Custom openconnect vpn setup for use in Palo Alto appliances
Intro
My company uses Palo Alto Networks appliances to provide our VPN service. Normally I use the openconnect or openvpn client when I need to set up a VPN connection, but these clients don't work with Palo Alto devices: the openconnect client does not implement the GlobalProtect protocol, at least not yet.
Neither stock client speaks GlobalProtect out of the box, so the client has to be built from source.
Build your openconnect to use the GlobalProtect protocol
The prerequisites are the libraries and packages needed to compile it.
For Fedora users the packages needed are:
sudo dnf -y install libxml2-devel \
    zlib-devel \
    openssl-devel \
    pkg-config \
    p11-kit \
    libp11 \
    libproxy \
    trousers \
    libproxy-devel \
    libstoken \
    autoconf automake libtool gettext-devel  # autogen.sh needs the autotools on a git checkout
And for Ubuntu users:
sudo apt-get install \
build-essential gettext autoconf automake libproxy-dev \
libxml2-dev libtool vpnc-scripts pkg-config \
libgnutls28-dev
Once the prerequisites are installed, clone the git repository and compile the package from the globalprotect branch:
git clone https://github.com/dlenski/openconnect.git
cd openconnect
git checkout globalprotect
./autogen.sh
./configure
make
sudo make install
Then refresh the shared-library cache so the newly installed library is found:
sudo ldconfig
Finally, you can test it:
sudo /usr/local/sbin/openconnect --protocol=gp vpn.mycompany.com --dump -v
Scripts to set up your credentials
Here are example scripts that store your personal credentials and start your VPN connection automatically.
Create a mycompany-vpn.sh file like this:
#!/bin/bash
# Wrapper around openconnect: connect (default), status, disconnect/stop
CONFIG="$HOME/mycompany.ocvpn"
PASSFILE="$HOME/mycompany.ocvpn.pass"

case "$1" in
    disconnect|stop)
        sudo kill $(pidof openconnect) && echo "the openconnect was disconnected"
        sudo systemctl restart systemd-resolved.service && echo "DNS service was restarted"
        ;;
    status)
        pid=$(pidof openconnect) && echo "the openconnect is running | pidof: $pid" || echo "the openconnect is stopped"
        ;;
    *)
        echo "the openconnect is trying to connect..."
        # the config sets passwd-on-stdin, so feed the password file on stdin (never on the command line)
        sudo openconnect -b --config="$CONFIG" < "$PASSFILE"
        ;;
esac
A ~/mycompany.ocvpn.pass file containing only your password (keep it readable by you alone, e.g. chmod 600):
SuperSecretPass
And finally a ~/mycompany.ocvpn file with the additional configuration:
user=myuser
passwd-on-stdin
servercert=pin-sha256:axzKF1qMn0Ncyh8FIvSyg9SIRuSFfyn7ILk/20roII4=
protocol=gp
server=vpn.mycompany.com
Run your VPN and test it:
mycompany-vpn.sh
mycompany-vpn.sh status
mycompany-vpn.sh disconnect
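The servercert= line in the .ocvpn file pins the gateway's public key: the value is the base64 of the SHA-256 over the certificate's DER-encoded SubjectPublicKeyInfo. As an added example (not part of the original post or of openconnect itself), this Python computes that pin from a certificate's DER bytes using only the standard library, so you can verify the value independently rather than trusting whatever a first connection shows; the der() helper and the hand-rolled DER walker are this example's own code, and a real certificate can be loaded with ssl.PEM_cert_to_DER_cert on a saved PEM.

```python
import base64
import hashlib

def _tlv(buf, pos):
    """Parse one DER TLV at buf[pos]; return (tag, tlv_start, value_start, value_end)."""
    tag, length, vstart = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: the next N bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[vstart:vstart + n], "big")
        vstart += n
    return tag, pos, vstart, vstart + length

def _children(buf, start, end):
    """Yield (tag, tlv_start, value_start, value_end) for each TLV in buf[start:end]."""
    while start < end:
        item = _tlv(buf, start)
        yield item
        start = item[3]

def der(tag, payload):
    """Encode one DER TLV. Used here only to build a synthetic certificate for testing."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload

def spki_from_cert(cert_der):
    """Return the DER SubjectPublicKeyInfo TLV of an X.509 certificate.
    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
                                  issuer, validity, subject, subjectPublicKeyInfo, ... }"""
    _, _, cert_vstart, _ = _tlv(cert_der, 0)
    _, _, tbs_vstart, tbs_vend = _tlv(cert_der, cert_vstart)
    fields = list(_children(cert_der, tbs_vstart, tbs_vend))
    if fields and fields[0][0] == 0xA0:     # explicit [0] version is absent in v1 certs
        fields.pop(0)
    _, spki_start, _, spki_end = fields[5]  # serial, sigalg, issuer, validity, subject, SPKI
    return cert_der[spki_start:spki_end]

def pin_sha256(cert_der):
    """The value openconnect expects after servercert=: base64(SHA-256(DER SPKI))."""
    digest = hashlib.sha256(spki_from_cert(cert_der)).digest()
    return "pin-sha256:" + base64.b64encode(digest).decode("ascii")

def servercert_matches(cert_der, config_line):
    """Check a 'servercert=pin-sha256:...' line from the .ocvpn file against a certificate."""
    key, _, value = config_line.strip().partition("=")
    return key == "servercert" and value == pin_sha256(cert_der)
```

If the pin computed from the certificate you obtained out of band differs from the one in your config, openconnect will refuse the connection, which is exactly the protection the servercert= line is there to provide.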
References:
- https://serverfault.com/questions/584163/supplying-password-to-openconnect-started-via-start-stop-daemon. Here you will find more ideas for creating an init script.