Connection with GUI works, but not with CLI using the same credentials #443

Open
kzawad1-ces opened this issue Nov 21, 2024 · 9 comments

@kzawad1-ces

Describe the bug
Connection using the GlobalProtect-openconnect GUI works (with the Linux client), but fails with the CLI. The error indicates "Invalid user name", but I have used the same username and password as in the GUI. I even cleared the credentials within the GUI, and it worked when copying and pasting the same credentials from a text file.

Expected behavior
Should be able to connect using the CLI just as easily as the GUI.

Logs

  • For the GUI version, you can find the logs at ~/.local/share/gpclient/gpclient.log
  • For the CLI version, copy the output of the gpclient command.

(NOTE: remove the personal data from log)

kris@dev-1:~$ gpclient --ignore-tls-errors connect z.z.z.z
[2024-11-21T19:13:49Z INFO  gpclient::cli] gpclient started: 2.1.2 (2024-03-29)
[2024-11-21T19:13:49Z INFO  gpclient::cli] TLS errors will be ignored
[2024-11-21T19:13:49Z INFO  gpapi::portal::prelogin] Prelogin with user_agent: PAN GlobalProtect
Enter login credentials (Portal: z.z.z.z)
> Username: User1
> Password: ********
[2024-11-21T19:14:02Z INFO  gpapi::portal::config] Portal config, user_agent: PAN GlobalProtect
[2024-11-21T19:14:03Z INFO  gpclient::connect] Connecting to the only available gateway: ROC-GW (z.z.z.z)
[2024-11-21T19:14:03Z INFO  gpapi::gateway::login] Gateway login, user_agent: PAN GlobalProtect
[2024-11-21T19:14:03Z WARN  gpapi::gateway::login] Gateway login error: reason=<none>, status=512 <unknown status code>, response=
    var respStatus = "Error";
    var respMsg = "Authentication failure: Invalid username or password";
    thisForm.inputStr.value = "";
    
