2020-08-20 VPN, free software, security, updated

Avoiding Proprietary VPN Clients

Update

2023-06-22

Note use of OBS repos to address possible incompatibilities.

2022-04-14

Note the possibility of modifying the NetworkManager script for GlobalProtect to provide credentials non-interactively.


The Issue(s)

Typically these days universities and similar require external connexions to the campus net to go through some sort of VPN (the network is secure). Businesses do too, of course, but they probably issue work kit which they can dictate is set up their way.

In my case that’s Palo Alto’s GlobalProtect. You’re probably also expected to use a nasty proprietary client for it (which may not even be available for your system) on your own computer.

There are several problems with that, even if the client will install and run. You may object to running proprietary software on principle, and also because you can’t tell what it’s doing, which may be quite invasive. It also probably doesn’t integrate with your GNU/Linux system, specifically with NetworkManager (or Connman in some distributions). It quite likely doesn’t even work very well. Long ago the Cisco ‘Linux’ client for ‘VPN concentrator’ was a known shambles, and you really wanted VPNC instead.

Here’s a thing. When the ‘beta’(?) x86_64-only ‘Linux’ client became available, OpenConnect (below) already worked.

I looked into it. I found that the ‘security’ application was statically linked with a distinctly old version of OpenSSL with multiple CVEs. Not only that but, at least as it was made available to us, it didn’t obey the conditions of the OpenSSL licence — specifically the requirement to reproduce it with the binary distribution. So it was distributed unlawfully, not that that cut any ice. I haven’t checked a recent version to see if that has changed.

Anyway, here’s some information on solutions for what you may be faced with. It’s difficult to provide completely general advice, however, given the possibilities for differences between sites. If necessary, I hope you can find a local guru.

Solutions

OpenConnect

Quite likely you want the OpenConnect client, which supports various ‘enterprise’ VPNs; otherwise see below. It runs on assorted systems other than GNU/Linux, including MS Windows and MacOS, but I’m not sure of its status on Android, which seems only to have an old version. If you’re running a proprietary operating system anyway, you may not care too much about the official client being proprietary, but you might about reliability. My experience is with it on GNU/Linux with respect to the issues above. You may need a quite recent version for your particular VPN, e.g. v8.0+ for GlobalProtect, but an up-to-date package is probably available for your distro anyway. A recent enough package was installable on current Debian, RHEL-ish and Fedora systems, SUSE, and Arch, at least. However, that may no longer be true for recent versions, e.g. v6 GlobalProtect at my site. If your distribution version doesn’t work according to instructions, try the Open Build Service (OBS) repos of the current version. E.g. for Debian 12, add a .list file to /etc/apt/sources.list.d/ containing

deb http://download.opensuse.org/repositories/home:/bluca:/openconnect:/release/Debian_12/ /

and update.

You may need some non-trivial configuration, perhaps including a certificate chain. OpenConnect provides good information on how the various VPN types work, which isn’t available from the vendors, at least not in all cases.

If that’s not made available separately, you may be able to extract it from a proprietary client installation. If you can’t, perhaps someone else has done it for your site. You might find that the computing services group supporting research is a good source of local configurations for GNU/Linux in particular.

However, for our GlobalProtect thing, when you connect with an appropriate account all you need is the gateway address (different for staff and students), and a 2FA code (appended to your password after a comma in NetworkManager) or out-of-band 2FA.

Regardless of integration, or possible security or legal issues as above, OpenConnect just seems a lot less troublesome than at least the proprietary GlobalProtect client. That may be related to bypassing the ‘portal’ in favour of going directly to the gateway, as recommended.

There are continual problems reported with that, and necessary un-announced updates to solve them. Meanwhile, in my experience OpenConnect has just worked when the gateway was actually up.

One gotcha is that if you need the command line you can’t simply use nmcli to bring a NetworkManagered GlobalProtect VPN up and down as with other VPNs. The maintainer explained that you need a wrapper to call openconnect and then nmcli. I made one that works; with it executable on PATH, use

nmcli-gp-up VPN [ username ]

where VPN is the name of the GlobalProtect VPN configured in NetworkManager, and username is the VPN account name if it’s not the same as your local user name. You’ll be prompted for your password (and 2FA, if that’s required as a password,code pair). You may be able to run that as an unprivileged user rather than root, depending, I think, on whether or not the VPN is configured for all users to connect. You will see errors when bringing up the VPN (as of OpenConnect 8.09 and networkmanager-openconnect 1.2.6 — whichever is relevant); they can be ignored.

You could modify the script to avoid providing the password interactively using the openconnect option --passwd-on-stdin, possibly concatenated with a 2FA code from oathtool. Perhaps see the notes for Duo.

To take the VPN down, just use nmcli c down as normal.
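A wrapper along the lines just described, written here as an added example and not the post’s own script: it runs openconnect in authenticate-only mode as the invoking user, then hands the resulting session cookie to nmcli through passwd-file. It assumes the profile’s vpn.data is printed by nmcli -g in "key = value, key = value" form, that NetworkManager-openconnect reads the vpn.secrets.cookie/gateway/gwcert/resolve names, and that openconnect --authenticate sets COOKIE, HOST, FINGERPRINT and optionally RESOLVE; vpn_data_field and secrets_lines are helper names chosen for this example.

```shell
#!/bin/sh
# nmcli-gp-up: bring up a NetworkManager-openconnect GlobalProtect profile
# from the command line.  Added example, not the author's script.
set -eu

# Pull one key out of the profile's vpn.data, which nmcli -g prints as
# "authtype = password, gateway = gw.example.net, protocol = gp".
# (Assumed format; values containing commas would need a real parser.)
vpn_data_field() {                  # $1 = vpn.data text, $2 = key
    printf '%s\n' "$1" | tr ',' '\n' | sed -n "s/^ *$2 = //p"
}

# Turn the variables that `openconnect --authenticate` emits (COOKIE, HOST,
# FINGERPRINT and, sometimes, RESOLVE) into the "setting.property:value"
# lines that `nmcli connection up ... passwd-file` reads.  The
# vpn.secrets.* names are the ones NetworkManager-openconnect expects.
secrets_lines() {                   # $1 cookie, $2 host, $3 fingerprint, $4 resolve
    printf 'vpn.secrets.cookie:%s\n'  "$1"
    printf 'vpn.secrets.gateway:%s\n' "$2"
    printf 'vpn.secrets.gwcert:%s\n'  "$3"
    if [ -n "$4" ]; then printf 'vpn.secrets.resolve:%s\n' "$4"; fi
}

nmcli_gp_up() {                     # $1 = profile name, $2 = VPN user (optional)
    vpn=$1
    user=${2:-$(id -un)}
    data=$(nmcli -g vpn.data connection show "$vpn")
    gateway=$(vpn_data_field "$data" gateway)
    proto=$(vpn_data_field "$data" protocol)
    # Step 1: authenticate only, as the unprivileged caller.  openconnect
    # prompts for the password (plus any 2FA code) itself; the
    # --passwd-on-stdin variant mentioned above could replace the prompt.
    eval "$(openconnect --authenticate --protocol="${proto:-gp}" \
                        --user="$user" "$gateway")"
    [ -n "${COOKIE:-}" ] || { echo "authentication failed" >&2; return 1; }
    # Step 2: give NetworkManager the session cookie instead of a password.
    secrets_lines "$COOKIE" "$HOST" "$FINGERPRINT" "${RESOLVE:-}" |
        nmcli connection up "$vpn" passwd-file /dev/stdin
}

# Act as a command only when installed under this name; sourcing the file
# elsewhere (e.g. to test the helpers) then has no side effects.
case "${0##*/}" in
    nmcli-gp-up)
        [ $# -ge 1 ] || { echo "usage: nmcli-gp-up VPN [username]" >&2; exit 2; }
        nmcli_gp_up "$@" ;;
esac
```

Save it as nmcli-gp-up somewhere on PATH and mark it executable; the cookie never touches the profile, so nothing secret is left in NetworkManager’s configuration after the session.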

Connman, the alternative to NetworkManager, has a VPN plugin (connman-vpn on Debian), but I haven’t tried it.

Other Clients

If the VPN has a suitably configured gateway, you might not actually need OpenConnect. I found the GlobalProtect documentation suggested configuring the IPSec/Xauth(?) mode to allow it to work with an IPSec client on essentially anything — built in to Android, for instance. That hasn’t been done for ours.

For older Cisco ‘VPN concentrator’ VPNs, install a vpnc package; for an OpenVPN system, the openvpn package; for IPSec probably strongswan. Otherwise, softether may be worth looking at for support for several protocols, but I haven’t used it. You probably also want the appropriate ‘plugin’ for NetworkManager (or Connman?).

As with OpenConnect, you may need non-trivial configuration.

A Modern VPN/tunnel

These days, what you probably really want rather than the ‘enterprise’ VPNs and their raft of CVEs and known instances of intrusions — check them out! — is an overlay network with WireGuard. Or maybe Nebula, which also uses the Noise protocol.

Except for very simple cases with a handful of hosts, and especially in an organization, you’ll want one of the management frameworks which are (being) developed for it. I don’t have experience to recommend any, and such things are still burgeoning. Most likely you don’t control both ends to use it, but there are things like Tailscale/Headscale which might allow external access to work desktops, say, even from behind a firewall, provided it is permissive enough at least to let UDP through. Of course, that’s probably not sanctioned at your site!

WireGuard or Nebula may appeal if you know number four of the fallacies of distributed computing.