Thanks to a comment from GAD3R and the Connman developer mailing list, a friend figured out how to set up the VPN connection. Although there is still a small error left, we got it to work mostly.
1. Initial situation
The following packages have to be installed on your client machine from where you want to access the host server:
connman
connman-vpn
cmst
openconnect
Furthermore, the script csd-wrapper.sh was run in your client's /home directory and has created the directory /home/.cisco with several authentication files of your machine.
2. Generating the necessary VPN authentication information by engaging OpenConnect
In a second step you have to execute the OpenConnect authentication request to obtain the server certificate (FINGERPRINT) and a COOKIE that Connman will use to connect to the VPN. This information is created using the OpenConnect package, which then displays the server certificate and the cookie in the terminal. We generate this information in the terminal by running
$ sudo openconnect --csd-wrapper=/home/user/.cisco/csd-wrapper.sh --authenticate --user <username> <hostname>
Afterwards this command will display four variables: POST, COOKIE, HOST and FINGERPRINT. Here the fingerprint (starting with sha256:...) acts as the server certificate, while the COOKIE is what it sounds like.
3. Creating the VPN provisioning file for Connman
In contrast to NetworkManager, Connman uses so-called VPN provisioning files for each VPN connection, from which it takes the information on how to connect to the VPN host. Therefore, in a third step, the previously generated authentication data has to be pasted into this VPN provisioning file that Connman will use to connect to the server. To do so we create the file /var/lib/connman-vpn/<connection-name>.config with the following structure:
[global]
Name = VPN name, for example "My Company VPN" (without quotes)
[provider_openconnect]
Type = OpenConnect
Name = VPN Provider name, for example "My Company Cisco VPN" (without quotes)
Host = <VPN host IP address>
Domain = <VPN host domain>
OpenConnect.ServerCert = <paste the output of FINGERPRINT from the previous openconnect command>
OpenConnect.Cookie = <paste the output of COOKIE from the previous openconnect command>
Afterwards save and close the file.
4. Reboot your machine and check VPN connection
Reboot your system and you will find your newly created VPN connection listed in the VPN tab of the Connman System Tray (CMST) GUI. Mark it, click on "connect" and after a few seconds the VPN connection to your VPN host will be established. Now you can easily access the VPN host within the file manager of your choice.
5. Eyesore: Generated cookie is only valid for a few hours
After a few hours your previously working VPN connection won't work anymore. When checking /var/log/syslog, the connection attempt complains about failed verification of the server certificate:
Aug 24 00:14:51 <hostname> connmand[444]: ipconfig state 2 ipconfig method 1
Aug 24 00:14:51 <hostname> connmand[444]: vpn0 {create} index 23 type 65534 <NONE>
Aug 24 00:14:51 <hostname> connmand[444]: vpn0 {update} flags 4240 <DOWN>
Aug 24 00:14:51 <hostname> connmand[444]: vpn0 {newlink} index 23 address 00:00:00:00:00:00 mtu 1500
Aug 24 00:14:51 <hostname> connmand[444]: vpn0 {newlink} index 23 operstate 2 <DOWN>
Aug 24 00:14:51 <hostname> connman-vpnd[365]: vpn0 {create} index 23 type 65534 <NONE>
Aug 24 00:14:51 <hostname> connman-vpnd[365]: vpn0 {update} flags 4240 <DOWN>
Aug 24 00:14:51 <hostname> connman-vpnd[365]: vpn0 {newlink} index 23 operstate 2 <DOWN>
Aug 24 00:14:51 <hostname> connmand[444]: ipconfig state 2 ipconfig method 1
Aug 24 00:14:51 <hostname> openconnect[4476]: Connected to <VPN server IP>:443
Aug 24 00:14:51 <hostname> openconnect[4476]: SSL negotiation with <VPN server IP>
Aug 24 00:14:51 <hostname> openconnect[4476]: Server certificate verify failed: signer not found
Aug 24 00:14:51 <hostname> openconnect[4476]: Connected to HTTPS on <VPN server IP>
Aug 24 00:14:51 <hostname> openconnect[4476]: Got inappropriate HTTP CONNECT response: HTTP/1.1 401 Unauthorized
Aug 24 00:14:51 <hostname> connmand[444]: vpn0 {dellink} index 23 operstate 2 <DOWN>
Aug 24 00:14:51 <hostname> connmand[444]: (null) {remove} index 23
Aug 24 00:14:51 <hostname> connman-vpnd[365]: vpn0 {dellink} index 23 operstate 2 <DOWN>
Aug 24 00:14:51 <hostname> connman-vpnd[365]: vpn0 {remove} index 23
Aug 24 00:14:51 <hostname> connmand[444]: ipconfig state 7 ipconfig method 1
Aug 24 00:14:51 <hostname> connmand[444]: ipconfig state 6 ipconfig method 1
Here the initial authentication COOKIE has changed, so the previously generated cookie is not valid anymore. Therefore you have to repeat the above procedure every few hours to create a new COOKIE and paste this new one into your VPN provisioning file (/var/lib/connman-vpn/<yourvpnname>.config), overwriting the old cookie. Afterwards restart Connman and your VPN will work fine again for the next few hours.
Important:
It seems that NetworkManager can trigger the recreation of the new COOKIE by itself, while Connman needs to be fed the new cookie in its VPN provisioning file. Probably Connman is missing some kind of interface to launch the OpenConnect command by itself.
6. Workaround to make recreation of the new cookie a bit more comfortable
You can use a bash script to generate the new cookie and overwrite the old one. Just copy the following text into a *.sh file, make it executable and run it. The new cookie will be placed into /var/lib/connman-vpn/vpnname.config at the right position automatically. Afterwards restart Connman and the VPN will work fine again.
#!/bin/bash
# Ask the VPN host for a fresh cookie (the password is piped in via --passwd-on-stdin) and keep only the COOKIE value
cookie=$(echo '<YOUR-VPN-PASSWORD>' | openconnect --csd-wrapper=/home/user/.cisco/csd-wrapper.sh --authenticate --user=<USERNAME> --authgroup="<YOURGROUP>" --passwd-on-stdin <VPN-HOST-DOMAIN> | grep 'COOKIE=' | sed "s/COOKIE='//; s/'//g")
sed -i "s/^OpenConnect.Cookie =.*$/OpenConnect.Cookie = $cookie/" <EXTERNAL-FILENAME>
This script will:
- Start OpenConnect and execute the OpenConnect authentication request to obtain the server certificate (FINGERPRINT) and a COOKIE
- Insert your username into the user prompt
- Insert your password into the user prompt
- Insert your desired group into the user prompt
- Generate a new cookie
- Overwrite the old cookie in /var/lib/connman-vpn/vpnname.config with the new cookie
Afterwards you can reconnect to your VPN host without any problems. Thanks to this script it is more comfortable and much faster to recreate new cookies when necessary.
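An added example (not the answer's own script) that covers both the provisioning file of step 3 and the cookie refresh of step 6: it parses the VAR='value' lines that `openconnect --authenticate` prints, keeps the password out of the script by reading it from a mode-0600 file, inserts the cookie with awk so characters like "/" or "&" in it cannot break the edit, and refuses to touch the config when the FINGERPRINT reported by the server no longer matches the OpenConnect.ServerCert stored in the file (the case behind the "signer not found" log line above). The config path, username, VPN host and password file are assumed to be passed as arguments.

```shell
#!/bin/sh
# Added example, not the answer's script: refresh OpenConnect.Cookie in a Connman
# provisioning file. The password is read from a mode-0600 file instead of being
# written into the script, the cookie is inserted with awk so "/" or "&" inside it
# cannot break the edit, and nothing is changed if the server's FINGERPRINT no
# longer matches the OpenConnect.ServerCert already stored in the file.
# Assumed: config path, username, VPN host and password file are given as arguments.

# Value of one VAR='value' line of `openconnect --authenticate` output (on stdin).
auth_var() { grep "^$1=" | head -n 1 | cut -d= -f2- | tr -d "'"; }

# Value of a "Key = value" line in the provisioning file. $1 = file, $2 = key.
cfg_get() { sed -n "s/^$2 = //p" "$1" | head -n 1; }

# Replace the cookie line. $1 = file, $2 = new cookie, $3 = fingerprint the server
# reported. Returns 2 and leaves the file alone if $3 differs from ServerCert.
update_cookie() {
    [ "$(cfg_get "$1" OpenConnect.ServerCert)" = "$3" ] || return 2
    tmp="$1.tmp.$$"
    (umask 077; NEW="$2" awk '
        /^OpenConnect\.Cookie =/ { print "OpenConnect.Cookie = " ENVIRON["NEW"]; next }
        { print }' "$1" > "$tmp") || return 1
    cat "$tmp" > "$1" && rm -f "$tmp"   # overwrite in place: owner and mode are kept
}

# Authenticate and apply the result. $1 = config file, $2 = username,
# $3 = VPN host, $4 = mode-0600 file whose only content is the password.
refresh() {
    out=$(openconnect --csd-wrapper="$HOME/.cisco/csd-wrapper.sh" --authenticate \
                      --user="$2" --passwd-on-stdin "$3" < "$4") || return 1
    cookie=$(printf '%s\n' "$out" | auth_var COOKIE)
    fp=$(printf '%s\n' "$out" | auth_var FINGERPRINT)
    if [ -z "$cookie" ] || [ -z "$fp" ]; then
        echo "no COOKIE/FINGERPRINT in openconnect output" >&2; return 1
    fi
    update_cookie "$1" "$cookie" "$fp" || {
        echo "server fingerprint $fp does not match ServerCert; config untouched" >&2
        return 2
    }
    echo "cookie updated in $1; restart Connman to use it"
}

if [ "$#" -eq 4 ]; then refresh "$@"; fi
```

Run it as `sh refresh-cookie.sh /var/lib/connman-vpn/<connection-name>.config <username> <VPN-host> ~/.vpn-password` with the password file created by `umask 077` beforehand; a non-zero exit of 2 means the server certificate changed and the ServerCert line needs a deliberate update first.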