    
[2024-11-21T19:14:03Z INFO  gpclient::connect] Gateway login failed: Gateway login error, reason: <none>
[2024-11-21T19:14:03Z INFO  gpclient::connect] Performing the gateway authentication...
[2024-11-21T19:14:03Z INFO  gpapi::portal::prelogin] Prelogin with user_agent: PAN GlobalProtect
Enter login credentials (Gateway: z.z.z.z)
> Username: User1
> Password: ********
[2024-11-21T19:14:21Z INFO  gpapi::gateway::login] Gateway login, user_agent: PAN GlobalProtect
[2024-11-21T19:14:21Z INFO  openconnect::ffi] openconnect version: v9.12-1build5
[2024-11-21T19:14:21Z INFO  openconnect::ffi] User agent: PAN GlobalProtect
[2024-11-21T19:14:21Z INFO  openconnect::ffi] VPNC script: /usr/share/vpnc-scripts/vpnc-script
[2024-11-21T19:14:21Z INFO  openconnect::ffi] OS: linux
[2024-11-21T19:14:21Z INFO  openconnect::ffi] CSD_USER: 1000
[2024-11-21T19:14:21Z INFO  openconnect::ffi] CSD_WRAPPER: (null)
[2024-11-21T19:14:21Z INFO  openconnect::ffi] MTU: 0
[2024-11-21T19:14:21Z INFO  openconnect::ffi] POST https://z.z.z.z/ssl-vpn/getconfig.esp
[2024-11-21T19:14:21Z INFO  openconnect::ffi] Connected to z.z.z.z:443
[2024-11-21T19:14:21Z INFO  openconnect::ffi] SSL negotiation with z.z.z.z
[2024-11-21T19:14:22Z INFO  openconnect::ffi] Server certificate verify failed: signer not found
[2024-11-21T19:14:22Z INFO  openconnect::ffi] Validating peer cert: signer not found
[2024-11-21T19:14:22Z INFO  openconnect::ffi] Connected to HTTPS on z.z.z.z with ciphersuite (TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA256)-(AES-256-GCM)
[2024-11-21T19:14:22Z INFO  openconnect::ffi] Tunnel timeout (rekey interval) is 180 minutes.
[2024-11-21T19:14:22Z INFO  openconnect::ffi] Idle timeout is 180 minutes.
[2024-11-21T19:14:22Z WARN  openconnect::ffi] No MTU received. Calculated 1422 for ESP tunnel
[2024-11-21T19:14:22Z INFO  openconnect::ffi] POST https://z.z.z.z/ssl-vpn/hipreportcheck.esp
[2024-11-21T19:14:22Z INFO  openconnect::ffi] ESP session established with server
[2024-11-21T19:14:22Z INFO  openconnect::ffi] ESP tunnel connected; exiting HTTPS mainloop.
[2024-11-21T19:14:22Z WARN  openconnect::ffi] Failed to bind local tun device (TUNSETIFF): Operation not permitted
[2024-11-21T19:14:22Z WARN  openconnect::ffi] To configure local networking, openconnect must be running as root
    See https://www.infradead.org/openconnect/nonroot.html for more information
[2024-11-21T19:14:22Z WARN  openconnect::ffi] Failed to bind local tun device (TUNSETIFF): Operation not permitted
[2024-11-21T19:14:22Z WARN  openconnect::ffi] To configure local networking, openconnect must be running as root
    See https://www.infradead.org/openconnect/nonroot.html for more information
[2024-11-21T19:14:22Z WARN  openconnect::ffi] Set up tun device failed
[2024-11-21T19:14:22Z INFO  openconnect::ffi] POST https://z.z.z.z/ssl-vpn/logout.esp
[2024-11-21T19:14:22Z INFO  openconnect::ffi] SSL negotiation with z.z.z.z
[2024-11-21T19:14:22Z INFO  openconnect::ffi] Server certificate verify failed: signer not found
[2024-11-21T19:14:22Z INFO  openconnect::ffi] Validating peer cert: signer not found
[2024-11-21T19:14:22Z INFO  openconnect::ffi] Connected to HTTPS on z.z.z.z with ciphersuite (TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA256)-(AES-256-GCM)
[2024-11-21T19:14:22Z WARN  openconnect::ffi] Invalid user name
[2024-11-21T19:14:22Z WARN  openconnect::ffi] Logout failed.
[2024-11-21T19:14:22Z INFO  openconnect::ffi] openconnect_mainloop returned -5, exiting
kris@dev-1:~$ 

Environment:

  • OS: Ubuntu 24.04.1 LTS
  • Desktop Environment: GNOME
  • Output of ps aux | grep 'gnome-keyring\|kwalletd5' | grep -v grep:
    kris 4755 0.0 0.1 316632 9984 ? SLsl 10:05 0:00 /usr/bin/gnome-keyring-daemon --foreground --components=pkcs11,secrets --control-directory=/run/user/1000/keyring
  • Is remote SSH? No


@yuezk
Owner

yuezk commented Nov 21, 2024

@kzawad1-ces you should run the cli as root.

@kzawad1-ces
Author

@yuezk I see what is happening now.

I tried the following commands:

sudo gpclient --ignore-tls-errors connect z.z.z.z
sudo gpauth z.z.z.z | sudo gpclient --ignore-tls-errors connect z.z.z.z

I thought that the reason it was prompting for a second login was that the credentials were not being entered correctly, or that there was a bug in the software (since the GUI does not do this) so they were not submitted correctly. However, this is not the case: if I inspect the output carefully, it is logging into two separate entities, the PORTAL and the GATEWAY. This is why it prompts twice.

