GlobalProtect-openconnect
GlobalProtect-openconnect copied to clipboard
yuezk
Gpclient does not recognize vpnc-script as executable
Describe the bug When attempting to use a script with gpclient to utilize more nuanced vpn-slice, I get an error that "vpnc script is not executabe". The vpnc-script script is on the system, is executable, and has manually been added to the path as a double check.
It was installed to /usr/share/vpnc-scripts/
To exclude any issue with my specific script, I was able to recreate the issue with an empty script; specifying any script is triggering this error.
If I exclude the --script switch, the connection works just fine (albeit without my split tunnel configuration)
Expected behavior The client should prompt for authentication (or used cached authentication) and connect.
Screenshots
Error run as root:
Error run as sudo:
Successful connection without --script:
Environment:
- OS: Ubuntu 24.04
- Desktop Environment: Mate
- Is remote SSH? No, Proxmox VM accessed by local console or VNC.
One more datapoint, here's the actual vpn-slice command, in this case I showed that the vpn-slice script is executable and it's referenced in the full path, but I get the same result:
The vpn-slice command is passing it's own tests:
Hi @surfrock66, the --script parameter accepts an executable script file path. But it doesn't support passing a command.
So for your case, you can save the command as an executable file and pass that file to the --script parameter, for example.
A file named path/to/your/script.sh
#!/bin/bash
vpn-slice xxx.xxx.xxx.xxx/24
Then use the script parameter like: --script path/to/your/script.sh.
But it looks like the --script parameter can be improved to support passing a command.
Let me know if you have any questions. Thanks.
Ok perfect that worked; In researching vpn-slice a lot of the documentation has the script inline with openconnect commands which was confusing, supporting in-line scrips would be great but maybe more up-front documentation on it would be enough in case it's a bigger programming lift. https://github.com/dlenski/vpn-slice?tab=readme-ov-file#usage
Apologies, I may have closed this prematurely. I'm having a lot of trouble with routing and split tunnel. I've been through the documentation for vpn-slice and it shows that you can specify inverted subnets to exclude from going over the tunnel. https://github.com/dlenski/vpn-slice?tab=readme-ov-file#usage When I do that, I'm getting the following in my logs:
surfrock66@sr66-vdi-02:~$ sudo -E gpclient --fix-openssl connect --script "/home/surfrock66/.scripts/vpn-split-tunnel.sh" REDACTEDADDRESS
[sudo] password for surfrock66:
[2024-05-09T16:27:59Z INFO gpclient::cli] gpclient started: 2.1.2 (2024-03-29)
[2024-05-09T16:27:59Z INFO gpapi::portal::prelogin] Prelogin with user_agent: PAN GlobalProtect
[2024-05-09T16:28:01Z INFO gpauth::cli] gpauth started: 2.1.2 (2024-03-29)
[2024-05-09T16:28:01Z INFO gpauth::cli] Fixing OpenSSL environment
[2024-05-09T16:28:01Z INFO gpauth::auth_window] Open auth window, user_agent: PAN GlobalProtect
** (gpauth:12897): WARNING **: 09:28:01.452: webkit_settings_set_enable_offline_web_application_cache is deprecated and does nothing.
MESA: error: ZINK: failed to choose pdev
libEGL warning: egl: failed to create dri2 screen
[2024-05-09T16:28:01Z INFO gpauth::auth_window] Auth window user agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.0 Safari/605.1.15
[2024-05-09T16:28:01Z INFO gpauth::auth_window] Load the SAML request as URI...
[2024-05-09T16:28:02Z INFO gpauth::auth_window] Loaded uri: https://l**********m/c9324e90-3192-4368-b40d-c16169c276de/saml2?SAMLRequest=h**********C&RelayState=0**********%3D
[2024-05-09T16:28:02Z INFO gpauth::auth_window] Trying to read auth data from response headers...
[2024-05-09T16:28:02Z INFO gpauth::auth_window] No saml-auth-status header found
[2024-05-09T16:28:02Z INFO gpauth::auth_window] No auth data found in headers, trying to read from body...
[2024-05-09T16:28:02Z INFO gpauth::auth_window] No auth data found in HTML
[2024-05-09T16:28:02Z INFO gpauth::auth_window] No auth data found, it may not be the /SAML20/SP/ACS endpoint
[2024-05-09T16:28:02Z INFO gpauth::auth_window] Raise window in 1 second(s)
[2024-05-09T16:28:02Z INFO gpauth::auth_window] Raise window cancelled
[2024-05-09T16:28:02Z INFO gpauth::auth_window] Loaded uri: https://v**********u/SAML20/SP/ACS
[2024-05-09T16:28:02Z INFO gpauth::auth_window] Trying to read auth data from response headers...
