openconnect-cli

OpenConnect (with RSA securid support)

OpenConnect is an SSL VPN client initially created to support Cisco's AnyConnect SSL VPN. It has since been ported to support the Juniper SSL VPN which is now known as Pulse Connect Secure.

OpenConnect is released under the GNU Lesser Public License, version 2.1.

Like vpnc, OpenConnect is not officially supported by, or associated in any way with, Cisco Systems, Juniper Networks or Pulse Secure. It just happens to interoperate with their equipment.

Development of OpenConnect was started after a trial of the Cisco client under Linux found it to have many deficiencies:

  • Inability to use SSL certificates from a TPM or PKCS#11 smartcard, or even use a passphrase.
  • Lack of support for Linux platforms other than i386.
  • Lack of integration with NetworkManager on the Linux desktop.
  • Lack of proper (RPM/DEB) packaging for Linux distributions.
  • "Stealth" use of libraries with dlopen(), even using the development-only symlinks such as libz.so — making it hard to properly discover the dependencies which proper packaging would have expressed
  • Tempfile races allowing unprivileged users to trick it into overwriting arbitrary files, as root.
  • Unable to run as an unprivileged user, which would have reduced the severity of the above bug.
  • Inability to audit the source code for further such "Security 101" bugs.

Naturally, OpenConnect addresses all of the above issues, and more.

http://www.infradead.org/openconnect/

IMPORTANT NOTE:

This is a SailfishOS build of the latest OpenConnect release, version 7.08, including RSA SecurID support. The native SailfishOS VPN beta support (present at least on SailfishOS 2.1.3.7) already ships the package openconnect-3.15-1.1.15.armv7hl. To avoid conflicts with it, this package has been renamed to openconnect-cli, it provides a new binary called openconnect_7, and all libraries and related files are installed under /usr/local instead of /usr, so the preinstalled openconnect version is left untouched.

EXAMPLE USAGE:

$ devel-su
# ln -s /home/nemo/.stokenrc /root/.stokenrc
# openconnect_7 -u USERNAME --token-mode=rsa HOSTNAME

DEPENDENCIES:

stoken >= 0.92
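As an added example (not the package's or OpenConnect's own code), the procedure above wrapped in preflight checks: the stoken version, the permissions of the token seed file and the documented symlink are verified before openconnect_7 is started. It assumes stoken is installed as an rpm package, the paths from the instructions, and an optional certificate pin passed via --servercert (a flag not used in the instructions above).

```shell
#!/bin/sh
# Added example, not part of openconnect-cli or OpenConnect: preflight checks for the
# startup procedure above (stoken >= 0.92, /root/.stokenrc -> /home/nemo/.stokenrc),
# then the openconnect_7 command line. The rpm query and the optional pin are assumptions.

# version_ge A B: succeed when dotted version A >= B, comparing fields numerically.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0
    }'
}

# check_stokenrc HOME_RC ROOT_RC: the RSA token seed file must exist, must not be
# readable by group or others, and ROOT_RC must be the symlink the instructions create.
check_stokenrc() {
    home_rc=$1; root_rc=$2
    [ -f "$home_rc" ] || { echo "missing $home_rc" >&2; return 1; }
    if [ -n "$(find "$home_rc" -prune \( -perm -040 -o -perm -004 \) -print)" ]; then
        echo "$home_rc is readable by other users; chmod 600 it" >&2; return 1
    fi
    [ -L "$root_rc" ] && [ "$(readlink "$root_rc")" = "$home_rc" ] ||
        { echo "$root_rc is not a symlink to $home_rc" >&2; return 1; }
}

# build_cmd USER HOST [PIN]: the documented command line; an optional PIN such as
# sha256:<hex> is passed as --servercert so a changed server certificate aborts.
build_cmd() {
    cmd="openconnect_7 -u $1 --token-mode=rsa"
    [ -n "$3" ] && cmd="$cmd --servercert=$3"
    echo "$cmd $2"
}

# main USER HOST [PIN]: read the installed stoken version via rpm (SailfishOS is
# rpm-based), run the checks, then exec the client; must run as root (devel-su).
main() {
    ver=$(rpm -q --qf '%{VERSION}' stoken 2>/dev/null) || ver=0
    version_ge "$ver" 0.92 || { echo "stoken >= 0.92 required, found $ver" >&2; return 1; }
    check_stokenrc /home/nemo/.stokenrc /root/.stokenrc || return 1
    exec $(build_cmd "$@")   # word splitting is intended here
}
if [ $# -ge 2 ]; then main "$@"; fi
```

Run it as root after devel-su, e.g. sh preflight.sh USERNAME HOSTNAME (the file name is assumed); with no arguments the file only defines the functions.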

Application versions:

Attachment                            Size     Date
openconnect-cli-7.08-1.armv7hl.rpm    1.23 MB  04/01/2018 - 03:48
Changelog: 

As per original source: http://www.infradead.org/openconnect/download.html

The latest release is OpenConnect v7.08 (PGP signature), released on 2016-12-13 with the following changelog:

  • Add SHA256 support for server cert hashes.
  • Enable DHE ciphers for Cisco DTLS.
  • Increase initial oNCP configuration buffer size.
  • Reopen CONIN$ when stdin is redirected on Windows.
  • Improve support for point-to-point routing on Windows.
  • Check for non-resumed DTLS sessions which may indicate a MiTM attack.
  • Add TUNIDX environment variable on Windows.
  • Fix compatibility with Pulse Secure 8.2R5.
  • Fix IPv6 support in Solaris.
  • Support DTLS automatic negotiation.
  • Support --key-password for GnuTLS PKCS#11 PIN.
  • Support automatic DTLS MTU detection with OpenSSL.
  • Drop support for combined GnuTLS/OpenSSL build.
  • Update OpenSSL to allow TLSv1.2, improve compatibility options.
  • Remove --no-cert-check option. It was being (mis)used.
  • Fix OpenSSL support for PKCS#11 EC keys without public key.
  • Support for final OpenSSL 1.1 release.
  • Fix polling/retry on "tun" socket when buffers full.
  • Fix AnyConnect server-side MTU setting.
  • Fix ESP replay detection.
  • Allow build with LibreSSL (for fetishists only; do not use this as DTLS is broken).
  • Add certificate torture test suite.
  • Support PKCS#11 PIN via pin-value= and --key-password for OpenSSL.
  • Fix integer overflow issues with ESP packet replay detection.
  • Add --pass-tos option as in OpenVPN.
  • Support rôle selection form in Juniper VPN.
  • Support DER-format certificates, add certificate format torture tests.
  • For OpenSSL >= 1.0.2, fix certificate validation when only an intermediate CA is specified with the --cafile option.
  • Support Juniper "Pre Sign-in Message".

Comments

1chb:

Can this work with Sailfish X?

pamoedo:

Of course it works, I have tested it with SailfishX. Have you followed the instructions? Please note that once connected via terminal, you must keep that window minimized to keep the VPN tunnel active.