This is a modified version of the fantastic open-source VPN client OpenConnect which supports the PAN GlobalProtect VPN in its native modes (SSL and ESP)—with no assistance or cooperation needed from your VPN administrators.
This is a work in progress.
That said, I've been using it for real work for many weeks, and it works very well for me.
Having other people test it would be awesome and I welcome your feedback! Please report any problems here on Github rather than bothering the OpenConnect mailing list, since this is not part of any official OpenConnect release.
If you are having trouble
authenticating to your GlobalProtect server, please run OpenConnect
with the --dump -vvv
flags to dump the authentication flow; please
compare the back-and-forth configuration requests to this anonymized
transcript
and include information about relevant differences in your issue
report.
Ubuntu 16.04 users can install from this PPA.
Please refer to the build requirements for the official releases of OpenConnect. This version has the exact same build dependencies as OpenConnect v7.06; modern versions of autoconf
, automake
, gcc
, libxml
, etc.
Under Debian-based or Ubuntu-based distributions, this should install the requirements:
$ sudo apt-get install build-essential autoconf automake libgnutls-dev libproxy-dev libxml2-dev libtool vpnc-scripts
Once you have all the build dependencies installed, checkout and build the globalprotect
branch from this repository.
$ git clone https://github.com/dlenski/openconnect.git
$ cd openconnect
$ git checkout globalprotect
$ ./autogen.sh
$ ./configure
$ make
Homebrew is required. To build and install into /usr/local
:
$ brew install pkg-config gettext gnutls lz4
$ export LIBTOOLIZE=glibtoolize
$ ./autogen.sh
$ ./configure --prefix=/usr/local --with-vpnc-script=/usr/local/etc/vpnc-script --disable-nls
$ make
$ make install
Please see this Gist on how to set up and use OpenConnect on the Mac. Don't forget to install vpnc-script
into /usr/local/etc
.
Run openconnect like this to test it with your GlobalProtect VPN
provider. (Include --certificate cert_with_privkey.pem
if your VPN
requires a client certificate and/or private key.)
$ ./openconnect --protocol=gp server.company.com --dump -vvv
Please enter your username and password.
Username:
Password:
Currently it only supports username, password, and optionally client certificate authentication… since that's the only example I have. But I'd welcome feedback if there are other authentication methods in use out there.
For my VPN, the VPN tunnel server is the same as the VPN "portal" server, but your VPN may differ. Try using both the "Portal address" and the "GlobalProtect Gateway IP" shown in the Windows client with OpenConnect:
You can also use get-globalprotect-config.py
to list the available gateway servers:
$ ./get-globalprotect-config.py [--cert client_cert_with_privkey.pem] portal.company.com
...
<gateways>
<cutoff-time>5</cutoff-time>
<external>
<list>
<entry name="gateway.company.com">
<priority>1</priority>
<manual>yes</manual>
<description>WowSuchGateway</description>
</entry>
</list>
</external>
</gateways>
...