Difference between revisions of "OpenConnect"

From ArchWiki
Latest revision as of 15:10, 31 May 2018

OpenConnect is a client for Cisco's AnyConnect SSL VPN and Pulse Secure's Pulse Connect Secure.

Installation

Install the openconnect package.

Usage

See openconnect(8). Simply run openconnect as root and enter your username and password when prompted:

# openconnect vpnserver

More advanced invocation with username and password. Input the password after running the command.

# openconnect -u user --passwd-on-stdin vpnserver

VPN providers often offer different authentication groups for different access configurations, for example a full-tunnel or a split-tunnel connection. To list the offered auth groups and to get more information about the connection to the server in general, use:

# openconnect --authenticate vpnserver

Juniper Pulse Client

In order to connect to a Pulse Connect Secure server you need to know the SHA-1 of its certificate, because --servercert accepts only a certificate matching that fingerprint instead of validating it against the system CA store; obtain the fingerprint from the VPN administrator rather than from whatever the first connection presents.

# openconnect --servercert=sha1:<HASH> --authgroup="single-Factor Pulse Clients" --protocol=nc <VPN_SERVER_ADDRESS>/dana-na/auth/url_6/welcome.cgi --pid-file="/var/run/work-vpn.pid" --user=<USERNAME>

Split Routing

Split routing can be achieved using vpn-slice-gitAUR in place of vpnc-script, so that you can selectively access hosts over the VPN but otherwise remain on your own LAN. Example:

$ sudo openconnect gateway.bigcorp.com -u user1234 \
    -s 'vpn-slice 192.168.1.0/24 hostname1 alias2=alias2.bigcorp.com=192.168.1.43'
$ cat /etc/hosts
...
192.168.1.1 dns0.tun0                            # vpn-slice-tun0 AUTOCREATED
192.168.1.2 dns1.tun0                            # vpn-slice-tun0 AUTOCREATED
192.168.1.57 hostname1 hostname1.bigcorp.com     # vpn-slice-tun0 AUTOCREATED
192.168.1.43 alias2 alias2.bigcorp.com           # vpn-slice-tun0 AUTOCREATED
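As an added example (not part of the ArchWiki page or of vpn-slice itself), the following Python reads the AUTOCREATED markers vpn-slice appends to /etc/hosts in order to list which names are currently resolved via the tunnel, to strip those lines, and to flag entries left behind by an interface that is no longer up (vpn-slice normally removes them when the tunnel goes down, but not after a crash). The /etc/hosts content is constructed for the example.

```python
import re
from typing import Dict, List, Set

# Constructed sample of /etc/hosts after vpn-slice ran for tun0 (not a real file).
SAMPLE_HOSTS = """127.0.0.1 localhost
::1 localhost
192.168.1.1 dns0.tun0\t# vpn-slice-tun0 AUTOCREATED
192.168.1.2 dns1.tun0\t# vpn-slice-tun0 AUTOCREATED
192.168.1.57 hostname1 hostname1.bigcorp.com\t# vpn-slice-tun0 AUTOCREATED
192.168.1.43 alias2 alias2.bigcorp.com\t# vpn-slice-tun0 AUTOCREATED
10.0.0.5 printer.lan
"""

# The trailing marker vpn-slice writes on every line it manages: "# vpn-slice-<iface> AUTOCREATED".
MARKER_RE = re.compile(r"#\s*vpn-slice-(?P<iface>\S+)\s+AUTOCREATED\s*$")


def vpn_slice_entries(hosts_text: str, iface: str) -> Dict[str, List[str]]:
    """Return {ip: [name, ...]} for the lines vpn-slice created for `iface`."""
    entries: Dict[str, List[str]] = {}
    for line in hosts_text.splitlines():
        m = MARKER_RE.search(line)
        if not m or m.group("iface") != iface:
            continue
        fields = line[: m.start()].split()
        if len(fields) < 2:
            continue  # marker without an address/name pair: ignore malformed line
        entries[fields[0]] = fields[1:]
    return entries


def strip_vpn_slice_entries(hosts_text: str, iface: str) -> str:
    """Return hosts_text without the lines vpn-slice created for `iface`; other lines stay untouched."""
    kept = [line for line in hosts_text.splitlines()
            if not (MARKER_RE.search(line) and MARKER_RE.search(line).group("iface") == iface)]
    return "\n".join(kept) + "\n"


def stale_interfaces(hosts_text: str, up_ifaces: Set[str]) -> Set[str]:
    """Interfaces that still have vpn-slice entries in hosts_text but are not in `up_ifaces`.

    `up_ifaces` is the set of interfaces currently present on the system (e.g. from `ip link`).
    """
    seen = {m.group("iface") for m in map(MARKER_RE.search, hosts_text.splitlines()) if m}
    return seen - up_ifaces
```

Feed the functions the real file contents with `open("/etc/hosts").read()` and the interface list from `ip link` to audit a running host.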

Integration

NetworkManager

Install the networkmanager-openconnect package. Then configure and connect with nm-applet (network manager's tray icon utility from network-manager-applet) or similar utility. After installation, restart the NetworkManager.service.

See NetworkManager for details.

netctl

A simple tuntap netctl.profile(5) can be used to integrate OpenConnect in the normal Netctl workflow. For example:

/etc/netctl/vpn
Description='VPN'
Interface=vpn
Connection=tuntap
Mode=tun
#User=root
#Group=root

BindsToInterfaces=(enp0s25 wlp2s0)
IP=no

PIDFILE=/run/openconnect_${Interface}.pid
SERVER=vpn.example.net
AUTHGROUP='<AUTHGROUP>'
LOCAL_USERNAME=<USERNAME>
REMOTE_USERNAME=<VPN_USERNAME>
# Assuming the use of pass(1):
PASSWORD="`su ${LOCAL_USERNAME} -c "pass ${REMOTE_USERNAME}" | head -n 1`"

ExecUpPost="echo '${PASSWORD}' | /usr/bin/openconnect --background --pid-file=${PIDFILE} --interface='${Interface}' --authgroup='${AUTHGROUP}' --user='${REMOTE_USERNAME}' --passwd-on-stdin ${SERVER}"
ExecDownPre="kill -INT $(cat ${PIDFILE}) ; resolvconf -d ${Interface} ; ip link delete ${Interface}"

This allows execution like:

$ netctl start vpn
$ netctl restart vpn
$ netctl stop vpn

Note that this relies on LOCAL_USERNAME having a gpg-agent running, with the passphrase for the PGP key already cached. Also note that ${PASSWORD} is expanded into ExecUpPost when netctl sources the profile, so a password containing a single quote breaks the echo '...' quoting.

If pass is to prompt interactively (for example for the GPG passphrase), use the following line for PASSWORD:

DISPLAY=":0"
PASSWORD="`su ${LOCAL_USERNAME} -c "DISPLAY=${DISPLAY} pass ${REMOTE_USERNAME}" | head -n 1`"

Adjust the DISPLAY variable as necessary.