OpenConnect VPN doesn't work for sites on the same server

Daniel Lenski dlenski at gmail.com
Tue Jul 27 07:27:19 PDT 2021


On Tue, Jul 27, 2021 at 3:32 AM Hossein H <haji309 at gmail.com> wrote:
>
> Hi Daniel
> I set up my server as this tutorial: https://www.linuxbabe.com/ubuntu/openconnect-vpn-server-ocserv-ubuntu-20-04-lets-encrypt
> The ocserv and the web server have the same IP address and I set two different A records for them.

Okay… so you are asking for help configuring ocserv (the *server*)
rather than the OpenConnect *client* software.

I still don't understand the configuration you're describing.

You have one computer which is running *both* a web server *and*
ocserv, on the same IP address?
How does that work?
How could a client connecting to https://[your.domain.name]:443 or
https://[your.IP.address]:443 distinguish whether it intends to
connect to the web server or ocserv?

> "openconnet doesn't work for my site" means I can access it with other VPNs but not with the openconnect VPN on the same server (the site is not accessible in my country).

What does "my site" refer to here? Presumably a *different* web server?

> I reckon the source of the problem is that the openconnect routes the ocserv IP address, which is the same as the website one, by adding this line to the route table:
>
> 178.62.8.100 via 192.168.1.1 dev wlp2s0 src 192.168.1.6
>
> 178.62.8.100 is the ocserv address
> 192.168.1.1 is my modem address
> wlp2s0 is the name of my network card
> 192.168.1.6 is my computer address
>
> Is there a way to prevent openconnect from doing so?

No, there is not. The VPN client *has to* set an explicit route to the
VPN server in order to be able to communicate with it. The
ocserv/AnyConnect protocol is a Layer 3 VPN protocol (like most VPNs).
This means that you *cannot* have the same IP address for the VPN
server as well as for a service that you expect to access via the VPN
tunnel… at least not without a whole bunch of
packet-filtering/rewriting logic.

As I said, I don't fully understand the configuration you're
describing, but it appears that you need to assign a different IP
address for the web server that is accessible over the VPN.

Dan
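As an added illustration of Dan's point (example code, not part of the original thread), the snippet below performs a longest-prefix-match route lookup over a routing table shaped like the client's after OpenConnect connects: the host route for the ocserv address via the modem always beats the tunnel's default route, so a web server sharing that IP can never be reached through the tunnel. The addresses 178.62.8.100, 192.168.1.1, 192.168.1.6 and the interface wlp2s0 come from the thread; the tunnel name "tun0" and the separate web-server address 203.0.113.10 are assumptions.

```python
# Added example, not code from the original thread. Demonstrates why a Layer 3
# VPN client's explicit host route to the VPN server (178.62.8.100 via the
# modem 192.168.1.1 on wlp2s0, from the thread) takes precedence over the
# default route pushed through the tunnel. "tun0" and the VPN-only web server
# address 203.0.113.10 (TEST-NET-3) are constructed assumptions.
import ipaddress
from typing import List, NamedTuple, Optional


class Route(NamedTuple):
    prefix: ipaddress.IPv4Network
    via: Optional[str]  # next-hop address, None when the prefix is on-link
    dev: str


OCSERV_IP = "178.62.8.100"

# Client routing table once the VPN is up: ocserv pushes a default route
# through the tunnel, and the client adds a /32 host route so the encrypted
# packets to the VPN server itself still leave via the physical interface.
ROUTES: List[Route] = [
    Route(ipaddress.ip_network("0.0.0.0/0"), None, "tun0"),
    Route(ipaddress.ip_network("192.168.1.0/24"), None, "wlp2s0"),
    Route(ipaddress.ip_network(f"{OCSERV_IP}/32"), "192.168.1.1", "wlp2s0"),
]


def lookup(dst: str, routes: List[Route] = ROUTES) -> Route:
    """Return the matching route with the longest prefix (most specific wins)."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in routes if addr in r.prefix]
    if not candidates:
        raise LookupError(f"no route to {dst}")
    return max(candidates, key=lambda r: r.prefix.prefixlen)


def egress_dev(dst: str) -> str:
    """Interface a packet to dst would leave through."""
    return lookup(dst).dev


if __name__ == "__main__":
    # The ocserv IP is forced out wlp2s0; a web server on any other public
    # address is reached via tun0, which is why the two must not share an IP.
    for dst in (OCSERV_IP, "203.0.113.10", "192.168.1.1"):
        r = lookup(dst)
        print(f"{dst:>14} -> dev {r.dev} via {r.via or 'on-link'} ({r.prefix})")
```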


