Difference between revisions of "OpenConnect"

From ArchWiki
(Explain difference in "up-to-date" script, since I wondered myself and don't like getting scripts from random git repos without knowing why.)
(Integration in netctl: restore dns)
 
(33 intermediate revisions by 15 users not shown)
Line 1: Line 1:
 
[[Category:Virtual Private Network]]
 
[[Category:Virtual Private Network]]
 +
[[ja:OpenConnect]]
 
From [http://www.infradead.org/openconnect.html OpenConnect]:
 
From [http://www.infradead.org/openconnect.html OpenConnect]:
  
:''OpenConnect is a client for Cisco's AnyConnect SSL VPN, which is supported by the ASA5500 Series, by IOS 12.4(9)T or later on Cisco SR500, 870, 880, 1800, 2800, 3800, 7200 Series and Cisco 7301 Routers, and probably others.''
+
:OpenConnect is a client for Cisco's AnyConnect SSL VPN, which is supported by the ASA5500 Series, by IOS 12.4(9)T or later on Cisco SR500, 870, 880, 1800, 2800, 3800, 7200 Series and Cisco 7301 Routers, and probably others.
  
==Installation==
+
== Installation ==
Install the {{pkg|openconnect}} package from the [[Official Repositories]].
+
  
==Usage==
+
[[Install]] the {{pkg|openconnect}} package.
===With NetworkManager===
+
Install the {{pkg|networkmanager-openconnect}} package from the [[Official Repositories]]. Then configure and connect with {{ic|nm-applet}} (network manager's tray icon) or other utility.
+
  
===Manual===
+
== Usage ==
  
Download a more up-to-date script that OpenConnect will use to setup routing and DNS information
+
OpenConnect can be used with NetworkManager, or manually via the command line.
(the only difference, currently, between this script and the one that comes with vpnc is using /usr/sbin/resolvconf instead of /sbin/resolvconf, there should be an AUR package for this eventually):
+
  
# wget http://git.infradead.org/users/dwmw2/vpnc-scripts.git/blob_plain/HEAD:/vpnc-script
+
=== NetworkManager ===
+
Make it executable:
+
  
# chmod +x vpnc-script
+
[[Install]] the {{pkg|networkmanager-openconnect}} package. Then configure and connect with ''nm-applet'' (network manager's tray icon utility from {{pkg|network-manager-applet}}) or similar utility.
 +
After installation, [[restart]] the {{ic|NetworkManager.service}}.
  
Now run OpenConnect as root with the script downloaded above, and provide the gateway:
+
See [[NetworkManager]] for details.
  
# openconnect --script ./vpnc-script mygateway.com
+
=== Command Line ===
  
{{Warning|The script has not been adapted to Arch Linux. You will probably need to set your /etc/resolv.conf manually with the proper information. After you run the <code>openconnect</code> command.}}
+
Simply run openconnect as root and enter your username and password when prompted:
 +
 
 +
# openconnect ''vpnserver''
  
 
More advanced invocation with username and password:
 
More advanced invocation with username and password:
  # echo -n 'passwd' | openconnect -u user --passwd-on-stdin mygateway.com
+
 +
  # echo -n ''password'' | openconnect -u ''user'' --passwd-on-stdin ''vpnserver''
 +
 
 +
Often VPN provider are offering different authentication groups for different access configurations like for example for a full tunnel or split tunnel connection. To show the different offered auth-groups and to get more information about the connection to the server in general use:
 +
 
 +
# openconnect --authenticate ''vpnserver''
 +
 
 +
Here is an example of how to to connect to a Juniper Pulse Secure Pulse Client. Only version 7.06 and higher are compatible.
 +
 
 +
# sudo openconnect --no-cert-check --authgroup="Single-Factor Pulse Clients" --juniper ''example.com''/dana-na/auth/url_6/welcome.cgi
 +
 
 +
=== Integration in netctl ===
 +
 
 +
A simple <tt>tuntap</tt> netctl.profile(5) can be used to integrate OpenConnect in the normal [[Netctl]] workflow. For example:
 +
 
 +
{{hc|/etc/netctl/vpn|<nowiki>
 +
Description='VPN'
 +
Interface=vpn
 +
Connection=tuntap
 +
Mode=tun
 +
#User=root
 +
#Group=root
 +
 
 +
BindsToInterfaces=(enp0s25 wlp2s0)
 +
IP=no
 +
 
 +
PIDFILE=/run/openconnect_${Interface}.pid
 +
SERVER=vpn.example.net
 +
AUTHGROUP='<AUTHGROUP>'
 +
LOCAL_USERNAME=<USERNAME>
 +
REMOTE_USERNAME=<VPN_USERNAME>
 +
# Assuming the use of pass(1):
 +
PASSWORD="`su ${LOCAL_USERNAME} -c "pass ${REMOTE_USERNAME}" | head -n 1`"
 +
 
 +
ExecUpPost="echo '${PASSWORD}' | /usr/bin/openconnect --background --pid-file=${PIDFILE} --interface='${Interface}' --authgroup='${AUTHGROUP}' --user='${REMOTE_USERNAME}' --passwd-on-stdin ${SERVER}"
 +
ExecDownPre="kill -INT $(cat ${PIDFILE}) ; ip link delete ${Interface} ; resolvconf -d ${Interface}"
 +
</nowiki>}}
 +
 
 +
This allows execution like:
 +
 
 +
$ netctl start vpn
 +
$ netctl restart vpn
 +
$ netctl stop vpn
 +
 
 +
Note that this relies on {{ic|LOCAL_USERNAME}} having a [[GnuPG#gpg-agent|gpg-agent]] running, with the passphrase for the PGP key already cached, as it is not possible for [[pass]] to trigger an interactive query from this environment.
 +
 
 +
== See also ==
  
==External links==
+
* [http://www.infradead.org/openconnect.html OpenConnect]
*[http://www.infradead.org/openconnect.html OpenConnect]
+
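Review bot: the Juniper example added in this revision passes `--no-cert-check`, which disables validation of the gateway's TLS certificate, so the credentials typed at the prompt (and the whole tunnel) are exposed to anyone who can intercept the connection; suggest `--servercert` with the fingerprint OpenConnect prints on first contact, or at least a note that the flag is a workaround for a misconfigured gateway rather than a recommended setting. Two smaller points in the same region: `echo -n ''password'' | openconnect ... --passwd-on-stdin` leaves the password in the shell history, whereas the netctl profile's `pass(1)` lookup avoids that and could be mentioned as the preferred form; and the profile's `ExecDownPre="kill -INT $(cat ${PIDFILE}) ; ..."` signals whatever PID the file holds without checking that the file exists or still refers to openconnect, so a stale PID file after a crash can signal an unrelated process.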

Latest revision as of 19:39, 22 October 2016

From OpenConnect:

OpenConnect is a client for Cisco's AnyConnect SSL VPN, which is supported by the ASA5500 Series, by IOS 12.4(9)T or later on Cisco SR500, 870, 880, 1800, 2800, 3800, 7200 Series and Cisco 7301 Routers, and probably others.

Installation

Install the openconnect package.

Usage

OpenConnect can be used with NetworkManager, or manually via the command line.

NetworkManager

Install the networkmanager-openconnect package. Then configure and connect with nm-applet (network manager's tray icon utility from network-manager-applet) or similar utility. After installation, restart the NetworkManager.service.

See NetworkManager for details.

Command Line

Simply run openconnect as root and enter your username and password when prompted:

# openconnect vpnserver

More advanced invocation with username and password:

# echo -n password | openconnect -u user --passwd-on-stdin vpnserver

VPN providers often offer different authentication groups for different access configurations, for example a full-tunnel or a split-tunnel connection. To list the offered auth-groups and get more information about the connection to the server in general, use:

# openconnect --authenticate vpnserver

Here is an example of how to connect to a Juniper Pulse Secure Pulse Client. Only version 7.06 and higher are compatible.

# sudo openconnect --no-cert-check --authgroup="Single-Factor Pulse Clients" --juniper example.com/dana-na/auth/url_6/welcome.cgi
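The two invocations above get the password to OpenConnect through stdin, and the Juniper example switches certificate checking off. The script below is an added example, not from the ArchWiki page or the OpenConnect project, that keeps the --passwd-on-stdin mechanism but reads the password from a root-only file (so it never lands in the shell history or in ps output) and pins the gateway certificate with --servercert, the option OpenConnect itself suggests when it meets an untrusted certificate, instead of --no-cert-check. It goes beyond the page in checking the secret file's permissions before connecting. VPN_SERVER, VPN_USER, VPN_AUTHGROUP, the path /etc/openconnect/vpn.secret and the pin value are placeholders (assumptions), not values from the page.

```shell
#!/bin/sh
# Added example, not from the ArchWiki page or the OpenConnect project.
# Connects with the same --passwd-on-stdin mechanism as the page, but:
#   * the password is read from a root-only file instead of a shell command
#     line, so it never lands in ~/.bash_history or in `ps` output;
#   * the gateway certificate is pinned with --servercert instead of being
#     ignored with --no-cert-check.
# Every value below is a placeholder (assumption); override it through the
# environment or edit it for your site.

VPN_SERVER="${VPN_SERVER:-vpn.example.net}"
VPN_USER="${VPN_USER:-alice}"
VPN_AUTHGROUP="${VPN_AUTHGROUP:-}"      # e.g. "Single-Factor Pulse Clients"
VPN_SECRET_FILE="${VPN_SECRET_FILE:-/etc/openconnect/vpn.secret}"
# Use the pin OpenConnect prints the first time it sees the gateway's
# (not yet trusted) certificate; this placeholder will never match.
VPN_CERT_PIN="${VPN_CERT_PIN:-pin-sha256:REPLACE_WITH_REAL_PIN}"

# Return 0 only if $1 is a regular file whose mode has no group/other
# permission bits (0600, 0400, ...), i.e. other users cannot read it.
secret_file_is_private() {
    f="$1"
    [ -f "$f" ] || return 1
    mode=$(stat -c '%a' "$f" 2>/dev/null) || return 1   # GNU stat (Arch)
    case "$mode" in
        *00) return 0 ;;
        *)   return 1 ;;
    esac
}

# Run openconnect with the password on stdin. Refuses to start if the
# secret file is readable by others, so a permission mistake is caught
# before the password is sent anywhere.
connect_vpn() {
    if ! secret_file_is_private "$VPN_SECRET_FILE"; then
        echo "refusing to connect: $VPN_SECRET_FILE must exist with mode 0600" >&2
        return 1
    fi
    # Build argv positionally so an authgroup containing spaces survives.
    set -- --user="$VPN_USER" --passwd-on-stdin --servercert="$VPN_CERT_PIN"
    if [ -n "$VPN_AUTHGROUP" ]; then
        set -- "$@" --authgroup="$VPN_AUTHGROUP"
    fi
    # Only the first line of the file is the password; nothing is echoed.
    head -n 1 "$VPN_SECRET_FILE" | openconnect "$@" "$VPN_SERVER"
}

# Run as root with "sh vpn-connect.sh connect"; sourcing the file without
# arguments only defines the functions.
if [ "${1:-}" = "connect" ]; then
    connect_vpn
fi
```

The permission check is deliberately a hard stop rather than a warning: a password file that is readable by other users is the same failure as typing the password on the command line, just less visible.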

Integration in netctl

A simple tuntap netctl.profile(5) can be used to integrate OpenConnect in the normal Netctl workflow. For example:

/etc/netctl/vpn
Description='VPN'
Interface=vpn
Connection=tuntap
Mode=tun
#User=root
#Group=root

BindsToInterfaces=(enp0s25 wlp2s0)
IP=no

PIDFILE=/run/openconnect_${Interface}.pid
SERVER=vpn.example.net
AUTHGROUP='<AUTHGROUP>'
LOCAL_USERNAME=<USERNAME>
REMOTE_USERNAME=<VPN_USERNAME>
# Assuming the use of pass(1):
PASSWORD="`su ${LOCAL_USERNAME} -c "pass ${REMOTE_USERNAME}" | head -n 1`"

ExecUpPost="echo '${PASSWORD}' | /usr/bin/openconnect --background --pid-file=${PIDFILE} --interface='${Interface}' --authgroup='${AUTHGROUP}' --user='${REMOTE_USERNAME}' --passwd-on-stdin ${SERVER}"
ExecDownPre="kill -INT $(cat ${PIDFILE}) ; ip link delete ${Interface} ; resolvconf -d ${Interface}"

This allows execution like:

$ netctl start vpn
$ netctl restart vpn
$ netctl stop vpn

Note that this relies on LOCAL_USERNAME having a gpg-agent running, with the passphrase for the PGP key already cached, as it is not possible for pass to trigger an interactive query from this environment.
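The profile above tears the tunnel down with kill -INT $(cat ${PIDFILE}) regardless of whether the PID file exists or still names an openconnect process, so after a crash a stale file can signal an unrelated process that has since reused the PID. The helper below is an added example, not part of the ArchWiki page, netctl or OpenConnect, that only signals a PID whose /proc entry is really openconnect and then performs the same cleanup as the profile. The script path /etc/netctl/openconnect-stop.sh and the PROC_ROOT override (used only so the check can be exercised against a fake /proc tree) are assumptions.

```shell
#!/bin/sh
# Added example, not from the ArchWiki page, netctl or OpenConnect: a safer
# replacement for the profile's ExecDownPre.  Save it as (hypothetical path)
# /etc/netctl/openconnect-stop.sh and set in the profile:
#   ExecDownPre="/etc/netctl/openconnect-stop.sh ${PIDFILE} ${Interface}"
#
# PROC_ROOT is a hypothetical override so the check can be tested against a
# fake /proc tree; leave it at the default on a real system.
PROC_ROOT="${PROC_ROOT:-/proc}"

# Print the PID stored in $1 if it belongs to a live openconnect process;
# otherwise print nothing and return 1 (missing file, garbage, dead or
# reused PID).
openconnect_pid_from_file() {
    pidfile="$1"
    [ -r "$pidfile" ] || return 1
    pid=$(head -n 1 "$pidfile" | tr -cd '0-9')
    [ -n "$pid" ] || return 1
    comm=$(cat "$PROC_ROOT/$pid/comm" 2>/dev/null) || return 1
    [ "$comm" = "openconnect" ] || return 1
    printf '%s\n' "$pid"
}

# Tear the tunnel down: SIGINT lets openconnect restore routes and DNS
# through its vpnc-script; the rest mirrors the profile's cleanup and is
# tolerant of the interface or resolvconf entry already being gone.
stop_openconnect() {
    pidfile="$1"
    iface="$2"
    if pid=$(openconnect_pid_from_file "$pidfile"); then
        kill -INT "$pid"
    else
        echo "no running openconnect recorded in $pidfile; skipping kill" >&2
    fi
    rm -f "$pidfile"
    ip link delete "$iface" 2>/dev/null || true
    resolvconf -d "$iface" 2>/dev/null || true
}

# netctl evaluates ExecDownPre as a command line, so the script takes the
# PID file and interface as arguments; with no arguments it only defines
# the functions.
if [ $# -eq 2 ]; then
    stop_openconnect "$1" "$2"
fi
```

The check reads /proc/PID/comm rather than trusting the PID file alone because the file is written once by openconnect --background and is never cleaned up if the process dies unexpectedly; the pidfile is removed in every case so the next netctl start begins from a clean state.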

See also