kris@dev-1:~$ sudo gpclient --ignore-tls-errors connect z.z.z.z
[2024-11-22T14:23:50Z INFO  gpclient::cli] gpclient started: 2.1.2 (2024-03-29)
[2024-11-22T14:23:50Z INFO  gpclient::cli] TLS errors will be ignored
[2024-11-22T14:23:50Z INFO  gpapi::portal::prelogin] Prelogin with user_agent: PAN GlobalProtect
Enter login credentials (Portal: z.z.z.z)
> Username: User1
> Password: ********
[2024-11-22T14:24:05Z INFO  gpapi::portal::config] Portal config, user_agent: PAN GlobalProtect
[2024-11-22T14:24:06Z INFO  gpclient::connect] Connecting to the only available gateway: ROC-GW (z.z.z.z)
[2024-11-22T14:24:06Z INFO  gpapi::gateway::login] Gateway login, user_agent: PAN GlobalProtect
[2024-11-22T14:24:06Z WARN  gpapi::gateway::login] Gateway login error: reason=<none>, status=512 <unknown status code>, response=
    var respStatus = "Error";
    var respMsg = "Authentication failure: Invalid username or password";
    thisForm.inputStr.value = "";
    
    
[2024-11-22T14:24:06Z INFO  gpclient::connect] Gateway login failed: Gateway login error, reason: <none>
[2024-11-22T14:24:06Z INFO  gpclient::connect] Performing the gateway authentication...
[2024-11-22T14:24:06Z INFO  gpapi::portal::prelogin] Prelogin with user_agent: PAN GlobalProtect
Enter login credentials (Gateway: z.z.z.z)
> Username: User1
> Password: ********
[2024-11-22T14:24:24Z INFO  gpapi::gateway::login] Gateway login, user_agent: PAN GlobalProtect
[2024-11-22T14:24:24Z INFO  openconnect::ffi] openconnect version: v9.12-1build5
[2024-11-22T14:24:24Z INFO  openconnect::ffi] User agent: PAN GlobalProtect
[2024-11-22T14:24:24Z INFO  openconnect::ffi] VPNC script: /usr/share/vpnc-scripts/vpnc-script
[2024-11-22T14:24:24Z INFO  openconnect::ffi] OS: linux
[2024-11-22T14:24:24Z INFO  openconnect::ffi] CSD_USER: 1000
[2024-11-22T14:24:24Z INFO  openconnect::ffi] CSD_WRAPPER: (null)
[2024-11-22T14:24:24Z INFO  openconnect::ffi] MTU: 0
[2024-11-22T14:24:24Z INFO  openconnect::ffi] POST https://z.z.z.z/ssl-vpn/getconfig.esp
[2024-11-22T14:24:24Z INFO  openconnect::ffi] Connected to z.z.z.z:443
[2024-11-22T14:24:24Z INFO  openconnect::ffi] SSL negotiation with z.z.z.z
[2024-11-22T14:24:24Z INFO  openconnect::ffi] Server certificate verify failed: signer not found
[2024-11-22T14:24:24Z INFO  openconnect::ffi] Validating peer cert: signer not found
[2024-11-22T14:24:24Z INFO  openconnect::ffi] Connected to HTTPS on z.z.z.z with ciphersuite (TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA256)-(AES-256-GCM)
[2024-11-22T14:24:24Z INFO  openconnect::ffi] Tunnel timeout (rekey interval) is 180 minutes.
[2024-11-22T14:24:24Z INFO  openconnect::ffi] Idle timeout is 180 minutes.
[2024-11-22T14:24:24Z WARN  openconnect::ffi] No MTU received. Calculated 1422 for ESP tunnel
[2024-11-22T14:24:24Z INFO  openconnect::ffi] POST https://z.z.z.z/ssl-vpn/hipreportcheck.esp
[2024-11-22T14:24:24Z INFO  openconnect::ffi] ESP session established with server
[2024-11-22T14:24:24Z INFO  openconnect::ffi] ESP tunnel connected; exiting HTTPS mainloop.
/usr/share/vpnc-scripts/vpnc-script: 600: cannot open /var/run/vpnc/resolv.conf-backup.99525: No such file
[2024-11-22T14:24:26Z WARN  openconnect::ffi] Script '/usr/share/vpnc-scripts/vpnc-script' returned error 2
[2024-11-22T14:24:26Z INFO  openconnect::ffi] Using vhost-net for tun acceleration, ring size 32
[2024-11-22T14:24:26Z INFO  openconnect::vpn] Connected to VPN, pipe_fd: 14
[2024-11-22T14:24:26Z INFO  gpclient::connect] Wrote PID 99525 to /var/run/gpclient.lock
^C[2024-11-22T14:24:33Z INFO  gpclient::connect] Received the interrupt signal, disconnecting...
[2024-11-22T14:24:33Z INFO  openconnect::ffi] Stopping VPN connection: 14
[2024-11-22T14:24:33Z INFO  openconnect::ffi] POST https://z.z.z.z/ssl-vpn/logout.esp
[2024-11-22T14:24:33Z INFO  openconnect::ffi] SSL negotiation with z.z.z.z
[2024-11-22T14:24:33Z INFO  openconnect::ffi] Server certificate verify failed: signer not found
[2024-11-22T14:24:33Z INFO  openconnect::ffi] Validating peer cert: signer not found
[2024-11-22T14:24:33Z INFO  openconnect::ffi] Connected to HTTPS on z.z.z.z with ciphersuite (TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA256)-(AES-256-GCM)
[2024-11-22T14:24:33Z WARN  openconnect::ffi] Invalid user name
[2024-11-22T14:24:33Z WARN  openconnect::ffi] Logout failed.
[2024-11-22T14:24:33Z INFO  openconnect::ffi] openconnect_mainloop returned -4, exiting
[2024-11-22T14:24:33Z INFO  gpclient::connect] Removing PID file
kris@dev-1:~$ 

