OpenConnect

About the protocol


OpenConnect is an open-source SSL VPN that implements the Cisco AnyConnect protocol. The tunnel is set up on the HTTPS port (443/tcp) and looks like an ordinary HTTPS (TLS) session.

Because of this, detecting such a tunnel is a fairly hard task for Deep Packet Inspection (DPI) systems (hard, not impossible: DPI can still fingerprint TLS handshakes and traffic patterns). According to user reports, OpenConnect is one of the few VPN types that still works in China and some other Asian countries.


In addition to TCP port 443, OpenConnect also uses UDP port 53 (normally used by DNS, so ISPs rarely block it) for the DTLS data channel. If that port is reachable and not blocked, the tunnel's data goes over UDP, at a noticeably higher speed than over TCP. If UDP port 53 is blocked, the tunnel keeps working exclusively over 443/TCP, although noticeably slower (a TCP stream tunnelled inside another TCP connection suffers from two retransmission mechanisms competing).


OpenConnect clients


To configure OpenConnect, you will need to install the appropriate application for your platform:

- Windows: openconnect-gui

- Android: OpenConnect

- Mac OS X: openconnect-gui can be installed with MacPorts. If you have MacPorts installed, just run the following command:

sudo port install openconnect-gui

- iOS: on iOS devices the connection is set up with the built-in OS facilities. When creating a new VPN connection, select "Cisco AnyConnect".

- Linux, *BSD: OpenConnect is available on practically any *nix platform, but how it is installed and used depends on the distribution, whether its repository carries the package, and so on. In most popular Linux distributions you can configure OpenConnect through NetworkManager's OpenConnect plugin.


Connection setup


In general, setting up a connection comes down to entering the URL of the location you need as the server (gateway) address in the HTTPS profile.

You can always get the current list of locations for the VPN connection in the bot menu, in the "Other" -> "OpenConnect" section.


After adding the VPN profile, you will be asked for a login and password when connecting; you can always find them in the bot's main menu.



Certificates


The certificates are needed to rule out a "Man-in-the-Middle" attack, in which an attacker inserts himself into your traffic and poses as a fake VPN server instead of ours: the root certificate lets the client verify that it is really talking to our server, and the user certificate with its key authenticates you to the server.

To avoid this situation, click the "Certificates" button in the "Other" -> "OpenConnect" section.

The bot will send you three files: a public root certificate, a user certificate, and the user's private key.

It is enough to download these files and specify them in the corresponding fields of the OpenConnect client when editing the profile, or pass them on the command line when using the console client.
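The console-client invocation described above, as an added example (this script is not part of the page, the bot, or the OpenConnect project). It assumes the three files from the bot are saved as ca.pem (root certificate), user.pem (user certificate) and user.key (private key) in one directory, that the location URL is https://vpn.example.net, and that the login is "user"; all of these are placeholders to replace with the values from the bot menu. The script checks the files before starting openconnect, because openconnect itself will happily use a private key that every local user can read.

```shell
#!/bin/sh
# Added example for this page; not code from the OpenConnect project or the bot.
# Assumed file names: ca.pem, user.pem, user.key (the page does not name them).

# check_cert_files DIR
# Refuses to continue if any of the three files is missing, is not PEM, or if
# the private key is readable by other users.
check_cert_files() {
    dir="$1"
    for f in ca.pem user.pem user.key; do
        [ -f "$dir/$f" ] || { echo "missing $dir/$f" >&2; return 1; }
    done
    grep -q 'BEGIN CERTIFICATE' "$dir/ca.pem"   || { echo "ca.pem is not a PEM certificate" >&2; return 1; }
    grep -q 'BEGIN CERTIFICATE' "$dir/user.pem" || { echo "user.pem is not a PEM certificate" >&2; return 1; }
    grep -q 'PRIVATE KEY' "$dir/user.key"       || { echo "user.key is not a PEM private key" >&2; return 1; }
    # "ls -ld" prints e.g. "-rw-------"; characters 5-10 are the group/other bits,
    # which must all be "-" (chmod 600 or 400).
    [ "$(ls -ld "$dir/user.key" | cut -c5-10)" = "------" ] \
        || { echo "user.key is readable by other users; run: chmod 600 $dir/user.key" >&2; return 1; }
}

# build_openconnect_cmd DIR URL LOGIN
# Prints the openconnect(8) command line. --cafile makes the client verify the
# server against the bot's root certificate (the MITM protection described on
# the page), --certificate/--sslkey present the user certificate and key, and
# --passwd-on-stdin reads the password from standard input so that it never
# appears in the process list or shell history.
build_openconnect_cmd() {
    printf 'openconnect --protocol=anyconnect --cafile=%s/ca.pem --certificate=%s/user.pem --sslkey=%s/user.key --user=%s --passwd-on-stdin %s\n' \
        "$1" "$1" "$1" "$3" "$2"
}

# connect DIR URL LOGIN PASSWORD_FILE
# Runs the checks, then starts the tunnel; root is needed for the tun device.
# PASSWORD_FILE holds the password from the bot menu and must be chmod 600.
connect() {
    check_cert_files "$1" || return 1
    [ "$(ls -ld "$4" | cut -c5-10)" = "------" ] || { echo "$4 must be chmod 600" >&2; return 1; }
    sudo sh -c "$(build_openconnect_cmd "$1" "$2" "$3")" < "$4"
}

# Usage (placeholders; a real run opens the tunnel in the foreground):
# connect "$HOME/.openconnect" https://vpn.example.net user "$HOME/.openconnect/password"
```

The same three values map onto the GUI fields: the root certificate goes into the CA field of the profile, the user certificate and key into the client certificate and key fields.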




Password saving


To stop openconnect-gui from asking for the password every time you connect, tick the "Batch mode" checkbox in the profile settings.

Unfortunately, if a connection attempt fails, the saved password is discarded and you will have to enter it again next time. This is not very convenient behaviour of the OpenConnect client at the moment.

We remind you that you can see your login and password for the service at any time in the bot's main menu.