Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

openconnect-args --certificate not working #363

Closed
jon-larsen opened this issue May 13, 2024 · 15 comments
Closed

openconnect-args --certificate not working #363

jon-larsen opened this issue May 13, 2024 · 15 comments

Comments

@jon-larsen
Copy link

Describe the bug
I have added openconnect-args=--certificate ~/work/paloalto/mycert.pem configuration in /etc/gpservice/gp.conf according to wiki, but the connection fails with Failed to connect portal with prelogin: Prelogin error: Valid client certificate is required.

Expected behavior
The connection should not fail, but instead accept the certificate and connect.

Logs

[2024-05-13T05:23:59Z INFO  gpclient::cli] gpclient started: 2.2.1 (2024-05-07)
[2024-05-13T05:23:59Z INFO  gpapi::portal::prelogin] Portal prelogin with user_agent: PAN GlobalProtect
[2024-05-13T05:24:01Z WARN  gpapi::portal::prelogin] Parse response error, response: <?xml version="1.0" encoding="UTF-8" ?>
    <prelogin-response>
    <status>Error</status>
    <ccusername></ccusername>
    <autosubmit>false</autosubmit>
    <msg>Valid client certificate is required</msg>
    <newmsg>Required client certificate not found. Please contact your IT administrator.</newmsg>
    <authentication-message>Enter login credentials</authentication-message>
    <username-label>Username</username-label>
    <password-label>Password</password-label>
    <panos-version>1</panos-version>
    <saml-default-browser>yes</saml-default-browser>
    
    <auth-api>no</auth-api><region>XXXXX</region>
    </prelogin-response>
[2024-05-13T05:24:01Z INFO  gpclient::connect] Failed to connect portal with prelogin: Prelogin error: Valid client certificate is required
[2024-05-13T05:24:01Z INFO  gpclient::connect] Trying the gateway authentication workflow...
[2024-05-13T05:24:01Z INFO  gpclient::connect] Performing the gateway authentication...
[2024-05-13T05:24:01Z INFO  gpapi::portal::prelogin] Gateway prelogin with user_agent: PAN GlobalProtect
[2024-05-13T05:24:02Z WARN  gpapi::portal::prelogin] Parse response error, response: <?xml version="1.0" encoding="UTF-8" ?>
    <prelogin-response>
    <status>Error</status>
    <ccusername></ccusername>
    <autosubmit>false</autosubmit>
    <msg>Valid client certificate is required</msg>
    <newmsg>Required client certificate not found. Please contact your IT administrator.</newmsg>
    <license>no</license>
    <authentication-message>Enter login credentials</authentication-message>
    <username-label>Username</username-label>
    <password-label>Password</password-label>
    <panos-version>1</panos-version>
    <saml-default-browser>yes</saml-default-browser>
    <auth-api>no</auth-api><region>XXXXX</region>
    </prelogin-response>

Error: Prelogin error: Valid client certificate is required

Environment:

  • OS: 22.04
  • Desktop Environment: KDE
  • Output of ps aux | grep 'gnome-keyring\|kwalletd5' | grep -v grep: [Required for secure store error]
  • Is remote SSH? No

Additional context

  • If I add the client certificate to my browser and open up the GlobalProtect portal through the browser, the client certificate is accepted.
  • If try to connect directly with openconnect, it accepts the certificate, but it fails because of SAML.
@yuezk
Copy link
Owner

yuezk commented May 13, 2024

Hi @jon-larsen /etc/gpservice/gp.conf is not supported in 2.0. The openconnect-args support will be moved to the gpclient command.

So if you used openconnect-args=--certificate ~/work/paloalto/mycert.pem before, then I can add support for usage like gpclient --certificate ~/work/paloalto/mycert.pem.

@jon-larsen
Copy link
Author

Ok, sounds very good 👍 Thanks!

