
pfSense with OpenConnect


mike3y:
Here is a small guide to get your pfSense machine up and running with a Cisco AnyConnect VPN server.

The first thing you're going to need is the openconnect and vpnc-scripts packages.

Step 1.)

a.) Log in to your pfSense server via SSH.

b.) Run the following.

pkg add nano
pkg add http://pkg.freebsd.org/freebsd:10:x86:64/release_3/All/vpnc-scripts-20150318.txz
pkg add http://pkg.freebsd.org/freebsd:10:x86:64/release_3/All/openconnect-7.06.txz

Step 2.)

Create the following script under /root (it doesn't matter where this script lives). Remember to chmod +x the script once you're done.


This is a custom script I pulled from online and made some adjustments to. I've added the authgroup, which is optional, along with --no-cert-check. Depending on the VPN server, the client might not be able to verify the cert; this will allow it to skip verifying.

a.) Run nano openconnect.sh and paste the following in. Remember to make adjustments to match your server.

#!/bin/sh

# settings
user="username"
pass="password"
host="server_address"
authgroup=""            # optional: set to your authgroup, leave empty if not needed
tmpif="tun0"
iface="oc0"
pidfile="/tmp/${iface}.pid"
script="/usr/local/sbin/vpnc-script"


# env
openconnect="/usr/local/sbin/openconnect"
ifconfig="/sbin/ifconfig"


# func
# bring an interface down and destroy it, ignoring errors if it does not exist
ifkill()
{
        $ifconfig "$1" down 2>/dev/null || :
        $ifconfig "$1" destroy 2>/dev/null || :
}


# check if we're already running (the renamed interface already exists)
if $ifconfig "$iface" >/dev/null 2>&1; then
        echo "Connection is already up"
        exit 0
fi


# clean up previous instance, if any
if [ -e "$pidfile" ]; then
        read pid <"$pidfile"
        echo "Killing previous pid: $pid"
        kill -TERM "$pid"
        rm "$pidfile"
fi
ifkill "$tmpif"
ifkill "$iface"


# open vpn connection
# the --authgroup option is only passed when $authgroup is non-empty;
# --no-cert-check skips server certificate verification
echo "$pass" |\
$openconnect \
        --background \
        --pid-file="$pidfile" \
        --interface="$tmpif" \
        --user="$user" \
        --passwd-on-stdin \
        ${authgroup:+--authgroup=$authgroup} \
        --no-cert-check \
        --script="$script" \
        "$host"


# rename the interface
if [ "$iface" != "$tmpif" ]; then
        echo "Renaming $tmpif to $iface"
        $ifconfig "$tmpif" name "$iface"
fi

Step 3.)

Open your pfSense web interface and do the following.

a.) Select Interfaces / (assign).
b.) Choose the oc0 interface and click Add.
c.) Click on the oc0 interface and select "Enable".

Step 4.)

a.) Click on System/Routing
b.) In the interface drop down select your interface oc0. Give it a description at the bottom and click save and apply.

Step 5.)

a.) Click on Firewall/NAT. Select Outbound and turn on "Manual Outbound NAT"
b.) Click on Add. Choose to add this rule to the top.
c.) Select the oc0 interface and put in your source network CIDR.

Step 6.)

a.) Click on Firewall / Rules.
b.) Click on LAN
c.) Create a new rule at the top
d.) Change the source to a single IP address or an alias. (If you choose an alias, you'll have to back out and create an alias with all the IP addresses you want routed over the OpenConnect VPN.) Scroll down near the bottom and specify to use the oc0 gateway.

Step 7.)

This is where things get a bit messy. Assigning and creating everything in the GUI breaks the VPN connection, so we will have to reconnect to your AnyConnect VPN server.

a.) Log back in via SSH.
b.) killall openconnect
c.) ifconfig oc0 down
d.) ifconfig oc0 destroy
e.) Launch the openconnect script so it reconnects to the Cisco AnyConnect VPN server.


That's it. It's probably a good idea to make a cron job that will re-launch the openconnect script before the connection times out, so put in a time that makes sense to you.

reinderien:
This is broken. As soon as you background the openconnect process, there's a race condition where the interface may not be up yet when you attempt to rename it. Having a central script to do half of this stuff goes against the design principles of openconnect. This should be rewritten as a set of hook scripts in /etc/vpnc, particularly the IF renaming chunk.

Or, really, vpnc-script itself should be written to detect the presence of pfSense, and understand that tun devices need to be renamed.
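Added example, not mike3y's script and not code from the OpenConnect or pfSense projects: it shows the two changes a reviewer would ask for in the script above, keeping --no-cert-check only when no certificate fingerprint is known (openconnect's --servercert option pins the server certificate; check the man page of your openconnect version for the fingerprint form it expects) and polling for the tun device before the rename, which is the race reinderien describes. The function names, the ifconfig-based existence check and the "pin" argument are this example's own assumptions.

```sh
#!/bin/sh
# Added example, not mike3y's script or OpenConnect/pfSense code. Names such as
# build_args, wait_for_iface and iface_exists are this example's own.

# Build the openconnect argument list. An empty authgroup is simply omitted, and
# --no-cert-check is only used when no certificate fingerprint is supplied, so
# the server cert is pinned instead of skipped wherever a pin is known.
# Assumption: $6 is a fingerprint in the form this openconnect version's
# --servercert expects.
build_args() {
    # $1 host  $2 user  $3 tun name  $4 pid file  $5 authgroup (or "")  $6 pin (or "")
    args="--background --pid-file=$4 --interface=$3 --user=$2 --passwd-on-stdin"
    [ -n "$5" ] && args="$args --authgroup=$5"
    if [ -n "$6" ]; then
        args="$args --servercert=$6"
    else
        echo "warning: no server cert pin given, certificate is NOT verified" >&2
        args="$args --no-cert-check"
    fi
    echo "$args $1"
}

# ifconfig exits non-zero for a device that does not exist yet; kept in its own
# function so a test can substitute it.
iface_exists() {
    ifconfig "$1" >/dev/null 2>&1
}

# Poll until the tun device appears instead of renaming it right after
# --background returns (the race reinderien points out). Returns 1 on timeout.
wait_for_iface() {
    # $1 interface  $2 seconds to wait
    n=0
    while ! iface_exists "$1"; do
        n=$((n + 1))
        [ "$n" -ge "$2" ] && return 1
        sleep 1
    done
    return 0
}

# In the guide's script: call wait_for_iface "$tmpif" 15 before
# $ifconfig "$tmpif" name "$iface", and start the client with
#   echo "$pass" | $openconnect $(build_args "$host" "$user" "$tmpif" "$pidfile" "$authgroup" "$pin")
```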
