Divan Santana <di...@santanas.co.za> writes:

> Divan Santana <di...@santanas.co.za> writes:
>
>> Divan Santana <di...@santanas.co.za> writes:
>>
>>> Denis Fondras <de...@openbsd.org> writes:
>>>
>>>> On Mon, Feb 10, 2025 at 09:09:17AM +0200, Divan Santana wrote:
>>>>> Hi Denis,
>>>>>
>>>>> Denis Fondras <de...@openbsd.org> writes:
>>>>>
>>>>> > A CLI GlobalProtect VPN client, written in Rust, based on OpenConnect
>>>>> > and Tauri, supports SSO with MFA, Yubikey, and client certificate
>>>>> > authentication, etc.
>>>>> >
>>>>> > https://github.com/yuezk/GlobalProtect-openconnect/
>>>>> >
>>>>> > I disabled the GUI build because it requires nodejs.
>>>>>
>>>>> This is great - thanks for this. I hope it's in ports for the upcoming
>>>>> OpenBSD release.
>>>>>
>>>>> I compiled this and got it to auth successfully via the browser, but
>>>>> after auth completes in the browser, Chrome prompts to open the VPN
>>>>> client and that's as far as it goes.
>>>>>
>>>>> It doesn't return the cookie on the command line or launch openconnect
>>>>> for me.
>>>>>
>>>>> Perhaps I'm using it wrong.
>>>>>
>>>>> I'm trying:
>>>>>
>>>>> gpauth gp.example.com --browser default 2>/dev/null | doas gpclient connect gp.example.com --cookie-on-stdin
>>>>
>>>> I don't use Chrome but Firefox. I could not make it pass the cookie to the
>>>> gpclient with a handler (even when disabling unveil/pledge). Instead I am
>>>> using:
>>>> `gpauth vpn.example.com --browser firefox 2>/dev/null | doas gpclient connect vpn.example.com --cookie-on-stdin`
>>>>
>>>> Once authenticated, I copy the globalprotectcallback:[...] link and do
>>>> ```echo -n "globalprotectcallback:[...]" | nc -w1 127.0.0.1 `cat /tmp/gpcallback.port````
>>>> (actually, I have a bash function for this:
>>>> globalprotect ()
>>>> {
>>>>     echo -n "$1" | nc -w1 127.0.0.1 `cat /tmp/gpcallback.port`
>>>> }
>>>> )
>>>>
>>>> This is not ideal but at least it works.
>>>
>>> Yeah, not ideal, but "works" is much better than not working. Thanks for
>>> this package and help.
>>>
>>> This last bit of info helped me; I have it almost working.
>>>
>>> It now gets further, but ultimately doesn't bring up the VPN connection.
>>>
>>> I think it may be because I need to pass in
>>> -csd-wrapper=/usr/libexec/openconnect/hipreport.sh --disable-ipv6, though
>>> I'm not sure how to do this, because gpclient seems to call
>>> openconnect.
>>>
>>> Any idea?
>>>
>>>
>>> ds@swift ~ $ gpauth gp.example.com --browser chrome 2>/dev/null | doas gpclient connect gp.example.com --cookie-on-stdin
>>> [2025-02-10T18:52:02Z INFO gpclient::cli] gpclient started: 2.4.1 (2025-02-10)
>>> [2025-02-10T18:52:02Z INFO gpapi::portal::prelogin] Portal prelogin with user_agent: PAN GlobalProtect
>>> [2025-02-10T18:52:03Z INFO gpclient::connect] Reading cookie from standard input
>>> [2025-02-10T18:52:39Z INFO gpapi::portal::config] Retrieve the portal config, user_agent: PAN GlobalProtect
>>> [2025-02-10T18:52:39Z INFO gpapi::gateway::parse_gateways] Try to parse the external gateways...
>>> [2025-02-10T18:52:39Z INFO gpclient::connect] Connecting to the only available gateway: ext-gw-1 (gp.example.com)
>>> [2025-02-10T18:52:39Z INFO gpapi::gateway::login] Perform gateway login, user_agent: PAN GlobalProtect
>>> [2025-02-10T18:52:40Z INFO openconnect::ffi] openconnect version: v8.20-unknown
>>> [2025-02-10T18:52:40Z INFO openconnect::ffi] User agent: PAN GlobalProtect
>>> [2025-02-10T18:52:40Z INFO openconnect::ffi] VPNC script: /usr/local/share/vpnc-scripts/vpnc-script
>>> [2025-02-10T18:52:40Z INFO openconnect::ffi] OS: linux
>>> [2025-02-10T18:52:40Z INFO openconnect::ffi] CSD_USER: 0
>>> [2025-02-10T18:52:40Z INFO openconnect::ffi] CSD_WRAPPER: (null)
>>> [2025-02-10T18:52:40Z INFO openconnect::ffi] RECONNECT_TIMEOUT: 300
>>> [2025-02-10T18:52:40Z INFO openconnect::ffi] MTU: 0
>>> [2025-02-10T18:52:40Z INFO openconnect::ffi] DISABLE_IPV6: 0
>>> [2025-02-10T18:52:40Z INFO openconnect::ffi] NO_DTLS: 0
>>> [2025-02-10T18:52:40Z INFO openconnect::ffi] POST https://gp.example.com/ssl-vpn/getconfig.esp
>>> [2025-02-10T18:52:40Z INFO openconnect::ffi] Connected to someipaddress:443
>>> [2025-02-10T18:52:40Z INFO openconnect::ffi] SSL negotiation with gp.example.com
>>> [2025-02-10T18:52:40Z INFO openconnect::ffi] Connected to HTTPS on gp.example.com with ciphersuite (TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA256)-(AES-256-GCM)
>>> [2025-02-10T18:52:40Z INFO openconnect::ffi] Tunnel timeout (rekey interval) is 180 minutes.
>>> [2025-02-10T18:52:40Z INFO openconnect::ffi] Idle timeout is 180 minutes.
>>> [2025-02-10T18:52:40Z WARN openconnect::ffi] No MTU received. Calculated 1326 for ESP tunnel
>>> [2025-02-10T18:52:40Z INFO openconnect::ffi] POST https://gp.example.com/ssl-vpn/hipreportcheck.esp
>>> [2025-02-10T18:52:40Z WARN openconnect::ffi] WARNING: Server asked us to submit HIP report with md5sum 72858a67afbb5c74eeec30a6bb59a6a0.
>>> VPN connectivity may be disabled or limited without HIP report submission.
>>> You need to provide a --csd-wrapper argument with the HIP report submission script.
>>> [2025-02-10T18:52:45Z WARN openconnect::ffi] Failed to connect ESP tunnel; using HTTPS instead.
>>> add host someipaddress: gateway 192.168.77.1
>>> add net 10.50.200.11: gateway 10.50.200.11: File exists
>>> add net 10.50.100.160: gateway 10.50.200.11
>>> add net 194.32.161.172: gateway 10.50.200.11
>>> add net 194.32.161.171: gateway 10.50.200.11
>>> add net 192.168.128.95: gateway 10.50.200.11
>>> add net 192.168.128.52: gateway 10.50.200.11
>>> add net 192.168.20.72: gateway 10.50.200.11
>>> add net 192.168.20.71: gateway 10.50.200.11
>>> add net 192.168.20.70: gateway 10.50.200.11
>>> add net 192.168.20.68: gateway 10.50.200.11
>>> add net 192.168.20.36: gateway 10.50.200.11
>>> add net 192.168.20.35: gateway 10.50.200.11
>>> add net 172.20.55.171: gateway 10.50.200.11
>>> add net 172.20.45.37: gateway 10.50.200.11
>>> add net 91.229.33.6: gateway 10.50.200.11
>>> add net 91.229.33.1: gateway 10.50.200.11
>>> add net 10.0.0.0: gateway 10.50.200.11
>>> add net 10.50.100.160: gateway 10.50.200.11: File exists
>>> [2025-02-10T18:52:47Z INFO openconnect::vpn] Connected to VPN, pipe_fd: 11
>>> [2025-02-10T18:52:47Z INFO gpclient::connect] Wrote PID 94463 to /var/run/gpclient.lock
>>>
>>
>> Scratch that, it is working.
>>
>> I tried the same as above, but with
>>
>> ```
>> gpauth gp.example.com --browser chrome 2>/dev/null | doas gpclient connect --hip gp.example.com --cookie-on-stdin
>> ```
>>
>> Not sure the --hip worked, but the connection is up, even though the
>> background openconnect proc is not running.
>>
>> Thanks Denis for this package. It would be great if you got it added to
>> ports officially.
>
>
> OK, actually, it connects, sometimes, but it's very intermittent and
> slow.
>
> Some sites work over the VPN, but then don't. It seems the connection
> is much slower than previously.
>
> I've read that adding --no-dtls to openconnect may help.
>
> But again, I don't know how to pass this through to openconnect.
>
> Any idea?
OK, one can't pass any options through to openconnect. This package and setup work fine for me. I think my VPN instability issues are the result of something else.
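A stricter version of the ad-hoc shell helper from Denis's mail, as an added example that is not part of this thread: it forwards only strings that look like a globalprotectcallback: URL, and only to a sane unprivileged port read from /tmp/gpcallback.port (the path from the thread), so a mis-pasted line never reaches gpauth's local listener. The helper names other than globalprotect are my own; GP_PORT_FILE is an assumed override variable.

```shell
#!/bin/sh
# Added example (not code from the thread or from GlobalProtect-openconnect):
# a validated wrapper around "printf URL | nc 127.0.0.1 $(cat /tmp/gpcallback.port)".

# Port file written by gpauth, path as used in the thread; env override is assumed.
GP_PORT_FILE="${GP_PORT_FILE:-/tmp/gpcallback.port}"

# gp_valid_callback URL -> 0 only for a non-empty globalprotectcallback: link
# without whitespace or control characters (a real callback has neither).
gp_valid_callback() {
    case "$1" in
        globalprotectcallback:?*) ;;
        *) return 1 ;;
    esac
    case "$1" in
        *[[:space:][:cntrl:]]*) return 1 ;;
    esac
    return 0
}

# gp_valid_port PORT -> 0 only for an all-digit, unprivileged TCP port.
gp_valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1024 ] && [ "$1" -le 65535 ]
}

# gp_read_port -> prints the port from GP_PORT_FILE, fails if missing or bogus.
gp_read_port() {
    port=$(tr -d '[:space:]' < "$GP_PORT_FILE" 2>/dev/null) || return 1
    gp_valid_port "$port" || return 1
    printf '%s' "$port"
}

# globalprotect URL -> hands a validated callback URL to gpauth's listener
# on loopback. printf is used instead of "echo -n" for portability.
globalprotect() {
    gp_valid_callback "$1" || { echo "refusing: not a globalprotectcallback: URL" >&2; return 2; }
    port=$(gp_read_port) || { echo "refusing: no usable port in $GP_PORT_FILE" >&2; return 3; }
    printf '%s' "$1" | nc -w1 127.0.0.1 "$port"
}
```

Usage is unchanged from the thread: paste the link the browser shows as `globalprotect 'globalprotectcallback:...'` while the `gpauth ... | doas gpclient connect ... --cookie-on-stdin` pipeline is waiting.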