@Captain-Barge
Copy link

I believe I might be having a similar issue. When I have previously used gpclient v1 I could successfully connect after adding openconnect-args=--servercert pin-sha256:xxxxxxx to /etc/gpservice/gp.conf.

On v2.2.1 I don't know how to specify this information, and when I run with sudo gpclient --ignore-tls-errors --fix-openssl connect vpn.myvpn.com:port -u myusername I get the error message below on repeat after inputting my password and 2FA.

[2024-05-16T18:28:05Z INFO openconnect::ffi] POST https://vpn.myvpn.com/ssl-vpn/hipreportcheck.esp
[2024-05-16T18:28:27Z WARN openconnect::ffi] GPST Dead Peer Detection detected dead peer!
[2024-05-16T18:28:27Z INFO openconnect::ffi] POST https://vpn.myvpn.com/ssl-vpn/getconfig.esp
[2024-05-16T18:28:27Z INFO openconnect::ffi] SSL negotiation with vpn.myvpn.com
[2024-05-16T18:28:27Z INFO openconnect::ffi] Server certificate verify failed: signer not found
[2024-05-16T18:28:27Z INFO openconnect::ffi] Validating peer cert: signer not found
[2024-05-16T18:28:27Z INFO openconnect::ffi] Connected to HTTPS on vpn.myvpn.com with ciphersuite (TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA256)-(AES-256-GCM)
[2024-05-16T18:28:27Z INFO openconnect::ffi] Tunnel timeout (rekey interval) is 180 minutes.
[2024-05-16T18:28:27Z INFO openconnect::ffi] Idle timeout is 180 minutes.
[2024-05-16T18:28:27Z WARN openconnect::ffi] Did not receive ESP keys and matching gateway in GlobalProtect config; tunnel will be TLS only.

How do I do the equivalent of adding openconnect-args=--servercert pin-sha256:xxxxxxx to /etc/gpservice/gp.conf in gpclient v2.2.1?

@martindorey
Copy link

Hi @jon-larsen /etc/gpservice/gp.conf is not supported in 2.0.

Be great if https://github.com/yuezk/GlobalProtect-openconnect/wiki/Configuration knew about that. (Off topic here but I wanted to try --reconnect-timeout 604800 --disable-ipv6.)

yuezk added a commit that referenced this issue May 19, 2024
@yuezk
feat: support client certificate authentication (related #363)
52b6fa6
@yuezk
Copy link
Owner

yuezk commented May 20, 2024
edited
Loading

Hi @jon-larsen, just added the client certificate authentication in 2.3.0, can you upgrade it to see if it works for you?

gpclient connect --certificate /path/to/your/certificate <...>

@Captain-Barge
Copy link

Captain-Barge commented May 20, 2024
edited
Loading

I believe I'm having the same issue as jon-larsen (I described my issue above). I've tried the new gpclient 2.3.0 (2024-05-20) this morning without success. Below are the commands I'm using along with what I expect are the relevant snippets of the console outputs. In both cases I get a GUI window prompt for my password, followed by another for my 2FA code. They both fail after I enter the 2FA code. I'm on Debian 12 x86_64.

Attempt with --fix-openssl

$ gpclient --ignore-tls-errors --fix-openssl connect vpn.my_vpn.com:123 -u my_username@my_vpn.com

[2024-05-20T18:06:06Z INFO gpclient::connect] Connecting to the selected gateway: XXX-gw-1 (vpn.my_vpn.com)
[2024-05-20T18:06:06Z INFO gpapi::gateway::login] Gateway login, user_agent: PAN GlobalProtect
[2024-05-20T18:07:12Z WARN gpapi::gateway::login] GP response error: reason=, status=512 , body=


var respStatus = "Error";
var respMsg = "";
thisForm.inputStr.value = "";


[2024-05-20T18:07:12Z INFO gpclient::connect] Gateway login failed: Gateway login error:

Attempt without --fix-openssl

$ gpclient --ignore-tls-errors connect vpn.my_vpn.com:123 -u my_username@my_vpn.com

[2024-05-20T18:16:40Z INFO openconnect::ffi] Connected to 12.345.678.910:123
[2024-05-20T18:16:40Z INFO openconnect::ffi] SSL negotiation with vpn.my_vpn.com
[2024-05-20T18:16:40Z INFO openconnect::ffi] Server certificate verify failed: signer not found
[2024-05-20T18:16:40Z INFO openconnect::ffi] Validating peer cert: signer not found
[2024-05-20T18:16:40Z INFO openconnect::ffi] Connected to HTTPS on vpn.my_vpn.com with ciphersuite (TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA256)-(AES-256-GCM)
[2024-05-20T18:16:40Z INFO openconnect::ffi] Tunnel timeout (rekey interval) is 180 minutes.
[2024-05-20T18:16:40Z INFO openconnect::ffi] Idle timeout is 180 minutes.
[2024-05-20T18:16:40Z WARN openconnect::ffi] Did not receive ESP keys and matching gateway in GlobalProtect config; tunnel will be TLS only.
[2024-05-20T18:16:40Z WARN openconnect::ffi] No MTU received. Calculated 1455 for SSL tunnel. No ESP keys received
[2024-05-20T18:16:40Z INFO openconnect::ffi] POST https://vpn.my_vpn.com/ssl-vpn/hipreportcheck.esp

@yuezk
Copy link
Owner

yuezk commented May 21, 2024

Hi @Captain-Barge the --fix-openssl option may not be necessary in your case. I have set openconnect to ignore the server certificate error in 2.x, so the --servercert option may not required.

Can you post the full logs of the following two commands, so that I can have a full picture of the problem? Thanks.

  1. gpclient --ignore-tls-errors connect vpn.my_vpn.com:123 -u my_username@my_vpn.com
  2. gpclient connect vpn.my_vpn.com:123 -u my_username@my_vpn.com

@jon-larsen
Copy link
Author

Hi @jon-larsen, just added the client certificate authentication in 2.3.0, can you upgrade it to see if it works for you?

gpclient connect --certificate /path/to/your/certificate <...>

It works! Nice! :) Tested both with password protected and non-password protected certificate. Both works.
Openconnect also have an option to specify the certificate key separately, if you want to add the same functionality.

@yuezk
Copy link
Owner

yuezk commented May 21, 2024

Openconnect also have an option to specify the certificate key separately, if you want to add the same functionality.

This client has this option as well. If the certificate specified via the --certificate option doesn't include the private key, it will ask you to specify the private key via the -k (--sslkey) option.

@yuezk
Copy link
Owner

yuezk commented May 21, 2024

Also, the key password can be specified via the -p (--key-password) option, to align with the OpenConnect client. @jon-larsen

@jon-larsen
Copy link
Author

Openconnect also have an option to specify the certificate key separately, if you want to add the same functionality.

This client has this option as well. If the certificate specified via the --certificate option doesn't include the private key, it will ask you to specify the private key via the -k (--sslkey) option.

I see, okay!

I just did a test, but it failed:

[2024-05-21T02:44:51Z INFO  gpapi::gp_params] Using client certificate authentication...
[2024-05-21T02:44:51Z INFO  gpapi::gateway::login] Gateway login, user_agent: PAN GlobalProtect
[2024-05-21T02:44:52Z INFO  openconnect::ffi] openconnect version: v8.20-1
[2024-05-21T02:44:52Z INFO  openconnect::ffi] User agent: PAN GlobalProtect
[2024-05-21T02:44:52Z INFO  openconnect::ffi] VPNC script: /usr/share/vpnc-scripts/vpnc-script
[2024-05-21T02:44:52Z INFO  openconnect::ffi] OS: linux
[2024-05-21T02:44:52Z INFO  openconnect::ffi] CSD_USER: 1000
[2024-05-21T02:44:52Z INFO  openconnect::ffi] CSD_WRAPPER: (null)
[2024-05-21T02:44:52Z INFO  openconnect::ffi] CERTIFICATE: ./xxx.cer
[2024-05-21T02:44:52Z INFO  openconnect::ffi] SSLKEY: ./xxx.key
[2024-05-21T02:44:52Z INFO  openconnect::ffi] RECONNECT_TIMEOUT: 300
[2024-05-21T02:44:52Z INFO  openconnect::ffi] MTU: 0
[2024-05-21T02:44:52Z INFO  openconnect::ffi] DISABLE_IPV6: 0
[2024-05-21T02:44:52Z INFO  openconnect::ffi] Setting client certificate: ./xxx.cer
[2024-05-21T02:44:52Z INFO  openconnect::ffi] POST https://xxxxxxxxxxxxxx/ssl-vpn/getconfig.esp
[2024-05-21T02:44:53Z INFO  openconnect::ffi] Connected to x.x.x.x:443
[2024-05-21T02:44:53Z WARN  openconnect::ffi] Failed to determine type of private key ./xxx.cer
[2024-05-21T02:44:53Z WARN  openconnect::ffi] Loading certificate failed. Aborting.
[2024-05-21T02:44:53Z WARN  openconnect::ffi] Failed to open HTTPS connection to xxxxxxxxxxxxxxxx
[2024-05-21T02:44:53Z WARN  openconnect::ffi] openconnect_make_cstp_connection failed

@yuezk
Copy link
Owner

yuezk commented May 21, 2024

@jon-larsen Thanks for your feedback, there is a bug in the implementation. I will fix it soon.

yuezk added a commit that referenced this issue May 21, 2024
@yuezk
fix: sslkey not working (related #363)
6caa8fc
@jon-larsen
Copy link
Author

I've tested the --sslkey argument in 2.3.1, and it works perfectly :)

@Captain-Barge
Copy link

Hi @Captain-Barge the --fix-openssl option may not be necessary in your case. I have set openconnect to ignore the server certificate error in 2.x, so the --servercert option may not required.

Can you post the full logs of the following two commands, so that I can have a full picture of the problem? Thanks.

1. `gpclient --ignore-tls-errors connect vpn.my_vpn.com:123 -u my_username@my_vpn.com`

2. `gpclient connect vpn.my_vpn.com:123 -u my_username@my_vpn.com`

Sorry for the delay (life got busy). Below is that info you requested (on gpclient 2.3.1):

$ gpclient connect vpn.my_vpn.com:123 -u username@my_vpn.com

[2024-05-27T14:12:09Z INFO gpclient::cli] gpclient started: 2.3.1 (2024-05-22)
[2024-05-27T14:12:09Z INFO gpapi::portal::prelogin] Portal prelogin with user_agent: PAN GlobalProtect
[2024-05-27T14:12:09Z INFO gpclient::connect] Failed to connect portal with prelogin: Network error: error sending request for url (https://vpn.my_vpn.com/global-protect/prelogin.esp): error trying to connect: error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:2092: (unable to get local issuer certificate)
[2024-05-27T14:12:09Z INFO gpclient::connect] Trying the gateway authentication workflow...
[2024-05-27T14:12:09Z INFO gpclient::connect] Performing the gateway authentication...
[2024-05-27T14:12:09Z INFO gpapi::portal::prelogin] Gateway prelogin with user_agent: PAN GlobalProtect

Error: Network error: error sending request for url (https://vpn.my_vpn.com/ssl-vpn/prelogin.esp): error trying to connect: error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:2092: (unable to get local issuer certificate)