Now, I am trying to figure out how to make this usable, given that this software ties up the terminal. It is not organized as a background process with separate commands to configure and start/stop the process. So, to make it more usable, @yuezk can you tell me how to:

  • Save the credentials (maybe as a profile) and tell it to use the saved credentials to log in, instead of having to enter the username and password every time.

@yuezk
Owner

yuezk commented Nov 22, 2024

To resolve the issue of logging in two times, try passing the '--as-gateway' option to see if it works for you.

@kzawad1-ces
Author

@yuezk , I don't think this is available in my version because I am getting the following error:

kris@dev-1:~$ sudo gpclient --ignore-tls-errors connect z.z.z.z --as-gateway
error: unexpected argument '--as-gateway' found

  tip: a similar argument exists: '--gateway'

Usage: gpclient connect <SERVER|--gateway <GATEWAY>|--user <USER>|--script <SCRIPT>|--hip|--csd-user <CSD_USER>|--csd-wrapper <CSD_WRAPPER>|--mtu <MTU>|--user-agent <USER_AGENT>|--os <OS>|--os-version <OS_VERSION>|--hidpi|--clean>

For more information, try '--help'.
kris@dev-1:~$ 

The help information is the following, and it does not have that option:

kris@dev-1:~$ sudo gpauth  --help
Usage: gpauth [OPTIONS] <SERVER>

Arguments:
  <SERVER>  

Options:
      --gateway                      
      --saml-request <SAML_REQUEST>  
      --user-agent <USER_AGENT>      [default: "PAN GlobalProtect"]
      --os <OS>                      [default: Linux] [possible values: Linux, Windows, Mac]
      --os-version <OS_VERSION>      
      --hidpi                        
      --fix-openssl                  
      --ignore-tls-errors            
      --clean                        
  -h, --help                         Print help
  -V, --version                      Print version
kris@dev-1:~$ sudo gpclient --help
gpclient 2.1.2 (2024-03-29)
Kevin Yue <k3vinyue@gmail.com>

The GlobalProtect VPN client, based on OpenConnect, supports the SSO authentication method.

