Netgate Discussion Forum

    PFsense with Openconnect

    Documentation

      mike3y
      Here is a small guide to get your pfSense machine up and running with a Cisco AnyConnect VPN server.

      The first thing you're going to need is the openconnect and vpnc-scripts packages.

      Step 1.)

      a.) Log in to your pfSense server via SSH.

      b.) Run the following.

      pkg add nano
      pkg add http://pkg.freebsd.org/freebsd:10:x86:64/release_3/All/vpnc-scripts-20150318.txz
      pkg add http://pkg.freebsd.org/freebsd:10:x86:64/release_3/All/openconnect-7.06.txz

      Step 2.)

      Create the following script under /root (it doesn't matter where this script lives). Remember to chmod +x the script once you're done.

      This is a custom script I pulled from online and made some adjustments to. I've added the authgroup, which is optional, along with --no-cert-check. Depending on the VPN server, the client might not be able to verify the cert. This will allow it to skip verifying.

      a.) nano openconnect.sh and paste the following in. Remember to make adjustments to match your server.

      #!/bin/sh

      # settings

      user="username"
      pass="password"            # stored in plaintext: keep this file readable by root only (chmod 600)
      host="server_address"
      authgroup="groupname"      # optional placeholder; drop this and the --authgroup line below if not needed
      tmpif="tun0"               # interface name openconnect creates
      iface="oc0"                # name pfSense will see after the rename
      pidfile="/tmp/${iface}.pid"
      script="/usr/local/sbin/vpnc-script"
      # optional: a command that succeeds when the tunnel is already up;
      # left empty here (assumption), which skips the "already running" check
      test=""

      # env

      openconnect="/usr/local/sbin/openconnect"
      ifconfig="/sbin/ifconfig"

      # func

      # bring an interface down and destroy it, ignoring errors if it does not exist
      ifkill()
      {
              $ifconfig "$1" down 2>/dev/null || :
              $ifconfig "$1" destroy 2>/dev/null || :
      }

      # check if we're already running

      if [ -n "$test" ] && $test; then
              echo "Connection is already up"
              exit 0
      fi

      # clean up previous instance, if any

      if [ -e "$pidfile" ]; then
              read pid <"$pidfile"
              echo "Killing previous pid: $pid"
              kill -TERM "$pid"
              rm "$pidfile"
      fi
      ifkill "$tmpif"
      ifkill "$iface"

      # open vpn connection
      # --no-cert-check disables server certificate verification (see the note above);
      # pinning the server certificate with --servercert is the safer alternative

      echo "$pass" |
      $openconnect \
              --background \
              --pid-file="$pidfile" \
              --interface="$tmpif" \
              --user="$user" \
              --passwd-on-stdin \
              --authgroup="$authgroup" \
              --no-cert-check \
              --script="$script" \
              "$host"

      # rename the interface

      if [ "$iface" != "$tmpif" ]; then
              echo "Renaming $tmpif to $iface"
              $ifconfig "$tmpif" name "$iface"
      fi

      Step 3.)

      Open your pfSense website and do the following.

      a.) Select Interfaces / (assign).
      b.) Choose the oc0 interface and click Add.
      c.) Click on the oc0 interface and select "Enable".

      Step 4.)

      a.) Click on System/Routing
      b.) In the interface drop-down select your interface oc0. Give it a description at the bottom and click Save and Apply.

      Step 5.)

      a.) Click on Firewall/NAT. Select Outbound and turn on "Manual Outbound NAT".
      b.) Click on Add. Choose to add this rule to the top.
      c.) Select the oc0 interface and put in your source network CIDR.

      Step 6.)

      a.) Click on Firewall / Rules.
      b.) Click on LAN
      c.) Create a new rule at the top
      d.) Change the source to a single IP address or an alias. (If you choose an alias you'll have to back out and create an alias with all the IP addresses you want routed over the Openconnect VPN.) Scroll down near the bottom and specify to use the oc0 gateway.

      Step 7.)

      This is where things get a bit messy. Assigning and creating everything in the GUI breaks the VPN connection, so we will have to reconnect to your AnyConnect VPN server.

      a.) Log back into SSH
      b.) killall openconnect
      c.) ifconfig oc0 down
      d.) ifconfig oc0 destroy
      e.) Launch the openconnect script so it reconnects to the Cisco Anyconnect VPN server.

      That's it. It's probably a good idea to make a cron job that will re-launch the openconnect script before the connection times out, so put in a time that makes sense to you.

        reinderien

        This is broken. As soon as you background the openconnect process, there's a race condition where the interface may not be up yet when you attempt to rename it. Having a central script to do half of this stuff goes against the design principles of openconnect. This should be rewritten as a set of hook scripts in /etc/vpnc, particularly the IF renaming chunk.

        Or, really, vpnc-script itself should be written to detect the presence of pfSense, and understand that tun devices need to be renamed.

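Picking up the race condition raised in the reply above, here is an added example, not from the original post and not part of openconnect or vpnc-script, that waits for the tun device to exist before renaming it and refuses to clobber an existing oc0. It assumes the FreeBSD ifconfig(8) used on pfSense and, when installed as a vpnc-script hook (assumed location /etc/vpnc/post-connect.d/), that vpnc-script sources it with $TUNDEV and $reason set.

```shell
#!/bin/sh
# Added example (not the original poster's script): rename the openconnect
# tun device only after it actually exists, closing the race that appears
# when openconnect is backgrounded before the interface is created.
# Assumptions: FreeBSD/pfSense ifconfig(8); vpnc-script sets $TUNDEV and
# $reason when it sources this file from /etc/vpnc/post-connect.d/.

iface="oc0"                 # name pfSense will assign

# Poll until ifconfig can see the interface, giving up after $2 seconds.
wait_for_iface() {
    name="$1"; timeout="${2:-10}"; waited=0
    while ! ifconfig "$name" >/dev/null 2>&1; do
        if [ "$waited" -ge "$timeout" ]; then
            echo "timed out waiting for $name" >&2
            return 1
        fi
        sleep 1
        waited=$((waited + 1))
    done
    return 0
}

# Rename src to dst once src is present; never clobber an existing dst.
rename_iface() {
    src="$1"; dst="$2"
    [ "$src" = "$dst" ] && return 0
    if ifconfig "$dst" >/dev/null 2>&1; then
        echo "$dst already exists, leaving $src alone" >&2
        return 1
    fi
    wait_for_iface "$src" 10 || return 1
    ifconfig "$src" name "$dst"
}

# Only act when sourced by vpnc-script at connect time; when run or sourced
# any other way (reason unset) the functions are merely defined.
if [ "${reason:-}" = "connect" ] && [ -n "${TUNDEV:-}" ]; then
    rename_iface "$TUNDEV" "$iface"
fi
```

The same two functions can replace the rename block at the end of the guide's script if you prefer to keep a single launcher rather than a hook.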
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.