Re-run it with the --ignore-tls-errors option to ignore the certificate error, e.g.:

gpclient --ignore-tls-errors connect vpn.my_vpn.com:123 -u username@my_vpn.com

$ gpclient --ignore-tls-errors connect vpn.my_vpn.com:123 -u username@my_vpn.com

[2024-05-27T14:12:57Z INFO gpclient::cli] gpclient started: 2.3.1 (2024-05-22)
[2024-05-27T14:12:57Z INFO gpclient::cli] TLS errors will be ignored
[2024-05-27T14:12:57Z INFO gpapi::portal::prelogin] Portal prelogin with user_agent: PAN GlobalProtect
[2024-05-27T14:12:57Z INFO gpauth::cli] gpauth started: 2.3.1 (2024-05-22)
[2024-05-27T14:12:57Z INFO gpauth::cli] TLS errors will be ignored
[2024-05-27T14:12:57Z INFO gpauth::auth_window] Open auth window, user_agent: PAN GlobalProtect

** (gpauth:59680): WARNING **: 07:12:57.650: webkit_settings_set_enable_offline_web_application_cache is deprecated and does nothing.
[2024-05-27T14:12:57Z INFO gpauth::auth_window] Auth window user agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.0 Safari/605.1.15
[2024-05-27T14:12:57Z INFO gpauth::auth_window] Load the SAML request as URI...
[2024-05-27T14:12:58Z INFO gpauth::auth_window] Loaded uri: https://s**********m/saml2/sp/DIAEXA2BG1C05XZP84KM/sso?SAMLRequest=h**********b&RelayState=%2B**********x
[2024-05-27T14:12:58Z INFO gpauth::auth_window] Trying to read auth data from response headers...
[2024-05-27T14:12:58Z INFO gpauth::auth_window] No saml-auth-status header found
[2024-05-27T14:12:58Z INFO gpauth::auth_window] No auth data found in headers, trying to read from body...
[2024-05-27T14:12:58Z INFO gpauth::auth_window] Failed to read auth data from body: No auth data found
[2024-05-27T14:12:58Z INFO gpauth::auth_window] No auth data found, it may not be the /SAML20/SP/ACS endpoint
[2024-05-27T14:12:58Z INFO gpauth::auth_window] Raise window in 1 second(s)
[2024-05-27T14:13:00Z INFO gpauth::auth_window] Loaded uri: https://a**********m/login/?authkey=A**********M&scid=e**********a
[2024-05-27T14:13:00Z INFO gpauth::auth_window] Trying to read auth data from response headers...
[2024-05-27T14:13:00Z INFO gpauth::auth_window] No saml-auth-status header found
[2024-05-27T14:13:00Z INFO gpauth::auth_window] No auth data found in headers, trying to read from body...
[2024-05-27T14:13:00Z INFO gpauth::auth_window] Failed to read auth data from body: No auth data found
[2024-05-27T14:13:00Z INFO gpauth::auth_window] No auth data found, it may not be the /SAML20/SP/ACS endpoint
[2024-05-27T14:13:07Z INFO gpauth::auth_window] Loaded uri: https://a**********m/frame/frameless/v4/auth?sid=f**********8&tx=e**********Q&req-trace-group=9**********c
[2024-05-27T14:13:07Z INFO gpauth::auth_window] Trying to read auth data from response headers...
[2024-05-27T14:13:07Z INFO gpauth::auth_window] No saml-auth-status header found