Usage: gpclient [OPTIONS] <COMMAND>

Commands:
  connect     Connect to a portal server
  disconnect  Disconnect from the server
  launch-gui  Launch the GUI
  help        Print this message or the help of the given subcommand(s)

Options:
      --fix-openssl        Get around the OpenSSL `unsafe legacy renegotiation` error
      --ignore-tls-errors  Ignore the TLS errors
  -h, --help               Print help
  -V, --version            Print version

See 'gpclient help <command>' for more information on a specific command.
kris@dev-1:~$ sudo gpclient connect --help
Connect to a portal server

Usage: gpclient connect [OPTIONS] <SERVER>

Arguments:
  <SERVER>  The portal server to connect to

Options:
  -g, --gateway <GATEWAY>          The gateway to connect to, it will prompt if not specified
  -u, --user <USER>                The username to use, it will prompt if not specified
  -s, --script <SCRIPT>            The VPNC script to use
      --hip                        Use the default CSD wrapper to generate the HIP report and send it to the server
      --csd-user <CSD_USER>        Same as the '--csd-user' option in the openconnect command
      --csd-wrapper <CSD_WRAPPER>  Same as the '--csd-wrapper' option in the openconnect command
  -m, --mtu <MTU>                  Request MTU from server (legacy servers only)
      --user-agent <USER_AGENT>    The user agent to use [default: "PAN GlobalProtect"]
      --os <OS>                    [default: Linux] [possible values: Linux, Windows, Mac]
      --os-version <OS_VERSION>    
      --hidpi                      The HiDPI mode, useful for high resolution screens
      --clean                      Do not reuse the remembered authentication cookie
  -h, --help                       Print help
kris@dev-1:~$ 

The version information is the following:

kris@dev-1:~$ sudo gpauth  --version
gpauth 2.1.2 (2024-03-29)
kris@dev-1:~$ sudo gpclient --version
gpclient 2.1.2 (2024-03-29)
kris@dev-1:~$ 

Do I need to get a different version of the software?

@yuezk
Owner

yuezk commented Nov 22, 2024

It is released in https://github.com/yuezk/GlobalProtect-openconnect/releases/tag/v2.1.3, try upgrading the client.

@kzawad1-ces
Author

Ok, so that new version has that "as-gateway" command input. Now, I only get one prompt.

To upgrade, I did the following:

sudo apt remove globalprotect-openconnect
wget https://github.com/yuezk/GlobalProtect-openconnect/releases/download/v2.1.3/globalprotect-openconnect_2.1.3-1_amd64.deb
chmod 0777 globalprotect-openconnect_2.1.3-1_amd64.deb 
sudo apt install -y ./globalprotect-openconnect_2.1.3-1_amd64.deb 

Then connecting:

