Divan Santana <di...@santanas.co.za> writes:

> Denis Fondras <de...@openbsd.org> writes:
>
>> On Mon, Feb 10, 2025 at 09:09:17AM +0200, Divan Santana wrote:
>>> Hi Denis,
>>> 
>>> Denis Fondras <de...@openbsd.org> writes:
>>> 
>>> > A CLI GlobalProtect VPN client, written in Rust, based on OpenConnect
>>> > and Tauri, supports SSO with MFA, Yubikey, and client certificate
>>> > authentication, etc.
>>> >
>>> > https://github.com/yuezk/GlobalProtect-openconnect/
>>> >
>>> > I disabled the GUI build because it requires nodejs.
>>> 
>>> This is great - thanks for this.  I hope it's in ports for the upcoming
>>> openbsd release.
>>> 
>>> I compiled this and got it to auth successfully via the browser, but
>>> after auth completes in the browser, Chrome prompts to open the VPN
>>> client and that's as far as it goes.
>>> 
>>> It doesn't return the cookie on the command line or launch openconnect
>>> for me.
>>> 
>>> Perhaps I'm using it wrong.
>>> 
>>> I'm trying:
>>> 
>>> gpauth gp.example.com --browser default 2>/dev/null | doas gpclient connect 
>>> gp.example.com --cookie-on-stdin
>>
>> I don't use Chrome but Firefox. I could not make it pass the cookie to the
>> gpclient with a handler (even when disabling unveil/pledge). Instead I am
>> using:
>> `gpauth vpn.example.com --browser firefox 2>/dev/null | doas gpclient connect
>> vpn.example.com --cookie-on-stdin`
>>
>> Once authenticated, I copy the globalprotectcallback:[...] link and do
>> `echo -n "globalprotectcallback:[...]" | nc -w1 127.0.0.1 $(cat /tmp/gpcallback.port)`
>> (actually, I have a bash function for this:
>> globalprotect ()
>> {
>>     echo -n "$1" | nc -w1 127.0.0.1 $(cat /tmp/gpcallback.port)
>> }
>> )
>>
>> This is not ideal but at least it works.
>
> Yeah, not ideal, but "works" is much better than not working.  Thanks for
> this package and help.
>
> This last bit of info helped me; I have it almost working.
>
> It now gets further, but ultimately doesn't bring up the vpn connection.
>
> I think it may be because I need to pass in
> --csd-wrapper=/usr/libexec/openconnect/hipreport.sh --disable-ipv6, though
> I'm not sure how to do this, because gpclient seems to call
> openconnect.
>
> Any idea?
>
>
> ds@swift ~ $ gpauth gp.example.com --browser chrome 2>/dev/null | doas 
> gpclient connect gp.example.com --cookie-on-stdin
> [2025-02-10T18:52:02Z INFO  gpclient::cli] gpclient started: 2.4.1 
> (2025-02-10)
> [2025-02-10T18:52:02Z INFO  gpapi::portal::prelogin] Portal prelogin with 
> user_agent: PAN GlobalProtect
> [2025-02-10T18:52:03Z INFO  gpclient::connect] Reading cookie from standard 
> input
> [2025-02-10T18:52:39Z INFO  gpapi::portal::config] Retrieve the portal 
> config, user_agent: PAN GlobalProtect
> [2025-02-10T18:52:39Z INFO  gpapi::gateway::parse_gateways] Try to parse the 
> external gateways...
> [2025-02-10T18:52:39Z INFO  gpclient::connect] Connecting to the only 
> available gateway: ext-gw-1 (gp.example.com)
> [2025-02-10T18:52:39Z INFO  gpapi::gateway::login] Perform gateway login, 
> user_agent: PAN GlobalProtect
> [2025-02-10T18:52:40Z INFO  openconnect::ffi] openconnect version: 
> v8.20-unknown
> [2025-02-10T18:52:40Z INFO  openconnect::ffi] User agent: PAN GlobalProtect
> [2025-02-10T18:52:40Z INFO  openconnect::ffi] VPNC script: 
> /usr/local/share/vpnc-scripts/vpnc-script
> [2025-02-10T18:52:40Z INFO  openconnect::ffi] OS: linux
> [2025-02-10T18:52:40Z INFO  openconnect::ffi] CSD_USER: 0
> [2025-02-10T18:52:40Z INFO  openconnect::ffi] CSD_WRAPPER: (null)
> [2025-02-10T18:52:40Z INFO  openconnect::ffi] RECONNECT_TIMEOUT: 300
> [2025-02-10T18:52:40Z INFO  openconnect::ffi] MTU: 0
> [2025-02-10T18:52:40Z INFO  openconnect::ffi] DISABLE_IPV6: 0
> [2025-02-10T18:52:40Z INFO  openconnect::ffi] NO_DTLS: 0
> [2025-02-10T18:52:40Z INFO  openconnect::ffi] POST 
> https://gp.example.com/ssl-vpn/getconfig.esp
> [2025-02-10T18:52:40Z INFO  openconnect::ffi] Connected to someipaddress:443
> [2025-02-10T18:52:40Z INFO  openconnect::ffi] SSL negotiation with 
> gp.example.com
> [2025-02-10T18:52:40Z INFO  openconnect::ffi] Connected to HTTPS on 
> gp.example.com with ciphersuite 
> (TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA256)-(AES-256-GCM)
> [2025-02-10T18:52:40Z INFO  openconnect::ffi] Tunnel timeout (rekey interval) 
> is 180 minutes.
> [2025-02-10T18:52:40Z INFO  openconnect::ffi] Idle timeout is 180 minutes.
> [2025-02-10T18:52:40Z WARN  openconnect::ffi] No MTU received. Calculated 
> 1326 for ESP tunnel
> [2025-02-10T18:52:40Z INFO  openconnect::ffi] POST 
> https://gp.example.com/ssl-vpn/hipreportcheck.esp
> [2025-02-10T18:52:40Z WARN  openconnect::ffi] WARNING: Server asked us to 
> submit HIP report with md5sum 72858a67afbb5c74eeec30a6bb59a6a0.
>         VPN connectivity may be disabled or limited without HIP report 
> submission.
>         You need to provide a --csd-wrapper argument with the HIP report 
> submission script.
> [2025-02-10T18:52:45Z WARN  openconnect::ffi] Failed to connect ESP tunnel; 
> using HTTPS instead.
> add host someipaddress: gateway 192.168.77.1
> add net 10.50.200.11: gateway 10.50.200.11: File exists
> add net 10.50.100.160: gateway 10.50.200.11
> add net 194.32.161.172: gateway 10.50.200.11
> add net 194.32.161.171: gateway 10.50.200.11
> add net 192.168.128.95: gateway 10.50.200.11
> add net 192.168.128.52: gateway 10.50.200.11
> add net 192.168.20.72: gateway 10.50.200.11
> add net 192.168.20.71: gateway 10.50.200.11
> add net 192.168.20.70: gateway 10.50.200.11
> add net 192.168.20.68: gateway 10.50.200.11
> add net 192.168.20.36: gateway 10.50.200.11
> add net 192.168.20.35: gateway 10.50.200.11
> add net 172.20.55.171: gateway 10.50.200.11
> add net 172.20.45.37: gateway 10.50.200.11
> add net 91.229.33.6: gateway 10.50.200.11
> add net 91.229.33.1: gateway 10.50.200.11
> add net 10.0.0.0: gateway 10.50.200.11
> add net 10.50.100.160: gateway 10.50.200.11: File exists
> [2025-02-10T18:52:47Z INFO  openconnect::vpn] Connected to VPN, pipe_fd: 11
> [2025-02-10T18:52:47Z INFO  gpclient::connect] Wrote PID 94463 to 
> /var/run/gpclient.lock
>

Scratch that, it is working.

I tried same as above, but with

```
gpauth gp.example.com --browser chrome 2>/dev/null | doas gpclient connect 
--hip gp.example.com --cookie-on-stdin
```

not sure the --hip worked, but the connection is up, even though the background 
openconnect proc is not running.

Thanks Denis for this package.  It would be great if you got it added to
ports officially.
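As an added example (not code from this thread or from the GlobalProtect-openconnect project), below is a hardened version of the small shell helper Denis describes, which feeds the globalprotectcallback: link to the local port gpauth is listening on. It assumes, as the thread does, that gpauth listens on 127.0.0.1 and records its port number in /tmp/gpcallback.port; the function names and the GP_PORT_FILE variable are my own. The two checks exist because /tmp is world-writable, so the port file should be treated as untrusted input, and because only a link carrying the expected scheme should ever be sent to the listener.

```shell
#!/bin/sh
# Added example: a hardened helper for pasting the browser's
# globalprotectcallback: link into gpauth's local callback port.
# Assumptions (taken from the thread, not verified against the project):
# gpauth listens on 127.0.0.1 and writes its port to /tmp/gpcallback.port.
# Function names and GP_PORT_FILE are hypothetical, not project APIs.

GP_PORT_FILE="${GP_PORT_FILE:-/tmp/gpcallback.port}"

# Return 0 only for a non-empty, single-token link with the expected scheme.
# Whitespace or newlines never belong in the link, so reject them outright.
gp_valid_callback() {
    case "$1" in
        "") return 1 ;;
        globalprotectcallback:*) ;;
        *) return 1 ;;
    esac
    case "$1" in
        *[[:space:]]*) return 1 ;;
    esac
    return 0
}

# Read the port file and accept only a single decimal number in 1..65535.
# Prints the port and returns 0 on success; prints nothing and returns 1
# otherwise. /tmp is world-writable, so the file contents are untrusted.
gp_read_port() {
    file="$1"
    [ -f "$file" ] || return 1
    port=$(head -n 1 "$file" | tr -d '[:space:]')
    case "$port" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || return 1
    printf '%s\n' "$port"
}

# Send the link to the loopback listener, but only after both checks pass.
# printf '%s' is used instead of echo -n because it is portable across shells.
gp_send_callback() {
    link="$1"
    if ! gp_valid_callback "$link"; then
        echo "refusing: not a globalprotectcallback: link" >&2
        return 1
    fi
    port=$(gp_read_port "$GP_PORT_FILE") || {
        echo "refusing: bad or missing port file $GP_PORT_FILE" >&2
        return 1
    }
    printf '%s' "$link" | nc -w1 127.0.0.1 "$port"
}

# Usage, after gpauth has opened the browser and the callback link is copied:
#   gp_send_callback 'globalprotectcallback:...'
```

Sourcing this file and calling gp_send_callback with the copied link replaces the one-line function from the thread; a link with the wrong scheme, or a port file that does not contain a plausible port number, is refused with a message on stderr instead of being handed to nc.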
