yuezk / GlobalProtect-openconnect

A GlobalProtect VPN client for Linux, written in Rust, based on OpenConnect and Tauri, supports SSO with MFA, Yubikey, and client certificate authentication, etc.
GNU General Public License v3.0

Support for client certificate authentication #21

Closed DonMushr00m closed 3 years ago

DonMushr00m commented 4 years ago

Does the client currently support authentication using a client certificate in order to verify the client's authenticity? Is it possible to specify a certain certificate that is used during authentication?

yuezk commented 4 years ago

Honestly, I'm not sure about that. If OpenConnect supports it, then we can consider adding it to this GUI client.

petobens commented 4 years ago

Not sure if it is related but I'm unable to connect and getting the following error:

2020-09-22 17:13:43.641 INFO  [24307] [GPClient::onVPNLogAvailable@440] POST https://arpd-gateway-01.networking-is.net/ssl-vpn/getconfig.esp

2020-09-22 17:13:43.752 INFO  [24307] [GPClient::onVPNLogAvailable@440] Connected to 190.x.x.x:443

2020-09-22 17:13:43.859 INFO  [24307] [GPClient::onVPNLogAvailable@440] SSL negotiation with xx.xx.net

2020-09-22 17:13:43.899 INFO  [24307] [GPClient::onVPNLogAvailable@440] Server certificate verify failed: certificate does not match hostname

2020-09-22 17:13:43.899 INFO  [24307] [GPClient::onVPNLogAvailable@440]
Certificate from VPN server "xx.xx.net" failed verification.
Reason: certificate does not match hostname
To trust this server in future, perhaps add this to your command line:
    --servercert pin-sha256:zgSDv+qnvS3Q9bkucWruq8tgs4MvRxZjhT6WlTic1so=
Enter 'yes' to accept, 'no' to abort; anything else to view:
"No carrier"
"No carrier"
"No carrier"
yes
"No carrier"

Any pointers are greatly appreciated @yuezk (I can open a new issue if needed)

rodricels commented 3 years ago

Same problem here, openconnect requires "--servercert pin-sha256:xxxxxx" to work.

Is it possible to add parameters to vpn/openconnect service?

yuezk commented 3 years ago

> Same problem here, openconnect requires "--servercert pin-sha256:xxxxxx" to work.
>
> Is it possible to add parameters to vpn/openconnect service?

@rodricels Yes, you can open /etc/systemd/system/gpservice.service and append any arguments supported by the OpenConnect cli to /usr/bin/gpservice, including the --servercert argument.

https://github.com/yuezk/GlobalProtect-openconnect/blob/76a4977e9260a8123c39fc439944355ff6bff9aa/GPService/systemd/gpservice.service#L7
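The pin openconnect prints on a failed verification ("perhaps add this to your command line: --servercert pin-sha256:...") is trust-on-first-use: it is whatever key the host at the other end presented, so pasting it into the service unit without checking it pins a possible interceptor as well as the real gateway. The script below is an added example, not code from this thread or from the GlobalProtect-openconnect project. It assumes `openssl` is installed and relies on OpenConnect's `pin-sha256:` value being the base64 SHA-256 of the certificate's DER-encoded SubjectPublicKeyInfo. The function names (`spki_pin`, `pin_matches`, `cert_names`, `servercert_arg`, `make_demo_cert`) are this example's own, and the self-signed certificate it generates is a constructed stand-in for the gateway certificate you would obtain out-of-band from the VPN administrator.

```shell
#!/bin/sh
# Added example (not from the issue thread or the project). Computes the
# OpenConnect "pin-sha256" value of a server certificate from a PEM file so the
# value openconnect prints can be checked against a certificate obtained
# out-of-band before it is pinned in the gpservice command line.
set -e

# spki_pin CERT.pem
#   Prints "pin-sha256:<base64>" where <base64> is the SHA-256 of the DER-encoded
#   SubjectPublicKeyInfo, the format OpenConnect's --servercert option expects.
spki_pin() {
    pin=$(openssl x509 -in "$1" -pubkey -noout \
        | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 -binary \
        | openssl base64 -A)
    printf 'pin-sha256:%s\n' "$pin"
}

# servercert_arg CERT.pem
#   Prints the argument to append to the gpservice / openconnect command line.
servercert_arg() {
    printf '%s %s\n' --servercert "$(spki_pin "$1")"
}

# pin_matches CERT.pem EXPECTED_PIN
#   Returns 0 when the pin the client printed matches the certificate obtained
#   out-of-band, 1 otherwise. Only pin a value that passes this check.
pin_matches() {
    [ "$(spki_pin "$1")" = "$2" ]
}

# cert_names CERT.pem
#   Prints the subject and any subjectAltName entries. Compare these with the
#   hostname you connect to; a mismatch is what "certificate does not match
#   hostname" reports, and the fix may be using the right hostname rather than
#   pinning at all.
cert_names() {
    openssl x509 -in "$1" -noout -subject
    openssl x509 -in "$1" -noout -text \
        | sed -n '/Subject Alternative Name/{n;s/^ *//;p;}'
}

# make_demo_cert
#   Creates a constructed self-signed certificate (a stand-in for the gateway's
#   certificate, not a real one) in a temp directory and prints that directory.
make_demo_cert() {
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj '/CN=gateway.example.invalid' \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" >/dev/null 2>&1
    echo "$dir"
}

# Stand-alone run: generate the demo cert, show its names and the resulting
# argument. For a real gateway, point spki_pin at the certificate file the
# administrator gave you and compare the result with what openconnect printed.
demo_dir=$(make_demo_cert)
cert_names "$demo_dir/cert.pem"
servercert_arg "$demo_dir/cert.pem"
rm -rf "$demo_dir"
```

Where the resulting `--servercert` argument goes depends on the client version, as the rest of this thread explains: appended to the `gpservice` command line in the systemd unit for the version discussed here, or passed via the custom-parameter mechanism described in the README for 1.3.0 and later.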

rodricels commented 3 years ago

Thanks @yuezk, works like a charm!

yuezk commented 3 years ago

It should have been resolved in 1.3.0, as described in https://github.com/yuezk/GlobalProtect-openconnect#passing-the-custom-parameters-to-openconnect-cli

Mart-Bogdan commented 1 year ago

I would like to add that you also need to restart the service after changing /etc/gpservice/gp.conf, using the command:

sudo systemctl restart gpservice.service