yuezk / GlobalProtect-openconnect

A GlobalProtect VPN client for Linux, written in Rust, based on OpenConnect and Tauri, supports SSO with MFA, Yubikey, and client certificate authentication, etc.
GNU General Public License v3.0

gp.conf syntax #153

Closed ysiivan closed 5 months ago

ysiivan commented 2 years ago

I can connect with command line openconnect with the following command from a shell script

echo "$password" |
        sudo openconnect \
            --protocol=gp \
            $access_point \
            --user=mydomain\\myuser \
            --certificate ~/work/paloalto/mycert.pem \
            --servercert pin-sha256:y4vQpQl/w0NPJ4eKY11kC3jvg6Dvx0FzxYArz4/X6x0= \
            --script 'vpn-slice 10.0.0.0/8 10.171.63.202 myvm1 mydev1 myub18 --domain mydomain.mydomain2.com'

1.4.4 compiled from sources fails to connect. The log doesn't tell me much:

2022-05-19 15:03:22.146 ERROR [4022] [GatewayAuthenticator::onLoginFinished@58] Failed to login the gateway at https://<redacted>/ssl-vpn/login.esp, Unknown error

Seems no matter what I type for user/password I get the above. The settings screen tells me that settings are now in /etc/gpservice/gp.conf. Created that file and tried different combinations (including with only --certificate and --servercert options) of the command line params syntax. No change.

So, what's the gp.conf syntax? If gpclient is a GUI driving openconnect how do I make it call openconnect the same way like I do from command line?

yuezk commented 2 years ago

Append all the parameters to openconnect-args=

Tokens with spaces can be surrounded by double quotes; three consecutive double quotes represent the quote character itself.

https://doc.qt.io/qt-5/qprocess.html#splitCommand

yuezk commented 2 years ago

@ysiivan The configuration supports multi-line, so your configuration can be written as below:

openconnect-args=--certificate ~/work/paloalto/mycert.pem
        --servercert pin-sha256:y4vQpQl/w0NPJ4eKY11kC3jvg6Dvx0FzxYArz4/X6x0=
        --script "vpn-slice 10.0.0.0/8 10.171.63.202 myvm1 mydev1 myub18 --domain mydomain.mydomain2.com"

ysiivan commented 2 years ago

@yuezk Made no difference. Login from command line is fine, doesn't work from gpclient.

2022-05-27 15:08:38.175 ERROR [46261] [GatewayAuthenticator::onLoginFinished@58] Failed to login the gateway at https://<my gateway>/ssl-vpn/login.esp, Unknown error

yuezk commented 2 years ago

Has the custom parameter worked before with gpclient, or did it just get broken when switching to /etc/gpservice/gp.conf?

BTW, I'm not clear about the authentication workflow when using --certificate parameter. Do you still need to input the credentials when you use the OpenConnect command with the --certificate parameter?

ysiivan commented 2 years ago

Has the custom parameter worked before with gpclient, or did it just get broken when switching to /etc/gpservice/gp.conf?

Never tried gpclient before the gp.conf change.

Do you still need to input the credentials when you use the OpenConnect command with the --certificate parameter?

Yes

yuezk commented 2 years ago

Does https://github.com/dlenski/gp-saml-gui work for you?

ysiivan commented 2 years ago

I'm not dealing with SAML

yuezk commented 2 years ago

I see. I didn't handle the certificate in this client, that could be the reason why it doesn't work for you.