using ifdown. You may also use the luci web interface
(Network -> Interfaces -> MYVPN Connect).
Note that you need to configure the firewall to allow communication between
the MYVPN interface and lan.
There is a luci plugin to allow configuring an openconnect interface from
the web environment; see the luci-proto-openconnect package.
565866a472