[2024-05-09T16:28:02Z INFO gpauth::auth_window] Got auth data from headers
[2024-05-09T16:28:02Z INFO gpapi::portal::config] Portal config, user_agent: PAN GlobalProtect
[2024-05-09T16:28:02Z INFO gpclient::connect] Connecting to the only available gateway: vpn (REDACTEDADDRESS)
[2024-05-09T16:28:02Z INFO gpapi::gateway::login] Gateway login, user_agent: PAN GlobalProtect
[2024-05-09T16:28:02Z INFO openconnect::ffi] openconnect version: v9.12-1build5
[2024-05-09T16:28:02Z INFO openconnect::ffi] User agent: PAN GlobalProtect
[2024-05-09T16:28:02Z INFO openconnect::ffi] VPNC script: /home/surfrock66/.scripts/vpn-split-tunnel.sh
[2024-05-09T16:28:02Z INFO openconnect::ffi] OS: linux
[2024-05-09T16:28:02Z INFO openconnect::ffi] CSD_USER: 1000
[2024-05-09T16:28:02Z INFO openconnect::ffi] CSD_WRAPPER: (null)
[2024-05-09T16:28:02Z INFO openconnect::ffi] MTU: 0
[2024-05-09T16:28:02Z INFO openconnect::ffi] POST https://REDACTEDADDRESS/ssl-vpn/getconfig.esp
[2024-05-09T16:28:02Z INFO openconnect::ffi] Connected to REDACTEDADDRESS:443
[2024-05-09T16:28:02Z INFO openconnect::ffi] SSL negotiation with REDACTEDADDRESS
[2024-05-09T16:28:03Z INFO openconnect::ffi] Connected to HTTPS on REDACTEDADDRESS with ciphersuite (TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA256)-(AES-256-GCM)
[2024-05-09T16:28:03Z INFO openconnect::ffi] Tunnel timeout (rekey interval) is 180 minutes.
[2024-05-09T16:28:03Z INFO openconnect::ffi] Idle timeout is 180 minutes.
[2024-05-09T16:28:03Z WARN openconnect::ffi] No MTU received. Calculated 1422 for ESP tunnel
[2024-05-09T16:28:03Z INFO openconnect::ffi] POST https://REDACTEDADDRESS/ssl-vpn/hipreportcheck.esp
[2024-05-09T16:28:03Z INFO openconnect::ffi] ESP session established with server
[2024-05-09T16:28:03Z INFO openconnect::ffi] ESP tunnel connected; exiting HTTPS mainloop.
Warning: /16 as prefix is invalid, only /32 (or none) is supported.
Warning: /16 as prefix is invalid, only /32 (or none) is supported.
Warning: /16 as prefix is invalid, only /32 (or none) is supported.
Warning: /16 as prefix is invalid, only /32 (or none) is supported.
Warning: /16 as prefix is invalid, only /32 (or none) is supported.
Warning: /16 as prefix is invalid, only /32 (or none) is supported.
[2024-05-09T16:28:03Z INFO openconnect::ffi] Using vhost-net for tun acceleration, ring size 32
[2024-05-09T16:28:03Z INFO openconnect::vpn] Connected to VPN, pipe_fd: 12
[2024-05-09T16:28:03Z INFO gpclient::connect] Wrote PID 12891 to /var/run/gpclient.lock
Those warnings make no sense, but I'm not sure which component they're coming from, the routes get created. Looking at the routes on the system, I think it's 1) not replacing the default route (I can research that) and 2) it's adding the whitelisted routes (going through my local gateway named sr66-prosafe-00). Ultimately, I cannot ping VPN resources by IP:
surfrock66@sr66-vdi-02:~$ route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default sr66-prosafe-00 0.0.0.0 UG 100 0 0 ens18
10.2.0.0 sr66-prosafe-00 255.255.0.0 UG 0 0 0 ens18
10.3.0.0 sr66-prosafe-00 255.255.0.0 UG 0 0 0 ens18
10.4.0.0 0.0.0.0 255.255.0.0 U 0 0 0 ens18
10.4.0.0 0.0.0.0 255.255.0.0 U 100 0 0 ens18
10.5.0.0 sr66-prosafe-00 255.255.0.0 UG 0 0 0 ens18
10.6.0.0 sr66-prosafe-00 255.255.0.0 UG 0 0 0 ens18
dns0.tun0 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
dns1.tun0 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
10.99.0.0 sr66-prosafe-00 255.255.0.0 UG 0 0 0 ens18
mail.DOMAIN.TLD 10.4.1.254 255.255.255.255 UG 100 0 0 ens18
Turning off the VPN, these are my expected routes:
surfrock66@sr66-vdi-02:~$ route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default sr66-prosafe-00 0.0.0.0 UG 100 0 0 ens18
10.4.0.0 0.0.0.0 255.255.0.0 U 100 0 0 ens18
if I connect to the vpn without the script, I get this:
The redacted names are my domain controllers (and DNS servers), and the 172 is the correct IP for my VPN subnet.
I'm not sure where the issue is; is there something wrong with the way routes are handled when doing vpn-slice? I wouldn't think there would need to be additional default route commands in my script, but does the utilization of vpn-slice necessitate some other routing commands?
Hi @surfrock66 sorry for the late reply.
It looks like a problem regarding the vpn-slice package. I'm not familiar with it, you may need to report it to dlenski/vpn-slice
The client should support passing a command as the --script parameter, which has been implemented in the dev branch. I will keep this issue open until I release it.