[OPEN] Issue with Openconnect via gnome-network-manager GUI

tdascal
Crewman
Posts: 3
Joined: Sun Nov 24, 2019 11:10 am

Post by tdascal »

Hi Folks,

I am running ArcoLinux D with Gnome. Full details below:

Code:

System:    Host: T490 Kernel: 5.8.10-arch1-1 x86_64 bits: 64 Desktop: GNOME 3.36.6 Distro: ArcoLinux 
Machine:   Type: Laptop System: LENOVO product: 20N2006MMX v: ThinkPad T490 serial: <superuser/root required> 
           Mobo: LENOVO model: 20N2006MMX v: SDK0J40697 WIN serial: <superuser/root required> UEFI: LENOVO v: N2IET87W (1.65 ) 
           date: 04/07/2020 
Battery:   ID-1: BAT0 charge: 41.8 Wh condition: 46.4/50.5 Wh (92%) 
CPU:       Info: Quad Core model: Intel Core i5-8265U bits: 64 type: MT MCP L2 cache: 6144 KiB 
           Speed: 625 MHz min/max: 400/3900 MHz Core speeds (MHz): 1: 600 2: 610 3: 600 4: 602 5: 600 6: 600 7: 600 8: 600 
Graphics:  Device-1: Intel UHD Graphics 620 driver: i915 v: kernel 
           Device-2: IMC Networks Integrated Camera type: USB driver: uvcvideo 
           Display: wayland server: X.Org 1.20.9 driver: modesetting resolution: 1920x1080~60Hz 
           OpenGL: renderer: Mesa Intel UHD Graphics 620 (WHL GT2) v: 4.6 Mesa 20.1.8 
Audio:     Device-1: Intel Cannon Point-LP High Definition Audio driver: snd_hda_intel 
           Sound Server: ALSA v: k5.8.10-arch1-1 
Network:   Device-1: Intel Cannon Point-LP CNVi [Wireless-AC] driver: iwlwifi 
           IF: wlp0s20f3 state: up mac: 50:e0:85:3d:d0:8d 
           Device-2: Intel Ethernet I219-V driver: e1000e 
           IF: enp0s31f6 state: down mac: 98:fa:9b:a8:01:f9 
Drives:    Local Storage: total: 238.47 GiB used: 22.27 GiB (9.3%) 
           ID-1: /dev/nvme0n1 vendor: Intel model: SSDPEKKF256G8L size: 238.47 GiB 
Partition: ID-1: / size: 224.77 GiB used: 22.27 GiB (9.9%) fs: ext4 dev: /dev/nvme0n1p2 
Swap:      ID-1: swap-1 type: partition size: 8.80 GiB used: 0 KiB (0.0%) dev: /dev/nvme0n1p3 
Sensors:   System Temperatures: cpu: 43.0 C mobo: N/A 
           Fan Speeds (RPM): cpu: 0 
Info:      Processes: 276 Uptime: 32m Memory: 38.85 GiB used: 2.02 GiB (5.2%) Shell: Bash inxi: 3.1.06 

My issue is with the VPN connection: when I try to activate it via the GUI, it always fails with "Login Failed".
When I try to connect via the command line with my account:

Code:

[tdascal@T490 ~]$ openconnect -u tdascal -v vpnserver

It generates the log below (modified for security reasons):

Code:

POST https://vpnserver
Attempting to connect to server 1.1.1.1:443
Connected to 1.1.1.1:443
SSL negotiation with vpnserver
Connected to HTTPS on vpnserver with ciphersuite (TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA512)-(AES-256-GCM)
Got HTTP response: HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Cache-Control: no-cache
Pragma: no-cache
Connection: Keep-Alive
Date: Thu, 24 Sep 2020 16:40:38 GMT
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Aggregate-Auth: 1
HTTP body chunked (-2)
XML POST enabled
Please enter your username and password.
GROUP: GROUP
POST https://vpnserver/
Got HTTP response: HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Cache-Control: no-cache
Pragma: no-cache
Connection: Keep-Alive
Date: Thu, 24 Sep 2020 16:40:38 GMT
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Aggregate-Auth: 1
HTTP body chunked (-2)
XML POST enabled
Please enter your username and password.
Password:
Password:
POST https://vpnserver/
Got HTTP response: HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Cache-Control: no-cache
Pragma: no-cache
Connection: Keep-Alive
Date: Thu, 24 Sep 2020 16:40:45 GMT
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Aggregate-Auth: 1
HTTP body chunked (-2)
TCP_INFO rcv mss 1379, snd mss 1448, adv mss 1448, pmtu 1500
Got CONNECT response: HTTP/1.1 200 OK
X-CSTP-Version: 1
X-CSTP-Protocol: Copyright (c) 2004 Cisco Systems, Inc.
Set up UDP failed; using SSL instead
Connected as 1.2.3.4 using SSL, with DTLS disabled
Failed to bind local tun device (TUNSETIFF): Operation not permitted
To configure local networking, openconnect must be running as root
See http://www.infradead.org/openconnect/nonroot.html for more information
Set up tun device failed
Unknown error; exiting.

If I run the above command with pkexec everything runs fine, but that is beside the point as I can easily make a bash script to toggle it on and off.

Now I do understand that openconnect needs to run as root, but how can I make it so that when I activate the VPN profile from the menu on the top right corner, the system will ask for the sudo password?

Thank you in advance for your feedback.
If I missed any relevant detail, please let me know.

Regards,
Tiberiu

Arcolinux Natto
recruit crewman
Posts: 2
Joined: Sun May 31, 2020 3:09 pm

Re: [OPEN] Issue with Openconnect via gnome-network-manager GUI

Post by Arcolinux Natto »

The link provided in the log file shows how to resolve this issue.
http://www.infradead.org/openconnect/nonroot.html

tdascal
Crewman
Posts: 3
Joined: Sun Nov 24, 2019 11:10 am

Re: [OPEN] Issue with Openconnect via gnome-network-manager GUI

Post by tdascal »

Thank you for your reply Natto.

I wish that was true, however I did test that specific solution before posting here, and had no positive results (also, tunsocks failed to install).

A workaround that I went with, until I find a proper solution, is as follows:
- I created a bash script that checks if any openconnect process is running, if yes, I can stop that process, or I can exit the script, otherwise, I start an openconnect process in the background with my specific details.
- I created a custom shortcut and attached it to a terminal that will execute the above bash script (e.g. alacritty -e my_vpn_script).

Now I have a different issue: when I close the terminal spawned through the shortcut, openconnect process stops, but if I run the command from a normal terminal window, and I close that one, I do not have the same results.

I did try to attach the shortcut directly to the script, but then I do not have the terminal window to prompt me if I have already started the process, and give me the option to stop or cancel.

Any suggestion, idea will be highly appreciated.

Regards,
Tiberiu

tdascal
Crewman
Posts: 3
Joined: Sun Nov 24, 2019 11:10 am

Re: [OPEN] Issue with Openconnect via gnome-network-manager GUI

Post by tdascal »

Howdy Folks,

So I did not find a more user-friendly solution to my issue, thus my final approach is based on a bash script.
The code is below:

Code:

#!/bin/bash

# check if pkexec is available, otherwise quit
if ! command -v pkexec &> /dev/null
then
	# printf is used because plain echo does not expand \n in bash
	printf 'This script cannot continue without pkexec.\nInstall pkexec for your distro and try again!\n'
	exit 1
fi

# check if openconnect is available, otherwise quit
if ! command -v openconnect &> /dev/null
then
	printf 'Openconnect is needed for this script to work.\nInstall openconnect and networkmanager-openconnect and try again\n'
	exit 1
fi


# set status (PIDs of running openconnect processes, empty if none)
STATUS=$(pgrep -x openconnect)

# use STATUS to build the logic
if [ -n "${STATUS}" ]
then
	echo "Process is already running ..."
	read -r -p "Do you want to end the current connection? [y/N] " response
	case "$response" in
		[yY])
			# -x matches the exact process name only, like the pgrep above
			pkexec pkill -x openconnect &> /dev/null
			sleep 1	# give openconnect a moment to exit
			# query again: STATUS still holds the PIDs from before pkill
			if ! pgrep -x openconnect > /dev/null
			then
				echo "VPN connection was closed"
			fi
			echo -ne '\n'
			exit 0
			;;
		*)
			echo "Current operation canceled ... "
			echo "VPN is running in background with PID $(pgrep -x openconnect)!"
			;;
	esac
else
	echo "Trying to enable VPN connection ..."
	# printf '%s' passes the values verbatim; echo -e would interpret backslashes in them
	printf '%s\n%s\n' "$VPN_PASSWORD" "$VPN_SECRET" | pkexec openconnect -u your_username -b your_vpn_server
	if [ $? -eq 0 ]
	then
		echo "VPN connection enabled ..."
		echo -ne '\n'
	else
		echo "Something went wrong. Connection not established!"
	fi
fi

CAUTION
If you want to use this script you will need to perform a few operations beforehand:
1. Add user variables in your .bashrc / .zshrc

Code:

export VPN_PASSWORD="yourpassword"
export VPN_SECRET="yoursecret"

2. Reload .bashrc / .zshrc (or whatever shell you use)

Code:

source ~/.bashrc

3. Change the connection line to match your needs:

Code:

printf '%s\n%s\n' "$VPN_PASSWORD" "$VPN_SECRET" | pkexec openconnect -u your_username -b your_vpn_server

4. Test and share your feedback.

If you have ideas to improve the script, you can either update it yourself, or contact me and I will try to implement your idea.
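
Added example, not part of the original post or the poster's script: one way to feed the two secrets to the connection line without exporting them from .bashrc, by reading them from a private file whose type, ownership and mode are checked first. The function names `secrets_file_ok` and `emit_secrets`, the file path, and the file layout (password on line 1, secret on line 2) are assumptions made for this example.

```shell
#!/bin/bash
# Added example, not the poster's code. Assumed file layout: line 1 = password,
# line 2 = second secret. Function names and the file path are hypothetical.

# secrets_file_ok PATH: return 0 only for a regular, non-symlink file owned by
# the caller whose mode grants nothing to group or other.
secrets_file_ok() {
	local f="$1" owner mode
	if [ -L "$f" ] || [ ! -f "$f" ]; then
		echo "refusing $f: not a regular file" >&2; return 1
	fi
	owner=$(stat -c %u "$f") || return 1   # numeric owner uid (GNU stat)
	mode=$(stat -c %a "$f") || return 1    # octal mode, e.g. 600
	if [ "$owner" != "$(id -u)" ]; then
		echo "refusing $f: not owned by the current user" >&2; return 2
	fi
	case "$mode" in
		[0-7]00) ;;                        # owner-only bits, e.g. 600 or 400
		*) echo "refusing $f: mode $mode, expected 600" >&2; return 3 ;;
	esac
}

# emit_secrets PATH: print the two lines verbatim for openconnect's stdin.
# printf '%s' does not interpret backslashes in the values.
emit_secrets() {
	local f="$1" password="" secret=""
	secrets_file_ok "$f" || return $?
	{ IFS= read -r password &&
		{ IFS= read -r secret || [ -n "$secret" ]; }; } < "$f" || {
		echo "refusing $f: expected two lines" >&2; return 4
	}
	printf '%s\n%s\n' "$password" "$secret"
}

# Usage with the connection line from the post (placeholders as posted):
#   creds=$(emit_secrets "$HOME/.config/vpn-secrets") &&
#     printf '%s\n' "$creds" | pkexec openconnect -u your_username -b your_vpn_server
```

Capturing the output first and chaining with `&&` means openconnect is never started when the file check fails.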