kris@dev-1:~/Downloads$ sudo gpclient --ignore-tls-errors connect z.z.z.z --as-gateway
[2024-11-22T15:43:38Z INFO  gpclient::cli] gpclient started: 2.1.3 (2024-04-07)
[2024-11-22T15:43:38Z INFO  gpclient::cli] TLS errors will be ignored
[2024-11-22T15:43:38Z INFO  gpclient::connect] Treating the server as a gateway
[2024-11-22T15:43:38Z INFO  gpclient::connect] Performing the gateway authentication...
[2024-11-22T15:43:38Z INFO  gpapi::portal::prelogin] Prelogin with user_agent: PAN GlobalProtect
[2024-11-22T15:43:38Z INFO  gpapi::portal::prelogin] Prelogin with params: {"ipv6-support": "yes", "clientos": "Linux", "cas-support": "yes", "clientVer": "4100", "tmp": "tmp", "default-browser": "1", "os-version": "Linux Ubuntu 24.04.1 LTS"}
Enter login credentials (Gateway: z.z.z.z)
> Username: User1
> Password: ********
[2024-11-22T15:44:06Z INFO  gpapi::gateway::login] Gateway login, user_agent: PAN GlobalProtect
[2024-11-22T15:44:06Z INFO  openconnect::ffi] openconnect version: v9.12-1build5
[2024-11-22T15:44:06Z INFO  openconnect::ffi] User agent: PAN GlobalProtect
[2024-11-22T15:44:06Z INFO  openconnect::ffi] VPNC script: /usr/share/vpnc-scripts/vpnc-script
[2024-11-22T15:44:06Z INFO  openconnect::ffi] OS: linux
[2024-11-22T15:44:06Z INFO  openconnect::ffi] CSD_USER: 1000
[2024-11-22T15:44:06Z INFO  openconnect::ffi] CSD_WRAPPER: (null)
[2024-11-22T15:44:06Z INFO  openconnect::ffi] MTU: 0
[2024-11-22T15:44:06Z INFO  openconnect::ffi] POST https://z.z.z.z/ssl-vpn/getconfig.esp
[2024-11-22T15:44:06Z INFO  openconnect::ffi] Connected to z.z.z.z:443
[2024-11-22T15:44:06Z INFO  openconnect::ffi] SSL negotiation with z.z.z.z
[2024-11-22T15:44:06Z INFO  openconnect::ffi] Server certificate verify failed: signer not found
[2024-11-22T15:44:06Z INFO  openconnect::ffi] Validating peer cert: signer not found
[2024-11-22T15:44:06Z INFO  openconnect::ffi] Connected to HTTPS on z.z.z.z with ciphersuite (TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA256)-(AES-256-GCM)
[2024-11-22T15:44:06Z INFO  openconnect::ffi] Tunnel timeout (rekey interval) is 180 minutes.
[2024-11-22T15:44:06Z INFO  openconnect::ffi] Idle timeout is 180 minutes.
[2024-11-22T15:44:06Z WARN  openconnect::ffi] No MTU received. Calculated 1422 for ESP tunnel
[2024-11-22T15:44:06Z INFO  openconnect::ffi] POST https://z.z.z.z/ssl-vpn/hipreportcheck.esp
[2024-11-22T15:44:06Z INFO  openconnect::ffi] ESP session established with server
[2024-11-22T15:44:06Z INFO  openconnect::ffi] ESP tunnel connected; exiting HTTPS mainloop.
[2024-11-22T15:44:07Z INFO  openconnect::ffi] Using vhost-net for tun acceleration, ring size 32
[2024-11-22T15:44:07Z INFO  openconnect::vpn] Connected to VPN, pipe_fd: 14
[2024-11-22T15:44:07Z INFO  gpclient::connect] Wrote PID 7437 to /var/run/gpclient.lock
^Z
[1]+  Stopped                 sudo gpclient --ignore-tls-errors connect z.z.z.z --as-gateway
kris@dev-1:~/Downloads$ 

Now, how do I save the credentials, just like in the GUI app?

@yuezk
Owner

yuezk commented Nov 25, 2024

Try this #381 (comment), which is available in 2.3.4.

@kzawad1-ces
Author

@yuezk , that example does work.

Now the struggle is having this run like a process. Linux has something called "network manager" and the "nmcli" command. nmcli is used to control the process in the background. Network manager allows me to create different connections and then tell the service to make a connection. I was hoping this would be similar.

However, this software is not designed/architected in the same way. I was trying to see if I can do this with "&" and have that session run in the background, or if I need to set up a systemd process for this.

Do you have a recommended way of running this "gpclient" on an Ubuntu server with no UI, and then running gpclient in the background?

@yuezk
Owner

yuezk commented Nov 28, 2024

> Do you have a recommended way of running this "gpclient" on an Ubuntu server with no UI, and then running gpclient in the background?

I prefer the systemd service if it works.
