yuezk / globalprotect-openconnect

A GlobalProtect VPN client for Linux, written in Rust and based on OpenConnect and Tauri. It supports SSO with MFA, YubiKey, etc.

License: GNU General Public License v3.0


globalprotect-openconnect's Introduction

GlobalProtect-openconnect

A GUI for GlobalProtect VPN, based on OpenConnect, with support for the SSO authentication method. Inspired by gp-saml-gui.

Features

  • Better Linux support
  • Support both CLI and GUI
  • Support both SSO and non-SSO authentication
  • Support FIDO2 authentication (e.g., YubiKey)
  • Support authentication using the default browser
  • Support multiple portals
  • Support gateway selection
  • Support connecting to a gateway directly
  • Support auto-connect on startup
  • Support system tray icon

Usage

CLI

The CLI version is always free and open source in this repo. It has almost the same features as the GUI version.

Usage: gpclient [OPTIONS] <COMMAND>

Commands:
  connect     Connect to a portal server
  disconnect  Disconnect from the server
  launch-gui  Launch the GUI
  help        Print this message or the help of the given subcommand(s)

Options:
      --fix-openssl        Get around the OpenSSL `unsafe legacy renegotiation` error
      --ignore-tls-errors  Ignore the TLS errors
  -h, --help               Print help
  -V, --version            Print version

See 'gpclient help <command>' for more information on a specific command.

To use the default browser for authentication with the CLI version, you need to use the following command:

sudo -E gpclient connect --default-browser <portal>

GUI

The GUI version is also available after installation. You can launch it from the application menu or run gpclient launch-gui in the terminal.

Note

The GUI version is partially open source. Its background service is open sourced in this repo as gpservice. The GUI part is a wrapper of the background service, which is not open sourced.

Installation

Debian/Ubuntu based distributions

Install from PPA (Ubuntu 18.04 and later, except 24.04)

sudo apt-get install gir1.2-gtk-3.0 gir1.2-webkit2-4.0
sudo add-apt-repository ppa:yuezk/globalprotect-openconnect
sudo apt-get update
sudo apt-get install globalprotect-openconnect

Note

For Linux Mint, if you encounter the error gpg: keyserver receive failed: General error, you might need to import the GPG key with: sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 7937C393082992E5D6E4A60453FC26B43838D761

Ubuntu 24.04

The libwebkit2gtk-4.0-37 package was removed from its repo. Until the issue is resolved, you need to install the packages manually:

wget http://launchpadlibrarian.net/704701349/libwebkit2gtk-4.0-37_2.43.3-1_amd64.deb
wget http://launchpadlibrarian.net/704701345/libjavascriptcoregtk-4.0-18_2.43.3-1_amd64.deb

sudo dpkg --install *.deb

The latest package is also not available in the PPA; follow the Install from deb package section to install it.

Ubuntu 18.04

The latest package is not available in the PPA either, but you still need to add the ppa:yuezk/globalprotect-openconnect repo beforehand to use the required openconnect package. Then you can follow the Install from deb package section to install the latest package.

Install from deb package

Download the latest deb package from the releases page. Then install it with apt:

sudo apt install --fix-broken globalprotect-openconnect_*.deb

Arch Linux / Manjaro

Install from AUR

Install from AUR: globalprotect-openconnect-git

yay -S globalprotect-openconnect-git

Install from package

Download the latest package from the releases page. Then install it with pacman:

sudo pacman -U globalprotect-openconnect-*.pkg.tar.zst

Fedora 38 and later / Fedora Rawhide

Install from COPR

The package is available on COPR for various RPM-based distributions. You can install it with the following commands:

sudo dnf copr enable yuezk/globalprotect-openconnect
sudo dnf install globalprotect-openconnect

openSUSE Leap 15.6 / openSUSE Tumbleweed

Install from OBS (openSUSE Build Service)

The package is also available on OBS for various RPM-based distributions. You can follow the instructions on this page to install it.

Other RPM-based distributions

Install from RPM package

Download the latest RPM package from the releases page. Then install it with rpm:

sudo rpm -i globalprotect-openconnect-*.rpm

Gentoo

Install from the rios or slonko overlays. Example using rios:

1. Enable the overlay

sudo eselect repository enable rios

2. Sync with the repository

  • If you have eix installed, use it:
sudo eix-sync
  • Otherwise, use:
sudo emerge --sync

3. Install

sudo emerge globalprotect-openconnect

Other distributions

  • Install openconnect >= 8.20, webkit2gtk, libsecret, libayatana-appindicator or libappindicator-gtk3.
  • Download globalprotect-openconnect_${version}_${arch}.bin.tar.xz from the releases page.
  • Extract the tarball with tar -xJf globalprotect-openconnect_${version}_${arch}.bin.tar.xz.
  • Run sudo make install to install the client.

Build from source

You can also build the client from source. The steps are as follows:

Prerequisites

Build

  1. Download the source code tarball from the releases page. Choose globalprotect-openconnect-${version}.tar.gz.
  2. Extract the tarball with tar -xzf globalprotect-openconnect-${version}.tar.gz.
  3. Enter the source directory and run make build BUILD_FE=0 to build the client.
  4. Run sudo make install to install the client. (Note, DESTDIR is not supported)

FAQ

  1. How to deal with error Secure Storage not ready

    Try upgrading the client to 2.2.0 or later, which will use a file-based storage as a fallback.

    You need to install the gnome-keyring package, and restart the system (See #321, #316).

  2. How to deal with error (gpauth:18869): Gtk-WARNING **: 10:33:37.566: cannot open display:

    If you encounter this error when using the CLI version, try to run the command with sudo -E (See #316).

About Trial

The CLI version is always free, while the GUI version is paid. There are two trial modes for the GUI version:

  1. 10-day trial: You can use the GUI stable release for 10 days after the installation.
  2. 14-day trial: Each beta release has a fresh trial period (at most 14 days) after it is released.

GPLv3

globalprotect-openconnect's Issues

.deb package build error

On the last step of the debian build process I get this error in the terminal:

dpkg-source: error: can't build with source format '3.0 (quilt)': no upstream tarball found at ../globalprotect-openconnect_1.2.7.orig.tar.{bz2,gz,lzma,xz}
dpkg-buildpackage: error: dpkg-source -b globalprotect-openconnect-1.3.0 subprocess returned exit status 25

Debian package

Thought it would be good to have a debian package. I have added a debian repository and created a package. Would you like a pull request for it?

Ability to cancel normal auth after successful SAML login

GP configuration in my company is kinda wonky and I get a second login screen after successful SAML auth, it looks like this on macOS:
I have to click "Cancel" here. After that GP client completes auth flow and establishes VPN connection.

Now to the problem. Using gpclient I'm able to pass SAML auth, but normal auth form (which appears after SAML auth) doesn't let me through. There is no "Cancel" button and pressing "Login" with empty fields does nothing.

Certificate from VPN server "domain.com" failed verification

Hi yuezk,

I tried to install your app via AUR of Arch Linux.
It looks like I hit the error below, and the GUI is still connecting.
Do you have any suggestions for me?

Thank you so much.

➜  ~ gpclient           
2021-04-30 21:08:16.741 INFO  [107907] [main@22] GlobalProtect started, version: v1.2.8
Warning: Ignoring XDG_SESSION_TYPE=wayland on Gnome. Use QT_QPA_PLATFORM=wayland to run on Wayland anyway.
2021-04-30 21:08:16.882 INFO  [107907] [GPClient::populateGatewayMenu@100] Populating the Switch Gateway menu...
2021-04-30 21:08:21.936 INFO  [107907] [GPClient::doConnect@205] Start connecting...
2021-04-30 21:08:21.936 INFO  [107907] [GPClient::doConnect@221] Start gateway login using the previously saved gateway...
2021-04-30 21:08:21.936 INFO  [107907] [GPClient::gatewayLogin@316] Performing gateway login...
2021-04-30 21:08:21.946 INFO  [107907] [GatewayAuthenticator::authenticate@26] Start gateway authentication...
2021-04-30 21:08:21.946 INFO  [107907] [GatewayAuthenticator::login@38] Trying to login the gateway at https://domain.com/ssl-vpn/login.esp with prot=https%3A&server=&inputSrc=&jnlpReady=jnlpReady&computer=archlinux&ok=Login&direct=yes&clientVer=4100&os-version=Arch Linux&clientos=Linux&portal-prelogonuserauthcookie=&prelogin-cookie=&ipv6-support=yes&user=&passwd=&portal-userauthcookie=
2021-04-30 21:08:21.953 INFO  [107907] [GPClient::populateGatewayMenu@100] Populating the Switch Gateway menu...
2021-04-30 21:08:22.252 ERROR [107907] [GatewayAuthenticator::onLoginFinished@49] Failed to login the gateway at https://domain.com/ssl-vpn/login.esp, Error transferring https://domain.com/ssl-vpn/login.esp - server replied: Custom error
2021-04-30 21:08:22.252 INFO  [107907] [GatewayAuthenticator::doAuth@70] Perform the gateway prelogin at https://domain.com/ssl-vpn/prelogin.esp?tmp=tmp&kerberos-support=yes&ipv6-support=yes&clientVer=4100&clientos=Linux
2021-04-30 21:08:22.306 INFO  [107907] [GatewayAuthenticator::onPreloginFinished@87] Gateway prelogin succeeded.
2021-04-30 21:08:22.306 INFO  [107907] [PreloginResponse::parse@26] Start parsing the prelogin response...
2021-04-30 21:08:22.306 INFO  [107907] [GatewayAuthenticator::samlAuth@145] Trying to perform SAML login with saml-method POST

DevTools listening on ws://127.0.0.1:12315/devtools/browser/1eefecdc-97b0-4c30-b482-70ae4a11d9bf
Remote debugging server started successfully. Try pointing a Chromium-based browser to http://127.0.0.1:12315
2021-04-30 21:08:22.548 INFO  [107907] [SAMLLoginWindow::onResponseReceived@64] Response received from data:text/html;charset=UTF-8,%3Chtml%3E%0A%3Cbody%3E%0A%3Cform%20id%3D%22myform%22%20method%3D%22POST%22%20action%3D%22https%3A%2F%2Fampere.okta.com%2Fapp%2Fpanw_globalprotect%2Fexk1bxl9ruNWn42ag2p7%2Fsso%2Fsaml%22%3E%0A%3Cinput%20type%3D%22hidden%22%20name%3D%22SAMLRequest%22%20value%3D%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%3D%22%20%2F%3E%0A%3Cinput%20type%3D%22hidden%22%20name%3D%22RelayState%22%20value%3D%22X7KEMwAA5Rk0NGQ2MjY2MTljZWRjYzMxZjM0NmMxODk0ODg1ZTY1Nw%3D%3D%22%20%2F%3E%0A%3C%2Fform%3E%0A%3Cscript%3E%0A%20%20document.getElementById%28%27myform%27%29.submit%28%29%3B%0A%3C%2Fscript%3E%0A%3C%2Fbody%3E%0A%3C%2Fhtml%3E%0D%0A
2021-04-30 21:08:22.566 INFO  [107907] [SAMLLoginWindow::onLoadFinished@98] Load finished https://domain.com/ssl-vpn/prelogin.esp?tmp=tmp&kerberos-support=yes&ipv6-support=yes&clientVer=4100&clientos=Linux
2021-04-30 21:08:22.596 INFO  [107907] [GPClient::populateGatewayMenu@100] Populating the Switch Gateway menu...
2021-04-30 21:08:23.543 INFO  [107907] [SAMLLoginWindow::onResponseReceived@64] Response received from https://ampere.okta.com/app/panw_globalprotect/exk1bxl9ruNWn42ag2p7/sso/saml
2021-04-30 21:08:23.801 INFO  [107907] [SAMLLoginWindow::onLoadFinished@98] Load finished https://ampere.okta.com/app/panw_globalprotect/exk1bxl9ruNWn42ag2p7/sso/saml
2021-04-30 21:08:23.819 INFO  [107907] [SAMLLoginWindow::onResponseReceived@64] Response received from https://login.okta.com/discovery/iframe.html
2021-04-30 21:08:31.839 INFO  [107907] [SAMLLoginWindow::onResponseReceived@64] Response received from https://ampere.okta.com/login/login.htm?fromURI=/oauth2/v1/authorize/redirect?okta_key=QUwHQ2ouIq4e7L1iVWc_Fvg24w0eaL59dxdQ8tDYpjM
2021-04-30 21:08:31.971 INFO  [107907] [SAMLLoginWindow::onLoadFinished@98] Load finished https://ampere.okta.com/login/login.htm?fromURI=/oauth2/v1/authorize/redirect?okta_key=QUwHQ2ouIq4e7L1iVWc_Fvg24w0eaL59dxdQ8tDYpjM
2021-04-30 21:08:31.988 INFO  [107907] [SAMLLoginWindow::onResponseReceived@64] Response received from https://login.okta.com/discovery/iframe.html
2021-04-30 21:08:40.747 INFO  [107907] [SAMLLoginWindow::onResponseReceived@64] Response received from https://ampere.okta.com/auth/services/devicefingerprint
2021-04-30 21:08:45.963 INFO  [107907] [SAMLLoginWindow::onResponseReceived@64] Response received from https://ampere.okta.com/app/panw_globalprotect/exk1bxl9ruNWn42ag2p7/sso/saml?RelayState=X7KEMwAA5Rk0NGQ2MjY2MTljZWRjYzMxZjM0NmMxODk0ODg1ZTY1Nw%3D%3D&SAMLRequest=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%3D&OKTA_INVALID_SESSION_REPOST=true&fromLoginToken=Tui3dPrA1JBfU3CEqq1byKshmyixe_54moJy-84R7K1bw0QzfxNIsyCBl2t6BZfoBAv5-K1SiyM5GTMsvVrjq7ZusdYDHgx2WPva3hgzPVJCjIeGi_Us5dPLdptQTaLqIO-9-JIpyoBiiBX4rgOXQnJvLkGY0_aFcB8UYd2jPGxRJBMyewKWgzy2_hVUazcq3Rbz28oC7ZQ_Tl82yGUJcGOyyudZdlYP5OhIwni6HNMQoDvDOoBc5wPMRmehr1J7tWPtciJ6lkSV8vNk-622-Qj9DIhY2lYmuU7a7E6c19EYlOhC67V7_ZQ1x9ZtOtrZnJeHbVMAdBH_V8EyLoKlNA&fromLogin=true
2021-04-30 21:08:46.018 INFO  [107907] [SAMLLoginWindow::onLoadFinished@98] Load finished https://ampere.okta.com/app/panw_globalprotect/exk1bxl9ruNWn42ag2p7/sso/saml?RelayState=X7KEMwAA5Rk0NGQ2MjY2MTljZWRjYzMxZjM0NmMxODk0ODg1ZTY1Nw%3D%3D&SAMLRequest=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%3D&OKTA_INVALID_SESSION_REPOST=true&fromLoginToken=Tui3dPrA1JBfU3CEqq1byKshmyixe_54moJy-84R7K1bw0QzfxNIsyCBl2t6BZfoBAv5-K1SiyM5GTMsvVrjq7ZusdYDHgx2WPva3hgzPVJCjIeGi_Us5dPLdptQTaLqIO-9-JIpyoBiiBX4rgOXQnJvLkGY0_aFcB8UYd2jPGxRJBMyewKWgzy2_hVUazcq3Rbz28oC7ZQ_Tl82yGUJcGOyyudZdlYP5OhIwni6HNMQoDvDOoBc5wPMRmehr1J7tWPtciJ6lkSV8vNk-622-Qj9DIhY2lYmuU7a7E6c19EYlOhC67V7_ZQ1x9ZtOtrZnJeHbVMAdBH_V8EyLoKlNA&fromLogin=true
2021-04-30 21:08:46.249 INFO  [107907] [SAMLLoginWindow::onResponseReceived@64] Response received from https://domain.com/SAML20/SP/ACS
2021-04-30 21:08:46.249 INFO  [107907] [SAMLLoginWindow::onResponseReceived@67] Got username from SAML response headers [email protected]
2021-04-30 21:08:46.249 INFO  [107907] [SAMLLoginWindow::onResponseReceived@72] Got prelogin-cookie from SAML response headers 7VLebqohAbwpiC/d8LXKQ5ZbcT5aSEwBfVfS6CQT/Dfvh/37td4QXMXlcH2H+eVj
2021-04-30 21:08:46.249 INFO  [107907] [SAMLLoginWindow::onResponseReceived@84] Got the SAML authentication information successfully. username: [email protected], preloginCookie: 7VLebqohAbwpiC/d8LXKQ5ZbcT5aSEwBfVfS6CQT/Dfvh/37td4QXMXlcH2H+eVj, userAuthCookie: 
2021-04-30 21:08:46.249 INFO  [107907] [GatewayAuthenticator::onSAMLLoginSuccess@159] SAML login succeeded, got the prelogin-cookie 7VLebqohAbwpiC/d8LXKQ5ZbcT5aSEwBfVfS6CQT/Dfvh/37td4QXMXlcH2H+eVj
2021-04-30 21:08:46.249 INFO  [107907] [GatewayAuthenticator::login@38] Trying to login the gateway at https://domain.com/ssl-vpn/login.esp with prot=https%3A&server=&inputSrc=&jnlpReady=jnlpReady&passwd=&computer=archlinux&ok=Login&direct=yes&clientVer=4100&os-version=Arch Linux&clientos=Linux&portal-prelogonuserauthcookie=&ipv6-support=yes&user=user%40amperecomputing.com&prelogin-cookie=7VLebqohAbwpiC%2Fd8LXKQ5ZbcT5aSEwBfVfS6CQT%2FDfvh%2F37td4QXMXlcH2H%2BeVj&portal-userauthcookie=
2021-04-30 21:08:46.262 INFO  [107907] [SAMLLoginWindow::onLoadFinished@98] Load finished https://domain.com/SAML20/SP/ACS
2021-04-30 21:08:46.568 INFO  [107907] [gpclient::helper::parseGatewayResponse@50] Start parsing the gateway response...
2021-04-30 21:08:46.568 INFO  [107907] [gpclient::helper::parseGatewayResponse@51] The gateway response is: <?xml version="1.0" encoding="utf-8"?><jnlp><application-desc><argument>(null)</argument><argument>b7d318507e558f08fbfc57f64d29fb31</argument><argument>60fcc526263bf76ebcaa5e44853be0880054aa50</argument><argument>AMPERE-GP-GATEWAY-N</argument><argument>[email protected]</argument><argument>OKTA-SAML-AUTH</argument><argument>vsys1</argument><argument>%28empty_domain%29</argument><argument>(null)</argument><argument></argument><argument></argument><argument></argument><argument>tunnel</argument><argument>-1</argument><argument>4100</argument><argument></argument><argument>GLmRKlUXLCPtfZ4JNr0nKyxZX7Winfenli2kV3FkSPaPC5auGXY+g2ggevZr/kD1NqafK6vHrZyPzlhaNRt0SqxL/5YavDqD9oI9zRjPGnXhM/jjE30EUr6g+HrUmPOwu/aMu7yKmDXas0uWnyzrny7GEgCkxFDKYwiIzm4plcPXP6TJrMCiOanSOu0YDzvgWTnyKaT7VkXe49OxkOQ72LAj8D6JscPrRktjTRYc23g09RF6Pgf/Phb9jAApyrFYz4Me29z5erqbkNLIpbPUDIkgcIGqhN31/UevAzPvl1ghthR/eYlWAYbwG+Vv8f3sj2ajaDlXzUyED4D+cbL96w==</argument><argument>nCbwhcE2l1YKs2LQ1YyhgnMImoSy1toM0bX9gFhgdOhMmdGhBe75Bh66FKistKS8Rjy8qNQREGKraa4lfJYCt2dx87Qi7xY3lID21239WbPgkrKMkdAv0zR7GNbcBotoDtKPfv3f0VM2HEJcpvoInz9bpskuTdQnQLKMXFW7GBXKGs5F8tlDQbKyD97H6W6oGBd7Ey5mbVDH/ks40rlf1pDNVXOY9AL2cSa8qH1+lbJpOE5ZlQQBpLNqms37YJXg8k2qYOx/cgw1avVT2iS/C8cAaGyskl/BvkrmrBEfgDJD/rChqYPVxKu1pHN/kHfMUDvD45Q6jL799Zv0zIOSjQ==</argument><argument></argument><argument>4</argument><argument>unknown</argument><argument></argument></application-desc></jnlp>
2021-04-30 21:08:46.568 INFO  [107907] [GPClient::onGatewaySuccess@330] Gateway login succeeded, got the cookie authcookie=b7d318507e558f08fbfc57f64d29fb31&portal=AMPERE-GP-GATEWAY-N&user=user%40amperecomputing.com&domain=%2528empty_domain%2529&preferred-ip=&computer=archlinux
2021-04-30 21:08:46.578 INFO  [107907] [GPClient::onVPNLogAvailable@440] Openconnect started successfully, PID=107979
2021-04-30 21:08:46.593 INFO  [107907] [GPClient::onVPNLogAvailable@440] POST https://domain.com/ssl-vpn/getconfig.esp

2021-04-30 21:08:46.613 INFO  [107907] [GPClient::onVPNLogAvailable@440] Connected to 118.222.222.222:443

2021-04-30 21:08:46.655 INFO  [107907] [GPClient::onVPNLogAvailable@440] SSL negotiation with domain.com

2021-04-30 21:08:46.666 INFO  [107907] [GPClient::onVPNLogAvailable@440] Server certificate verify failed: signer not found

2021-04-30 21:08:46.666 INFO  [107907] [GPClient::onVPNLogAvailable@440] 
Certificate from VPN server "domain.com" failed verification.
Reason: signer not found
To trust this server in future, perhaps add this to your command line:
    --servercert pin-sha256:6Fgnj5yL0P2eRa6h0l22NE4RmadyuojpJGXWadVYqxI=
Enter 'yes' to accept, 'no' to abort; anything else to view: 
yes


Stuck after successfully login via SAML

I have a problem with the app. It stops in the "Connecting" state after a successful login.
My OS: Ubuntu 20.04
APP version: 1.2.7
Logs:

2021-03-05 07:44:12.016 INFO  [4607] [main@22] GlobalProtect started, version: v1.2.7
2021-03-05 07:44:12.128 INFO  [4607] [GPClient::populateGatewayMenu@100] Populating the Switch Gateway menu...
2021-03-05 07:44:22.326 INFO  [4607] [GPClient::doConnect@205] Start connecting...
2021-03-05 07:44:22.327 INFO  [4607] [GPClient::doConnect@226] Start portal login...
2021-03-05 07:44:22.333 INFO  [4607] [PortalAuthenticator::authenticate@29] Preform portal prelogin at https://***/global-protect/prelogin.esp?tmp=tmp&kerberos-support=yes&ipv6-support=yes&clientVer=4100&clientos=Linux
2021-03-05 07:44:22.337 INFO  [4607] [GPClient::populateGatewayMenu@100] Populating the Switch Gateway menu...
2021-03-05 07:44:22.881 INFO  [4607] [PortalAuthenticator::onPreloginFinished@46] Portal prelogin succeeded.
2021-03-05 07:44:22.881 INFO  [4607] [PreloginResponse::parse@26] Start parsing the prelogin response...
2021-03-05 07:44:22.882 INFO  [4607] [PortalAuthenticator::onPreloginFinished@50] Finished parsing the prelogin response. The region field is: UA
2021-03-05 07:44:22.882 INFO  [4607] [PortalAuthenticator::samlAuth@117] Trying to perform SAML login with saml-method POST
2021-03-05 07:44:22.978 INFO  [4607] [SAMLLoginWindow::onResponseReceived@64] Response received from ***
2021-03-05 07:44:22.992 INFO  [4607] [SAMLLoginWindow::onLoadFinished@98] Load finished https://***/global-protect/prelogin.esp?tmp=tmp&kerberos-support=yes&ipv6-support=yes&clientVer=4100&clientos=Linux
2021-03-05 07:44:23.008 INFO  [4607] [GPClient::populateGatewayMenu@100] Populating the Switch Gateway menu...
2021-03-05 07:44:23.539 INFO  [4607] [SAMLLoginWindow::onResponseReceived@64] Response received from https://***/app/panw_globalprotect/***/sso/saml
2021-03-05 07:44:23.687 INFO  [4607] [SAMLLoginWindow::onLoadFinished@98] Load finished https://***/app/panw_globalprotect/***/sso/saml
2021-03-05 07:44:23.699 INFO  [4607] [SAMLLoginWindow::onResponseReceived@64] Response received from https://***/discovery/iframe.html
2021-03-05 07:44:27.904 INFO  [4607] [SAMLLoginWindow::onResponseReceived@64] Response received from https://***/auth/services/devicefingerprint
2021-03-05 07:44:29.441 INFO  [4607] [SAMLLoginWindow::onResponseReceived@64] Response received from https://***/login/sessionCookieRedirect
2021-03-05 07:44:29.503 INFO  [4607] [SAMLLoginWindow::onLoadFinished@98] Load finished https://***/login/sessionCookieRedirect
2021-03-05 07:44:29.508 INFO  [4607] [SAMLLoginWindow::onResponseReceived@64] Response received from https://***/discovery/iframe.html
2021-03-05 07:44:38.455 INFO  [4607] [SAMLLoginWindow::onResponseReceived@64] Response received from https://***/login/sessionCookieRedirect
2021-03-05 07:44:38.499 INFO  [4607] [SAMLLoginWindow::onLoadFinished@98] Load finished https://***/login/sessionCookieRedirect
2021-03-05 07:44:38.889 INFO  [4607] [SAMLLoginWindow::onResponseReceived@64] Response received from https://***/SAML20/SP/ACS
2021-03-05 07:44:38.890 INFO  [4607] [SAMLLoginWindow::onResponseReceived@67] Got username from SAML response headers ***
2021-03-05 07:44:38.890 INFO  [4607] [SAMLLoginWindow::onResponseReceived@72] Got prelogin-cookie from SAML response headers ***
2021-03-05 07:44:38.890 INFO  [4607] [SAMLLoginWindow::onResponseReceived@84] Got the SAML authentication information successfully. username: ***, preloginCookie: ***, userAuthCookie: 
2021-03-05 07:44:38.890 INFO  [4607] [PortalAuthenticator::onSAMLLoginSuccess@131] SAML login succeeded, got the prelogin-cookie ***
2021-03-05 07:44:38.890 INFO  [4607] [PortalAuthenticator::fetchConfig@157] Fetching the portal config from https://***/global-protect/getconfig.esp for user: ***
2021-03-05 07:44:38.897 INFO  [4607] [GPClient::populateGatewayMenu@100] Populating the Switch Gateway menu...
2021-03-05 07:44:39.373 INFO  [4607] [PortalAuthenticator::onFetchConfigFinished@183] Fetch the portal config succeeded.
2021-03-05 07:44:39.373 INFO  [4607] [PortalConfigResponse::parse@20] Start parsing the portal configuration...
2021-03-05 07:44:39.374 INFO  [4607] [PortalConfigResponse::parseGateways@64] Start parsing the gateways from portal configuration...
2021-03-05 07:44:39.374 INFO  [4607] [PortalConfigResponse::parsePriorityRules@96] Start parsing the priority rules...
2021-03-05 07:44:39.374 INFO  [4607] [PortalConfigResponse::parsePriorityRules@114] Finished parsing the priority rules.
2021-03-05 07:44:39.374 INFO  [4607] [PortalConfigResponse::parseGatewayName@121] Start parsing the gateway name...
2021-03-05 07:44:39.374 INFO  [4607] [PortalConfigResponse::parseGatewayName@126] Finished parsing the gateway name
2021-03-05 07:44:39.374 INFO  [4607] [PortalConfigResponse::parseGateways@89] Finished parsing the gateways.
2021-03-05 07:44:39.374 INFO  [4607] [PortalConfigResponse::parse@32] Start reading portal-userauthcookie
2021-03-05 07:44:39.374 INFO  [4607] [PortalConfigResponse::parse@35] Start reading portal-prelogonuserauthcookie
2021-03-05 07:44:39.375 INFO  [4607] [PortalConfigResponse::parse@42] Finished parsing portal configuration.
2021-03-05 07:44:39.375 INFO  [4607] [GPClient::onPortalSuccess@257] Portal authentication succeeded.
2021-03-05 07:44:39.375 INFO  [4607] [gpclient::helper::filterPreferredGateway@34] 1 gateway(s) avaiable, filter the gateways with rule: UA
2021-03-05 07:44:39.375 INFO  [4607] [GPClient::setAllGateways@384] Updating all the gateways...
2021-03-05 07:44:39.375 INFO  [4607] [GPClient::populateGatewayMenu@100] Populating the Switch Gateway menu...
2021-03-05 07:44:39.377 INFO  [4607] [GPClient::setCurrentGateway@404] Updating the current gateway to ***
2021-03-05 07:44:39.377 INFO  [4607] [GPClient::populateGatewayMenu@100] Populating the Switch Gateway menu...
2021-03-05 07:44:39.378 INFO  [4607] [GPClient::gatewayLogin@316] Performing gateway login...
2021-03-05 07:44:39.380 INFO  [4607] [GatewayAuthenticator::authenticate@26] Start gateway authentication...
2021-03-05 07:44:39.380 INFO  [4607] [GatewayAuthenticator::login@38] Trying to login the gateway at https://***/ssl-vpn/login.esp with prot=https%3A&server=&inputSrc=&jnlpReady=jnlpReady&computer=***&ok=Login&direct=yes&clientVer=4100&os-version=Ubuntu 20.04.2 LTS&clientos=Linux&portal-prelogonuserauthcookie=&prelogin-cookie=&ipv6-support=yes&user=***&passwd=&portal-userauthcookie=empty
2021-03-05 07:44:39.875 ERROR [4607] [GatewayAuthenticator::onLoginFinished@49] Failed to login the gateway at https://***/ssl-vpn/login.esp, Error transferring https://***/ssl-vpn/login.esp - server replied: Custom error
2021-03-05 07:44:39.876 INFO  [4607] [GatewayAuthenticator::doAuth@70] Perform the gateway prelogin at https://***/ssl-vpn/prelogin.esp?tmp=tmp&kerberos-support=yes&ipv6-support=yes&clientVer=4100&clientos=Linux
2021-03-05 07:44:40.090 INFO  [4607] [GatewayAuthenticator::onPreloginFinished@87] Gateway prelogin succeeded.
2021-03-05 07:44:40.090 INFO  [4607] [PreloginResponse::parse@26] Start parsing the prelogin response...
2021-03-05 07:44:40.091 INFO  [4607] [GatewayAuthenticator::samlAuth@145] Trying to perform SAML login with saml-method POST
2021-03-05 07:44:40.114 INFO  [4607] [SAMLLoginWindow::onResponseReceived@64] Response received from ***
2021-03-05 07:44:40.132 INFO  [4607] [SAMLLoginWindow::onLoadFinished@98] Load finished https://***/ssl-vpn/prelogin.esp?tmp=tmp&kerberos-support=yes&ipv6-support=yes&clientVer=4100&clientos=Linux
2021-03-05 07:44:40.158 INFO  [4607] [GPClient::populateGatewayMenu@100] Populating the Switch Gateway menu...
2021-03-05 07:44:40.503 INFO  [4607] [SAMLLoginWindow::onResponseReceived@64] Response received from https://***/app/panw_globalprotect/***/sso/saml
2021-03-05 07:44:40.557 INFO  [4607] [SAMLLoginWindow::onLoadFinished@98] Load finished https://***/app/panw_globalprotect/***/sso/saml
2021-03-05 07:44:40.673 INFO  [4607] [SAMLLoginWindow::onResponseReceived@64] Response received from https://***/SAML20/SP/ACS
2021-03-05 07:44:40.673 INFO  [4607] [SAMLLoginWindow::onResponseReceived@67] Got username from SAML response headers ***
2021-03-05 07:44:40.673 INFO  [4607] [SAMLLoginWindow::onResponseReceived@72] Got prelogin-cookie from SAML response headers ***
2021-03-05 07:44:40.673 INFO  [4607] [SAMLLoginWindow::onResponseReceived@84] Got the SAML authentication information successfully. username: ***, preloginCookie: ***, userAuthCookie: 
2021-03-05 07:44:40.673 INFO  [4607] [GatewayAuthenticator::onSAMLLoginSuccess@159] SAML login succeeded, got the prelogin-cookie ***
2021-03-05 07:44:40.674 INFO  [4607] [GatewayAuthenticator::login@38] Trying to login the gateway at https://***/ssl-vpn/login.esp with prot=https%3A&server=&inputSrc=&jnlpReady=jnlpReady&passwd=&computer=***&ok=Login&direct=yes&clientVer=4100&os-version=Ubuntu 20.04.2 LTS&clientos=Linux&portal-prelogonuserauthcookie=&ipv6-support=yes&user=***&prelogin-cookie=***&portal-userauthcookie=
2021-03-05 07:44:40.681 INFO  [4607] [GPClient::populateGatewayMenu@100] Populating the Switch Gateway menu...
2021-03-05 07:44:41.110 INFO  [4607] [gpclient::helper::parseGatewayResponse@50] Start parsing the gateway response...
2021-03-05 07:44:41.110 INFO  [4607] [gpclient::helper::parseGatewayResponse@51] The gateway response is: ***
2021-03-05 07:44:41.110 INFO  [4607] [GPClient::onGatewaySuccess@330] Gateway login succeeded, got the cookie authcookie=***&portal=FullTunnel-N&user=***&domain=%2528empty_domain%2529&preferred-ip=&computer=***
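
Added example (not part of the original issue or of the project's code): the log above was posted with hostnames, usernames and cookies masked as ***, while other logs on this page carry them in full. A Python filter that applies the same masking to gpclient log text before it is shared; the parameter names come from the log lines on this page, while the function names and the sample log are constructed for illustration.

```python
import re

MASK = "***"

# Form/query parameters seen in the gpclient log lines on this page that carry
# credentials or identify the user or machine.
SENSITIVE_PARAMS = (
    "prelogin-cookie", "portal-userauthcookie", "portal-prelogonuserauthcookie",
    "authcookie", "user", "passwd", "computer",
    "SAMLRequest", "RelayState", "fromLoginToken", "okta_key",
)

# name=value up to the next '&' or whitespace. The lookbehind stops "user" or
# "authcookie" from matching inside a longer name such as portal-userauthcookie.
_PARAM_RE = re.compile(
    r"(?<![\w-])(" + "|".join(map(re.escape, SENSITIVE_PARAMS)) + r")=([^&\s]+)"
)

# Free-text fields, written as (prefix that is kept)(value that is masked).
_TEXT_RES = (
    re.compile(r"(Got (?:username|prelogin-cookie) from SAML response headers )(\S+)"),
    re.compile(r"(got the prelogin-cookie )(\S+)"),
    re.compile(r"((?:username|preloginCookie|userAuthCookie): )([^,\s]+)"),
    re.compile(r"(for user: )(\S+)"),
    # The gateway response is a JNLP document whose arguments include the auth cookie.
    re.compile(r"(The gateway response is: )(.+)"),
    # data: URLs embed the whole auto-submitting SAML form, percent-encoded.
    re.compile(r"(Response received from )(data:\S+)"),
)

# Host part of any http(s) URL (portal, gateway and identity provider names).
_HOST_RE = re.compile(r"(https?://)([^/\s:?#]+)")


def redact_line(line):
    """Mask credentials, identities and hostnames in one gpclient log line."""
    for rx in _TEXT_RES:
        line = rx.sub(lambda m: m.group(1) + MASK, line)
    line = _PARAM_RE.sub(lambda m: m.group(1) + "=" + MASK, line)
    return _HOST_RE.sub(lambda m: m.group(1) + MASK, line)


def redact_log(text):
    """Redact a whole log; timestamps, log levels and call sites are kept."""
    return "\n".join(redact_line(line) for line in text.splitlines())


def residual_secrets(text):
    """Names of sensitive parameters that still carry an unmasked value."""
    return sorted({m.group(1) for m in _PARAM_RE.finditer(text) if m.group(2) != MASK})


# Constructed sample in the gpclient log format; every value is made up.
SAMPLE_LOG = """\
2021-01-01 10:00:00.000 INFO  [1000] [SAMLLoginWindow::onResponseReceived@64] Response received from data:text/html;charset=UTF-8,%3Cinput%20name%3D%22SAMLRequest%22%20value%3D%22EXAMPLEsamlREQUEST%22%3E
2021-01-01 10:00:00.001 INFO  [1000] [SAMLLoginWindow::onResponseReceived@84] Got the SAML authentication information successfully. username: alice@example.com, preloginCookie: EXAMPLEpreloginCOOKIE/abc+123
2021-01-01 10:00:00.002 INFO  [1000] [GatewayAuthenticator::login@38] Trying to login the gateway at https://vpn.example.com/ssl-vpn/login.esp with prot=https%3A&passwd=&computer=laptop01&clientos=Linux&user=alice%40example.com&prelogin-cookie=EXAMPLEpreloginCOOKIE%2Fabc%2B123&portal-userauthcookie=
2021-01-01 10:00:00.003 INFO  [1000] [gpclient::helper::parseGatewayResponse@51] The gateway response is: <?xml version="1.0"?><jnlp><application-desc><argument>0123456789abcdef</argument></application-desc></jnlp>
2021-01-01 10:00:00.004 INFO  [1000] [GPClient::onGatewaySuccess@330] Gateway login succeeded, got the cookie authcookie=0123456789abcdef&portal=GW-1&user=alice%40example.com&domain=&preferred-ip=&computer=laptop01
"""

if __name__ == "__main__":
    cleaned = redact_log(SAMPLE_LOG)
    print(cleaned)
    # Pre-post check: refuse to share a log that still has unmasked parameters.
    leftovers = residual_secrets(cleaned)
    if leftovers:
        raise SystemExit("still unmasked: " + ", ".join(leftovers))
```

residual_secrets only knows the listed parameter names, so a log from a different identity provider should still be read through once before it is posted.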

Fails on VPNs with multiple gateways.

When connecting to a VPN with multiple gateways I receive the error:
This does not appear to be a SAML prelogin response (<saml-auth-method> or <saml-request> tags missing)

Will try to look into it more this weekend but believe that additional branching logic might need to be added based on the prelogin response containing a list of gateways.

ubuntu 20.04 lts

sudo apt install qt5-default libqt5websockets5-dev qtwebengine5-dev

That fails to install on ubuntu 20.04 LTS. In fact, I'm having trouble getting any of the qt5 packages to install. Not sure what I'm doing wrong.


Trying to Build in openSUSE Tumbleweed

I realize I'm probably something of an odd ball, here. I apologize for being weird. I'm running openSUSE Tumbleweed, version 20200314.

I've been trying to build GlobalProtect-openconnect, and I'm pretty certain I have all necessary dependencies. However, when I try to run make, I run into something of a perplexing error.


Again, I believe I have the necessary dependencies installed. I think the 'devel_qt5' pattern includes all necessary packages.


I'm just looking for a decent starting point as I seem unable to figure out what might be wrong. I'm willing to do a bit of leg work if someone can get me started, at least.

After logging in using SAML, no open connect instance launches.

After logging in using SAML, no openconnect instance launches. Authentication using my Azure AD Credentials succeeds. Then the client just stops saying the SAML succeeds. No actual VPN connection starts.

I do get this error at the start:
2021-04-21 04:30:27.997 ERROR [43321] [GatewayAuthenticator::onLoginFinished@49] Failed to login the gateway at https://myjob.mywork.com/ssl-vpn/login.esp, Error transferring https://myjob.mywork.com/ssl-vpn/login.esp - server replied: Custom error

Seg Fault after login

It seems I'm logging in successfully, but immediately segfault when trying to bring up the token window.
Arch Linux
Any ideas?

2020-09-01 14:02:42.609 INFO [127473] [gpclient::helper::parseGatewayResponse@50] Start parsing the gateway response...
2020-09-01 14:02:42.609 INFO [127473] [gpclient::helper::parseGatewayResponse@51] The gateway response is:
var respStatus = "Challenge";
var respMsg = "Krontech Single Connect Please Enter OTP";
thisForm.inputStr.value = "5f323dea0000bc23";
Segmentation fault

Add HIP report script option

Hello,

Is there any chance of adding a HIP report script option to pass it to openconnect via "--csd-wrapper" argument?

Request: Keep in tray when closing

I'm using i3wm. It would be great if when I close the window after connecting it would stay in the system tray. It seems to keep running in the background, I don't disconnect from VPN, but I don't see it in the tray and have to run the application again to be able to disconnect.

Build error! Doesn't compile

I'm trying to compile the source, but I receive the error below!

/usr/bin/ld: main.o: na função "main.cold":
main.cpp:(.text.unlikely+0xa3): reference not defined for "SingleApplication::~SingleApplication()"
/usr/bin/ld: main.o: in function "main":
main.cpp:(.text.startup+0x2a2): reference not defined for "SingleApplication::SingleApplication(int&, char**, bool, QFlagsSingleApplication::Mode, int, QString const&)"
/usr/bin/ld: main.cpp:(.text.startup+0x2d3): reference not defined for "SingleApplication::instanceStarted()"
/usr/bin/ld: main.cpp:(.text.startup+0x35e): reference not defined for "SingleApplication::staticMetaObject"
/usr/bin/ld: main.cpp:(.text.startup+0x38e): reference not defined for "SingleApplication::~SingleApplication()"
collect2: error: ld returned 1 exit status
make[1]: *** [Makefile:238: gpclient] Erro 1
make[1]: Saindo do diretório '/usr/src/GlobalProtect-openconnect-master/GPClient'
make: *** [Makefile:48: sub-GPClient-make_first] Erro 2
root@BBWL0607-LNX:/usr/src/GlobalProtect-openconnect-master#

O.S: Ubuntu 20.10.1

any ideas to solve?

GlobalProtect SAML login: This site can’t be reached

When I try to log in to my corporate VPN, a login dialog appears and I can enter my email address, but when it tries to redirect to the SSO endpoint it fails.
image
However when I copy the SSO URL and paste it in a browser I can connect without any problems.

Is there a way to debug the app?

Any help appreciated!

Refactor constant URL parameters in a single place.

Currently, there are some constant URL parameters that are hardcoded in the code in the files GPClient/{loginparams.cpp,portalauthenticator.cpp,gatewayauthenticator.cpp}.

Especially clientos, os-version and version are three common parameters that should be refactored to be in a single place and (at a future date) customizable.

Can't find executable on Arch

I'm using Arch Linux with no desktop environment (i3 only) and installed this package from the AUR, but I can't find the executable in my bin directories. How do I run this?

error: #include expects "FILENAME" or <FILENAME>

When attempting to follow the OpenSUSE instructions, having installed the pre-requisites and following the documentation, I hit the following point, and the build fails (I am on Tumbleweed, a version of OpenSUSE):

$ make
cd GPClient/ && make -f Makefile 
make[1]: Entering directory '/home/torysa/workspace/Misc/GlobalProtect-openconnect/GPClient'
g++ -c -pipe -O2 -Wall -W -D_REENTRANT -DQAPPLICATION_CLASS=QApplication -DQT_DEPRECATED_WARNINGS -DQT_NO_DEBUG -DQT_DBUS_LIB -DQT_GUI_LIB -DQT_NETWORK_LIB -DQT_CORE_LIB -DQT_SHARED -I/usr/share/qt4/mkspecs/default -I. -I/usr/include/QtCore -I/usr/include/QtNetwork -I/usr/include/QtGui -I/usr/include/QtDBus -I/usr/include -I../singleapplication -I../plog/include -I. -I. -o singleapplication.o ../singleapplication/singleapplication.cpp
In file included from ../singleapplication/singleapplication.cpp:33:
../singleapplication/singleapplication.h:33:10: error: #include expects "FILENAME" or <FILENAME>
   33 | #include QT_STRINGIFY(QAPPLICATION_CLASS)
      |          ^~~~~~~~~~~~
../singleapplication/singleapplication.h:43:1: error: expected class-name before ‘{’ token
   43 | {
      | ^
<command-line>: error: ‘QApplication’ does not name a type
../singleapplication/singleapplication.h:46:13: note: in expansion of macro ‘QAPPLICATION_CLASS’
   46 |     typedef QAPPLICATION_CLASS app_t;
      |             ^~~~~~~~~~~~~~~~~~
../singleapplication/singleapplication.cpp: In constructor ‘SingleApplication::SingleApplication(int&, char**, bool, SingleApplication::Options, int)’:
../singleapplication/singleapplication.cpp:44:7: error: class ‘SingleApplication’ does not have any field named ‘app_t’
   44 |     : app_t( argc, argv ), d_ptr( new SingleApplicationPrivate( this ) )
      |       ^~~~~
../singleapplication/singleapplication.cpp:110:107: error: ‘static void QThread::sleep(long unsigned int)’ is protected within this context
  110 |         QThread::sleep( 8 + static_cast <unsigned long>( static_cast <float>( qrand() ) / RAND_MAX * 10 ) );
      |                                                                                                           ^
In file included from /usr/include/QtCore/QThread:1,
                 from ../singleapplication/singleapplication.cpp:24:
/usr/include/QtCore/qthread.h:115:17: note: declared protected here
  115 |     static void sleep(unsigned long);
      |                 ^~~~~
make[1]: *** [Makefile:375: singleapplication.o] Error 1
make[1]: Leaving directory '/home/torysa/workspace/Misc/GlobalProtect-openconnect/GPClient'
make: *** [Makefile:40: sub-GPClient-make_default] Error 2

Save credentials

Once disconnected, I need to put my username and password in again. Is there a way to automate this process please?

SAML auth succeeds, but openconnect fails to get config

When running gpclient in the terminal, this is what I see:

"Openconnect started successfully, PID=136056"
"[2020-05-01 19:46:39] POST https://my.portal.server/ssl-vpn/prelogin.esp?tmp=tmp&clientVer=4100&clientos=Linux\n"
"[2020-05-01 19:46:39] Connected to XXX.XXX.XXX.XXX:443\n"
"[2020-05-01 19:46:39] SSL negotiation with my.portal.server\n"
"[2020-05-01 19:46:40] Connected to HTTPS on my.portal.server\n"
"SAML login is required via REDIRECT to this URL:\n\thttps://login.microsoftonline.com/REDACTEDnEnter login credentials\n"
"[2020-05-01 19:46:40] POST https://my.portal.server/ssl-vpn/login.esp\n"
"[2020-05-01 19:46:40] GlobalProtect login returned authentication-source=XXXXXXX-SAML\n[2020-05-01 19:46:40] POST https://my.portal.server/ssl-vpn/getconfig.esp\n"
"[2020-05-01 19:46:40] Matching client config not found\nCreating SSL connection failed\n"
"Openconnect process exited with code 1 and exit status NormalExit"

I am able to complete the SAML login prompt (including 2FA authentication), but it disconnects shortly afterward. I took the redirect URL and opened it in my browser, did the auth there, and then from the auth'ed session I navigated to the getconfig.esp URL and saw an almost empty page with no visible text. Upon viewing the source of this page, it simply said errors getting SSL/VPN config.

Please let me know if there's anything I can do to get you more useful information.

gpclient hangs and does not connect

Hi,
gpclient does not connect, but hangs on "Start parsing the priority rules..."
Complete log follows

020-10-12 21:10:11.452 INFO  [15995] [main@22] GlobalProtect started, version: v1.2.5
QStandardPaths: XDG_RUNTIME_DIR not set, defaulting to '/tmp/runtime-root'
QStandardPaths: XDG_RUNTIME_DIR not set, defaulting to '/tmp/runtime-root'
2020-10-12 21:10:11.755 INFO  [15995] [GPClient::populateGatewayMenu@100] Populating the Switch Gateway menu...
2020-10-12 21:10:18.109 INFO  [15995] [GPClient::doConnect@205] Start connecting...
2020-10-12 21:10:18.109 INFO  [15995] [GPClient::doConnect@226] Start portal login...
2020-10-12 21:10:18.129 INFO  [15995] [PortalAuthenticator::authenticate@29] Preform portal prelogin at https://portal.test.com/global-protect/prelogin.esp?tmp=tmp&kerberos-support=yes&ipv6-support=yes&clientVer=4100&clientos=Linux
2020-10-12 21:10:18.137 INFO  [15995] [GPClient::populateGatewayMenu@100] Populating the Switch Gateway menu...
2020-10-12 21:10:18.555 INFO  [15995] [PortalAuthenticator::onPreloginFinished@46] Portal prelogin succeeded.
2020-10-12 21:10:18.555 INFO  [15995] [PreloginResponse::parse@26] Start parsing the prelogin response...
2020-10-12 21:10:18.556 INFO  [15995] [PortalAuthenticator::onPreloginFinished@50] Finished parsing the prelogin response. The region field is: 192.168.0.0-192.168.255.255
2020-10-12 21:10:18.556 INFO  [15995] [PortalAuthenticator::normalAuth@82] Trying to launch the normal login window...
2020-10-12 21:10:18.629 INFO  [15995] [GPClient::populateGatewayMenu@100] Populating the Switch Gateway menu...
2020-10-12 21:11:03.606 INFO  [15995] [PortalAuthenticator::fetchConfig@157] Fetching the portal config from https://portal.test.com/global-protect/getconfig.esp for user: jochristian
2020-10-12 21:11:05.190 INFO  [15995] [PortalAuthenticator::onFetchConfigFinished@183] Fetch the portal config succeeded.
2020-10-12 21:11:05.190 INFO  [15995] [PortalConfigResponse::parse@20] Start parsing the portal configuration...
2020-10-12 21:11:05.190 INFO  [15995] [PortalConfigResponse::parseGateways@64] Start parsing the gateways from portal configuration...
2020-10-12 21:11:05.191 INFO  [15995] [PortalConfigResponse::parsePriorityRules@88] Start parsing the priority rules...

Let me know if you need any more information.
Palo Alto firewall is running 10.0.1. But I have seen the same issue on 9.1.4.

BTW, openconnect --protocol=gp works without any issues.

Thanks

/Jo Christian

help parameter missing

It would be nice to get some parameters like:

  • help
  • username
  • password
  • server
  • mtu
  • token-mode (from openconnect)
  • token-secret (from openconnect)

Connection stuck at "Login Successful!" after SAML login

Since the latest release, I cannot establish a successful connection, as after passing the SAML login step (I am using Okta), the login window just displays "Login Successful!", it does not close, and openconnect does not seem to be invoked to create the actual connection.

I am on Arch Linux, with the following packages:
globalprotect-openconnect 1.2.0-1 (installed from AUR)
openconnect 1:8.10-1

A screenshot:

image

I get the below logs:

❯ gpclient
2020-05-28 23:04:19.354 INFO  [10272] [PortalAuthenticator::authenticate@29] Preform portal prelogin at https://my-vpn.corporation.com/global-protect/prelogin.esp
2020-05-28 23:04:20.337 INFO  [10272] [PortalAuthenticator::onPreloginFinished@46] Portal prelogin succeeded.
2020-05-28 23:04:20.337 INFO  [10272] [PortalAuthenticator::samlAuth@114] Trying to perform SAML login with saml-method POST

DevTools listening on ws://127.0.0.1:12315/devtools/browser/6a7a4658-2184-46bc-b22d-bb19bf5b0793
Remote debugging server started successfully. Try pointing a Chromium-based browser to http://127.0.0.1:12315
2020-05-28 23:04:20.722 INFO  [10272] [SAMLLoginWindow::onLoadFinished@71] Load finished https://my-vpn.corporation.com/global-protect/prelogin.esp
2020-05-28 23:04:25.413 INFO  [10272] [SAMLLoginWindow::onLoadFinished@71] Load finished https://corporation.okta.com/app/panw_globalprotect/exk123456789ABCDEFGH/sso/saml
2020-05-28 23:04:43.202 INFO  [10272] [SAMLLoginWindow::onLoadFinished@71] Load finished https://corporation.okta.com/login/sessionCookieRedirect

Thank you for help.

Succeeds in connecting, but GUI stuck in "Connecting"

It seems to be working fine, but the GUI gets stuck in "Connecting", which won't minimize, nor let me switch gateways. Thank you.

Build globalprotect-openconnect_1.3.0-1ppa1_amd64.deb on:
NAME="Linux Mint"
VERSION="20.1 (Ulyssa)"
OpenConnect version v8.10-170-gca7bc365
Using OpenSSL 1.1.1f  31 Mar 2020. Features present: TPM (OpenSSL ENGINE not present), PKCS#11, HOTP software token, TOTP software token, DTLS, ESP
Supported protocols: anyconnect (default), nc, gp, pulse

SSL error

I'm trying to connect to a GlobalProtect VPN and get an SSL error. Here are the relevant lines:

2020-09-09 22:31:26.820 INFO  [17969] [PortalAuthenticator::authenticate@29] Preform portal prelogin at https://gpvpn.mit.edu/global-protect/prelogin.esp?tmp=tmp&kerberos-support=yes&ipv6-support=yes&clientVer=4100&clientos=Linux
2020-09-09 22:31:26.904 ERROR [17969] [PortalAuthenticator::onPreloginFinished@40] Error occurred while accessing https://gpvpn.mit.edu/global-protect/prelogin.esp?tmp=tmp&kerberos-support=yes&ipv6-support=yes&clientVer=4100&clientos=Linux, SSL handshake failed
2020-09-09 22:31:26.904 INFO  [17969] [GPClient::onPortalPreloginFail@276] Portal prelogin failed: Error occurred on the portal prelogin interface.

Docker image [help wanted]

https://github.com/thatnerdjosh/GlobalProtect-openconnect/blob/feature/js-add_dockerfile/Dockerfile

I started working on a docker image for this client... and got it mostly working, except it crashes once it tries to redirect to the login page with this error:

Failed to create OpenGL context for format QSurfaceFormat(version 2.0, options QFlags<QSurfaceFormat::FormatOption>(), depthBufferSize 24, redBufferSize -1, greenBufferSize -1, blueBufferSize -1, alphaBufferSize -1, stencilBufferSize 8, samples 0, swapBehavior QSurfaceFormat::DefaultSwapBehavior, swapInterval 1, colorSpace QSurfaceFormat::DefaultColorSpace, profile  QSurfaceFormat::NoProfile) 

I am not an experienced Qt (or C++ for that matter) developer, so I am quite stuck figuring this one out. I am guessing it has something to do with OpenGL support inside the container.

QGLXContext: Failed to create dummy context

...
2020-11-06 11:12:03.815 INFO  [3313324] [PortalAuthenticator::samlAuth@117] Trying to perform SAML login with saml-method POST
QGLXContext: Failed to create dummy context
WebEngineContext used before QtWebEngine::initialize() or OpenGL context creation failed.

DevTools listening on ws://127.0.0.1:12315/devtools/browser/40e1461f-1c39-44eb-9d7d-fe3d59573c38
Remote debugging server started successfully. Try pointing a Chromium-based browser to http://127.0.0.1:12315
2020-11-06 11:12:03.940 INFO  [3313324] [SAMLLoginWindow::onResponseReceived@64] Response received from data:text/html;charset=UTF-8,%3Chtml%3E%0A%3Cbody%3E%0A%3Cform%20id%3D%22myform%22%20method%3D%22POST%22%20action%3D%22https%3A%2F%2Fidp.smu.edu%2Fidp%2Fprofile%2FSAML2%2FPOST%2FSSO%22%3E%0A%3Cinput%20type%3D%22hidden%22%20name%3D%22SAMLRequest%22%20value%3D%22PHNhbWxwOkF1dGhuUmVxdWVzdCB4bWxuczpzYW1scD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOnByb3RvY29sIiBBc3NlcnRpb25Db25zdW1lclNlcnZpY2VVUkw9Imh0dHBzOi8vZ3AtdnBuLnNtdS5lZHU6NDQzL1NBTUwyMC9TUC9BQ1MiIERlc3RpbmF0aW9uPSJodHRwczovL2lkcC5zbXUuZWR1L2lkcC9wcm9maWxlL1NBTUwyL1BPU1QvU1NPIiBJRD0iXzcwMzc2ZmQxYzk3ODIwMTJjNjI1OTgwNjIzOTUxOGYyIiBJc3N1ZUluc3RhbnQ9IjIwMjAtMTEtMDZUMDM6MTI6MDNaIiBQcm90b2NvbEJpbmRpbmc9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpiaW5kaW5nczpIVFRQLVBPU1QiIFZlcnNpb249IjIuMCI%2BPHNhbWw6SXNzdWVyIHhtbG5zOnNhbWw9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphc3NlcnRpb24iPmh0dHBzOi8vZ3AtdnBuLnNtdS5lZHU6NDQzL1NBTUwyMC9TUDwvc2FtbDpJc3N1ZXI%2BPC9zYW1scDpBdXRoblJlcXVlc3Q%2B%22%20%2F%3E%0A%3Cinput%20type%3D%22hidden%22%20name%3D%22RelayState%22%20value%3D%22BLkBAKUk%2B140OGQzODMyYmZjZmY3MjA1M2MzMGM1NjJkZjk0ZjhjNA%3D%3D%22%20%2F%3E%0A%3C%2Fform%3E%0A%3Cscript%3E%0A%20%20document.getElementById%28%27myform%27%29.submit%28%29%3B%0A%3C%2Fscript%3E%0A%3C%2Fbody%3E%0A%3C%2Fhtml%3E%0D%0A
Failed to create OpenGL context for format QSurfaceFormat(version 2.0, options QFlags<QSurfaceFormat::FormatOption>(), depthBufferSize 24, redBufferSize -1, greenBufferSize -1, blueBufferSize -1, alphaBufferSize -1, stencilBufferSize 8, samples 0, swapBehavior QSurfaceFormat::DefaultSwapBehavior, swapInterval 1, colorSpace QSurfaceFormat::DefaultColorSpace, profile  QSurfaceFormat::NoProfile) 
fish: “gpclient” terminated by signal SIGABRT (Abort)

Above is the response. The version is v1.2.5. I use Manjaro Linux.

I have no idea about this issue.

Segmentation fault during gateway authentication

I'm seeing a segmentation fault immediately after pressing "Connect". This didn't start happening until yesterday. I tried uninstalling/reinstalling globalprotect-openconnect from the AUR to no avail. Looks like the server is responding with "Invalid username or password" before I even get to the SAML authentication screen...

2020-12-01 08:36:44.673 INFO [3820] [main@22] GlobalProtect started, version: v1.2.5
2020-12-01 08:36:44.776 INFO [3820] [GPClient::populateGatewayMenu@100] Populating the Switch Gateway menu...
2020-12-01 08:36:45.957 INFO [3820] [GPClient::populateGatewayMenu@100] Populating the Switch Gateway menu...
2020-12-01 08:36:46.649 INFO [3820] [GPClient::doConnect@205] Start connecting...
2020-12-01 08:36:46.649 INFO [3820] [GPClient::doConnect@221] Start gateway login using the previously saved gateway...
2020-12-01 08:36:46.650 INFO [3820] [GPClient::gatewayLogin@316] Performing gateway login...
2020-12-01 08:36:46.655 INFO [3820] [GatewayAuthenticator::authenticate@26] Start gateway authentication...
2020-12-01 08:36:46.655 INFO [3820] [GatewayAuthenticator::login@38] Trying to login the gateway at https://vpn.stryker.com/ssl-vpn/login.esp with prot=https%3A&server=&inputSrc=&jnlpReady=jnlpReady&computer=arch-precision7520&ok=Login&direct=yes&clientVer=4100&os-version=Arch Linux&clientos=Linux&portal-prelogonuserauthcookie=&prelogin-cookie=&ipv6-support=yes&user=&passwd=&portal-userauthcookie=
2020-12-01 08:36:47.290 INFO [3820] [gpclient::helper::parseGatewayResponse@50] Start parsing the gateway response...
2020-12-01 08:36:47.290 INFO [3820] [gpclient::helper::parseGatewayResponse@51] The gateway response is:
var respStatus = "Error";
var respMsg = "Authentication failure: Invalid username or password";
thisForm.inputStr.value = "";

Segmentation fault (core dumped)

Update: sorry - adding code does not seem to be working for me so I'm not sure how to get the log formatted nicely.

Incorrect MTU set or not set at all?

It seems like GP either doesn't set the MTU correctly or doesn't at all on connection. My tun0 defaults to 1500, which doesn't work as the actual MTU is much lower.

After connecting I use incrementing pings to detect it (really hacky), then set it manually:

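# Probe ICMP payload sizes upward until a ping fails, then print the last
# working payload size plus 28 bytes (20-byte IPv4 header + 8-byte ICMP header).
last=1300
for s in {1300..1500}; do
    if ping -c 1 -W 1 -s "$s" 1.1.1.1 &>/dev/null; then
        last=$s
    else
        echo $((last + 28))
        break
    fi
done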

In my case the MTU varies between 1372 and 1390 depending on the vpn I am connecting to.

OS: Arch Linux
Kernel: Linux no 5.8.1-arch1-1
Network: systemd-networkd (systemd 246.1-1)

I am curious if this might be an issue with my network stack or GP, but it seems like GP might be at fault here.

After connect UI still showing as connecting status

Hi, I've recently installed the app in Pop!_OS 20.04 following the steps to build the Debian package and got a small issue: even after a successful connection, the GUI keeps showing the connecting message without any return.
Attached images of the issue:
Screenshot from 2021-01-08 15-32-24
Screenshot from 2021-01-08 15-31-59

Server asked us to submit HIP report with md5sum

Hi! I am using SAML authentication, but after connecting I cannot access any resource in the VPN. In the log I see the warning about the md5sum of the HIP report.

2021-04-29 09:31:44.174 INFO  [36636] [GPClient::onVPNLogAvailable@440] No MTU received. Calculated 1422 for ESP tunnel

2021-04-29 09:31:44.175 INFO  [36636] [GPClient::onVPNLogAvailable@440] POST https://some.server.com/ssl-vpn/hipreportcheck.esp

2021-04-29 09:31:44.372 INFO  [36636] [GPClient::onVPNLogAvailable@440] WARNING: Server asked us to submit HIP report with md5sum 1c9c4f1f793378a88e5be9711d3c8d21.
    VPN connectivity may be disabled or limited without HIP report submission.
    You need to provide a --csd-wrapper argument with the HIP report submission script.

2021-04-29 09:31:44.372 INFO  [36636] [GPClient::onVPNLogAvailable@440] Connected as xx.x.xxx.106, using SSL, with ESP in progress

2021-04-29 09:31:49.462 INFO  [36636] [GPClient::onVPNLogAvailable@440] Failed to connect ESP tunnel; using HTTPS instead.

Connected but cannot ping or access hosts

I am trying to connect to a Palo Alto VPN with SAML authentication. I am able to authenticate and the client says "Connected", but I am not able to navigate to the hosts in the VPN or ping them.

I have the following output from gpclient:

2020-09-18 13:28:54.079 INFO  [12429] [GPClient::onVPNLogAvailable@440] Call failed: The name org.freedesktop.resolve1 was not provided by any .service files

2020-09-18 13:28:54.083 INFO  [12429] [GPClient::onVPNLogAvailable@440] Call failed: The name org.freedesktop.resolve1 was not provided by any .service files

2020-09-18 13:28:58.087 INFO  [12429] [GPClient::onVPNLogAvailable@440] Failed to connect ESP tunnel; using HTTPS instead.
Linux version 5.8.8-artix1-1 (linux@artixlinux) (gcc (GCC) 10.2.0, GNU ld (GNU Binutils) 2.35) #1 SMP PREEMPT Wed, 09 Sep 2020 20:39:21 +0000

I try to connect using the GlobalProtect Client and it works.

Add support for --os

Hello,

I work for a managed service provider and really like your software. It seems that some of our customers support Windows clients only, which results in the following error message:

Matching client config not found
Creating SSL connection failed
Unknown error; exiting.

All that needs to be done to fix it is appending the following option:

--os=win

I already edited my local copy, would be great if you added support for it via command line arguments, or better, the GUI.

Thank you!

SAML - Okta Not working

This is looking great, but for me currently not quite working. Get the window to enter the portal address. When I click on connect I get the SAML/Okta window, in which I can login and get the sms push. After that the SAML window disappears and I am back at the globalprotect window where it just says "Authenticating".

Doing it from the command line it simply seems to stop at "Start parsing the priority rules"

 2020-07-28 13:35:32.739 INFO  [2594] [SAMLLoginWindow::onLoadFinished@98] Load finished https://access.xxxxxxx.com/global-protect/prelogin.esp?tmp=tmp&kerberos-support=yes&ipv6-support=yes&clientVer=4100&clientos=Linux
 2020-07-28 13:35:33.336 INFO  [2594] [SAMLLoginWindow::onResponseReceived@64] Response received from https://xxxxxxx.okta.com/app/xxxxxxx_globalprotectexternalgateways_1/........................../sso/saml
 2020-07-28 13:35:33.543 INFO  [2594] [SAMLLoginWindow::onLoadFinished@98] Load finished https://xxxxxxx.okta.com/app/xxxxxxx_globalprotectexternalgateways_1/........................../sso/saml
 2020-07-28 13:35:33.573 INFO  [2594] [SAMLLoginWindow::onResponseReceived@64] Response received from https://login.okta.com/discovery/iframe.html
 2020-07-28 13:35:40.353 INFO  [2594] [SAMLLoginWindow::onResponseReceived@64] Response received from https://xxxxxxx.okta.com/auth/services/devicefingerprint
 2020-07-28 13:35:42.813 INFO  [2594] [SAMLLoginWindow::onResponseReceived@64] Response received from https://xxxxxxx.okta.com/login/sessionCookieRedirect
 2020-07-28 13:35:42.911 INFO  [2594] [SAMLLoginWindow::onLoadFinished@98] Load finished https://xxxxxxx.okta.com/login/sessionCookieRedirect
 2020-07-28 13:35:42.923 INFO  [2594] [SAMLLoginWindow::onResponseReceived@64] Response received from https://login.okta.com/discovery/iframe.html
 2020-07-28 13:35:55.410 INFO  [2594] [SAMLLoginWindow::onResponseReceived@64] Response received from https://xxxxxxx.okta.com/login/sessionCookieRedirect
 2020-07-28 13:35:55.468 INFO  [2594] [SAMLLoginWindow::onLoadFinished@98] Load finished https://xxxxxxx.okta.com/login/sessionCookieRedirect
 2020-07-28 13:35:56.629 INFO  [2594] [SAMLLoginWindow::onResponseReceived@64] Response received from https://access.xxxxxxx.com/SAML20/SP/ACS
 2020-07-28 13:35:56.629 INFO  [2594] [SAMLLoginWindow::onResponseReceived@67] Got username from SAML response headers [email protected]
 2020-07-28 13:35:56.629 INFO  [2594] [SAMLLoginWindow::onResponseReceived@72] Got prelogin-cookie from SAML response headers ------------------------------------------------------
 2020-07-28 13:35:56.629 INFO  [2594] [SAMLLoginWindow::onResponseReceived@84] Got the SAML authentication information successfully. username: [email protected], preloginCookie: ------------------------------------------------------, userAuthCookie: 
 2020-07-28 13:35:56.629 INFO  [2594] [PortalAuthenticator::onSAMLLoginSuccess@131] SAML login succeeded, got the prelogin-cookie ------------------------------------------------------
 2020-07-28 13:35:56.629 INFO  [2594] [PortalAuthenticator::fetchConfig@157] Fetching the portal config from https://access.xxxxxxx.com/global-protect/getconfig.esp for user: [email protected] qt.qpa.xcb: QXcbConnection: XCB error: 3 (BadWindow), sequence: 1190, resource id: 14686854, major code: 40 (TranslateCoords), minor code: 0
 2020-07-28 13:35:57.687 INFO  [2594] [PortalAuthenticator::onFetchConfigFinished@183] Fetch the portal config succeeded.
 2020-07-28 13:35:57.687 INFO  [2594] [PortalConfigResponse::parse@20] Start parsing the portal configuration...
 2020-07-28 13:35:57.687 INFO  [2594] [PortalConfigResponse::parseGateways@64] Start parsing the gateways from portal configuration...
 2020-07-28 13:35:57.687 INFO  [2594] [PortalConfigResponse::parsePriorityRules@88] Start parsing the priority rules...
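The logs in this and other reports carry usernames, prelogin cookies and login parameters, which reporters blanked out by hand. As an added example (not part of any report and not the project's code), a scrubber for these log shapes that replaces each secret with a keyed tag, so repeated values can still be matched up; the function names and the sample lines are constructed for illustration.

```python
import hashlib
import os
import re

# Query-string keys seen in the login.esp log lines and the openconnect command.
_QUERY_KEYS = (
    "portal-prelogonuserauthcookie", "portal-userauthcookie",
    "prelogin-cookie", "authcookie", "passwd", "user", "computer",
)
# key=value inside a URL or form body; empty values are left alone because
# "the field was empty" is useful debugging information.
_QUERY_RE = re.compile(
    r"(?<![\w-])(" + "|".join(map(re.escape, _QUERY_KEYS)) + r")=([^&\s'\"]+)"
)
# "for user: X", "username: X, preloginCookie: Y, userAuthCookie: Z"
_LABEL_RE = re.compile(
    r"\b(for user|username|preloginCookie|userAuthCookie): ([^,\s]+)"
)
# "Got ... from SAML response headers X", "got the prelogin-cookie X"
_SAML_RE = re.compile(
    r"\b(from SAML response headers|got the prelogin-cookie) (\S+)"
)


def make_redactor(key=None):
    """Return a function that scrubs one log line.

    The key is random per run unless given, so tags cannot be used to
    guess the original value once the key is discarded.
    """
    key = key or os.urandom(16)

    def tag(value):
        digest = hashlib.blake2s(value.encode(), key=key, digest_size=3)
        return f"<redacted:{digest.hexdigest()}>"

    def redact(line):
        line = _QUERY_RE.sub(lambda m: f"{m.group(1)}={tag(m.group(2))}", line)
        line = _LABEL_RE.sub(lambda m: f"{m.group(1)}: {tag(m.group(2))}", line)
        line = _SAML_RE.sub(lambda m: f"{m.group(1)} {tag(m.group(2))}", line)
        return line

    return redact


def redact_lines(lines, key=None):
    """Scrub a whole log with one key so equal secrets get equal tags."""
    redact = make_redactor(key)
    return [redact(line) for line in lines]


# Constructed sample log (values are made up, shapes follow the reports).
SAMPLE_LOG = [
    "2021-01-01 10:00:00.000 INFO [1000] [GatewayAuthenticator::login@38] "
    "Trying to login the gateway at https://vpn.example.com/ssl-vpn/login.esp "
    "with prot=https%3A&computer=laptop01&clientVer=4100&clientos=Linux"
    "&prelogin-cookie=&user=alice&passwd=hunter2",
    "2021-01-01 10:00:01.000 INFO [1000] [SAMLLoginWindow::onResponseReceived@84] "
    "Got the SAML authentication information successfully. "
    "username: alice@example.com, preloginCookie: AbCdEf123456, userAuthCookie: ",
    "2021-01-01 10:00:01.000 INFO [1000] [PortalAuthenticator::onSAMLLoginSuccess@131] "
    "SAML login succeeded, got the prelogin-cookie AbCdEf123456",
    "2021-01-01 10:00:01.000 INFO [1000] [PortalAuthenticator::fetchConfig@157] "
    "Fetching the portal config from https://vpn.example.com/global-protect/getconfig.esp "
    "for user: alice@example.com",
]

if __name__ == "__main__":
    for scrubbed in redact_lines(SAMPLE_LOG):
        print(scrubbed)
```

Hostnames in URLs are left untouched; replace them separately if the portal address is itself sensitive.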

Failed to fetch the portal config

Hi. I am getting this error message:

2020-06-19 15:27:00.550 INFO  [8731] [main@22] GlobalProtect started, version: v1.2.4
2020-06-19 15:27:23.025 INFO  [7093] [GPClient::doConnect@205] Start connecting...
2020-06-19 15:27:23.025 INFO  [7093] [GPClient::doConnect@226] Start portal login...
2020-06-19 15:27:23.037 INFO  [7093] [PortalAuthenticator::authenticate@29] Preform portal prelogin at https://vpn.example.com/global-protect/prelogin.esp?tmp=tmp&kerberos-support=yes&ipv6-support=yes&clientVer=4100&clientos=Linux
2020-06-19 15:27:23.431 INFO  [7093] [PortalAuthenticator::onPreloginFinished@46] Portal prelogin succeeded.
2020-06-19 15:27:23.431 INFO  [7093] [PreloginResponse::parse@26] Start parsing the prelogin response...
2020-06-19 15:27:23.431 INFO  [7093] [PortalAuthenticator::onPreloginFinished@50] Finished parsing the prelogin response. The region field is: XX
2020-06-19 15:27:23.431 INFO  [7093] [PortalAuthenticator::normalAuth@82] Trying to launch the normal login window...
2020-06-19 15:27:38.961 INFO  [7093] [PortalAuthenticator::fetchConfig@157] Fetching the portal config from https://vpn.example.com/global-protect/getconfig.esp for user: [email protected]
2020-06-19 15:28:04.050 ERROR [7093] [PortalAuthenticator::onFetchConfigFinished@168] Failed to fetch the portal config from https://vpn.example.com/global-protect/getconfig.esp, Error transferring https://vpn.example.com/global-protect/getconfig.esp - server replied: Custom error

Split tunnel support?

Wondering if there is a command switch or an option somewhere to do a split tunnel. I'm being lazy and don't want to manually delete the additional default gateway every time I connect.

Can't change clientos

My work disables the Linux client OS on the VPN. Is there a way to use the clientos flag from openconnect?

Unknown prelogin response

Hi,
I've come across a portal that is not supported.
The prelogin response is similar to this:
https://github.com/gabrielmuras/openconnect-docker/blob/master/PAN_GlobalProtect_protocol_doc.md#pre-login-response

The response is as follows:
<?xml version="1.0" encoding="UTF-8" ?> <prelogin-response> <status>Success</status> <ccusername></ccusername> <autosubmit>false</autosubmit> <msg></msg> <newmsg></newmsg> <authentication-message>Enter login credentials</authentication-message> <panos-version>1</panos-version><region>NO</region> </prelogin-response>

hipreport

Does this support any settings or configuration?
Or inclusion of a hipreport.sh file?

Thanks!

Connection Failure

I installed the GP VPN Client from the AUR repository (Manjaro).

Then I entered the address of my portal and clicked the Connect button.
But then the text "Not Connected" changes for only about half a second to, I think, "Authentification".
It is too short to read the whole word...
Then the text changes back to "Not Connected" with no further effect.

Note:
The openconnect-palo-git (another AUR package) currently works fine.

Have you any idea what can be the problem?

Thank you!

Can't sign in to Microsoft SAML (unknown device)

I'm able to install and connect just fine, but when I try to log in to Microsoft I get the following error:

Screenshot from 2021-05-18 07-55-37

I saw something in some other issue about connecting with the --os=win parameter for openconnect but even recompiling with that parameter didn't work.

How does Microsoft know what OS I'm connecting from?

How can I fix this?

Request: Launch minimized

I would like to launch the client application at startup, but minimized to tray. A gpclient --start-minimized flag would be nice that would let me configure the application for autostart without being distracting.

Support for client certificate authentication

Does the client currently support authentication using a client certificate in order to verify the client's authenticity? Is it possible to specify a certain certificate that is used during authentication?

Doesn't work on Arch Linux

~  gpclient
2021-04-24 18:22:53.951 INFO [33452] [main@22] GlobalProtect started, version: v1.2.7
2021-04-24 18:22:54.115 INFO [33452] [GPClient::populateGatewayMenu@100] Populating the Switch Gateway menu...
2021-04-24 18:22:57.406 INFO [33452] [GPClient::populateGatewayMenu@100] Populating the Switch Gateway menu...
2021-04-24 18:23:03.617 INFO [33452] [GPClient::doConnect@205] Start connecting...
2021-04-24 18:23:03.617 INFO [33452] [GPClient::doConnect@221] Start gateway login using the previously saved gateway...
2021-04-24 18:23:03.617 INFO [33452] [GPClient::gatewayLogin@316] Performing gateway login...
2021-04-24 18:23:03.628 INFO [33452] [GatewayAuthenticator::authenticate@26] Start gateway authentication...
2021-04-24 18:23:03.628 INFO [33452] [GatewayAuthenticator::login@38] Trying to login the gateway at https://hidden/ssl-vpn/login.esp with prot=https%3A&server=&inputSrc=&jnlpReady=jnlpReady&computer=thinkpad&ok=Login&direct=yes&clientVer=4100&os-version=Arch Linux&clientos=Linux&portal-prelogonuserauthcookie=&prelogin-cookie=&ipv6-support=yes&user=&passwd=&portal-userauthcookie=
2021-04-24 18:23:03.984 ERROR [33452] [GatewayAuthenticator::onLoginFinished@49] Failed to login the gateway at https://hidden/ssl-vpn/login.esp, Error transferring https://hidden/ssl-vpn/login.esp - server replied: Custom error
2021-04-24 18:23:03.984 INFO [33452] [GatewayAuthenticator::doAuth@70] Perform the gateway prelogin at https://hidden/ssl-vpn/prelogin.esp?tmp=tmp&kerberos-support=yes&ipv6-support=yes&clientVer=4100&clientos=Linux
2021-04-24 18:23:04.017 INFO [33452] [GatewayAuthenticator::onPreloginFinished@87] Gateway prelogin succeeded.
2021-04-24 18:23:04.018 INFO [33452] [PreloginResponse::parse@26] Start parsing the prelogin response...
2021-04-24 18:23:04.018 INFO [33452] [GatewayAuthenticator::normalAuth@105] Trying to perform the normal login with Username / Password credentials
2021-04-24 18:23:51.055 INFO [33452] [GatewayAuthenticator::onPerformNormalLogin@123] Start to perform normal login...
2021-04-24 18:23:51.056 INFO [33452] [GatewayAuthenticator::login@38] Trying to login the gateway at https://hidden/ssl-vpn/login.esp with prot=https%3A&server=&inputSrc=&jnlpReady=jnlpReady&computer=thinkpad&ok=Login&direct=yes&clientVer=4100&os-version=Arch Linux&clientos=Linux&portal-userauthcookie=&portal-prelogonuserauthcookie=&prelogin-cookie=&ipv6-support=yes&user=hidden&passwd=hidden
2021-04-24 18:23:51.983 INFO [33452] [gpclient::helper::parseGatewayResponse@50] Start parsing the gateway response...
2021-04-24 18:23:51.983 INFO [33452] [gpclient::helper::parseGatewayResponse@51] The gateway response is:
var respStatus = "Challenge";
var respMsg = "Multiple challenges submitted.";
thisForm.inputStr.value = "5fb02dbc00023c38";

[1] 33452 segmentation fault (core dumped) gpclient
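The gateway replies quoted in the segfault reports on this page (an OTP challenge, "Multiple challenges submitted.", and a login error) all share one three-line shape. As an added example (not the project's code, and not a diagnosis of the crash), a parser for that shape that classifies the reply and rejects anything malformed instead of assuming a login payload; all names are hypothetical, and treating the inputStr token as short hex is an assumption based on the two quoted samples.

```python
import re
from dataclasses import dataclass

# Constructed samples, copied in shape from the replies quoted in the reports.
SAMPLE_OTP = (
    'var respStatus = "Challenge";\n'
    'var respMsg = "Krontech Single Connect Please Enter OTP";\n'
    'thisForm.inputStr.value = "5f323dea0000bc23";\n'
)
SAMPLE_ERROR = (
    'var respStatus = "Error";\n'
    'var respMsg = "Authentication failure: Invalid username or password";\n'
    'thisForm.inputStr.value = "";\n'
)

MAX_REPLY_CHARS = 4096
REQUIRED = ("respStatus", "respMsg", "thisForm.inputStr.value")
KNOWN_STATUS = ("Challenge", "Error")

# One assignment per line: [var] name = "value";  (no escapes or embedded quotes)
_ASSIGN = re.compile(r'\s*(?:var\s+)?([A-Za-z_][\w.]*)\s*=\s*"([^"\\]*)"\s*;\s*')
# Assumption: the challenge token is short hex, as in both quoted samples.
_TOKEN = re.compile(r"[0-9A-Fa-f]{1,64}")


class MalformedReply(ValueError):
    """The body is not a challenge/error reply in the expected shape."""


@dataclass(frozen=True)
class GatewayReply:
    status: str      # "Challenge" or "Error"
    message: str     # text to show the user
    input_str: str   # opaque token sent back with the challenge answer

    @property
    def needs_user_input(self) -> bool:
        return self.status == "Challenge"


def parse_gateway_reply(body: str) -> GatewayReply:
    """Parse the reply strictly; raise MalformedReply on anything unexpected."""
    if len(body) > MAX_REPLY_CHARS:
        raise MalformedReply("reply too large")
    fields = {}
    for line in body.splitlines():
        if not line.strip():
            continue
        m = _ASSIGN.fullmatch(line)
        if m is None:
            raise MalformedReply(f"unexpected line: {line[:40]!r}")
        name, value = m.groups()
        if name in fields:
            raise MalformedReply(f"duplicate field: {name}")
        fields[name] = value
    missing = [k for k in REQUIRED if k not in fields]
    if missing:
        raise MalformedReply("missing field(s): " + ", ".join(missing))
    status = fields["respStatus"]
    if status not in KNOWN_STATUS:
        raise MalformedReply(f"unknown respStatus: {status!r}")
    token = fields["thisForm.inputStr.value"]
    if status == "Challenge" and not _TOKEN.fullmatch(token):
        raise MalformedReply("challenge without a usable inputStr token")
    return GatewayReply(status, fields["respMsg"], token)


def classify(body: str) -> str:
    """Map a reply body to the next UI step without ever raising."""
    try:
        reply = parse_gateway_reply(body)
    except MalformedReply as exc:
        return f"abort: {exc}"
    if reply.needs_user_input:
        return f"prompt: {reply.message}"
    return f"error: {reply.message}"


if __name__ == "__main__":
    print(classify(SAMPLE_OTP))
    print(classify(SAMPLE_ERROR))
    print(classify("<html>unexpected page</html>"))
```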

Lost connection after connecting to the VPN

I can connect successfully, but then I lose internet connection.

After fiddling around with it a little bit, I found out that if I add the --no-dtls argument to the openconnect command everything works as expected.

Right now, we can't set this flag using the GUI.

AFAIK, this flag forces the communication to go through TCP, which might be slower than using UDP. Security-wise it should be equivalent.

Here's how I tested:
A) make sure the gpservice is running: systemctl status gpservice.service
If it's not running, start it with sudo systemctl start gpservice.service

B) Open gpclient and login as usual (you should get the Connected state)

C) Get the openconnect full command with systemctl status gpservice.service
You should have something like this
image

Now, copy the openconnect ... command and add the --no-dtls at the end (be careful because there are some & in the string that can break your command)
You need to use sudo

You should end with a command like this:
sudo /usr/bin/openconnect --protocol=gp -u <email> -C 'authcookie=<long string>' <globalprotect.company.com> --no-dtls

Run this command and you should be good to go

You can add the following to make sure only the expected connections go through the VPN
sudo /usr/bin/openconnect --protocol=gp ... -s 'vpn-slice internal.company.com host2.company.net'
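
The quoting caveat from the steps above, as an added shell example that is not part of the original post or the project's code: it takes the unquoted openconnect command line as shown by systemctl status, single-quotes every argument so the & characters in the authcookie are not interpreted by the shell, and appends --no-dtls. The sample command line is constructed, the function names are hypothetical, and it assumes no argument contains whitespace.

```shell
#!/bin/sh
# Added example (not from the post or the project): rebuild an openconnect
# command line copied from `systemctl status gpservice.service` so that it
# can be pasted into a shell safely, with --no-dtls appended.
# Assumption: no single argument contains whitespace.

# quote_arg: wrap one argument in single quotes, escaping embedded quotes.
quote_arg() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# with_no_dtls: read an unquoted command line, print a fully quoted one.
with_no_dtls() {
    raw=$1
    out=""
    has_flag=0
    set -f                          # no globbing while word-splitting $raw
    for arg in $raw; do
        [ "$arg" = "--no-dtls" ] && has_flag=1
        out="$out${out:+ }$(quote_arg "$arg")"
    done
    set +f
    # Append the flag only if it is not already present.
    [ "$has_flag" -eq 1 ] || out="$out '--no-dtls'"
    printf '%s\n' "$out"
}

# Constructed sample: the cookie value, user and host are placeholders.
SAMPLE='/usr/bin/openconnect --protocol=gp -u alice@example.com -C authcookie=CONSTRUCTED0001&portal=gw&user=alice vpn.example.com'

# Print the quoted command; review it, then run it with sudo.
with_no_dtls "$SAMPLE"
```

Unquoted, each & in the cookie would end the command and put it in the background, so openconnect would receive a truncated cookie.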

Does not seem to support MFA

After I log in, the application segfaults. Normally I would be prompted to enter my MFA info.
$ ./gpclient
2020-05-29 16:03:00.002 INFO [106401] [PortalAuthenticator::authenticate@29] Preform portal prelogin at https://vpn.foo.com/global-protect/prelogin.esp?tmp=tmp&kerberos-support=yes&ipv6-support=yes&clientVer=4100&clientos=Linux
2020-05-29 16:03:00.620 INFO [106401] [PortalAuthenticator::onPreloginFinished@46] Portal prelogin succeeded.
2020-05-29 16:03:00.621 INFO [106401] [PortalAuthenticator::normalAuth@79] Trying to launch the normal login window...
2020-05-29 16:03:13.675 INFO [106401] [PortalAuthenticator::fetchConfig@154] Fetching the portal config from https://vpn.foo.com/global-protect/getconfig.esp for user: gdanko
2020-05-29 16:03:14.744 INFO [106401] [PortalAuthenticator::onFetchConfigFinished@180] Fetch the portal config succeeded.
Segmentation fault (core dumped)
