GlobalProtect-openconnect
Connection with GUI works, but not with CLI using the same credentials
Describe the bug
Connection using the GlobalProtect-openconnect GUI works (with the Linux client), but fails with the CLI. The error indicates "Invalid user name", but I have used the same username and password as in the GUI. I even cleared the credentials within the GUI and it worked when copying and pasting the same credentials from a text file.
Expected behavior
Should be able to connect using the CLI just as easily as with the GUI.
Logs
- For the GUI version, you can find the logs at ~/.local/share/gpclient/gpclient.log
- For the CLI version, copy the output of the gpclient command.
(NOTE: remove the personal data from the log)
kris@dev-1:~$ gpclient --ignore-tls-errors connect z.z.z.z
[2024-11-21T19:13:49Z INFO gpclient::cli] gpclient started: 2.1.2 (2024-03-29)
[2024-11-21T19:13:49Z INFO gpclient::cli] TLS errors will be ignored
[2024-11-21T19:13:49Z INFO gpapi::portal::prelogin] Prelogin with user_agent: PAN GlobalProtect
Enter login credentials (Portal: z.z.z.z)
> Username: User1
> Password: ********
[2024-11-21T19:14:02Z INFO gpapi::portal::config] Portal config, user_agent: PAN GlobalProtect
[2024-11-21T19:14:03Z INFO gpclient::connect] Connecting to the only available gateway: ROC-GW (z.z.z.z)
[2024-11-21T19:14:03Z INFO gpapi::gateway::login] Gateway login, user_agent: PAN GlobalProtect
[2024-11-21T19:14:03Z WARN gpapi::gateway::login] Gateway login error: reason=<none>, status=512 <unknown status code>, response=
var respStatus = "Error";
var respMsg = "Authentication failure: Invalid username or password";
thisForm.inputStr.value = "";
[2024-11-21T19:14:03Z INFO gpclient::connect] Gateway login failed: Gateway login error, reason: <none>
[2024-11-21T19:14:03Z INFO gpclient::connect] Performing the gateway authentication...
[2024-11-21T19:14:03Z INFO gpapi::portal::prelogin] Prelogin with user_agent: PAN GlobalProtect
Enter login credentials (Gateway: z.z.z.z)
> Username: User1
> Password: ********
[2024-11-21T19:14:21Z INFO gpapi::gateway::login] Gateway login, user_agent: PAN GlobalProtect
[2024-11-21T19:14:21Z INFO openconnect::ffi] openconnect version: v9.12-1build5
[2024-11-21T19:14:21Z INFO openconnect::ffi] User agent: PAN GlobalProtect
[2024-11-21T19:14:21Z INFO openconnect::ffi] VPNC script: /usr/share/vpnc-scripts/vpnc-script
[2024-11-21T19:14:21Z INFO openconnect::ffi] OS: linux
[2024-11-21T19:14:21Z INFO openconnect::ffi] CSD_USER: 1000
[2024-11-21T19:14:21Z INFO openconnect::ffi] CSD_WRAPPER: (null)
[2024-11-21T19:14:21Z INFO openconnect::ffi] MTU: 0
[2024-11-21T19:14:21Z INFO openconnect::ffi] POST https://z.z.z.z/ssl-vpn/getconfig.esp
[2024-11-21T19:14:21Z INFO openconnect::ffi] Connected to z.z.z.z:443
[2024-11-21T19:14:21Z INFO openconnect::ffi] SSL negotiation with z.z.z.z
[2024-11-21T19:14:22Z INFO openconnect::ffi] Server certificate verify failed: signer not found
[2024-11-21T19:14:22Z INFO openconnect::ffi] Validating peer cert: signer not found
[2024-11-21T19:14:22Z INFO openconnect::ffi] Connected to HTTPS on z.z.z.z with ciphersuite (TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA256)-(AES-256-GCM)
[2024-11-21T19:14:22Z INFO openconnect::ffi] Tunnel timeout (rekey interval) is 180 minutes.
[2024-11-21T19:14:22Z INFO openconnect::ffi] Idle timeout is 180 minutes.
[2024-11-21T19:14:22Z WARN openconnect::ffi] No MTU received. Calculated 1422 for ESP tunnel
[2024-11-21T19:14:22Z INFO openconnect::ffi] POST https://z.z.z.z/ssl-vpn/hipreportcheck.esp
[2024-11-21T19:14:22Z INFO openconnect::ffi] ESP session established with server
[2024-11-21T19:14:22Z INFO openconnect::ffi] ESP tunnel connected; exiting HTTPS mainloop.
[2024-11-21T19:14:22Z WARN openconnect::ffi] Failed to bind local tun device (TUNSETIFF): Operation not permitted
[2024-11-21T19:14:22Z WARN openconnect::ffi] To configure local networking, openconnect must be running as root
See https://www.infradead.org/openconnect/nonroot.html for more information
[2024-11-21T19:14:22Z WARN openconnect::ffi] Failed to bind local tun device (TUNSETIFF): Operation not permitted
[2024-11-21T19:14:22Z WARN openconnect::ffi] To configure local networking, openconnect must be running as root
See https://www.infradead.org/openconnect/nonroot.html for more information
[2024-11-21T19:14:22Z WARN openconnect::ffi] Set up tun device failed
[2024-11-21T19:14:22Z INFO openconnect::ffi] POST https://z.z.z.z/ssl-vpn/logout.esp
[2024-11-21T19:14:22Z INFO openconnect::ffi] SSL negotiation with z.z.z.z
[2024-11-21T19:14:22Z INFO openconnect::ffi] Server certificate verify failed: signer not found
[2024-11-21T19:14:22Z INFO openconnect::ffi] Validating peer cert: signer not found
[2024-11-21T19:14:22Z INFO openconnect::ffi] Connected to HTTPS on z.z.z.z with ciphersuite (TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA256)-(AES-256-GCM)
[2024-11-21T19:14:22Z WARN openconnect::ffi] Invalid user name
[2024-11-21T19:14:22Z WARN openconnect::ffi] Logout failed.
[2024-11-21T19:14:22Z INFO openconnect::ffi] openconnect_mainloop returned -5, exiting
kris@dev-1:~$
Environment:
- OS: Ubuntu 24.04.1 LTS
- Desktop Environment: GNOME
- Output of ps aux | grep 'gnome-keyring\|kwalletd5' | grep -v grep:
kris 4755 0.0 0.1 316632 9984 ? SLsl 10:05 0:00 /usr/bin/gnome-keyring-daemon --foreground --components=pkcs11,secrets --control-directory=/run/user/1000/keyring
- Is remote SSH? No
@kzawad1-ces you should run the CLI as root.
@yuezk I see what is happening now.
I tried the following commands:
sudo gpclient --ignore-tls-errors connect z.z.z.z
sudo gpauth z.z.z.z | sudo gpclient --ignore-tls-errors connect z.z.z.z
I thought the reason it was prompting for a second login was that the credentials were not input correctly, or that there was a bug in the software (since the GUI does not do this) so they were not submitted correctly. However, this is not the case: if I inspect the output carefully, it is logging into two separate entities, PORTAL and GATEWAY. This is why it prompts twice.
kris@dev-1:~$ sudo gpclient --ignore-tls-errors connect z.z.z.z
[2024-11-22T14:23:50Z INFO gpclient::cli] gpclient started: 2.1.2 (2024-03-29)
[2024-11-22T14:23:50Z INFO gpclient::cli] TLS errors will be ignored
[2024-11-22T14:23:50Z INFO gpapi::portal::prelogin] Prelogin with user_agent: PAN GlobalProtect
Enter login credentials (Portal: z.z.z.z)
> Username: User1
> Password: ********
[2024-11-22T14:24:05Z INFO gpapi::portal::config] Portal config, user_agent: PAN GlobalProtect
[2024-11-22T14:24:06Z INFO gpclient::connect] Connecting to the only available gateway: ROC-GW (z.z.z.z)
[2024-11-22T14:24:06Z INFO gpapi::gateway::login] Gateway login, user_agent: PAN GlobalProtect
[2024-11-22T14:24:06Z WARN gpapi::gateway::login] Gateway login error: reason=<none>, status=512 <unknown status code>, response=
var respStatus = "Error";
var respMsg = "Authentication failure: Invalid username or password";
thisForm.inputStr.value = "";
[2024-11-22T14:24:06Z INFO gpclient::connect] Gateway login failed: Gateway login error, reason: <none>
[2024-11-22T14:24:06Z INFO gpclient::connect] Performing the gateway authentication...
[2024-11-22T14:24:06Z INFO gpapi::portal::prelogin] Prelogin with user_agent: PAN GlobalProtect
Enter login credentials (Gateway: z.z.z.z)
> Username: User1
> Password: ********
[2024-11-22T14:24:24Z INFO gpapi::gateway::login] Gateway login, user_agent: PAN GlobalProtect
[2024-11-22T14:24:24Z INFO openconnect::ffi] openconnect version: v9.12-1build5
[2024-11-22T14:24:24Z INFO openconnect::ffi] User agent: PAN GlobalProtect
[2024-11-22T14:24:24Z INFO openconnect::ffi] VPNC script: /usr/share/vpnc-scripts/vpnc-script
[2024-11-22T14:24:24Z INFO openconnect::ffi] OS: linux
[2024-11-22T14:24:24Z INFO openconnect::ffi] CSD_USER: 1000
[2024-11-22T14:24:24Z INFO openconnect::ffi] CSD_WRAPPER: (null)
[2024-11-22T14:24:24Z INFO openconnect::ffi] MTU: 0
[2024-11-22T14:24:24Z INFO openconnect::ffi] POST https://z.z.z.z/ssl-vpn/getconfig.esp
[2024-11-22T14:24:24Z INFO openconnect::ffi] Connected to z.z.z.z:443
[2024-11-22T14:24:24Z INFO openconnect::ffi] SSL negotiation with z.z.z.z
[2024-11-22T14:24:24Z INFO openconnect::ffi] Server certificate verify failed: signer not found
[2024-11-22T14:24:24Z INFO openconnect::ffi] Validating peer cert: signer not found
[2024-11-22T14:24:24Z INFO openconnect::ffi] Connected to HTTPS on z.z.z.z with ciphersuite (TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA256)-(AES-256-GCM)
[2024-11-22T14:24:24Z INFO openconnect::ffi] Tunnel timeout (rekey interval) is 180 minutes.
[2024-11-22T14:24:24Z INFO openconnect::ffi] Idle timeout is 180 minutes.
[2024-11-22T14:24:24Z WARN openconnect::ffi] No MTU received. Calculated 1422 for ESP tunnel
[2024-11-22T14:24:24Z INFO openconnect::ffi] POST https://z.z.z.z/ssl-vpn/hipreportcheck.esp
[2024-11-22T14:24:24Z INFO openconnect::ffi] ESP session established with server
[2024-11-22T14:24:24Z INFO openconnect::ffi] ESP tunnel connected; exiting HTTPS mainloop.
/usr/share/vpnc-scripts/vpnc-script: 600: cannot open /var/run/vpnc/resolv.conf-backup.99525: No such file
[2024-11-22T14:24:26Z WARN openconnect::ffi] Script '/usr/share/vpnc-scripts/vpnc-script' returned error 2
[2024-11-22T14:24:26Z INFO openconnect::ffi] Using vhost-net for tun acceleration, ring size 32
[2024-11-22T14:24:26Z INFO openconnect::vpn] Connected to VPN, pipe_fd: 14
[2024-11-22T14:24:26Z INFO gpclient::connect] Wrote PID 99525 to /var/run/gpclient.lock
^C[2024-11-22T14:24:33Z INFO gpclient::connect] Received the interrupt signal, disconnecting...
[2024-11-22T14:24:33Z INFO openconnect::ffi] Stopping VPN connection: 14
[2024-11-22T14:24:33Z INFO openconnect::ffi] POST https://z.z.z.z/ssl-vpn/logout.esp
[2024-11-22T14:24:33Z INFO openconnect::ffi] SSL negotiation with z.z.z.z
[2024-11-22T14:24:33Z INFO openconnect::ffi] Server certificate verify failed: signer not found
[2024-11-22T14:24:33Z INFO openconnect::ffi] Validating peer cert: signer not found
[2024-11-22T14:24:33Z INFO openconnect::ffi] Connected to HTTPS on z.z.z.z with ciphersuite (TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA256)-(AES-256-GCM)
[2024-11-22T14:24:33Z WARN openconnect::ffi] Invalid user name
[2024-11-22T14:24:33Z WARN openconnect::ffi] Logout failed.
[2024-11-22T14:24:33Z INFO openconnect::ffi] openconnect_mainloop returned -4, exiting
[2024-11-22T14:24:33Z INFO gpclient::connect] Removing PID file
kris@dev-1:~$
Now I am trying to figure out how to make this usable, given that this software ties up the terminal. It is not organized as a background process with separate commands to configure and start/stop the process. So, to make it more usable, @yuezk can you tell me:
- How do I save the credentials (maybe as a profile) and tell it to use the saved credentials to log in, instead of having to put in the username and password every time?
To resolve the double-login issue, try passing the '--as-gateway' option to see if it works for you.
@yuezk , I don't think this is available in my version because I am getting the following error:
kris@dev-1:~$ sudo gpclient --ignore-tls-errors connect z.z.z.z --as-gateway
error: unexpected argument '--as-gateway' found
tip: a similar argument exists: '--gateway'
Usage: gpclient connect <SERVER|--gateway <GATEWAY>|--user <USER>|--script <SCRIPT>|--hip|--csd-user <CSD_USER>|--csd-wrapper <CSD_WRAPPER>|--mtu <MTU>|--user-agent <USER_AGENT>|--os <OS>|--os-version <OS_VERSION>|--hidpi|--clean>
For more information, try '--help'.
kris@dev-1:~$
The help information is the following and it does not have the option to pass in:
kris@dev-1:~$ sudo gpauth --help
Usage: gpauth [OPTIONS] <SERVER>
Arguments:
<SERVER>
Options:
--gateway
--saml-request <SAML_REQUEST>
--user-agent <USER_AGENT> [default: "PAN GlobalProtect"]
--os <OS> [default: Linux] [possible values: Linux, Windows, Mac]
--os-version <OS_VERSION>
--hidpi
--fix-openssl
--ignore-tls-errors
--clean
-h, --help Print help
-V, --version Print version
kris@dev-1:~$ sudo gpclient --help
gpclient 2.1.2 (2024-03-29)
Kevin Yue <[email protected]>
The GlobalProtect VPN client, based on OpenConnect, supports the SSO authentication method.
Usage: gpclient [OPTIONS] <COMMAND>
Commands:
connect Connect to a portal server
disconnect Disconnect from the server
launch-gui Launch the GUI
help Print this message or the help of the given subcommand(s)
Options:
--fix-openssl Get around the OpenSSL `unsafe legacy renegotiation` error
--ignore-tls-errors Ignore the TLS errors
-h, --help Print help
-V, --version Print version
See 'gpclient help <command>' for more information on a specific command.
kris@dev-1:~$ sudo gpclient connect --help
Connect to a portal server
Usage: gpclient connect [OPTIONS] <SERVER>
Arguments:
<SERVER> The portal server to connect to
Options:
-g, --gateway <GATEWAY> The gateway to connect to, it will prompt if not specified
-u, --user <USER> The username to use, it will prompt if not specified
-s, --script <SCRIPT> The VPNC script to use
--hip Use the default CSD wrapper to generate the HIP report and send it to the server
--csd-user <CSD_USER> Same as the '--csd-user' option in the openconnect command
--csd-wrapper <CSD_WRAPPER> Same as the '--csd-wrapper' option in the openconnect command
-m, --mtu <MTU> Request MTU from server (legacy servers only)
--user-agent <USER_AGENT> The user agent to use [default: "PAN GlobalProtect"]
--os <OS> [default: Linux] [possible values: Linux, Windows, Mac]
--os-version <OS_VERSION>
--hidpi The HiDPI mode, useful for high resolution screens
--clean Do not reuse the remembered authentication cookie
-h, --help Print help
kris@dev-1:~$
The version information is the following:
kris@dev-1:~$ sudo gpauth --version
gpauth 2.1.2 (2024-03-29)
kris@dev-1:~$ sudo gpclient --version
gpclient 2.1.2 (2024-03-29)
kris@dev-1:~$
Do I need to get a different version of the software?
It is released in https://github.com/yuezk/GlobalProtect-openconnect/releases/tag/v2.1.3, try to upgrade the client.
Ok, so that new version has the "as-gateway" command input. Now I only get one prompt.
To upgrade, I did the following:
sudo apt remove globalprotect-openconnect
wget https://github.com/yuezk/GlobalProtect-openconnect/releases/download/v2.1.3/globalprotect-openconnect_2.1.3-1_amd64.deb
chmod 0777 globalprotect-openconnect_2.1.3-1_amd64.deb
sudo apt install -y ./globalprotect-openconnect_2.1.3-1_amd64.deb
Then connecting:
kris@dev-1:~/Downloads$ sudo gpclient --ignore-tls-errors connect z.z.z.z --as-gateway
[2024-11-22T15:43:38Z INFO gpclient::cli] gpclient started: 2.1.3 (2024-04-07)
[2024-11-22T15:43:38Z INFO gpclient::cli] TLS errors will be ignored
[2024-11-22T15:43:38Z INFO gpclient::connect] Treating the server as a gateway
[2024-11-22T15:43:38Z INFO gpclient::connect] Performing the gateway authentication...
[2024-11-22T15:43:38Z INFO gpapi::portal::prelogin] Prelogin with user_agent: PAN GlobalProtect
[2024-11-22T15:43:38Z INFO gpapi::portal::prelogin] Prelogin with params: {"ipv6-support": "yes", "clientos": "Linux", "cas-support": "yes", "clientVer": "4100", "tmp": "tmp", "default-browser": "1", "os-version": "Linux Ubuntu 24.04.1 LTS"}
Enter login credentials (Gateway: z.z.z.z)
> Username: User1
> Password: ********
[2024-11-22T15:44:06Z INFO gpapi::gateway::login] Gateway login, user_agent: PAN GlobalProtect
[2024-11-22T15:44:06Z INFO openconnect::ffi] openconnect version: v9.12-1build5
[2024-11-22T15:44:06Z INFO openconnect::ffi] User agent: PAN GlobalProtect
[2024-11-22T15:44:06Z INFO openconnect::ffi] VPNC script: /usr/share/vpnc-scripts/vpnc-script
[2024-11-22T15:44:06Z INFO openconnect::ffi] OS: linux
[2024-11-22T15:44:06Z INFO openconnect::ffi] CSD_USER: 1000
[2024-11-22T15:44:06Z INFO openconnect::ffi] CSD_WRAPPER: (null)
[2024-11-22T15:44:06Z INFO openconnect::ffi] MTU: 0
[2024-11-22T15:44:06Z INFO openconnect::ffi] POST https://z.z.z.z/ssl-vpn/getconfig.esp
[2024-11-22T15:44:06Z INFO openconnect::ffi] Connected to z.z.z.z:443
[2024-11-22T15:44:06Z INFO openconnect::ffi] SSL negotiation with z.z.z.z
[2024-11-22T15:44:06Z INFO openconnect::ffi] Server certificate verify failed: signer not found
[2024-11-22T15:44:06Z INFO openconnect::ffi] Validating peer cert: signer not found
[2024-11-22T15:44:06Z INFO openconnect::ffi] Connected to HTTPS on z.z.z.z with ciphersuite (TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA256)-(AES-256-GCM)
[2024-11-22T15:44:06Z INFO openconnect::ffi] Tunnel timeout (rekey interval) is 180 minutes.
[2024-11-22T15:44:06Z INFO openconnect::ffi] Idle timeout is 180 minutes.
[2024-11-22T15:44:06Z WARN openconnect::ffi] No MTU received. Calculated 1422 for ESP tunnel
[2024-11-22T15:44:06Z INFO openconnect::ffi] POST https://z.z.z.z/ssl-vpn/hipreportcheck.esp
[2024-11-22T15:44:06Z INFO openconnect::ffi] ESP session established with server
[2024-11-22T15:44:06Z INFO openconnect::ffi] ESP tunnel connected; exiting HTTPS mainloop.
[2024-11-22T15:44:07Z INFO openconnect::ffi] Using vhost-net for tun acceleration, ring size 32
[2024-11-22T15:44:07Z INFO openconnect::vpn] Connected to VPN, pipe_fd: 14
[2024-11-22T15:44:07Z INFO gpclient::connect] Wrote PID 7437 to /var/run/gpclient.lock
^Z
[1]+ Stopped sudo gpclient --ignore-tls-errors connect z.z.z.z --as-gateway
kris@dev-1:~/Downloads$
Now, how do I save the credentials, just like in the GUI app?
Try this https://github.com/yuezk/GlobalProtect-openconnect/issues/381#issuecomment-2217591395, which is available in 2.3.4.
@yuezk , that example does work.
Now the struggle is having this run like a process. Linux has something called "network manager" and the "nmcli" command. nmcli is used to control the process in the background. Network manager allows me to create different connections and then tell the service to make a connection. I was hoping this would be similar.
However, this software is not designed/architected in the same way. I was trying to see if I can do this with "&" and have that session run in the background, or if I need to set up a systemd process for this.
Do you have a recommended way of running this "gpclient" on an Ubuntu server with no UI, and then running gpclient in the background?
I prefer the systemd service if it works.
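One way to run the CLI headlessly, as the last reply suggests, is a systemd unit. The unit below is an added example and is not part of this thread or of the GlobalProtect-openconnect project. It assumes the binary is installed at /usr/bin/gpclient (the path is not shown on this page), a placeholder server vpn.example.com and user User1, and that the non-interactive credential mechanism from the linked 2.3.4 comment has already been configured, because a service has no terminal to answer the password prompt. It deliberately does not pass --ignore-tls-errors: the logs above show "Server certificate verify failed: signer not found", and for an unattended service the fix is to install the gateway's CA certificate into the system trust store rather than to disable verification. Note also that the ^Z at the end of the earlier transcript suspends the process (SIGTSTP) rather than backgrounding it, so the tunnel is paused, not running.

```ini
# /etc/systemd/system/gpclient.service  (added example; paths, server and user are assumptions)
#
# Install and follow the logs:
#   sudo systemctl daemon-reload
#   sudo systemctl enable --now gpclient.service
#   journalctl -u gpclient.service -f      # same lines as the gpclient output above
#   systemctl status gpclient.service

[Unit]
Description=GlobalProtect VPN tunnel via gpclient (OpenConnect)
# Dial the gateway only once the host has a network connection.
Wants=network-online.target
After=network-online.target

[Service]
Type=simple
# Runs as root (the default for a system unit): the logs above show openconnect
# needs it to create the tun device (TUNSETIFF) and to run vpnc-script.
# --as-gateway skips the separate portal login, so only one authentication
# happens, as in the v2.1.3 transcript. Replace server and user with your own.
ExecStart=/usr/bin/gpclient connect --as-gateway --user User1 vpn.example.com
# 'gpclient disconnect' exists in the CLI help above; it asks the running
# client to tear the tunnel down cleanly (POST to /ssl-vpn/logout.esp).
ExecStop=/usr/bin/gpclient disconnect
# The transcript shows Ctrl-C (SIGINT) triggers "Received the interrupt signal,
# disconnecting...", so use SIGINT rather than systemd's default SIGTERM for
# anything ExecStop leaves behind.
KillSignal=SIGINT
TimeoutStopSec=20
# Re-dial if the gateway drops the session or the process exits with an error.
Restart=on-failure
RestartSec=15
# Log lines go to the journal, which is where journalctl above reads them.
StandardOutput=journal
StandardError=journal

[Install]
WantedBy=multi-user.target
```

Sandboxing directives such as CapabilityBoundingSet or ProtectSystem are left out on purpose: the client needs CAP_NET_ADMIN for the tun device, and vpnc-script must be able to rewrite /etc/resolv.conf and /var/run/vpnc, so any hardening has to be validated against those paths on a test host before it is rolled out.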