
I want to connect to my workplace PaloAlto GlobalProtect VPN. The problem: there is no Linux client (or I can use Linux, but it requires the cooperation of the IT group...)

ozma

4 Answers


I have recently extended the fantastic open-source VPN client OpenConnect to support the PAN GlobalProtect VPN, both in its SSL-VPN and IPsec/ESP modes.

This is a work in progress, but I've been using it for real work already and it works very well for me. Having other people test it would be awesome and I welcome your feedback!

Build the globalprotect branch from this repository: https://github.com/dlenski/openconnect

... and then run it like this to test it (you can omit the --certificate part if your VPN doesn't use a client certificate):

$ ./openconnect --protocol=gp [--certificate=my_cert_with_pk.pem] \
              server.company.com --dump -vvv
Please enter your username and password.
Username: 
Password: 

Currently it only supports username, password, and optionally client certificate authentication… since that's the only example I have. But I'd welcome feedback if there are other authentication methods in use out there.

PS- For my VPN, the VPN tunnel server is the same as the VPN "portal" server, but your VPN may differ. Try using both the "Portal address" and the "GlobalProtect Gateway IP" shown in the Windows client with OpenConnect:

[GlobalProtect Windows client]

Dan
  • That's just perfect! The only solution that worked for me without asking the admins any extra configuration questions! I hope it makes its way to the official release – Eugene Sh. Oct 23 '16 at 23:05
  • Awesome! You are the second person to use it successfully :). Please report any issues on the Github tracker, so I don't bug the official mailing list too much until it makes it into the release. – Dan Oct 23 '16 at 23:35
  • BTW, I am not much into VPNs, so forgive my question. When I am connecting via the GP client, I am using a specific gateway (vpn.company.com), which is then somehow allowing me to connect to one of different other locations (vpn1.company.com, vpn2.company.com etc). With OpenConnect I can connect to either vpn.company.com or to any of the other vpnx explicitly. Is there a way of choosing the specific location when connecting to the main gateway? – Eugene Sh. Oct 24 '16 at 13:54
  • I'm not sure what you're asking. OpenConnect should work with any of the gateway servers... does it? The official client can be "locked down" to direct you to a specific gateway, but openconnect does not care about the profile which directs you to a particular server. – Dan Oct 24 '16 at 14:34
  • Oh well, I guess it's the terminology... So I think my "portal" is vpn.company.com, while it allows me to connect to either of multiple "gateways". So I guess I am asking about the way to get the list of the gateways from the portal? – Eugene Sh. Oct 24 '16 at 14:52
  • Ah, yes. There is a configuration page at /global-protect/getconfig.esp which gives a user-specific list of allowed gateways, but it's not actually necessary for connecting so I haven't added any support for fetching it to OC yet. Generally, the easiest approach is just to connect to the desired server in the Windows client and then copy the gateway address. – Dan Oct 24 '16 at 15:03
  • @EugeneSh., I added a quick Python script called globalprotect-list-gateways.py to pull up the list of gateway servers from the portal server: ./globalprotect-list-gateways.py --user Username --password Password --certificate certfile.pem portal.company.com – Dan Oct 24 '16 at 18:49
  • Cool, thanks. Now I need it to be packaged for Fedora and have a NetworkManager plugin (well, just kidding. It is working now pretty well) :) – Eugene Sh. Oct 24 '16 at 18:54
  • Don't hold your breath ;-). But I think adding it to the NM plugin will be rather straightforward. – Dan Oct 24 '16 at 19:03
  • By the way, @EugeneSh., is the IPsec/ESP connection working for you, or only the slower SSL-VPN? OpenConnect should output ESP session established with server if ESP setup is successful. Figuring out the ESP part was trickier and I'm not 100% sure my version will work for all servers. – Dan Oct 25 '16 at 18:50
  • @Dan: Hello there, I have been trying to get this to work with my setup i.e. from within my Ubuntu VM (guest) running on my Mac (host). The Mac comes installed with the GP VPN client and works fine. But within the VM, I am unable to work with entities that are behind the VPN. I gave your instructions a try and openconnect seems to connect fine (I think), but then it keeps repeatedly scrolling these messages: 'Send ESP probes for DPD; No work to do; sleeping for 5000 ms...; Received ESP packet of 85 bytes'. (Splitting this into two comments due to length limitations) [Part 1 of 2] – decimus phostle Nov 17 '17 at 06:48
  • Unfortunately I am still not able to connect to the corp LAN - name resolution is not working and neither am I able to ping/connect to the machines. Any chance you would be able to help debug? Thanks in advance. [Part 2 of 2] – decimus phostle Nov 17 '17 at 06:48
  • See recent issue reports in Github about HIP spoofing. You may need to try this (currently experimental) trick in order to get your VPN working. – Dan Nov 17 '17 at 21:24
  • Awesome!!! connect with "--protocol=gp" can work – 蔡宗容 Sep 25 '19 at 07:10

I spent some hours on that project and it really works:

https://github.com/dlenski/openconnect

I do not understand why today there is an Android application for GlobalProtect and there is no solution for Ubuntu or other Linux users.

So, I have to install many packages to perform these steps:

./autogen.sh
./configure

Don't give up! Best regards

edwinksl
LeoJava
  • Is it possible you could expand on this further, and explain how it would work from within a Windows Virtual Machine, hosted on an Ubuntu machine? – AnotherKiwiGuy Nov 18 '16 at 03:36

(assuming the VPN subnet is "10.0.0.0/255.0.0.0"; adjust it to your needs)

  1. Install a Win 7 VM.
  2. Install and configure VPN access in the Win VM and share the internet connection of the VPN virtual adapter.
  3. In VirtualBox go to: File -> Preferences -> Network -> Host-only Networks -> add a network and modify it to have the following IP 192.168.137.100 *see troubleshooting 1
  4. Make a backup of /etc/resolv.conf.
  5. (I am now on Ubuntu 15.10) Set DNS manually in your connection config to be 192.168.137.1 and some other DNS which is not in the VM and not in the VPN (e.g. your router IP, ISP DNS IP etc.). (The old trick was not perfect: replace "nameserver whatever" with "nameserver 192.168.137.1".) You can "nslookup google.com" and see the DNS IP in the reply.
  6. Add the route: "route add -net 10.0.0.0 netmask 255.0.0.0 gw 192.168.137.1"

Troubleshooting: 1. In the Win VM check the IP of the host-only adapter, then make sure vboxnet0 is in the same subnet; try to ping the vbox-net-adapter IP that is in the Win machine.

ozma

My working configuration Linux host ifconfig:

vboxnet0  Link encap:Ethernet  HWaddr 0a:ee:27:00:09:00  
          inet addr:192.168.137.100  Bcast:192.168.137.255  Mask:255.255.255.0
          inet6 addr: fe80::800:27ff:fe00:0/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1340 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:0 (0.0 B)  TX bytes:429784 (429.7 KB)

wlan0     Link encap:Ethernet  HWaddr 82:49:34:1a:a6:e9  
          inet addr:10.157.48.55  Bcast:10.157.48.255  Mask:255.255.255.0
          inet6 addr: fe80::8219:34ff:fe15:a6e9/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:10935 errors:0 dropped:0 overruns:0 frame:0
          TX packets:9571 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:6235519 (6.2 MB)  TX bytes:2625822 (2.6 MB)

Linux host route:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         10.157.48.1     0.0.0.0         UG    400    0        0 wlan0
10.0.0.0        192.168.137.1   255.0.0.0       UG    0      0        0 vboxnet0
link-local      *               255.255.0.0     U     1000   0        0 wlan0
192.168.137.0   *               255.255.255.0   U     100    0        0 vboxnet0

~$ netstat -nr

Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         10.157.48.1     0.0.0.0         UG        0 0          0 wlan0
10.0.0.0        192.168.137.1   255.0.0.0       UG        0 0          0 vboxnet0
169.254.0.0     0.0.0.0         255.255.0.0     U         0 0          0 wlan0
192.168.137.0   0.0.0.0         255.255.255.0   U         0 0          0 vboxnet0

Windows ipconfig:

Ethernet adapter VPN:

   Connection-specific DNS Suffix  . :
   Link-local IPv6 Address . . . . . : fe80::a0fd:e08a:6a52:87db%12
   IPv4 Address. . . . . . . . . . . : 10.7.8.23
   Subnet Mask . . . . . . . . . . . : 255.255.255.255
   Default Gateway . . . . . . . . . :

Ethernet adapter vboxnet0:

   Connection-specific DNS Suffix  . :
   Link-local IPv6 Address . . . . . : fe80::a4bb:6e53:572:5682%13
   IPv4 Address. . . . . . . . . . . : 192.168.137.1
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . :

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Link-local IPv6 Address . . . . . : fe80::90de:f93f:b73d:871f%11
   IPv4 Address. . . . . . . . . . . : 10.0.2.15
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.0.2.2
ozma
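The six-step procedure above ends with a manual DNS change and a `route add`, and the ifconfig/route dumps in this answer show what a correct result looks like. The script below is an added example (it is not part of either answer, and not an OpenConnect or VirtualBox tool): two small checks that read a routing table and a resolv.conf from stdin and confirm that the VPN subnet really is routed via the Windows VM's host-only address and that the VM is listed as a resolver, so a broken step 5 or 6 is caught before you blame the VPN. The subnet 10.0.0.0/255.0.0.0 and gateway 192.168.137.1 are the values from the answer; the function names and the embedded sample tables are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original answers): sanity checks for the
# "Windows VM as VPN gateway" setup. Both checks read text on stdin, so they
# run against live output or saved copies:
#   netstat -nr | vpn_route_present 10.0.0.0 255.0.0.0 192.168.137.1
#   resolver_present 192.168.137.1 < /etc/resolv.conf

# Constructed sample routing table, modelled on the answer's `netstat -nr`.
SAMPLE_ROUTES='Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         10.157.48.1     0.0.0.0         UG        0 0          0 wlan0
10.0.0.0        192.168.137.1   255.0.0.0       UG        0 0          0 vboxnet0
169.254.0.0     0.0.0.0         255.255.0.0     U         0 0          0 wlan0
192.168.137.0   0.0.0.0         255.255.255.0   U         0 0          0 vboxnet0'

# Constructed sample resolv.conf (step 5: the VM first, a non-VPN resolver second).
SAMPLE_RESOLV='nameserver 192.168.137.1
nameserver 10.157.48.1'

# vpn_route_present DEST NETMASK GATEWAY
# Exit 0 only if some line routes exactly DEST/NETMASK via GATEWAY with the
# G (gateway) flag set, i.e. step 6's `route add -net ... gw ...` is in effect.
vpn_route_present() {
    awk -v d="$1" -v m="$2" -v g="$3" '
        $1 == d && $3 == m && $2 == g && index($4, "G") { found = 1 }
        END { exit (found ? 0 : 1) }'
}

# resolver_present IP
# Exit 0 only if a "nameserver IP" line is present (step 5).
resolver_present() {
    awk -v ip="$1" '
        $1 == "nameserver" && $2 == ip { found = 1 }
        END { exit (found ? 0 : 1) }'
}

# check_setup DEST NETMASK GATEWAY ROUTES_TEXT RESOLV_TEXT
# Prints one verdict line per check; returns 0 only when both pass.
check_setup() {
    ok=1
    if printf '%s\n' "$4" | vpn_route_present "$1" "$2" "$3"; then
        echo "route: $1/$2 via $3 present"
    else
        echo "route: $1/$2 via $3 MISSING (redo step 6)"
        ok=0
    fi
    if printf '%s\n' "$5" | resolver_present "$3"; then
        echo "dns: $3 is listed as a resolver"
    else
        echo "dns: $3 is not listed as a resolver (see step 5)"
        ok=0
    fi
    [ "$ok" -eq 1 ]
}

# Run against the constructed samples when executed directly.
check_setup 10.0.0.0 255.0.0.0 192.168.137.1 "$SAMPLE_ROUTES" "$SAMPLE_RESOLV"
```

To check a live machine, replace the two sample variables with `netstat -nr` output and the contents of /etc/resolv.conf (or pipe them straight into the two functions as shown in the header comment). The route check deliberately requires an exact destination, netmask and gateway match with the G flag: a route that exists but points at the wrong vboxnet address, or covers a different prefix, is exactly the failure mode the troubleshooting note describes.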