On Tue, Jul 27, 2021 at 3:32 AM Hossein H <haji...@gmail.com> wrote:
>
> Hi Daniel
> I set up my server as this tutorial:
> https://www.linuxbabe.com/ubuntu/openconnect-vpn-server-ocserv-ubuntu-20-04-lets-encrypt
> The ocserv and the web server have the same IP address and I set two different
> A records for them.

Okay… so you are asking for help configuring ocserv (the *server*) rather than the OpenConnect *client* software.

I still don't understand the configuration you're describing. You have one computer which is running *both* a web server *and* ocserv, on the same IP address? How does that work? How could a client connecting to https://[your.domain.name]:443 or https://[your.IP.address]:443 distinguish whether it intends to connect to the web server or ocserv?

> "openconnect doesn't work for my site" means I can access it with other VPNs
> but not with the openconnect VPN on the same server (the site is not
> accessible in my country).

What does "my site" refer to here? Presumably a *different* web server?

> I reckon the source of the problem is that the openconnect routes the ocserv
> IP address, which is the same as the website one by adding this line to the
> route table:
>
> 178.62.8.100 via 192.168.1.1 dev wlp2s0 src 192.168.1.6
>
> 178.62.8.100 is ocserv address
> 192.168.1.1 is my modem address
> wlp2s0 is the name of my network card
> 192.168.1.6 is my computer address
>
> Is there a way to prevent openconnect from doing so?

No, there is not. The VPN client *has to* set an explicit route to the VPN server in order to be able to communicate with it.

The ocserv/AnyConnect protocol is a Layer 3 VPN protocol (like most VPNs). This means that you *cannot* have the same IP address for the VPN server as well as for a service that you expect to access via the VPN tunnel… at least not without a whole bunch of packet-filtering/rewriting logic.

As I said, I don't fully understand the configuration you're describing, but it appears that you need to assign a different IP address for the web server that is accessible over the VPN.

Dan

_______________________________________________
openconnect-devel mailing list
openconnect-devel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/openconnect-devel
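Added illustration, not part of the thread and not OpenConnect's code: a small model of the kernel's route selection (longest prefix, then lowest metric) over a routing table built from the addresses quoted above, showing why the /32 host route the client installs always wins for the web server sharing the ocserv IP, and why the tunnel could not work without it. The tun0 interface name, the metrics and the LAN route are assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed routing table modelled on the one quoted in the thread. Addresses
# 178.62.8.100 (ocserv), 192.168.1.1 (modem), 192.168.1.6 (client) and wlp2s0
# come from the mail; tun0, the metrics and the LAN route are assumptions.
ROUTES = [
    # (destination prefix, gateway, interface, metric)
    ("0.0.0.0/0", "192.168.1.1", "wlp2s0", 600),      # modem default, demoted by the client
    ("0.0.0.0/0", None, "tun0", 0),                   # default pushed by ocserv (full tunnel)
    ("178.62.8.100/32", "192.168.1.1", "wlp2s0", 0),  # host route openconnect adds
    ("192.168.1.0/24", None, "wlp2s0", 600),          # directly connected LAN
]


def lookup(dst, routes=ROUTES):
    """Kernel-style route selection: longest prefix wins, lower metric breaks ties."""
    addr = ip_address(dst)
    best = None
    for prefix, gw, iface, metric in routes:
        net = ip_network(prefix)
        if addr in net:
            key = (net.prefixlen, -metric)
            if best is None or key > best[0]:
                best = (key, prefix, gw, iface)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return best[1:]  # (prefix, gateway, interface)


def egress_interface(dst, routes=ROUTES):
    """Interface a packet to dst leaves on under the given table."""
    return lookup(dst, routes)[2]


def without_host_route(routes=ROUTES):
    """The table as it would look if the client did not pin the VPN server."""
    return [r for r in routes if r[0] != "178.62.8.100/32"]


if __name__ == "__main__":
    # A website sharing the ocserv IP egresses over wlp2s0, never the tunnel.
    print("178.62.8.100 ->", lookup("178.62.8.100"))
    # A neighbouring address is routed through the VPN as expected.
    print("178.62.8.101 ->", lookup("178.62.8.101"))
    # Without the host route the encapsulated VPN packets themselves would be
    # sent into tun0, so the tunnel could never carry any traffic.
    print("no host route ->", lookup("178.62.8.100", without_host_route()))
```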