tlslink / anylink-client

AnyLink Secure Client: An SSL VPN client that supports OpenConnect or Cisco's AnyConnect VPN Protocol.
GNU General Public License v3.0

Openconnect compatibility #25

Closed papiru5 closed 11 months ago

papiru5 commented 11 months ago

Hi! I'm using Openconnect server v.1.2.2 with AnyLink Secure Client v.0.8.4. When I try to use the "camouflage" option in the server config (https://ocserv.gitlab.io/www/manual.html) and change the Host field in the profile settings to something like "https://example.com/?mysecretkey", I get an error. With https://: [image] Without https://: [image]

Without this option set I connect smoothly with the Host address without "https://" and "/?mysecretkey". Is this option not compatible with your client?

itviewer commented 11 months ago

@papiru5 Sorry, I didn't realize this was an ocserv-specific feature, but I still don't think it would do much to increase security.

itviewer commented 11 months ago

@papiru5 Sorry again, I think this is a feature worth implementing and maybe it will be added in some future version.

itviewer commented 11 months ago

@papiru5 Thanks, it should work with v0.8.8. The host and secretkey should be filled in to the corresponding fields respectively.

papiru5 commented 11 months ago

Hi! Thank you for your passionate work for this application, it's the most convenient client of OpenConnect server for Windows. I'll try the new build on Monday.

papiru5 commented 11 months ago

I've tested the new build by upgrading v.0.8.4 without any changes in configs on the client and server side (camouflage option is false in the ocserv config) and got this error: [image] Then I uninstalled v.0.8.8 and installed v.0.8.4 again, also without touching configs, and after that I can connect smoothly. Maybe the new build as of now can't work with the ocserv camouflage option set to false in the ocserv config (so it can't connect to all versions of ocserv prior to 1.2.0 with camouflage option set to true)? When I turn the camouflage option in the ocserv config to true and change the profile in AnyLink Secure Client v.0.8.8, adding the Secret field, I can connect without any problem.

itviewer commented 11 months ago

> Maybe the new build as of now can't work with ocserv camouflage option set to false in ocserv config

For me, so far, the application logic is in line with expectations, and there is no situation where camouflage is false and the client cannot connect.

papiru5 commented 11 months ago

Maybe the latest version changes camouflage option logic (https://ocserv.gitlab.io/www/changelog.html). I can't compile ocserv by myself, so I can only test the existing 1.1.6-3 in debian bookworm and 1.2.2 in rocky linux 9 epel repositories. In both cases I can't connect to ocserv server with AnyLink Secure Client v.0.8.8 with old working in v.0.8.4 profiles (in ocserv 1.1.6-3 camouflage option is absent, in 1.2.2 set to false). The only case when I can use v.0.8.8 flawlessly is ocserv 1.2.2 with camouflage option set to true adding secret field to old v.0.8.4 config.

papiru5 commented 11 months ago

I think about connection logic that way: if secret field is filled the client uses v.0.8.8 connection method, if not - v.0.8.4. So in that case we will get both old and new versions of ocserv working. Maybe I'm wrong, cause I'm not a developer...

itviewer commented 11 months ago

Well, after testing again, for ocserv 1.1.6, it did cause a bug because it could not recognize ?, but for 1.2.2, there would be no such problem. Anyway, I recompiled and uploaded the release file without adding a new version. Please download and install again. It should be able to support the old version of ocserv. Thanks!
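The behaviour this thread converges on (send `?secret` only when the secret field is filled, otherwise make the plain request that older ocserv expects), as an added Go example that is not part of the thread and not AnyLink's code. The `Profile` type, the `AuthURL` function and the sample hosts are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Profile holds the two profile fields from the thread (hypothetical type).
type Profile struct {
	Host   string // "vpn.example.com", optionally with ":port"
	Secret string // ocserv camouflage secret; empty when camouflage is off
}

// AuthURL builds the URL for the first HTTPS request. The "?" is emitted only
// when a secret is set, so ocserv 1.1.6 is asked for a plain "/".
func AuthURL(p Profile) (string, error) {
	host := strings.TrimSpace(p.Host)
	if !strings.Contains(host, "://") {
		host = "https://" + host
	}
	// Tolerate a full URL pasted into Host, as in the original report.
	u, err := url.Parse(host)
	if err != nil {
		return "", fmt.Errorf("invalid host %q: %w", p.Host, err)
	}
	if u.Scheme != "https" || u.Host == "" {
		return "", fmt.Errorf("host %q must be an https host[:port]", p.Host)
	}
	out := url.URL{Scheme: "https", Host: u.Host, Path: "/"}
	if s := strings.TrimSpace(p.Secret); s != "" {
		out.RawQuery = url.QueryEscape(s) // secret cannot alter URL structure
	} else {
		// Fall back to a secret pasted into Host as "/?mysecretkey".
		out.RawQuery = u.RawQuery
	}
	return out.String(), nil
}

func main() {
	// Constructed sample profiles.
	for _, p := range []Profile{
		{Host: "vpn.example.com"},
		{Host: "vpn.example.com:4443", Secret: "mysecretkey"},
		{Host: "https://example.com/?mysecretkey"},
	} {
		fmt.Println(AuthURL(p))
	}
}
```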

papiru5 commented 11 months ago

I redownloaded the v.0.8.8 release file, got anylink-windows10-amd64.exe with change date 14/10/23 12:34, installed it over v.0.8.4 without config change and got the same error on my old 1.1.6-3 debian bookworm ocserv: [image] But now on v.1.2.2 rocky linux 9 ocserv with camouflage option set to false or true there is no problem to connect. So I guess on ocserv v.1.2.0 or above with the new AnyLink Secure Client v.0.8.8 we got the camouflage option working flawlessly in both true or false cases. On ocserv v.1.1.6-3 from debian bookworm repositories the error connecting v.0.8.8 with the old v.0.8.4 profile still exists. v.0.8.4 of the client works well with v.1.1.6 with the same profile. These are my test results, maybe I'm doing something wrong?

itviewer commented 11 months ago

secretkey should be empty for 1.1.6

papiru5 commented 11 months ago

Yes, it's empty, I didn't change it at all: [image] This profile is working with v.0.8.4 flawlessly, but not in old and new v.0.8.8

papiru5 commented 11 months ago

The "outside-rf" profile is also profile for old debian bookworm ocserv v.1.1.6-3 and also not working with the same error. And I also don't change it during upgrade from v.0.8.4 to v.0.8.8.

itviewer commented 11 months ago

I'm sure the new build will support ocserv 1.1.6 with empty secretkey, maybe you didn't overwrite the previous files after unzipping? Or you can uninstall and delete the previous files and re-download it.

Oct 14 09:34 anylink-windows10-amd64.exe

md5sum
d1caf551531282eefe31f5964193def9  anylink-windows10-amd64.exe

If you still have problems, maybe you can set up a test environment and test account for me to see if I can troubleshoot the problem.

papiru5 commented 11 months ago

The downloaded file anylink-windows10-amd64.exe has md5sum d1caf551531282eefe31f5964193def9, which is equal to yours. Now I tried to recreate the old profiles from v.0.8.4 in the new v.0.8.8 and they work flawlessly, so the problem was in the old profiles! Thank you very much again! Now everything works flawlessly with both v.1.1.6 and v.1.2.2 versions of ocserv. Nice to collaborate with you, hope I helped a little to improve your great application!