I use netctl-auto@<interface>.service to manage wireless connections and automatically switch between profiles. This generally works well.
I now need to connect to a VPN. I'm pretty clueless about VPNs and the instructions I have are for Ubuntu Linux 20.04 (LTS) which uses NetworkManager. They say to install
openconnect network-manager-openconnect network-manager-openconnect-gnome
and for LTS
globalprotect-openconnect
So I installed openconnect and globalprotect-openconnect. In the NetworkManager case, they say to select Palo Alto Networks GlobalProtect as the Protocol VPN and provide the value for Gateway. Beyond that, they say to select the 'defaults' in the IPv4 and IPv6 tabs, which is less than helpful.
Edit: I thought I would start by just seeing if I could figure out how to connect.
$ sudo openconnect --protocol=gp https://<address-given-as-gateway-value>/
POST https://<address-given-as-gateway-value>/global-protect/prelogin.esp?tmp=tmp&clientVer=4100&clientos=Linux
Connected to <ip-address>:443
SSL negotiation with <address-given-as-gateway-value>
Connected to HTTPS on <address-given-as-gateway-value> with ciphersuite (TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA256)-(AES-256-GCM)
SAML REDIRECT authentication is required via https://login.microsoftonline.com/<longish-string>/saml2?SAMLRequest=<incredibly-long-string>&RelayState=<longish-string>
When SAML authentication is complete, specify destination form field by appending :field_name to login URL.
Failed to parse server response
Failed to complete authentication
If I put <incredibly-long-string> into a browser, I get a prompt to use MFA and then a login failure. If I repeat the exercise from the beginning, I get a successful login, but I have no idea what to do next. How do I actually use it? For example, how do I access a web page which is only available via VPN from off-campus?
Edit 2: OK, so if I launch gpclient and put the gateway value in when asked for the portal to connect to, I get the MFA prompt and login screens. It now says I'm connected, but I can't figure out how to **use** that connection. Moreover, the globalprotect-openconnect package doesn't seem to include any documentation. Do I need a special application to access an internet site over the VPN? gpclient said it had moved the configuration file to /etc, so I peeked at /etc/gpservice.conf:
# Configuration file for GlobalProtect-openconnect
#
# Description:
#
# Each section is a VPN gateway address, and [*] is a special section that defines the default configuration.
# See https://github.com/yuezk/GlobalProtect-openconnect/wiki/Configuration for more details.
#
# Example:
#
# [*]
# openconnect-args=<value>
#
# [vpn1.company.com]
# openconnect-args=--script=/path/to/vpnc-script
[*]
openconnect-args=
https://github.com/yuezk/GlobalProtect- … figuration isn't much more enlightening. The journal shows the connection is there and the authentication succeeds. I think the problem is I don't know how to use the connection, i.e. how to send things over the tun interface I can see in the log.
Ultimately, I would like to figure out two things:
whether I can use netctl to configure the connection while using netctl-auto@.service to manage profiles and, if so, how;
how to create a netctl configuration for the VPN I'm trying to connect to.
The wiki has an example profile and instructions for GlobalProtect but I'm not clear how I'm supposed to put things together or how to adapt the profile.
For example, the wiki says to switch to/from the VPN with
$ netctl start vpn
$ netctl restart vpn
$ netctl stop vpn
but the netctl command doesn't work with netctl-auto@.service. netctl-auto doesn't seem to offer equivalent functionality.
What's really confusing me is that I'm not adding another profile for netctl to consider selecting. Instead, I'm trying to use something on top of whichever profile is currently active. Is that correct?
Some parts of the profile are also unclear to me. I can't find all of the keys (e.g. LOCAL_USER) in the netctl.profile documentation. I can't even figure out if
Interface=vpn
Connection=tuntap
Mode=tun
would be appropriate for the kind of VPN I'm trying to connect to.
Last edited by cfr (2022-12-16 01:42:39)
CLI Paste | How To Ask Questions
Arch Linux | x86_64 | GPT | EFI boot | refind | stub loader | systemd | LVM2 on LUKS
Lenovo x270 | Intel(R) Core(TM) i5-7200U CPU @ 2.50GHz | Intel Wireless 8265/8275 | US keyboard w/ Euro | 512G NVMe INTEL SSDPEKKF512G7L
Since I'm neither using netctl nor openconnect I can only (hopefully) assist you a little in a general sense.
Your "netctl-auto@<interface>.service" configurations provide your PC with working network/internet connections. Every VPN depends on a fully working internet connection. A "full tunnel" VPN (see below) may replace DNS and the connectivity to every IP address except its own VPN tunnel endpoint. Connectivity to the latter still relies on the underlying pre-VPN internet connection.
So your VPN does not substitute your "netctl-auto" profiles - it adds to them.
Some VPNs can be set up in "tunnel mode" or "bridge mode" (rare) which require different server and client configurations. If your VPN provider doesn't explicitly tell you to set up a client in "bridge mode" you have a "tunnel mode" VPN. The correct tuntap device mode for the latter is "tun".
Every VPN alters (at least) the routing table after successfully connecting to the endpoint. The "internal" on-campus resources can be accessed as if your PC is physically on-campus and connected to the on-campus network - no special applications or tricks are required.
VPNs can be set up in different scopes: "Full tunnel" or "Split tunnel". Your VPN provider may provide you with one of them or both.
"Full tunnel" VPNs redirect the complete internet connectivity (including DNS) through the VPN - except its own IP tunnel connection to the VPN endpoint. To all off-campus servers it looks like your PC is on campus - this is why VPNs are used to circumvent geoblocking.
"Split tunnel" (rare) VPNs redirect only the campus IP addresses (and possibly DNS) through the VPN. This way only connections to on-campus resources (and possibly DNS) traverse the VPN - everything else takes the normal route.
> Since I'm neither using netctl nor openconnect I can only (hopefully) assist you a little in a general sense.
Thanks. Even though that doesn't directly solve anything, that's really helpful because it gives me at least some idea of how it is supposed to work. I'll have another go and see if I can get any further. Is there a way to check whether the routing table has been modified?
> Is there a way to check whether the routing table has been modified?
Run...
ip r
...to print the routing table before and after you've connected and compare the two.
When I'm connected (omitting local and ethernet, which isn't connected):
$ ip addr
3: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether f4:96:34:dc:aa:f5 brd ff:ff:ff:ff:ff:ff
inet <home lan ip address>0/24 brd 192.168.0.255 scope global wlan0
valid_lft forever preferred_lft forever
inet6 fe80::f696:34ff:fedc:aaf5/64 scope link
valid_lft forever preferred_lft forever
5: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1422 qdisc fq_codel state UNKNOWN group default qlen 500
link/none
inet 172.18.146.4/32 scope global tun0
valid_lft forever preferred_lft forever
inet6 fe80::f0ed:c08e:f0aa:e643/64 scope link stable-privacy
valid_lft forever preferred_lft forever
$ ip r
default via <home lan ip address> dev wlan0
10.0.0.0/8 dev tun0 scope link
10.239.204.21 dev tun0 scope link
10.239.204.22 dev tun0 scope link
10.255.232.63 via <home lan ip address> dev wlan0
10.255.232.64 via <home lan ip address> dev wlan0
YY.140.181.106 dev tun0 scope link
YY.140.190.1 dev tun0 scope link
YY.143.168.247 dev tun0 scope link
ZZZ.238.176.204 dev tun0 scope link
XXX.251.128.0/17 dev tun0 scope link
XXX.251.255.229 via <home lan ip address> dev wlan0
VVV.155.131.154 dev tun0 scope link
WWW.86.128.193 dev tun0 scope link
WWW.86.128.195 dev tun0 scope link
172.16.62.0/24 dev tun0 scope link
172.18.146.4 dev tun0 scope link
172.19.0.0/17 dev tun0 scope link
172.20.32.0/24 dev tun0 scope link
172.20.40.0/24 dev tun0 scope link
172.21.0.0/16 dev tun0 scope link
172.25.0.0/16 dev tun0 scope link
172.26.0.0/16 dev tun0 scope link
172.27.0.0/17 dev tun0 scope link
172.27.33.0/24 dev tun0 scope link
172.29.0.0/16 dev tun0 scope link
172.30.0.0/16 dev tun0 scope link
172.31.210.0/23 dev tun0 scope link
MMM.107.63.105 dev tun0 scope link
NNN.64.253.1 dev tun0 scope link
NNN.64.255.149 dev tun0 scope link
NNN.146.180.32/29 dev tun0 scope link
NNN.146.180.152/29 dev tun0 scope link
<home router ip addr>/24 dev wlan0 proto kernel scope link src <home lan ip address>0
When I'm not (omitting local and ethernet):
$ ip addr
3: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether f4:96:34:dc:aa:f5 brd ff:ff:ff:ff:ff:ff
inet <home lan ip address>0/24 brd 192.168.0.255 scope global wlan0
valid_lft forever preferred_lft forever
inet6 fe80::f696:34ff:fedc:aaf5/64 scope link
valid_lft forever preferred_lft forever
$ ip r
default via <home lan ip address> dev wlan0
<home router ip addr>/24 dev wlan0 proto kernel scope link src <home lan ip address>0
So I have achieved something, even if I don't know exactly what?
But I can't access the page I'm trying to access even when I am connected, so whatever I've done, I haven't done it right?
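As an added example (not part of the thread or of any project mentioned in it), here is a small Python script that does the before/after comparison suggested in the earlier reply: it parses `ip r` output, lists which destinations were moved onto the tunnel, which new host routes were pinned to the underlay (the VPN endpoint exclusion described above), and whether the default route moved, i.e. whether this is a full or a split tunnel. The two route tables are constructed from the output posted above, with the placeholder addresses filled in with 192.168.0.x values.

```python
import re

# Constructed sample `ip r` output, modelled on the tables posted in this thread
# (placeholders such as <home lan ip address> replaced with 192.168.0.x).
BEFORE = """\
default via 192.168.0.1 dev wlan0
192.168.0.0/24 dev wlan0 proto kernel scope link src 192.168.0.10
"""
AFTER = """\
default via 192.168.0.1 dev wlan0
10.0.0.0/8 dev tun0 scope link
10.255.232.63 via 192.168.0.1 dev wlan0
172.18.146.4 dev tun0 scope link
172.21.0.0/16 dev tun0 scope link
192.168.0.0/24 dev wlan0 proto kernel scope link src 192.168.0.10
"""

def parse_routes(text):
    """Map each destination in `ip r` output to a (via, dev) pair."""
    routes = {}
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        via = re.search(r"\bvia (\S+)", line)
        dev = re.search(r"\bdev (\S+)", line)
        routes[parts[0]] = (via.group(1) if via else None, dev.group(1) if dev else None)
    return routes

def compare_routes(before, after, tun="tun0"):
    """Diff two route tables and classify what connecting the VPN changed."""
    old, new = parse_routes(before), parse_routes(after)
    added = {d: r for d, r in new.items() if d not in old}
    removed = {d: r for d, r in old.items() if d not in new}
    changed = {d: (old[d], new[d]) for d in old if d in new and old[d] != new[d]}
    # Destinations that are now reached through the tunnel device.
    tunnelled = sorted(d for d, (_, dev) in added.items() if dev == tun)
    # New routes that stay on the underlay: typically host routes pinning the
    # VPN endpoint(s) so the tunnel's own traffic is not sent into the tunnel.
    pinned = sorted(d for d, (_, dev) in added.items() if dev != tun)
    # Full tunnel if the default route moved to tun, or if both /1 halves that
    # some vpnc-scripts install to override the default route are on tun.
    on_tun = lambda d: new.get(d, (None, None))[1] == tun
    full = on_tun("default") or (on_tun("0.0.0.0/1") and on_tun("128.0.0.0/1"))
    return {"added": added, "removed": removed, "changed": changed, "tunnelled": tunnelled,
            "pinned": pinned, "mode": "full tunnel" if full else "split tunnel"}

if __name__ == "__main__":
    for key, value in compare_routes(BEFORE, AFTER).items():
        print(f"{key}: {value}")
```

To use it on a real system, save the output of `ip r` before and after connecting and pass the two captures to `compare_routes`; on the tables posted above the default route stays on wlan0, so only the listed campus prefixes traverse tun0.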
Pretty sure it was right. The problem was chromium. Switching to firefox makes it work as expected - or as expected so far, at least.
I haven't figured out how to connect to the VPN neatly, but just getting it to work seems to have been enough for one thread.