
Installing OpenConnect on RockyLinux8 and Using It as an AnyConnect Replacement

OpenConnect can be used as a replacement for the following VPN clients.

  • Cisco AnyConnect (--protocol=anyconnect)
  • Array Networks AG SSL VPN (--protocol=array)
  • Juniper SSL VPN (--protocol=nc)
  • Pulse Connect Secure (--protocol=pulse)
  • Palo Alto Networks GlobalProtect SSL VPN (--protocol=gp)
  • F5 Big-IP SSL VPN (--protocol=f5)
  • Fortinet Fortigate SSL VPN (--protocol=fortinet)

This post records the steps for installing OpenConnect on RockyLinux8 and using it in place of AnyConnect.

Installation

OpenConnect is provided by EPEL.

# dnf info openconnect
Last metadata expiration check: 2:38:03 ago on Sat Nov  6 19:40:25 2021.
Available Packages
Name         : openconnect
Version      : 8.10
Release      : 1.el8
Architecture : x86_64
Size         : 623 k
Source       : openconnect-8.10-1.el8.src.rpm
Repository   : epel
Summary      : Open client for Cisco AnyConnect VPN, Juniper Network
             : Connect/Pulse, PAN GlobalProtect
URL          : http://www.infradead.org/openconnect.html
License      : LGPLv2+
Description  : This package provides a multiprotocol VPN client for Cisco
             : AnyConnect, Juniper SSL VPN / Pulse Connect Secure, and Palo Alto
             : Networks GlobalProtect SSL VPN.

Enable the EPEL repository, then install OpenConnect.

dnf install -y epel-release
dnf install -y openconnect

Basic usage

Basic usage is as follows. Note, however, that run like this the client stays in the foreground.

openconnect \
  --protocol=anyconnect \
  --user=USERNAME \
  --authgroup=GROUP \
  vpn.example.com

Running in the background

To run it in the background, specify the --background option.

openconnect \
  --background \
  --protocol=anyconnect \
  --user=USERNAME \
  --authgroup=GROUP \
  vpn.example.com

Handling the certificate warning

When you attempt an SSL-VPN connection to an environment that uses a self-signed certificate, a warning like the following is displayed.

Certificate from VPN server "vpn.example.com" failed verification.
Reason: signer not found
To trust this server in future, perhaps add this to your command line:
    --servercert pin-sha256:0123456789abcdef0123456789abcdef0123456789a=
Enter 'yes' to accept, 'no' to abort; anything else to view:

In such cases, passing the fingerprint to the --servercert option stops the prompt asking whether or not to accept the certificate from appearing. An option called --no-cert-check apparently used to be available, but it seems it can no longer be used now because of security concerns.

openconnect \
  --background \
  --servercert pin-sha256:0123456789abcdef0123456789abcdef0123456789a= \
  --protocol=anyconnect \
  --user=USERNAME \
  --authgroup=GROUP \
  vpn.example.com
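The pin printed in that prompt comes from the very server whose identity has not been verified yet, so before pinning it with --servercert it is worth checking it against a copy of the server certificate obtained out of band (for example from the VPN administrator). The following script is an added example, not part of the original post or of OpenConnect: it derives the pin-sha256 value (base64 of the SHA-256 of the certificate's SubjectPublicKeyInfo, the HPKP-style format OpenConnect prints) from a PEM certificate and compares it with the pin from the warning; the sample certificate bytes at the bottom are a constructed stand-in with the DER shape of a certificate, not a real certificate.

```python
import base64
import hashlib
import re

def _der_tlv(buf, off):
    """Decode one DER TLV at buf[off]; return (tag, value, total_size)."""
    tag, length, hdr = buf[off], buf[off + 1], 2
    if length & 0x80:  # long-form length: low bits give the number of length bytes
        n = length & 0x7F
        length, hdr = int.from_bytes(buf[off + 2:off + 2 + n], "big"), hdr + n
    return tag, buf[off + hdr:off + hdr + length], hdr + length

def _der_children(value):
    """Yield (tag, raw_tlv_bytes) for each element inside a SEQUENCE value."""
    off = 0
    while off < len(value):
        tag, _, size = _der_tlv(value, off)
        yield tag, value[off:off + size]
        off += size

def pem_to_der(pem_text):
    """Decode the first CERTIFICATE block of a PEM file."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S)
    return base64.b64decode("".join(m.group(1).split()))

def spki_from_cert(der):
    """Return the DER-encoded SubjectPublicKeyInfo of an X.509 certificate."""
    _, cert_val, _ = _der_tlv(der, 0)            # Certificate ::= SEQUENCE { tbs, sigAlg, sig }
    _, tbs_raw = next(_der_children(cert_val))   # first element is tbsCertificate
    _, tbs_val, _ = _der_tlv(tbs_raw, 0)
    fields = list(_der_children(tbs_val))
    if fields[0][0] == 0xA0:                     # optional version [0] EXPLICIT
        fields = fields[1:]
    # serial, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    return fields[5][1]

def pin_sha256(der):
    """OpenConnect/HPKP-style pin: base64(SHA-256(SubjectPublicKeyInfo))."""
    digest = hashlib.sha256(spki_from_cert(der)).digest()
    return "pin-sha256:" + base64.b64encode(digest).decode()

def pin_matches(pem_text, pin_from_warning):
    # Accept the pin from the prompt only if it equals the pin of the reference certificate.
    return pin_sha256(pem_to_der(pem_text)) == pin_from_warning.strip()

# Constructed stand-in (certificate-shaped DER, not a real signed certificate) so this runs offline.
SAMPLE_SPKI = bytes.fromhex("30050403aabbcc")
_tbs = bytes.fromhex("a003020102020101" "3000300030003000") + SAMPLE_SPKI
_cert = b"\x30" + bytes([len(_tbs)]) + _tbs + bytes.fromhex("3000030100")
SAMPLE_DER = b"\x30" + bytes([len(_cert)]) + _cert
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(SAMPLE_DER).decode()
```

In practice, replace SAMPLE_PEM with the contents of the PEM file received out of band and pass the pin-sha256 string from the warning to pin_matches.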

Reference

# openconnect --help
Usage:  openconnect [options] <server>
Open client for multiple VPN protocols, version v8.10

Using GnuTLS 3.6.14. Features present: TPM, TPMv2, PKCS#11, HOTP software token, TOTP software token, Yubikey OATH, System keys, DTLS, ESP
      --config=CONFIGFILE         Read options from config file
  -V, --version                   Report version number
  -h, --help                      Display help text

Set VPN protocol:
      --protocol=anyconnect       Compatible with Cisco AnyConnect SSL VPN, as well as ocserv (default)
      --protocol=nc               Compatible with Juniper Network Connect
      --protocol=gp               Compatible with Palo Alto Networks (PAN) GlobalProtect SSL VPN
      --protocol=pulse            Compatible with Pulse Connect Secure SSL VPN

Authentication:
  -u, --user=NAME                 Set login username
      --no-passwd                 Disable password/SecurID authentication
      --non-inter                 Do not expect user input; exit if it is required
      --passwd-on-stdin           Read password from standard input
      --authgroup=GROUP           Choose authentication login selection
  -F, --form-entry=FORM:OPT=VALUE Provide authentication form responses
  -c, --certificate=CERT          Use SSL client certificate CERT
  -k, --sslkey=KEY                Use SSL private key file KEY
  -e, --cert-expire-warning=DAYS  Warn when certificate lifetime < DAYS
  -g, --usergroup=GROUP           Set login usergroup
  -p, --key-password=PASS         Set key passphrase or TPM SRK PIN
      --key-password-from-fsid    Key passphrase is fsid of file system
      --token-mode=MODE           Software token type: rsa, totp, hotp or oidc
      --token-secret=STRING       Software token secret or oidc token
                                  (NOTE: libstoken (RSA SecurID) disabled in this build)

Server validation:
      --servercert=FINGERPRINT    Server's certificate SHA1 fingerprint
      --no-cert-check             Do not require server SSL cert to be valid
      --no-system-trust           Disable default system certificate authorities
      --cafile=FILE               Cert file for server verification

Internet connectivity:
  -P, --proxy=URL                 Set proxy server
      --proxy-auth=METHODS        Set proxy authentication methods
      --no-proxy                  Disable proxy
      --libproxy                  Use libproxy to automatically configure proxy
      --reconnect-timeout         Connection retry timeout in seconds
      --resolve=HOST:IP           Use IP when connecting to HOST
      --passtos                   Copy TOS / TCLASS field into DTLS and ESP packets
      --dtls-local-port=PORT      Set local port for DTLS and ESP datagrams

Authentication (two-phase):
  -C, --cookie=COOKIE             Use authentication cookie COOKIE
      --cookie-on-stdin           Read cookie from standard input
      --authenticate              Authenticate only and print login info
      --cookieonly                Fetch and print cookie only; don't connect
      --printcookie               Print cookie before connecting

Process control:
  -b, --background                Continue in background after startup
      --pid-file=PIDFILE          Write the daemon's PID to this file
  -U, --setuid=USER               Drop privileges after connecting

Logging (two-phase):
  -l, --syslog                    Use syslog for progress messages
  -v, --verbose                   More output
  -q, --quiet                     Less output
      --dump-http-traffic         Dump HTTP authentication traffic (implies --verbose)
      --timestamp                 Prepend timestamp to progress messages

VPN configuration script:
  -i, --interface=IFNAME          Use IFNAME for tunnel interface
  -s, --script=SCRIPT             Shell command line for using a vpnc-compatible config script
                                  default: "/etc/vpnc/vpnc-script"
  -S, --script-tun                Pass traffic to 'script' program, not tun

Tunnel control:
      --disable-ipv6              Do not ask for IPv6 connectivity
  -x, --xmlconfig=CONFIG          XML config file
  -m, --mtu=MTU                   Request MTU from server (legacy servers only)
      --base-mtu=MTU              Indicate path MTU to/from server
  -d, --deflate                   Enable stateful compression (default is stateless only)
  -D, --no-deflate                Disable all compression
      --force-dpd=INTERVAL        Set minimum Dead Peer Detection interval (in seconds)
      --pfs                       Require perfect forward secrecy
      --no-dtls                   Disable DTLS and ESP
      --dtls-ciphers=LIST         OpenSSL ciphers to support for DTLS
  -Q, --queue-len=LEN             Set packet queue limit to LEN pkts

Local system information:
      --useragent=STRING          HTTP header User-Agent: field
      --local-hostname=STRING     Local hostname to advertise to server
      --os=STRING                 OS type (linux,linux-64,win,...) to report
      --version-string=STRING     reported version string during authentication
                                  (default: v8.10)

Trojan binary (CSD) execution:
      --csd-user=USER             Drop privileges during trojan execution
      --csd-wrapper=SCRIPT        Run SCRIPT instead of trojan binary
      --force-trojan=INTERVAL     Set minimum interval for rerunning trojan (in seconds)

Server bugs:
      --no-http-keepalive         Disable HTTP connection re-use
      --no-xmlpost                Do not attempt XML POST authentication

For assistance with OpenConnect, please see the web page at
  http://www.infradead.org/openconnect/mail.html