[2024-05-27T14:13:07Z INFO gpauth::auth_window] No auth data found in headers, trying to read from body...
[2024-05-27T14:13:07Z INFO gpauth::auth_window] Failed to read auth data from body: No auth data found
[2024-05-27T14:13:07Z INFO gpauth::auth_window] No auth data found, it may not be the /SAML20/SP/ACS endpoint
[2024-05-27T14:13:08Z INFO gpauth::auth_window] Loaded uri: https://a**********m/frame/v4/preauth/healthcheck?sid=f**********8
[2024-05-27T14:13:08Z INFO gpauth::auth_window] Trying to read auth data from response headers...
[2024-05-27T14:13:08Z INFO gpauth::auth_window] No saml-auth-status header found
[2024-05-27T14:13:08Z INFO gpauth::auth_window] No auth data found in headers, trying to read from body...
[2024-05-27T14:13:08Z INFO gpauth::auth_window] Failed to read auth data from body: No auth data found
[2024-05-27T14:13:08Z INFO gpauth::auth_window] No auth data found, it may not be the /SAML20/SP/ACS endpoint
[2024-05-27T14:13:08Z INFO gpauth::auth_window] Loaded uri: https://a**********m/frame/frameless/v4/auth?sid=f**********8&tx=e**********Q
[2024-05-27T14:13:08Z INFO gpauth::auth_window] Trying to read auth data from response headers...
[2024-05-27T14:13:08Z INFO gpauth::auth_window] No saml-auth-status header found
[2024-05-27T14:13:08Z INFO gpauth::auth_window] No auth data found in headers, trying to read from body...
[2024-05-27T14:13:08Z INFO gpauth::auth_window] Failed to read auth data from body: No auth data found
[2024-05-27T14:13:08Z INFO gpauth::auth_window] No auth data found, it may not be the /SAML20/SP/ACS endpoint
[2024-05-27T14:13:10Z INFO gpauth::auth_window] Loaded uri: https://a**********m/duo/ASLXGJK4TX2JLUBMWJJA/callback?state=w**********h&duo_code=e**********o
[2024-05-27T14:13:10Z INFO gpauth::auth_window] Trying to read auth data from response headers...
[2024-05-27T14:13:10Z INFO gpauth::auth_window] No saml-auth-status header found
[2024-05-27T14:13:10Z INFO gpauth::auth_window] No auth data found in headers, trying to read from body...
[2024-05-27T14:13:10Z INFO gpauth::auth_window] Failed to read auth data from body: No auth data found
[2024-05-27T14:13:10Z INFO gpauth::auth_window] No auth data found, it may not be the /SAML20/SP/ACS endpoint
[2024-05-27T14:13:10Z WARN gpauth::auth_window] Failed to load uri: https://v**********m/SAML20/SP/ACS with error: Load request cancelled
[2024-05-27T14:13:10Z INFO gpauth::auth_window] Loaded uri: https://v**********m/SAML20/SP/ACS
[2024-05-27T14:13:10Z INFO gpauth::auth_window] Trying to read auth data from response headers...
[2024-05-27T14:13:10Z INFO gpauth::auth_window] Got auth data from headers
[2024-05-27T14:13:10Z INFO gpapi::portal::config] Portal config, user_agent: PAN GlobalProtect

