
VPN Slice Configuration

Open techgique opened this issue 4 years ago • 7 comments

I was able to successfully compile and run the program in Fedora 34 Workstation for use with our university's GlobalProtect VPN. It uses SAML auth with the university's SSO and works great with one small bump. I have to click the "Reset Settings" button in the tray icon menu to connect for attempts after the first successful connection. I think it's because the client caches the SAML auth tokens and they are stale for future connections. The university's SAML auth page will say the request is invalid if I don't click "Reset Settings". Just fyi, but that's not the main reason for me making this issue.

After figuring out the above, I wanted to see if it was possible to use this client with vpn-slice and searched the issues. I found https://github.com/yuezk/GlobalProtect-openconnect/issues/37 and understood that the client just calls openconnect internally where the vpn-slice script could be used. So I found the source code which must be modified to do this: https://github.com/yuezk/GlobalProtect-openconnect/blob/v1.2.8/GPService/gpservice.cpp#L65

I found that by modifying the code to add the openconnect script option -s as such:

     << "-C" << passwd
     << "-s vpn-slice ____"
     << server;

, rebuilding with make -B, stopping the service with sudo systemctl stop gpservice, and reinstalling with sudo make install worked! It'd be great if this vpn-slice use could be a configuration option built into the client so that vpn-slice option changes wouldn't require a recompile, but wanted to share how it can be done for others if such a feature is never added. Cheers!

techgique avatar Jul 26 '21 23:07 techgique

Note that running gpclient from the command line and watching the output, as well as checking sudo systemctl status gpservice and route output after the client has connected are good ways to debug any troubles one might have. I ran into problems initially by trying to wrap my -s script command in single quotes. Openconnect seems to automatically add single quotes around what follows the -s, so I was seeing the script options double-wrapped in single quotes which caused the script call to fail and result in no VPN connection at all even though the client showed it was connected because the SAML auth had succeeded. :v:

techgique avatar Jul 27 '21 00:07 techgique

@techgique https://github.com/yuezk/GlobalProtect-openconnect/issues/21#issuecomment-745918352 described a workaround of adding the extra arguments to OpenConnect without recompiling the code. And I'm working on exposing a GUI configuration to configure the extra arguments. Before it is finished, the workaround should be a choice.

yuezk avatar Jul 27 '21 07:07 yuezk

Adding to ExecStart in GlobalProtect-openconnect/GPService/systemd/gpservice.service with ExecStart=/usr/bin/gpservice -s 'vpn-slice ____' did the trick.

And I see how https://github.com/yuezk/GlobalProtect-openconnect/blob/v1.2.8/GPService/gpservice.cpp#L66 is passing the arguments along now. Thanks, @yuezk. Much appreciated!

techgique avatar Jul 30 '21 00:07 techgique
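A quick way to confirm that the vpn-slice setup above actually produced a split tunnel is to inspect the route table after connecting, as suggested earlier in this thread. The script below is an added example, not code from the GlobalProtect-openconnect project or from this thread; it assumes the tunnel interface is named tun0 and runs against a constructed `ip route` sample, but `check_slice "$(ip route)" tun0 "host1 prefix2"` works against the live table.

```shell
#!/bin/sh
# Added example: verify that only the sliced destinations are routed over the
# VPN tunnel and that no default route leaks through it.
# Constructed sample of `ip route` output (not captured from a real system);
# the tunnel interface name tun0 is an assumption.
SAMPLE_ROUTES='default via 192.0.2.1 dev wlp3s0 proto dhcp metric 600
192.0.2.0/24 dev wlp3s0 proto kernel scope link src 192.0.2.50
198.51.100.10 dev tun0 scope link
198.51.100.0/24 dev tun0 scope link'

# Print the destinations carried by the tunnel interface, one per line.
# $1: route table text in `ip route` format, $2: tunnel interface name
tunnel_routes() {
    printf '%s\n' "$1" | awk -v dev="$2" '{
        for (i = 1; i <= NF; i++) if ($i == "dev" && $(i+1) == dev) print $1
    }'
}

# Succeed when no default route goes through the tunnel, i.e. vpn-slice
# restricted routing instead of sending all traffic into the VPN.
no_default_via_tunnel() {
    ! tunnel_routes "$1" "$2" | grep -qx 'default'
}

# Succeed when every expected destination ($3, space-separated) is routed
# over the tunnel interface.
expected_routes_present() {
    routes=$(tunnel_routes "$1" "$2")
    for want in $3; do
        printf '%s\n' "$routes" | grep -qxF "$want" || return 1
    done
    return 0
}

# Combined check; returns non-zero with a short reason on failure.
check_slice() {
    no_default_via_tunnel "$1" "$2" || { echo "default route via $2: not a split tunnel"; return 1; }
    expected_routes_present "$1" "$2" "$3" || { echo "missing sliced route on $2"; return 1; }
    echo "slice OK on $2"
}
```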

It should have been resolved in 1.3.0, as described in https://github.com/yuezk/GlobalProtect-openconnect#passing-the-custom-parameters-to-openconnect-cli

yuezk avatar Aug 15 '21 13:08 yuezk

@yuezk This new UI works, though I did have to do a little trial and error to figure out that the vpn-slice args had to be enclosed in double-quotes to be properly handled.

The need to "Reset Settings" that I mentioned above still makes this approach awkward for me, though.

I have to click the "Reset Settings" button in the tray icon menu to connect for attempts after the first successful connection. I think it's because the client caches the SAML auth tokens and they are stale for future connections. The university's SAML auth page will say the request is invalid if I don't click "Reset Settings".

Having to do this also clears out the custom params, so I need to re-add my vpn-slice config after each reset if I go this route rather than through the systemd unit file. Would you be interested in looking into this further in another issue?

techgique avatar Aug 20 '21 15:08 techgique

@techgique Thanks for your feedback.

The latest code won't clear the settings in the Settings dialog; it was fixed by #80.

On the other hand, I have no idea about the problem you encountered.

I have to click the "Reset Settings" button in the tray icon menu to connect for attempts after the first successful connection. I think it's because the client caches the SAML auth tokens and they are stale for future connections. The university's SAML auth page will say the request is invalid if I don't click "Reset Settings".

Please provide the logs if possible.

yuezk avatar Aug 21 '21 10:08 yuezk

The changes to have custom params and clientos persist through Reset Settings work great! :+1:

I'll email you the logs rather than paste them in here due to length and potential sensitivity of contents.

techgique avatar Aug 23 '21 22:08 techgique