Issues running OpenConnect on an Asuswrt-Merlin router

Daniel Lenski dlenski at gmail.com
Tue Aug 22 23:06:01 PDT 2017


On Tue, Aug 22, 2017 at 6:14 PM, Aube, Jeremy <aube at mykolab.com> wrote:
> Asuswrt-Merlin doesn't have OpenConnect support for their interface (I wish they did), so I've been running openconnect from the command line. Here's the output (let me know if I've redacted too much):
>
> # openconnect vpn.example.com:22 -v -u username -s /mnt/sda1/vpnc-script-infradead
> POST https://vpn.example.com:22/
> Attempting to connect to server y.y.y.y:22
> Connected to y.y.y.y:22
> SSL negotiation with vpn.example.com
> Server certificate verify failed: signer not found
>
> Certificate from VPN server "vpn.example.com" failed verification.
> Reason: signer not found
> To trust this server in future, perhaps add this to your command line:
>     --servercert sha256:******************************************
> Enter 'yes' to accept, 'no' to abort; anything else to view: yes
> ...
> X-CSTP-Address: x.x.x.x
> X-CSTP-Netmask: 255.255.0.0
> X-CSTP-DNS: 10.9.0.1
> X-CSTP-DNS: 10.8.0.1

Ah, thanks for clarifying… I was thinking you might be using something
like OpenWRT's LuCI web interface. Hmm… all of that looks fine. (It's
a bit strange that your VPN uses port 22, which is normally for SSH,
but whatever.)

It might help to shed some light on what's going on if you try
using a "fake" vpnc-script which does nothing but print the
environment variables with which it's called and run 'openconnect
--script /path/to/fake.sh'. For example:

    #!/bin/sh
    # Print every variable openconnect passes in (reason, TUNDEV, INTERNAL_IP4_*, ...)
    echo "===== FAKE VPNC-SCRIPT ====="
    env
    echo "===== /FAKE VPNC-SCRIPT ====="

-Dan

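A fuller version of the diagnostic script suggested in the reply above, added here as an example; it is not part of the thread and not code from the openconnect project. It logs only the variables a vpnc-script actually acts on (the `reason`, tunnel device, INTERNAL_IP4_*/INTERNAL_IP6_*, and the enumerated CISCO_SPLIT_INC_n_* split-include routes) plus which of the tools a real vpnc-script relies on are on PATH, and it changes no routes or DNS, so it can be dropped in with `openconnect -s /path/to/this-script ...` while a problem is being isolated. Assumptions: the log path /tmp/vpnc-debug.log (overridable with VPNC_DEBUG_LOG), the tool list `ip route ifconfig`, and the function names `dump_vpnc_env` and `check_tools` are mine; the variable names are the ones vpnc-script documents.

```shell
#!/bin/sh
# Diagnostic vpnc-script (added example, not from the original thread).
# openconnect runs it with $reason set (pre-init, connect, disconnect,
# reconnect, ...); each run appends a timestamped dump to $LOG and
# deliberately configures nothing.
LOG="${VPNC_DEBUG_LOG:-/tmp/vpnc-debug.log}"   # assumed default path

# One "NAME=value" line per vpnc-script variable that is set.
dump_vpnc_env() {
    for name in reason VPNGATEWAY TUNDEV INTERNAL_IP4_ADDRESS INTERNAL_IP4_MTU \
                INTERNAL_IP4_NETMASK INTERNAL_IP4_NETMASKLEN INTERNAL_IP4_NETADDR \
                INTERNAL_IP4_DNS INTERNAL_IP4_NBNS CISCO_DEF_DOMAIN \
                CISCO_SPLIT_INC CISCO_SPLIT_EXC \
                INTERNAL_IP6_ADDRESS INTERNAL_IP6_NETMASK INTERNAL_IP6_DNS; do
        eval "value=\${$name}"
        [ -n "$value" ] && printf '%s=%s\n' "$name" "$value"
    done
    # Split-include routes arrive as CISCO_SPLIT_INC_<n>_ADDR/_MASKLEN,
    # with CISCO_SPLIT_INC holding the count; print them as addr/len.
    i=0
    while [ "$i" -lt "${CISCO_SPLIT_INC:-0}" ]; do
        eval "addr=\${CISCO_SPLIT_INC_${i}_ADDR}"
        eval "len=\${CISCO_SPLIT_INC_${i}_MASKLEN}"
        printf 'CISCO_SPLIT_INC_%s=%s/%s\n' "$i" "$addr" "$len"
        i=$((i + 1))
    done
}

# Names of the route/interface tools that are NOT on PATH (empty if all
# present). A real vpnc-script needs at least one of them, and the PATH
# openconnect is started with on a router need not be the login shell's.
check_tools() {
    missing=""
    for tool in ip route ifconfig; do            # assumed tool list
        command -v "$tool" >/dev/null 2>&1 || missing="$missing $tool"
    done
    printf '%s\n' "${missing# }"
}

# Only log when invoked by openconnect (i.e. $reason is set), so sourcing
# or running the file by hand does nothing.
if [ -n "$reason" ]; then
    {
        echo "===== $(date) reason=$reason PATH=$PATH ====="
        dump_vpnc_env
        echo "missing tools: $(check_tools)"
    } >> "$LOG"
fi
```

Compare the logged INTERNAL_IP4_NETMASK / INTERNAL_IP4_DNS lines against the X-CSTP-Netmask and X-CSTP-DNS headers in the verbose output; a mismatch points at the client, an exact match with no route or resolver change on the router points at the real vpnc-script or the tools it calls. Separately, the run quoted above accepts an unverified server certificate interactively; for an unattended router setup, pin the `--servercert sha256:...` value the server printed rather than answering "yes" each time.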