Which gateway do you want to connect to? XYZ-gw-1 (vpn.my_vpn.com)
[2024-05-27T14:13:12Z INFO gpclient::connect] Connecting to the selected gateway: XYZ-gw-1 (vpn.my_vpn.com)
[2024-05-27T14:13:12Z INFO gpapi::gateway::login] Gateway login, user_agent: PAN GlobalProtect
[2024-05-27T14:13:12Z INFO openconnect::ffi] openconnect version: v9.01-3
[2024-05-27T14:13:12Z INFO openconnect::ffi] User agent: PAN GlobalProtect
[2024-05-27T14:13:12Z INFO openconnect::ffi] VPNC script: /usr/share/vpnc-scripts/vpnc-script
[2024-05-27T14:13:12Z INFO openconnect::ffi] OS: linux
[2024-05-27T14:13:12Z INFO openconnect::ffi] CSD_USER: 1000
[2024-05-27T14:13:12Z INFO openconnect::ffi] CSD_WRAPPER: (null)
[2024-05-27T14:13:12Z INFO openconnect::ffi] RECONNECT_TIMEOUT: 300
[2024-05-27T14:13:12Z INFO openconnect::ffi] MTU: 0
[2024-05-27T14:13:12Z INFO openconnect::ffi] DISABLE_IPV6: 0
[2024-05-27T14:13:12Z INFO openconnect::ffi] POST https://vpn.my_vpn.com/ssl-vpn/getconfig.esp
[2024-05-27T14:13:12Z INFO openconnect::ffi] Connected to 12.345.678.910:123
[2024-05-27T14:13:12Z INFO openconnect::ffi] SSL negotiation with vpn.my_vpn.com
[2024-05-27T14:13:12Z INFO openconnect::ffi] Server certificate verify failed: signer not found
[2024-05-27T14:13:12Z INFO openconnect::ffi] Accepting the server certificate though signer not found
[2024-05-27T14:13:12Z INFO openconnect::ffi] Connected to HTTPS on vpn.my_vpn.com with ciphersuite (TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA256)-(AES-256-GCM)
[2024-05-27T14:13:12Z INFO openconnect::ffi] Tunnel timeout (rekey interval) is 180 minutes.
[2024-05-27T14:13:12Z INFO openconnect::ffi] Idle timeout is 180 minutes.
[2024-05-27T14:13:12Z WARN openconnect::ffi] Did not receive ESP keys and matching gateway in GlobalProtect config; tunnel will be TLS only.
[2024-05-27T14:13:12Z WARN openconnect::ffi] No MTU received. Calculated 1455 for SSL tunnel. No ESP keys received
[2024-05-27T14:13:12Z INFO openconnect::ffi] POST https://vpn.my_vpn.com/ssl-vpn/hipreportcheck.esp
[2024-05-27T14:13:12Z WARN openconnect::ffi] WARNING: Server asked us to submit HIP report with md5sum 949ed8b133603e351a4db5783fd2988f.
VPN connectivity may be disabled or limited without HIP report submission.
You need to provide a --csd-wrapper argument with the HIP report submission script.
mkdir: cannot create directory ‘/var/run/vpnc’: Permission denied
[2024-05-27T14:13:12Z WARN openconnect::ffi] Failed to bind local tun device (TUNSETIFF): Operation not permitted
[2024-05-27T14:13:12Z WARN openconnect::ffi] To configure local networking, openconnect must be running as root
See https://www.infradead.org/openconnect/nonroot.html for more information
mkdir: cannot create directory ‘/var/run/vpnc’: Permission denied
[2024-05-27T14:13:12Z WARN openconnect::ffi] Failed to bind local tun device (TUNSETIFF): Operation not permitted
[2024-05-27T14:13:12Z WARN openconnect::ffi] To configure local networking, openconnect must be running as root
See https://www.infradead.org/openconnect/nonroot.html for more information
[2024-05-27T14:13:12Z WARN openconnect::ffi] Set up tun device failed
[2024-05-27T14:13:12Z INFO openconnect::ffi] POST https://vpn.my_vpn.com/ssl-vpn/logout.esp
[2024-05-27T14:13:12Z INFO openconnect::ffi] SSL negotiation with vpn.my_vpn.com
[2024-05-27T14:13:12Z INFO openconnect::ffi] Server certificate verify failed: signer not found
[2024-05-27T14:13:12Z INFO openconnect::ffi] Accepting the server certificate though signer not found
[2024-05-27T14:13:12Z INFO openconnect::ffi] Connected to HTTPS on vpn.my_vpn.com with ciphersuite (TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA256)-(AES-256-GCM)
[2024-05-27T14:13:12Z INFO openconnect::ffi] Logout successful.
[2024-05-27T14:13:12Z INFO openconnect::ffi] openconnect_mainloop returned -5, exiting

@yuezk
Copy link
Owner

yuezk commented Jul 7, 2024

I'm closing this because the original issue has been fixed.

@Captain-Barge feel free to file a new issue if it still doesn't work for you.

@yuezk yuezk closed this as completed Jul 7, 2024
@WillieMaddox WillieMaddox mentioned this issue Jul 30, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@yuezk @martindorey @jon-larsen @Captain-Barge