
Cannot open browser for MFA #316

Closed
gonneman opened this issue Feb 7, 2024 · 25 comments

Comments

@gonneman

gonneman commented Feb 7, 2024

I am running gpclient 2.0.0 (2024-02-05) on an openSUSE 15.5 system. I am trying to connect to a VPN server that uses MFA.

The command I am using is
gpclient connect [path to gateway]

If I run this command as an ordinary user a browser window opens for MFA. After I've authenticated myself successfully gpclient cannot finish setting up the VPN because it lacks root privileges.
[2024-02-07T10:38:44Z WARN openconnect::ffi] Failed to bind local tun device (TUNSETIFF): Operation not permitted
[2024-02-07T10:38:44Z WARN openconnect::ffi] To configure local networking, openconnect must be running as root See https://www.infradead.org/openconnect/nonroot.html for more information
I didn't understand the instructions linked to in the error well enough to implement because they seem to refer to openconnect directly. Is there a way to pass some of the workarounds listed there to gpclient?

If I run gpclient with sudo then I get the error
(gpauth:18869): Gtk-WARNING **: 10:33:37.566: cannot open display:

If I switch to root via su and run gpclient then I get the error
Error: Command { std: "/usr/bin/gpauth" "[server]" "--saml-request" "[long url]" "--user-agent" "PAN GlobalProtect" "--os" "Linux" "--os-version" "Linux openSUSE Leap 15.5", kill_on_drop: false } cannot be run as root

What is the way around this? How can I run the authentication part as a normal user with the VPN tunnel creation part run with root privileges?

@yuezk
Owner

yuezk commented Feb 7, 2024

Running sudo gpclient connect xxx is the correct way. Are you using the remote SSH?

@gonneman
Author

gonneman commented Feb 7, 2024

Thank you for the extremely fast reply!

No, I'm running the client locally on my laptop.

@yuezk
Owner

yuezk commented Feb 7, 2024

What's the output of echo $DISPLAY?

@gonneman
Author

gonneman commented Feb 7, 2024

The output is
:0

@yuezk
Owner

yuezk commented Feb 7, 2024

Does the GUI client work for you?

@gonneman
Author

gonneman commented Feb 7, 2024

It doesn't. The command
gpclient launch-gui
results in
[2024-02-07T11:08:12Z INFO gpclient::cli] gpclient started: 2.0.0 (2024-02-05)
[2024-02-07T11:08:12Z INFO gpclient::launch_gui] Log file: /[home path]/.local/share/gpclient/gpclient.log

Error: No such file or directory (os error 2)

However, gpclient.log exists. It is just empty.

@yuezk
Owner

yuezk commented Feb 7, 2024

Weird, I'm trying to set up a 15.5 VM to test it. Does your OS have any special setup you think could be related?

@gonneman
Author

gonneman commented Feb 7, 2024

I can't think of anything, sorry. It is a stock openSUSE 15.5 running KDE in X11 (rather than Wayland).

Are there any other log files I could supply that would be helpful?

@yuezk
Owner

yuezk commented Feb 7, 2024

No, let me try to reproduce it first.

@yuezk
Owner

yuezk commented Feb 7, 2024

@gonneman Where did you install the client?

@gonneman
Author

gonneman commented Feb 7, 2024

I installed it from the openSUSE package whose repository is
https://download.opensuse.org/repositories/home:/yuezk/15.5/
I'm guessing you maintain this repository. Installing this way places files in
/usr/share and /usr/bin.
The binaries gpauth, gpclient, gpgui and gpservice are all in /usr/bin.

@yuezk
Owner

yuezk commented Feb 7, 2024

Ok, I'll verify it soon.

@yuezk
Owner

yuezk commented Feb 7, 2024

I'm able to reproduce it, trying to fix.

@gonneman
Author

gonneman commented Feb 7, 2024

Great. Thank you for keeping me informed.

@yuezk
Owner

yuezk commented Feb 13, 2024

@gonneman Sorry for the late response. I found that the sudo command in SUSE 15.5 doesn't preserve the DISPLAY environment variable.

Running sudo -E gpclient connect ... will preserve the environment variable and can connect to the VPN server after authentication.

gpclient launch-gui still has a problem, I'm working on it.

@yuezk
Owner

yuezk commented Feb 13, 2024

Here is the summary of the solution for this issue:

  1. Use sudo -E to launch gpclient if you want to use the CLI version. The reason is that in SUSE, it doesn't preserve the DISPLAY environment variable when running a command with sudo. The -E option tells the sudo command to preserve the environment variables.
  2. For the GUI version, install pkexec and gnome-keyring package with sudo zypper install pkexec gnome-keyring and restart. Launch the GUI version from the application dashboard.

@gonneman
Author

Thank you! I can confirm that MFA now works for me both through gpclient connect and the gui.

I've tried to also run the VPN client through KDE Network manager, but I get new errors. Should I post these here or open a new thread?

@yuezk
Owner

yuezk commented Feb 14, 2024

Just update under this thread.

@Comnenus

I think I am running into the same problem, but sudo -E did not work. I am on Ubuntu 22.04, without a GUI.

sudo -E gpclient --fix-openssl connect

and I get:

[2024-02-15T02:15:38Z INFO  gpclient::cli] gpclient started: 2.0.0 (2024-02-05)
[2024-02-15T02:15:38Z INFO  gpclient::cli] TLS errors will be ignored
[2024-02-15T02:15:38Z INFO  gpapi::portal::prelogin] Prelogin with user_agent: PAN GlobalProtect
[2024-02-15T02:15:38Z INFO  gpauth::cli] gpauth started: 2.0.0 (2024-02-05)
[2024-02-15T02:15:38Z INFO  gpauth::cli] TLS errors will be ignored
[2024-02-15T02:15:38Z INFO  gpauth::cli] Fixing OpenSSL environment

(gpauth:3509): Gtk-WARNING **: 21:15:38.225: cannot open display: :0
[2024-02-15T02:15:38Z INFO  gpclient::connect] Failed to connect portal with prelogin: Failed to parse auth data

Error: Failed to parse auth data

Am I running this correctly?

@yuezk
Owner

yuezk commented Feb 15, 2024

@Comnenus I'm using Ubuntu as well. It may not be the same: in your case, we could get the display as :0, while we got empty for the original issue. What's the output of the following commands?

  • sudo printenv | grep DISPLAY
  • sudo -E printenv | grep DISPLAY

Questions:

  • Are you using a remote shell to run the command?
  • Does the GUI version work for you?
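The two `printenv` checks above and the `sudo -E` advice in the Feb 13 summary both come down to one question: does the elevated process still see the variables the MFA web view needs to open a display? The following POSIX shell script is an added example, not code from the gpclient project or from either participant. It generalizes those checks so they can be pointed at any elevation command (`sudo`, `sudo -E`, `pkexec`) and lists what was dropped. The inclusion of `XAUTHORITY` alongside `DISPLAY`, and the function names, are assumptions of this example; the thread itself only discusses `DISPLAY`.

```shell
#!/bin/sh
# Added example, not part of gpclient: report which X11-related variables a
# privilege-elevation command fails to pass through to the elevated process.
# gpauth (launched by gpclient under sudo) needs DISPLAY to open the MFA web
# view. XAUTHORITY is included as an assumption: X servers that require an
# authority file also need it before a root process can reach the user's display.
NEEDED_VARS="DISPLAY XAUTHORITY"

# missing_vars ELEVATE_CMD [ARGS...]
# Runs `printenv` through the given command (e.g. "sudo", "sudo -E", "pkexec")
# and prints the space-separated names of NEEDED_VARS that are absent from the
# elevated environment. Prints an empty line when everything survived.
missing_vars() {
    elevated_env=$("$@" printenv 2>/dev/null)
    missing=""
    for var in $NEEDED_VARS; do
        # Match a whole line "NAME=" so WAYLAND_DISPLAY= is not mistaken for DISPLAY=.
        if ! printf '%s\n' "$elevated_env" | grep -q "^${var}="; then
            missing="$missing $var"
        fi
    done
    printf '%s\n' "${missing# }"
}

# report ELEVATE_CMD [ARGS...]
# Human-readable verdict; exit status 1 when the elevated command would not be
# able to open the display because at least one needed variable was dropped.
report() {
    missing=$(missing_vars "$@")
    if [ -z "$missing" ]; then
        echo "ok: '$*' keeps $NEEDED_VARS"
        return 0
    fi
    echo "missing under '$*': $missing"
    return 1
}

# Usage when saved as check_display.sh and run directly:
#   ./check_display.sh sudo      (SUSE default: expect DISPLAY to be reported missing)
#   ./check_display.sh sudo -E   (environment preserved: expect "ok")
# When the file is sourced, only the functions are defined.
case "$0" in
    */check_display.sh|check_display.sh) report "$@" ;;
esac
```

Plain `sudo` drops `DISPLAY` because of its `env_reset` default, which exists so that a caller cannot smuggle environment variables such as loader settings into a root process; `sudo -E` switches that protection off for the entire environment. A narrower alternative, which is general sudo behaviour rather than something this thread covers, is to whitelist only the two variables with a sudoers line such as `Defaults env_keep += "DISPLAY XAUTHORITY"` added through `visudo`, and then run the script against plain `sudo` again to confirm they now pass through.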

@Comnenus

@yuezk It does work where I have GUIs available. I get the same display error in both WSL2 and Ubuntu in multi-user.target. I'm using the console on both. The only difference is that on the VM DISPLAY is not set, but in WSL2 it is :0.

Does the CLI version still need a GUI to run? I was hoping to run this on lightweight clients that won't be able to have them.

@yuezk
Copy link
Owner

yuezk commented Feb 15, 2024

Does the CLI version still need a GUI to run?

It depends. If the portal requires SSO, then it needs to launch a web view to do the authentication, then it needs the DISPLAY env variable to be set.

@gonneman
Author

Sorry for taking so long to get back to you. There are two issues. Please let me know if I should split these into two reports.

First issue, regarding using Network Manager. Here is the log that I get when I try to connect using Network Manager.

POST https://ras.cf.ac.uk/ssl-vpn/prelogin.esp?tmp=tmp&clientVer=4100&clientos=Linux
Attempting to connect to server 131.251.255.229:443
Connected to 131.251.255.229:443
SSL negotiation with ras.cf.ac.uk
Connected to HTTPS on ras.cf.ac.uk with ciphersuite (TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA256)-(AES-256-GCM)
Got HTTP response: HTTP/1.1 200 OK
Date: Mon, 19 Feb 2024 10:15:42 GMT
Content-Type: application/xml; charset=UTF-8
Content-Length: 1544
Connection: keep-alive
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Set-Cookie: SESSID=6bf7bd7e-8dee-4848-b471-c69b7d0ca56e; Path=/; HttpOnly; Secure
X-Frame-Options: DENY
Strict-Transport-Security: max-age=31536000;
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'; img-src * data:; style-src 'self' 'unsafe-inline';
HTTP body length: (1544)
SAML REDIRECT authentication is required via https://login.microsoftonline.com/bdb74b30-9568-4856-bdbf-06759778fcbc/saml2?SAMLRequest=hVHLTsMwEPyVyPe8XOdlNZFCe6BSEVETOHBBjuO0FoldvA7i80lbEOVSjrs7O7MzuwQ2DkdaTvagduJ9EmCdz3FQQM%2BDHE1GUc1AAlVsFEAtp3X5sKXYC%2BjRaKu5HpBTAghjpVYrrWAahamF%2BZBcPO22OTpYewTq%2B4aBx3uPcW96o4Qs%2FBMRDvy68stVjZz1LC4VO9H8Lg16L5U3Sm406N5qNUglPK5Hv%2B3ahLSLwM2iOHVJGsXu3OrdIE6iLEnSnrfcP7nAyNmsc%2FSaxISxqI%2B7TGAiwrbr%2BqTDPEtZGnQxCWcYwCQ2CixTNkc4wMQNsBtmTRjQMKIEvyCn%2BjZ9J1Un1f52Qu0FBPS%2BaSq3eqwb5DwLA2eLMwAVy9OF9CxsrpK%2FTct%2B4kbF%2F%2BEu%2FSuJ4lL9%2FXjxBQ%3D%3D&RelayState=6OEFAKUOnWU2YmY3YmQ3ZS04ZGVlLTQ4NDgtYjQ3MS1jNjliN2QwY2E1NmU%3D
When SAML authentication is complete, specify destination form field by appending :field_name to login URL.
Failed to parse XML server response
Response was:
<?xml version="1.0" encoding="UTF-8" ?>
<prelogin-response>
<status>Success</status>
<ccusername></ccusername>
<autosubmit>false</autosubmit>
<msg></msg>
<newmsg></newmsg>
<license>yes</license>
<authentication-message>Enter login credentials</authentication-message>
<username-label>Username</username-label>
<password-label>Password</password-label>
<panos-version>1</panos-version>
<saml-default-browser>yes</saml-default-browser>
<cas-auth></cas-auth>
<saml-auth-status>0</saml-auth-status>
<saml-auth-method>REDIRECT</saml-auth-method>
<saml-request-timeout>600</saml-request-timeout>
<saml-request-id>0</saml-request-id>
<saml-request>...</saml-request>
<auth-api>no</auth-api><region>GB</region>
</prelogin-response>

Network Manager does not manage to open a browser window for MFA. So I'm guessing that the relevant display variables are not being passed on. Is there a way to include these in Network Manager?

Then the other problem:
When I connect via sudo -E gpclient connect then a tun0 device is created but its state is DOWN and I don't have access to the IPs of the network I am trying to connect to. Here is what I believe to be the relevant part of the error log.

[2024-02-19T10:04:45Z INFO openconnect::ffi] POST https://ras-int.cf.ac.uk/ssl-vpn/hipreportcheck.esp
[2024-02-19T10:04:45Z WARN openconnect::ffi] WARNING: Server asked us to submit HIP report with md5sum 71b3f5351c2388741513b6942fe06701.
VPN connectivity may be disabled or limited without HIP report submission.
You need to provide a --csd-wrapper argument with the HIP report submission script.
[2024-02-19T10:04:45Z INFO openconnect::ffi] ESP session established with server
[2024-02-19T10:04:45Z INFO openconnect::ffi] ESP tunnel connected; exiting HTTPS mainloop.
[2024-02-19T10:04:46Z INFO openconnect::ffi] Using vhost-net for tun acceleration, ring size 32
[2024-02-19T10:04:46Z INFO openconnect::vpn] Connected to VPN, pipe_fd: 11
[2024-02-19T10:04:46Z INFO gpclient::connect] Wrote PID 6234 to /var/run/gpclient.lock

@gonneman
Author

gonneman commented Mar 8, 2024

@yuezk Did you have a moment to look at the issues above?

@yuezk
Owner

yuezk commented Mar 11, 2024

@gonneman Moved to #335 and #336.

@yuezk yuezk closed this as completed Mar 11, 2024