
how to launch cli on openbsd? #475

Open
divansantana opened this issue Feb 10, 2025 · 6 comments

Comments

@divansantana

Hi

I have the client installed on OpenBSD, but I'm not quite sure how to launch it correctly. The package on OpenBSD is CLI only, no GUI. There is no gpgui.desktop.

I try:

gpauth gp.example.com --browser default 2>/dev/null | doas gpclient connect gp.example.com --cookie-on-stdin

it opens in my browser, authenticates successfully, but then nothing further happens and I can't see any cookie information returned to the shell.

I get this in the browser:

Authentication Complete.

Please click Open GlobalProtect if you see the system dialog. If nothing prompts from browser, click here to launch GlobalProtect

Can I get the "${COOKIE}" so I can pass this to openconnect directly?

@divansantana
Author

ds@swift ~ $ gpauth -v --fix-openssl --ignore-tls-errors gp.example.com --browser default
[2025-02-10T12:12:16Z INFO  gpauth::cli] gpauth started: 2.4.1 (2025-02-10)
[2025-02-10T12:12:16Z INFO  gpauth::cli] TLS errors will be ignored
[2025-02-10T12:12:16Z INFO  gpauth::cli] Fixing OpenSSL environment
[2025-02-10T12:12:16Z WARN  gpapi::utils::openssl] Failed to extract OpenSSL version from 'LibreSSL 4.0.0'
[2025-02-10T12:12:16Z INFO  gpapi::portal::prelogin] Portal prelogin with user_agent: PAN GlobalProtect
[2025-02-10T12:12:16Z DEBUG reqwest::connect] starting new connection: https://gp.example.com/
[2025-02-10T12:12:16Z DEBUG hyper_util::client::legacy::connect::dns] resolve; host=gp.example.com
[2025-02-10T12:12:16Z DEBUG hyper_util::client::legacy::connect::http] connecting to someipaddress:443
[2025-02-10T12:12:16Z DEBUG hyper_util::client::legacy::connect::http] connected to someipaddress:443
[2025-02-10T12:12:17Z DEBUG hyper_util::client::legacy::pool] pooling idle connection for ("https", gp.example.com)
[2025-02-10T12:12:17Z DEBUG tiny_http] Server listening on 127.0.0.1:43334
[2025-02-10T12:12:17Z INFO  auth::browser::browser_auth] Launching the default browser...
[2025-02-10T12:12:17Z DEBUG webbrowser::common] background spawn: "/home/ds/.local/bin/chrome" "http://127.0.0.1:43334/c66e0d8f-1a4a-45a8-8ff0-52673ed33d6b"
[2025-02-10T12:12:17Z INFO  auth::browser::auth_server] auth server started at: http://127.0.0.1:43334/c66e0d8f-1a4a-45a8-8ff0-52673ed33d6b
[2025-02-10T12:12:17Z INFO  auth::browser::browser_auth] Please continue the authentication process in the default browser
[2025-02-10T12:12:17Z DEBUG tiny_http] Running accept thread
[2025-02-10T12:12:17Z INFO  auth::browser::browser_auth] Listening authentication data on port 44249
[2025-02-10T12:12:17Z INFO  auth::browser::browser_auth] If it hangs, please check the logs at `/tmp/gpcallback.log` for more information
[2025-02-10T12:12:17Z INFO  auth::browser::auth_server] received request, method: GET, url: /c66e0d8f-1a4a-45a8-8ff0-52673ed33d6b
[2025-02-10T12:12:17Z INFO  auth::browser::auth_server] stop the auth server
[2025-02-10T12:12:17Z DEBUG tiny_http] Terminating accept thread

@divansantana
Author

ds@swift ~ $ gpauth -v --fix-openssl --ignore-tls-errors gp.example.com --browser default | doas gpclient connect gp.example.com --cookie-on-stdin
doas ([email protected]) password:
[2025-02-10T12:14:47Z INFO  gpauth::cli] gpauth started: 2.4.1 (2025-02-10)
[2025-02-10T12:14:47Z INFO  gpauth::cli] TLS errors will be ignored
[2025-02-10T12:14:47Z INFO  gpauth::cli] Fixing OpenSSL environment
[2025-02-10T12:14:47Z WARN  gpapi::utils::openssl] Failed to extract OpenSSL version from 'LibreSSL 4.0.0'
[2025-02-10T12:14:47Z INFO  gpapi::portal::prelogin] Portal prelogin with user_agent: PAN GlobalProtect
[2025-02-10T12:14:47Z DEBUG reqwest::connect] starting new connection: https://gp.example.com/
[2025-02-10T12:14:47Z DEBUG hyper_util::client::legacy::connect::dns] resolve; host=gp.example.com
[2025-02-10T12:14:47Z DEBUG hyper_util::client::legacy::connect::http] connecting to someipaddress:443
[2025-02-10T12:14:47Z DEBUG hyper_util::client::legacy::connect::http] connected to someipaddress:443
[2025-02-10T12:14:47Z DEBUG hyper_util::client::legacy::pool] pooling idle connection for ("https", gp.example.com)
[2025-02-10T12:14:47Z DEBUG tiny_http] Server listening on 127.0.0.1:19628
[2025-02-10T12:14:47Z INFO  auth::browser::browser_auth] Launching the default browser...
[2025-02-10T12:14:47Z DEBUG webbrowser::common] background spawn: "/home/ds/.local/bin/chrome" "http://127.0.0.1:19628/0b517136-24d7-48d2-b3c6-3cbfef06598a"
[2025-02-10T12:14:47Z INFO  auth::browser::auth_server] auth server started at: http://127.0.0.1:19628/0b517136-24d7-48d2-b3c6-3cbfef06598a
[2025-02-10T12:14:47Z INFO  auth::browser::browser_auth] Please continue the authentication process in the default browser
[2025-02-10T12:14:47Z DEBUG tiny_http] Running accept thread
[2025-02-10T12:14:47Z INFO  auth::browser::browser_auth] Listening authentication data on port 26631
[2025-02-10T12:14:47Z INFO  auth::browser::browser_auth] If it hangs, please check the logs at `/tmp/gpcallback.log` for more information
[2025-02-10T12:14:47Z INFO  auth::browser::auth_server] received request, method: GET, url: /0b517136-24d7-48d2-b3c6-3cbfef06598a
[2025-02-10T12:14:47Z INFO  auth::browser::auth_server] stop the auth server
[2025-02-10T12:14:47Z DEBUG tiny_http] Terminating accept thread

[2025-02-10T12:14:53Z INFO  gpclient::cli] gpclient started: 2.4.1 (2025-02-10)
[2025-02-10T12:14:53Z INFO  gpapi::portal::prelogin] Portal prelogin with user_agent: PAN GlobalProtect
[2025-02-10T12:14:53Z INFO  gpclient::connect] Reading cookie from standard input

@divansantana
Author

OK, progress:

gpauth gp.example.com --browser chrome 2>/dev/null | doas gpclient connect gp.example.com --cookie-on-stdin

followed by taking the auth link and pasting that link like so:

echo -n "globalprotectcallback:[...]" | nc -w1 127.0.0.1 `cat /tmp/gpcallback.port`

results in

[2025-02-10T18:52:02Z INFO  gpclient::cli] gpclient started: 2.4.1 (2025-02-10)
[2025-02-10T18:52:02Z INFO  gpapi::portal::prelogin] Portal prelogin with user_agent: PAN GlobalProtect
[2025-02-10T18:52:03Z INFO  gpclient::connect] Reading cookie from standard input
[2025-02-10T18:52:39Z INFO  gpapi::portal::config] Retrieve the portal config, user_agent: PAN GlobalProtect
[2025-02-10T18:52:39Z INFO  gpapi::gateway::parse_gateways] Try to parse the external gateways...
[2025-02-10T18:52:39Z INFO  gpclient::connect] Connecting to the only available gateway: ext-gw-1 (gp.example.com)
[2025-02-10T18:52:39Z INFO  gpapi::gateway::login] Perform gateway login, user_agent: PAN GlobalProtect
[2025-02-10T18:52:40Z INFO  openconnect::ffi] openconnect version: v8.20-unknown
[2025-02-10T18:52:40Z INFO  openconnect::ffi] User agent: PAN GlobalProtect
[2025-02-10T18:52:40Z INFO  openconnect::ffi] VPNC script: /usr/local/share/vpnc-scripts/vpnc-script
[2025-02-10T18:52:40Z INFO  openconnect::ffi] OS: linux
[2025-02-10T18:52:40Z INFO  openconnect::ffi] CSD_USER: 0
[2025-02-10T18:52:40Z INFO  openconnect::ffi] CSD_WRAPPER: (null)
[2025-02-10T18:52:40Z INFO  openconnect::ffi] RECONNECT_TIMEOUT: 300
[2025-02-10T18:52:40Z INFO  openconnect::ffi] MTU: 0
[2025-02-10T18:52:40Z INFO  openconnect::ffi] DISABLE_IPV6: 0
[2025-02-10T18:52:40Z INFO  openconnect::ffi] NO_DTLS: 0
[2025-02-10T18:52:40Z INFO  openconnect::ffi] POST https://gp.example.com/ssl-vpn/getconfig.esp
[2025-02-10T18:52:40Z INFO  openconnect::ffi] Connected to someipaddress:443
[2025-02-10T18:52:40Z INFO  openconnect::ffi] SSL negotiation with gp.example.com
[2025-02-10T18:52:40Z INFO  openconnect::ffi] Connected to HTTPS on gp.example.com with ciphersuite (TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA256)-(AES-256-GCM)
[2025-02-10T18:52:40Z INFO  openconnect::ffi] Tunnel timeout (rekey interval) is 180 minutes.
[2025-02-10T18:52:40Z INFO  openconnect::ffi] Idle timeout is 180 minutes.
[2025-02-10T18:52:40Z WARN  openconnect::ffi] No MTU received. Calculated 1326 for ESP tunnel
[2025-02-10T18:52:40Z INFO  openconnect::ffi] POST https://gp.example.com/ssl-vpn/hipreportcheck.esp
[2025-02-10T18:52:40Z WARN  openconnect::ffi] WARNING: Server asked us to submit HIP report with md5sum 72858a67afbb5c74eeec30a6bb59a6a0.
        VPN connectivity may be disabled or limited without HIP report submission.
        You need to provide a --csd-wrapper argument with the HIP report submission script.
[2025-02-10T18:52:45Z WARN  openconnect::ffi] Failed to connect ESP tunnel; using HTTPS instead.
add host someipaddress: gateway 192.168.77.1
add net 10.50.200.11: gateway 10.50.200.11: File exists
add net 10.50.100.160: gateway 10.50.200.11
add net 194.32.161.172: gateway 10.50.200.11
add net 194.32.161.171: gateway 10.50.200.11
add net 192.168.128.95: gateway 10.50.200.11
add net 192.168.128.52: gateway 10.50.200.11
add net 192.168.20.72: gateway 10.50.200.11
add net 192.168.20.71: gateway 10.50.200.11
add net 192.168.20.70: gateway 10.50.200.11
add net 192.168.20.68: gateway 10.50.200.11
add net 192.168.20.36: gateway 10.50.200.11
add net 192.168.20.35: gateway 10.50.200.11
add net 172.20.55.171: gateway 10.50.200.11
add net 172.20.45.37: gateway 10.50.200.11
add net 91.229.33.6: gateway 10.50.200.11
add net 91.229.33.1: gateway 10.50.200.11
add net 10.0.0.0: gateway 10.50.200.11
add net 10.50.100.160: gateway 10.50.200.11: File exists
[2025-02-10T18:52:47Z INFO  openconnect::vpn] Connected to VPN, pipe_fd: 11
[2025-02-10T18:52:47Z INFO  gpclient::connect] Wrote PID 94463 to /var/run/gpclient.lock

It almost works, but it didn't bring up the interface. I think perhaps I need to disable IPv6 or submit a HIP report, but I'm not sure how to pass that through to openconnect, since gpclient calls openconnect on my behalf.

🤔
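As an added example (not code from this thread or from the GlobalProtect-openconnect project), the following POSIX sh helper wraps the manual callback step above: it reads the port gpauth wrote to /tmp/gpcallback.port and forwards the pasted globalprotectcallback: URL to the local listener, exactly as the nc one-liner does, but first checks that the port file holds a single valid TCP port and that the pasted string carries the expected scheme, so a stale port file or a mangled paste fails with an error instead of being sent to 127.0.0.1. The path /tmp/gpcallback.port and the callback scheme are taken from the thread; the GP_PORT_FILE override and the function names are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not project code: guarded version of
#   echo -n "globalprotectcallback:[...]" | nc -w1 127.0.0.1 `cat /tmp/gpcallback.port`
# Port file path is the one gpauth logs in the thread; GP_PORT_FILE is an
# assumed override for testing, not a gpauth setting.
PORT_FILE="${GP_PORT_FILE:-/tmp/gpcallback.port}"

# is_valid_port: accept only a decimal TCP port in 1..65535.
is_valid_port() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# is_callback_url: require the globalprotectcallback: scheme seen in the
# browser page and reject whitespace/control characters (a mangled paste).
is_callback_url() {
  case "$1" in
    globalprotectcallback:?*) ;;
    *) return 1 ;;
  esac
  [ "$(printf '%s' "$1" | tr -d '[:space:][:cntrl:]')" = "$1" ]
}

# read_port: print the port gpauth wrote, after validating the file content.
read_port() {
  file="$1"
  [ -r "$file" ] || { echo "port file $file not readable" >&2; return 1; }
  port=$(tr -d '[:space:]' < "$file")
  is_valid_port "$port" || { echo "invalid port '$port' in $file" >&2; return 1; }
  printf '%s\n' "$port"
}

# send_callback: deliver the pasted callback URL to the local gpauth listener.
send_callback() {
  url="$1"
  is_callback_url "$url" || { echo "refusing to send: not a globalprotectcallback: URL" >&2; return 1; }
  port=$(read_port "$PORT_FILE") || return 1
  # Same transport as the one-liner in the thread; printf avoids echo -n portability issues.
  printf '%s' "$url" | nc -w1 127.0.0.1 "$port"
}

# Usage: sh gpcallback.sh 'globalprotectcallback:...'
if [ -n "$1" ]; then
  send_callback "$1"
fi
```

Run it with the callback string the browser shows as its only argument; if gpauth is no longer listening (the port file is stale or missing), the script exits non-zero before anything is sent.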

@divansantana
Author

OK, it is working now.

I tried same as above, but with

gpauth gp.example.com --browser chrome 2>/dev/null | doas gpclient connect --hip gp.example.com --cookie-on-stdin

Not sure the --hip worked, but the connection is up, even though the background openconnect process is not running.

The package, btw, is currently on the ports mailing list.

@divansantana
Author

Actually, it connects, sometimes, but it's very intermittent and slow.

Perhaps adding --no-dtls would help.

But again, I don't know how to pass this through to openconnect.

Anyone know?

@yuezk
Owner

yuezk commented Feb 13, 2025

The gpclient connect supports the --no-dtls parameter. Did you try it?
