jamesmcm / vopono

Run applications through VPN tunnels with temporary network namespaces
GNU General Public License v3.0

Add Cisco OpenConnect support #39

Closed jamesmcm closed 2 years ago

jamesmcm commented 3 years ago

For Custom VPN config files, add support for Cisco OpenConnect protocol when openconnect client is installed.

Could possibly test with ocserv server: https://ocserv.gitlab.io/www/manual.html

mrbluecoat commented 3 years ago

ReadMe mentions support now. Is there a quickstart guide?

jamesmcm commented 3 years ago

Yep, but I couldn't really test it.

Try:

vopono -v exec --provider custom --protocol openconnect --custom ./openconnect_config.conf

adRn-s commented 2 years ago

I was unable to connect to my work VPN. I translated the (working) CLI command to a CFG file and used it to feed the --custom parameter of vopono. I am running gnome-terminal; this launches OK. But immediately the vopono namespace is killed, telling me there's no process running... of course, the remaining gnome-terminal is unable to ssh into any local machine as it can in any normal VPN work session.

Here's the command, and output:

❯ vopono -v exec --provider custom --protocol openconnect --custom /data/xx/vpn.conf gnome-terminal
 2022-02-22T18:51:59.976Z DEBUG vopono::util > Using config dir from $HOME config: /home/myname/.config
 2022-02-22T18:51:59.976Z DEBUG vopono::util > Cleaning dead lock files...
 2022-02-22T18:52:00.981Z DEBUG vopono::pulseaudio > Setting PULSE_SERVER to /run/user/1000/pulse/native
 2022-02-22T18:52:00.981Z INFO  vopono::util       > Calling sudo for elevated privileges, current user will be used as default user
 2022-02-22T18:52:00.981Z DEBUG vopono::util       > Args: ["vopono", "-v", "exec", "--provider", "custom", "--protocol", "openconnect", "--custom", "/data/xx/vpn.conf", "gnome-terminal"]
 2022-02-22T18:52:01.183Z DEBUG vopono::util > Using config dir from $HOME config: /home/myname/.config
 2022-02-22T18:52:01.183Z DEBUG vopono::util > Cleaning dead lock files...
 2022-02-22T18:52:02.188Z DEBUG vopono::pulseaudio > Setting PULSE_SERVER to /run/user/1000/pulse/native
 2022-02-22T18:52:02.188Z DEBUG vopono::util       > Using config dir from $HOME config: /home/myname/.config
 2022-02-22T18:52:02.188Z DEBUG vopono::util       > Existing namespaces: []
 2022-02-22T18:52:02.188Z DEBUG vopono::util       > Using config dir from $HOME config: /home/myname/.config
 2022-02-22T18:52:02.188Z DEBUG vopono::util       > Using config dir from $HOME config: /home/myname/.config
 2022-02-22T18:52:02.189Z DEBUG vopono::exec       > vopono config.toml: configuration property "firewall" not found
 2022-02-22T18:52:02.189Z DEBUG vopono::exec       > vopono config.toml: configuration property "postup" not found
 2022-02-22T18:52:02.189Z DEBUG vopono::exec       > vopono config.toml: configuration property "predown" not found
 2022-02-22T18:52:02.189Z DEBUG vopono::exec       > vopono config.toml: configuration property "user" not found
 2022-02-22T18:52:02.189Z DEBUG vopono::exec       > vopono config.toml: configuration property "dns" not found
 2022-02-22T18:52:02.189Z DEBUG vopono::network_interface > ip addr
 2022-02-22T18:52:02.189Z DEBUG vopono::exec              > Interface: wlp0x00x2
 2022-02-22T18:52:02.190Z DEBUG vopono::util              > Existing namespaces: []
 2022-02-22T18:52:02.190Z DEBUG vopono::util              > ip netns add vopono_custom_vpn.
 2022-02-22T18:52:02.191Z INFO  vopono::netns             > Created new network namespace: vopono_custom_vpn.
 2022-02-22T18:52:02.192Z DEBUG vopono::util              > Existing interfaces: 
 2022-02-22T18:52:02.192Z DEBUG vopono::util              > Assigned IPs: []
 2022-02-22T18:52:02.192Z DEBUG vopono::netns             > ip netns exec vopono_custom_vpn. ip addr add 127.0.0.1/8 dev lo
 2022-02-22T18:52:02.194Z DEBUG vopono::netns             > ip netns exec vopono_custom_vpn. ip link set lo up
STATE      CONNECTIVITY  WIFI-HW  WIFI     WWAN-HW  WWAN    
connected  full          enabled  enabled  enabled  enabled 
 2022-02-22T18:52:02.207Z DEBUG vopono::veth_pair         > Detected NetworkManager running
 2022-02-22T18:52:02.207Z DEBUG vopono::veth_pair         > NetworkManager detected, adding custom_vpn._d to unmanaged devices
 2022-02-22T18:52:02.207Z DEBUG vopono::veth_pair         > Appending to existing NetworkManager config file: /etc/NetworkManager/conf.d/unmanaged.conf
 2022-02-22T18:52:02.208Z DEBUG vopono::util              > nmcli connection reload
 2022-02-22T18:52:02.216Z DEBUG vopono::veth_pair         > firewalld not detected running
 2022-02-22T18:52:02.216Z DEBUG vopono::util              > ip link add custom_vpn._d type veth peer name custom_vpn._s
 2022-02-22T18:52:02.217Z DEBUG vopono::util              > ip link set custom_vpn._d up
 2022-02-22T18:52:02.218Z DEBUG vopono::util              > ip link set custom_vpn._s netns vopono_custom_vpn. up
 2022-02-22T18:52:02.227Z DEBUG vopono::util              > ip addr add 10.200.1.1/24 dev custom_vpn._d
 2022-02-22T18:52:02.233Z DEBUG vopono::netns             > ip netns exec vopono_custom_vpn. ip addr add 10.200.1.2/24 dev custom_vpn._s
 2022-02-22T18:52:02.236Z DEBUG vopono::netns             > ip netns exec vopono_custom_vpn. ip route add default via 10.200.1.1 dev custom_vpn._s
 2022-02-22T18:52:02.238Z INFO  vopono::netns             > IP address of namespace as seen from host: 10.200.1.2
 2022-02-22T18:52:02.238Z INFO  vopono::netns             > IP address of host as seen from namespace: 10.200.1.1
 2022-02-22T18:52:02.238Z DEBUG vopono::util              > nft add table inet vopono_nat
 2022-02-22T18:52:02.239Z DEBUG vopono::util              > nft add chain inet vopono_nat postrouting { type nat hook postrouting priority 100 ; }
 2022-02-22T18:52:02.241Z DEBUG vopono::util              > nft add rule inet vopono_nat postrouting oifname wlp0s20f3 ip saddr 10.200.1.0/24 counter masquerade
 2022-02-22T18:52:02.243Z DEBUG vopono::util              > nft add table inet vopono_bridge
 2022-02-22T18:52:02.244Z DEBUG vopono::util              > nft add chain inet vopono_bridge forward { type filter hook forward priority -10 ; }
 2022-02-22T18:52:02.246Z DEBUG vopono::util              > nft add rule inet vopono_bridge forward iifname custom_vpn._d oifname wlp0s20f3 counter accept
 2022-02-22T18:52:02.248Z DEBUG vopono::util              > nft add rule inet vopono_bridge forward oifname custom_vpn._d iifname wlp0s20f3 counter accept
 2022-02-22T18:52:02.251Z DEBUG vopono::util              > sysctl -q net.ipv4.ip_forward=1
 2022-02-22T18:52:02.251Z DEBUG vopono::dns_config        > Setting namespace vopono_custom_vpn. DNS server to 8.8.8.8
OpenConnect username: [removed-by-myself]
OpenConnect password: [hidden]
 2022-02-22T18:52:08.234Z INFO  vopono::openconnect       > Launching OpenConnect...
 2022-02-22T18:52:08.234Z DEBUG vopono::netns             > ip netns exec vopono_custom_vpn. openconnect --user=myremoteuser --passwd-on-stdin vpn.
 2022-02-22T18:52:08.234Z DEBUG vopono::util              > Using config dir from $HOME config: /home/myname/.config
 2022-02-22T18:52:08.234Z DEBUG vopono::netns             > Writing lockfile: /home/myname/.config/vopono/locks/vopono_custom_vpn.
 2022-02-22T18:52:08.234Z DEBUG vopono::netns             > Lockfile written: /home/myname/.config/vopono/locks/vopono_custom_vpn./392004
 2022-02-22T18:52:08.234Z DEBUG vopono::util              > Using config dir from $HOME config: /home/myname/.config
 2022-02-22T18:52:08.360Z DEBUG vopono::netns             > ip netns exec vopono_custom_vpn. sudo -Eu myname gnome-terminal
 2022-02-22T18:52:08.361Z INFO  vopono::exec              > Application gnome-terminal launched in network namespace vopono_custom_vpn. with pid 392679
 2022-02-22T18:52:08.649Z DEBUG vopono::util              > Using config dir from $HOME config: /home/myname/.config
 2022-02-22T18:52:08.649Z DEBUG vopono::util              > Using config dir from $HOME config: /home/myname/.config
 2022-02-22T18:52:08.649Z INFO  vopono::netns             > Shutting down vopono namespace - as there are no processes left running inside
 2022-02-22T18:52:08.649Z DEBUG vopono::util              > ip link delete custom_vpn._d
 2022-02-22T18:52:08.665Z DEBUG vopono::util              > Using config dir from $HOME config: /home/myname/.config
 2022-02-22T18:52:08.666Z DEBUG vopono::util              > nmcli connection reload
 2022-02-22T18:52:08.673Z DEBUG vopono::util              > Using config dir from $HOME config: /home/myname/.config
 2022-02-22T18:52:08.673Z DEBUG vopono::host_masquerade   > Remaining namespaces: Ok({})
 2022-02-22T18:52:08.673Z DEBUG vopono::util              > nft delete table inet vopono_nat
 2022-02-22T18:52:08.676Z DEBUG vopono::util              > Using config dir from $HOME config: /home/myname/.config
 2022-02-22T18:52:08.676Z DEBUG vopono::host_masquerade   > Remaining namespaces: Ok({})
 2022-02-22T18:52:08.676Z DEBUG vopono::util              > nft delete table inet vopono_bridge
 2022-02-22T18:52:08.677Z DEBUG vopono::util              > ip netns delete vopono_custom_vpn.
 2022-02-22T18:52:08.678Z DEBUG vopono::openconnect       > Killed OpenConnect (pid: 392678)

My vpn.conf file has:

no-dtls
user = [removed]
authgroup = zzzz
certificate = /data/xx/vpn.p12
key-password = xxxxxxx
servercert = sha256:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx...

This vpn.conf file is working with this command:

sudo openconnect --config /data/xx/vpn.conf vpn.server.address.com

adRn-s commented 2 years ago

Where can I find the openconnect file format? I need to specify vpn.server.address.com in the CFG file... I tried some common field names for this but I wasn't able to do much.

Maybe this issue doesn't belong here... sorry :$

jamesmcm commented 2 years ago

Can you test it with curl directly? Gnome has a lot of issues with using daemons that run outside the network namespace - see issue #65

Like (and look for the output in the logs): $ vopono -v exec --provider custom --protocol openconnect --custom /data/xx/vpn.conf "curl ifconfig.co/country"

adRn-s commented 2 years ago

Switched to kitty, and tried alacritty too. In both cases the terminal is opened but I am unable to ssh into any local machines like I normally would given the VPN session. I see this message, as if all were normal...

> Application [[kitty|alacritty]] launched in network namespace vopono_custom_vpn. with pid NNNNNNNNN

Also, I have noticed that this vopono execution asks for my username and password, even though the username was given (in the vpn.conf already posted).

So, when prompted for these login details I wrote 'a' and 'b' as username and password. Instead of a wrong auth, I got the same message:

> Application [[terminal]] launched in network namespace vopono_custom_vpn. with pid NNNNNNNNN

With a useless kitty or alacritty terminal that is not able to connect to "vpn-local" servers.

adRn-s commented 2 years ago

When running "curl ifconfig.co/country" I got my country. (Workplace is also in the same country, not informative actually.) So, I tried launching "curl " and I got "unable to resolve host", so the program (curl, in this case) is not inside the network namespace; that is the error.

adRn-s commented 2 years ago

Please let me know if any further tests are needed to debug.

jamesmcm commented 2 years ago

Does it work if you connect with openconnect normally, outside of vopono?

As it's only running openconnect inside the namespace - https://github.com/jamesmcm/vopono/blob/master/src/openconnect.rs#L44

Also in general it's best to run the shell itself via vopono, rather than the terminal emulator. i.e. run alacritty and then run bash via vopono inside it. I don't think that's the issue here anyway though.

It's hard to check as I don't have access to an OpenConnect VPN myself anymore.

adRn-s commented 2 years ago

Yes, my vpn.conf file is working with this command:

sudo openconnect --config /data/xx/vpn.conf vpn.server.address.com

I tried launching bash instead of a tty, and the process got killed too. Actually, first it was suspended. So, I executed fg and that brought it to foreground; but only to see it killed... so the namespace was removed... usual process I already described. This is odd.

jamesmcm commented 2 years ago

Hmm, could you try running firefox (when no other firefox instances are running) and specifying the server name explicitly like:

$ vopono -v exec --provider custom --protocol openconnect --custom /data/xx/vpn.conf --server vpn.XXXXX.com firefox

I think the issue might be from this code truncating the server name (introduced to correctly handle long OpenVPN config filenames in #115, since device names can only be 16 characters), but weirdly it doesn't appear hashed in your log output. Are you running the latest version of vopono too?

But even that would lead it not to connect, but shouldn't kill the application running in the namespace.

https://github.com/jamesmcm/vopono/blob/a664d5c1205424937da6c61eccef96d45caef6e7/src/exec.rs#L129

adRn-s commented 2 years ago

I was using version 0.8.8, sorry I didn't check for updates. After upgrading, the problem persists. Now the namespace was 'vopono_c_2y1ZUKMPLZ3'. But the same behavior is in place, even after explicitly specifying the server address with the vopono parameter --server.

adRn-s commented 2 years ago

Could it be that my ~/.config/vopono/config.toml is getting in the middle? This one I am using for another VPN... I see in the output the message: "Using config dir from $HOME config". << EDIT: Removing it didn't help.

adRn-s commented 2 years ago

I am launching alacritty now. So far, the application is not terminated anymore... And I am not using vopono config.toml anymore (still it is created and empty).

I have found that using the openconnect command with my config file, my IP doesn't change when I do curl ifconfig.co. But, when I use vopono, my IP address does change for ifconfig.co ... of course, bringing in another player further complicates things. But I found this interesting. It makes sense that my workplace doesn't mask my IP address with this configuration file. Maybe vopono has a stricter interpretation of this openconnect config file?

Also, when using the openconnect command, I don't get prompted for the username. Yet, when using vopono, I get the prompt. This hints to me that the parsing of the openconnect config file is amiss. In both cases, obviously, the password is asked for. That is correct because it is not written in this config.

Could it be that vopono is not parsing my openconnect config file correctly? (Masked contents are in the first post; if any other field is not being used, aside from the username that I am anyway being prompted for, it would explain my situation.)

david-jointech commented 2 years ago

Looking at the source code, openconnect wasn't given the provided custom conf (vopono was ignoring that one). I've created a PR where vopono passes the config to openconnect, which should make openconnect work.

There are a few rough edges in the process (the user needs to be provided via the openconnect conf, and the server can be provided either in the conf or via vopono but not both, or there will be an error), but this worked for me to connect vopono with openconnect and launch a browser in there.

adRn-s commented 2 years ago

I look forward to the next release so that I can try this out! thanks!!

adRn-s commented 2 years ago

@EorlBruder Could you provide me with a working example?

I'm afraid this is still not working for me (using release 0.10.0). Here's my openconnect.conf file:

no-dtls
user = username
authgroup = activegroup
certificate = /path/to/vpn.cert.p12
key-password = something
servercert = sha256:hash

This is the command: vopono -v exec --provider custom --protocol openconnect --custom /path/to/openconnect.conf --server xxx.xxx.xx.xxx:443 alacritty. This runs as expected, I get the term inside the newly created network space. Yet, I can't reach any of the servers available inside the network, as I do when I run openconnect directly (I will paste it here for reference: sudo openconnect --config /path/to/openconnect.conf xxx.xxx.xx.xxx:443).

david-jointech commented 2 years ago

So my openconnect.conf doesn't really look that different:

server = <domain>
user = <user>
authgroup = <authgroup>
no-dtls

What is the output of vopono? You get prompted for a password and then there should be the output of openconnect connecting - is that different from your general openconnect output? If it looks like openconnect connected successfully, you could try running the command you want to connect with the server directly with vopono (instead of alacritty), because I remember having problems running something like zsh with vopono - maybe some config there destroys things.

adRn-s commented 2 years ago

I don't remember it was like this before: now I have to type the password twice.

I'm using bash, and I changed the command to be executed by vopono to ssh instead of my term/ web browser.

This is the output/ error I get:

getaddrinfo failed for host 'theserveraddress.com': Temporary failure in name resolution
Failed to open HTTPS connection to theserveraddress.com
Failed to complete authentication
ssh: Could not resolve hostname nameofserverthatshouldbereachable: Temporary failure in name resolution

Of course, using openconnect directly works. Not only can I reach theserveraddress.com, I can also ssh into nameofserverthatshouldbereachable.

adRn-s commented 2 years ago

Btw, I have an empty ~/.config/vopono/config.toml

david-jointech commented 2 years ago

The vopono config.toml won't be read anyways in this scenario, so it being empty is okay.

> now I have to type the password twice.

Have you double checked which password it's asking you for? Because for me it first asks me for my user-password and then it asks me for the VPN-password.

Regarding the logs I meant more the output of vopono directly, which should look something like this:

2022-08-13T16:34:04.125Z INFO  vopono::util > Calling sudo for elevated privileges, current user will be used as default user
[sudo] password for <user>: 

Here it asks you for your user password.

 2022-08-13T16:34:08.188Z INFO  vopono::netns > Created new network namespace: vopono_c_
STATE      CONNECTIVITY  WIFI-HW  WIFI     WWAN-HW  WWAN
connected  full          enabled  enabled  missing  enabled
 2022-08-13T16:34:08.442Z INFO  vopono::netns > IP address of namespace as seen from host: 10.200.1.2
 2022-08-13T16:34:08.443Z INFO  vopono::netns > IP address of host as seen from namespace: 10.200.1.1
OpenConnect password: [hidden]

Now it's time for the OpenConnect-VPN password. This will only be asked once. If it fails it should be visible in the following output of openconnect:

 2022-08-13T16:34:27.967Z INFO  vopono::openconnect > Launching OpenConnect...
POST https://<host>/
Connected to <ip>:443
SSL negotiation with <host>
 2022-08-13T16:34:28.178Z INFO  vopono::exec        > Application chromium launched in network namespace vopono_c_ with pid 443367
Connected to HTTPS on <host> with ciphersuite (TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA512)-(AES-256-GCM)
XML POST enabled
Domain account and password [ without <domain>\  ].
POST<host>
XML POST enabled
Domain account and password [ without <domain>\  ].
POST <host>
Got CONNECT response: HTTP/1.1 200 OK
CSTP connected. DPD 30, Keepalive 20
Configured as <local-ip>, with SSL connected and DTLS disabled
Session authentication will expire at Sun Aug 14 05:34:28 2022

Only when those openconnect messages confirm that it managed to connect are you connected to the VPN. It might take a sec though, till it is connected (as you can see I'm launching chromium and in the first few seconds I won't have connectivity yet).

adRn-s commented 2 years ago

I've a passwordless sudo user on my local machine (I know, I shouldn't), so I don't get asked that password.

The password prompt when using vopono:

 2022-08-15T09:57:06.490Z INFO  vopono_core::network::netns             > IP address of namespace as seen from host: 10.200.1.2
 2022-08-15T09:57:06.490Z INFO  vopono_core::network::netns             > IP address of host as seen from namespace: 10.200.1.1
OpenConnect password:
Confirm password:

The output when using openconnect without vopono informs of a deprecated TLS (1.0); I think this is the issue I'm hitting... see the first line here:

Connected to HTTPS on **subdomain.domain.tld** with ciphersuite (TLS1.0)-(DHE-CUSTOM1024)-(AES-256-CBC)-(SHA1)
XML POST enabled
My Server Title Is Printed Here
Please enter your credentials
Password:
POST https://subdomain.domain.tld/
Got CONNECT response: HTTP/1.1 200 OK

This connection, without vopono, works for me, even if it's using TLS 1.0.

This might be more related to the server I'm connecting to, rather than to the client (vopono).

But that is just a guess.

Here's the full output when this fails, with debug info included. I can't seem to find what's actually wrong.

OpenConnect password: [hidden]
 2022-08-15T10:01:34.884Z INFO  vopono_core::network::openconnect       > Launching OpenConnect...
 2022-08-15T10:01:34.884Z DEBUG vopono_core::network::netns             > ip netns exec vopono_c_ openconnect --config /mydata/opencon/vpn.conf --passwd-on-stdin
 2022-08-15T10:01:34.884Z DEBUG vopono_core::util                       > Using config dir from $HOME config: /home/mylocaluser/.config
 2022-08-15T10:01:34.884Z DEBUG vopono_core::network::netns             > Writing lockfile: /home/mylocaluser/.config/vopono/locks/vopono_c_
 2022-08-15T10:01:34.884Z DEBUG vopono_core::network::netns             > Lockfile written: /home/mylocaluser/.config/vopono/locks/vopono_c_/1280086
 2022-08-15T10:01:34.884Z DEBUG vopono_core::util                       > Using config dir from $HOME config: /home/mylocaluser/.config
POST https://subdomain.domain.tld/
 2022-08-15T10:01:34.896Z DEBUG vopono_core::network::netns             > ip netns exec vopono_c_ sudo -Eu localUsername ssh myuser@somedevice
 2022-08-15T10:01:34.896Z INFO  vopono::exec                            > Application ssh myuser@somedevice launched in network namespace vopono_c_ with pid 1280310
getaddrinfo failed for host 'subdomain.domain.tld': Temporary failure in name resolution
Failed to open HTTPS connection to subdomain.domain.tld
Failed to complete authentication
ssh: Could not resolve hostname somedevice: Temporary failure in name resolution
 2022-08-15T10:01:44.925Z DEBUG vopono_core::util                       > Using config dir from $HOME config: /home/mylocaluser/.config
 2022-08-15T10:01:44.925Z DEBUG vopono_core::util                       > Using config dir from $HOME config: /home/mylocaluser/.config
 2022-08-15T10:01:44.925Z INFO  vopono_core::network::netns             > Shutting down vopono namespace - as there are no processes left running inside
 2022-08-15T10:01:44.925Z DEBUG vopono_core::util                       > ip link delete vopono_c__d
 2022-08-15T10:01:44.942Z DEBUG vopono_core::util                       > Using config dir from $HOME config: /home/mylocaluser/.config
 2022-08-15T10:01:44.942Z DEBUG vopono_core::util                       > nmcli connection reload
 2022-08-15T10:01:44.948Z DEBUG vopono_core::util                       > Using config dir from $HOME config: /home/mylocaluser/.config
 2022-08-15T10:01:44.948Z DEBUG vopono_core::network::host_masquerade   > Remaining namespaces: Ok({})
 2022-08-15T10:01:44.948Z DEBUG vopono_core::util                       > nft delete table inet vopono_nat
 2022-08-15T10:01:44.950Z DEBUG vopono_core::util                       > Using config dir from $HOME config: /home/mylocaluser/.config
 2022-08-15T10:01:44.950Z DEBUG vopono_core::network::host_masquerade   > Remaining namespaces: Ok({})
 2022-08-15T10:01:44.950Z DEBUG vopono_core::util                       > nft delete table inet vopono_bridge
 2022-08-15T10:01:44.952Z DEBUG vopono_core::util                       > ip netns delete vopono_c_
 2022-08-15T10:01:44.953Z DEBUG vopono_core::network::openconnect       > Killed OpenConnect (pid: 1280309)

adRn-s commented 2 years ago

The password prompt when using vopono:

 2022-08-15T09:57:06.490Z INFO  vopono_core::network::netns             > IP address of namespace as seen from host: 10.200.1.2
 2022-08-15T09:57:06.490Z INFO  vopono_core::network::netns             > IP address of host as seen from namespace: 10.200.1.1
OpenConnect password:
Confirm password:

Could this be related to different openconnect versions? Here's mine:

$ openconnect --version
OpenConnect version v9.01
Using GnuTLS 3.7.6. Features present: TPMv2, PKCS#11, RSA software token, HOTP software token, TOTP software token, Yubikey OATH, System keys, DTLS, ESP
Supported protocols: anyconnect (default), nc, gp, pulse, f5, fortinet, array
Default vpnc-script (override with --script): /etc/vpnc/vpnc-script

david-jointech commented 2 years ago

I'm on the same OpenConnect version. I'm slightly confused as to why you get prompted for the password twice, but that might actually be something not connected.

It looks a bit like you're not getting connection (or at least dns) inside of the network namespace. What you could try is running all those ip-commands to create and configure the namespace manually and see if that works. Vopono does log the commands in debug-mode so you could use those.

Maybe something is going wrong with your firewall? Are you using a firewall here? Before debugging everything with ip, maybe you could try running vopono with the firewall turned off?
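To bisect where connectivity is lost inside the namespace, as suggested above, here is an added reproduction script; it is not part of vopono. It re-issues the same ip/nft/sysctl steps that vopono's -v log shows, but with one check per layer (veth link, NAT, DNS) so a name-resolution failure like the one in the thread can be told apart from a broken tunnel or firewall. The uplink interface wlp0s20f3, the 10.200.1.0/24 veth subnet and the 8.8.8.8 DNS server are taken from the log above; the namespace and nft table names are chosen here so they never collide with a running vopono instance.

```shell
#!/bin/sh
# Added reproduction script (not vopono's own code): rebuild by hand the
# namespace vopono's debug log shows it creating, then test each layer.
# Assumed from the log: uplink wlp0s20f3, veth subnet 10.200.1.0/24, DNS 8.8.8.8.
# Override via the environment, e.g. UPLINK=eth0 ./ns_debug.sh up
NS="${NS:-vopono_manual}"      # keep short: "<NS>_d" must fit IFNAMSIZ (15 usable chars)
UPLINK="${UPLINK:-wlp0s20f3}"
HOST_IP=10.200.1.1
NS_IP=10.200.1.2
DNS_SERVER="${DNS_SERVER:-8.8.8.8}"
DRY_RUN="${DRY_RUN:-0}"         # DRY_RUN=1 prints the commands instead of running them

run() {
    if [ "$DRY_RUN" = 1 ]; then echo "+ $*"; else "$@"; fi
}

setup_ns() {
    run ip netns add "$NS"
    run ip netns exec "$NS" ip addr add 127.0.0.1/8 dev lo
    run ip netns exec "$NS" ip link set lo up
    # veth pair: <NS>_d stays on the host, <NS>_s moves into the namespace
    run ip link add "${NS}_d" type veth peer name "${NS}_s"
    run ip link set "${NS}_d" up
    run ip link set "${NS}_s" netns "$NS"
    run ip netns exec "$NS" ip link set "${NS}_s" up
    run ip addr add "$HOST_IP/24" dev "${NS}_d"
    run ip netns exec "$NS" ip addr add "$NS_IP/24" dev "${NS}_s"
    run ip netns exec "$NS" ip route add default via "$HOST_IP" dev "${NS}_s"
    # host side: masquerade namespace traffic out of the uplink and permit forwarding
    # (own table names, so nothing clashes with vopono_nat / vopono_bridge)
    run nft add table inet manual_nat
    run nft add chain inet manual_nat postrouting '{ type nat hook postrouting priority 100; }'
    run nft add rule inet manual_nat postrouting oifname "$UPLINK" ip saddr 10.200.1.0/24 counter masquerade
    run nft add table inet manual_bridge
    run nft add chain inet manual_bridge forward '{ type filter hook forward priority -10; }'
    run nft add rule inet manual_bridge forward iifname "${NS}_d" oifname "$UPLINK" counter accept
    run nft add rule inet manual_bridge forward oifname "${NS}_d" iifname "$UPLINK" counter accept
    run sysctl -q net.ipv4.ip_forward=1
    # ip netns exec bind-mounts /etc/netns/<NS>/resolv.conf over /etc/resolv.conf;
    # that file is the only DNS setting processes inside the namespace will see
    if [ "$DRY_RUN" = 1 ]; then
        echo "+ write /etc/netns/$NS/resolv.conf: nameserver $DNS_SERVER"
    else
        mkdir -p "/etc/netns/$NS"
        printf 'nameserver %s\n' "$DNS_SERVER" > "/etc/netns/$NS/resolv.conf"
    fi
}

check() {
    label="$1"; shift
    if [ "$DRY_RUN" = 1 ]; then run "$@"; return 0; fi
    if "$@" >/dev/null 2>&1; then echo "PASS: $label"; else echo "FAIL: $label"; fi
}

# One check per layer: link to host, NAT out of the uplink, name resolution.
check_ns() {
    check "veth link to host"   ip netns exec "$NS" ping -c 1 -W 2 "$HOST_IP"
    check "NAT out of uplink"   ip netns exec "$NS" ping -c 1 -W 2 "$DNS_SERVER"
    check "DNS inside netns"    ip netns exec "$NS" getent hosts example.com
}

teardown_ns() {
    run ip link delete "${NS}_d"
    run nft delete table inet manual_nat
    run nft delete table inet manual_bridge
    run ip netns delete "$NS"
    run rm -rf "/etc/netns/$NS"
}

case "${1:-}" in
    up)    setup_ns ;;
    check) check_ns ;;
    down)  teardown_ns ;;
esac
```

Run as root: `./ns_debug.sh up && ./ns_debug.sh check`, then `./ns_debug.sh down`; PASS on the first two checks with FAIL on DNS points at the resolv.conf handling rather than at the tunnel or nft rules.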