Add Cisco OpenConnect support #39
Comments
ReadMe mentions support now. Is there a quickstart guide? |
Yep, but I couldn't really test it. Try:
I was unable to connect to my work vpn. I translated the CLI command (working) to a CFG file and used it to feed the Here's the command, and output:
My vpn.conf file has:
This vpn.conf file is working with this command:
Where can I find the openconnect file format? I need to specify vpn.server.address.com in the CFG file... I tried some common field names for this but I wasn't able to do much. Maybe this issue doesn't belong here... sorry :$ |
Can you test it with curl directly? Gnome has a lot of issues with using daemons that run outside the network namespace - see issue #65 Like (and look for the output in the logs): |
Switched to kitty, and tried alacritty too. In both cases the terminal is opened but I am unable to ssh into any local machines like I normally would given the vpn session. I see this message, as if all is normal...
Also, I have noticed that this vopono execution asks for my username and password, even when the username was given (as in the vpn.conf already posted). So, when prompted for these login details I wrote 'a' and 'b' as username and password. Instead of a wrong auth, I got the same message:
With a useless kitty or alacritty terminal that is not able to connect to "vpn-local" servers. |
When running "curl ifconfig.co/country" I got my country. (Workplace is also in the same country, not informative actually). So, I tried launching "curl <LAN_server_address>" and I got the unable to resolve host, so the program (curl, in this case) is not inside the network namespace, that is the error. |
Please let me know if any further tests are needed to debug. |
Does it work if you connect with As it's only running openconnect inside the namespace - https://github.com/jamesmcm/vopono/blob/master/src/openconnect.rs#L44 Also in general it's best to run the shell itself via vopono, rather than the terminal emulator. i.e. run alacritty and then run bash via vopono inside it. I don't think that's the issue here anyway though. It's hard to check as I don't have access to an OpenConnect VPN myself anymore. |
Yes, my vpn.conf file is working with this command:
I tried launching bash instead of a tty, and the process got killed too. Actually, first it was suspended. So, I executed |
Hmm, could you try running firefox (when no other firefox instances are running) and specifying the server name explicitly like:
I think the issue might be from this code truncating the server name (introduced to correctly handle long OpenVPN config filenames in #115 since device names can only be 16 characters, but weirdly it doesn't appear hashed in your log output. Are you running the latest version of vopono too? But even that would lead it not to connect, but shouldn't kill the application running in the namespace. Line 129 in a664d5c
I was using version 0.8.8, sorry I didn't check for updates. After upgrading, the problem persists. Now the namespace was 'vopono_c_2y1ZUKMPLZ3'. But the same behavior is in place, even after explicitly specifying the server address with the vopono parameter |
I am launching alacritty now. So far, the application is not terminated anymore... And I am not using vopono config.toml anymore (still it is created and empty). I have found that using the openconnect command with my config file, my IP doesn't change when I do Also, when using openconnect command, I don't get prompted for the username. Yet, when using vopono, I get the prompt. This hints to me that the parsing of the openconnect config file is amiss. In both cases, obviously, the password is asked. That is correct because it is not written in this config. Could it be that vopono is not parsing my openconnect config file correctly? (masked contents are on the first post, if any other field is not being used, aside from the username that I am anyway being prompted... it would explain my situation). |
- Openconnect will now use the custom config provided to Vopono.
- Openconnect is now able to authenticate with the provided password
- It's not possible to provide a username via Vopono to Openconnect
- Openconnect will use the optionally provided server, or the server from its custom config
Fixes jamesmcm#39
Looking at the source-code openconnect wasn't given the provided custom-conf (vopono was ignoring that one). I've created a PR where Vopono passes the config to openconnect which should make openconnect work. There are a few rough edges in the process (user needs to be provided via the openconnect-conf and server can either be provided to the conf or via vopono and not both, or there will be an error), but this worked for me to connect vopono with openconnect and launch a browser in there. |
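The two mechanics argued over above (whether the `openconnect` config file is actually parsed for `user` and the server, and the 16-character device-name limit that forced the hashed namespace/interface names) are easy to get wrong in opposite directions: plain truncation silently collides, and ignoring the config file prompts for credentials the user already wrote down. The following Rust is an added example written for this page, not vopono's or OpenConnect's own code. It assumes the `openconnect --config` line syntax of one long option per line without the leading `--`, accepting both `key=value` and `key value`, and it assumes a `server` key as the in-file place for the host (the thread only says the server may come from the config or from vopono, not both). The sample config and the `vo_` prefix are constructed for the example.

```rust
use std::collections::hash_map::DefaultHasher;
use std::collections::HashMap;
use std::hash::{Hash, Hasher};

/// Linux interface names must fit IFNAMSIZ (16 bytes) including the
/// terminating NUL, so 15 characters is the practical maximum.
pub const MAX_IFNAME_LEN: usize = 15;

/// Constructed sample config for this example; not a real deployment.
pub const SAMPLE_CONF: &str = "\
# constructed sample, not a real config
user=alice
protocol anyconnect
server = vpn.example.com
background
";

/// Parsed view of an `openconnect --config` style file.
#[derive(Debug, Default, PartialEq, Eq)]
pub struct OcConfig {
    /// Long options without the leading `--`; `None` for bare flags such as `background`.
    pub options: HashMap<String, Option<String>>,
}

impl OcConfig {
    /// Value of a `key=value` / `key value` option, if present.
    pub fn value(&self, key: &str) -> Option<&str> {
        self.options.get(key).and_then(|v| v.as_deref())
    }

    /// True if the option appears at all, with or without a value.
    pub fn has(&self, key: &str) -> bool {
        self.options.contains_key(key)
    }
}

/// One option per line: `key=value`, `key value` or a bare `key`.
/// Blank lines and lines starting with `#` are skipped. Only a leading `#`
/// is a comment so that a password containing `#` is not mangled.
/// Accepting both `=` and whitespace as separator is an assumption of this example.
pub fn parse_oc_config(text: &str) -> OcConfig {
    let mut cfg = OcConfig::default();
    for raw in text.lines() {
        let line = raw.trim();
        if line.is_empty() || line.starts_with('#') {
            continue;
        }
        let (key, value) = match line.split_once(|c: char| c == '=' || c.is_whitespace()) {
            Some((k, v)) => {
                // Tolerate `key = value` by stripping any further `=`/spaces.
                let v = v
                    .trim_start_matches(|c: char| c == '=' || c.is_whitespace())
                    .trim_end();
                (k, if v.is_empty() { None } else { Some(v.to_string()) })
            }
            None => (line, None),
        };
        cfg.options.insert(key.to_string(), value);
    }
    cfg
}

/// Mirror the PR's rule: the server comes from vopono's parameter or from the
/// config file, and giving both is an error rather than a silent preference.
pub fn resolve_server(cfg: &OcConfig, cli_server: Option<&str>) -> Result<String, String> {
    match (cli_server, cfg.value("server")) {
        (Some(_), Some(_)) => Err("server given both to vopono and in the openconnect config".into()),
        (Some(s), None) | (None, Some(s)) => Ok(s.to_string()),
        (None, None) => Err("no server given".into()),
    }
}

/// Build a device name for `server` that always fits IFNAMSIZ. Distinct servers
/// are told apart by a short hash suffix, not by truncating the name, which is
/// what made long names collide. DefaultHasher is deterministic within one
/// build but not across Rust releases, so never persist these names.
pub fn device_name(prefix: &str, server: &str) -> String {
    let mut h = DefaultHasher::new();
    server.hash(&mut h);
    let suffix = format!("{:08x}", (h.finish() & 0xffff_ffff) as u32);
    let keep = MAX_IFNAME_LEN - suffix.len();
    let head: String = prefix.chars().take(keep).collect();
    format!("{}{}", head, suffix)
}

fn main() {
    let cfg = parse_oc_config(SAMPLE_CONF);
    println!("user from config: {:?}", cfg.value("user"));
    println!("server: {:?}", resolve_server(&cfg, None));
    println!("device: {}", device_name("vo_vpn.example.com", "vpn.example.com"));
}
```

The `user` lookup is the check the thread wanted: if the parser returns `Some("alice")`, prompting for a username again means the config was never handed to `openconnect`, which is exactly what the PR found.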
I look forward to the next release so that I can try this out! thanks!! |
@EorlBruder Could you provide me with a working example? I'm afraid this is still not working for me (using release 0.10.0). Here's my
This is the command: |
So my openconnect.conf doesn't really look that different:
What is the output of vopono? You get prompted a password and then there should be the output of openconnect connecting - is that different from your general openconnect-output? |
I don't remember it was like this before: now I have to type the password twice. I'm using bash, and I changed the command to be executed by vopono to This is the output/ error I get:
Of course, using openconnect directly works. Not only |
Btw, I have an empty |
The vopono config.toml won't be read anyways in this scenario, so it being empty is okay.
Have you double checked which password it's asking you for? Because for me it first asks me for my user-password and then it asks me for the VPN-password. Regarding the logs I meant more the output of vopono directly, which should look something like this:
Here it asks you for your user password
Now it's time for the OpenConnect VPN password. This will only be asked once. If it fails it should be visible in the following output of openconnect:
Only when those openconnect messages confirm that it managed to connect are you connected to the VPN. It might take a second, though, until it is connected (as you can see, I'm launching chromium and in the first few seconds I won't have connectivity yet). |
I've a passwordless sudo user on my local machine (I know, I shouldn't), so I don't get asked that password. The password prompt when using vopono:
The output when using openconnect without vopono informs of a deprecated TLS (1.0); I think this is the issue I'm hitting... see the first line here:
This connection, without vopono, works for me, even if it's using TLS 1.0. This might be more related to the server I'm connecting to, rather than to the client (vopono). But that is just a guess. Here's the full output when this fails, with debug info included. I can't seem to find what's actually wrong.
Could this be related to different openconnect versions? Here's mine:
I'm on the same OpenConnect version. I'm slightly confused as to why you get prompted for the password twice, but that might actually be something not connected. It looks a bit like you're not getting connection (or at least DNS) inside of the network namespace. What you could try is running all those ip commands to create and configure the namespace manually and see if that works. Vopono does log the commands in debug mode so you could use those. Maybe something is going wrong with your firewall? Are you using a firewall here? Before debugging everything with ip, maybe you could try running vopono with the firewall turned off? |
For Custom VPN config files, add support for Cisco OpenConnect protocol when openconnect client is installed.
Could possibly test with ocserv server: https://ocserv.gitlab.io/www/manual.html